UNIVERSITY OF SCIENCE AND TECHNOLOGY of SOUTHERN PHILIPPINES
Cagayan de Oro Campus
College of Information Technology and Computing
Computer Science Department
Information Assurance and Security
IT 321
COURSE MODULES
by
Marylene Saldon-Eder
Faculty, Computer Science
Name of Student: Yecyec, Marian Ivy Kate; Arao, Hugh Humphrey; Budlong, Kenjie; Dominguez, Carl Vince; Maulod, Zayq.; Orencia, Kim; Pateño, Renchille; Quinto, Honey Pearl; Roslinda, Cal Patrick; Sangcopan, Jaber; Tapulgo, Jewel; Vallecera, Kirk.
Year / Section: CS3B
COURSE TITLE: Information Assurance and Security
COURSE CODE: CS321
MODULE NO.: 7
TITLE: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
       Upon completion of this lecture, you should be able to:
         ● Identify and describe the categories and models of intrusion detection and prevention systems
         ● Describe the detection approaches employed by modern intrusion detection and prevention systems
         ● Define and describe honeypots, honeynets, and padded cell systems
         ● List and define the major categories of scanning and analysis tools and describe the specific tools used within each category
INTRODUCTION TO INTRUSION DETECTION AND PREVENTION SYSTEMS
  I.   Introduction
       An intrusion is an event where an individual or system attempts to breach the
       confidentiality, integrity, or availability of an information system. These attempts
       can range from unauthorized access to complete system disruption and may be
       launched by internal users or external attackers. It is essential to distinguish
       between general security incidents, such as natural disasters or unintentional
       outages, and intrusions, which are deliberate and malicious.
 II.   Intrusion Detection and Prevention Systems (IDPS)
       An IDPS is a combination of intrusion detection and intrusion prevention
       capabilities within a single framework. It monitors information systems for signs
       of security violations and either alerts administrators or takes action to prevent
       harm. It functions much like a digital burglar alarm, detecting abnormal or
       malicious activity based on predefined rules or behavioral patterns.
       IDPSs can issue alerts through multiple channels such as emails, pop-up
       messages, text notifications, and integration with management consoles. They
       may also be configured to initiate an active response, such as disabling user
       accounts, blocking IP addresses, or shutting down specific network services.
       Many modern IDPSs also include capabilities to integrate with other systems,
       such as firewalls and routers, to enforce security policies dynamically.
       The main advantage of IDPSs is their ability to act in real-time. Rather than
       waiting for an attack to unfold fully, they can interrupt the intrusion process,
       potentially minimizing damage and reducing recovery time.
III.   Why Use an IDPS
       The primary benefit of using an IDPS is early intrusion detection. Identifying
       suspicious activity as it begins allows for swift action, which can prevent
       significant losses. Additionally, IDPSs can recognize the early signs of attack
       reconnaissance, such as footprinting (information gathering) and fingerprinting
       (system probing).
       An IDPS is particularly useful for monitoring systems with known vulnerabilities
       that cannot yet be patched. It provides visibility into attempted exploits and can
       alert security personnel before a full compromise occurs. IDPSs also aid in
       detecting zero-day attacks—exploits that take advantage of previously
         unknown vulnerabilities. Though detection is difficult, anomaly-based and
         behavioral IDPSs provide a better chance of spotting such threats.
         IDPSs collect logs and evidence useful for forensic analysis and can
         demonstrate compliance with regulatory requirements. They also deter
         attackers by increasing the perceived difficulty and risk of detection.
IV.      Types of IDPS
      1. Network-Based IDPS (NIDPS)
            -   Monitors network segments and traffic for suspicious activity. It uses
                sensors and management consoles, often requiring SPAN ports or
                mirror ports to access full traffic. It excels at detecting a wide array of
                network-based threats but is limited by encrypted traffic and high-volume
                environments.
      ❖ Advantages
           ➢ Can monitor and protect large segments of network traffic with relatively
                few devices.
            ➢ Operates independently of individual hosts, reducing system resource
              overhead.
            ➢ Effective at detecting external threats, such as DoS attacks, port scans,
              and worms.
            ➢ Generally non-intrusive in passive mode, making it easier to deploy in
              existing networks.
      ❖ Disadvantages
            ➢ Cannot analyze encrypted traffic, limiting visibility into secure sessions
              (e.g., SSL/TLS).
            ➢ May be overwhelmed by high volumes of traffic, reducing detection
              accuracy.
            ➢ Requires access to full network traffic, which may not be available in all
              architectures.
            ➢ Cannot reliably detect attacks that occur within encrypted tunnels or on
              isolated hosts.
            ➢ May lack visibility into local activities on individual systems.
      2. Wireless IDPS
        -   Focuses on wireless traffic and is capable of identifying rogue access
            points, protocol violations, and attacks specific to wireless networks. It
            requires strategic sensor placement and presents challenges in terms of
            cost and physical security.
  ❖ Advantages
      ➢ Specialized detection of threats unique to wireless environments.
      ➢ Can detect rogue access points and devices, which may go unnoticed by
         wired systems.
      ➢ Enables organizations to inventory and monitor all wireless assets in real
         time.
      ➢ More accurate detection due to the limited number of wireless protocols
         and traffic types.
  ❖ Disadvantages
        ➢ Limited to monitoring wireless layers, often unable to analyze upper-layer protocols like TCP/UDP.
       ➢ Signal interference and range limitations can affect detection capability.
       ➢ Physically vulnerable due to deployment in accessible public spaces.
       ➢ Higher costs due to the need for multiple sensors for full coverage.
       ➢ May be susceptible to evasion by attackers using passive or directional
          wireless attacks.
  3. Network Behavior Analysis (NBA)
        -   Monitors traffic flow rather than content, identifying anomalies such as
            unusual communication patterns or excessive data transfer. It can detect
            policy violations, scanning, and certain types of malware activity.
  ❖ Advantages
        ➢ Capable of detecting unknown and emerging threats through anomaly
          analysis.
        ➢ Does not require access to payload data, allowing it to work even with
          encrypted traffic.
        ➢ Effective for internal network monitoring, especially for insider threats or
          misconfigurations.
        ➢ Works well in large-scale environments where packet-based analysis is
          impractical.
  ❖ Disadvantages
        ➢ False positives can occur due to natural traffic variability.
        ➢ Requires time to build a reliable baseline of normal behavior.
            ➢ Limited visibility into specific attack payloads or exploit signatures.
            ➢ May struggle to detect slow, stealthy attacks that do not exceed baseline
              thresholds.
            ➢ High computational and storage overhead for continuous behavioral
              modeling.
      4. Host-Based IDPS (HIDPS)
            -   Installed on individual systems and monitors local file integrity,
                configurations, and log activities. It is highly effective for encrypted data
                and can detect insider threats or changes made at the host level, but
                requires more intensive configuration and management.
      ❖ Advantages
            ➢ Provides deep visibility into system-level activities that network devices
              cannot observe.
            ➢ Can detect insider threats, local exploits, and unauthorized access
              attempts.
            ➢ Works effectively on encrypted sessions, since analysis occurs after
              decryption.
            ➢ Useful for compliance monitoring and protecting sensitive assets on
              critical hosts.
      ❖ Disadvantages
            ➢ Requires individual installation and configuration on each host,
              increasing administrative overhead.
            ➢ Consumes system resources, potentially impacting performance.
            ➢ Vulnerable to host-level tampering or attacks that disable the agent.
            ➢ Cannot detect threats outside its host environment (e.g., lateral
              movement across the network).
            ➢ May produce high volumes of logs and false alerts if not tuned correctly.
 V.      Detection Methods
      1. Signature-Based Detection
            -   An IDPS that uses signature-based detection (sometimes called
                knowledge-based detection or misuse detection) examines network
                traffic in search of patterns that match known signatures—that is,
                preconfigured, predetermined attack patterns. Signature-based
                technology is widely used because many attacks have clear and distinct
                signatures.
      2. Anomaly-Based Detection
            -   Anomaly-based detection (or behavior-based detection) collects
                statistical summaries by observing traffic that is known to be normal.
                This normal period of evaluation establishes a performance baseline
                over a period of time known as the training period. Once the baseline is
                established, the IDPS periodically samples network activity and uses
                statistical methods to compare the sampled activity to the baseline.
      3. Stateful Protocol Analysis
            -   Stateful Protocol Analysis (SPA) uses the opposite of a signature
                approach. Instead of comparing known attack patterns against observed
                traffic or data, the system compares known normal or benign protocol
                profiles against observed traffic. These profiles are developed and
                provided by the protocol vendors. Essentially, the IDPS knows how a
                protocol such as FTP is supposed to work, and therefore can detect
                anomalous behavior.
VI.      Log File Monitors (LFM)
         A log file monitor (LFM) IDPS is similar to an NIDPS. An LFM reviews the log
         files generated by servers, network devices, and even other IDPSs, looking for
         patterns and signatures that may indicate an attack or intrusion is in process or
         has already occurred. This attack detection is enhanced by the fact that the
         LFM can look at multiple log files from different systems, even if they use
         different operating systems or log formats. The patterns that signify an attack
         can be subtle and difficult to distinguish when one system is examined in
         isolation, but they may be more identifiable when the events recorded for the
         entire network and each of its component systems can be viewed as a whole.
         LFM’s purposes are to:
           ● Identify errors, warnings, and other issues that might indicate problems
              with systems or applications.
           ● Track application performance and identify bottlenecks or slow-downs.
           ● Detect security breaches, unauthorized access, or suspicious activities.
           ● Provide information about the root cause of problems and aid in
              diagnosing issues.
         Examples of Log File Monitors
            ➢ SiteScope: A commercial monitoring platform that offers a log file
              monitor for scanning log files for specific entries.
          ➢ Nagios: A popular open-source monitoring system that provides log file
            monitoring capabilities.
          ➢ ELK Stack: A combination of Elasticsearch, Logstash, and Kibana used
             for log management and analysis.
          ➢ OpManager: ManageEngine's OpManager offers agent-based log file
            monitoring, monitoring system and application logs in real-time.
          ➢ LogicMonitor: Provides log file monitoring capabilities for detecting
            events and triggering alerts.
VII.   Security Information and Event Management (SIEM)
       An information management system specifically tasked to collect and correlate
       events and other log data from a number of servers or other network devices
       for the purpose of interpreting, filtering, correlating, analyzing, storing, reporting,
       and acting on the resulting information.
       Many organizations have come to rely on security information and event
       management (SIEM) as a central element to empower a security operations
       center (SOC) to identify and react to the many events, incidents, and attacks
       against the organization’s information systems.
       SIEM’s roots are in the UNIX syslog approach to log file aggregation; for years,
       organizations and security professionals have sought ways to leverage existing
       systems and have them work together to maintain situation awareness, identify
       noteworthy issues, and enable response to adverse events.
     SIEM Operational Capabilities
        ● Real-Time Monitoring: Many attacks remain undetected for extended
          periods, allowing data exfiltration and damage.
        ● 2019 median dwell time was 56 days; SolarWinds attack dwell time
          spanned months.
        ● SIEM systems can integrate contextual data and reduce attacker dwell
          time, improving containment and reducing loss.
HONEYPOTS, HONEYNETS AND PADDED CELL SYSTEMS
 I.   Introduction to Honeypots
      A honeypot is a deliberately deployed decoy system designed to attract
      attackers by appearing to be a legitimate part of the network. Its purpose is not
      to block or repel attacks, but to observe and study malicious behavior in a
      controlled environment. Honeypots do not hold real data or provide actual
      services; rather, they log every interaction in detail. By studying attacker
      methods, organizations can gain valuable intelligence on vulnerabilities, tactics,
      and motives. Honeypots are also used to divert attackers from critical systems
      and to buy time for response teams to intervene.
      Honeypots are cybersecurity mechanisms that mimic real systems to attract
      and analyze attacks. They are categorized based on their deployment and the
      level of interaction they allow:
      1. Based on Deployment:
         ● Research Honeypots:
             - Used by researchers to study cyberattack strategies and develop
                prevention techniques. These honeypots are not part of a
                production environment but are valuable for academic and
                security research.
         ● Production Honeypots:
              - Deployed within operational networks, they act as decoys
                 containing false information to lure attackers away from actual
                 systems. This provides system administrators time to patch
                 vulnerabilities and enhance defenses.
      2. Based on Interaction:
         ● Low Interaction Honeypots:
              - Simulate only commonly targeted services and offer limited
                 access to attackers. They are easy to deploy and pose low risk
                 since the actual operating system is not exposed. However,
                 skilled attackers can often identify and bypass them.
         ● Medium Interaction Honeypots:
                   -   Allow more interaction than low interaction honeypots by
                       simulating realistic responses and limited activity. They offer
                       better insights while still maintaining a reasonable level of safety.
             ● High Interaction Honeypots:
                   -   Provide full operating system access and simulate real services,
                       making them highly effective in collecting detailed attacker
                       information. However, they are costly, complex to implement, and
                       riskier because a compromised honeypot could be used to attack
                       other systems.
 II.      How Honeypots Work:
       ● Detection and Monitoring:
            - Help security teams understand attacker techniques, patterns, and
                vulnerabilities, including zero-day threats.
       ● Diversion:
            - Redirect attackers from genuine targets, wasting their time and
                resources.
       ● Prevention:
            - Trigger alerts upon unauthorized access, enabling rapid response to
               threats.
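An added example, not code from the module or from any honeypot product, of a low-interaction honeypot in Python that does the three things listed above: it presents a decoy banner, records every interaction in detail (time, peer, size and a hex copy of what was sent, never executed or echoed), and raises an alert on each one because no legitimate user should ever connect. The banner text, the byte cap and the use of a localhost socket on an OS-chosen port are assumptions.

```python
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner; it advertises a service that is not really there.
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n"


class LowInteractionHoneypot:
    """Accepts TCP connections, sends a decoy banner, records a bounded amount
    of whatever the peer sends, and raises an alert for every interaction."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, max_bytes: int = 512):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))  # port 0 = let the OS pick a free one
        self._srv.listen(5)
        self._srv.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self.max_bytes = max_bytes
        self.interactions: list[dict] = []
        self.alerts: list[str] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._srv.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._srv.accept()
            except socket.timeout:
                continue
            self._handle(conn, addr)

    def _handle(self, conn: socket.socket, addr) -> None:
        started = datetime.now(timezone.utc)
        payload = b""
        try:
            conn.settimeout(1.0)
            conn.sendall(DECOY_BANNER)
            while len(payload) < self.max_bytes:  # read a bounded amount only
                chunk = conn.recv(256)
                if not chunk:
                    break
                payload += chunk
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        record = {
            "time": started.isoformat(),
            "peer": f"{addr[0]}:{addr[1]}",
            "bytes": len(payload),
            "payload_hex": payload[:64].hex(),  # stored as hex, never executed
        }
        with self._lock:
            self.interactions.append(record)
            self.alerts.append(f"honeypot touched from {record['peer']} "
                               f"({record['bytes']} bytes)")

    def wait_for(self, count: int, timeout: float = 3.0) -> bool:
        """Block until `count` interactions have been logged."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.interactions) >= count:
                    return True
            time.sleep(0.02)
        return False


def probe(port: int, data: bytes) -> bytes:
    """Constructed local client used only to exercise the decoy; returns the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(128)
        c.sendall(data)
    return banner
```

Because the decoy never runs a real service, the recorded payload is evidence to study, and the alert is the point: the module's "any interaction is suspicious" rule needs no baseline or signature.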
Advantages and Disadvantages of Honeypots:
  ❖ Advantages
       ➢ Provide real-time data on malicious activity.
       ➢ Detect threats even when encrypted communication is used.
       ➢ Consume attacker time and effort on fake systems.
       ➢ Strengthen overall network security.
  ❖ Disadvantages
       ➢ Can be identified by experienced attackers due to behavioral inconsistencies.
       ➢ Have a narrow scope, detecting only direct attacks.
       ➢ May be exploited as a stepping stone to compromise other systems if breached.
       ➢ Vulnerable to fingerprinting, where attackers recognize the honeypot setup.
III.   Honeynets
A honeynet is a more complex implementation that consists of a network of
interconnected honeypots. It simulates a real network environment, offering a broader
and more realistic platform for observing sophisticated intrusions. Honeynets may
contain different types of decoy systems, such as web servers, databases, and
applications, to entice attackers with a variety of targets. This setup provides a deeper
understanding of coordinated attack strategies and techniques used by advanced
threat actors. The data gathered from honeynets is often more comprehensive and
useful for developing defensive strategies.
   What is the difference between a honeypot and honeynet?
   The key difference between a honeypot and a honeynet is their scale and
   structure. A honeypot is a single decoy system designed to attract and monitor
   attackers, while a honeynet is a network of multiple honeypots, often configured
   with real applications and services to mimic a legitimate production
   environment. Honeynets provide deeper insight into attacker behavior and
   tactics by simulating a more realistic and valuable target. Any interaction with a
   honeynet is considered suspicious, as it is not intended for legitimate users.
IV.   Padded Cell Systems
      A padded cell system combines the features of an intrusion detection system
      with a secure, isolated environment in which suspected attackers are placed.
      Once an IDPS detects an unauthorized intrusion attempt, it redirects the
      intruder to the padded cell. This system is a monitored environment that mirrors
      a legitimate system but is isolated from the actual network to prevent any harm.
      The attacker remains unaware of the redirection and continues their activities,
      all of which are logged for analysis. This approach enhances security by
      preventing intrusions from reaching critical assets while simultaneously
      providing valuable forensic and behavioral data.
 V.   Trap-And-Trace Systems
      Trap-and-trace systems are proactive security mechanisms designed to
      lure, detect, observe, and trace attackers within a network. Unlike traditional
      defensive tools that block or ignore threats, trap-and-trace systems aim to
      engage with the attacker to gain intelligence on their methods and possibly
      identify their source.
      Key Components:
         ● Traps (often in the form of honeypots or honeynets): These are decoy
           systems or services intentionally left vulnerable or exposed to attract
           attackers.
         ● Tracing Mechanisms: These include logging tools, packet analyzers,
           and network forensics that record attacker actions and attempt to trace
            the path back to the attacker’s origin.
         ● Data Collection: Every interaction with the trap is logged for further
           analysis, including IP addresses, payloads, tools used, and patterns of
           behavior.
      Primary Goals:
         ● Attribution - Identify who the attacker is or where they are coming from.
         ● Behavior Analysis - Understand the techniques and tactics used during
           the intrusion.
         ● Legal/Investigative Use - Provide data that can be used in legal
           proceedings or for reporting to authorities.
         ● Delay and Diversion - Waste the attacker’s time and resources,
            keeping them away from real assets.
      Limitations:
         ● Attackers may detect the trap and avoid it.
         ● Legal and ethical concerns may arise when interacting with attackers in
           certain jurisdictions.
         ● Requires careful network segmentation to ensure attackers can’t use the
            trap as a launchpad into real systems.
VI.   Active Intrusion Prevention Systems (AIPS)
      A cybersecurity mechanism that not only detects malicious activity but actively
      takes real-time action to prevent or mitigate attacks on a network or
      system. Unlike passive systems that simply monitor and alert, AIPS can block
      traffic, isolate compromised systems, redirect attackers, or modify system
      configurations in response to threats, helping to stop intrusions before they
      cause damage.
Common Active Prevention Techniques:
  ● Automatic Blocking:
       - Shuts down connections from suspicious IPs or accounts.
   ● Dynamic Reconfiguration:
       - Changes firewall rules or access policies in response to a threat.
   ● Rate Limiting or Throttling:
        - Slows down communication from sources showing abnormal behavior.
   ● Traffic Redirection:
        - Redirects malicious traffic to controlled environments for observation.
   ● Fake Services:
        - Presents attackers with false but realistic-looking data to distract and
           gather information.
Risks and Challenges:
   ● False positives can result in blocking legitimate users or services.
   ● Requires constant tuning and monitoring to maintain effectiveness.
   ● May escalate attacker behavior or trigger evasion techniques.
Specialized Active Intrusion Prevention Tool: LaBrea
LaBrea is an early and widely recognized tool in active defense, specifically designed
to slow down and trap malicious traffic, rather than simply blocking it.
How LaBrea Works:
   ➔ LaBrea listens for unused IP addresses in a network (i.e., IPs not assigned to
     any real machine).
   ➔ When an attacker or worm tries to scan these unused addresses, LaBrea
     responds as if a machine is present.
   ➔ It then opens a connection and intentionally stalls it, sending responses that
     keep the connection alive but unproductive.
   ➔ This creates a "tarpit" effect—malware or scanners become stuck, unable to progress quickly to other targets.
SCANNING AND ANALYSIS TOOLS
I. Introduction to Scanning and Analysis Tools
Scanning and analysis tools are critical components of a security professional’s toolkit,
designed to examine systems, networks, and applications for vulnerabilities,
anomalies, and misconfigurations. These tools are used to discover and analyze
potential attack surfaces, detect unauthorized services, and collect forensic evidence
in case of a security incident.
They are essential for proactive defense, enabling organizations to discover
weaknesses before attackers can exploit them. In addition, these tools help maintain
compliance with regulatory standards, enhance visibility into infrastructure, and
support incident response efforts through logging and behavioral analysis.
II. Scanning and Analysis Tools Categories
   A. Port Scanners
      Port scanners probe target systems to identify open, closed, or filtered ports
      and determine what services are running on them. They send packets to
      specified ports on a host and analyze the response to learn which services are
      accessible.
      They are often used during network reconnaissance to map potential points of
      entry. In defensive contexts, they help administrators audit their networks,
      disable unnecessary services, and harden systems against unauthorized
      access.
   B. Vulnerability Scanners
      Vulnerability scanners systematically inspect systems for known flaws, security
      holes, and misconfigurations by referencing extensive vulnerability databases.
      They assess everything from operating system patches and open ports to
      outdated software versions and insecure configurations.
      These tools enable organizations to prioritize remediation efforts by rating
      vulnerabilities by severity and likelihood of exploitation. They play a key role in
     vulnerability management programs and help demonstrate compliance with
     industry standards like ISO 27001, PCI DSS, and NIST.
  C. Packet Sniffers / Protocol Analyzers
     These tools capture and analyze data packets traversing the network, providing
     detailed insights into the structure, content, and flow of communications. They
     dissect packet headers and payloads to understand what data is being
     transmitted and how it’s formatted.
     Used heavily in network diagnostics and security analysis, they help uncover
     unauthorized data transfers, detect malware communication, and troubleshoot
     performance issues. Their visibility into raw traffic is invaluable during
     investigations of data breaches or suspicious behavior.
  D. Application Protocol Analyzers
     Application protocol analyzers are specialized tools that examine the behavior
     of high-level protocols like HTTP, FTP, DNS, and SMTP to detect misuse or
     protocol-specific attacks. They analyze how data is transmitted at the
     application layer and whether any deviation from expected behavior occurs.
     They are crucial for detecting attacks such as DNS spoofing, HTTP flooding,
     and command injection that target vulnerabilities within legitimate services. By
     focusing on application-layer interactions, these tools can identify sophisticated
     threats that bypass lower-level filters.
  E. Network Behavior Analysis (NBA) Tools
     NBA tools monitor traffic flows and behavior over time to identify anomalies that
     deviate from normal usage patterns. They use statistical and heuristic analysis
     to flag issues such as bandwidth spikes, protocol misuse, and unexpected
     communications.
     These tools are effective at detecting zero-day threats, worms, and insider
     threats that signature-based systems may miss. They are especially useful in
     environments with high data throughput or encrypted traffic where payload
     inspection is limited.
III. Functional Roles of Scanning and Analysis Tools
   Function                    Description
   Asset Discovery             Identifies all systems, devices, and services on a network for inventory and analysis.
   Vulnerability Detection     Scans for security flaws, missing patches, and exploitable configurations.
   Protocol Inspection         Analyzes the use and behavior of network and application protocols.
   Behavioral Monitoring       Establishes baselines and detects deviations that suggest malicious activity.
   Threat Identification       Finds attack patterns, malware indicators, and intrusion attempts.
   Compliance Verification     Checks adherence to internal policies and external regulatory standards.
   Forensic Investigation      Reconstructs incidents using logs, packet captures, and system data.
   Incident Response Support   Supplies alerts, evidence, and recommendations during active threats.
IV. Challenges and Considerations
   ● Many tools are prone to false positives and negatives, which can overwhelm
     analysts or allow threats to slip through.
   ● High-performance environments may experience system strain due to scanning
     and logging processes.
   ● Continuous updates are essential to maintain effectiveness against new threats
     and vulnerabilities.
  ● Encrypted communications often limit the visibility of certain tools, reducing
    their detection capability.
  ● Skilled analysts are needed to configure, interpret, and act on data produced by
    scanning and analysis tools.
  ● Integrating multiple tools into a unified security framework can be technically
    complex but is necessary for maximum visibility.
CASE EXERCISES
       Miller Harrison was still working his way through his attack protocol. Nmap started as it usually did, by giving the program identification and version number. Then it started reporting back on the first host in the SLS network. It reported all of the open ports on this server. The program moved on to a second host and began reporting back the open ports on that system, too. Once it reached the third host, however, it suddenly stopped. Miller restarted Nmap, using the last host IP address as the starting point for the next scan. No response. He opened another command window and tried to ping the first host he had just port-scanned. No luck. He tried to ping the SLS firewall. Nothing. He happened to know the IP address for the SLS edge router. He pinged that and got the same result. He had been “blackholed,” meaning his IP address had