An intrusion prevention system is a variation of an intrusion detection system that drops packets that are anomalous based on a chosen criteria. An intrusion prevention system is typically placed on the outer perimeter of a network to prevent intruders from reaching vulnerable machines inside the network, though it can also be placed inside the network in front of systems requiring extra security measures. Unfortunately, intrusion prevention systems, even when properly configured, are susceptible to both false positives and false-negatives. The risk of false positives typically leads organizations to deploy these systems with the prevention capability disabled and only focus on detection. In this paper I propose an expansion to current intrusion prevention systems that combines them with the principles behind honeypots to reduce false positives while capturing attack traffic to improve prevention rules. In an experiment using the Snort-inline intrusion prevention system, I was able to reduce the rate of false positives to zero without negatively impacting the rate of false-negatives. I was further able to capture a successful attack in a way that minimized disruption to legitimate users but allowed the compromised system to be later analyzed to find weaknesses, improve prevention rules, and prevent future attacks.

Library of Congress Subject Headings

Computer security; Computer networks--Security measures; Computer networks--Access control; Cyberterrorism--Prevention

Publication Date


Document Type


Student Type

- Please Select One -


Pan, Yin

Advisor/Committee Member

Yuan, Bo

Advisor/Committee Member

Border, Charles


Note: imported from RIT’s Digital Media Library running on DSpace to RIT Scholar Works in December 2013.


RIT – Main Campus

Plan Codes