SP 800-94 is the Guide to Intrusion Detection and Prevention Systems (IDPS). Which model is described for IDPS?


Multiple Choice

SP 800-94 is the Guide to Intrusion Detection and Prevention Systems (IDPS). Which model is described for IDPS?

Explanation:
The model describes the workflow of an IDPS as detect, analyze, and respond. In practice, sensors and monitoring components continuously look for unusual or known threatening activity (detection). When something is found, the system analyzes the event to decide whether it is a true threat or a false positive, often using signatures, behavioral baselines, and context from multiple data sources (analysis). If the event is deemed malicious or risky, the system takes action to stop or mitigate the threat, such as alerting administrators, dropping offending packets, flagging or blocking certain traffic, or adjusting security policies (response).

This sequence of detecting activity, analyzing it to confirm its magnitude or intent, and responding to mitigate its impact is the framework SP 800-94 uses to describe how IDPS operations are performed. The other models mentioned do not map to the standard IDPS lifecycle: identification/evaluation/mitigation and discovery/containment/eradication are more general or belong to broader incident handling, while protection/monitoring/audit groups activities differently and does not capture the specific detect-analyze-respond cycle of an IDPS.

