An intrusion prevention system (IPS) takes an active response to network traffic that violates a pre-specified rule set. Like a firewall or an intrusion detection system (IDS), an IPS inspects packets for violations. Unlike firewalls, which mostly drop bad traffic, or IDS, which focuses on logging and alerts, an IPS actively adapts to the perceived threat and auto-configures itself to shut down unwanted connections.
For example, suppose an IDS detects what it perceives as a SYN flood attack on an inbound link. An IPS might block the source IP address. It may also do what an IDS does, namely send an alert. There is no hard and fast distinction between IPS, IDS, and firewall. They all filter packets, and all of these functionalities can be mixed and matched on the same appliance. However, depending on the emphasis and on where the device sits on the network, one term or another may provide the most accurate description. Where active response (perhaps informed by some sort of adaptive artificial intelligence) is the central feature, IPS is the best descriptive term.
Like an IDS, an IPS can be focused either on a single host or on an entire network segment. Also like an IDS, an IPS can base its responses on signatures or on anomalies. Intrusion signatures based on a single packet are called atomic. Signatures based on multiple packets are called composite or stateful. Like an IDS, an IPS is subject to false positives and false negatives. False positives are benign events flagged as intrusions. False negatives are intrusions that go unnoticed.
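The SYN flood response and the atomic versus composite distinction described above can be seen together in a small sketch. This is an added example, not code from the source or from any IPS product: the `MiniIPS` class, the packet dictionaries, the threshold, the window, and the choice of SYN+FIN as the atomic signature are all assumptions made for illustration.

```python
from collections import defaultdict, deque

SYN_THRESHOLD = 5      # assumed: unanswered SYNs tolerated per source
WINDOW_SECONDS = 1.0   # assumed: sliding window for the composite signature

class MiniIPS:
    def __init__(self):
        self.blocked = set()                  # sources shut out by the active response
        self.half_open = defaultdict(deque)   # src -> timestamps of unanswered SYNs
        self.alerts = []

    def atomic_match(self, pkt):
        # Atomic signature: decided from one packet (SYN and FIN set together).
        return {"SYN", "FIN"} <= pkt["flags"]

    def composite_match(self, pkt):
        # Composite (stateful) signature: many SYNs from one source inside the
        # window with no ACK completing the handshake.
        q = self.half_open[pkt["src"]]
        if pkt["flags"] == {"ACK"} and q:
            q.popleft()                       # one handshake completed
        elif pkt["flags"] == {"SYN"}:
            q.append(pkt["ts"])
        while q and pkt["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()                       # expire SYNs outside the window
        return len(q) > SYN_THRESHOLD

    def inspect(self, pkt):
        if pkt["src"] in self.blocked:
            return "drop"
        for name, matched in (("atomic:syn+fin", self.atomic_match(pkt)),
                              ("composite:syn-flood", self.composite_match(pkt))):
            if matched:
                self.blocked.add(pkt["src"])                       # IPS: block the source
                self.alerts.append((pkt["ts"], pkt["src"], name))  # IDS: raise an alert
                return "drop"
        return "forward"

def run_sample():
    # Constructed traffic; addresses come from documentation ranges.
    pkts = [{"ts": i * 0.05, "src": "198.51.100.7", "flags": {"SYN"}} for i in range(8)]
    pkts += [{"ts": 0.5, "src": "192.0.2.10", "flags": {"SYN"}},
             {"ts": 0.6, "src": "192.0.2.10", "flags": {"ACK"}},
             {"ts": 0.7, "src": "203.0.113.9", "flags": {"SYN", "FIN"}}]
    ips = MiniIPS()
    verdicts = [ips.inspect(p) for p in pkts]
    return ips, verdicts
```

Lowering `SYN_THRESHOLD` makes a busy but benign client more likely to be blocked (a false positive), while raising it lets a slower flood pass unnoticed (a false negative).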