In the IDS market there are two different disciplines. The first uses signatures to determine whether an attack is happening. The second uses network behavior to determine whether an attack is happening. I am a firm believer that you have to at least have a signature-based IDS to detect known attacks, viruses and malware. Having a behavior-based IDS is definitely useful, but only after you have stopped everything that is already known in the wild.
A researcher at the University of California at Davis has been working on a very interesting way to use a behavior-based IDS to stop zero-day worms.
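To make the contrast between the two disciplines concrete, here is an added toy example (not code from the original post or from the UC Davis research) that runs a signature matcher and a behavior-based worm detector over the same flow records. The signatures, the flow records and the fan-out threshold are all constructed assumptions; the point is that the known probe is caught by its signature while the novel worm, which has no signature, is caught only by its scanning behavior.

```python
# Added example: a toy IDS with a signature matcher and a behavior-based
# worm detector, run over constructed flow records (not real traffic).
from collections import defaultdict

# Constructed signatures for "known" attacks (hypothetical byte patterns).
SIGNATURES = {
    "known-worm-probe": b"\x90\x90\x90\x90GETSHELL",
    "known-backdoor-hello": b"HELLO-BACKDOOR",
}

# Behavior threshold (assumption): a source that contacts more than this many
# distinct destinations on one port within a window looks like a scanning
# worm, whatever its payload contains.
FANOUT_THRESHOLD = 5

def signature_alerts(flows):
    """Return (src, signature name) for every flow whose payload matches a signature."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f["payload"]:
                alerts.append((f["src"], name))
    return alerts

def behavior_alerts(flows, threshold=FANOUT_THRESHOLD):
    """Return (src, dport, fan-out) for sources exceeding the distinct-destination threshold."""
    fanout = defaultdict(set)
    for f in flows:
        fanout[(f["src"], f["dport"])].add(f["dst"])
    return [(src, dport, len(dsts)) for (src, dport), dsts in fanout.items()
            if len(dsts) > threshold]

# Constructed flow records: one known probe, one novel worm sweeping ten hosts,
# one benign HTTP request.
FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445, "payload": b"\x90\x90\x90\x90GETSHELL"},
] + [
    {"src": "10.0.0.9", "dst": f"10.0.0.{i}", "dport": 445, "payload": b"\x00NEWWORM" + bytes([i])}
    for i in range(30, 40)
] + [
    {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 80, "payload": b"GET / HTTP/1.1"},
]

def run(flows=FLOWS):
    """Run both detectors and return their alerts side by side."""
    return {"signature": signature_alerts(flows), "behavior": behavior_alerts(flows)}

if __name__ == "__main__":
    for kind, alerts in run().items():
        print(kind, alerts)
```

Only the known probe from 10.0.0.5 appears in the signature alerts; only the novel worm from 10.0.0.9 appears in the behavior alerts, which is why a deployment wants both.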