Modes of detection

NIDS and NIPS use different methods to detect suspected intrusions. The two most common detection methods are pattern matching and anomaly detection.

Pattern matching

Intruder detection using pattern matching is also known as misuse detection or signature-based detection. It detects known attacks by their patterns: the specific actions that occur as part of the attack, or their "signatures".

This is similar to identifying criminals from the fingerprints they have left at the scene of a crime. However, to be able to accurately pinpoint the identity of the criminal who was present at the scene of the crime, we need to have his/her fingerprints available in our database. In the same fashion, we need to have the pattern or signature of possible attacks in our database before our IDS/IPS can detect such an event.

Hence, the effectiveness of an IDS that relies on pattern matching is completely dependent on the signature database. Therefore, in an IDS of this type, it is critical to keep the signature database completely up to date.

This dependence is also the greatest weakness of pattern matching. Unless an attack's signature is present in the database, the attack will not be detected and will succeed easily. Hence, the network's susceptibility to zero-day attacks, or even relatively new attacks, is quite high. In addition, a number of common malware-based attacks exploit this weakness: they make a minor modification to the pattern to get past a matcher that looks for specific signatures. Even though the attack is of the same type, the altered signature ensures that the NIDS and NIPS are unable to detect it.

Anomaly detection

Anomaly-based detection is all about the statistical comparison of normal usage patterns with deviations caused by attacks.

To begin with, a baseline profile is established to determine what is normal. Next, actions outside normal parameters are monitored. In this way, we can catch any new intruder on the network whose attack methodology does not have a known attack signature in our NIDS database.

This is similar to a night guard who guards a particular area. He knows from experience what is normal for the area. Anything he sees that does not conform to this normal baseline would be grounds for suspicion on his part.

A major issue with an anomaly detection-based IDS is the high incidence of false positives, because any behavior that seems unusual will be flagged as a possible attack on the network, even if it is not. This can be mitigated in part by advanced heuristics and machine learning.
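As an added example (not code from the book), here is a toy Python detector that runs both methods described above over constructed traffic records: a regex signature for a made-up scanner user agent, and a bytes-per-connection baseline with a z-score threshold. It shows the signature missing a trivially altered variant, the anomaly check catching that variant, and the same check flagging a benign large transfer as a false positive. All event data, the signature name and the `badscan` agent string are invented for this example.

```python
import re
from statistics import mean, pstdev

# Constructed training traffic (bytes per connection) used to build the
# "normal" baseline profile. These values are invented for this example.
BASELINE_BYTES = [180, 210, 195, 220, 205, 190, 215, 200, 185, 210]

# Known-bad patterns. The agent string is a placeholder, not a real indicator.
SIGNATURES = {"known-scanner-agent": re.compile(r"User-Agent: badscan/1\.0")}

# Constructed events to run through both detectors.
EVENTS = [
    {"id": 1, "bytes": 200, "payload": "GET / User-Agent: browser/9"},
    {"id": 2, "bytes": 205, "payload": "GET / User-Agent: badscan/1.0"},
    {"id": 3, "bytes": 6000, "payload": "GET / User-Agent: badscan/1.1"},
    {"id": 4, "bytes": 9000, "payload": "GET /backup.tar User-Agent: browser/9"},
]


def signature_match(event):
    """Names of signatures whose regex matches the payload ([] if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(event["payload"])]


def build_baseline(samples):
    """Summarise 'normal' as mean and population std-dev of bytes per connection."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}


def anomaly_score(event, baseline):
    """z-score of this event's byte count against the baseline profile."""
    if baseline["stdev"] == 0:
        return 0.0
    return (event["bytes"] - baseline["mean"]) / baseline["stdev"]


def classify(events, baseline, threshold=3.0):
    """Run both detectors; return {event id: set of verdict labels}."""
    verdicts = {}
    for ev in events:
        hits = set()
        if signature_match(ev):
            hits.add("signature")
        if abs(anomaly_score(ev, baseline)) > threshold:
            hits.add("anomaly")
        verdicts[ev["id"]] = hits
    return verdicts


if __name__ == "__main__":
    for ev_id, hits in classify(EVENTS, build_baseline(BASELINE_BYTES)).items():
        print(ev_id, sorted(hits) or "clean")
```

Event 2 is caught only by the exact signature, event 3 (same tool, version string changed) slips past the signature and is caught only by the byte-count anomaly, and event 4 (a legitimate backup download) is the anomaly detector's false positive.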
