Traditionally the IDS space has attempted to detect attacks in a serial manner, as packets come in. Various technologies were introduced to provide for modeling of network communication behavior (fragmentation, TCP streaming, etc. . . . ). However, the focus has continued to be on speed of processing, in order to keep up with the packet stream.
This approach is difficult, if not impossible, to maintain if full detection on client-side attacks is desired. Because of the difficulties in processing file formats (offset tables, embedded files and backwards pointer references) and because of the extensive evasion capabilities available to attackers (loose interpretation of file format specifications, encryption, encoding, compression and scripting obfuscation) it is challenging to maintain detection. Add to that the necessity of modeling the behavior of thousands of clients and the requirement to operate at wire-speed becomes unrealistic.
Furthermore, vendor-specific implementation of data capture and data analysis systems typically do not provide for a mechanism to exchange data, each detection system is discrete, with a limited view of incoming data and no understanding if that data has been evaluated before. This approach fails to take advantage of the full investment made in detection technology and introduces an unnecessary amount of overhead to the system.