This is a short post for what could be an article of a response. I recently went to a telecom meeting and one of the keynote speakers was talking about anonmoly(sp?) detection. This place, and many other popping up do intensive scans of your network and then monitor it for changes in bandwidth shaping and over all traffic flow. They target small business, not enterprise level so it may or may not work for you. They spoke about how rule based intrusion detection will eventually split off and do more anonmoly based scanning rather than "known" attacks. Sweet idea.