IDS / IPS
IDPS (intrusion detection and prevention system) means that you want to both detect intrusions and protect against them. Most of the time a distinction is made between an IDS (intrusion detection system, which is passive) and an IPS (intrusion prevention system, which is active).
WAF (Web application firewall)
WAF (https://en.wikipedia.org/wiki/Web_application_firewall) is a technology that originated in the 1990s.
What is it? An HTTP reverse proxy that analyses the HTTP payload going through it.
Examples: ModSecurity (a popular Apache or Nginx module), Cloudflare, Fortinet...
How does it work? A WAF detects and/or blocks attacks based on patterns, statistical analysis, and algorithms such as libinjection. A WAF can also implement useful protections against Denial of Service attacks, since it sits on the network in front of the application.
Drawback: because a WAF has little information on which to base its decisions, it typically suffers from false positives (it blocks legitimate requests, or alerts you about legitimate requests as if they were attacks).
RASP (Runtime Application Security Protection)
RASP (no Wikipedia page yet) is a much more recent protection method.
What is it? A library or SDK that is embedded inside your application code.
Examples: Sqreen, Prevoty, Checkmarx, Contrast Security, ...
How does it work? A RASP modifies the application's runtime behavior (e.g. it will only check for Cross Site Scripting when a page is rendered, not on every incoming HTTP request). It can do everything a WAF can do (since it also has access to the incoming HTTP request), but it can also use more elaborate algorithms (https://blog.sqreen.io/block-sql-injections-not-customers/) since it has access to the context of any library used by the application. This results in zero false positives.
Drawback: a RASP cannot protect web applications against Denial of Service attacks.
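
To make the WAF false-positive problem and the RASP "context" argument above concrete, here is an added example (not from the original page, and not any vendor's or libinjection's actual algorithm). The regex signature, the tokenizer, the `books` table and the sample inputs are constructed assumptions: the WAF-style check sees only the raw parameter, while the RASP-style check runs where the query is built and asks whether the user's value changed the token structure of the final SQL.

```python
import re

# Constructed WAF-style signature: SQL-looking tokens anywhere in a parameter.
WAF_PATTERN = re.compile(r"('|--|\b(union|select|or)\b)", re.IGNORECASE)

def waf_blocks(param: str) -> bool:
    """WAF view: only the raw HTTP parameter is available."""
    return bool(WAF_PATTERN.search(param))

# Minimal SQL tokenizer: quoted strings, numbers, words, single punctuation.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|[^\s\w]")

def sql_shape(query: str) -> list:
    """Reduce a query to its structure by collapsing literals to placeholders."""
    shape = []
    for tok in TOKEN.findall(query):
        if tok.startswith("'") and len(tok) > 1:
            shape.append("STR")
        elif tok.isdigit():
            shape.append("NUM")
        else:
            shape.append(tok.upper())
    return shape

# Hypothetical application query, built by naive string formatting.
TEMPLATE = "SELECT * FROM books WHERE title = '{}'"

def rasp_blocks(param: str, template: str = TEMPLATE) -> bool:
    """RASP view: hooked at query construction, so it sees the final SQL.
    Block only if the user value changes the query's token structure."""
    expected = sql_shape(template.format("x"))   # benign reference value
    actual = sql_shape(template.format(param))
    return actual != expected

def compare(param: str) -> tuple:
    """Return (waf_decision, rasp_decision) for one parameter value."""
    return waf_blocks(param), rasp_blocks(param)

if __name__ == "__main__":
    # Constructed sample inputs: a benign title, a benign title that
    # happens to contain SQL keywords, and a textbook injection string.
    for value in ["Dune", "Select Committee or Union report", "x' OR '1'='1"]:
        waf, rasp = compare(value)
        print(f"{value!r:40} WAF blocks={waf!s:5} RASP blocks={rasp}")
```

The second sample is the false positive: the pattern-based check blocks a legitimate search term, while the structure check lets it through because the final query still has the same shape.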