## IDS approaches for events ** Misuse-based: ** Detects events that violate system policy. *Snort* is a signature-based open-source IDS system used for misuse detection in this research. ** Anomaly-based: ** Detects events that contain abnormal activity. Uses statistical, heuristic and data mining methods. *Packet header anomaly detector (PHAD)*  and *Network traffic anomaly detector (NETAD)*  are used as *Snort* preprocessors for anomaly detection. ## Hybrid architecture **Preprocessors** (for *Snort)*: Can filter and modify packets before it reaches main detection engine. They can also generate alerts individually. In section 4, researchers explain *Snort* software details for preprocessor source-code integration and their implementation of the hybrid system. ## Evaluation of hybrid system *MIT Lincoln Laboratory IDEVAL dataset* used for evaluation of IDS system. A more detailed explanation and simulation environment information about the dataset can be found in section 5, as well in reference articles [3-5]. https://i.imgur.com/SrAvySJ.png Researchers evaluated *Snort* only, *Snort + PHAD* and *Snort + PHAD + NETAD * (hybrid IDS) variations and compared detection capabilities of each system based on detected intrusion counts. Results can be seen in the figure. Based on results hybrid IDS is the most successful on *IDEVAL dataset*. ## References  Mahoney MV, Chan PK. PHAD: packet header anomaly detection for identifying hostile network traffic. Florida Institute of Technology Technical Report, CS-2001-04.  Mahoney MV. Network traffic anomaly detection based on packet bytes. In Proceedings of ACM-SAC; 2003.  Lippman R, Haines JW, Fried DJ, Korba J, Das K. Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. In Proceedings of the third international workshop on recent advances in intrusion detection, Toulouse, France; 2–4 October 2000. p. 162–82.  Haines JW, Lippman R, Fried DJ, Zissman MA, Tran E, Boswell SB. 1999 DARPA intrusion detection evaluation: design and procedures. MIT Lincoln Laboratory Technical Report, TR-1062, Massachusetts, USA; 2001.  Data set, DARPA intrusion detection evaluation data set; 1999. <http://www.ll.mit.edu/IST/ideval/data/1999/1999_data_index.html> .