INTRODUCTION

Intrusions such as viruses, malware, and Trojans are a big challenge for current network security. An intrusion can be defined as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource [1]. In order to mitigate this problem, intrusion detection systems (IDSs), especially network intrusion detection systems (NIDSs), are widely implemented in different network environments aiming to defend against various network attacks. These systems can be roughly classified as signature-based NIDSs and anomaly-based NIDSs. Specifically, a signature-based NIDS like Snort [2] detects an attack mainly based on its stored signatures, where a signature is an expert knowledge-based description of known attacks and exploits. On the other hand, an anomaly-based NIDS like Bro [3] aims to identify an anomaly by comparing pre-established normal profiles with current network events. A profile can be used to represent a normal network connection.