Intrusion‐detection systems (IDS) have been used as part of the security of information and communication technologies infrastructure because it is difficult to ensure that information systems are free from security flaws. In this paper we present a new design of an anomaly IDS. Design and development of the IDS are considered in our 3 main stages: normal behavior construction, anomaly detection and model update. A parametrical mixture model is used for behavior modeling from reference data. The associated Bayesian classification leads to the detection algorithm. A continuous model parameter re‐estimation is discussed as a possible heuristic for model update. Real‐time requirements are presented. Detection and update algorithms for the special case of Gaussian parametrical model are designed and evaluated with respect to their real‐time features in a PC‐like platform without any special hardware requirements. Experiments validating the model are presented as well. © 2003 American Institute of Physics