
A Fast Prototyping Framework for Intrusion Detection

Advisor: 田筱榮

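Abstract


Intrusion detection systems are an indispensable part of a security protection architecture, so we study further how they can be improved. Surveying current research, we find that although the many different intrusion detection systems all achieve intrusion detection, none of them lets an administrator easily assemble an intrusion detection system suited to their needs; in other words, current intrusion detection systems provide no means of fast prototyping. Applying a fast prototyping framework to intrusion detection lets administrators work with intrusion detection systems of differing characteristics. In this thesis we try to identify the constituent elements that different intrusion detection systems have in common, in order to make a fast-prototyping intrusion detection system easier to implement. Having identified these common elements, we find that each kind of element can be expressed as a layer, and we therefore propose a multi-layer intrusion detection system. The multi-layer intrusion detection system takes a different view from the commonly seen integrated intrusion detection system, so this thesis explains why and how to use a multi-layer intrusion detection system. Through software pattern analysis the multi-layer intrusion detection system can be presented more concretely; software patterns comprise architectural pattern analysis and design pattern analysis. Architectural pattern analysis examines the overall properties, while design pattern analysis studies the software structure in more depth. In addition, we describe example applications of the system and discuss its execution efficiency, extensibility, detection performance, and so on.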

Parallel Abstract


An intrusion detection system (IDS) is an essential part of the whole security framework; thus we pay much attention to the issue of refining IDSs. From other IDS research, we realize that general IDSs are able to detect intrusions, but hardly let a system administrator easily model a new IDS according to their architecture. Hence, we propose a fast prototyping framework for intrusion detection. In this thesis, we investigate different IDSs and try to find the elements they have in common, which helps make the fast prototyping framework a reality. After observing the main IDS elements, we found that the essential IDS elements can be interpreted as software layers. Hence, a multi-layer IDS (MLIDS) is proposed to accomplish the goal of fast prototyping for intrusion detection. However, the multi-layer IDS design concept is far from the all-in-one IDSs of the past, so we describe why and how to use multiple layers when modeling an IDS with MLIDS. Through software pattern analysis, the MLIDS framework then becomes more concrete and real. Besides the implementation, we show how to add components into layers in the MLIDS framework, and also demonstrate some applications. To justify its fitness for a variety of environments, we discuss its efficiency, capacity, and performance.

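Cited by


吳志聰 (2003). Improving Intrusion Detection System Efficiency with Feature Mining [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200300136
李駿偉 (2002). Quantitative Evaluation of the Performance of Intrusion Detection System Analysis Methods [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200200377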
