  • Thesis

A Quantitative Performance Evaluation on Intrusion Detection Analysis Methods
(original title: 入侵偵測系統分析方法效能之定量評估)

Advisors: 黃世昆, 田筱榮

Abstract


Intrusion detection is generally divided into two models: anomaly detection and misuse detection. The detection performance of misuse detection depends on collecting a sufficiently large set of attack signatures. The performance of anomaly detection depends on two factors: selecting appropriate detection features (feature selection) and choosing the detection analysis method. Feature selection affects not only detection performance but also the execution efficiency of the whole system: choosing wrong or unnecessary features imposes extra load, lowers throughput, and gives the analysis method nothing useful to work with. This thesis therefore applies data-mining feature classification to dynamically select, for each intrusion type, the features best suited to it. For the analysis method, the main goal is to build an environment behavior model, construct an anomaly detection module on top of it, and derive from that model a set of rules for normal behavior against which intrusions are judged. We implemented each analysis method in the system and ran experiments comparing their detection performance against different intrusions; the methods include neural networks, fuzzy logic, finite state machines and Bayesian networks. To evaluate concretely how well each analysis method detects each kind of intrusion, we studied the various intrusion types and their techniques and designed experiments relating analysis method to detection capability. The experiments cover two attack types, Port-Scan and SYN-Flooder; through qualitative and quantitative analysis we identify the main characteristics that govern intrusion detection performance and thereby find the most suitable analysis method.

English abstract (as given)


We can model intrusion detection behaviors as two different categories: anomaly detection and misuse detection. The major consideration for a good misuse detection system is to accumulate enough attack signatures, while the performance of anomaly detection is largely influenced by two factors: one is how to set up good selection rules for the detection features; the other is to design and implement analysis tools that determine how far observed behavior deviates from normal. Choosing good detection features has an impact not only on detection performance but also on overall execution efficiency. Improper selection of features adds overhead to the system and does not benefit the deployment of analysis tools. We adopt a data mining approach to classify features and dynamically adapt to the most suitable ones. For analysis tool selection, we focus on the environment behavior model: we construct an anomaly detector together with a set of normal-behavior rules for judging intrusions. We have completed a system implementation and conducted experiments analyzing the detection performance of different tools, including neural networks, fuzzy logic, finite state machines, and Bayesian networks. In order to evaluate the detection performance of different analysis tools, we study different intrusion types and assess the relationship between analysis methods and intrusion detection performance. We focus on Port-Scan and SYN-Flooder attacks to conduct the evaluation tests. By qualitative and quantitative analysis, we explore their influence on the detection response and find the most suitable analysis methods.
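The abstract names the three ingredients of the evaluation without showing them: per-source detection features, an analysis method that turns an environment behavior model into rules, and a quantitative score for each attack type. The following is an added example, not code from the thesis, showing one minimal instance of that pipeline for the two attack types the thesis evaluates: a finite-state-machine tracker for the TCP three-way handshake supplies a "half-open connections" feature (the SYN-flood signal), a "distinct target ports" feature supplies the port-scan signal, a threshold profile learned from known-normal hosts plays the role of the behavior model, and the detection rate and false-alarm rate are computed against ground truth. All hosts, ports and packets are constructed for the example; the threshold factor and floor are assumptions, not values from the thesis.

```python
"""Added example, not code from the thesis: handshake FSM, per-source features,
threshold anomaly detection for Port-Scan and SYN-flood, and detection-rate /
false-alarm-rate evaluation. All traffic below is constructed."""
from collections import defaultdict

# Handshake FSM: (state, flags, direction) -> next state. Direction is "c2s"
# (client to server) or "s2c" (server to client); any RST moves to CLOSED.
TRANSITIONS = {
    ("NEW", "S", "c2s"): "SYN_SENT",
    ("SYN_SENT", "SA", "s2c"): "SYN_RECV",
    ("SYN_RECV", "A", "c2s"): "ESTABLISHED",
}
HALF_OPEN = ("SYN_SENT", "SYN_RECV")

SERVER = "10.0.1.5"                                     # constructed addresses
NORMAL_HOSTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3")
SCANNER, FLOODER = "10.0.0.9", "10.0.0.7"
TRUTH = {h: "normal" for h in NORMAL_HOSTS}
TRUTH.update({SCANNER: "port-scan", FLOODER: "syn-flood"})


def build_traffic():
    """Constructed packets as (src, sport, dst, dport, flags) tuples."""
    pkts = []
    for host in NORMAL_HOSTS:                           # complete handshakes
        for port in (22, 80, 443):
            sp = 30000 + port
            pkts += [(host, sp, SERVER, port, "S"),
                     (SERVER, port, host, sp, "SA"),
                     (host, sp, SERVER, port, "A")]
    for port in range(1, 41):                           # scanner probes 40 ports
        sp = 50000 + port
        pkts.append((SCANNER, sp, SERVER, port, "S"))
        if port in (22, 80):                            # open port: scanner resets
            pkts += [(SERVER, port, SCANNER, sp, "SA"), (SCANNER, sp, SERVER, port, "R")]
        else:                                           # closed port: server resets
            pkts.append((SERVER, port, SCANNER, sp, "R"))
    for i in range(60):                                 # flooder never sends the final ACK
        sp = 40000 + i
        pkts += [(FLOODER, sp, SERVER, 80, "S"), (SERVER, 80, FLOODER, sp, "SA")]
    return pkts


def track_handshakes(packets):
    """Run every connection through the FSM; returns {(client, sport, server, dport): state}."""
    conns = {}
    for src, sport, dst, dport, flags in packets:
        if (src, sport, dst, dport) in conns:
            key, direction = (src, sport, dst, dport), "c2s"
        elif (dst, dport, src, sport) in conns:
            key, direction = (dst, dport, src, sport), "s2c"
        elif flags == "S":                              # a SYN opens a new connection
            key, direction = (src, sport, dst, dport), "c2s"
            conns[key] = "NEW"
        else:
            continue                                    # stray packet, no connection
        if flags == "R":
            conns[key] = "CLOSED"
        else:
            conns[key] = TRANSITIONS.get((conns[key], flags, direction), conns[key])
    return conns


def extract_features(packets):
    """Per-source features: distinct (dst, port) targets and half-open connections."""
    feats = defaultdict(lambda: {"distinct_ports": set(), "half_open": 0})
    for src, _, dst, dport, flags in packets:
        if flags == "S":
            feats[src]["distinct_ports"].add((dst, dport))
    for (client, _, _, _), state in track_handshakes(packets).items():
        if state in HALF_OPEN:
            feats[client]["half_open"] += 1
    return {h: {"distinct_ports": len(f["distinct_ports"]), "half_open": f["half_open"]}
            for h, f in feats.items()}


def learn_profile(features, normal_hosts, factor=3, floor=2):
    """Environment behavior model: a threshold per feature, factor x the largest value
    seen on known-normal hosts, with a floor so a zero baseline does not alert on a
    single half-open connection (factor and floor are assumed, not from the thesis)."""
    return {name: max(factor * max(features[h][name] for h in normal_hosts), floor)
            for name in ("distinct_ports", "half_open")}


def classify(features, profile):
    """Rule-based verdict per host; half-open is checked first because a flooder
    also touches only one port and would otherwise look normal on that feature."""
    verdicts = {}
    for host, f in features.items():
        if f["half_open"] > profile["half_open"]:
            verdicts[host] = "syn-flood"
        elif f["distinct_ports"] > profile["distinct_ports"]:
            verdicts[host] = "port-scan"
        else:
            verdicts[host] = "normal"
    return verdicts


def evaluate(verdicts, truth):
    """Confusion-matrix metrics; an attack given the wrong attack label counts as a miss."""
    tp = fp = fn = tn = 0
    for host, v in verdicts.items():
        t = truth[host]
        if t == "normal":
            tn += v == "normal"
            fp += v != "normal"
        else:
            tp += v == t
            fn += v != t
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0}


def run():
    feats = extract_features(build_traffic())
    profile = learn_profile(feats, NORMAL_HOSTS)
    verdicts = classify(feats, profile)
    return feats, profile, verdicts, evaluate(verdicts, TRUTH)


if __name__ == "__main__":
    for part in run():
        print(part)
```

The point of the example is the split the thesis argues for: the features (half-open count, distinct target ports) are computed once, independently of the analysis method, so swapping the threshold rule in `classify` for a trained classifier changes only that function while `evaluate` keeps producing comparable detection and false-alarm rates. Note also why the FSM matters for SYN-flood: a scanner that probes closed ports receives RSTs and leaves no half-open state, so counting raw SYNs alone would not separate the two attack types.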


Cited by


簡嘉煌 (2003). Evaluating Intrusion Detection Systems with a Cost-Benefit Model [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200300492
吳志聰 (2003). Improving Intrusion Detection System Efficiency through Feature Mining [Master's thesis, Chung Yuan Christian University]. Airiti Library. https://doi.org/10.6840/cycu200300136
潘宜蓁 (2009). Intrusion Detection Combining K-means and Differential Evolution [Master's thesis, Tatung University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0081-3001201315104223
