Abstract This thesis presents an empirical study of the activities of malicious software, which is referred as any malicious, unauthorized, or unexpected program or code, to help network security specialists to understand the network attacks caused by this kind of software and thus be able to setup appropriate plans to ensure network security. To get the realistic attack data, we set up a Snort IDS (Intrusion Detection System) outside of a company’s firewall to collect the attack packets coming from Internet. The collecting time period were four months (December of 2004, and March, April and June of 2005). By the management system of IDS and the aided analysis program which was designed for this study, we can analyze the characteristics of attack time, attack source, attack victim. We also can infer the attack tools used by hackers. We found some interesting phenomenon in this study: (1)Hackers would try to attack some target system continuously and repeatedly, (2) netbios attack is the most frequent way that used by hackers, (3)most hackers try to cause the target system and network service unavailable. (4) hackers may use some tools to get the available ports of target system, and use the same way to attack windows and non-windows system.