In this paper, a novel intrusion behaviour analysis mechanism based on the design of honeynet and the diagnosis of ant colony algorithm has been proposed. In which, there are three modules including the monitor module, track module, and analyzed module developed. The intrusive behaviour is then analysis through the above modules. In the developed honey pot, all of the architecture, database, directory, security parameters are updated dynamically and timely to evade the probe test from the intruders. To record the traverse of an intrusion, the pheromone will be deposited as discovered. In addition, in order to exactly and correctly measure the capability of the intruders, the content of those discovered file, path and database will be updated and the security setting will also be enhanced timely to raise the difficulty of visiting or access again. All of the traversal of intruders and the corresponding behaviour will be analyzed based on ant colony algorithm. Experimental results demonstrate that the proposed IDS mechanism possesses good efficiency and performance.