As a network grows in size and complexity, vulnerabilities within local area and wide area networks increase and become more problematic. In addition, the popularity of intrusion tools and scripts makes it easier for anyone to launch an attack against any unguarded machine. Before an attacker can compromise a specific machine, valuable information, such as which applications are vulnerable, is first gathered. There are numerous techniques for obtaining this information, such as sweeping, scanning and probing. These information-gathering techniques can be divided into two categories: fast attacks and slow attacks. A fast attack can be defined as an attack that uses a large number of packets or connections within a short period of a few seconds. A slow attack, meanwhile, can be defined as an attack that takes much longer, minutes or a few hours, to complete. To detect these attacks, it is necessary to introduce an intrusion detection system (IDS) inside the network. An IDS has the capability to analyze network traffic and recognize incoming and ongoing intrusions. Such systems can be classified into two types, namely signature-based IDS and anomaly-based IDS. A signature-based IDS detects activities that match an attack-pattern signature, whereas an anomaly-based IDS is meant to detect activities that are inconsistent with regular expected usage. The majority of current intrusion detection systems do not differentiate between these two types of attack, fast and slow. Combining both into one detection module may cause considerable delay in the detection process, especially for the fast attack. Therefore, separate detection modules are more practical for achieving better accuracy and faster detection. Early detection of a fast attack is very useful for preventing any further attack on the targeted network and may help reduce the possibility of an attacker gaining access to a vulnerable machine.
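The split into separate fast and slow detection modules can be illustrated with two sliding-window counters run over the same connection records. This is an added example, not code from the original work; the window lengths, the threshold, and all addresses and timings are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed parameters (not from the page): window lengths in seconds and
# the number of distinct (host, port) targets that counts as probing.
FAST_WINDOW, SLOW_WINDOW, THRESHOLD = 5, 3600, 10

class WindowDetector:
    """Alerts when one source reaches `threshold` distinct targets inside `window` seconds."""
    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)  # src -> (timestamp, target) pairs
        self.alerts = {}                  # src -> time of first alert

    def observe(self, ts, src, target):
        q = self.events[src]
        q.append((ts, target))
        while ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        if src not in self.alerts and len({t for _, t in q}) >= self.threshold:
            self.alerts[src] = ts

def classify(records):
    """Run both modules over (ts, src, dst, dport) records; fast takes priority."""
    fast = WindowDetector(FAST_WINDOW, THRESHOLD)
    slow = WindowDetector(SLOW_WINDOW, THRESHOLD)
    for ts, src, dst, dport in sorted(records):
        fast.observe(ts, src, (dst, dport))
        slow.observe(ts, src, (dst, dport))
    verdicts = {src: ("slow", ts) for src, ts in slow.alerts.items()}
    verdicts.update({src: ("fast", ts) for src, ts in fast.alerts.items()})
    return verdicts

# Constructed sample traffic (all addresses and timings are made up).
SAMPLE = (
    # fast scan: 20 ports on one host, 4 probes per second from t=100
    [(100 + i // 4, "10.0.0.5", "192.168.1.10", 20 + i) for i in range(20)]
    # slow scan: 12 ports on one host, one probe every 120 seconds
    + [(i * 120, "10.0.0.9", "192.168.1.10", 20 + i) for i in range(12)]
    # ordinary client: repeated connections to a single service
    + [(i * 10, "10.0.0.7", "192.168.1.20", 443) for i in range(30)]
)

if __name__ == "__main__":
    for src, (kind, ts) in sorted(classify(SAMPLE).items()):
        print(f"{src}: {kind} attack flagged at t={ts}s")
```

With these assumed settings the short-window module flags the fast scan two seconds after its first probe, while the slow scan never fills the short window and is caught only by the long-window module.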