In this paper, we propose an intrusion detection system (IDS) based on four approaches: (i) a statistical‐based IDS to reduce detection time; (ii) intertwining the data acquisition phase and the data preprocessing phase to ensure real‐time detection; (iii) a geometric linear similarity measure that improves detection accuracy compared with existing measures; and (iv) multivariate correlation analysis that extracts a subset of strongly correlated features to construct a normal behavioral graph. Based on this graph, we derive the normal profile composed of high‐level features. We use the NSL‐KDD dataset to analyze and evaluate the efficiency of the proposed IDS at detecting denial‐of‐service (DOS) attacks. Experimental results show that the proposed IDS can achieve good results in terms of detection rate and false positive rate. For some DOS attacks, a 100% detection rate is achieved with 1.55% false positive. We also use the KDD99 dataset to compare the proposed IDS with two statistical‐based methods and some data mining and machine learning‐based methods. The comparison study shows that the proposed IDS achieves the best tradeoff between detection rate (99.76%) and false positive rate (0.6%). It also requires just a few microseconds to classify a connection as normal or attack, with low CPU usage and low memory consumption. Copyright © 2014 John Wiley & Sons, Ltd.