In this paper, we propose an intrusion detection system (IDS) based on four approaches: (i) statistical-based IDS to reduce detection time; (ii) intertwining data acquisition phase and data preprocessing phase to ensure real-time detection; (iii) geometric linear similarity measure that improves detection accuracy compared with existing measures; and (iv) multivariate correlation analysis that extracts a subset of strongly correlated features to construct a normal behavioral graph. Based on this graph, we derive the normal profile composed of high-level features. We use NSL-KDD dataset to analyze and evaluate the efficiency of the proposed IDS at detecting denial-of-service (DOS) attacks. Experimental results show that the proposed IDS can achieve good results in terms of detection rate and false positive rate. For some DOS attacks, 100% detection rate is achieved with 1.55% false positive. We also use KDD99 dataset to compare the proposed IDS with two statistical-based methods and some data mining and machine learning-based methods. Comparison study shows that the proposed IDS achieves the best tradeoff between detection rate (99.76%) and false positive rate (0.6%). It also requires just a few microseconds to classify the connection as normal or attack with low CPU usage and low memory consumption. Copyright © 2014 John Wiley & Sons, Ltd.