Thinking about the implementation of IDS, I've got a discussion point. Suppose that you are now implementing IDS which you wish to run in real-time. You want to use that IDS in some systems where a great many people's account exist. And it incorperates rule-based penetration identification mechanism with just one rule-base. I think, because there are many people in system, there is a possibility that the IDS would not operate in real-time. It will waste much time in useless comparison or searching processes. So, I think that the system environment should be classified such as banking evironment, academic environment, public service env and office env ... And then, you should make ad-hoc rule-base after specifying the characteristics of each environment. That method , I think, will reduce the processing time for real-time detection. Why IDS should be universal? Why IDS should be independent of the system evironment? I don't know the reason... I want your comments on my idea. Thank you .. nolja@oberon.postech.ac.kr