This paper investigates combining Misuse and Anomaly based IDS into one system. Misuse detection consists of defining malicious network traffic and monitoring for it. Anomaly detection consists of defining normal or typical network traffic and then detecting anything else. The perl source code for a prototype NIDS is included (requires TCPDump).
You can download it from the following link: https://packetstormsecurity.com/files/download/30841/kaletonidspaper.pdf
Source: https://packetstormsecurity.com/files/30841/kaletonidspaper.pdf.html