Invention Grant
- Patent Title: Intrusion detection in communication networks
- Patent Title (Chinese): Communication network intrusion detection
- Application No.: US13517247
- Application Date: 2010-11-22
- Publication No.: US08839430B2
- Publication Date: 2014-09-16
- Inventor: Marko Määttä, Tomi Räty, Tapio Taipale, Jouko Sankala
- Applicant: Marko Määttä, Tomi Räty, Tapio Taipale, Jouko Sankala
- Applicant Address: FI VTT
- Assignee: Teknologian Tutkimuskeskus VTT
- Current Assignee: Teknologian Tutkimuskeskus VTT
- Current Assignee Address: FI VTT
- Agent: Mark M. Friedman
- Priority: FI20096394 20091223
- International Application: PCT/FI2010/051082 WO 20101122
- International Announcement: WO2011/077013 WO 20110630
- Main IPC: G06F11/00
- IPC: G06F11/00; G06F12/14; G08B23/00; H04L29/06; H04L12/26; H04L12/24

Abstract:
An intrusion detection arrangement for communication networks comprising a network activity observer configured to monitor network traffic by the related traffic elements, such as data packets, thereof and to establish traffic profiles relative to the monitored traffic elements, such as one profile per each monitored traffic element, a misuse detector configured to determine a first indication of a probability of the profiled traffic representing malicious activity through co-operation with a model repository comprising at least one model characterizing a known intrusion attack, an anomaly detector configured to determine, at least logically in parallel with the misuse detector, a second indication of a probability of the profiled traffic representing anomalous activity through cooperation with a model repository comprising at least one model characterizing legitimate network activity, and a classifier configured to operate on said first and second indications to generate a classification decision on the nature of the profiled traffic, wherein the applied classification space includes at least one class for legitimate traffic and at least one other class for other traffic such as malicious and/or anomalous traffic. A corresponding method is presented.
Public/Granted literature
- US20120278890A1 INTRUSION DETECTION IN COMMUNICATION NETWORKS Public/Granted day: 2012-11-01