Most　of　the　intrusion　detection　models　(IDM)　are　constructed　with　off-line　training　data.　Time-variance　characteristic　of　the　practical　network　system　cannot　be　embodied　in　the　off-line　constructed　IDM.　On-line　updating　of　the　off-line　IDM　with　the　valued　new　samples　is　very　necessary.　In　this　paper,　a　new　on-line　instruction　detection　model　based　on　approximate　linear　dependent　(ALD)　condition　with　linear　latent　feature　extraction　is　proposed　to　address　this　problem.　Specifically,　the　valued　samples　which　can　represent　drift　of　the　practical　network　are　indentified　with　ALD　and　prior　knowledge.　Then,　these　selected　samples　are　used　to　update　the　off-line　IDM　based　on　on-line　latent　feature　extraction　method　and　fast　machine　learning　algorithm　with　sample-based　updating　strategy.　Experiments　based　on　KDD99　data　are　used　to　validate　the　proposed　approach.