Intrusion detection systems (IDSs) aim at detecting malicious or unauthorized activities targeting a network and its resources. Usually engineered as self-contained applications, current IDSs are limited in protecting collaborative computing environments, like grids, whose security amplifies the concerns about intrusions and motivates advanced organizing paradigms and technical solutions for effective attack detection. We envision a new generation of IDSs defined by a set of services supporting security managers in improving the overall network security. Specifically, we show how to model the ID processes as a set of plans that a security manager may go through on a network of cooperative nodes interacting with one another in order to offer or to ask for services. Services correspond to specialized ID tasks and encapsulate problem solving and simulation capabilities. Complex ID activities are expressed by workflows, the focus being on flexibility, reuse and interoperability of ID services. Some implementation hints are suggested.