Portscan Detection

The intrusion detection system tries to recognize port scans, to report them, and to react suitably to the attack. This works much like the recognition of a "SYN flooding" attack: here, too, the "half-open" connections are counted, and a TCP RESET sent by the scanned computer still leaves the connection counted as "half-open".

If a certain number of half-open connections exists between the scanned and the scanning computer, this is reported as a port scan.

Likewise, the receipt of empty UDP packets is interpreted as an attempted port scan.
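The counting rule described above can be sketched as follows. This is an added example, not the product's own code: the threshold of 5, the event tuple layout, and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 5  # assumed value; the text only says "a certain number"
SCANNER, TARGET, CLIENT = "192.0.2.10", "198.51.100.5", "192.0.2.20"

def sample_events():
    """Constructed events: (proto, src, dst, sport, dport, tcp_flags, payload_len)."""
    ev = []
    for i, port in enumerate([21, 22, 23, 25, 80]):
        ev.append(("tcp", SCANNER, TARGET, 40000 + i, port, "S", 0))
        # Open ports answer SYN-ACK, closed ports answer with a RESET.
        reply = "SA" if port in (22, 80) else "RA"
        ev.append(("tcp", TARGET, SCANNER, port, 40000 + i, reply, 0))
    ev += [
        ("tcp", CLIENT, TARGET, 50000, 443, "S", 0),   # normal handshake
        ("tcp", TARGET, CLIENT, 443, 50000, "SA", 0),
        ("tcp", CLIENT, TARGET, 50000, 443, "A", 0),
        ("udp", "192.0.2.30", TARGET, 53000, 161, "", 0),  # empty UDP packet
        ("udp", CLIENT, TARGET, 53001, 53, "", 33),        # UDP with payload
    ]
    return ev

def detect(events, threshold=THRESHOLD):
    """Return alerts as (kind, source, destination) tuples, in event order."""
    half_open = defaultdict(set)  # (initiator, responder) -> {(sport, dport)}
    reported, alerts = set(), []
    for proto, src, dst, sport, dport, flags, plen in events:
        if proto == "udp":
            if plen == 0:
                alerts.append(("udp-empty", src, dst))
            continue
        pair = (src, dst)
        if flags == "S":
            half_open[pair].add((sport, dport))
            if len(half_open[pair]) >= threshold and pair not in reported:
                reported.add(pair)
                alerts.append(("tcp-portscan", src, dst))
        elif flags == "A":
            # Only the initiator's final ACK completes the handshake.
            half_open[pair].discard((sport, dport))
        # A RESET or SYN-ACK from the scanned host changes nothing:
        # the connection stays counted as half-open.
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Because the RESET replies do not decrement the counter, a scan that hits mostly closed ports still reaches the threshold, while the client that completes its handshake never accumulates half-open entries.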