on another host can restart the IDS. Furthermore, the crash of an IDS on a host does not affect the functioning of the IDSs on neighboring hosts.

3. It must resist subversion. It must be able to monitor itself. This has not been implemented currently, but it will not be difficult to have a detector periodically match the IDS code against a one-way hash stored in a secure location and raise an error when a discrepancy is found.

4. It must impose minimal overhead on the system where it is running. Our system allows for this by making the core IDS components lightweight. Processing power is required mainly by the detectors and response agents. The architecture does not require the presence of all detectors and response agents. Hence the system can be tailored according to needs.

5. It must be able to be configured according to the security policies of the system. This is not currently implemented, as there is no way for security policies to be transformed into rules that can be used by the IDS.

6. It must be able to adapt to changes in system and user behavior over time. The knowledge sharing mechanism allows for data and information about attacks and new signatures to be propagated to the whole system.

7. It must be able to scale to monitor a large number of hosts. This is done easily with the EGIDEM architecture.

8. It must provide a graceful degradation of service. Bringing the IDS down on one system does not affect the rest of the system. Also, the detectors and response agents can be easily turned on or off without affecting the rest of the IDS.

9. It must allow dynamic reconfiguration. The core IDS components have configuration files that can be changed while the IDS is running. The IDS components periodically scan these files for changes and adjust themselves accordingly. As far as the detectors are concerned, by building interfaces for them, we can have complete control over the detector functionality.

3.6 Summary

This chapter describes the EGIDEM architecture.
It shows how the model can be scaled to a distributed system. It explains the reasons for the EGIDEM design decisions. It also compares our system against the general requirements for an IDS.
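
The self-check proposed under requirement 3 could look like the following added example, which is not part of the EGIDEM implementation (the text states it was not implemented). The function names, the choice of SHA-256 and the directory layout are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(ids_dir: Path) -> dict:
    """Map every IDS file (relative path) to its digest. Taken at install
    time and kept where the monitored host cannot write to it."""
    return {
        p.relative_to(ids_dir).as_posix(): file_digest(p)
        for p in sorted(ids_dir.rglob("*")) if p.is_file()
    }


def check_integrity(ids_dir: Path, baseline: dict) -> list:
    """Return sorted (kind, path) discrepancies; empty list means no change."""
    current = build_baseline(ids_dir)
    findings = []
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual is None:
            findings.append(("missing", name))
        elif not hmac.compare_digest(actual, expected):
            findings.append(("modified", name))
    # Files absent from the baseline, such as a module added after install.
    findings += [("unexpected", n) for n in current if n not in baseline]
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for an installed IDS.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "core.py").write_text("core v1")
        (root / "detector.py").write_text("detector v1")
        baseline = build_baseline(root)
        (root / "core.py").write_text("core v1 (altered)")
        for kind, name in check_integrity(root, baseline):
            print(f"ALERT {kind}: {name}")
```

A detector would call `check_integrity` on a timer and raise its error whenever the returned list is non-empty.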