Figure 4.1 Information Flow in the Knowledge Store Architecture [6]

 In case the IDS on a particular host is killed, another IDS can take over the host

and retain the same state, by looking at the most recent events that were reported by that

host to the knowledge store. Even if the knowledge store is attacked, the other stores in

the network can contribute to the recovery process, with the information that they have

about that cell.

 This design also allows for new rules to be propagated to all hosts of the network.

Thus it is easier to update the rule base on each IDS. In addition to this, knowledge stores

can be queried for more information about an attack, by detectors and response agents.

This allows for specialized sensors to formulate new patterns of attacks, by looking at

events in different cells. Another good feature that arises from this design is that IDSs in