This paper describes a large-scale distributed intrusion detection (ID) architecture based on intrusion detection system (IDS) agents and collaborative attack strategy analysis. The architecture couples distributed IDS agents performing local event analysis with cooperative global ID. Other agent-based approaches have highlighted several advantages over monolithic architectures. This approach specifically focuses on cooperative IDS agents working together by analyzing the intruder's attack strategy and separating local event processing from global analysis. We believe that focusing on the intruder's intent (attack strategy) provides a theme that will help distributed IDS agents work together. Furthermore, strategy analysis creates an opportunity for IDS agents to proactively look ahead for the data most pertinent to current case development. This look-ahead adaptive auditing behavior focuses limited system resources on collecting and auditing those events that are most likely to reveal intrusions.