This　paper　presents　a　network　early-warning　architecture　based　on　intrusion　detection　using　mobile　agent.　This　model　can　predict　potential　attacks　based　on　rules　among　suspicious　events,　which　are　produced　by　basic　intrusion　detection　module.　Depending　on　the　current　needs　of　the　deduction　process,　it　can　dispatch　relevant　mobile　agents　to　collect　further　suspicious　events.　The　advantage　of　this　model　is　that:　on　the　one　hand　it　can　lower　network　traffic　and　system　load　because　of　the　use　of　mobile　agent;　on　the　other　hand　it　can　reduce　the　number　of　false　positives,　predict　potential　attacks,　and　furthermore　prepare　the　response　in　advance.　©　2003　IEEE.