As the capabilities of intrusion detection systems (IDSs) advance, attackers may disable organizations' IDSs before attempting to penetrate more valuable targets. To counter this threat, this paper presents an IDS architecture that is resistant to denial-of-service attacks. The architecture frustrates attackers by making IDS components invisible to attackers' normal means of "seeing" in a network. Upon a successful attack, the architecture allows IDS components to relocate from attacked hosts to operational hosts thereby mitigating the attack. These capabilities are obtained by using mobile agent technology, utilizing network topology features, and by restricting the communication allowed between different types of IDS components.