Distributed network intrusion detection has attracted much attention recently. Our main focus in this work is on zeroday, slowscanning worms, of which no exist ing signatures are available. We organize end hosts into regions based on network knowledge, which we posit is positively correlated to the dependency structure. Lever aging on this organization, we apply different intrusion detection techniques within and across regions. We use a hidden Markov model (HMM) within a region to capture the dependency among hosts, and use sequential hypoth esis testing (SHT) globally to take advantage of the inde pendence between regions. We conduct experiments on DETER, and preliminary results show improvement on detection effectiveness and reduction of communication