Papers

Peer-reviewed
2007

Performance evaluation of a multi-stage network event detection scheme for decreasing the false-positive rate for a large number of simultaneous, unknown events

Proceedings of the Sixth International Conference on Networking, ICN'07
  • Tutomu Murase
  • Hiroki Fujiwara
  • Yukinobu Fukushima
  • Masayoshi Kobayashi
  • Tokumi Yokohira

First page
97
Last page
Language
English
Publishing type
Research paper (international conference proceedings)
DOI
10.1109/ICN.2007.71
Publisher
IEEE Computer Society

Change-point detection schemes are a promising approach for detecting network anomalies, such as attacks and epidemics by unknown viruses and worms. They detect those events as change-points. However, they generally also detect false-positive change-points, those caused by other events such as hardware trouble. A scheme is needed that only detects true-positive change-points, caused by attacks and epidemics. True-positive change-points tend to occur simultaneously in very large numbers, while false-positive change-points tend to occur sporadically. We can exclude false-positive change-points by excluding change-points that occur sporadically, based on information gathered from the entire network. In this paper, we propose a multi-stage network event detection scheme that aggregates change-point information from distributed IDSs (Intrusion Detection Systems) and detects the true-positive change-points. Simulation results show that, compared to a scheme using only one IDS, our method always yields a smaller false-positive rate under the constraint that the detection rate of the true-positive change-points must exceed 0.99. © 2007 IEEE.

Link information
DOI
https://doi.org/10.1109/ICN.2007.71
DBLP
https://dblp.uni-trier.de/rec/conf/icn/MuraseFFKY07
URL
http://dblp.uni-trier.de/db/conf/icn/icn2007.html#conf/icn/MuraseFFKY07
ID information
  • DOI : 10.1109/ICN.2007.71
  • DBLP ID : conf/icn/MuraseFFKY07
  • SCOPUS ID : 34948813610
