Decentralized Publish-Subscribe System to Prevent Coordinated Attacks via Alert Correlation

  • Joaquin Garcia
  • Fabien Autrel
  • Joan Borrell
  • Sergio Castillo
  • Frederic Cuppens
  • Guillermo Navarro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3269)


In this paper we present a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third-party networks. By means of a cooperative scheme based on message passing, the different nodes of this system collaborate to detect their participation in a coordinated attack and react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems demonstrates the practicability of the system.


Keywords: Intrusion Detection, Publish-Subscribe Systems, Alert Correlation





Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Joaquin Garcia (1)
  • Fabien Autrel (2)
  • Joan Borrell (1)
  • Sergio Castillo (1)
  • Frederic Cuppens (3)
  • Guillermo Navarro (1)

  1. Universitat Autònoma de Barcelona, Bellaterra, Spain
  2. ONERA-CERT, Toulouse, France
  3. GET/ENST-Bretagne, Cesson Sévigné, France
