Preventing Coordinated Attacks Via Distributed Alert Exchange

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Attacks on information systems followed by intrusions may cause large revenue losses. The prevention of both is not always possible by just considering information from isolated sources of the network. A global view of the whole system is necessary to recognize and react to the different actions of such an attack. The design and deployment of a decentralized system targeted at detecting as well as reacting to information system attacks might benefit from the loose coupling realized by publish/subscribe middleware. In this paper, we present the advantages and convenience in using this communication paradigm for a general decentralized attack prevention framework. Furthermore, we present the design and implementation of our approach based on existing publish/subscribe middleware and evaluate our approach for GNU/Linux systems.


💡 Research Summary

The paper addresses the need for a global, real‑time view of an enterprise’s security posture in order to detect and react to coordinated or distributed attacks. Earlier intrusion detection architectures such as DIDS and NetSTAT rely on a centralized analyzer that aggregates audit data from many sensors. While these systems can correlate events, they suffer from inherent bottlenecks, limited scalability, and a single point of failure: when the central node is overloaded or compromised, the entire detection capability collapses. Hierarchical approaches (e.g., GrIDS, EMERALD, AAfID) distribute processing across multiple layers, yet they still funnel large volumes of data upward and retain a vulnerable root component.

To overcome these drawbacks, the authors propose a fully decentralized alert‑exchange framework built on the publish/subscribe (pub/sub) communication paradigm. In a pub/sub system, producers (publishers) emit messages without knowledge of who will consume them, while consumers (subscribers) express interest through content‑based filters. This decoupling eliminates the need for a central broker that knows all participants, thereby improving scalability, fault tolerance, and flexibility for adding new security components.

The implementation uses the open‑source xmlBlaster middleware, which provides a distributed broker overlay capable of handling XML‑based messages. Security agents—such as host‑based IDS modules, network sensors, and file integrity monitors—convert their alerts into the standardized Intrusion Detection Message Exchange Format (IDMEF) and publish them to xmlBlaster topics. Subscribers register XPath or attribute‑based filters that match specific attack signatures (e.g., port scans, anomalous file creation). The broker network forwards messages to local subscribers and propagates them to neighboring brokers according to a hybrid routing algorithm that combines hash‑based topic distribution with content‑based filtering, minimizing duplicate transmissions.
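The two paragraphs above describe the mechanism in the abstract: decoupled producers and consumers, IDMEF alerts, XPath filters, and brokers that forward to neighbours without duplicating traffic. The following is an added, self‑contained illustration written for this page; it is not the authors’ prototype and does not use the xmlBlaster API. It models a two‑node broker overlay in the Python standard library, suppresses duplicates by IDMEF `messageid`, and attaches one subscriber that only a global view can satisfy: a correlator that flags a source once it has scanned three distinct hosts, regardless of which sensor (or which broker) reported each probe. The alerts, IP addresses, analyzer ids and broker names are constructed sample data.

```python
"""Added example (not from the paper or xmlBlaster): a minimal content-based
pub/sub exchange of IDMEF alerts across two brokers. Sample alerts are
constructed for this page. Python 3.8+, standard library only."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
Handler = Callable[[ET.Element], None]


def make_alert(msg_id: str, analyzer: str, classification: str,
               src_ip: str, dst_ip: str) -> str:
    """Build a minimal IDMEF Alert (a subset of RFC 4765) as XML text."""
    return (
        f'<idmef:IDMEF-Message version="1.0" xmlns:idmef="{IDMEF_NS}">'
        f'<idmef:Alert messageid="{msg_id}">'
        f'<idmef:Analyzer analyzerid="{analyzer}"/>'
        f'<idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">'
        f'<idmef:address>{src_ip}</idmef:address></idmef:Address></idmef:Node></idmef:Source>'
        f'<idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">'
        f'<idmef:address>{dst_ip}</idmef:address></idmef:Address></idmef:Node></idmef:Target>'
        f'<idmef:Classification text="{classification}"/>'
        f'</idmef:Alert></idmef:IDMEF-Message>'
    )


class Broker:
    """One node of the overlay. Subscribers register an XPath filter
    (ElementTree's XPath subset); matching alerts are delivered locally and
    every alert is forwarded to neighbours once, keyed on the messageid."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.subs: List[Tuple[str, Handler]] = []
        self.peers: List["Broker"] = []
        self.seen: Set[str] = set()   # duplicate suppression / loop breaking

    def link(self, peer: "Broker") -> None:
        self.peers.append(peer)
        peer.peers.append(self)

    def subscribe(self, xpath: str, handler: Handler) -> None:
        self.subs.append((xpath, handler))

    def publish(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        alert = root.find("idmef:Alert", NS)
        msg_id = alert.get("messageid") if alert is not None else None
        if not msg_id or msg_id in self.seen:
            return                        # malformed or already handled: drop
        self.seen.add(msg_id)
        for xpath, handler in self.subs:  # content-based local delivery
            if root.findall(xpath, NS):
                handler(root)
        for peer in self.peers:           # propagate to neighbouring brokers
            peer.publish(xml_text)


class ScanCorrelator:
    """Subscriber that flags a source once it has scanned `threshold`
    distinct hosts, whichever sensor or broker reported each probe."""

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.targets: Dict[str, Set[str]] = defaultdict(set)
        self.flagged: List[str] = []

    def on_alert(self, root: ET.Element) -> None:
        src = root.findtext(".//idmef:Source//idmef:address", namespaces=NS)
        dst = root.findtext(".//idmef:Target//idmef:address", namespaces=NS)
        self.targets[src].add(dst)
        if len(self.targets[src]) >= self.threshold and src not in self.flagged:
            self.flagged.append(src)


def run_demo() -> Dict[str, object]:
    """Two linked brokers, one correlator on A, one file-event consumer on B."""
    a, b = Broker("broker-a"), Broker("broker-b")
    a.link(b)
    corr = ScanCorrelator(threshold=3)
    a.subscribe(".//idmef:Classification[@text='Port scan']", corr.on_alert)
    file_events: List[str] = []
    b.subscribe(".//idmef:Classification[@text='File created']",
                lambda r: file_events.append(r.find("idmef:Alert", NS).get("messageid")))
    # Constructed traffic: one attacker probing three hosts, each probe seen
    # by a different sensor attached to a different broker.
    b.publish(make_alert("m1", "hids-srv1", "Port scan", "203.0.113.7", "10.0.0.1"))
    a.publish(make_alert("m2", "nids-edge", "Port scan", "203.0.113.7", "10.0.0.2"))
    b.publish(make_alert("m3", "hids-srv3", "Port scan", "203.0.113.7", "10.0.0.3"))
    b.publish(make_alert("m3", "hids-srv3", "Port scan", "203.0.113.7", "10.0.0.3"))  # retransmit
    a.publish(make_alert("m4", "nids-edge", "Port scan", "198.51.100.9", "10.0.0.1"))
    a.publish(make_alert("m5", "fim-srv2", "File created", "10.0.0.2", "10.0.0.2"))
    return {
        "flagged": corr.flagged,
        "scan_sources": {s: sorted(t) for s, t in corr.targets.items()},
        "file_alerts_at_b": file_events,
        "alerts_seen_a": len(a.seen),
        "alerts_seen_b": len(b.seen),
    }


if __name__ == "__main__":
    print(run_demo())
```

No single sensor in the run sees more than one probe, so no host‑local rule could fire; the correlator on broker A fires only because broker B forwarded the alerts its sensors published. The `seen` set is what keeps the bidirectional link from echoing every message forever and what silently drops the retransmitted `m3`; a real deployment would additionally need to authenticate publishers, since any node that can inject a well‑formed IDMEF document can otherwise feed the correlator.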

A prototype was deployed on a GNU/Linux testbed consisting of four servers, each running multiple sensors. Two experimental scenarios were evaluated: (1) a stress test generating 500 concurrent IDMEF alerts, and (2) a realistic coordinated attack simulation involving distributed port scanning and denial‑of‑service traffic. Compared with a conventional centralized IDS, the pub/sub framework reduced average alert propagation latency by more than 30 % and cut overall network traffic by roughly 20 % due to efficient routing and selective delivery. Scaling the broker overlay from one to three nodes yielded near‑linear increases in throughput, handling up to 1,200 alerts per second. When a broker was deliberately taken offline, the system recovered alert delivery within a few seconds, demonstrating resilience against single‑node failures.

The authors acknowledge several open issues. The current prototype relies on static filters and fixed topic hierarchies, which may limit detection of sophisticated multi‑stage attacks that require dynamic correlation across diverse data sources. Future work will explore integration of machine‑learning techniques for automatic filter generation, policy‑driven dynamic subscription management, and stronger security guarantees such as TLS‑based authentication and encryption between brokers. Long‑term stability tests in production environments and extensive evaluation against a broader set of attack patterns are also planned.

In summary, the paper presents a compelling case for leveraging publish/subscribe middleware to build a decentralized, scalable, and fault‑tolerant attack‑prevention system. By adopting IDMEF for standardized alert representation and demonstrating practical performance gains on Linux platforms, the work lays a solid foundation for next‑generation collaborative intrusion detection architectures.

