Joaquín García

Decentralized Publish-Subscribe System to Prevent Coordinated Attacks via Alert Correlation

We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third party networks. By means of a cooperative scheme based on message passing, the different nodes of this system will collaborate to detect its participation on a coordinated attack and will react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems will demonstrate the practicability of the system.

Anti-correlation as a criterion to select appropriate counter-measures in an intrusion detection framework

Since current computer infrastructures are increasingly vulnerable to malicious activities, intrusion detection is necessary but unfortunately not sufficient. We need to design effective response techniques to circumvent intrusions when they are detected. Our approach is based on a library that implements different types of counter-measures. The idea is to design a decision support tool to help the administrator to choose, in this library, the appropriate counter-measure when a given intrusion occurs. For this purpose, we formally define the notion of anti-correlation which is used to determine the counter-measures that are effective to stop the intrusion. Finally, we present a platform of intrusion detection that implements the response mechanisms presented in this paper.RésuméÉtant donné que les systèmes informatiques sont de plus en plus vulnérables aux activités malveillantes, l’utilisation de la détection d’intrusion est nécessaire mais ne suffit pas. Nous devons élaborer des méthodes efficaces de réaction aux intrusions afin d’arrêter les intrusions détectées. Notre approche est basée sur une bibliothèque de différents types de contre-mesures. L’objectif est d’aider l’administrateur à choisir dans cette bibliothèque la contre-mesure la mieux adaptée quand une intrusion est détectée. Pour ce faire nous définissons formellement la notion d’anti-corrélation qui est utilisée pour sélectionner les contre-mesures permettant d’arrêter l’intrusion. Nous finissons par la présentation d’une plateforme de détection d’intrusion mettant en œuvre les mécanismes présentés dans cet article.

Decoupling Components of an Attack Prevention System Using Publish/Subscribe

Distributed and coordinated attacks can disrupt electronic commerce applications and cause large revenue losses. The prevention of these attacks is not possible by just considering information from isolated sources of the network. A global view of the whole system is necessary to react against the different actions of such an attack. We are currently working on a decentralized attack prevention framework that is targeted at detecting as well as reacting to these attacks. The cooperation between the different entities of this system has been efficiently solved through the use of a publish/subscribe model. In this paper we first present the advantages and convenience in using this communication paradigm for a general decentralized attack prevention framework. Then, we present the design for our specific approach. Finally, we shortly discuss our implementation based on a freely available publish/subscribe message oriented middleware.

An alert communication infrastructure for a decentralized attack prevention framework

The cooperation between the different entities of a decentralized prevention system can be solved efficiently using the publish/subscribe communication model. Here, clients can share and correlate alert information about the systems they monitor. In this paper, we present the advantages and convenience in using this communication model for a general decentralized prevention framework. Additionally, we outline the design for a specific architecture, and evaluate our design using a freely available publish/subscribe message oriented middleware

Protecting on-line casinos against fraudulent player drop-out

Some multiplayer, on-line games rely on the collaboration of all participating players. If a players gamble is aborted, the rest of players cannot continue playing. This behavior can be used by fraudulent players to avoid paying by simply quitting the game before its completion. It is difficult to decide whether a player has left the game in a deliberated, fraudulent way, because there are many factors, both intentional and inadvertent, that can cause the abandonment. This paper presents a fraud detection system that specially fits to such scenarios. By gathering and correlating information held by multiple sources, our approach will help the on-line casino administrator to decide if a player leaving a game is actually cheating. Results of our work can be easily adapted for use against other existing on-line gambling frauds.

Digital chips for an on-line casino

Unlike in traditional environments, e-gambling players must make a beforehand payment to start a game. Most on-line casinos currently solve this problem using prepayment systems where the on-line casino has absolute control over all the transactions among the players. However, this solution poses a great number of problems because of the necessary trust relation between players and the on-line casino managers. To reduce this strong trust relationship with the on-line casino, the authors proposed in this paper the use of a reliable digital chips system, which provides auditing facilities, and can be trusted by external parties. Digital chips, just like physical ones, will be used for players instead of legal course money. A set of cryptographic protocols will protect the different actions that players can perform using these digital chips.

Mechanisms for attack protection on a prevention framework

Current research in intrusion detection systems (IDSs), targeted towards preventing computer attacks, is mainly focused on improving detection and reaction mechanisms, without presetting the protection of the system itself. This way, if an attacker compromises the security of the detection system, she may be able to disarm the detection or reaction mechanisms, as well as delete log entries that may reveal her actions. Given this scenario, we introduce in this paper the use of an access control mechanism, embedded into the operating systems kernel, to handle the protection of the system itself once it has been compromised by an attacker

Secure agent-based management for pervasive environments

A typical pervasive computing scenario may consist of a wide range of devices interconnected through ad-hoc networks. One of the problems that pervasive computing introduces is the management and interaction between these devices, as well as the security implications of this management. We present in this paper an architecture, which provides initial mechanisms to solve these problems. Inspired by trust management systems, our architecture is built on top of a multi-agent system. However, our proposal is sufficiently open to allow the integration with other technologies. Results of our work can be easily applied to existing pervasive computing software and associated technologies.

Amapola: A Simple Infrastructure for Ubiquitous Computing

In this paper we present a simple framework for the management of entities in ubiquitous computing and ad-hoc networks. It provides mechanisms to identify entities, create and manage groups, and a simple management mechanism to allow the coordination of several entities. The framework is called AMAPOLA, and is built on top of a popular multiagent systems (JADE), although, its simplicity makes it suitable for any kind of environment. The framework provides an modular API, which is easy to use for programmers.