DECOUPLING COMPONENTS OF AN ATTACK PREVENTION SYSTEM USING PUBLISH/SUBSCRIBE *

Joaquín García 1, Michael A. Jaeger 2, Gero Mühl 2, and Joan Borrell 1

1 Autonomous University of Barcelona, Dept. of Information and Communications Engineering, Edifici Q, 08193 Bellaterra, Spain
{jgarcia,jborrell}@ccd.uab.es

2 Technical University of Berlin, Institute for Telecommunication Systems, Communication and Operating Systems Group, EN6, Einsteinufer 17, D-10587 Berlin, Germany
{michael.jaeger,g muehl}@acm.org

Abstract

Distributed and coordinated attacks can disrupt electronic commerce applications and cause large revenue losses. Preventing these attacks is not possible by considering only information from isolated sources in the network; a global view of the whole system is necessary to react to the different actions of such an attack. We are currently working on a decentralized attack prevention framework that is targeted at detecting as well as reacting to these attacks. The cooperation between the different entities of this system has been solved efficiently through the use of a publish/subscribe model. In this paper we first present the advantages and convenience of using this communication paradigm for a general decentralized attack prevention framework. Then, we present the design of our specific approach. Finally, we briefly discuss our implementation, which is based on a freely available publish/subscribe message-oriented middleware.

1. Introduction

When attackers gain access to a corporate network by compromising authorized users, computers, or applications, the network and its resources can be-

* This work has partially been funded by the Spanish Ministry of Science and Technology (MCYT) through the project TIC2003-02041 and the Catalan Ministry of Universities, Research and Information Society (DURSI) with its grant 2003FI-126.