International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)
A Practical Approach to Intrusion Detection System
for Multilayer Web Services
Prakash Kalavadekar1, Vishal Mogal2
1Associate Professor, SRES's COE, Kopargaon, Maharashtra, India
2Student, SRES's COE, Kopargaon, Maharashtra, India
Abstract- The common technique to detect intrusion is behaviour based. The primary objective of the system is to detect attacks against computer systems or information systems. The proposed system detects malicious actions in a session, analyzes the traffic, and responds according to the protection strategy. This approach mainly concentrates on identifying intrusions in a multitier web environment. It also uses a container architecture to keep each session separate, so that each client's communication occurs in a different channel. A unique session ID is assigned to distinguish each session from the others. When this approach is deployed for a web application it detects a wide range of attacks.
Keywords- Intrusion Detection System, Multitier Architecture, Pattern Mapping, Session ID.
I. INTRODUCTION
In the past few years web services have gained tremendous popularity. At the same time they have also become more complex. Many daily tasks such as travel, banking and social media are all on the web. Such services typically employ a web server front end that runs the application user interface logic, and a database server that consists of a database or file system. Since web services are used everywhere for personal and/or banking related data, multilayer applications have always been the victim of intruders. Because of this, attackers are attracted towards the front end to exploit vulnerabilities of the web environment [1], [2], [3] in order to damage the database system [4] (e.g., direct database attacks [5], [6]). However, very little effort has been made to detect attacks in a multitier environment. In such a multitier web environment, the DB server is frequently protected by a firewall, while the web servers can be accessed from anywhere in the world over the net.
Intrusion detection is mainly used to guard multitier web services, for example to detect unknown attacks by monitoring network traffic for patterns or signatures [7-9]. Independently, the web IDS and the database IDS cannot detect the latest kind of attack attempted by the attacker.
Consider an intruder who logs in to a system with normal-user access; that attacker can then increase his/her privileges and fire admin-level queries to obtain admin-level or highly confidential data. This kind of attack cannot be detected by a web IDS, and it also cannot be detected by a database IDS.
In the approach given in [10], a container architecture, shown in Figure 1, is used to detect attacks in the web environment. This approach creates a normality model which also isolates each user's HTTP request and the equivalent SQL request. A unique ID is given to each container so as to differentiate each session. Queries are also matched so as to identify which SQL query belongs to which HTTP request.
Figure 1. Container architecture
This holds not only for static web services, but also for web services which allow constant back-end data modification; in general we call these dynamic web sites. There is also the possibility that the mapping will not always be deterministic, so we divide the set of queries into various sets such as the no-match query set, the empty query set or the non-deterministic query set.
II. PROPOSED WORK
The query processing and mapping module plays a vital role in the proposed system. There are mainly four sets of queries into which we are going to add queries. Every query from each session should lie in one of these sets, or it is a query outside these sets. Queries outside these sets will be treated as malicious queries.
The four main categories for queries are
- Deterministic set of query
- Empty Query Set
- No matched Request set
- Non-deterministic Mapping
1. Deterministic set of query:
When an HTTP query is fired from a client it comes to the web server; when the requested resource is on the database server, the web server needs to fire a SQL query to get that data from the DB server. These kinds of queries are placed in the deterministic set of query. The following figure shows the working of a deterministic query.
Figure 2. Deterministic query Mapping
2. Empty Query Set:
When a client needs a resource/data from the web service and it is available at the web server itself, no equivalent SQL query is generated. All such HTTP queries are placed in the empty query set. The figure given below shows the mapping for the empty query set.
Figure 3: Empty Query Set
3. No matched Request set:
Sometimes the web server may need data from the database server; in these situations the web server fires SQL queries and gets data from the DB server, but there is no equivalent HTTP request, so these SQL queries are placed in the no matched request set.
Figure 4: No Matched Request
4. Non-deterministic Mapping:
When multiple SQL queries are generated by just changing the parameters in the HTTP query, we are unable to determine which HTTP query should be mapped to which SQL query, so these queries are placed in the non-deterministic mapping set.
The flow construction of the system will be as follows:
1. Implementation 1: This implementation is for user management.
2. Implementation 2: User sessions will be created and handled in this implementation.
3. Implementation 3: This is responsible for processing of queries.
4. Implementation 4: This maps client queries (HTTP) with the corresponding SQL queries.
5. Implementation 5: Generates a record which will display the record of attacks.
Figure 6. Work breakdown structure
A. Implementation 1: user management
This implementation will accept the details of the user in the registration form, where the user will enter his user name and password for his further communication with the system in a secure manner. The probable result of this action should be either a successful or an unsuccessful login.
Algorithm:
1. The registration form will be filled in by a new user.
2. Successful filling of the form will generate a username and password for the user.
3. With the newly generated username and password the user can enter the system.
4. Various HTTP requests and corresponding SQL requests will be generated as the user starts his session.
5. Logging out after session completion.
The login implementation will provide extra security to the system. Because of this no unauthorized user can enter the system. For every new user, filling in the registration form is mandatory, because after submitting it to the server the user will get a username and password with which he can enter the system.
After giving the correct username and password the user will get an alert message of successful login; otherwise it will show a message that you have entered the wrong username or password. Thus this implementation prevents unauthorized access and manages the users.
B. Implementation 2: session handling
The implementation of session handling will accept the HTTP request from the client, Cr, and the SQL query at the server, Sq, as a set of inputs. The output expected from this implementation is a unique session ID for Cr and Sq in the sets ICr and ISq respectively.
Algorithm:
1. For every session do
2. Get the various HTTP requests 'Cr' and database queries 'Sq'; for each different Cr do
3. If request Cr is for a static file then
4. Add Cr into the Empty Query Set (EQS)
5. Else
6. If Cr is not present in the request set then
7. Add Cr into the request set REQ.
8. Add session ID 'i' to the ICr set with Cr as unique key.
9. Now for each different Sq do
10. If Sq is not in the SQL set then
11. Add Sq into the set of SQL queries, SQL.
C. Implementation 3: Processing of query
Processing of query will accept the HTTP query Cr and the equivalent generated SQL query Sq as input to the algorithm. This results in the addition of queries into the various query sets: Empty Query set, No match set, Deterministic map set and Non-deterministic map set.
Algorithm:
1. Ti is assigned separately for every distinct session
2. Accept the various Cr and database queries Sq
3. If request Cr is for a static file then
4. Insert Cr into the Empty Query Set, i.e. EQS
5. Else
6. If Cr is not in the request set of queries then
7. Add Cr into the request set
8. Now for every distinct Sq do
9. If Sq is not in the set of SQL queries then
10. Insert Sq into the set of SQL requests
D. Implementation 4: Query Matching
This implementation will accept the ICr set of requests and the ISq set of queries. Cr will be mapped with the equivalent Sq; this is the output of the query matching module.
Algorithm:
1. For every separate Cr in the set REQ do
2. For every separate database query Sq in the set SQL do
3. Now match the set ICr and the set ISq.
4. If ICr = ISq and Cardinality(ICr) > t then
5. Establish a mapping called deterministic from Cr to Sq
6. Insert Sq into the mapping set MatchSr of Cr
7. Mark Sq as marked in the SQL set of queries
8. Else
9. Accept further queries
10. Return False
11. For every database query Sq in the set SQL do
12. If Sq is unmarked in the set then
13. Insert Sq into the set of queries which are not matched.
14. For every distinct Cr in the set REQ do
15. If Cr has no deterministic matching in the model then
16. Insert Cr into the empty query set
17. Return True
E. Implementation 5: Intrusion Detection
This is the last step, to identify intrusion; here again we need Cr and Sq as the training data set, as input to the algorithm. After taking these inputs, i.e. Cr and Sq, this implementation should detect whether a given set of queries is from an intruder or from a normal user.
1. Privilege Escalation Attack: This type of attack is done by entering the system as a normal user and then, after detecting the low security of the application, the attacker enters the system as a user whose privileges are higher than a normal user's. In the proposed application there is an equivalent mapping for every session. All communication is carried out inside one container only, so once a user enters the system in one container he cannot change his container by any means; if he does so it will be treated as an intrusion. In this way we can avoid the privilege escalation attack.
2. Hijack Future Session Attack: Generally a session is hijacked by the attacker, who then disturbs all other sessions on that server. But this approach is designed in such a way that if there is an attempt to hijack from any session then it can affect only that session. No other sessions will be affected by the intruder.
3. Injection Attack: SQL injection attacks are done by inserting extra parameters into the query to get extra information from the server, since the database server is only responsible for returning the data asked for by what comes towards it in the form of an HTTP request. This approach constructs a normality model which maps each HTTP request with its equivalent generated SQL query. This prevents the injection attack.
4. Direct Database Attack: In this type of attack the attacker fires a SQL query directly to the database server while bypassing the firewall and the security of the DB server. But in the proposed approach, if any query comes directly to the DB server it will not have any matching web request. Also, this communication is not carried through any of the containers, and the query fired by the attacker is not present in any of the sets. So this kind of attack is also identified by the proposed system.
For queries which are not marked, we can check them in the no matched request set. A query which comes directly to the DB server will be treated as a direct database attack.
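The following is an added example, not code from the paper or its authors, that carries Implementations 2 to 5 through in working Python: session-ID sets ICr and ISq are collected per request and per query, deterministic mappings are established where ICr = ISq and Cardinality(ICr) > t, unmarked SQL goes to the no-match set, unmapped requests go to the empty query set, and a new session is then checked against the model. Two details are assumptions of this example rather than anything the paper specifies: HTTP query-string values and SQL literals are replaced by '?' so that requests differing only in parameters share one key (the paper instead files such requests in its non-deterministic set), and a static file is recognized by its suffix. The training sessions, the test sessions, the threshold t=1 and the three alert categories are all constructed here.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# One training session: (session id, HTTP requests Cr, SQL queries Sq). Constructed sample data.
Session = Tuple[int, List[str], List[str]]

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".html")  # assumption: static-file test


def normalize_http(cr: str) -> str:
    """Assumption: replace query-string values with '?' so /account?id=7 and
    /account?id=9 share one request key instead of landing in the non-deterministic set."""
    return re.sub(r"=([^&\s]+)", "=?", cr)


def normalize_sql(sq: str) -> str:
    """Assumption: replace string and numeric literals with '?' for the same reason."""
    sq = re.sub(r"'[^']*'", "?", sq)
    return re.sub(r"\b\d+\b", "?", sq)


def is_static(cr: str) -> bool:
    return cr.lower().endswith(STATIC_SUFFIXES)


class NormalityModel:
    def __init__(self, t: int = 1):
        self.t = t                                    # cardinality threshold of matching step 4
        self.REQ: Set[str] = set()                    # request set
        self.SQL: Set[str] = set()                    # SQL set
        self.EQS: Set[str] = set()                    # empty query set
        self.ICr: Dict[str, Set[int]] = defaultdict(set)   # Cr -> session ids
        self.ISq: Dict[str, Set[int]] = defaultdict(set)   # Sq -> session ids
        self.match: Dict[str, Set[str]] = {}          # deterministic map Cr -> {Sq}
        self.no_match: Set[str] = set()               # SQL with no equivalent HTTP request

    def train(self, sessions: Iterable[Session]) -> "NormalityModel":
        # Implementations 2 and 3: build the per-session ID sets
        for sid, reqs, queries in sessions:
            for cr in map(normalize_http, reqs):
                if is_static(cr):
                    self.EQS.add(cr)
                else:
                    self.REQ.add(cr)
                    self.ICr[cr].add(sid)
            for sq in map(normalize_sql, queries):
                self.SQL.add(sq)
                self.ISq[sq].add(sid)
        # Implementation 4: deterministic matching on identical session-ID sets
        marked: Set[str] = set()
        for cr in self.REQ:
            for sq in self.SQL:
                if self.ICr[cr] == self.ISq[sq] and len(self.ICr[cr]) > self.t:
                    self.match.setdefault(cr, set()).add(sq)
                    marked.add(sq)
        self.no_match = self.SQL - marked             # steps 11-13
        for cr in self.REQ:                           # steps 14-16
            if cr not in self.match:
                self.EQS.add(cr)
        return self

    def check_session(self, reqs: List[str], queries: List[str]) -> List[Tuple[str, str]]:
        """Implementation 5: alerts for one observed session; [] means normal."""
        alerts: List[Tuple[str, str]] = []
        expected: Set[str] = set()
        for cr in map(normalize_http, reqs):
            if cr in self.EQS:
                continue
            if cr not in self.match:
                alerts.append(("unknown_request", cr))
            else:
                expected |= self.match[cr]
        for sq in map(normalize_sql, queries):
            if sq in expected or sq in self.no_match:   # mapped, or known back-end-only SQL
                continue
            if sq in self.SQL:                          # known SQL with no request in this session
                alerts.append(("unmatched_query", sq))
            else:                                       # outside every set: injection / direct DB
                alerts.append(("unknown_query", sq))
        return alerts


TRAINING: List[Session] = [  # constructed sessions
    (1, ["GET /login", "GET /style.css", "GET /account?id=7"],
        ["SELECT pwd FROM users WHERE name='alice'", "SELECT * FROM accounts WHERE id=7"]),
    (2, ["GET /login", "GET /account?id=9"],
        ["SELECT pwd FROM users WHERE name='bob'", "SELECT * FROM accounts WHERE id=9",
         "UPDATE stats SET hits=hits+1"]),
    (3, ["GET /login", "GET /style.css", "GET /account?id=3"],
        ["SELECT pwd FROM users WHERE name='carol'", "SELECT * FROM accounts WHERE id=3",
         "UPDATE stats SET hits=hits+1"]),
    (4, ["GET /login"],
        ["SELECT pwd FROM users WHERE name='dave'", "UPDATE stats SET hits=hits+1"]),
]


def build_model() -> NormalityModel:
    return NormalityModel(t=1).train(TRAINING)


def demo() -> Dict[str, List[Tuple[str, str]]]:
    m = build_model()
    login = "SELECT pwd FROM users WHERE name='eve'"
    return {
        "normal": m.check_session(["GET /login", "GET /account?id=5"],
                                  [login, "SELECT * FROM accounts WHERE id=5"]),
        "escalation": m.check_session(["GET /login"],          # account data without the request
                                      [login, "SELECT * FROM accounts WHERE id=5"]),
        "direct_db": m.check_session([], ["SELECT * FROM users"]),  # no container, no HTTP request
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

The `UPDATE stats` query appears in sessions {2, 3, 4} while no request has that session set, so it lands in the no-match set and is tolerated at detection time, which is exactly why the no-match set exists; a query outside every set is reported rather than silently dropped.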
III. CONCLUSION
This approach is a system to identify intrusions which creates a normality model for a multitier web environment. A lightweight virtualization technique is used to assign a unique ID called the session ID. Unlike the earlier strategies, this forms a container architecture to monitor the request and response traffic. An HTTP request violating the normality model will be considered as an attack. In addition, we can detect attacks of specific types (e.g. direct DB attack, SQL injection attack). The record generated at the admin side will illustrate the particulars of the attacks. The proposed system will be applied to static and dynamic sites to provide more security.
References
[1] SANS, “The Top Cyber Security Risks,” http://www.sans.org/ top-cyber-security-risks/, 2011.
[2] “Five Common Web Application Vulnerabilities,” http://www.symantec.com/connect/articles/five-common-web-application-vulnerabilities, 2011.
[3] “Common Vulnerabilities and Exposures,” http://www.cve. mitre. org/, 2011.
[4] A. Schulman, “Top 10 Database Attacks,” http://www.bcs.org/server.php?show=ConWebDoc.8852, 2011.
[5] Y. Shin, L. Williams, and T. Xie, “SQLUnitgen: Test Case Generation for SQL Injection Detection,” technical report, Dept. of Computer Science, North Carolina State Univ., 2006.
[6] C. Anley, “Advanced Sql Injection in Sql Server Applications,” technical report, Next Generation Security Software, Ltd., 2002.
[7] J. Newsome, B. Karp, and D.X. Song, “Polygraph: Automatically Generating Signatures for Polymorphic Worms,” Proc. IEEE Symp. Security and Privacy, 2005.
[8] H.-A. Kim and B. Karp, “Autograph: Toward Automated Distributed Worm Signature Detection,” Proc. USENIX Security Symp., 2004.
[9] Liang and Sekar, “Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers,” SIGSAC: Proc. 12th ACM Conf. Computer and Comm. Security, 2005.