Intrusion Detection Using Double Guard In Multi-Tier Web Applications”: A Survey

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 11, November 2013)

185

“

Intrusion Detection Using Double Guard In Multi-Tier Web

Applications”: A Survey

Sagar Salunke

1

, Prof. Vani Hiremani

2

, Kamlesh Jetha

3

2_{Asst. Professor}

Abstract— Now a day’s computers are widely used for web application. Majority of transanctions are done online these days. Thus data from web server and database server are prone to be hacked easily which relies to provide more security to web applications. To overcome this issue DoubleGuard system is used. Intrusion detection system is used in DoubleGuard system to detect & prevent attacks. DoubleGuard system prevents attacks and prevents user account from intruder from hacking accounts. By using mapping of request and query IDS system can provide security for both web server and database server. The network behavior of user sessions across both the front-end web server and the back- end database is modeled an IDS system. By isolating the flow of information from each web server session the DoubleGuard system solves the problem. The detection accuracy when system attempt to model static and dynamic web requests with the back-end file system and database queries is quantified by DoubleGuard system. For effective detection of different types of attacks system builds correlated models for static websites. This has also been proved true for dynamic requests where both retrieval of information and updates to the back-end database occur using the web-server front end.

Keywords-- DoubleGuard, database server, intruder, web server

I. INTRODUCTION

Over the past decades web dependent services & applications have been increased popularly. Web is used in various daily need tasks such as banking, travel, and social networking. These services typically employ web server in the front end that consist of user interface logic and back end server that employ database server. Due to their regular use for personal, corporate data web dependent services have always been target for attacks. Due to shifting of attention from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system through SQL injection [2]. Intrusion-detection systems aim at detecting attacks against computer systems and networks, or against information systems in general, as it is difficult to provide provably secure information systems and maintain them in such a secure state for their entire lifetime and for every utilization.

But an Intrusion Detection System lack in multi tiered Anomaly Detection (AD) systems that generate models of network behavior for both web and database network interactions. In multi tiered web applications web servers remotely accessible over internet? Back end systems i.e. Database servers are protected from direct remote attacks but they are susceptible to web attacks that consist of web requests as means to exploit back end.

Known attacks by misused traffic patterns or signatures on multitier web architecture can be protected by Intrusion-detection systems [1] [2].Unknown attacks by identifying abnormal network traffic that deviates from normal traffic can be detected by class of Intrusion-detection systems that uses machine learning. However when normal traffic is used to attack web server or database server it become very difficult for web server IDS and database IDS to detect such type of attack. For example if normal user can log in to web server using normal user privileges if he/she can find a way to issue admin-privileged database queries by exploiting vulnerabilities in web server. In such a case neither web server nor database server detect such a type of attack. Because web server IDS would see only typical login user traffic and database server would see only traffic of privileged user. This type of attack using normal traffic can be easily detected if privileged normal user request from web server is not associated with privileged admin user request.

To detect attack using normal traffic in multi tiered web architecture Double Guard system can be used. Double Guard system can employ normal models for user sessions that use both web front end server (HTTP) and database back end server (SQL). In this system each user‟s web session can be assigned to dedicated container using light weight virtualization technique. The container ID can then be used to associate web request with corresponding database queries. So in this system both web server and database server can be protected using casual mapping between them.

(2)

International Journal of Emerging Technology and Advanced Engineering

186 However there is 26 percent overhead in case server is already overloaded. The DoubleGuard container based architecture is suitable for both profiling of casual mapping and future session hijacking attacks. Dedicated container can be used for each client session because if an attacker may be able to compromise single session but the damage is limited to compromised session only other user session are not affected by this.

There is a casual relation between the requests received by web server and those generated for back end database server for websites that do not permit content modification from users. This can be showed using DoubleGuard container in multi tier web architecture. Such a web sites are referred as „static web applications‟. This casual mapping depends on size and functionality of web applications. It does not depend on content changes that can be performed in controlled environment. However there are web applications that allow fixed back end database server modifications. Such a web applications are known as „Dynamic Web Applications‟. These dynamic web applications allow HTTP requests that consist of variable which are depend on user input. Therefore we have to model a casual relationship between front end and back end which is not always deterministic and depends on application logic. However the backend queries can vary depend on value of parameters passed in the HTTP request and application logic. In some cases same application‟s primitive functionality can be triggered by many different web applications. So in these cases, the resulting casual mapping between web server and database request can range from one to many depending on value of variable passed in the web request. To address this challenge while building casual mapping model for dynamic web pages an individual training model is generated for basic request those are provided by web services.

II. RELATED WORK

There are two types of network Intrusion Detection System namely: Anomaly Detection and Misuse Detection. In anomaly detection an IDS first define and characterize the correct and acceptable static form and dynamic behavior of the system. These stored forms can then be used to detect abnormal forms and anomalous behaviors. Anomaly detection relies on models of normal behavior of computer system. Behavioral models are built by performing statistical analysis of historical data and rule based approach. An anomaly detector then compares actual usage patterns against established profiles to identify abnormal patterns of activity [1] [2].

Misuse detection systems take a complementary approach. Misuse detection systems are equipped with a number of attack descriptions. These descriptions (or “signatures”) are matched against a stream of audit data to find evidence that the modeled attack is occurring [1] [2]. To detect intrusions an IDS uses temporal information. An IDS correlate events on timely basis, which runs the risk of mistakenly considering independent but concurrent events as correlated events. Double Guard uses the container ID for each session to map casually related events whether they may be concurrent or not to overcome such a limitation. Highest level of protection is always provided to database because all valuable information stored in database. So all of the previous approach has been significantly made on database IDS and database firewalls.

The new container-based web server architecture in DoubleGuard enables users to separate the different information flows by each session. By using this it is possible to track the information flow from the web server to the database server for each user session. This approach also does not require users to analyze the source code or know the application logic. For the static webpage, DoubleGuard approach does not require application logic for building a model. However, for dynamic web pages full application logic is not required, to model normal behavior basic user operations is not required. To detect or prevent SQL or Cross Site Scripting (XSS) injection attacks [7], [8] validating input is useful. This is useful to the DoubleGuard approach, which can utilize input validation as an additional defense. However, by taking the structures of web requests and database queries without looking into the values of input parameters DoubleGuard can detect SQL injection attacks. To isolate objects and enhance security performance Virtualization is used. Lightweight virtualizations, such as OpenVZ [6], Parallels Virtuozzo [9], or Linux-VServer [10] are used. Some sort of container concept is used for this virtualization. With containers, a group of processes still appears to have its own dedicated system, yet it is running in an isolated environment. On the other hand, lightweight containers can have considerable performance advantages over full virtualization or para-virtualization. Thousands of containers can run on a single physical host. To isolate different application instances there are also some desktop systems [11], [12] that use lightweight virtualization. Such virtualization techniques are commonly used for isolation and containment of attacks. However, in DoubleGuard, the container ID are utilized to separate session traffic as a way of extracting and identifying causal relationships between web server

(3)

International Journal of Emerging Technology and Advanced Engineering

187 III. DOUBLEGUARD SYSTEM ARCHITECTURE

To improve mechanism to detect intrusions in multitier web applications DoubleGuard system uses lightweight process containers referred to as “containers,” as

ephemeral, disposable servers for client sessions. It is

possible to initialize thousands of containers on a single physical machine, and these virtualized containers can be discarded, reverted, or quickly reinitialized to serve new

sessions.In the classic three-tier model database side, it is

[image:3.612.52.283.311.406.2]

unable to tell which transaction corresponds to which client request. The communication between the web server and the database server is not separated, and we can hardly understand the relationships among them

Fig 1. Classic three-tier model. The web server acts as the front end, with the file and database servers as the content storage back end [14]

This container-based and session-separated web server architecture not only enhances the security performances but also provides us with the isolated information flows that are separated in each container session. It allows us to identify the mapping between the web server requests and the subsequent DB queries, and to utilize such a mapping model to detect abnormal behaviors on a session/client level.

Fig.2. Web server instances running in containers [14].

Once we build the mapping model, it can be used to detect abnormal behaviors. Both the web request and the database queries within each session should be in accordance with the model. If there exists any request or query that violates the normality model within a session,

then the session will be treated as a possible attack.

A. Attack Scenarios

DoubleGuard Intrusion Detection System is effective at capturing the following types of attacks:

1) Privilege Escalation Attack

2) Hijack Future Session Attack

3) Injection Attack

4) Direct DB Attack

B. DoubleGuard Limitations

1) Vulnerabilities Due to Improper Input Processing

To build a mapping model based on the structures of HTTP requests and DB queries the entire user input values are normalized in DoubleGuard [14]. DoubleGuard cannot detect attacks hidden in the values, once the malicious user inputs are normalized. Based on the characterization of input values DoubleGuard offers a complementary approach to those research approaches of detecting web attacks [13].

2) Distributed DoS

DoubleGuard is not designed to mitigate Distributed DoS attacks. These attacks can also occur in the server architecture without the back-end database [14].

IV. DIFFERENT SCHEMES USED IN IMPLEMENTATION OF DOUBLEGUARD SYSTEM

A.Intrusion-Detection System

[image:3.612.52.293.546.663.2]

(4)

International Journal of Emerging Technology and Advanced Engineering

[image:4.612.61.275.345.613.2]

188 Therefore, with respect to this definition, well-known tools such as Cops or Satan are not considered to be intrusion-detection systems; these tools can be considered as configuration analyzers, even though some of their functionalities can be used to detect intrusions. At a very macroscopic level an intrusion-detection system can be described as a detector that processes information coming from the system that is to be protected. Three kinds of information are used by this detector. First one is long-term information related to the technique used to detect intrusions. Second is configuration information about the current state of the system and third one is audit information describing the events that occur on the system. The task of the detector is to eliminate unnecessary information from the audit trail and present a synthetic view of the security-related actions taken by users. Based on probability that these actions can be considered symptoms of an intrusion a decision is made.

Fig. 2 Very simple intrusion-detection system

2) Advantages of Intrusion-Detection System [5]

1) Accuracy

The accuracy of Intrusion Detection System is very good to detect attacks that are based on mismatch types and signatures. To detect such attacks in multitier web applications an IDS uses web IDS and database IDS [5].

2) Performance

The performance of an intrusion detection system is the rate at which audit events are processed. If the performance of the intrusion-detection system is good, then it is possible to detect real-time attack [5].

3) Timeliness

An intrusion-detection system performs and propagates its analysis as quickly as possible so that the security officer able to react before much damage has been done, and also to prevent the attacker from subverting the audit source or the intrusion-detection system itself [5].

4) Limitations of Intrusion-Detection System

Drawbacks of Intrusion Detection System include the difficulty of gathering the required information on the known attacks and keeping it abreast with new vulnerabilities and environments. Also in Intrusion Detection System an attacker can directly attack backend database server [5].

B. GreenSQL

GreenSQL offers a unified, ready-to-use database security solution for all organizations [3]. GreenSQL provides all in one database security and acceleration solution. GreenSQL uses very simplified management along with this GreenSQL offers low maintenance, renewals and threat update subscriptions. GreenSQL can be implemented on dedicated hardware, virtualized on database server or on the application server. GreenSQL is able to secure and accelerate any database in minutes while in learning mode. Based on database usage GreenSQL automatically builds a policy to enable real time compliance. For users GreenSQL hides database server and acts as proxy server. GreenSQL uses Intrusion Detection

System and Intrusion Prevention System to detect known

(5)

International Journal of Emerging Technology and Advanced Engineering

189 Input: Any SQL queries Output: Clean

[image:5.612.51.289.146.363.2]

allowed SQL queries

Fig 4: Simple GreenSQL Architecture [3] 1) Features of GreenSQL

1. Security

GreenSQL provides outbox security using database firewalls [4], virtual patching and IPS/IDS. GreenSQL uses database firewalls that are either query or table based. DB firewalls implements full separation of duties. Virtual patching is used for preventing any known and unknown

attacks that targets database application [3]

.

2. Auditing

GreenSQL provides Advanced Auditing to MySQL,

Microsoft SQL and PostgreSQL Databases provides the option to create a policy based Auditing and have a full detailed information regarding any view‟s or changes to a database, table or column. Database Activity Monitoring only shows who did, when did and what did. Besides this Advance auditing also provides a full “Before and After”

view regarding any change in database, table or column [3].

3. Caching

GreenSQL provides out of the box database caching for basic queries and procedures, supporting Microsoft SQL, MySQL and PostgreSQL. Caching can be enabled or disabled per entire GreenSQL installation or per database, rule, table or even the query [3].

4. Masking

GreenSQL provides out of the box database masking for Microsoft SQL, MySQL and PostgreSQL. GreenSQL masks sensitive information like IP, source address, destination address, application user, application name and time frame [3].

2) Limitations of GreenSQL

GreenSQL is not able to detect attacks like Privilege Escalation Attack, Web server aimed attack, direct database attack [3].

V. FUTURE SCOPE

To protect multitier web applications against attacks is

the mainconcentration point in Intrusion Detection System

using DoubleGuard. We propose a prototype of DoubleGuard using a web server with a back-end DB. We also propose some modification to existing DoubleGuard to increase its performance, reliability in case of static and dynamic web sites. In our prototype, we propose to assign each user session into a different container; however, this will be a design decision. We could maintain a large number of parallel-running Apache instances similar to the Apache threads that the server would maintain in the scenario without containers. If a session timed out, the Apache instance was terminated along with its container. In our prototype we will use 60-minute timeout due to resource constraints of our test server.

VI. CONCLUSION

An intrusion detection system using DoubleGuard builds models of normal behavior for multitiered web applications from both front-end web (HTTP) requests and back-end database (SQL) queries. Unlike previous approaches such as IDS and DoubleGuard that correlated or summarized alerts generated by independent IDSs, DoubleGuard forms container-based IDS with multiple input streams to produce alerts. Such correlation of input streams provides a better characterization of the system for anomaly detection because the intrusion sensor has a more precise normality model that detects a wider range of threats. This is achieved by isolating the flow of information from each web server session with a lightweight virtualization. For static websites, a well-correlated model is built to detect different types of attacks. Moreover, for dynamic requests where

both retrieval of information and updates to the back-end

(6)

International Journal of Emerging Technology and Advanced Engineering

190 DoubleGuard is able to identify a wide range of attacks with minimal false positives. As expected, the number of false positives depended on the size and coverage of the training sessions that are used.

REFERENCES

[1] SANS, “The Top Cyber Security Risks,” http://www.sans.org/ top-cyber-security-risks/, 2011.

[2] “Common Vulnerabilities and Exposures,” http://www.cve. mitre. org/, 2011.Fröhlich, B. and Plate, J. 2000. The cubic mouse: a new device for three-dimensional input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems

[3] greensql, http://www.greensql.net/, 2011.

[4] K. Bai, H. Wang, and P. Liu, “Towards Database Firewalls,” Proc. Ann. IFIP WG 11.3 Working Conf. Data and Applications Security (DBSec ‟05), 2005.

[5] H. Debar, M. Dacier, and A. Wespi, “Towards a Taxonomy of Intrusion-Detection Systems,” Computer Networks, vol. 31, no. 9, pp. 805-822, 1999.

[6] Openvz, http://wiki.openvz.org, 2011.

[7] D. Bates, A. Barth, and C. Jackson, “Regular Expressions Considered Harmful in Client-Side XSS Filters,” Proc. 19th Int‟l Conf. World Wide Web, 2010.Y.T. Yu, M.F. Lau, "A comparison of MC/DC, MUMCUT and several other coverage criteria for logical decisions", Journal of Systems and Software, 2005, in press.

[8] T. Pietraszek and C.V. Berghe, “Defending against Injection Attacks through Context-Sensitive String Evaluation,” Proc. Int‟l Symp. Recent Advances in Intrusion Detection (RAID ‟05), 2005. [9] “Virtuozzo Containers,” http://www.parallels.com/products/ pvc45/,

2011.

[10] Linux-vserver, http://linux-vserver.org/, 2011.

[11] S. Potter and J. Nieh, “Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems,” Proc. USENIX Ann. Technical Conf., 2010.

[12] Y. Huang, A. Stavrou, A.K. Ghosh, and S. Jajodia, “Efficiently Tracking Application Interactions Using Lightweight Virtualization,” Proc. First ACM Workshop Virtual Machine Security 2008

[13] W. Robertson, F. Maggi, C. Kruegel, and G. Vigna, “Effective Anomaly Detection with Scarce Training Data,” Proc. Network and Distributed System Security Symp. (NDSS), 2010.