DOUBLE GUARD: DETECTING INTRUSIONS IN MULTITIER WEB APPLICATIONS

ABSTRACT
• Internet services and applications
• Increase in application and data complexity
• Multi-tier web application design (1-tier, 2-tier and 3-tier)
• Intrusions: any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
• IDS (Intrusion Detection System): a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station
• Limitation: detecting newly published attacks or variants of existing attacks
• Proposed: an Intrusion Detection System which monitors both the front end and the back end of the multitier design and exposes a wide range of attacks with 100% accuracy

AGENDA
• Introduction
• Intrusion Detection System
• Double Guard Architecture
• Attack Scenarios
• Limitations
• Conclusion
• References
• Acknowledgements

INTRODUCTION
Daily tasks, such as banking, travel, and social networking, are all done via the web. Because they are used so widely for personal and/or corporate data, web services have always been the target of attacks. These attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system.

To protect multi-tiered web services, intrusion detection systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures. The functions of an intrusion detection system are to:
• Monitor and analyze user and system activities
• Analyze system configurations and vulnerabilities
• Assess system and file integrity

A secured network must have the following three features:
• Confidentiality: only authorized people should be able to access the data being transferred through the network.
• Integrity: the integrity of the data should be maintained from its transmission until it is received by the receiver.
• Availability: the network should be resilient to any kind of attack.

1-TIER WEB ARCHITECTURE
• All 3 layers are on the same machine
• All code and processing kept on a single machine
• Presentation, logic and data layers are tightly connected
• Scalability: a single processor means it is hard to increase the volume of processing
• Portability: moving to a new machine may mean rewriting everything
• Maintenance: changing one layer requires changing the other layers

2-TIER WEB ARCHITECTURE
• Database runs on a server, separated from the client
• Easy to switch to a different database
• Presentation and logic layers still tightly connected
• Heavy load on the server
• Potential congestion on the network
• Presentation still tied to business logic

3-TIER WEB ARCHITECTURE
• Each layer can potentially run on a different machine
• Presentation, logic and data layers are disconnected

A TYPICAL 3-TIER ARCHITECTURE
(figure)

DATA MINING TECHNOLOGY
The science of extracting useful information from large data sets or databases.
• Data cleaning: also known as data cleansing; the phase in which noisy data and irrelevant data are removed from the collection.
• Data integration: the stage at which multiple data sources, often heterogeneous, may be combined into a common source.
• Data selection: the step at which the data relevant to the analysis is decided on and retrieved from the data collection.
• Data transformation: also known as data consolidation; the phase in which the selected data is transformed into forms appropriate for the mining procedure.
• Data mining: the crucial step in which clever techniques are applied to extract potentially useful patterns.
• Pattern evaluation: the step in which strictly interesting patterns representing knowledge are identified based on given measures.
• Knowledge representation: the final phase, in which the discovered knowledge is visually represented to the user. This essential step uses visualization techniques to help users understand and interpret the data mining results.

DATA MINING & IDS
The data that an intrusion detection system must analyze, the traffic circulating in the network, has the characteristics of a data mining problem:
• Mass data: even for a small commercial website, the number of messages sent and received is very large.
• Incomplete data: when the network is busy, messages that exceed its carrying capacity are discarded.
• Noisy data: when the network is unstable, message contents may be altered in transit.
Since this data matches the features of the objects of data mining, it is natural to apply data mining technology to intrusion detection.

Data mining is the process of discovering meaningful correlations, patterns and trends among the data by applying statistical, mathematical and machine learning techniques. Data mining techniques, both descriptive and predictive (for instance clustering, classification, feature summary and association rules), can be applied in an intrusion detection system. It has been shown that data mining technology improves the properties of an intrusion detection system: the processing rate increases and the rate of misreporting decreases.

INTRUSION DETECTION SYSTEM
Why should I use an IDS, especially when I already have firewalls, anti-virus tools, and other security protections on my system?
Each security protection addresses a particular security threat to your system, and each has weak and strong points. Only by combining them (a combination sometimes called security in depth) can we protect against a realistic range of security attacks. Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy. IDSs serve as monitoring mechanisms, watching activities and deciding whether the observed events are suspicious. They can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage.

CATEGORIES OF IDS
Misuse detection vs. anomaly detection
• In misuse detection, the IDS identifies illegal invasions by comparing activity to a large database of attack signatures.
• In anomaly detection, the IDS monitors the network segments and compares their state to a normal baseline to detect anomalies.
Network-based vs. host-based systems
• A network-based intrusion detection system (NIDS) identifies intrusions by examining network traffic and monitoring multiple hosts.
• A host-based intrusion detection system examines the activity of each individual computer or host.

LIMITATIONS OF IDS
Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them. However, these IDS cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server.
DoubleGuard is a system used to detect attacks in multi-tiered web services. It creates normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (file or SQL) network transactions.

PROPOSED SYSTEM ARCHITECTURE
(figure)

DOUBLE GUARD
• Composes both a web IDS and a database IDS to achieve more accurate detection.
• Uses a reverse HTTP proxy to maintain a reduced level of service in the presence of false positives.
• Instead of connecting to a database server, web applications first connect to a database firewall. SQL queries are analyzed; if they are deemed safe, they are forwarded to the back-end database server.
• GreenSQL software works as a reverse proxy for DB connections.
• Virtualization is used to isolate objects and enhance security performance.
• CLAMP is an architecture for preventing data leaks even in the presence of attacks. It isolates the code at the web server layer and the data at the database layer.
• OpenVZ (Open Virtuozzo) is based on the Linux kernel and operating system. OpenVZ allows a physical server to run multiple isolated operating system instances, known as containers or Virtual Environments (VEs).

ATTACK SCENARIOS
Privilege Escalation Attack
• Shows how a normal user may use admin queries to obtain privileged information.
• Suppose that an attacker logs into the web server as a normal user, upgrades his/her privileges, and triggers admin queries so as to obtain an administrator's data.
• This attack can never be detected by either the web server IDS or the database IDS.

ATTACK SCENARIOS (CONTINUED)
Hijack Future Session Attack
• Illustrates a scenario wherein a compromised web server can harm all future sessions by not generating any DB queries for normal user requests.
• This class of attacks is mainly aimed at the web server side.
• An attacker usually takes over the web server and therefore hijacks all subsequent legitimate user sessions to launch attacks.
• For instance, by hijacking other user sessions, the attacker can eavesdrop, send spoofed replies, and/or drop user requests.

ATTACK SCENARIOS (CONTINUED)
Injection Attack
• Attacks such as SQL injection do not require compromising the web server.
• Attackers can use existing vulnerabilities in the web server logic to inject data or string content that contains the exploits and then use the web server to relay these exploits to attack the back-end database.

ATTACK SCENARIOS (CONTINUED)
Direct DB Attack
• Illustrates the scenario wherein an attacker bypasses the web server to directly query the database.
• An attacker could also have already taken over the web server and be submitting such queries from the web server without sending web requests.
• Without matched web requests for such queries, a web server IDS could detect neither.
• Furthermore, if these DB queries were within the set of allowed queries, then the database IDS itself would not detect it either.
• However, this type of attack can be caught with the Double Guard approach.

MAPPING RELATIONS
• Deterministic mapping
• Empty query set
• No matched request
• Non-deterministic mapping

IMPLEMENTATION
(figure)

NORMALITY MODEL
The normality model depicts how communications are categorized as sessions and how database transactions can be related to a corresponding session. Client 2 can only compromise VE 2, and the corresponding database transaction set T2 will be the only affected section of data within the database. Moreover, as traffic can easily be separated by session, it becomes possible to compare and analyze the requests and queries across different sessions.
The Double Guard system puts sensors at both sides of the servers. These sensors cannot be attacked and always capture correct traffic information at both ends. Once the mapping model is built, it can be used to detect abnormal behaviours: if any request or query within a session violates the normality model, the session is treated as a possible attack.

PERFORMANCE RESULTS
The figure shows the training process. As the number of sessions used to build the model increased, the false positive rate decreased (i.e., the model became more accurate).
(figure: false positives versus training time in a static website)

LIMITATIONS OF DOUBLE GUARD
• Vulnerabilities due to improper input processing: once the malicious user inputs are normalized, DoubleGuard cannot detect attacks hidden in the values.
• Possibility of evading Double Guard: it is possible for an attacker to discover the mapping patterns by doing code analysis or reverse engineering, and to issue "expected" web requests prior to performing malicious database queries.
• Distributed DoS: DoubleGuard is not designed to mitigate DDoS attacks. These attacks can also occur in a server architecture without the back-end database.

CONCLUSION
• Internet services and applications
• Increase in application and data complexity
• Multi-tier web application design (1-tier, 2-tier and 3-tier)
• Intrusions: any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
• We presented an Intrusion Detection System that builds models for multi-tiered web applications from both the front end (HTTP) and the back end (SQL).
• Double Guard was able to identify a wide range of attacks with minimal false positives.

ACKNOWLEDGEMENT
I would like to express my thanks to the Management of RNSIT, the Director, the Principal, the HOD, the Seminar Guide, the Seminar Coordinators and the Panel Members for the constant support and encouragement.
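The following Python is an added example, not code from the DoubleGuard paper or from this deck, that demonstrates the normality model and the mapping relations described above: it learns, from constructed clean training sessions, which set of SQL query patterns each HTTP request pattern produces, and then checks isolated sessions against that mapping. The session record format, the request and query normalization rules (query string dropped, SQL literals replaced by "?") and the violation categories are assumptions of this example; a non-deterministic mapping is represented as several observed query sets for one request, and an empty query set as a request observed with no queries. The constructed test sessions reproduce the privilege escalation, hijacked session, direct DB and SQL injection scenarios from the slides, and the last one shows the limitation that a payload confined to a literal value is normalized away and goes unnoticed.

```python
import re
from collections import defaultdict

# Assumption: each session is a list of (http_request, [sql_queries]) pairs as
# the two sensors would record them for one isolated user session. A request of
# None stands for queries seen at the database sensor with no web request.

_LITERAL = re.compile(r"'[^']*'|\b\d+\b")  # single-quoted strings, bare integers


def normalize_query(sql):
    """Collapse whitespace and replace literals with '?' so that queries sharing a
    structure but differing only in values map to one pattern."""
    return _LITERAL.sub("?", " ".join(sql.split()))


def normalize_request(request):
    """Keep method and path; drop the query string, which carries user values."""
    method, _, target = request.partition(" ")
    return f"{method} {target.split('?', 1)[0]}"


def build_model(training_sessions):
    """Learn, per request pattern, the query-pattern sets observed in clean
    training traffic. One observed set is a deterministic mapping, several are
    the non-deterministic case, and an empty set marks a request that issues
    no query at all."""
    model = defaultdict(set)
    for session in training_sessions:
        for request, queries in session:
            pattern = frozenset(normalize_query(q) for q in queries)
            model[normalize_request(request)].add(pattern)
    return dict(model)


def check_session(model, session):
    """Return a list of (kind, detail) violations for one isolated session."""
    violations = []
    for request, queries in session:
        patterns = sorted(normalize_query(q) for q in queries)
        if request is None:
            # Queries with no matched request: the direct DB attack case.
            violations.append(("no_matched_request", patterns))
            continue
        req = normalize_request(request)
        if req not in model:
            violations.append(("unknown_request", req))
        elif frozenset(patterns) not in model[req]:
            # The request is known but produced a query set never seen with it.
            violations.append(("mapping_violation", (req, patterns)))
    return violations


# Constructed training sessions (one normal user, one administrator).
TRAINING_SESSIONS = [
    [
        ("GET /static/logo.png", []),
        ("POST /login", ["SELECT id, role FROM users WHERE name = 'alice' AND pw = 'h1'"]),
        ("GET /article?id=17", ["SELECT title, body FROM articles WHERE id = 17"]),
        ("GET /search?q=cats", ["SELECT id, title FROM articles WHERE title LIKE '%cats%'"]),
    ],
    [
        ("POST /login", ["SELECT id, role FROM users WHERE name = 'root' AND pw = 'h2'"]),
        ("GET /admin/users", ["SELECT id, name, role FROM users"]),
    ],
]

# Constructed test sessions, one per scenario from the slides.
TEST_SESSIONS = {
    "normal": [
        ("POST /login", ["SELECT id, role FROM users WHERE name = 'bob' AND pw = 'h3'"]),
        ("GET /article?id=42", ["SELECT title, body FROM articles WHERE id = 42"]),
    ],
    # A normal-user request that also triggers the admin-only query.
    "privilege_escalation": [
        ("GET /article?id=42", ["SELECT title, body FROM articles WHERE id = 42",
                                "SELECT id, name, role FROM users"]),
    ],
    # A compromised web server answers the request without touching the database.
    "hijacked_session": [("GET /article?id=42", [])],
    # A query reaches the database with no web request in the session.
    "direct_db": [(None, ["DELETE FROM articles WHERE id = 42"])],
    # Injected input changes the query structure, which normalization exposes.
    "sql_injection": [
        ("GET /article?id=42%20OR%201%3D1",
         ["SELECT title, body FROM articles WHERE id = 42 OR 1=1"]),
    ],
    # A payload confined to a literal value is normalized away and not detected.
    "hidden_in_value": [
        ("GET /search?q=%3Cscript%3E",
         ["SELECT id, title FROM articles WHERE title LIKE '%<script>alert(1)</script>%'"]),
    ],
}


def demo():
    """Train on the clean sessions and check every test session."""
    model = build_model(TRAINING_SESSIONS)
    return {name: check_session(model, s) for name, s in TEST_SESSIONS.items()}


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:22s} {'clean' if not found else found}")
```

Matching the whole query set of a request exactly is what makes the hijacked session visible: an empty set is only acceptable for requests that were observed issuing no query during training. The same strictness is why the model needs enough training sessions before its false positive rate drops, as the performance slide describes, since every legitimate query set for a request must have been seen at least once.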