DoubleGuard: Intrusion Detection System in Web Application
Miss. Gopale Sheetal S.
sheetal.gopale6@gmail.com
Miss. Gamane Sonali S.
gamane.sonam@gmail.com
Miss. Monica Bachal K.
monicabachal11@gmail.com
Abstract
The Internet plays an important role in daily life and affects the private life of the individual in decisive ways. Web services have moved to a multitier design in which the web server runs the application front-end logic while the back-end data is outsourced to a database or file server.
Over the past few years the growth of web services and applications has made servers an increasingly attractive target for attackers. We implemented DoubleGuard using an Apache web server with MySQL. DoubleGuard provides a secure environment for the application: it monitors web requests together with the database requests they cause, so that it can detect attacks that an independent IDS on either tier alone would be unable to identify.
Keywords
Algorithm, Anomaly detection, Intrusion, IDS.
1. Introduction
Nowadays, web-delivered services such as banking, travel and social networking have become immensely popular as well as highly complex. These services typically employ a web-server front-end that runs the application user-interface logic and a back-end that consists of a database or file server.
To protect multitier web services, IDSs have been widely used to detect known attacks by matching traffic patterns against misuse signatures. A class of IDS that uses machine learning can also detect unknown attacks, by identifying network traffic that deviates from the behavior observed during the IDS training phase.
DoubleGuard [1] takes both web-server and database traffic into account when it builds its mapping profile. For a static website (one whose content cannot be modified by users), we build a direct causal relationship between the requests received by the front-end web server and those generated for the database back-end.
Given prior knowledge of the web application, its functionality and its size, we can generate an accurate causality mapping model. DoubleGuard is intended to work for static websites as well as dynamic websites.
For a static website the application's functionality and size are fixed, so we can build a direct causal relationship between each request received by the front-end web server and the queries it generates for the database back-end; this yields an accurate causality mapping model.
For a dynamic website the parameters and content change, so the causality relationship between front-end and back-end is not always deterministic: it depends on the application logic, and the back-end queries vary with the values of the parameters passed and with the previous application state. The same application logic can therefore be triggered by many different web pages, which results in a one-to-many mapping between web requests and database requests.
2. Technical basics
A network IDS can be classified into two types:
1. Anomaly detection
2. Misuse detection
In anomaly detection, the correct and acceptable static form and dynamic behavior of the system is defined and characterized first. This can then be used to detect changes or anomalous behavior: an anomaly detector compares actual usage patterns against the models already established in order to identify abnormal events. We follow the anomaly detection approach, since we depend on a training phase to build the model of correct behavior. This makes the quality of the training traffic critical: any attack present during training is learned as normal behavior and will not be flagged later.
Misuse detection is the other approach to detecting attacks. In misuse detection, abnormal system behaviour (the attack signatures) is defined first, and any other behaviour is treated as normal. It is the reverse of the anomaly detection approach, which defines normal system behaviour and treats any other behaviour as abnormal.
3. Attack Scenarios
1. Privilege Escalation Attack
Suppose that the website is used by both regular users and administrators. A regular user triggers a web request that maps to a set of user-level SQL queries, while an administrator triggers a web request that maps to a set of admin-level queries.
Now suppose that an attacker logs into the web server as a normal user, modifies his/her details and tries to obtain an administrator's data by triggering the admin-level queries. This attack cannot be detected by an independent IDS, whether a web-server IDS or a database IDS, because both the request and the queries are individually permissible. According to our mapping model, however, the database queries do not match the request that is supposed to have caused them, and therefore we can detect this type of attack. Figure 1 shows how a regular user may use admin queries to obtain privileged information.
Figure 1. Privilege Escalation attack
2. Hijack Future Session Attack
This type of attack happens mainly at the web-server side. An attacker takes over the web server and hijacks all subsequent legitimate user sessions to launch attacks. By hijacking the sessions of other users, the attacker can listen, send spoofed replies and drop user requests. A man-in-the-middle attack, a Denial-of-Service attack or a replay attack are all examples of this category of session hijacking. Figure 2 shows the case where the compromised web server answers hijacked sessions without generating any database queries for normal user requests; under the mapping model those requests should have invoked database queries, so the missing queries reveal the attack.
Figure 2. Hijack Future Session Attack
3. Injection Attack
In this type of attack, an attacker uses an existing vulnerability in the web-server logic to inject data or string content that contains the exploit, and then uses the web server to relay this exploit to attack the back-end database. A SQL injection attack changes the structure of the SQL queries: even though the injected data passes through the web server, the resulting SQL queries have a different structure from the ones the mapping model expects for that request, and are therefore detected.
Figure 3. Injection attack
4. Implementation
Static Model Building Algorithm
Require: Training data set, threshold t
Ensure: The mapping model for a static website
for each session-separated traffic T_i do
    get the different HTTP requests r and DB queries q in this session
    for each different r do
        if r is a request to a static file then
            add r into set EQS
        else
            if r is not in set REQ then
                add r into REQ
            append session ID i to the set AR_r with r as the key
    for each different q do
        if q is not in set SQL then
            add q into SQL
        append session ID i to the set AQ_q with q as the key
for each distinct HTTP request r in REQ do
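Added example (Python, written for this page; it is not the paper's code): the model-building step above run over constructed training traffic, followed by the per-session check that flags the three attack scenarios of Section 3. The page's algorithm breaks off at the comparison loop, so the matching rule used here is an assumption: a request r maps deterministically to a query q when the session-ID sets AR_r and AQ_q are identical and r was seen in more than t sessions; a request with no matching query joins EQS, and a query with no matching request is kept in a separate "no matched request" set. The request strings, query patterns, session layout and threshold are constructed for illustration, and parameter values are assumed to be abstracted away already, as the static-site model requires.

```python
from collections import defaultdict

# Constructed query patterns (parameter values already replaced by "?", as the
# static-site model assumes).  These are not taken from the paper.
LOGIN_Q = "SELECT id, role FROM users WHERE name = ? AND pw = ?"
PROFILE_Q = "SELECT * FROM profiles WHERE uid = ?"
ADMIN_Q = "SELECT name, email, role FROM users"

STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico")


def is_static_file(request):
    """Requests for static files never touch the database (set EQS)."""
    return request.endswith(STATIC_SUFFIXES)


def build_static_model(sessions, threshold):
    """Static Model Building Algorithm over session-separated training traffic.

    sessions: {session_id: (list_of_http_requests, list_of_db_queries)}
    Returns (mapping, eqs, nm):
      mapping - request -> set of queries it deterministically triggers
      eqs     - requests that trigger no query (static files or no match)
      nm      - queries that no request could be matched to
    Raises ValueError when a request was seen in too few sessions to decide
    (the "need more training sessions" outcome).
    """
    eqs, req, sql = set(), set(), set()
    ar = defaultdict(set)  # AR_r: IDs of sessions in which request r appeared
    aq = defaultdict(set)  # AQ_q: IDs of sessions in which query q appeared

    for sid, (requests, queries) in sessions.items():
        for r in set(requests):
            if is_static_file(r):
                eqs.add(r)
            else:
                req.add(r)
                ar[r].add(sid)
        for q in set(queries):
            sql.add(q)
            aq[q].add(sid)

    # Assumed comparison step (the page's pseudocode stops before it):
    # identical session-ID sets mean r always produces q and q is only ever
    # produced by r, i.e. a deterministic mapping.
    mapping, matched = {}, set()
    for r in sorted(req):
        if len(ar[r]) <= threshold:
            raise ValueError(f"{r!r} seen in only {len(ar[r])} sessions; need more training")
        hits = {q for q in sql if aq[q] == ar[r]}
        if hits:
            mapping[r] = hits
            matched |= hits
        else:
            eqs.add(r)  # request that generates no query
    nm = sql - matched  # "no matched request" queries
    return mapping, eqs, nm


def check_session(model, requests, queries):
    """Compare one test session against the model; return sorted alerts."""
    mapping, eqs, nm = model
    alerts, expected = [], set()
    for r in set(requests):
        if r in mapping:
            expected |= mapping[r]
        elif r not in eqs and not is_static_file(r):
            alerts.append(f"request never seen in training: {r}")
    seen = set(queries)
    # A query no request explains: privilege escalation, or an injected query
    # whose structure differs from every trained pattern.
    for q in seen - expected - nm:
        alerts.append(f"query without matching request: {q}")
    # An expected query that never ran: the web server answered on its own,
    # the signature of a hijacked future session.
    for q in expected - seen:
        alerts.append(f"expected query missing: {q}")
    return sorted(alerts)


def make_training_sessions():
    """Eight constructed attack-free sessions; sessions 4 and 8 are admins."""
    sessions = {}
    for i in range(1, 9):
        requests, queries = ["GET /login", "GET /style.css"], [LOGIN_Q]
        if i % 4 == 0:
            requests.append("GET /admin/users")
            queries.append(ADMIN_Q)
        else:
            requests.append("GET /profile")
            queries.append(PROFILE_Q)
        if i % 2 == 1:
            requests.append("GET /about")  # served from disk, no query
        sessions[i] = (requests, queries)
    return sessions


if __name__ == "__main__":
    model = build_static_model(make_training_sessions(), threshold=1)
    user = ["GET /login", "GET /profile"]
    print("normal   ", check_session(model, user, [LOGIN_Q, PROFILE_Q]))
    print("priv-esc ", check_session(model, user, [LOGIN_Q, PROFILE_Q, ADMIN_Q]))
    print("hijacked ", check_session(model, user, []))
    print("injection", check_session(model, ["GET /login"], [LOGIN_Q + " OR 1=1"]))
```

The normal session produces no alert; the privilege-escalation session is flagged because ADMIN_Q has no request in the session that maps to it; the hijacked session is flagged because both expected queries are missing; and the injected login query is flagged twice, once as an unexplained query and once because the trained LOGIN_Q pattern never ran. Raising the threshold to 2 makes the builder refuse the model, since the admin request appears in only two sessions. This check only covers the static, one-to-one case; the one-to-many mapping the page describes for dynamic websites needs a model that tolerates alternative query sets per request.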
5. System Working
MVC
Figure 4. MVC Architecture
Model - The model manages the behavior and data of the application domain, responds to requests for information about its state (usually from the view), and responds to instructions to change state (usually from the controller).
View - The view manages the display of information.
Controller - The controller interprets the mouse and keyboard inputs from the user, informing the model and/or the view to change as appropriate.
STRUTS
Struts provides the Controller portion of the web application. The Controller receives requests from the client (a user running a web browser), decides which business-logic function is to be performed, and then delegates responsibility for producing the next phase of the user interface to an appropriate View component.
6. Security
In our system, the vital information about the application is stored in a secure format. The admin details are also stored safely and, since the system itself exists to provide security, this information is not easily accessible under our architecture.
Conclusion
DoubleGuard is used to detect the well-known attacks on multitier web applications. It is an application-independent system that monitors both the front-end and the back-end. It works for static as well as dynamic websites and provides better security for the data and the web application.
References
[1] Meixing Le, Angelos Stavrou, "DoubleGuard: Detecting Intrusions in Multitier Web Applications". https://cs.gmu.edu/~astavrou/research/2012
[2] Niraj Gaikwad, Swapnil Kandage, Dhanashri Gholap, "DoubleGuard: Detecting & Preventing Intrusions in Multitier Web Applications". http://warse.org/pdfs/2013/ijns02222013
[3] Shaya Potter and Jason Nieh, "Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems". https://citeseerx.ist.psu.edu/viewdoc/summary/2009.
[4] Viktoria Felmetsger, "Toward Automated Detection of Logic Vulnerabilities in Web Applications". https://www.usenix.org/events/2010.
[5] William Robertson, "Effective Anomaly Detection with Scarce Training Data". https://www.cs.ucsb.edu/2010.
[6] Autobench, http://www.xenoclast.org/autobench/, 2011.
[7] "Common Vulnerabilities and Exposures," http://www.cve.mitre.org/, 2011.
[8] "Five Common Web Application Vulnerabilities," http://www.symantec.com/connect/articles/fivecommon-web-applicationvulnerabilities, 2011.
[9] httperf, http://www.hpl.hp.com/research/linux/httperf/, 2011.
[10] http_load, http://www.acme.com/software/http_load/, 2011.
[11] Joomla CMS, http://www.joomla.org/, 2011.
[12] Manoj E. Patil, Rakesh D. More, "Survey of Intrusion Detection System in Multitier Web Application". www.ijetae.com
[13] GreenSQL, http://www.greensql.net/, 2011.