DoubleGuard: Intrusion Detection System in Web Application

Miss. Gopale Sheetal S., sheetal.gopale6@gmail.com
Miss. Gamane Sonali S., gamane.sonam@gmail.com
Miss. Monica Bachal K., monicabachal11@gmail.com

Abstract

The Internet plays an important role in our daily life and affects the private life of individuals in decisive ways. Web services have moved to a multitier design in which the web server runs the application front-end logic while the back-end data is outsourced to a database or file server. Over the past few years, the growth of web services and applications has made these servers an increasingly attractive target for attackers. We implemented DoubleGuard using an Apache web server with MySQL. DoubleGuard provides a secure environment for the application: by monitoring each web request together with the database queries it subsequently generates, we can detect attacks that an independent IDS at either tier is unable to identify.

Keywords: Algorithm, Anomaly detection, Intrusion, IDS.

1. Introduction

Nowadays, web-delivered services such as banking, travel and social networking have become immensely popular as well as highly complex. These services typically employ a web server front-end, which runs the application's user interface logic, and a back-end consisting of a database or file server. IDSs have been widely used to protect multitier web services by detecting known attacks, matching traffic against misuse patterns or signatures. A class of IDS that uses machine learning can also detect unknown attacks by identifying network traffic that deviates from the behaviour learned in a previous training phase. DoubleGuard takes both the web server traffic and the database traffic into account when building its mapping profile. For a static website (one whose content users have no permission to modify), we build a direct causal relationship between the requests received by the front-end web server and the queries those requests generate for the database back-end.
With prior knowledge of the web application, its functionality and its size, we can generate an accurate causality mapping model. The DoubleGuard system is useful for static websites as well as dynamic websites. For a static website we build a direct causal relationship between the requests received by the front-end web server and the queries generated for the database back-end; because the application's functionality and size are known, the resulting causality mapping model is accurate. For a dynamic website the parameters and the content change, so the causal relationship between front-end and back-end is not always deterministic: it depends on the application logic, and the back-end queries vary with the values of the parameters passed and with the previous application state. The same application can therefore be triggered from many different web pages, which results in a one-to-many mapping between web requests and database queries.

2. Technical basics

A network IDS can be classified into two types:
1. Anomaly detection
2. Misuse detection

In anomaly detection, the correct and acceptable static form and dynamic behaviour of the system is defined and characterised first; this model can then be used to detect changes or anomalous behaviour. An anomaly detector compares actual usage patterns against the models already established in order to identify abnormal events. We follow the anomaly detection approach, since we depend on a training phase to build the model of correct behaviour. This makes the quality of the training data critical: any attack traffic captured during training would be learned as normal behaviour, and any legitimate code path never exercised during training would later be reported as anomalous.

Misuse detection is the other approach to detecting attacks. In misuse detection, abnormal system behaviour is defined first and any other behaviour is then regarded as normal. It is the reverse of anomaly detection, which defines normal system behaviour and treats any other behaviour as abnormal.

3. Attack Scenarios

1. Privilege Escalation Attack
Suppose that the website is used by both regular users and administrators. A regular user's web request triggers a set of ordinary SQL queries, while an administrator's web request triggers a set of admin-level queries. Now suppose that an attacker logs in to the web server as a normal user, modifies or upgrades his or her details and tries to obtain an administrator's data by triggering the admin queries. This attack cannot be detected by an IDS at either tier, whether a web server IDS or a database IDS, because the request and the queries are each individually permissible. According to our mapping model, however, the database queries do not match the request that was received, and therefore we can detect this type of attack. Figure 1 shows how a regular user may use admin queries to obtain privileged information.

Figure 1. Privilege Escalation attack

2. Hijack Future Session Attack

This type of attack takes place mainly on the web server side. An attacker takes over the web server and hijacks all subsequent legitimate user sessions to launch attacks. By hijacking the sessions of other users, the attacker can eavesdrop, send spoofed replies and drop user requests. A man-in-the-middle attack, a denial-of-service attack and a replay attack are all categories of session hijacking. Figure 2 shows how a compromised web server can harm all future sessions by not generating any database queries for normal user requests; our model detects this because the queries mapped to those requests never arrive at the database.

Figure 2. Hijack Future Session Attack

3. Injection Attack

In this type of attack, an attacker uses an existing exposure in the web server logic to inject data or string content that contains an exploit, and then uses the web server to relay that exploit to the back-end database. An SQL injection attack changes the structure of the SQL query, so the database receives a query with a different structure even though the injected data passed through the web server. Since a query structure that was never seen during training cannot be mapped to any request, the injected query is flagged.

Figure 3. Injection attack

4. Implementation

Static Model Building Algorithm

    Require: Training data set, threshold t
    Ensure: The mapping model for a static website
    for each session-separated traffic T_i do
        get the distinct HTTP requests r and DB queries q in this session
        for each distinct r do
            if r is a request to a static file then
                add r into set EQS
            else
                if r is not in set REQ then
                    add r into REQ
                append session ID i to the set AR_r with r as the key
        for each distinct q do
            if q is not in set SQL then
                add q into SQL
            append session ID i to the set AQ_q with q as the key
    for each distinct HTTP request r in REQ do

The training traffic is first separated by session. Requests for static files go into the empty query set EQS, since they never generate a database query. For every other distinct request r the algorithm records the set AR_r of session IDs in which r occurred, and for every distinct query q the set AQ_q of session IDs in which q occurred; these per-session sets are what the mapping between requests and queries is later derived from.

5. System Working

The system follows the MVC (Model-View-Controller) architecture.

Figure 4. MVC Architecture

Model: The model manages the behaviour and data of the application domain, responds to requests for information about its state (usually from the view), and responds to instructions to change state (usually from the controller).

View: The view manages the display of information.

Controller: The controller interprets the mouse and keyboard inputs from the user, informing the model and/or the view to change as appropriate.

Struts

Struts provides the Controller portion of the web application. The Controller receives requests from the client (a user running a web browser), decides which business logic function is to be performed, and then delegates responsibility for producing the next phase of the user interface to an appropriate View component.

6. Security

In our system we store the vital information about the application in a secure format. The admin details are also stored safely, and since the system itself is built for security, this information is not easily accessible under our architecture.

Conclusion

DoubleGuard is used to detect well-known attacks on multitier web applications. It is an application-independent system that covers both the front-end and the back-end. It can be used for static as well as dynamic web servers and provides better security for the data and the web application.
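As an added example that is not part of the original paper, the following Python script implements a simplified version of the static model building algorithm of section 4 and then checks the three attack scenarios of section 3 against the resulting model. It builds the AR_r and AQ_q session sets and the EQS set as the listing does; the mapping step, which the listing on this page breaks off after its last loop header, is an assumption here: a query q is mapped to a request r when both occur in exactly the same training sessions, and a non-static request that maps to no query joins EQS. The training sessions, request strings and SQL text are constructed for the example, and the query normalisation (replacing literals with ?) is likewise an assumption rather than something the paper specifies.

```python
"""Simplified DoubleGuard-style mapping model for a static website.

Added example, not the paper's code. Session-separated training traffic is
constructed inline; the mapping rule and query normalisation are assumptions.
"""
import re
from collections import defaultdict

STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")


def normalize_request(raw):
    """'GET /profile?id=7' -> 'GET /profile': parameter values are not part of the key."""
    method, _, url = raw.partition(" ")
    return f"{method} {url.split('?', 1)[0]}"


def normalize_query(raw):
    """Replace literals with '?' so queries of the same structure share one key.

    An injected query changes the structure, so it yields a key that training
    never produced (assumed normalisation; the paper does not specify one).
    """
    q = re.sub(r"'[^']*'", "?", raw)      # quoted string literals
    q = re.sub(r"\b\d+\b", "?", q)        # numeric literals
    return " ".join(q.split()).lower()


def build_static_model(sessions):
    """sessions: {session_id: (http_requests, db_queries)} from the training run."""
    eqs, ar, aq = set(), defaultdict(set), defaultdict(set)
    for sid, (requests, queries) in sessions.items():
        for r in {normalize_request(x) for x in requests}:
            if r.lower().endswith(STATIC_EXT):
                eqs.add(r)            # static file: a request that never needs a query
            else:
                ar[r].add(sid)        # AR_r: sessions in which request r appears
        for q in {normalize_query(x) for x in queries}:
            aq[q].add(sid)            # AQ_q: sessions in which query q appears
    mapping = {}
    for r, sess in ar.items():
        # assumed mapping rule: q belongs to r when both occur in exactly the same sessions
        mapped = {q for q, qsess in aq.items() if qsess == sess}
        if mapped:
            mapping[r] = mapped
        else:
            eqs.add(r)                # page that produced no query: empty query set
    return {"eqs": eqs, "mapping": mapping, "known_queries": set(aq)}


def check_session(model, requests, queries):
    """Return a list of (alert_kind, detail) for one session of test traffic."""
    alerts = []
    reqs = {normalize_request(x) for x in requests}
    qs = {normalize_query(x) for x in queries}
    expected = set()
    for r in sorted(reqs):
        if r in model["eqs"]:
            continue
        if r not in model["mapping"]:
            alerts.append(("unknown_request", r))
            continue
        expected |= model["mapping"][r]
        for q in sorted(model["mapping"][r] - qs):
            # the request arrived but its mapped query never did (hijacked-session pattern)
            alerts.append(("missing_query", f"{r} -> {q}"))
    for q in sorted(qs - expected):
        if q in model["known_queries"]:
            # a legitimate query that no request in this session explains (privilege escalation)
            alerts.append(("unmapped_query", q))
        else:
            # a query structure never seen in training (injection)
            alerts.append(("unknown_query", q))
    return alerts


# Constructed training traffic: two ordinary user sessions and one administrator session.
TRAINING = {
    "s1": (["POST /login", "GET /profile?id=7", "GET /about", "GET /style.css"],
           ["SELECT * FROM users WHERE name='alice'", "SELECT * FROM profiles WHERE uid=7"]),
    "s2": (["POST /login", "GET /profile?id=9", "GET /logo.png"],
           ["SELECT * FROM users WHERE name='bob'", "SELECT * FROM profiles WHERE uid=9"]),
    "s3": (["POST /login", "GET /admin/users", "GET /about"],
           ["SELECT * FROM users WHERE name='root'", "SELECT name, role FROM users"]),
}
MODEL = build_static_model(TRAINING)

if __name__ == "__main__":
    # a regular user's session in which the admin-level query suddenly appears
    print(check_session(MODEL, ["POST /login", "GET /profile?id=3"],
                        ["SELECT * FROM users WHERE name='carol'",
                         "SELECT * FROM profiles WHERE uid=3",
                         "SELECT name, role FROM users"]))
```

Run as a script, it reports the privilege escalation case as an unmapped query. The three alert kinds line up with the three scenarios: a mapped query that never arrives (a hijacked session that generates no database queries), a known query that no request in the session explains (a regular user triggering admin queries), and a query structure absent from training (injection). The same "unknown_query" path also fires for any legitimate query the training run never exercised, which is why the training traffic for a static site must cover every page before the model is used for detection.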