04-07-2014, 11:22 AM
DoubleGuard Detecting Intrusions In Multi-Tier
DoubleGuard Detecting Intrusions In Multi-Tier.docx (Size: 1.27 MB / Downloads: 83)
INTRODUCTION
Web-delivered services and applications have increased in both popularity and complexity over the past few years. Daily tasks, such as banking, travel, and social networking, are all done via the web. Such services typically employ a web server front-end that runs the application user interface logic, as well as a back-end server that consists of a database or file server. Due to their ubiquitous use for personal and/or corporate data, web services have always been the target of attacks. These attacks have recently become more diverse, as attention has shifted from attacking the front-end to exploiting vulnerabilities of the web applications [6], [5], [1] in order to corrupt the back-end database system [40] (e.g., SQL injection attacks [20], [43]). A plethora of Intrusion Detection Systems (IDS) currently examine network packets individually within both the web server and the database system. However, there is very little work being performed on multi-tiered Anomaly Detection (AD) systems that generate models of network behaviour for both web and database network interactions. In such multi-tiered architectures, the back-end database server is often protected behind a firewall while the web servers are remotely accessible over the Internet. Unfortunately, though they are protected from direct remote attacks, the back-end systems are susceptible to attacks that use web requests as a means to exploit the back-end.
To protect multi-tiered web services, Intrusion Detection Systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures [34], [30], [33], [22]. A class of IDS that leverages machine learning can also detect unknown attacks by identifying abnormal network traffic that deviates from the so-called “normal” behaviour previously profiled during the IDS training phase. Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them. However, these IDSs cannot detect cases in which normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server. Neither the web IDS nor the database IDS would detect this type of attack, since the web IDS would merely see typical user login traffic and the database IDS would see only the normal traffic of a privileged user. This type of attack could be readily detected if the database IDS could identify that a privileged request from the web server is not associated with user-privileged access. Unfortunately, within the current multi-threaded web server architecture, it is not feasible to detect or profile such causal mapping between web server traffic and DB server traffic, since traffic cannot be clearly attributed to user sessions.
THE INTRUSION DETECTION SYSTEM
Introduction of IDS
An intrusion can be defined as “any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource” [3]. An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.
Functions of an intrusion detection system are to
• Monitor and analyze the user and system activities.
• Analyze system configurations and vulnerabilities.
• Assess system and file integrity.
A secured network must have the following three features
• Confidentiality: Only authorized people should be able to access the data that are being transferred through the network.
• Integrity: The integrity of the data should be maintained starting from its transmission until it is received by the receiver.
• Availability: The network should be resilient to any kind of attacks.
Misuse Detection vs Anomaly Detection
In misuse detection, the IDS identifies intrusions by comparing observed activity against a large database of attack signatures; essentially, it looks for a specific, already documented attack. The main disadvantage of this method is that an unknown intrusion cannot be detected, although its detection efficiency for known attacks is quite high. In anomaly detection, the IDS monitors network segments and compares their state to a normal baseline in order to detect anomalies.
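The contrast between the two approaches can be sketched in a few lines of Python. This is only an illustrative toy, not any real IDS: the signature strings, the request-rate statistic, and the 3-sigma threshold are all assumptions made for the example.

```python
# Toy contrast between misuse (signature) detection and anomaly
# (baseline-deviation) detection. Signatures and traffic statistics
# here are illustrative placeholders, not taken from a real IDS.

SIGNATURES = {"' OR '1'='1", "UNION SELECT", "../.."}

def misuse_detect(payload: str) -> bool:
    """Flag traffic that matches a known, documented attack signature."""
    return any(sig in payload for sig in SIGNATURES)

def anomaly_detect(request_rate: float, baseline_mean: float,
                   baseline_std: float, threshold: float = 3.0) -> bool:
    """Flag traffic whose rate deviates too far from the profiled baseline."""
    return abs(request_rate - baseline_mean) > threshold * baseline_std

print(misuse_detect("id=1' OR '1'='1"))    # known SQL-injection signature
print(anomaly_detect(950.0, 100.0, 20.0))  # rate far outside the baseline
```

Note how the trade-off described above falls out directly: `misuse_detect` can never flag a payload absent from `SIGNATURES`, while `anomaly_detect` flags anything unusual, known attack or not.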
DATA MINING TECHNOLOGY
Data mining is the process of sorting through a large database or data warehouse and extracting knowledge of interest to people. The extracted knowledge may be represented as concepts, rules, laws, or models. The purpose of data mining is to help the decision-maker find potential associations between data and to uncover neglected elements that might be very useful for identifying trends and for decision-making behaviour. It has been described as “the nontrivial extraction of implicit, previously unknown, and potentially useful information from data” and “the science of extracting useful information from large data sets or databases”.
Data mining identifies trends within data that go beyond simple analysis. Through the use of sophisticated algorithms, non-statistician users can identify key attributes of many kinds of real-life problems, such as intrusion detection, face recognition, image processing, and business processes. However, handing control of these processes from the statistician to the machine may not yield useful results unless one can ensure that the data on which the operations are performed are complete in all respects. Figure 3.1 shows the basic approach of data mining.
INTRUSION DETECTION SYSTEM IN WEB SERVICES
Introduction
Web applications have become ubiquitous in daily tasks such as banking, travel, and social networking. To manage this growing complexity, web applications have moved to a multi-tiered architecture.
Related Work
In the existing system, the classic three-tier model is unable, at the database side, to tell which transaction corresponds to which client request. The communication between the web server and the database server is not separated, so the relationships among requests and queries can hardly be understood.
Bryan Parno et al. [7] proposed CLAMP, an architecture for preventing data leaks even in the presence of attacks. By isolating code at the web server layer and data at the database layer by user, CLAMP guarantees that a user’s sensitive data can only be accessed by code running on behalf of that user. In contrast, DoubleGuard focuses on modeling the mapping patterns between HTTP requests and DB queries to detect malicious user sessions. There are additional differences between the two in terms of requirements and focus: CLAMP requires modification of the existing application code, and its Query Restrictor works as a proxy to mediate all database access requests.
Moreover, their resource requirements and overhead differ by an order of magnitude: DoubleGuard uses process isolation, whereas CLAMP requires platform virtualization, and CLAMP provides more coarse-grained isolation than DoubleGuard.
Problem Statement
Existing Intrusion Detection Systems (IDS) monitor network packets individually, at either the web server or the database side only. They do not construct a virtualized environment, and so cannot secure the web application as a whole. Because they do not isolate the information flow of each container session, they can hardly identify the relationships among requests and queries. As a result, they are unable to detect several types of attacks or to enhance the security of the web application.
Proposed Architecture Description
The client (end user) accesses the website via a request consisting of an HTTP request (URL), a parameter list, and an IP address; these requests are received by the web server. The goal of the system is to detect attacks at both the front end and the back end and to produce alerts. As shown in Figure 4.3, the front end acts as the web server, which identifies attacks using an IDS and minimizes false positives. Similarly, the system monitors network behaviour at the back-end (database) server before it receives a request, which may arrive via the web server or directly, bypassing the web server. The back end acts as the database server, which likewise identifies attacks using an IDS and minimizes false positives. Whenever an intruder tries to access the web application, the mapping model captures the attempt.
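The per-session mapping idea described above can be sketched as a small model that learns, during training, which DB queries each (normalized) HTTP request is allowed to trigger, and later flags sessions that deviate. The class name, request templates, and query strings below are illustrative assumptions, not DoubleGuard's actual implementation.

```python
# Sketch of a request-to-query mapping model built per session: during
# training it records which DB queries each normalized HTTP request may
# trigger; at detection time, any unseen request or out-of-set query is
# flagged. All identifiers here are hypothetical.

from collections import defaultdict

class SessionMappingModel:
    def __init__(self):
        # normalized HTTP request -> set of DB query templates seen with it
        self.mapping = defaultdict(set)

    def train(self, session_pairs):
        """session_pairs: iterable of (request, set-of-queries) from clean traffic."""
        for request, queries in session_pairs:
            self.mapping[request].update(queries)

    def is_anomalous(self, request, queries):
        allowed = self.mapping.get(request)
        if allowed is None:
            return True                      # request never seen in training
        return not set(queries) <= allowed   # some query outside the learned set

model = SessionMappingModel()
model.train([("GET /article?id=<num>",
              {"SELECT * FROM articles WHERE id=?"})])
# A normal-looking request paired with a privileged query is caught:
print(model.is_anomalous("GET /article?id=<num>", {"SELECT * FROM users"}))
```

This captures the scenario from the introduction: each feed alone looks benign, but the pairing of a normal user request with a privileged query violates the learned mapping.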
RELATED WORKS
A network Intrusion Detection System (IDS) can be classified into two types: anomaly detection and misuse detection. Anomaly detection first requires the IDS to define and characterize the correct and acceptable static form and dynamic behaviour of the system, which can then be used to detect abnormal changes or anomalous behaviours [26], [48]. The boundary between acceptable and anomalous forms of stored code and data is precisely definable. Behaviour models are built by performing a statistical analysis on historical data [31], [49], [25] or by using rule-based approaches to specify behaviour patterns [39]. An anomaly detector then compares actual usage patterns against established models to identify abnormal events.
Intrusion alerts correlation [47] provides a collection of components that transform intrusion detection sensor alerts into succinct intrusion reports in order to reduce the number of replicated alerts, false positives, and non-relevant positives. It also fuses the alerts from different levels describing a single attack, with the goal of producing a succinct overview of security-related activity on the network. It focuses primarily on abstracting the low-level sensor alerts and providing compound, logical, high-level alert events to the users.
DoubleGuard differs from this type of approach that correlates alerts from independent IDSs. Rather, DoubleGuard operates on multiple feeds of network traffic using a single IDS that looks across sessions to produce an alert without correlating or summarizing the alerts produced by other independent IDSs. An IDS such as [42] also uses temporal information to detect intrusions. DoubleGuard, however, does not correlate events on a time basis, which runs the risk of mistakenly considering independent but concurrent events as correlated events.
DoubleGuard does not have such a limitation, as it uses the container ID of each session to causally map the related events, whether they are concurrent or not. Since databases always contain more valuable information, they should receive the highest level of protection. Therefore, significant research efforts have been made on database IDSs [32], [28], [44] and database firewalls [21]. Software such as GreenSQL [7] works as a reverse proxy for database connections: instead of connecting to a database server directly, web applications connect to the firewall, which forwards only the queries it deems legitimate to the database.
THREAT MODEL AND SYSTEM ARCHITECTURE
Attacks are network-borne and come from the web clients; they can launch application-layer attacks to compromise the web servers they are connecting to. The attackers can bypass the web server to directly attack the database server. It is assumed that the attacks can neither be detected nor prevented by the current web server IDS, that attacker may take over the web server after the attack, and that afterwards they can obtain full control of the web server to launch subsequent attacks. For example, the attackers could modify the application logic of the web applications, eavesdrop or hijack other users’ web requests, or intercept and modify the database queries to steal sensitive data beyond their privileges.
Attackers may strike the database server through the web server or, more directly, by submitting SQL queries; in this way they may obtain and pollute sensitive data within the database. These assumptions are reasonable since, in most cases, the database server is not exposed to the public and is therefore difficult for attackers to completely take over.
6.3.4 Direct DB attack
It is possible for an attacker to bypass the web server or firewalls and connect directly to the database. An attacker could also have already taken over the web server and be submitting such queries from the web server without sending web requests. Without matched web requests for such queries, a web server IDS could not detect them. Furthermore, if these DB queries were within the set of allowed queries, the database IDS itself would not detect them either. However, this type of attack can be caught with our approach, since we cannot match any web requests with these queries.
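The detection logic for this case reduces to flagging any session window whose DB queries have no accompanying web requests. A minimal sketch, assuming a hypothetical per-session traffic record keyed by container ID (the field names are invented for the example):

```python
# Sketch of direct-DB-attack detection: a session that issued DB queries
# but no web requests cannot be explained by the learned mapping, so every
# query in it is flagged, even if each query is individually "allowed".

def unmatched_query_alerts(sessions):
    """sessions: {session_id: {"requests": [...], "queries": [...]}}
    Return, per session, the queries that no web request can account for."""
    return {sid: s["queries"]
            for sid, s in sessions.items()
            if s["queries"] and not s["requests"]}

traffic = {
    "ct-1": {"requests": ["GET /index"],
             "queries": ["SELECT title FROM articles"]},
    "ct-0": {"requests": [],               # no front-end traffic at all
             "queries": ["SELECT * FROM accounts"]},
}
print(unmatched_query_alerts(traffic))  # only ct-0 is flagged
```

Note that a pure database IDS sees `SELECT * FROM accounts` as an allowed query; only the absence of matching front-end traffic reveals the attack.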
MODELING DETERMINISTIC MAPPING AND PATTERNS
Due to their diverse functionality, different web applications exhibit different characteristics. Many websites serve only static content, which is updated and often managed by a Content Management System (CMS). However, some websites (e.g., blogs, forums) allow regular users with non-administrative privileges to update the contents of the served data. This creates tremendous challenges for IDS system training because the HTTP requests can contain variables in the passed parameters.
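One common way to cope with variable parameters during training is to normalize requests before building the model, so that requests differing only in parameter values collapse into one pattern. The regex-based scheme below is an assumption made for illustration; the paper does not prescribe this exact normalization.

```python
# Sketch of parameter normalization for IDS training: numeric and quoted
# parameter values are replaced with placeholders so that requests which
# differ only in their variables map to the same learned pattern.
# The placeholder tokens <num> and <str> are invented for this example.

import re

def normalize(request: str) -> str:
    """Collapse variable parameter values into generic placeholders."""
    request = re.sub(r"=\d+", "=<num>", request)      # numeric values
    request = re.sub(r"='[^']*'", "=<str>", request)  # quoted strings
    return request

print(normalize("GET /article?id=42&tag='linux'"))
# GET /article?id=<num>&tag=<str>
```

With this in place, `GET /article?id=7` and `GET /article?id=42` train the same mapping entry, which is exactly what makes variable-carrying HTTP requests tractable for the model.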
7.4 Modelling of Dynamic Patterns
In contrast to static web pages, dynamic web pages allow users to generate the same web query with different parameters. Additionally, dynamic pages often use POST rather than GET methods to submit user input. Based on the web server’s application logic, different inputs would cause different database queries. For example, to post a comment on a blog article, the web server would first query the database to see the existing comments. If the user’s comment differs from previous comments, the web server would then generate a set of new queries to insert the new post into the back-end database.
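The blog-comment example above shows why one POST pattern must map to a *set* of possible query sequences rather than a single one: the application logic branches on the input. A toy model of that branching (the function name and query templates are hypothetical):

```python
# Sketch of dynamic-page behaviour: the same POST request yields different
# DB query sequences depending on application logic, so the trained model
# must associate the request pattern with a set of sequences, not one.
# Query strings here are illustrative placeholders.

def queries_for_post_comment(comment, existing_comments):
    """Mimic the app logic: read existing comments, insert only if new."""
    qs = ["SELECT body FROM comments WHERE article_id=?"]
    if comment not in existing_comments:
        qs.append("INSERT INTO comments (article_id, body) VALUES (?, ?)")
    return qs

print(queries_for_post_comment("nice post", []))   # SELECT then INSERT
print(queries_for_post_comment("dup", ["dup"]))    # SELECT only
```

During training, both observed sequences would be recorded as legitimate outcomes of the same POST pattern.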
PERFORMANCE EVALUATION
Implementation
Figure 8.1 depicts the architecture and session assignment of our prototype, where the host web server works as a dispatcher. In the implementation, containers were recycled based on events or when sessions timed out. It was possible to use the same session-tracking mechanisms implemented by the Apache server (cookies, mod_usertrack, etc.) because lightweight virtualization containers do not impose high memory and storage overhead. Thus, it was possible to maintain a large number of parallel-running Apache instances, similar to the Apache threads the server would maintain in the scenario without containers. If a session timed out, its Apache instance was terminated along with its container.
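The dispatcher's session-to-container assignment with timeout-based recycling can be sketched as follows. The container handles are simulated strings, not calls to a real virtualization API, and the class and field names are invented for the example.

```python
# Sketch of dispatcher-style session assignment: each session ID gets its
# own (simulated) container, and containers whose sessions exceed the
# timeout are recycled, mirroring the prototype's session-timeout rule.

import time

class Dispatcher:
    def __init__(self, timeout=1800):
        self.timeout = timeout          # session timeout in seconds
        self.containers = {}            # session_id -> [container_id, last_seen]
        self._next = 0

    def assign(self, session_id):
        """Return the container for this session, creating one if needed."""
        self._recycle()
        if session_id not in self.containers:
            self._next += 1
            self.containers[session_id] = [f"ct-{self._next}", time.time()]
        self.containers[session_id][1] = time.time()
        return self.containers[session_id][0]

    def _recycle(self):
        """Terminate containers whose sessions have timed out."""
        now = time.time()
        for sid in [s for s, (_, seen) in self.containers.items()
                    if now - seen > self.timeout]:
            del self.containers[sid]

d = Dispatcher()
print(d.assign("alice"), d.assign("bob"))  # two sessions, two containers
```

The key property, matching the text, is one container per session: repeated requests from the same session reuse its container, while a timed-out session's container is destroyed together with the session.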
CONCLUSION
An intrusion detection system that builds models of normal behavior for multi-tiered web applications from both front-end web (HTTP) requests and back-end database (SQL) queries was presented.
It was shown that correlating the two input streams provides a better characterization of the system for anomaly detection, because the intrusion sensor has a more precise model of normality and can therefore detect a wider range of threats.
Moreover, it was shown that this holds true for dynamic requests, where both retrieval of information and updates to the back-end database occur through the web-server front end. When the prototype was deployed on a system employing an Apache web server, a blog application, and a MySQL back-end, DoubleGuard was able to identify a wide range of attacks with minimal false positives. As expected, the number of false positives depended on the size and coverage of the training sessions.