A B S T R A C T. Index Terms: DoubleGuard; database server; intruder; web server I INTRODUCTION

Transcription

1 Intervention Detection System Using DoubleGuard Technique Web Application. Prof.P.M.Bhujbal, Prof.S.V.Gumaste, Mr.N.S.Jadhav, Mr.S.N.Dhage Department Of Computer Engineering Jaihind College Of Engineering, Kuran,Sharadchandra Pawar College of Engineering, Savitribai Phule University Pune, India A B S T R A C T Computers are widely used for web application from last two decades. These days most of transactions are done online. Thus it is necessary to provide more security to web server and database server as web applications may hacked easily. In order to address this issue DoubleGuard system is used. In order to prevent and detect various types of attack DoubleGuard system uses Intrusion Detection System. User accounts can be prevented from attacks and being hacked by intruder using DoubleGuard system. Security for both web server and database server can be provided by using mapping of request and query IDS system. An IDS system is modeled by network behavior of user sessions across both the front-end web server and the back- end database. The DoubleGuard System solves the problem by isolating the flow of information from each web server session. The DoubleGuard system quantifies detection accuracy when system attempt to model static and dynamic web requests with the back-end file system and database queries. Different types of attacks can be detected by building correlated models for static web sites. This is also applicable to dynamic requests where both retrieval of information and updates to the back-end database occur using the web-server front end. Index Terms: DoubleGuard; database server; intruder; web server I INTRODUCTION Web dependent services & applications have been increased popularly over past decades. In various daily need tasks such as banking, travel, and social networking web is commonly used now a days. In most of these services web server is typically employed in the front end that consist of user interface logic and back end server that employ database server. Web dependent services have always been target for attacks due to their regular use for personal, corporate data. The Intrusion-detection systems detect attacks against computer systems and networks or against information systems in general. It is difficult to provide probably secure information systems and maintain them in such a secure state for their entire lifetime. But an Intrusion Detection System lack in multi tiered Anomaly Detection (AD) systems that generate models of network behavior for both web and database network interactions. Web servers are remotely accessible over internet in multi tiered web applications. It is possible to protect back end systems i.e. Database servers from direct remote attacks but they are susceptible to web attacks that consist of web requests as means to exploit back end. Intrusion Detection System provides protection against known attacks by misused traffic patterns or signatures on multitier web architecture [1] [12]. Class of Intrusion-detection systems using machine learning detects unknown attacks by identifying abnormal network traffic that deviates from normal traffic. It is very , IJAFRSE and JCON 2015 All Rights Reserved

2 difficult for web server IDS and database IDS to detect type of attacks where normal traffic is used to attack web server or database server. For example if normal user using normal user privileges can log in to web server if in case he/she can find a way to issue admin-privileged database queries by exploiting vulnerabilities in web server. In such a case neither web server nor database server is able to detect such a type of attack. Because web server IDS would be able to see only typical login user traffic and database server would see only traffic of privileged user. Attack using normal traffic can be easily detected wherein privileged normal user request from web server is not associated with privileged admin user request. DoubleGuard system is used to detect attack using normal traffic in multi tiered web architecture. Normal models that use both web front end server (HTTP) and database back end server (SQL) can be employed by Double Guard system for user sessions. In DoubleGuard system each user s web session can be assigned to dedicated container using light weight virtualization technique. ID of the container can then be used to associate web request with corresponding database queries. Using casual mapping between database queries both web server and database server can be protected. OpenVZ [10] can be used to implement DoubleGuard container. The DoubleGuard firewall system using container has a very good performance overhead and is suitable for most web applications. When web request rate is normal there is almost no overhead on DoubleGuard Firewall System. If server is already overloaded there is 26 percent overhead. The DoubleGuard system using container is suitable for both profiling of casual mapping and future session hijacking attacks. Dedicated container can be used for each client session because if in case an attacker may be able to compromise single session but the damage is limited to compromised session only other user session are not affected by this. The requests received by web server and those generated for back end database server for websites that do not permit content modification from users are related by some form of casual relationship. Such casual relationship can be showed using DoubleGuard container in multi tier web architecture. These kinds of web sites are referred as static web applications. The size and functionality of web applications are responsible for casual mapping. This casual mapping is not depending on content changes that can be performed in controlled environment. Also there are web applications that allow fixed back end database server modifications. These web applications are known as Dynamic Web Applications. HTTP requests are allowed by these dynamic web applications that consist of variable which are depend on user input. Dynamic web applications require modeling of a casual relationship between front end and back end which is not always deterministic and depends on application logic. II. LITERATURE SURVEY A. Intrusion Detection System Intrusion Detection System aimed at detecting attacks against computer systems and networks, or against information systems [7]. Intrusion Detection System in general dynamically monitors actions taken in given environment and check whether these actions are indication of an attack. Intrusion Detection System can be described as a detector that processes information coming from the system that is to be protected. In general there are three kinds of information are used by this detector. First one is related to technique used to detect intrusion called long term information. Second one is about the current state of the system called configuration information and third one is describing the events that occur on the system called audit information. In general the detector eliminates unnecessary information from the audit trail and presents a synthetic view of the security-related actions taken by users , IJAFRSE and JCON 2015 All Rights Reserved

3 1) Advantages of Intrusion-Detection System [6] 1) Accuracy Fig. 1 Very simple intrusion-detection system To detect attacks based on mismatch types and signatures the accuracy of Intrusion Detection System is very good. These attacks in multi tier web applications can be detected using web IDS and database IDS[6]. 2) Performance The performance of an intrusion detection system is measured in terms of the rate at which audit events are processed. In actual it is possible to detect real time attack if performance of the intrusion-detection system is good [6]. 2) Limitations of Intrusion-Detection System 1) Information Gathering In case of Intrusion Detection System it is difficult to gather the required information on known attacks and keeping this information abreast with new vulnerabilities. 2) Security of backend server An attacker can directly attack backend database server in Intrusion Detection System. B. GreenSQL GreenSQL is another existing technology to detect attacks in computer system or in information system. For all organizations GreenSQL provides a joined, ready-to-use database security solution [5]. GreenSQL offers low maintenance, renewals and threat update subscriptions with very simplified management. Dedicated hardware, database server or application server can be used to implement or virtualized GreenSQL. An important function of GreenSQL is ability of GreenSQL to secure and accelerate any database in minutes while in learning mode. GreenSQL automatically builds a policy to enable real time conformity based on database usage. For users GreenSQL acts as a proxy server and hides database server. GreenSQL uses Intrusion Detection System and Intrusion Prevention System to detect known and unknown attacks. GreenSQL also does not provide or in effect hides sensitive information from users , IJAFRSE and JCON 2015 All Rights Reserved

4 Input: Any SQL queries Output: Clean allowed SQL queries 1) Features of GreenSQL 1) Security Fig 2: Simple GreenSQL Architecture [5] GreenSQL uses database firewalls [5], virtual patching and IPS/IDS in order to provide security. The database firewalls used by GreenSQL are either query or table based. In order to prevent any known or unknown attacks that target database application virtual patching is used. 2) Auditing GreenSQL provides policy based Auditing. GreenSQL maintain full detailed information regarding any view s or changes to a database, table or column. Database Activity Monitoring (DAM) is limited to only who did, when did and what did. In addition to this if there is any change in database, table or column policy based auditing provides a full Before and After view [5]. 2) Limitations of GreenSQL Attacks like Privilege Escalation Attack, Web server aimed attack; direct database attack cannot be detected bygreensql [5]. II PROGRAMER DESIGN A. Problem Statement: In last two decades for web applications computers have been widely used. Now a day s large amount of transactions are done online. As a result of this data from web server and database server are prone to be hacked easily this relies to provide more security to web applications in spite of security measures even by non ethical ways. To avoid such a thing we will try to apply DoubleGuard System on such applications. B. System Architecture: , IJAFRSE and JCON 2015 All Rights Reserved

5 The existing intrusion detection system like normal Intrusion Detection System, GreenSQL, SNORT are not able to detect attacks like Cross-Site scripting, Privilege Escalation, Direct DB. To overcome such a limitation we will try to implement Intrusion Detection System using DoubleGuard with making use of additional Firewall (database firewall). With the help of this firewall we would trying to show that the requests coming from client are passed to web request database and DoubleGuard Firewall at the same time. Until the time request will get processed, DoubleGuard database firewall will be able to detect that request is coming from legitimate user. So using DoubleGuard firewall it would be possible to overcome cross-site scripting attack. Also the problem of improper input processing and DoS attacks will be taken care of. In DoubleGuard with additional firewall, different information flaws by each session can be separated by the new container-based web server architecture. This provides a way of tracking the information flow from the web server to the database server for each session. This approach also does not require user to analyze the source code or know the application logic. For the static web page, this DoubleGuard approach does not require application logic for building a model. However, proposed architecture do not require the full application logic for dynamic web services, in order to model normal behavior we do not need to know the basic user operations. Fig 3: Proposed System Architecture Modules 1) Login 2) Connecting server 3) Container generation 4) Query processing 5) Attack detection C. Module Description: 1) Login To start up process of getting information from database server user should login to web server in login module. System administrator will provide username and password for every user. User can login to web server using this username and password. 2) Connecting Server After login to the web server, in order to get information from web server the user should made connection with the web server. This information is required for madding connection with the web server. Unique signature is provided by system administrator for every user to denote that they are the authorized person to retrieve the data from the web server and database server. The signature of every user will be checked while making connection with the server with the help of DoubleGuard firewall. If signature is valid then and then only connection is made otherwise connection will not be made , IJAFRSE and JCON 2015 All Rights Reserved

6 3) Container Generation For each and every session in the web server the container will be generated using OpenVZ [10] and session id for every session provided by container. The container contains data and information about query processing. This container will get discarded when the session is closed. 4) Query Processing The user query will be processed in this module. The query will be checked by the web server and DoubleGuard firewall for authentication purpose. If the query is authenticated then the web server will process the query and retrieve the data from the database server. This information is provided to user by web server. 5) Firewall and Attack Detection In order to retrieve data from web server or directly from database server number of attack performed by the attacker. The attacker may perform following types of attack 1. Injection Attack 2. Privilege Attack 3. Hijack Future Session Attack 4. Direct DB Attack During the processing of query the DoubleGuard Firewall is able to detect whether or not request is coming from legitimate user. The detection algorithm is used to detect and control these attacks. In this algorithm the structure of the query, session id, session time and the user id will be compared with the information stored in the DoubleGuard firewall along with database and the web server. If the condition is satisfied then the query will be processed otherwise query will be neglected. D. Algorithm The nondeterministic mapping does not exist in case of static website as there are no available input variables or states for static content. In order to build mapping model the traffic collected by sensors into three patterns. Begin by iterating all of session from 1 to N as the traffic is already separated by session. Necessitate: Training Data set, Threshold T Guarantee: The Mapping Model for static website Step1: for each session separated traffic Ti do Step 2: Get different HTTP requests and DB queries in this session Step 3: for each different do Step 4: if is a request to static file then Step 5: Add into set QS Step 6: else Step 7: if is not in set RS then Step 8: Add into RS Step 9: Append session ID to the set with as the key Step 10: for each different do Step 11: if is not in set SQL then Step 12: Add into SQL Step 13: Append session ID to the set with as the key Step 14: for each distinct HTTP request in RS do Step 15: for each distinct DB query in SQL do Step 16: Compare the set with the set Step 17: if and Cardinality AR assign to T then Step 18: Found a Deterministic mapping from to Step 19: Add into mapping model set of Step 20: Mark in set SQL Step 21: else Step 22: Need more training sessions , IJAFRSE and JCON 2015 All Rights Reserved

7 Step 23: return False Step 24: for each DB query in SQL do Step 25: if is not marked then Step 26: Add into set NM Step 27: for each HTTP request in RS do Step 28: if has no deterministic mapping model then Step 29: Add into set QS Step 30: return true Separately appeared web requests are Separately appeared web requests are still present as a unit. For the period of training phase, unless it has been observed a case when either of them appears separately units are treated as a single instance of web requests bundled together. In next step the other two mapping patterns are decided by assembling a white list for static file requests which includes JPG, GIF, CSS, etc. QS set contain HTTP request for static file sets. RS set contains the remaining requests. If for these other queries any matched queries are not found then they will be located in EQS set. NM contains all remaining queries in SQL will be considered as No Matched Request cases. Training data set is taken as an input in this algorithm set and provides output in terms of building the mapping model for static websites. The algorithm assigns hash table entry for each unique HTTP request and database query, the key of the hash table entry is the request or query itself, and AR is the value of the hash entry for the request or AQ for the query, respectively. By considering all mapping patterns that would happen in static website mapping model generated by the algorithm. In order to build deterministic mapping between HTTP request and database request session ID provided by the container (VE) [9]. III RESULT The work carried out till date is described in the following graph. Fig 4 depicts no of logging in and logging out users with respect to time in the current session. It is very well observed from the graph, the time required is linear to the no of users logging in and logging out. Fig 4: Logging in and out users with respect to time Fig 5 depicts no of containers generated during logging in and logging out users with respect to time in the current session. From the graph, it can be easily made out that the time required for container generation is linear , IJAFRSE and JCON 2015 All Rights Reserved

8 IV CONCLUSION Fig 5: Container generation with respect to time This paper represents effective method for detecting intrusions using DoubleGuard with use of additional database firewall. The paper would achieve successful intrusion detection in static website by forming container based IDS with multiple input streams to produce alerts even with improper input processing. Fundamental methods of Intrusion Detection System and GreenSQL detect intrusions in multitier web application but with assumptions. But with the use of additional firewall to detect intrusions will overcome assumptions that were considered. The flow of information from each web server session with a lightweight virtualization can be isolated to achieve this. DoubleGuard with additional firewall has ability to identify a wide range of attacks efficiently. V. REFERENCES [1] Common Vulnerabilities and Exposures, mitre. org/, 2011.Fröhlich, B. and Plate, J The cubic mouse: a new device for three-dimensional input. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems [2] D. Bates, A. Barth, and C. Jackson, Regular Expressions Considered Harmful in Client-Side XSS Filters, Proc. 19th Int l Conf. World Wide Web, 2010.Y.T. Yu, M.F. Lau, "A comparison of MC/DC, MUMCUT and several other coverage criteria for logical decisions", Journal of Systems and Software, 2005, in press. [3] D. Wagner and D. Dean, Intrusion Detection via Static Analysis, Proc. Symp. Security and Privacy (SSP 01), May [4] G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and E. Kirda, Reducing Errors in the Anomaly-Based Detection of Web-Based Attacks through the Combined Analysis of Web Requests and SQL Queries, J. Computer Security, vol. 17, no. 3,pp. [5] greensql, [6] H. Debar, M. Dacier, and A. Wespi, Towards a Taxonomy of Intrusion-Detection Systems, Computer Networks, vol.31, no.9, pp , [7] K. Bai, H. Wang, and P. Liu, Towards Database Firewalls, Proc. Ann. IFIP WG 11.3 Working Conf. Data and Applications Security (DBSec 05), [8] Linux-vserver, [9] Meixing Le, Angelos Stavrou Brent and ByungHoon Kang, DoubleGuard: Detecting Intrusions in , IJAFRSE and JCON 2015 All Rights Reserved

9 Multitier Web Applications, IEEE Transactions On Dependable and Secure Computing, Vol. 9, No. 4, July/August [10] Openvz, [11] S. Potter and J. Nieh, Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems, Proc. USENIX Ann. Technical Conf., [12] SANS, The Top Cyber Security Risks, top-cyber-security-risks/, 2011 [13] T. Pietraszek and C.V. Berghe, Defending against Injection Attacks through Context-Sensitive String Evaluation, Proc. Int lsymp. Recent Advances in Intrusion Detection (RAID 05), [14] Virtuozzo Containers, pvc45/, [15] W. Robertson, F. Maggi, C. Kruegel, and G. Vigna, Effective Anomaly Detection with Scarce Training Data, Proc. Network and Distributed System Security Symp. (NDSS), [16] Y. Huang, A. Stavrou, A.K. Ghosh, and S. Jajodia, Efficiently Tracking Application Interactions Using Lightweight Virtualization, Proc. First ACM Workshop Virtual Machine Security , IJAFRSE and JCON 2015 All Rights Reserved