Security Model for Multi-Tier Web Application by Using Double Guard




Snehal Khedkar 1, Mangal Vetal 2, Surekha Kotkar 3, R. S. Tambe 4
1,2,3 B.E. Computer, 4 M.E. Computer, P.R.E.C. Loni

Abstract- The use of Internet services and their applications in daily life has increased enormously. They enable the communication and management of personal information, which in turn increases the complexity of applications and data. Web services have therefore moved to a multi-tiered design in which a web server acts as the front end and a database or file server acts as the back end. In this paper we present an intrusion detection system, called Web Gate Keeper, in which the IDS models the behaviour of user sessions across both the front end and the back end. By monitoring web requests and database queries together, Web Gate Keeper is able to detect attacks that an independent web IDS or database IDS would not detect. We implemented Web Gate Keeper using the Apache web server with MySQL and lightweight virtualization, and processed real-world traffic collected over a 20-day period to evaluate the system on both a static and a dynamic web application. Using this system we were able to detect a wide range of attacks, with 100% correct results for the static web service and 99.4% correct results for the dynamic web service.

Keywords- Intrusion detection, multitier web application, external intruder, session, IDS

I. INTRODUCTION
Over the past few years, web-delivered services and their applications have increased in both popularity and complexity. In fields such as banking, shopping and travel we use web services and applications that run on a front-end server and a back-end server. The front end holds the application's user interface logic; the back-end server holds the database with each user's data. Because all vital information is stored on the database server, attackers have shifted their focus from the front end to the back end.
IDS systems that detect known attacks from misuse traffic patterns or signatures have been widely used to protect multi-tier web services. Another class of IDS detects unknown attacks by identifying network traffic whose behaviour deviates from the normal behaviour learned during the IDS training phase. A web IDS and a database IDS can each detect an attacker's abnormal network traffic and stop the attacker from entering the server. But when an attacker uses normal-looking traffic to attack the web server and the database server, the attack cannot be detected by either IDS.

Figure 1: IDS system (Internet, firewall, router and IDS sensors in front of Corporate Network 1 and Corporate Network 2)

Consider an example: an attacker logs into the web server with non-administrator privileges using normal user credentials, then finds a way to issue a privileged database query from the web server by exploiting a vulnerability in that server. Neither the web IDS nor the database IDS would detect this attack: the web IDS sees only a typical user login, and the database IDS sees only the normal traffic of a privileged user. Within current multi-tier web applications it is therefore not possible to detect such attacks, because the causal mapping between web server traffic and database server traffic is not available. The efficiency of an IDS can be measured by the following criteria:
1. Completeness - If the IDS is unable to detect an attack, the system is incomplete. Complete detection is not an easy task, because it is not possible to have global knowledge of all attacks.
2. Performance - The quality of the system depends on its performance. Real-time attack detection is not possible if the performance of the IDS is poor.
3. Accuracy - If the IDS signals an abnormal action that did not actually take place in the given environment, an inaccuracy has occurred.

In this paper, our approach is to create normality models of isolated user sessions that include both the web server (front-end) and the database server (back-end) network transactions. To achieve this we use a lightweight virtualization technique that assigns a dedicated container to each user's web session, providing an isolated virtual computing environment. We use the container ID to accurately associate each web request with the subsequent database queries, and on that basis we present Double Guard, which builds a causal mapping profile by considering both front-end and back-end traffic. Double Guard is thus used to detect attacks on multi-tier web services. We implemented the Double Guard container architecture using an open-source virtualization environment, so the performance overhead of mapping each session's traffic to its own profile is reasonable.

II. RELATED WORK
A network IDS can be used to detect attacks in two main ways: anomaly detection and misuse detection. In anomaly detection, the IDS has to define and characterize the correct and acceptable static and dynamic behaviour of the system in order to detect abnormal changes or anomalous behaviour [2], [3]. Behaviour normality models are built from historical data by statistical analysis [4], [1]. Behaviour models can also be built using rule-based approaches that specify behavioural patterns [5]. An anomaly detector then identifies abnormal behaviour by comparing actual usage patterns against the established models. Legitimate updates to the application can cause the model to drift; there are many approaches to this problem, and our attack detection system may run into it as well [6]. Some approaches detect intrusions by static analysis of source code or executables [4], [7], [8].
While other approaches dynamically track information flow to detect improper propagation and hence intrusions, the Double Guard system uses a new container-based web server architecture that lets us separate the information flow of each session and track that flow from the web server to the database server. This approach does not need to analyze the source code or know the application logic. For static web pages, no knowledge of the application logic is required to build the model; for dynamic web services we need to know the basic user operations, but not the full application logic, in order to model normal behaviour. The main purpose of the Double Guard system is to model the mapping patterns between database queries and HTTP requests in order to detect malicious user sessions. It requires a large number of isolated web containers, so that the mapping patterns appear across different session instances [9].

III. SYSTEM ARCHITECTURE
Figure 2: System architecture (different Internet browsers; server 1 with servlet filter, session tracking and dispatcher servlet; web application 1 and web application 2; database)

As shown in Figure 2, every request goes first to server 1, where it is processed by the servlet filter. The function of the servlet filter is to take care of session validation and session tracking. Control then passes from the servlet filter to the dispatcher servlet, which dispatches each request to the appropriate service. Only web server 2 and web server 3 access the database server. Session tracking is done using the entry and exit pages of the application: if a user enters the application without coming from the entry page, the request is prohibited and redirected to the application's error page. The open-source Apache Tomcat web server and the MySQL database server are used to implement this application.

IV. WORKING
The Web Gate Keeper (Double Guard) system is designed so that no user has direct access to the database server, nor to the application server on which the application is hosted. Every request is processed by the servlet filter of server 1, which checks session validation and session tracking; control then moves to the dispatcher servlet, whose main job is dispatching the request to the appropriate service.

Only server 2 and server 3 are able to access the database server, and it is on these servers that the actual web application resides. This arrangement helps prevent various types of attacks on the web servers and their applications. In our system, if a user logs into the web application with a wrong ID or password, the respective session is retired and the user is allowed to try again. The Model-View-Controller (MVC) pattern is widely used to isolate the user interface layer from the application logic: the controller receives all requests to the application, works with the model to prepare the data needed by the view, and the view then uses the prepared data to render the result. The Web Gate Keeper system also watches the special rights of each user. Through an entitlement service it provides each user with the services he or she is entitled to, and changes to the special rights of a normal user are prevented by this entitlement service. If such activity takes place, the session is expired immediately and the intrusion details are saved for later analysis.

V. MAPPING RELATIONS
There are four possible mapping relations. Each request from the origin is treated as the mapping source.

A. Deterministic Mapping
Consider a web request rm and a database query set qn. If the web request rm appears together with the SQL query set qn in all of the observed traffic, then rm -> qn is the mapping pattern. In the testing phase, if the query set qn is absent for a request rm, this indicates a possible intrusion or attack.

B. Empty Query Set
Web requests that neither cause nor generate any database query are placed in the empty query set.

C. No Matched Request
Some queries at the database server cannot be matched with any web request. These queries are kept in a set of their own and are considered legitimate during the testing phase.

D. Non-Deterministic Mapping
The same web request may produce different SQL queries depending on its input parameters, although these queries do not appear randomly. A candidate pool of query sets (Qn, Qp, Qq, ...) is maintained, and each instance of the request matches one and only one query set in the pool. The mapping pattern is then rm -> Qi, where Qi is one of (Qn, Qp, Qq, ...). This makes the matched pattern difficult to identify, and dynamic websites such as forums and blogs suffer from this pattern. For static websites non-deterministic mapping does not exist, because static content has no input variables or state.

E. Privilege Escalation Attack
In this attack, an attacker logs into the web server as a normal user and then upgrades his or her privileges. The attacker then triggers administrator queries in order to obtain administrator data. Neither a web server IDS nor a database server IDS can detect this type of attack. In our approach the system detects it, because the database queries do not match the web requests according to our mapping model.

F. Hijacking Future Session Attack
This attack is aimed at the web server side. By taking over the web server, an attacker hijacks all subsequent legitimate user sessions in order to launch attacks: by hijacking a particular user session the attacker can eavesdrop on, send spoofed replies to, or drop the user's requests. Neither a conventional web server IDS nor a database IDS can detect this future-session hijacking attack. The variants of this attack are as follows:
1. Spoofing / man-in-the-middle attack
2. Denial of service / packet drop attack
3. Replay attack

G. SQL Injection Attack
Using an existing vulnerability in the web server logic, an attacker injects data or string content that contains an exploit, and then uses the web server to relay the exploit to the back-end database server. In our approach, even if the web server accepts the injected input, the queries that the injected request generates at the front end have a different structure from the SQL queries expected for that web request, so the deviation from the normal SQL query structure is detected.

H. Direct Database Attack
It is possible for an attacker to bypass the web server or the firewalls and connect directly to the database server, or, having already taken over the web server, to send database queries from the web server without issuing any corresponding web request. The IDS at the web server cannot detect such queries, because there is no web request to match them against, and the IDS at the database server cannot detect them either if the queries are within the set of allowed formats. The Double Guard system detects this attack because a query arrives at the database server without a matching web request.

VI. ALGORITHM

A. Query mapping algorithm
Input: training dataset, threshold (t)
Output: static website query mapping model

    start
    for the separate traffic ti of each session i do
        obtain the distinct HTTP requests (r) and database queries (q) in this session
        for each distinct request r do
            if request r is a request to a static file then
                add this request into the empty query set (EQS)
            else
                if request r is not in the REQ set then
                    add r into the REQ set
                with the key r, append the session id (i) to the set AR_r
        for each distinct query q do
            if query q is not in the SQL set then
                add query q into the SQL set
            with q as the key, append the session id (i) into the set AQ_q
    for each distinct request r in REQ do
        for each distinct database query q in SQL do
            compare the set AR_r with the set AQ_q
            if AR_r == AQ_q and t < cardinality(AR_r) then
                a deterministic mapping from r to q is found
                add q into the mapping model set MS_r of r
                mark q in the SQL set
            else if AR_r == AQ_q but the cardinality does not exceed t then
                more training sessions are required
                return false
    for each database query q in the SQL set do
        if query q is not marked then
            add query q into the set NMR (no matched request)
    for each HTTP request r in the REQ set do
        if request r has no deterministic model then
            add request r into the empty query set (EQS)
    return true
    stop

B. Algorithm for intrusion detection
Input: HTTP server request r and database server query q
Output: whether the user session is a malicious attack

    for each request r whose rule is a deterministic mapping r -> q do
        if query q is present in the SQL set of this session then
            if the request is valid then
                mark the query q
        else
            a violation is detected; the session is considered abnormal and marked as suspicious
    if r -> 0 (r is in the empty query set) then
        no intrusion is detected
    for each unmarked database query q do
        if query q is in the set NMR (no matched request) then
            the query is legitimate
        else (the query reached the database server with no matching request at the web server)
            mark the query as abnormal; the session may be hijacked

VII. CONCLUSION
We present Double Guard, an intrusion detection system that detects a wider range of threats and attacks. The system builds a model of the normal behaviour of a multi-tiered web application. We model the system for static and dynamic web requests together with the queries at the back-end database. It is application independent and hence provides better security for both the database and the web application.

REFERENCES
[1] M. Cova, D. Balzarotti, V. Felmetsger and G. Vigna, "Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications," in RAID 2007.
[2] H. Debar, M. Dacier and A. Wespi, "Towards a taxonomy of intrusion-detection systems," Computer Networks, 1999.
[3] T. Verwoerd and R. Hunt, "Intrusion detection techniques and approaches," Computer Communications, 25(15), 2002.
[4] C. Kruegel and G. Vigna, "Anomaly detection of web-based attacks," Oct. 2003.
[5] M. Roesch, Snort intrusion detection system, http://www.snort.org.
[6] A. Stavrou, G. Cretu-Ciocarlie, M. Locasto and S. Stolfo, "Keep your friends close: the necessity for updating an anomaly sensor with legitimate environment changes," in Proceedings of the 2nd ACM Workshop on Security and Artificial Intelligence, 2009.
[7] M. Christodorescu and S. Jha, "Static analysis of executables to detect malicious patterns."
[8] D. Wagner and D. Dean, "Intrusion detection via static analysis," in IEEE Symposium on Security and Privacy (S&P 2001), May 2001.
[9] Meixing Le, Angelos Stavrou and Brent ByungHoon Kang, "DoubleGuard: Detecting Intrusions in Multitier Web Applications," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, July/August 2012.
[10] Sanaz Jafari and Prof. Dr. Suhas H. Patil, "Web Gate Keeper: Detecting Encroachment in Multitier Web Application," vol. 2, no. 5, May 2013.
[11] K. Karthika and K. Shripriyadevi, "To Detect Intrusions in Multitier Web Application by Using Double Guard Approach."
[12] Ambreen Fatima and Sameena Banu, "IDS (Intrusion Detection System) with Double Guard," vol. 2, issue 7, July 2013.
[13] J. Newsome, B. Karp and D. X. Song, "Polygraph: Automatically generating signatures for polymorphic worms," in IEEE Symposium on Security and Privacy, IEEE Computer Society, 2005.
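The mapping relations of Section V and the two algorithms of Section VI, as an added worked example in Python. This is not the authors' Tomcat/MySQL implementation and not code from the cited DoubleGuard paper; it was written for this page. Assumptions that the paper does not state: the list of static-file extensions, the normalization rules (request parameter values are dropped, SQL string and numeric literals are replaced by "?" so that only the query structure is compared), and the four training sessions and test sessions, which are constructed for the example. The training step builds the sets AR_r and AQ_q, the deterministic mappings MS_r, the empty query set and the no-matched-request set; the detection step applies them to one session and reports which of the Section V cases (missing mapped query, as for SQL injection; a query with no matching web request, as for privilege escalation or direct database access) it found.

```python
import re
from dataclasses import dataclass, field

STATIC_EXT = (".html", ".css", ".js", ".png", ".jpg", ".gif")  # assumed static files

def normalize_request(raw):
    """'GET /post?id=7' -> 'GET /post?id': values dropped, one mapping source per page."""
    method, _, target = raw.partition(" ")
    path, _, qs = target.partition("?")
    names = sorted(p.split("=", 1)[0] for p in qs.split("&") if p)
    return f"{method} {path}" + (f"?{','.join(names)}" if names else "")

def normalize_query(raw):
    """Keep only SQL structure: an injected  ' OR '1'='1  changes the normalized form."""
    q = re.sub(r"'(?:[^']|'')*'", "?", raw)  # string literals ('' = escaped quote)
    q = re.sub(r"\b\d+\b", "?", q)           # numeric literals
    return " ".join(q.upper().split())

def is_static(req):
    return req.split(" ", 1)[1].split("?")[0].endswith(STATIC_EXT)

@dataclass
class MappingModel:
    eqs: set = field(default_factory=set)    # Empty Query Set (V.B)
    ms: dict = field(default_factory=dict)   # r -> deterministic query set (V.A)
    nmr: set = field(default_factory=set)    # No Matched Request (V.C)
    under_trained: set = field(default_factory=set)  # (r, q) seen in <= t sessions

def train(sessions, t):
    """Algorithm VI.A over (session_id, raw_requests, raw_queries) triples."""
    model = MappingModel()
    ar, aq = {}, {}  # AR_r: sessions containing r; AQ_q: sessions containing q
    for sid, reqs, queries in sessions:
        for r in {normalize_request(x) for x in reqs}:
            if is_static(r):
                model.eqs.add(r)
            else:
                ar.setdefault(r, set()).add(sid)
        for q in {normalize_query(x) for x in queries}:
            aq.setdefault(q, set()).add(sid)
    marked = set()
    for r, ar_r in ar.items():
        for q, aq_q in aq.items():
            if ar_r != aq_q:
                continue
            if len(ar_r) > t:                  # deterministic mapping r -> q
                model.ms.setdefault(r, set()).add(q)
                marked.add(q)
            else:                              # "more training sessions required"
                model.under_trained.add((r, q))
    model.nmr = set(aq) - marked
    model.eqs |= {r for r in ar if r not in model.ms}  # requests with no model
    return model

def detect(model, reqs, queries):
    """Algorithm VI.B for one test session: list of violations, empty if normal."""
    violations, marked = [], set()
    present = {normalize_query(x) for x in queries}
    for r in {normalize_request(x) for x in reqs}:
        if r in model.ms:
            missing = model.ms[r] - present
            if missing:  # mapped query absent or structurally different (SQLi)
                violations.append(f"{r}: mapped query missing {sorted(missing)}")
            marked |= model.ms[r] & present
        elif r not in model.eqs:
            violations.append(f"{r}: request never seen in training")
    for q in sorted(present - marked):
        if q not in model.nmr:  # reached the DB with no matching web request
            violations.append(f"unmatched query (hijack or direct DB access): {q}")
    return violations

# Constructed training traffic, four isolated sessions (not the paper's data).
TRAINING = [
    ("s1", ["GET /index.html", "POST /login", "GET /post?id=1"],
     ["SELECT * FROM users WHERE name='alice' AND pw='pw1'",
      "SELECT title, body FROM posts WHERE id=1"]),
    ("s2", ["GET /index.html", "POST /login", "GET /post?id=5"],
     ["SELECT * FROM users WHERE name='bob' AND pw='pw2'",
      "SELECT title, body FROM posts WHERE id=5",
      "DELETE FROM sessions WHERE expires < 1700000000"]),
    ("s3", ["GET /index.html", "POST /login"], ["SELECT * FROM users WHERE name='carol' AND pw='pw3'"]),
    ("s4", ["GET /index.html", "GET /post?id=9", "GET /about"],
     ["SELECT title, body FROM posts WHERE id=9",
      "DELETE FROM sessions WHERE expires < 1700000001"]),
]

if __name__ == "__main__":
    model = train(TRAINING, t=2)
    print("deterministic:", model.ms, "\nEQS:", model.eqs, "\nNMR:", model.nmr)
    cases = [("normal", ["POST /login", "GET /post?id=3"],
              ["SELECT * FROM users WHERE name='dave' AND pw='pw4'",
               "SELECT title, body FROM posts WHERE id=3"]),
             ("sqli (V.G)", ["POST /login"],
              ["SELECT * FROM users WHERE name='admin' AND pw='' OR '1'='1'"]),
             ("escalation (V.E)", ["GET /post?id=2"],
              ["SELECT title, body FROM posts WHERE id=2",
               "SELECT * FROM users WHERE role='admin'"])]
    for label, reqs, queries in cases:
        print(label, "->", detect(model, reqs, queries) or "no violation")
```

Two properties of the algorithm are visible in the example. The threshold t is what keeps the model honest: with t=2 the login and post pages (each seen in three sessions) get deterministic mappings, while with t=3 the same data yields no mappings and both pairs land in under_trained, which is the "more training sessions are required" branch. The mapping test is plain set equality of AR_r and AQ_q, so a query that happens to occur in exactly the same sessions as an unrelated request would be mapped to that request; that is why the paper stresses a large number of isolated session containers, and why the periodic DELETE in the example only lands in the no-matched-request set because its sessions ({s2, s4}) differ from every request's sessions.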