Double guard

Date post: 25-May-2015
Upload: divya-gowda
Transcript
Page 1: Double guard

DOUBLE GUARD: DETECTING INTRUSIONS IN MULTI-TIER WEB APPLICATIONS

PRESENTED BY

DIVYA K, 8TH SEM, ISE

1RN09IS016

RNSIT

Page 2: Double guard

ABSTRACT

Internet services and applications

Increase in application and data complexity

Multi-tier web application design (1-tier, 2-tier and 3-tier)

Intrusions - any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource

IDS - Intrusion Detection System: a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station

Limitation - Detecting newly published attacks or variants of existing attacks.

DOUBLE GUARD: An Intrusion Detection System which manages both the front end and the back end of the multi-tier design and detects a wide range of attacks with 100% accuracy.

Page 3: Double guard

AGENDA

Introduction

Intrusion Detection System

Double Guard

Architecture

Attack Scenarios

Limitations

Conclusion

References

Acknowledgements

Page 4: Double guard

INTRODUCTION

Daily tasks, such as banking, travel, and social networking, are all done via the web.

Due to their ubiquitous use for personal and/or corporate data, web services have always been the target of attacks.

These attacks have recently become more diverse, as attention has shifted from attacking the front-end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system.

To protect multi-tiered web services, intrusion detection systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures. Functions of an intrusion detection system are to:

Monitor and analyze the user and system activities.

Analyze system configurations and vulnerabilities.

Assess system and file.

Page 5: Double guard

INTRUSION DETECTION SYSTEM

Why should I use an IDS, especially when I already have firewalls, anti-virus tools, and other security protections on my system?

Each security protection serves to address a particular security threat to your system.

Furthermore, each security protection has weak and strong points.

Only by combining them (this combination is sometimes called security in depth) can we protect against a realistic range of security attacks.

Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.

IDSs serve as monitoring mechanisms, watching activities and making decisions about whether the observed events are suspicious.

They can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage.

Page 6: Double guard

CATEGORIES OF IDS

Misuse Detection vs Anomaly Detection:

In misuse detection, the IDS identifies illegal invasions by comparing observed activity to a large database of attack signatures.

In anomaly detection, the IDS monitors the network segments and compares their state to a normal baseline to detect anomalies.

Network-based vs Host-based Systems:

A network-based intrusion detection system (NIDS) identifies intrusions by examining network traffic and monitoring multiple hosts.

A host-based intrusion detection system (HIDS) examines the activity of each individual computer or host.

Page 7: Double guard

LIMITATIONS OF IDS

Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them.

However, these IDSs cannot detect cases wherein normal traffic is used to attack the web server and the database server.

For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server.

DOUBLE GUARD

DoubleGuard is a system used to detect attacks in multi-tiered web services.

This approach can create normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (File or SQL) network transactions.

Page 8: Double guard

DOUBLE GUARD

Composes both the web IDS and the database IDS to achieve more accurate detection.

It also uses a reverse HTTP proxy to maintain a reduced level of service in the presence of false positives.

Instead of connecting to a database server, web applications will first connect to a database firewall. SQL queries are analyzed; if they're deemed safe, they are then forwarded to the back-end database server.

GreenSQL software works as a reverse proxy for DB connections.

Virtualization is used to isolate objects and enhance security performance.

CLAMP is an architecture for preventing data leaks even in the presence of attacks.

Page 9: Double guard

SYSTEM ARCHITECTURE

Page 10: Double guard

ATTACK SCENARIOS

Privilege Escalation Attack:

Hijack Future Session Attack:

Page 11: Double guard

ATTACK SCENARIOS (CONTINUED…)

Injection Attack:

Direct DB attack:

Page 12: Double guard

LIMITATIONS OF DOUBLE GUARD

Vulnerabilities Due to Improper Input Processing

Possibility Of Evading Double Guard

Distributed DoS:

Page 13: Double guard

MAPPING RELATIONS

Deterministic mapping

Empty query set

No matched request

Non-deterministic mapping
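As an added illustration (not code from this presentation or from the DoubleGuard paper), a simplified session-level mapping model in Python. The training sessions are constructed; the model only builds the deterministic and empty-query-set classes, and a non-deterministic mapping (one request explained by several possible query sets) is not modelled. The same check covers the privilege-escalation case from the "Limitations of IDS" slide: a normal-user request followed by a privileged query shows up as a query with no matched request.

```python
# Constructed training sessions, each a pair (HTTP request patterns, SQL query
# patterns) observed for one isolated user session. Example data, not real traffic.
TRAINING_SESSIONS = [
    ({"GET /index"}, set()),
    ({"GET /post?id"}, {"SELECT posts WHERE id"}),
    ({"GET /index", "GET /post?id"}, {"SELECT posts WHERE id"}),
    ({"GET /post?id", "POST /comment"}, {"SELECT posts WHERE id", "INSERT comments"}),
    ({"POST /comment"}, {"INSERT comments"}),
]


def build_model(sessions):
    """Map each request r to the query set that always co-occurs with it
    (deterministic mapping). A request whose set is empty is in the
    empty-query-set class (a static page that never touches the database)."""
    requests = {r for reqs, _ in sessions for r in reqs}
    model = {}
    for r in requests:
        with_r = [qs for reqs, qs in sessions if r in reqs]
        # queries present in every session containing r ...
        cand = set.intersection(*with_r) if with_r else set()
        # ... and whose every occurrence is in a session that also contains r
        model[r] = frozenset(
            q for q in cand if all(r in reqs for reqs, qs in sessions if q in qs)
        )
    return model


def check_session(model, reqs, queries):
    """Return the list of violations for one session; empty means it fits the model."""
    violations = []
    explained = set()
    for r in reqs:
        if r not in model:
            violations.append(f"unknown request {r}")
            continue
        missing = model[r] - queries
        if missing:  # request seen, but its deterministic queries never reached the DB
            violations.append(f"{r} missing {sorted(missing)}")
        explained |= model[r]
    for q in sorted(queries - explained):  # query with no matched request
        violations.append(f"no matched request for {q}")
    return violations


if __name__ == "__main__":
    m = build_model(TRAINING_SESSIONS)
    print(check_session(m, {"GET /post?id"}, {"SELECT posts WHERE id", "UPDATE users SET role"}))
    print(check_session(m, set(), {"SELECT users"}))  # direct DB access, no HTTP request
```

The first call flags the privileged UPDATE as unexplained by any request; the second flags a query arriving with no web request at all, and a request whose deterministic queries are absent (the hijacked-session case) is flagged as "missing".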

Page 14: Double guard

CONCLUSION

We presented an Intrusion Detection System that builds models for multi-tiered web applications from both the front-end (HTTP) and back-end (SQL).

Introduction of sensors in the normality model, which alert when there is an attack.

Precise anomaly detection using lightweight virtualization.

Double Guard was able to identify a wide range of attacks with minimal false positives.

Perfect accuracy, with 0.6% false positives.

Page 15: Double guard

Thank You
