Date posted: 25-May-2015 | Category: Education | Uploaded by: divya-gowda
DOUBLE GUARD: DETECTING INTRUSIONS IN MULTI-TIER WEB APPLICATIONS
PRESENTED BY
DIVYA K, 8TH SEM, ISE
1RN09IS016
RNSIT
ABSTRACT
Internet services and applications
Increase in application and data complexity
Multi-tier web application design (1-tier, 2-tier and 3-tier)
Intrusions - any set of actions that attempt to compromise the integrity,
confidentiality, or availability of a resource
IDS - Intrusion Detection System:
a device or software application that monitors network and/or system
activities for malicious activities or policy violations and produces reports to a
Management Station
Limitation - Detecting newly published attacks or variants of existing attacks.
DOUBLE GUARD:
An Intrusion Detection System that monitors both the front end and the back end of the
multi-tier design and detects a wide range of attacks with 100% accuracy.
DIVYA K, 1RN09IS016, RNSIT
AGENDA
Introduction
Intrusion Detection System
Double Guard
Architecture
Attack Scenarios
Limitations
Conclusion
References
Acknowledgements
INTRODUCTION
Daily tasks, such as banking, travel, and social networking, are all done via
the web.
Due to their ubiquitous use for personal and/or corporate data, web services
have always been the target of attacks.
These attacks have recently become more diverse, as attention has shifted
from attacking the front-end to exploiting vulnerabilities of the web
applications in order to corrupt the back-end database system.
To protect multi-tiered web services, Intrusion detection systems (IDS) have
been widely used to detect known attacks by matching misused traffic
patterns or signatures. Functions of an intrusion detection system are to:
Monitor and analyze the user and system activities.
Analyze system configurations and vulnerabilities.
Assess system and file.
INTRUSION DETECTION SYSTEM
Why should I use an IDS, especially when I already have firewalls,
anti-virus tools, and other security protections on my system?
Each security protection serves to address a particular security threat to
your system.
Furthermore, each security protection has weak and strong points.
Only by combining them (this combination is sometimes called security in
depth) can we protect against a realistic range of security attacks.
Firewalls serve as barrier mechanisms, barring entry to some kinds of
network traffic and allowing others, based on a firewall policy.
IDSs serve as monitoring mechanisms, watching activities, and making
decisions about whether the observed events are suspicious.
They can spot attackers circumventing firewalls and report them to
system administrators, who can take steps to prevent damage.
CATEGORIES OF IDS
Misuse Detection vs Anomaly Detection:
In misuse detection, the IDS identifies illegal activity by comparing it
against a large database of attack signatures.
In anomaly detection, the IDS monitors the network segments and
compares their state to a normal baseline to detect anomalies.
Network-based vs Host-based Systems:
A network-based intrusion detection system (NIDS) identifies intrusions
by examining network traffic and monitoring multiple hosts.
A host-based intrusion detection system examines the activity of each
individual computer or host.
LIMITATIONS OF IDS
Individually, the web IDS and the database IDS can detect abnormal network
traffic sent to either of them.
However, it is found that these IDS cannot detect cases wherein normal traffic
is used to attack the web server and the database server.
For example, if an attacker with non-admin privileges can log in to a web
server using normal-user access credentials, he/she can find a way to issue a
privileged database query by exploiting vulnerabilities in the web server.
DOUBLE GUARD
DoubleGuard is a system used to detect attacks in multi-tiered web services.
This approach can create normality models of isolated user sessions that
include both the web front-end (HTTP) and back-end (File or SQL) network
transactions.
DOUBLE GUARD
Composes both a web IDS and a database IDS to achieve more accurate
detection.
It also uses a reverse HTTP proxy to maintain a reduced level of service in the
presence of false positives.
Instead of connecting to a database server, web applications will first connect
to a database firewall. SQL queries are analyzed; if they’re deemed safe, they
are then forwarded to the back-end database server.
GreenSQL software works as a reverse proxy for DB connections.
Virtualization is used to isolate objects and enhance security performance.
CLAMP is an architecture for preventing data leaks even in the presence of
attacks.
SYSTEM ARCHITECTURE
ATTACK SCENARIOS
Privilege Escalation Attack:
Hijack Future Session Attack:
ATTACK SCENARIOS (CONTINUED…)
Injection Attack:
Direct DB attack:
LIMITATIONS OF DOUBLE GUARD
Vulnerabilities Due to Improper Input Processing
Possibility Of Evading Double Guard
Distributed DoS:
MAPPING RELATIONS
Deterministic mapping
Empty query set
No matched request
Non-deterministic mapping
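As an added example (not part of the original slides or the DoubleGuard project's code), the following Python sketch builds a per-session normality model from constructed training sessions and shows how the four mapping patterns above drive detection. It assumes each request has already been aligned with the queries it triggered, and that requests and queries are pre-normalised into patterns (the real system derives this alignment from per-session container isolation).

```python
from collections import defaultdict

# Constructed training data (not from the paper): each session lists
# (request pattern, set of SQL query patterns it triggered) pairs, plus
# queries observed with no matching request (e.g. scheduled clean-up jobs).
TRAINING_SESSIONS = [
    {"pairs": [("GET /index.html", set()),
               ("GET /post?id=*", {"SELECT * FROM posts WHERE id=?"}),
               ("POST /login", {"SELECT pw FROM users WHERE name=?"})],
     "unmatched": {"DELETE FROM sessions WHERE expires<?"}},
    {"pairs": [("GET /index.html", set()),
               ("POST /login", {"SELECT pw FROM users WHERE name=?",
                                "UPDATE users SET last_login=? WHERE name=?"})],
     "unmatched": set()},
]

def train(sessions):
    """Build the normality model: request pattern -> allowed query sets."""
    model = defaultdict(set)   # each value is a set of frozensets of queries
    nmr = set()                # 'no matched request' queries, allowed any time
    for session in sessions:
        for req, queries in session["pairs"]:
            model[req].add(frozenset(queries))
        nmr.update(session["unmatched"])
    return dict(model), nmr

def mapping_kind(model, req):
    """Name the trained mapping pattern for a known request."""
    sets = model[req]
    if len(sets) > 1:
        return "non-deterministic"
    return "empty query set" if frozenset() in sets else "deterministic"

def classify(model, nmr, session):
    """Return (request, reason) anomalies for a test session; [] if normal."""
    anomalies = []
    for req, queries in session["pairs"]:
        seen = frozenset(q for q in queries if q not in nmr)  # drop background queries
        if req not in model:
            anomalies.append((req, "unknown request"))
        elif seen not in model[req]:
            anomalies.append((req, "query set outside model"))
    return anomalies

MODEL, NMR = train(TRAINING_SESSIONS)

# Normal session: the clean-up query fires during a page view and is tolerated.
NORMAL_SESSION = {"pairs": [("GET /post?id=*", {"SELECT * FROM posts WHERE id=?",
                                                "DELETE FROM sessions WHERE expires<?"})]}
# Privilege escalation: a plain page view triggers a query the model never saw for it.
ATTACK_SESSION = {"pairs": [("GET /post?id=*", {"SELECT * FROM posts WHERE id=?",
                                                "UPDATE users SET role='admin' WHERE name=?"})]}
```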
CONCLUSION
We presented an Intrusion Detection System that builds models for multi-tier
web applications from both the front end (HTTP) and the back end (SQL).
Sensors are introduced in the normality model and raise an alert when there is an
attack.
Precise anomaly detection using lightweight virtualization.
Double Guard was able to identify a wide range of attacks with minimal false
positives.
Perfect accuracy, with 0.6% false positives.
REFERENCES
www.sans.org/top-cyber-security-risks/
www.xenoclast.org/
www.cve.mitre.org/
www.greensql.net/
www.wordpress.org/
www.wikipedia.org/
C. Anley, "Advanced SQL Injection in SQL Server Applications", 2002.
K. Bai, H. Wang and P. Liu, "Towards Database Firewalls", 2005.
M. Christodorescu and S. Jha, "Static Analysis of Executables to Detect Malicious Patterns".
M. Cova, D. Balzarotti and G. Vigna, "Swaddler: An Approach for the Anomaly Detection of State Violations in Web Applications", 2007.
Thank You