ISSN 2319 - 5975 Volume 2,and No.2, February March 2013 Niraj Gaikwad et al.

., International Journal of Networks Systems, 2(2), February March 2013, 09 - 14

International Journal of Networks and Systems

Available Online at http://warse.org/pdfs/2013/ijns02222013.pdf

DoubleGuard: Detecting & Preventing Intrusions in Multitier Web Applications

Niraj Gaikwad1, Swapnil Kandage2, Dhanashri Gholap3 B.E. Computer Department,P.G.M.C.O.E.,Wagholi,Pune, India, nirajgaikwad2837@gmail.com 2 B.E. Computer Department,P.G.M.C.O.E.,Wagholi,Pune, India, swapnilkandge4482@gmail.com 3 B.E. Computer Department,P.G.M.C.O.E.,Wagholi,Pune, India, dhanugholap76@gmail.com
1

ABSTRACT Internet services and applications have become an indivisible part of our daily life. These applications and services are made available through Web Servers and they make use of Database [1], [2] Servers for fulfillment of users request. Both of these servers are prone to attacks. DoubleGuard provides Intrusion Prevention [7] Systems at both the ends (Web Server and Database Server). The prevention logic [5] of our system works on session tracking and control. Through these DoubleGuard provides a secure environment for the application. We are monitoring the Web and its subsequent Database requests so that we can able to ferret out attack which could not able to identify by independent IDS. DoubleGuard is implemented using an Apache web server with MySQL and lightweight virtualization. Keywords: Virtualization, Intrusion, Multi Tier, IDS, Anomaly. 1 INTRODUCTION Over a past few year web services and applications had increased in popularity and complexity. As day to day our most of the task such as banking, social networking, online shopping are done and directly depend on web. The services which are used on the web to run or use the application [8] user interface logic for front end and server which stores the database or file server for particular user data are the back end server. Due to the use of web services which is present everywhere for personal as well as corporate data they have been targeted for the attack. Attacker had diverged the front end attack by attacking the backend server which provides the useful and valuable data for the attackers. Intrusion detection [9], [11] systems have been widely used to detect the attacks which are known by matching misused traffic patterns or signatures [3], [6] to protect the multi tiered web services. The IDS class has a power of machine learning which can detect unknown attack by identifying the abnormal behavior of the network traffic action from previous behavior of IDS phase. The abnormal network traffic which are send by

the attacker to attack the server can be detected by the web IDS and the database IDS [4] and prohibit to enter within the server. But, if the attacker uses the normal traffic to attack the web servers and database server then such type of attack cannot be able to detect by a IDSs. DoubleGuard is a system which is used to detect the attacks in multitier web services. In this system of DoubleGuard we are creating normality model of isolated user sessions which include both the web front-end as HTTP and back-end as File or SQL for network transaction. In DoubleGuard we are going to use lightweight virtualization technique for assigning each users web session to a dedicated container which provides an isolating virtual environment. So, we will take each web request with its subsequent database queries which will be associate with the accurate container ID. DoubleGuard will take the web server and database traffic for mapping profile into proper and accurate account. The performance testing for DoubleGuard system has reasonable performance overhead which is practical for most of the applications. There is no overhead in comparison when there is moderate request rate and when the server is already overloaded i.e. worst case we get near about 26 percent performance overhead. By using the container based web architecture which not only encourages the profiling of relating mapping model but it also provides an isolation which will be helpful in detecting Future Session-Hijack attacks. In lightweight virtualization environment we can use different container each of which are separate from other container for running multiple instances of web server. As container are easily instantiated and destroyed for each user and which is lasting for only short time. If attacker would be able to attack the single user session, the other user sessions remain unaffected because the damage of the single user session is kept within the limit i.e. to that particular session only. We are making direct causal relationship between the requests received by the front-end web server and those generated for the database back-end for the (website which do not have permissions for content modifications done from user) static website. According to the prior knowledge of web 9

@ 2012, IJNS All Rights Reserved

Niraj Gaikwad et al., International Journal of Networks and Systems, 2(2), February March 2013, 09 - 14

applications, we can generate accurate causality mapping model depending upon its functionality and its size. DoubleGuard system will be helpful for the static website as well as dynamic website. In static website we are making direct causal relationship between the request received by the front-end web server and those generated for the database back-end and web application functionality and size we can generate accurate causality mapping model. In dynamic website the parameter and content are changed so causality mapping model relationship between the front-end and back-end is not always deterministic and depend upon application logic and back-end queries are varied depend upon on the value of the parameter passed and previous application state. So same application can be triggered with many different web pages which results in one too many mapping between web and database request. 2 TECHNICAL BASICS A network Intrusion Detection [12] System can be classified into two types: IDS Intrusion Detection System 1. Anomaly detection 2. Misuse detection. Anomaly detection first requires the IDS to define and characterize the correct and acceptable static form and dynamic behavior of the system, which can then be used to detect abnormal changes or anomalous behaviors. The boundary between acceptable and anomalous forms of stored Code and data is precisely definable. Behavior models are built by performing a statistical analysis on historical data or by using rule-based approaches to specify behavior patterns. An anomaly detector then compares actual usage patterns

against established models to identify abnormal events. Our detection approach belongs to anomaly detection. 3 SYSTEM ARCHITECTURE In DoubleGuard architecture shown in Figure 1 we are using the lightweight virtualization technique to assign each user a separate web container. Each user will have a separate web container ID for processing web request. As container can be easily initialized, destroyed and lasting for only short time it would be able to provide a single container for each user. We can initialize thousands of containers on a single system, so these virtualized containers can be discarded, reverted or quickly reinitialized to serve new sessions. In DoubleGuard approach new container and recycle used container are generated dynamically. Each session is assigned to a dedicated web server and separated from other sessions. Each virtualized container uses a read-only clean template which guarantees that each session will be served with a clean web server at initialization. For separate communication at session level so user will always deal with same web server. In this system we are representing session for different user and in order to use the same web server for the request we are identifying the behavior by both session and user and if we found or detect abnormal behavior in a session, we will treat all the network traffic within the session as infected. If the attacker attacks the container then it remains in that container without getting the knowledge of presence or existence of other session communication.

Figure 1: System Architecture

10
@ 2012, IJNS All Rights Reserved

Niraj Gaikwad et al., International Journal of Networks and Systems, 2(2), February March 2013, 09 - 14

4 ATTACK SCENARIOS Following are the types of attacks which are effectively captured by the DoubleGuard 4.1 Privilege Escalation Attack Lets assume that the website serves both regular users and administrators. For a regular user, the web request Ru will trigger the set of SQL queries Qu, for an administrator, the request Ra will trigger the set of admin level queries Qa as shown in Figure 2. Now suppose that an attacker logs into the web server as a normal user, upgrades his/her privileges, and triggers admin queries so as to obtain an administrator data. This attack can never be detected by either the web server IDS or the database IDS since both Ru and Qa are legitimate requests and queries. Our approach can detect this type of attack since the DB query Qa does not match the request Ru, according to our mapping model.

Figure 3: Hijack Future Session Attack

4.3 Injection Attack Attacks such as SQL injection do not require compromising the web server. Attackers can use existing vulnerabilities in the web server logic to inject the data or string content that contains the exploits and then use the web server to relay these exploits to attack the back-end database which is shown in Figure 4. Since our approach provides a two-tier detection, even if the exploits are accepted by the web server, the relayed contents to the DB server would not be able to take on the expected structure for the given web server request.

Figure 2: Privilege Escalation Attack

4.2 Hijack Future Session Attack This class of attacks is mainly aimed at the web server side. An Attacker usually takes over the web server and therefore hijacks all subsequent legitimate user sessions to launch attacks which is shown in Figure 3. For instance, by hijacking other user sessions, the attacker can eavesdrop, send spoofed replies, and/or drop user requests. A session-hijacking attack can be further categorized as a Spoofing/Man-in-the Middle attack, Denial-of-Service/Packet Drop attack, or a Replay attack.

Figure 4: Injection Attack

4.4 Direct DB Attack It is possible for an attacker to bypass the web server or firewalls and connect directly to the database which is shown in Figure 5. An attacker could also have already taken over 11

@ 2012, IJNS All Rights Reserved

Niraj Gaikwad et al., International Journal of Networks and Systems, 2(2), February March 2013, 09 - 14

the web server and be submitting such queries from the web server without sending web requests. Without matched web requests for such queries, a web server IDS could detect neither. Furthermore, if these DB queries were within the set of allowed queries, then the database IDS it would not detect it either. However, this type of attack can be caught with our approach since we cannot match any web requests with these queries.

Scenario 1: If a user tries to log into the web application and if the provided details are incorrect then the session retires and user is allowed another trial to log in. Scenario 2: Model View Controller or MVC is a software design pattern for developing web applications which is shown in Figure 6. A Model View Controller pattern is made up of the following three parts: 1) Model - The lowest level of the pattern which is responsible for maintaining data. The model is responsible for managing the data of the application. It responds to the request from the view and it also responds to instructions from the controller to update itself. 2) View - This is responsible for displaying all or a portion of the data to the user. A presentation of data in a particular format, triggered by a controller's decision to present the data. They are script based templating systems like JSP, ASP, PHP and very easy to integrate with AJAX technology. 3) Controller - Software Code that controls the interactions between the Model and View. The controller is responsible for responding to user input and performs interactions on the data model objects. The controller receives the input; it validates the input and then performs the business operation that modifies the state of the data model. . MVC is popular as it isolates the application logic from the user interface layer and supports separation of concerns. Here the Controller receives all requests for the application and then works with the Model to prepare any data needed by the View. The View then uses the data prepared by the Controller to generate a presentable response.

Figure 5: Direct DB Attack

5 SYSTEM DESIGN AND WORKING Application is designed in such way no user will have direct access to database server as well as application server on which web application is hosted. All request will be processed from Server 1s Servlet Filter, it will take care of session validation and session tracking. Then control goes to dispatcher Servlet which will take care of dispatching request appropriate service. Database server will be accessible only to Server 2 and Server 3 where actual web application is hosted 5.1 Hardware We will be using 3 workstations with the control logic residing on one of them. These workstations will form a network that will be connected with the help of a router. 5.2 Software Multiple Web servers are required to speed up provision of service. An application dependent database server and a separate Web server that will execute the control logic of the system.

Figure 6: MVC Architecture

5.1.3 Working 12
@ 2012, IJNS All Rights Reserved

Scenario 3: When a user requests for execution [10] of a database query, the DoubleGuard checks the privileges of user and then through entitlement service provides service. Upgrading of

Niraj Gaikwad et al., International Journal of Networks and Systems, 2(2), February March 2013, 09 - 14

privileges is prevented through the use of Entitlement service. If it is observed that such an activity is taking place the session is retired and intrusion details are saved in log _le for future reference. 6 ATTACK DETECTION In the following way, DoubleGuard is used to detect the malicious attacks. For the testing phase, we used the attack tools listed in Table No. 1 and which also shows the experiment views for DG.

register privileges in the DoubleGuard database. DG will never show the URL of the respective application database. In this way, DG will prevent privilege attack. 6.2 Hijack Future Session Attack Whenever we use the internet services or application through web browser, it generates a unique session ID and it remains until or task is not completed or web browser is closed. Attacker tries to get this session ID. So that attacker can get the valuable data and its most common examples are FACEBOOK, GMAIL etc. After getting session ID the attacker can do anything he wants with the user data. But the original user doesnt know that attacker is accessing his/her data which would turn harmful for the user. If the user uses the DG application he will be prevented from such kind of attack. In our application, we are making the Mapping Model for the session ID and IP address. If the attacker will be able to get the session ID then also it will not possible to him/her to attack the user data because the IP address of the attacker will not match with our DGs Mapping Model. DG will allow the access if the session ID and IP address are match according to the mapping model of application database. Depending upon the result of the DG it will decide the user is legal or not and allow him/her access the database or not. 6.3 Injection Attack Now-a-days the attacker are using the SQL queries [13] to get the data or change the data of the another user by sending queries like INSERT, UPDATE, DELETE, etc. In this kind of attack, the attacker communicates with the database by sending queries. But whiles ending the SQL queries by an attacker the structure of the queries are changed and which are never detected by the IDS. But, the DG application is able to prevent the injection attack because the DG will generate its own structure queries and which are different from the attacker SQL queries structure. DG will allows to access, update the database if structure of the SQL queries are matched with the structure of the DG application query structure. 6.4 Direct DB Attack Most of the attacker directly attacks the database server besides going to the web server. In this kind of attacking, the attacker uses the IP address of the database server. It is very easy and less time requirement attack. In this attacker sends the SQL queries directly to the database server by bypassing the web server. If the DG is used then the attack will be detected and attacker will not be allowed to the database 13

Table 1: Detection Results for Attacks

6.1 Privilege Escalation Attack This type of attack is actually done by accessing privilege of authorized user by unauthorized users. Suppose there is an application for the Payment System for Employees in which Administrator privilege to update and change the salary of the employee has and employee have privilege to see their attendance. If any employee gets the URL to update the salary then he/she gets the access of all the employee salary. In case, the attacker employee will get the privilege of the admin and privilege escalation attack is done. If the Payment System uses the DoubleGuard application then it will be placed after the DG. DG will store the admin privilege and employee privilege separately in the DG database. Whenever the admin or employee want to use the Payment System application then they has to go from DGs privilege authentication where according to the user i.e. admin or employee and its privilege the DG application will take to their respective privilege pages according to the user
@ 2012, IJNS All Rights Reserved

Niraj Gaikwad et al., International Journal of Networks and Systems, 2(2), February March 2013, 09 - 14

server. If DG is used then it will be placed before the web server and the database server. So that, DG will be able to hide the IP address and location where the database server is located and DG doesnt match the web request with the SQL queries. Thus DG can avoid such kind of attacks. 7 PERFORMANCE Server on which Application resides is a separate one from the server where IDPS resides; hence it wont affect the speed of the application. The control logic in the host controller selects the web server to satisfy the web requests. Hence selection of a web server with minimal pending requests can be made and hence processing of the system speeds up. 8 SECURITY In our System, we are storing the vital information [10] about the application (for which the system will work) in encrypted and secure format. Also the admin details will be safely stored. And as the system itself works for the security this information will not be easily accessible according to our architecture. 9 CONCLUSION DoubleGuard is used to prevent the intrusions in multi tier web application. It is an application independent system and used for both front-end as well as back-end. It is also used for static and dynamic web server which provides better security for data and web application. REFERENCES [1] National Vulnerability Database, Vulnerability Summary for VE-2010-4332, http://web.nvd.nist.gov/view/vuln/detail? VulnId= CVE-2010-4332, 2011. [2] National Vulnerability Database, Vulnerability Summary for VE-2010-4333, http://web.nvd.nist.gov/view/vuln/detail? VulnId=CVE-2010-4333, 2011. [3] B.I.A. Barry and H.A. Chan, Syntax, and Semantics-Based Signature Database for Hybrid Intrusion Detection Systems, Security and Comm. Networks, vol. 2, no. 6, pp. 457-475, 2009. [4] H. Debar, M. Dacier, and A. Wespi, Towards a Taxonomy of Intrusion-Detection Systems, Computer Networks, vol. 31, no. 9, pp. 805-822, 1999. [5] V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna, Toward Automated Detection of Logic Vulnerabilities in Web Applications, Proc. USENIX Security Symp., 2010. [6] J. Newsome, B. Karp, and D.X. Song, Polygraph: Automatically Generating Signatures for Polymorphic Worms, Proc. IEEE Symp. Security and Privacy, 2005. 14
@ 2012, IJNS All Rights Reserved

[7] B. Parno, J.M. McCune, D. Wendlandt, D.G. Andersen, and A. Perrig, CLAMP: Practical Prevention of Large-Scale Data Leaks, Proc. IEEE Symp. Security and Privacy, 2009. [8] S. Potter and J. Nieh, Apiary: Easy-to-Use Desktop Application Fault Containment on Commodity Operating Systems, Proc. USENIX Ann. Technical Conf., 2010. [9] A. Srivastava, S. Sural, and A.K. Majumdar, Database Intrusion Detection Using Weighted Sequence Mining, J. Computers, vol. 1, no. 4, pp. 8-17, 2006. [10] G.E. Suh, J.W. Lee, D. Zhang, and S. Devadas, Secure Program Execution via Dynamic Information Flow Tracking, ACM SIGPLAN Notices, vol. 39, no. 11, pp. 85-96, Nov. 2004. [11] F. Valeur, G. Vigna, C. Kru gel, and R.A. Kemmerer, A Comprehensive Approach to Intrusion Detection Alert Correlation, IEEE Trans. Dependable and Secure Computing, vol. 1, no. 3, pp. 146-169, July-Sept. 2004. [12] T. Verwoerd and R. Hunt, Intrusion Detection Techniques and Approaches, Computer Comm., vol. 25, no. 15, pp. 1356-1365, 2002. [13] G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and E. Kirda, Reducing Errors in the Anomaly-Based Detection of Web-Based Attacks through the Combined Analysis of Web Requests and SQL Queries, J. Computer Security, vol. 17, no. 3, pp. 305-329, 2009.