Approach For Detecting Intrusions Computer Science Essay

02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work witten by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Priyadharshini R*1, I. Shahanaz Begum#2

Department of Computer Science and Engineering,

University College of Engineering, Tiruchirappalli(BIT campus),

Tiruchirappalli – 620 024. Tamilnadu,

India.

[email protected]

Abstract—The Internet has become an essential part of day-to-day life. As many organizations rely on online business transactions, their databases need to be secured against intruders. Almost all organizations use web applications to access data in their databases; these applications use user input to build the queries that store and retrieve data. Even though organizations are concerned about data security, attackers are still able to steal or corrupt data using techniques such as SQL injection, client-side cross-site scripting, privilege escalation and hijack-future-session attacks, which are commonly referred to as intrusions. These attacks are carried out by supplying a malicious query as input to the web application or by sending malicious content in a web request. In this paper we present a novel intrusion detection system that analyzes user behavior with the Support Vector Machine classification technique and analyzes user input queries with a mapping model algorithm, in order to reduce false positives in dynamic web applications. By monitoring both web requests and the subsequent database queries, we are able to detect attacks that an independent intrusion detection system would not be able to identify.

Keywords—Intrusion Detection System, SQL Injection attack, Cross Site Scripting attack, Privilege Escalation attack, Hijack Future Session attack, mapping model, Support Vector Machine classification technique.

Introduction

In recent years, widespread adoption of the Internet has resulted in rapid advancement in information technologies. The Internet is used by the general population for purposes such as financial transactions, educational activities and countless others. This growth in Internet use has unfortunately been accompanied by a growth in malicious activity on the Internet. Using the Internet to accomplish important tasks, such as transferring a balance from a bank account, always comes with a security risk. Today's websites strive to keep their users' data confidential, and after years of doing secure business online, these companies have become experts in information security. The database systems behind these secure websites store non-critical data alongside sensitive information, in a way that allows the information owners to access it quickly while blocking break-in attempts by unauthorized users. A common break-in strategy is to access sensitive information in a database by first constructing a query that causes the database parser to malfunction, and then applying that query to the target database. Such an approach to gaining access to private information is called SQL injection. Since databases are everywhere and are accessible from the Internet, dealing with SQL injection has become more important than ever.

Although current database systems have few vulnerabilities, the Computer Security Institute found that every year about 50% of databases experience at least one security breach.

An intrusion can be defined as any set of actions that attempts to compromise the integrity, privacy, confidentiality or availability of system resources. An intrusion detection system aims to identify an intruder breaking into or misusing system resources.

Intrusion Detection Approaches

1) Misuse Detection: Misuse detection is based on knowledge of vulnerabilities and known attack signatures. It is concerned with detecting intruders who attempt to break into a system by exploiting known vulnerabilities. A signature-based IDS stores the patterns of known attacks and uses these stored behavior patterns to identify and detect attacks. It can identify only known, previously seen attacks; the main drawback of a signature-based IDS is that it cannot detect new or previously unseen attacks.

2) Anomaly Detection: Anomaly detection assumes that an intrusion will always show some deviation from the normal pattern. This type of IDS stores the normal behavior of the system (learned from previously seen behavior) and classifies any behavior that violates it as an attack. An anomaly-based IDS can detect new attacks, but it raises false alarms for legitimate but previously unseen system behavior; such alarms are termed false positives.

In this paper, we propose a framework that accurately detects attacks in multi-tier web applications. We present a new intrusion detection system based on analyzing user behavior and analyzing user input queries with a mapping model algorithm, in order to reduce false positives in dynamic web applications.

Honeypots are designed to observe the activity of intruders, save log files and record events. By collecting such data, honeypots help to improve security. By monitoring both web requests and the subsequent database queries, we are able to detect attacks that an independent intrusion detection system would not be able to identify.

Our approach builds normality models of isolated user sessions that include both the front-end HTTP requests and the back-end database queries. To achieve this, we employ a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual environment. We then use the ID of the container to accurately associate each web request with the subsequent DB queries. An IDS uses predefined knowledge to identify an attack and does not have the capability to identify new attacks, but a honeypot gives a real-time view of how an attack happened, which makes it possible to strengthen system security.

Related Work

Polygraph [7] is a signature generation system that produces signatures matching polymorphic worms. To protect multi-tier web applications, intrusion detection systems have been widely used to detect known attacks by matching misuse traffic patterns or signatures. [6] proposes a signature generation algorithm that defines the polymorphic signature generation problem, proposes different classes of signature suitable for matching polymorphic worm payloads, and generates signatures in these classes. The signature classes for polymorphic worms include:

Token Subsequence Signatures

Bayes Signatures

The signature generation algorithm is run on workloads consisting of samples of polymorphic worms, to evaluate the quality of the signatures it produces and to measure its computational cost. Evaluation on a range of polymorphic worms shows a low false negative rate. The main drawback of a signature-based intrusion detection system is that it relies on a database of previous attacks: it cannot detect new or previously unseen attacks.

Anomaly Detection of Web-based Attacks [2] presents an intrusion detection system that uses a number of anomaly detection techniques to detect attacks against web servers. Behavior models are built by statistical analysis of historical data. The paper introduces a novel approach to anomaly detection using HTTP queries that contain parameters: parameter characteristics such as length and structure are learned from the input data, and the system correlates the server-side programs with the client queries and the parameters those queries contain. The main drawback of anomaly-based detection is that it only detects deviations from the learned patterns of user behavior: it can detect new attacks, but it raises false alarms for legitimate but previously unseen system behavior.
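
The parameter model described above, learning the length and character structure of each request parameter from past traffic and flagging deviations, is shown here as an added example; it is not code from the paper or from [2]. The training requests, the paths and parameter names, and the three-standard-deviation length threshold are all constructed assumptions. The last case in the usage note shows the false-positive behavior the paragraph describes: a legitimate value with an apostrophe is flagged simply because no such value was seen during training.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed training traffic (not from the paper): requests observed
# while the application was used legitimately.
TRAINING = [
    "/search?q=android&page=1",
    "/search?q=mouse&page=2",
    "/search?q=cpu+cooler&page=1",
    "/search?q=laptop+battery&page=3",
    "/profile?id=1042",
    "/profile?id=2210",
    "/profile?id=87",
]


def char_classes(value):
    """Coarse structural description of a parameter value: which
    character classes it contains (letters, digits, spaces, punctuation)."""
    classes = set()
    for ch in value:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        else:
            classes.add("punct")
    return frozenset(classes)


class ParameterModel:
    """Per (path, parameter) profile of value length and value structure."""

    def __init__(self):
        self.lengths = defaultdict(list)    # (path, param) -> observed lengths
        self.structures = defaultdict(set)  # (path, param) -> seen class sets

    @staticmethod
    def _params(request):
        parts = urlsplit(request)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            yield (parts.path, name), value

    def train(self, requests):
        for req in requests:
            for key, value in self._params(req):
                self.lengths[key].append(len(value))
                self.structures[key].add(char_classes(value))

    def score(self, request):
        """Return a list of (parameter, reason) anomalies; [] means normal."""
        findings = []
        for key, value in self._params(request):
            if key not in self.lengths:
                findings.append((key[1], "unseen parameter"))
                continue
            lens = self.lengths[key]
            mean, sd = statistics.mean(lens), statistics.pstdev(lens)
            # Three standard deviations, with a small fixed slack so that a
            # parameter that was always the same length is not rigidly pinned.
            limit = mean + max(3 * sd, 4)
            if len(value) > limit:
                findings.append((key[1], f"length {len(value)} > {limit:.1f}"))
            if char_classes(value) not in self.structures[key]:
                findings.append((key[1], "unseen character structure"))
        return findings


if __name__ == "__main__":
    model = ParameterModel()
    model.train(TRAINING)
    for req in ("/search?q=keyboard&page=2",        # normal
                "/search?q=" + "a" * 40,            # abnormal length
                "/profile?id=abc",                  # abnormal structure
                "/search?q=o%27reilly&page=1"):     # legitimate but unseen: false positive
        print(req, model.score(req) or "normal")
```

The length bound and the set of seen character-class combinations are deliberately simple; the point is that anything the training data did not contain, harmful or not, looks the same to this kind of model, which is exactly why the paper pairs anomaly detection with a request-to-query mapping model.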

Parse tree validation is used to detect and prevent SQL injection attacks [5]. The technique compares the parse tree of the query before the user's input is included with the parse tree of the query after the input is included at run time. By incorporating a simple SQL parser, it evaluates all user input without requiring a call to the database, thus reducing run-time cost. It aims to satisfy the following three criteria:

Eliminate the possibility of attack

Reduce the effort required of the programmer

Minimize the run-time overhead.

A parse tree is the data structure built as the parsed representation of a statement. In this method, by parsing two statements and comparing their parse trees, we can check whether the two queries are structurally equal. When an attacker successfully injects SQL into the database, the parse tree of the intended SQL query and that of the query actually generated differ [5]. This method reduces the effort required of the programmer, because it captures both the intended query and the actual query, compares them, and throws an exception when they differ.
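
The comparison described above, as an added example that is not code from the paper or from [5]: a small tokenizer stands in for the SQL parser (an assumption; the real technique uses a full parser), and the "parse tree" is reduced to the sequence of token kinds with literal values abstracted away. The intended query is the template with the user's values rendered as literals; the actual query is whatever the application built. The `TEMPLATE`, the `users` table and the `unsafe_build` concatenation are constructed for the example.

```python
import re

# Tokenizer for the SQL subset used in this example (assumption: a real
# validator would use a full SQL parser, as the technique requires).
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<comment>--[^\n]*|/\*.*?\*/)
    | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op>[<>=!]=?|[*/+\-,();.])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "LIKE", "IS", "NULL",
            "ORDER", "BY", "LIMIT"}


def tokenize(sql):
    """Split SQL into (kind, text) tokens; raise ValueError on unparsable input."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}: {sql[pos:pos + 10]!r}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "word":
            if text.upper() in KEYWORDS:
                kind, text = "keyword", text.upper()
            else:
                kind = "identifier"
        tokens.append((kind, text))
    return tokens


def shape(sql):
    """Structural skeleton of a statement: literal values are abstracted to
    their kind; keywords, identifiers, operators and comments are kept.
    Two statements with the same shape have the same parse structure."""
    return tuple(kind if kind in ("string", "number") else f"{kind}:{text}"
                 for kind, text in tokenize(sql))


def quote(value):
    """Render a user value as a single SQL literal (what a parameterized build does)."""
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def validate(template, params, actual_sql):
    """Parse tree validation: compare the shape of the query the programmer
    intended (user values as literals) with the query actually built.
    Returns True when the structures agree, False when the input changed it."""
    intended = template.format(*(quote(p) for p in params))
    try:
        return shape(intended) == shape(actual_sql)
    except ValueError:
        return False   # the built query does not even tokenize: reject it


# Constructed application query, and an unsafe string-concatenation build
# of it (the kind of code SQL injection exploits); both are assumptions.
TEMPLATE = "SELECT id, role FROM users WHERE name = {} AND active = {}"


def unsafe_build(name, active):
    return f"SELECT id, role FROM users WHERE name = '{name}' AND active = {active}"


if __name__ == "__main__":
    for name in ("alice", "O'Brien", "x' OR 1=1 --"):
        ok = validate(TEMPLATE, (name, 1), unsafe_build(name, 1))
        print(repr(name), "accepted" if ok else "rejected")
```

A value containing an apostrophe is rejected from the unsafe build even though it is harmless, because the concatenated query no longer tokenizes; the same value rendered with `quote` (as a parameterized query would) passes. The injected value is rejected because its shape gains an `OR`, a comparison and a comment that the intended query never had.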

[10] proposes a general-purpose framework that harnesses lightweight virtualization to track application interactions in a scalable and efficient manner. The main goals of the framework are:

Application auditing

Intrusion detection

System recovery from attacks.

Each virtualized environment (VE) is constructed in a novel way that limits the scope and type of application events that need to be monitored to protect integrity, interactions among VEs, and system resources including system memory and the network. The framework, termed Journaling Computing System (JCS), makes the following contributions:

Modeling system events as transactions: all interactions among the executions of virtualized applications, and their interactions with remote hosts/servers, are monitored.

Isolating and Monitoring Virtual Environments.

In JCS, summarizations preserve history for very long periods of time, so they occupy a large amount of disk space.

A client-side XSS filter should be placed between the HTML parser and the JavaScript engine, instead of mediating between the network stack and the HTML parser [3]; this design achieves both high performance and high fidelity. The post-parser design examines the semantics of the HTTP response as interpreted by the browser, without performing a time-consuming and error-prone simulation. The usefulness of the filter depends on what percentage of vulnerabilities it covers and on its false positive and false negative rates. This filter design blocks suspected attacks by preventing the injected script from being passed to the JavaScript engine, rather than performing risky transformations on the HTML.

State Of Art

A honeypot is a unique system connected to the organization's network in order to attract attackers, interact with them and learn their behavior, through which it is possible to identify new kinds of attacks. Furthermore, it can be used to monitor the behavior of an individual who has gained access to the honeypot. Honeypots are a unique tool for learning about the strategies hackers use to compromise system security.

An intrusion detection system can be used as an extension of a honeypot to improve its storage capabilities. The concept behind a honeypot is that any packet or traffic routed to the honeypot system is assumed to be a suspected attack. A system administrator who finds no sign of a fault or attack in the organization may be satisfied with the security the organization has, but by using a honeypot we can obtain recorded information about an attack that the firewall failed to detect.

An IDS uses predefined knowledge to identify an attack; it does not have the capability to identify new attacks by blackhats. A honeypot, however, gives a real-time view of how an attack occurred, through which it is possible to strengthen security.

Proposed Method

Building Honeypot

Set up a server and fill it with attractive files. Make this setup hard, but not impossible, to break into. Then wait for attackers to show up, monitor them as they move around in the server, and trace their interactions and study them like insects under a magnifying glass. The honeypot system should appear to be an ordinary system.

Fig. Building Honeypot

Traffic Collection

The client sends a request to the web server through a web browser. The corresponding queries are then generated and transferred from the web server to the database server, and the client receives the response from the database server through the web server. All traffic to a honeypot should be considered suspicious. Honeypots are designed to review the activity of intruders, save log files and record events; by gathering intruder activity, honeypots help to improve security.

Fig. Traffic Collection

Attack Scenarios

1) SQL injection attack: SQL injection is one of the most common types of attack on web-connected databases. The attacker inserts an unauthorized SQL statement through the SQL data channel. The attack is caused by non-validated input parameters. SQL injection is one of the most prominent threats today; it is a security vulnerability that occurs in the database layer of an application.

Fig. 3 SQL Injection attack

2) Cross-site scripting attack: The attacker inserts a malicious link into a familiar website, such as a blog, and waits for other visitors to the same site. When a victim clicks the malicious link, cross-site scripting causes the user's web browser to execute a malicious script. It is a vulnerability that allows an intruder to send a malicious script to another user; the browser then executes the script, which allows the attacker to access the user's cookies.

Fig. 4. Cross Site Scripting attack

3) Privilege escalation attack: A privilege is what a user is allowed to do. Common privileges include viewing, editing and deleting files. Privilege escalation means a user obtains privileges they are not allowed to have.

Fig. 5 Privilege Escalation attack

4) Hijack future session attack: This attack is mainly aimed at the web server. An attacker takes over the web server and hijacks all subsequent legitimate user sessions in order to launch attacks.

Fig. 6 Hijack future session attack

Intrusion Detection System

1) Virtualization container-based web server: In our approach, we use lightweight process containers as disposable servers for client sessions in the web server. Thousands of containers can be initialized on a single physical machine, and these virtualized containers can be discarded or quickly reinitialized to serve new sessions. A single physical web server runs many containers, each of which is an exact copy of the original web server. The approach dynamically generates new containers and recycles used ones, so a single physical server can run continuously and serve all web requests. Virtualization is used to isolate objects and enhance security.

2) Session-separated web server: Each session is assigned to a dedicated web server container, so a single user always deals with the same container. As each user's web requests are isolated in a separate container, an attacker can never break into other users' sessions or hijack them. Therefore, legitimate sessions cannot be compromised directly by an attacker.

Analyzing User’s Behavior

The client request is received from a web browser and associated with a session ID, and the request is then passed to the web server. For a legitimate user, the request is allowed to be converted into the corresponding queries; for suspected traffic, a heuristic technique is used to block the intruder. The database server checks the validity of each query with the help of the mapping model algorithm. The Support Vector Machine classification technique is used to detect unknown attacks by identifying abnormal traffic that deviates from the normal behavior profiled during the IDS training phase.

Fig. 7 Analyzing User’s Behavior
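
The mapping model and the container-based correlation from the two sections above, as an added example that is not code from the paper: each log entry carries the ID of the container that served the session, which is used as the key that ties a database query back to the web request that produced it. Training learns, per request type, the set of query templates it legitimately issues; detection flags queries that a request of that type never issued, and queries that arrive in a container with no preceding request at all. The log format, the route patterns and the traffic lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed training log (not from the paper). Each line is
# (container_id, kind, payload) where kind is "req" for a web request seen
# at the web server or "sql" for a query seen at the database server.
# Sessions c1 and c2 overlap in time; the container ID keeps them apart.
TRAINING_LOG = [
    ("c1", "req", "GET /wiki/Android"),
    ("c1", "sql", "SELECT body FROM pages WHERE title = 'Android'"),
    ("c2", "req", "GET /wiki/Mouse"),
    ("c1", "sql", "INSERT INTO views (page, ts) VALUES ('Android', 1353667955)"),
    ("c2", "sql", "SELECT body FROM pages WHERE title = 'Mouse'"),
    ("c1", "req", "GET /wiki/CPU"),
    ("c2", "sql", "INSERT INTO views (page, ts) VALUES ('Mouse', 1354683852)"),
    ("c1", "sql", "SELECT body FROM pages WHERE title = 'CPU'"),
    ("c1", "sql", "INSERT INTO views (page, ts) VALUES ('CPU', 1354683855)"),
    ("c3", "req", "POST /login"),
    ("c3", "sql", "SELECT id, role FROM users WHERE name = 'alice' AND pw = 'h4sh'"),
]

# Constructed traffic to check against the learned model.
TEST_LOG = [
    ("c7", "req", "GET /wiki/Linux"),
    ("c7", "sql", "SELECT body FROM pages WHERE title = 'Linux'"),
    ("c7", "sql", "INSERT INTO views (page, ts) VALUES ('Linux', 1356000000)"),
    ("c8", "req", "GET /wiki/Keyboard"),
    ("c8", "sql", "SELECT body FROM pages WHERE title = 'Keyboard'"),
    # a login query is legitimate for POST /login, but a page view never issues it
    ("c8", "sql", "SELECT id, role FROM users WHERE name = 'bob' AND pw = 'x'"),
    # a query in a container that received no web request at all
    ("c9", "sql", "SELECT body FROM pages WHERE title = 'CPU'"),
]

# Assumed route structure of the application: the variable part of a path
# is replaced so that all page views map to one request template.
ROUTES = [
    (re.compile(r"^/wiki/[^/?]+$"), "/wiki/<title>"),
    (re.compile(r"^/login$"), "/login"),
]


def normalize_sql(sql):
    """Abstract literal values so queries differing only in data look alike."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return re.sub(r"\s+", " ", sql).strip()


def normalize_request(line):
    method, path = line.split(" ", 1)
    for pattern, template in ROUTES:
        if pattern.match(path):
            return f"{method} {template}"
    return f"{method} {path}"


def sessionize(log):
    """Group log lines by container; attach each query to the most recent
    request in the same container. A query with no preceding request is
    recorded under request None, which no model entry will ever match."""
    sessions = defaultdict(list)   # container -> [(request_template, [query_templates])]
    for container, kind, payload in log:
        if kind == "req":
            sessions[container].append((normalize_request(payload), []))
        elif sessions[container]:
            sessions[container][-1][1].append(normalize_sql(payload))
        else:
            sessions[container].append((None, [normalize_sql(payload)]))
    return sessions


def learn_mapping(log):
    """Mapping model: request template -> set of query templates it may issue."""
    model = defaultdict(set)
    for pairs in sessionize(log).values():
        for req, queries in pairs:
            model[req].update(queries)
    return model


def detect(model, log):
    """Return (container, request_template, query_template) for every query
    that the mapping model does not allow for the request that preceded it."""
    alerts = []
    for container, pairs in sessionize(log).items():
        for req, queries in pairs:
            for q in queries:
                if q not in model.get(req, set()):
                    alerts.append((container, req, q))
    return alerts


if __name__ == "__main__":
    mapping = learn_mapping(TRAINING_LOG)
    for alert in detect(mapping, TEST_LOG):
        print("ALERT", alert)
```

The second alert in the test traffic is the case the paper's container design is built for: a query that reaches the database without any request having entered the container cannot be attributed to a user session, so it is reported regardless of whether its template is otherwise known. The first alert shows why the model is keyed per request type rather than being a global whitelist of query templates: the login query is legitimate somewhere in the application, just not after a page view.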

Experimental Analysis

Each session has a set of requests and queries. Each web request to the web server usually invokes a number of SQL queries, depending on the type of request, i.e. its request parameters. The framework was implemented using the Apache web server as the front-end web server and MySQL as the back-end database server. Attack tools such as sqlmap and Metasploit were used to launch attacks manually. The honeypot technique works by monitoring intruders' activities during their use of the honeypot: honeypots are designed to observe the activity of intruders, save log files and record events. Using the honeypot, we obtain information about an attack, such as how it happened, which makes it possible to strengthen security.

Algorithm Summarization

Step 1: Get Queries Q in a session

Step 2: Store IP address with Session ID

Step 3: IDS Retrieval with IP address

Step 4: Rid unique IP address

Step 5: Capture unique IP wise traffic details

Step 6: Login by user u

Step 7: Create Database db, n

Step 8: Store expired IP and active IP with session details

Step 9: Login with IP, avoid duplicate IP address

Step 10: If (IP != n)

Step 11: Yes, Get Query Q

Step 12: Get Session details

Step 13: Tape details

Step 14: End Session

Step 15: Execute IDS

Step 16: Provide honeypot details

Step 17: If IDS finds intruder

Step 18: Action performed

TABLE

Sample Requests And Their Corresponding Query Strings

| Request | Date                 | IP             | Query String                         |
|---------|----------------------|----------------|--------------------------------------|
| Android | 2012/Nov 23 10:52:35 | 180.215.39.110 | http://en.wikipedia.org/wiki/Android |
| Mouse   | 2012/Dec 05 05:04:12 | 171.215.39.122 | http://en.wikipedia.org/wiki/Mouse   |
| CPU     | 2012/Dec 20 08:05:32 | 162.215.38.140 | http://en.wikipedia.org/wiki/CPU     |

Conclusion And Future Work

In this paper, communications are categorized into sessions, which identify the mapping between web server requests and the subsequent DB queries. Using this mapping model approach, at the database side we are able to tell which DB transaction corresponds to which client request. By using this mapping model, we detect abnormal behavior at the session or client level. Because of the isolation property of our container-based web server design, an attacker can stay only within a single web server container and therefore cannot hijack other users' sessions. An intrusion detection system using the mapping model algorithm and the Support Vector Machine classification technique can detect intrusions more accurately by analyzing user behavior and input queries, reducing the false positive rate in dynamic web applications.