Providing Secure Environment In Real World Computer Science Essay


02 Nov 2017


I. Shahanaz Begum#, G. Geetharamani*, Priyadharshini R#

#Department of Computer Science and Engineering,

*Department of Mathematics,

University College of Engineering, Tiruchirappalli(BIT campus),

Tiruchirappalli – 620 024, India.

Abstract

The Internet has become a vital part of daily life for a wide-ranging population, serving purposes such as business transactions and education. As many organizations rely on online business transactions, their databases need to be secured against intruders. Every organization uses web applications to access data in its database; these applications use user input to build the queries that store and retrieve that data. Although all organizations are concerned about their data security, attackers can still access or corrupt their data using techniques such as SQL injection, client-side cross-site scripting, privilege escalation and hijack-future-session attacks, which are commonly referred to as intrusions. These attacks are carried out by inserting a malicious query as input to the web application or by sending malicious content in a web request. In this paper we present a novel intrusion detection system based on analyzing user behavior and user input queries, using a honeypot technique to reduce false positives in dynamic web applications. Honeypots are designed to review the activity of intruders, save log files and record events. By monitoring both web requests and the subsequent database queries, we are able to detect attacks that an independent intrusion detection system would not be able to identify.

Keywords—Intrusion Detection System, SQL Injection attack, Cross Site Scripting attack, Privilege Escalation attack, Hijack Future Session attack, User behavior, mapping model.

Introduction

In recent years, widespread adoption of the Internet has resulted in rapid advances in information technology. The Internet is used by the general population for purposes such as financial transactions, educational activities and countless other activities. Unfortunately, this growth in Internet use has been accompanied by a growth in malicious activity on the Internet. Using the Internet to accomplish important tasks, such as transferring a balance from a bank account, always comes with a security risk.

Today's websites strive to keep their users' data confidential, and after years of doing secure business online, these companies have become experts in information security.

The database systems behind these secure websites store non-critical data alongside sensitive information, in a way that allows the information owners to access it quickly while blocking break-in attempts from unauthorized users. A common break-in strategy is to access sensitive information in a database by first crafting a query that causes the database parser to malfunction and then applying that query to the target database. Such an approach to gaining access to private information is called SQL injection. Since databases are everywhere and are accessible from the Internet, dealing with SQL injection has become more important than ever.

Although current database systems have few vulnerabilities, the Computer Security Institute found that every year about 50% of databases experience at least one security breach. The loss of revenue associated with such breaches has been estimated at over four million dollars.

An intrusion can be defined as any set of actions that attempts to compromise the integrity, privacy, confidentiality or accessibility of system resources. An intrusion detection system aims to identify an intruder breaking into or misusing system resources.

Intrusion Detection Approaches

1) Misuse Detection: Misuse detection is based on knowledge of vulnerabilities and known attack signatures. It is concerned with detecting intruders who attempt to break into a system using known vulnerabilities. A signature-based IDS stores patterns of known attacks and uses these stored behavior patterns to identify and detect attacks; it can therefore detect only known attacks. The main drawback of a signature-based IDS is that it cannot detect new or previously unseen attacks.

2) Anomaly Detection: Anomaly detection assumes that intrusions will always show some deviation from the normal pattern. This type of IDS stores the normal behavior of the system (learned from previously seen behavior) and classifies any behavior that violates it as an attack. An anomaly-based IDS can detect new attacks, but it raises alarms for legitimate but previously unseen system behavior; such alarms are termed false positives.
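The contrast between the two approaches is easiest to see on actual log lines. The following is an added example written for this page, not code from the paper: a signature-based detector and an anomaly-based detector run over a few constructed access-log lines. The signature list, the log format ("METHOD URL STATUS") and the (method, path) profile are all assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines ("METHOD URL STATUS"); not taken from the paper.
TRAINING_LOG = [
    "GET /index.php 200",
    "GET /products.php?id=12 200",
    "POST /login.php 302",
    "GET /products.php?id=7 200",
] * 5

TEST_LOG = [
    "GET /products.php?id=12 200",                        # normal
    "GET /products.php?id=1%27%20OR%20%271%27=%271 200",  # known tautology pattern
    "GET /export.php?format=csv 200",                     # legitimate, never seen in training
    "GET /admin.php?debug=1 403",                         # never seen in training
]

# --- Misuse (signature) detection: match known attack patterns --------------
SIGNATURES = [
    re.compile(r"'\s*or\s*'", re.IGNORECASE),   # classic tautology fragment
    re.compile(r"<\s*script", re.IGNORECASE),   # reflected script injection
]

def misuse_alerts(lines):
    """Return lines matching any stored signature (known attacks only)."""
    return [line for line in lines
            if any(sig.search(unquote(line)) for sig in SIGNATURES)]

# --- Anomaly detection: profile the normal (method, path) pairs -------------
def normalize(line):
    """Reduce a log line to its (method, path) pair, dropping the query string."""
    method, url, _status = line.split(" ", 2)
    return (method, url.split("?", 1)[0])

def build_profile(lines):
    """Normal-behavior model: how often each (method, path) appeared in training."""
    return Counter(normalize(line) for line in lines)

def anomaly_alerts(lines, profile):
    """Flag any request whose (method, path) was not seen during training."""
    return [line for line in lines if normalize(line) not in profile]

if __name__ == "__main__":
    profile = build_profile(TRAINING_LOG)
    print("misuse  :", misuse_alerts(TEST_LOG))
    print("anomaly :", anomaly_alerts(TEST_LOG, profile))
```

The signature detector catches only the second line, the one it has a pattern for, and ignores the rest. The anomaly detector misses that line (its path is a normal one) but flags both unseen requests, including the legitimate CSV export: that last alert is exactly the false positive the paragraph above describes.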

Honeypot systems are systems set up to gather information about an attacker or intruder. A honeypot is designed to catch would-be attackers before they reach the real servers and services. The main idea of a honeypot is to set up an attractive system that appears to have some vulnerability giving easy access to resources. Honeypots are set up not to capture the attacker but to monitor and learn from their actions: how people probe and exploit the system, and how those exploitations can be prevented.

In this paper, we propose a framework that accurately detects attacks in multi-tier web applications. We present a novel intrusion detection system based on analyzing user behavior and user input queries, using a honeypot technique to reduce false positives in dynamic web applications. Honeypots are designed to check the activity of intruders, save log files and record events; by collecting such data, honeypots work to improve security. By monitoring both web requests and the subsequent database queries, we are able to detect attacks that an independent intrusion detection system would not be able to identify.

Our approach creates normality models of isolated user sessions that include both the front-end HTTP requests and the back-end database queries. To achieve this, we employ a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual environment. We then use the ID of the container to accurately associate each web request with the subsequent DB queries. An IDS uses predefined knowledge to identify an attack and cannot identify new attacks by itself, but a honeypot gives a real-time view of how an attack happened, which makes it possible to strengthen security.

Related Work

Web-delivered services and applications have increased in both popularity and complexity over the past few years. Because of their ubiquitous use for personal and commercial information, web services have always been the target of attacks [28]. These attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities in the web applications [5], [4], [1] in order to corrupt the back-end database system [37] (e.g., SQL injection attacks [12], [40]).

In multi-tiered architectures, the back-end database server is often protected behind a firewall while the web servers are remotely accessible over the Internet. Though they are protected from direct remote attacks, back-end systems are vulnerable to attacks that use web requests as a means to exploit them. To protect multi-tiered web applications, intrusion detection systems have been widely used to detect known attacks by matching misused traffic patterns or signatures [29], [24], [27], [14].

A network intrusion detection system can be classified into two types: misuse detection and anomaly detection. Anomaly detection first requires the IDS to define and characterize the system's correct and acceptable static form and dynamic behavior, which can then be used to detect abnormal changes or anomalous behaviors [19], [46]. The boundary between acceptable and anomalous forms of stored code and data is precisely defined. Behavioral models are built by performing statistical analysis on historical data [25], [46], [17] or by using rule-based approaches to specify behavior patterns [37]. An anomaly detector then compares actual usage patterns against the established models to identify abnormal actions. Our detection approach belongs to anomaly detection, and we depend on the honeypot to build the correct model. Since some legitimate updates may cause model drift, a number of approaches [46] try to solve this problem. Our detection does not run into the same problem, as the heuristic technique used in the honeypot helps prevent legitimate updates from being recognized as attacks [20].

Intrusion alert correlation [44] provides a collection of components that transform intrusion detection sensor alerts into succinct intrusion reports in order to reduce the number of replicated alerts, false positives and non-relevant positives. It also fuses alerts from different levels that describe a single attack, with the goal of producing a succinct overview of security-related activity on the system. This work focuses primarily on abstracting the low-level sensor alerts and providing logical, compound, high-level alert events to users. Our approach operates on the responses coming from all the clients monitored by the honeypot; it does not have to correlate or summarize the alerts produced by other independent IDSs.

An IDS such as the one in [39] also uses temporal information to detect intrusions. Our approach does not correlate events based on time, which runs the risk of mistakenly treating independent but concurrent events as correlated. Like DoubleGuard [28], it uses the ID of the container for each session to causally map the related actions, whether they are concurrent or not.

Since databases always contain more valuable data, they should receive the highest level of protection, so significant research effort has gone into database IDSs [26], [21], [41] and database firewalls [13]. Such software, for example GreenSQL [7], works as a reverse proxy for the database server: instead of connecting to the database directly, web applications first connect to the database firewall, where SQL queries are evaluated and, if deemed secure, forwarded to the back-end database server. The system proposed in [46] combines a web IDS and a database IDS to achieve more accurate detection, and also uses a reverse HTTP proxy to maintain a reduced level of service in the presence of false positives. However, we found that certain types of attack use normal-looking traffic and cannot be detected by either the web IDS or the database IDS; in such cases there would be no alerts to correlate.

Some previous approaches detect intrusions by statically analyzing source code or executables [48], [16], [19]. Others [38], [43], [47] dynamically track information flow to understand taint propagation and detect intrusions. In DoubleGuard [28], the container-based web server architecture makes it possible to separate the information flows of different sessions. This provides a means of tracking the information flow from the web server to the database server for each session, and it does not require analyzing the source code or knowing the application logic.

For static web pages, the DoubleGuard approach does not require application logic to build a model. Although it does not require full application logic for dynamic web services either, it does need to know the basic user operations in order to model normal behavior.

In addition, input validation is useful for detecting or preventing SQL injection and cross-site scripting (XSS) attacks [15], [31]. This is orthogonal to the DoubleGuard approach [28], which can use input validation as an additional defense. DoubleGuard can detect SQL injection attacks from the structures of the web requests and database queries alone, without looking into the values of input parameters (i.e., with no input validation at the web server).

Virtualization is used to isolate objects and enhance security. Full virtualization and para-virtualization are not the only approaches being considered; an alternative is lightweight virtualization, such as OpenVZ [9], Parallels Virtuozzo [11] or Linux-VServer [7]. In general, these are based on some form of container: each group of processes still appears to have its own dedicated structure, yet it runs in an isolated environment. Lightweight containers can have considerable performance advantages over full virtualization or para-virtualization, and thousands of containers can run on a single physical host. There are also desktop systems [32], [22] that use lightweight virtualization to isolate different application instances. These virtualization techniques are commonly used for isolation and containment of attacks. In DoubleGuard, however, the container ID is used to separate session traffic as a way of extracting and identifying causal relationships between web server requests and database query events.

CLAMP [30] is an architecture for preventing data leaks even in the presence of attacks. CLAMP guarantees that a user's sensitive data can only be accessed by code running on behalf of different users, by isolating code at the web server layer and data at the database layer per user. In contrast, DoubleGuard focuses on modeling the mapping patterns between HTTP requests and DB queries to detect malicious user sessions. CLAMP requires modifications to the existing application code, and its Query Restrictor works as a proxy to mediate all database access requests. Furthermore, resource requirements and overhead differ by an order of magnitude: DoubleGuard uses process isolation, whereas CLAMP requires platform virtualization. CLAMP provides coarser-grained isolation than DoubleGuard, and DoubleGuard would be ineffective at detecting attacks if it used isolation as coarse-grained as CLAMP's, since constructing the mapping model would then require a large number of isolated web stack instances before mapping patterns appeared across different session instances. Our approach remains effective even in the situations mentioned above.

Threat Model and System Architecture

In this paper, we propose a framework that accurately detects attacks in multi-tier web applications. We present a novel intrusion detection system based on analyzing user behavior and user input queries, using a honeypot technique to reduce false positives in dynamic web applications. Honeypots are designed to check the activity of intruders, save log files and record events; by collecting such data, honeypots work to improve security. By monitoring both web requests and the subsequent database queries, we are able to detect attacks that an independent intrusion detection system would not be able to identify.

Our approach creates normality models of isolated user sessions that include both the front-end HTTP requests and the back-end database queries. To achieve this, we employ a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual environment. We then use the ID of the container to accurately associate each web request with the subsequent DB queries. An IDS uses predefined knowledge to identify an attack and cannot identify new attacks by itself, but a honeypot gives a real-time view of how an attack happened, which makes it possible to strengthen the system's security.

State of the Art

A honeypot is a dedicated system connected to the organization's network in order to attract attackers to connect to it, so that their behavior can be learned and new kinds of attacks can be identified. Furthermore, it can be used to monitor the behavior of an individual who has gained access to the honeypot. Honeypots are a unique tool for learning about the tactics hackers use to compromise system security.

An intrusion detection system can be used as an extension of a honeypot to improve its storage capabilities. The concept behind a honeypot is that any packet or traffic routed to the honeypot system is assumed to be suspect. A system administrator who finds no fault or sign of attack in the organization may be satisfied with the security in place, but by using a honeypot we can obtain recorded information about an attack that the firewall failed to detect.

An IDS uses predefined knowledge to identify an attack and cannot by itself identify new attacks by blackhats, but a honeypot gives a real-time view of how an attack happened, which makes it possible to strengthen security.

Proposed Method

Building Honeypot

Set up a server and fill it with attractive files. Make it hard, but not impossible, to break into. Then wait for the attackers to show up, monitor them as they roam around the server, record their activity and study it, like watching insects under a magnifying glass. The honeypot should look like an ordinary system.

Fig. 1. Building Honeypot

Traffic Collection

The client sends a request to the web server through a web browser. The corresponding queries are then generated and sent from the web server to the database server, and the client receives the response from the database server through the web server. All traffic to a honeypot should be considered suspicious. Honeypots are designed to review the activity of intruders, save log files and record events; by gathering intruder activity, honeypots work well to improve security.

Fig. 2. Traffic Collection

Attack Scenarios

1) SQL Injection attack: SQL injection is one of the most common types of attack on web-connected databases. The attacker inserts an unauthorized SQL statement through the SQL data channel. The attack is caused by unvalidated input parameters, and it is one of the most prominent threats today. SQL injection is a security vulnerability that occurs in the database layer of an application.

Fig. 3. SQL Injection attack

2) Cross Site Scripting attack: The attacker inserts a malicious link into a familiar website such as a blog and waits for other visitors to visit it. When a victim clicks the malicious link, cross-site scripting causes the user's web browser to execute a malicious script. It is a vulnerability that allows an intruder to send a malicious script to another user; the script then executes, allowing the attacker to access the user's cookies.

Fig. 4. Cross Site Scripting attack
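Both of the attack scenarios above (1 and 2) come down to untrusted input being treated as code: as SQL structure in the first case, as HTML in the second. The following is an added example written for this page, not the paper's code: a login lookup built by string concatenation beside the same lookup with bound parameters, and a comment renderer that escapes its input before it reaches the browser. The in-memory SQLite table, the user rows and the function names are all constructed for the illustration.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory user table for the demonstration; not the paper's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, name, pw):
    """Vulnerable form: the input is pasted into the SQL text, so it can change
    the query's structure (the 'non validated input parameters' of scenario 1)."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))

def login_parameterized(conn, name, pw):
    """Hardened form: bound parameters are always values, never SQL syntax."""
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))

def render_comment(text):
    """Escape untrusted text before placing it in HTML so a script tag submitted
    by one user is shown as text to the next user instead of being executed."""
    return "<p>" + html.escape(text, quote=True) + "</p>"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))       # legitimate login
    print(login_vulnerable(db, "alice", "' OR '1'='1"))  # structure changed: every row
    print(login_parameterized(db, "alice", "' OR '1'='1"))  # treated as a password value
    print(render_comment("<script>alert(1)</script>"))
```

The tautology input is the textbook example of a query whose structure no longer matches the request that produced it, which is precisely the mismatch a request-to-query mapping model can notice even when no input validation runs at the web server.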

3) Privilege Escalation attack: A privilege is what a user is allowed to do; common privileges include viewing, editing and deleting files. Privilege escalation means that a user obtains privileges they are not allowed to have.

Fig. 5. Privilege Escalation attack

4) Hijack future session attack: This attack is mainly aimed at the web server. The attacker takes over the web server and hijacks all subsequent legitimate user sessions to launch attacks.

Fig. 6. Hijack future session attack

Intrusion Detection System

1) Virtualization Container based Web Server: In our approach, we use lightweight process containers as disposable servers for client sessions on the web server. Thousands of containers can be initialized on a single physical machine, and these virtualized containers can be discarded or quickly reinitialized to serve new sessions. A single physical web server runs many containers, each an exact copy of the original web server. The approach dynamically generates new containers and recycles used ones, so a single physical server can run continuously and serve all web requests. Virtualization is used to isolate objects and enhance security.

2) Session Separated Web Server: Each session is assigned to a dedicated web server container, so a single user always deals with the same container. Because each user's web requests are isolated in a separate container, an attacker can never break into or hijack another user's session. Therefore, legitimate sessions will not be compromised directly by an attacker.
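The container ID is what lets the detector pair each HTTP request with the DB queries it caused, and the normality model is a mapping from request pattern to the query structures that request is allowed to produce. The following is an added example written for this page, not the paper's implementation: it trains such a mapping on constructed per-container records and then checks a new session against it. The request keying, the literal-stripping query templates and the sample records are all assumptions made for the illustration.

```python
import re

# Constructed training traffic: (container_id, request, [SQL queries it produced]).
# Values are invented for the illustration; they are not the paper's data.
TRAINING = [
    ("c1", "GET /products.php?id=12",
     ["SELECT * FROM products WHERE id = 12"]),
    ("c2", "GET /products.php?id=7",
     ["SELECT * FROM products WHERE id = 7"]),
    ("c3", "POST /login.php",
     ["SELECT id FROM users WHERE name = 'bob' AND pw = 'x'",
      "UPDATE users SET last_login = NOW() WHERE id = 4"]),
    ("c4", "GET /index.php", []),           # static page: no DB queries expected
]

LITERALS = re.compile(r"'[^']*'|\b\d+\b")   # string and numeric literals

def request_key(request):
    """Reduce a request to 'METHOD /path' so parameter values do not matter."""
    method, url = request.split(" ", 1)
    return method + " " + url.split("?", 1)[0]

def query_template(sql):
    """Replace literals with '?' so structurally equal queries compare equal."""
    return LITERALS.sub("?", sql).strip()

def build_mapping(records):
    """Normality model: request key -> set of query templates seen for it."""
    mapping = {}
    for _container, request, queries in records:
        allowed = mapping.setdefault(request_key(request), set())
        for q in queries:
            allowed.add(query_template(q))
    return mapping

def check_session(mapping, container_id, request, queries):
    """Check one container's request and the queries it issued against the model.
    Because requests and queries are joined by container ID, a query that does
    not belong to the request pattern (or a request with no pattern at all) is
    reported for that container only, without guessing from timing."""
    alerts = []
    key = request_key(request)
    if key not in mapping:
        alerts.append(f"{container_id}: unknown request pattern {key}")
        return alerts
    for q in queries:
        tmpl = query_template(q)
        if tmpl not in mapping[key]:
            alerts.append(f"{container_id}: unexpected query for {key}: {tmpl}")
    return alerts

if __name__ == "__main__":
    model = build_mapping(TRAINING)
    print(check_session(model, "c9", "GET /products.php?id=3",
                        ["SELECT * FROM products WHERE id = 3"]))
    print(check_session(model, "c9", "GET /products.php?id=3",
                        ["SELECT * FROM products WHERE id = 3 OR 1=1"]))
    print(check_session(model, "c9", "GET /index.php",
                        ["SELECT name, pw FROM users"]))
```

A query whose template differs from what its request normally produces (the tautology in the second call) is reported even though the request path itself looks normal, and a query issued behind a request that never touches the database (the third call) is reported as well; that second case is the shape a hijacked session takes, since the queries have no legitimate request in the same container to account for them.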

Experimental Analysis

Each session has some set of requests and queries. Each web request to the web server usually invokes a number of SQL queries depending on the type of request, i.e., the request parameters. This framework was implemented using the Apache web server as the front-end web server and MySQL as the back-end database server. Attack tools such as sqlmap and Metasploit were used to launch attacks manually. The honeypot technique works by monitoring intruders' activities during their use of the honeypot. Honeypots are generally designed to check the activity of intruders, save log files and record events. Using the honeypot, we can obtain information about an attack, such as how it happened, which makes it possible to strengthen security.

Algorithm Summarization

Step 1: Get Queries Q in a session

Step 2: Store IP address with Session ID

Step 3: IDS Retrieval with IP address

Step 4: Rid unique IP address

Step 5: Capture unique IP wise traffic details

Step 6: Login by user u

Step 7: Create Database db, n

Step 8: Store expired IP and active IP with session details

Step 9: Login with IP, avoid duplicate IP address

Step 10: If (IP != n)

Step 11: Yes, Get Query Q

Step 12: Get Session details

Step 13: Tape details

Step 14: End Session

Step 15: Execute IDS

Step 16: Provide honeypot details

Step 17: If IDS finds intruder

Step 18: Action performed

TABLE

Sample Requests and Their Corresponding Query Strings

Request | Date                 | IP             | Query String
--------|----------------------|----------------|-------------------------------------
Android | 2012/Nov 23 10:52:35 | 180.215.39.110 | http://en.wikipedia.org/wiki/Android
Mouse   | 2012/Dec 05 05:04:12 | 171.215.39.122 | http://en.wikipedia.org/wiki/Mouse
CPU     | 2012/Dec 20 08:05:32 | 162.215.38.140 | http://en.wikipedia.org/wiki/CPU
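Steps 2, 4, 5 and 8 of the algorithm summary (store the IP with the session, de-duplicate IPs, collect per-IP traffic details, and separate active from expired sessions) can be shown on the rows of the table above. The following is an added example written for this page, not the paper's code: it parses the three table rows, re-typed as pipe-separated lines, plus one constructed repeat visit, groups them by IP and splits the IPs into active and expired by a session timeout. The line format, the 30-minute timeout and the reference time are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The paper's three sample rows, re-typed as "Request | Date | IP | Query String";
# the fourth line is a constructed repeat visit to show IP de-duplication.
RAW_ROWS = [
    "Android | 2012/Nov 23 10:52:35 | 180.215.39.110 | http://en.wikipedia.org/wiki/Android",
    "Mouse | 2012/Dec 05 05:04:12 | 171.215.39.122 | http://en.wikipedia.org/wiki/Mouse",
    "CPU | 2012/Dec 20 08:05:32 | 162.215.38.140 | http://en.wikipedia.org/wiki/CPU",
    "CPU | 2012/Dec 20 08:06:10 | 162.215.38.140 | http://en.wikipedia.org/wiki/CPU",  # constructed
]

DATE_FMT = "%Y/%b %d %H:%M:%S"          # matches the table's date column
SESSION_TIMEOUT = timedelta(minutes=30)  # assumed idle timeout for a session

def parse_row(line):
    """Split one pipe-separated row into a record with a real datetime."""
    request, date, ip, query = [field.strip() for field in line.split("|")]
    return {"request": request, "time": datetime.strptime(date, DATE_FMT),
            "ip": ip, "query": query}

def collect_traffic(lines):
    """Steps 2, 4 and 5: keep one entry per unique IP holding all its requests."""
    by_ip = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        by_ip[row["ip"]].append(row)
    return dict(by_ip)

def split_sessions(by_ip, now):
    """Step 8: an IP is active if its most recent request is within the timeout
    of `now`; everything older is recorded as expired."""
    active, expired = {}, {}
    for ip, rows in by_ip.items():
        last_seen = max(r["time"] for r in rows)
        target = active if now - last_seen <= SESSION_TIMEOUT else expired
        target[ip] = rows
    return active, expired

if __name__ == "__main__":
    traffic = collect_traffic(RAW_ROWS)
    act, exp = split_sessions(traffic, datetime(2012, 12, 20, 8, 20, 0))
    print("unique IPs:", sorted(traffic))
    print("active:", sorted(act), "expired:", sorted(exp))
```

Grouping by IP before anything else is what makes step 9 ("avoid duplicate IP address") cheap: the two CPU requests collapse into a single IP entry, and the expiry split is computed once per IP rather than once per request.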

Conclusion And Future Work

In this paper, communications are categorized as sessions, which identify the mapping between web server requests and the subsequent DB queries. Using this approach, at the database side we are able to tell which DB transaction corresponds to which client request. By using this mapping model, we detect abnormal behavior at the session or client level. Because of the isolation property of our container-based web server design, an attacker can stay only within one web server container and cannot hijack other user sessions. An intrusion detection system using the honeypot technique can detect intrusions more accurately by analyzing user behavior and input queries in order to reduce the false positive rate in dynamic web applications. The honeypot gives a real-time view of how an attack happened, which makes it possible to strengthen security.
