Container and Virtualization Concept for Bi-filter Intrusion Detection with Caching of Web Requests in Relational Database


International Journal of Advancements in Research & Technology, Volume 2, Issue 4, April

I. Jasmine Selvakumari Jeya (1), Harsha Thomas (2)

(1) Research Scholar, Dept. of CSE, Hindusthan College of Engineering and Technology, Coimbatore-32, Tamil Nadu, India, wjasminejeya@gmail.com
(2) P.G Student, Dept. of CSE, Hindusthan College of Engineering and Technology, Coimbatore-32, Tamil Nadu, India, thomasharsha26@gmail.com

ABSTRACT

In multi-tier web architecture, often referred to as n-tier architecture, the back end database servers are kept protected behind a firewall, and web applications make it possible for users to access a set of services from web servers which are remotely accessible over the Internet. The current IDS systems installed at the web server and at the database server are unable to detect intrusions where normal traffic is used for attacking the back end database. Though they are protected from direct remote attacks, the back end systems are susceptible to attacks that use web requests as a means to exploit the back end. Existing prevention systems are often insufficient to protect this class of applications, because the security mechanisms provided are either not well understood or simply disabled by the web developers to get the job done. Therefore, prevention mechanisms should be complemented by intrusion detection systems, which are able to identify attacks and provide early warning about suspicious activities. The proposed Bifilter approach is based upon a mapping model which maps each web request to the set of resultant queries invoked by that request within an individual session. The mapping model can be used to detect abnormal behaviors. In this paper we propose a new caching paradigm called reference point caching, whereby information about a document is cached at a point where the document is referenced.
Our motivation is to reduce latency by avoiding unnecessary protocol steps. We propose two specific instances of this scheme: caching IP addresses and caching documents themselves.

1 INTRODUCTION

Web based attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back end database system. Intrusion detection plays one of the key roles in computer system security techniques. An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces alerts.

An IDS differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns of common computer attacks, and taking action to alert operators. A system that terminates connections is called an intrusion prevention system, and is another form of an application layer firewall.

There are two general approaches to intrusion detection: anomaly detection and misuse detection [9]. A signature based IDS [6] works similarly to antivirus software. It employs a signature database of well known attacks, and a successful match with current input raises an alert [4]. An anomaly based intrusion detection system is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous [2].
A statistical anomaly based IDS determines normal network activity, such as what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other, and alerts the administrator or user when anomalous traffic is detected.

Bifilter intrusion detection is achieved by employing virtualization. It assigns each user's web session to a dedicated container. A container is an isolated virtual computing environment. Each container has a unique container ID. This unique container ID can be used to accurately associate the web request with the subsequent DB queries. Thus, Bifilter can build a causal mapping profile by taking both the web server and DB traffic into account.

An alternative is lightweight virtualization, generally based on some sort of container concept. With containers, a group of processes still appears to have its own dedicated system, but it is really running in a specially isolated environment. All containers run on top of the same kernel. With containers, the ability to run different operating systems is lost, as is the strong separation between virtual systems.

To reduce web access latencies [12], a new paradigm is used: caching at the reference point of a document. If a document X is referred to from a document Y, information is cached at Y to reduce the latency of client accesses to X.

| S.No | Signature Based Detection | Misuse Detection | Anomaly Detection |
|------|---------------------------|------------------|-------------------|
| 1 | Catches the intrusion in terms of characteristics of known attack, i.e. knowledge based | Catches the intrusion based on signature pattern of known attack | Detects any action that significantly deviates from the normal behavior |
| 2 | Manual, i.e. integrates the human knowledge | Manual, i.e. integrates the human knowledge | Automatic, i.e. self learning |
| 3 | High accuracy in detecting known attack | High accuracy in detecting unknown attack | High accuracy in detecting unknown attack |
| 4 | Computationally less expensive | Computationally expensive | Computationally expensive |
| 5 | Not able to detect zero day attack | Able to detect zero day attack | Able to detect zero day attack |
| 6 | Low FPR | Low FPR | High false alarms |
| 7 | Does not require training | Does not require training | Requires initial training |
| 8 | White box approach | White box approach | Black box approach |
| 9 | Classified alerts | Classified alerts | Unclassified alerts |

Table 1. Comparison of Different Anomaly Detection Techniques

2 RELATED WORK

A network intrusion detection system can be classified into two types: signature detection and anomaly detection [3]. Anomaly detection first requires the IDS to define and characterize the correct and acceptable static form and dynamic behavior of the system. It is used to detect the abnormal behavior of the system. Thus [5] first defines the normal behavior of the system and creates a profile of the user. Early IDS systems used independent IDSs. F. Valeur, G. Vigna, C. Kruegel, and R.A. Kemmerer [4] consider intrusion alert correlation, which transforms intrusion detection sensor alerts into succinct intrusion reports in order to reduce the number of replicated alerts, false positives, and non-relevant positives.
Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna [7] proposed a novel approach which is based upon detailed characterization of the internal state of a web application, by means of a number of anomaly models. Web application internal state is defined as information that survives a single client and server interaction, or simply the information associated with a single user session. The minimum state information is passed as a cookie to a browser. Minimum context information such as a session ID must be passed between the browser and the server to identify the rest of the state information. The key point here is that it is easy to model a typical intrusion scenario by keeping track of all states in which that intrusion is normally executed.

Angelos Stavrou [8] stated that interactions among VEs are modeled as transactions. It is a requirement that the underlying virtualization technologies prohibit processes running in different VEs from sharing memory, sending signals or communicating with IPC facilities. Under this requirement, VEs interact with each other or with remote hosts using the same mechanisms as machines in a distributed computing system: through data sharing or socket connections. The approach models such VE interactions as database transactions.

Giovanni Vigna and William Robertson [10] describe WebSTAT, a STAT based intrusion detection system that supports the modeling and detection of sophisticated attacks. WebSTAT operates on multiple event streams, and it is able to correlate both network level and operating system level events with entries contained in server logs. D. Wagner [11] derives the specification of expected system calls by statically analyzing the source code.

Meixing Le, Angelos Stavrou, and Brent Byung Hoon Kang [1] proposed a new approach called DoubleGuard to detect intrusions in multitier web applications. This approach assumes that there is a causal mapping of web requests and resulting SQL queries in a given session.
The attack modeled above can be readily detected if the database IDS can determine that a privileged request from the web server is not associated with user privileged access. This approach does not require input validation or source code validation, and does not need to know the application logic. It identifies the causal relationship between web server requests and database requests. These approaches dynamically generate new containers and recycle the used ones. Table 1 summarizes the different anomaly detection techniques; their merits and demerits are determined and compared.

3 METHODOLOGY

The first step is to set up a threat model that includes the assumptions and the types of attacks that the system is trying to protect against. Figure 1 illustrates the classic three tier model. At the database side, it is not possible to tell which transaction corresponds to which client request. The communication between the web server and the database server is not separated, and the relationships among them can hardly be understood. According to Figure 1, if Client 2 is malicious and takes over the web server, all subsequent database transactions become suspect, as well as the response to the client. Bifilter is able to ferret out attacks that even an independent IDS would not be able to identify. This approach can create normality models of isolated user sessions that include both the web front end and back end network transactions. It uses a container based and session separated web server architecture that not only enhances the security performance but also provides isolated information flows that are separated in each container session. It allows us to identify the mapping between the web server requests and the subsequent DB queries, and to utilize such a mapping model to detect abnormal behaviors on a session/client level.

Figure 1. Three Tier Architecture

This architecture puts filters at both sides of the servers. At the web server, the filters are deployed on the host system and cannot be attacked directly, since only the virtualized containers are exposed to attackers. These filters will not be attacked at the database server either, as there is an assumption that the attacker cannot completely take control of the database. It will identify when there are such sessions, so it may have false positives in that detection. The number of false positives depends on the size and coverage of the training sessions. Finally, the Bifilter application reduced the false positives for both static and dynamic pages.

Suppose that a user's browser needs an image for a Web page (Server). The browser is caching, all its requests are funneled through a transparent proxy cache, and the website has a reverse proxy cache sitting in front of it:

- The browser checks to see if the image is cached locally. If it is and the image is not stale, the browser uses the image from its cache. Otherwise, the browser sends the request for the image to the website.
- Since there is a transparent proxy cache, the request will be intercepted by the proxy cache. The transparent proxy cache checks to see if it has the image. If it does and the image is not stale, the proxy cache sends the image to the browser, which, in addition to using it, caches it. Otherwise, the proxy cache sends the request for the image to the website, where it is intercepted by the reverse proxy cache.
- When the transparent proxy cache gets the image, it sends it to the browser and also caches it.
- The reverse proxy cache checks to see if it has the image. If it does and the object is not stale, the reverse proxy cache sends the image to the requesting transparent proxy cache. Otherwise, the reverse proxy cache gets the image from the website, sends it to the requesting proxy cache, and caches the image.

Figure 2. Bifilter Intrusion Detection System with Caching

Note that in each case, if the cache size is exceeded, the cache will have to throw out one or more cached objects so as to cache a new object. Typically the objects discarded are the ones that are used infrequently or ones that have not been used for a long time.
3.1 Applying Virtualization Concept

The OpenVZ network virtualization layer is designed to isolate Containers (CTs) from each other and from the physical network:

- Each Container has its own IP address; multiple IP addresses per CT are allowed.
- Network traffic of a CT is isolated from the other CTs. In other words, containers are protected from each other in a way that makes traffic snooping impossible.
- Firewalling may be used inside a CT: the user can create rules limiting access to some services using the canonical iptables tool inside a CT. In other words, it is possible to set up firewall rules from inside a CT.
- Routing table manipulations and advanced routing features are supported for individual containers.

3.2 Create Container Model

This approach makes use of lightweight process containers, referred to as containers, as ephemeral, disposable servers for client sessions. It is possible to initialize thousands of containers on a single physical machine, and these virtualized containers can be discarded, reverted, or quickly reinitialized to serve new sessions. A single physical web server runs many containers, each one an exact copy of the original web server. This approach dynamically generates new containers and recycles used ones. As a result, a single physical server can run continuously and serve all web requests. This container based and session separated web server architecture not only enhances the security performance but also provides isolated information flows that are separated in each container session. It allows us to identify the mapping between the web server requests and the subsequent DB queries, and to utilize such a mapping model to detect abnormal behaviors on a session/client level. It wants to model such causal mapping relationships of all legitimate

Figure 2 depicts how communications are categorized as sessions and how database transactions can be related to a corresponding session. In Figure 2, Client 2 will only compromise VE 2, and the corresponding database transaction set T2 will be the only affected section of data within the database. It is impossible for a database server to determine which SQL queries are the results of which web requests, much less to find out the relationship between them. However, within our container based web servers, it is a straightforward matter to identify the causal pairs of web requests and resulting SQL queries in a given session. Moreover, as traffic can easily be separated by session, it becomes possible for us to compare and analyze the requests and queries across different sessions.
Thus the mapping model can be used to detect abnormal behaviors. Both the web requests and the database queries within each session should be in accordance with the model. If there exists any request or query that violates the normality model within a session, then the session will be treated as a possible attack.

3.3 Mapping Relations

Bifilter classifies four possible mapping patterns. Since the request is at the origin of the data flow, each request is treated as the mapping source. In other words, the mappings in the model are always in the form of one request to a query set. A mapping relation explains how a request and its corresponding queries are matched: it is the causal relationship from rm to {qn, qp}, where qn and qp denote different database queries. The possible mapping patterns are as follows.

Deterministic Mapping
This is the most common and perfectly matched pattern. That is to say, web request rm appears in all traffic with the SQL query set Qn. The mapping pattern is then rm to Qn. In static websites, this type of mapping comprises the majority of cases, since the same results should be returned each time a user visits the same link.

Empty Query Set
In special cases, the SQL query set may be the empty set. This implies that the web request neither causes nor generates any database queries.

No Matched Request
In some cases, the web server may periodically submit queries to the database server in order to conduct some scheduled tasks, such as cron jobs for archiving or backup.

Nondeterministic Mapping
The same web request may result in different SQL query sets based on input parameters or the status of the webpage at the time the web request is received. In fact, these different SQL query sets do not appear randomly, and there exists a candidate pool of query sets (e.g., {qn, qp, ...}).

3.4 Web Based Attacks

The different types of web based attacks are as follows.
Path Traversal Attack
In a path traversal attack, an intruder manipulates a URL in such a way that the Web server executes or reveals the contents of a file anywhere on the server, including those lying outside the document root directory. Path traversal attacks take advantage of special character sequences in URL input parameters, cookies and HTTP request headers. The most basic path traversal attack uses the "../" character sequence to alter the document or resource location requested in a URL. Although most Web servers prevent this method from escaping the web document root, alternate encodings of the "../" sequence, such as Unicode encoding, can bypass basic security filters. This can be prevented by blocking requests that contain unsafe characters, and also by disabling the parent paths setting, which prevents the use of ".." in script and application calls.

Privilege Escalation Attack
Suppose that an attacker logs into the web server as a normal user as in Figure 3, upgrades his/her privileges, and triggers admin queries so as to obtain an administrator's data. This attack can never be detected by either the web server IDS or the database IDS, since both ru and Qa are legitimate requests and queries.

Figure 3. Privilege Escalation Attack
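The mapping patterns of Section 3.3 can be turned into a per-session check that flags the privilege escalation case above (a user-level request ru followed by admin queries Qa), along with the direct DB, hijacked session and injection cases described later in this section. The Python code below is an added example, not code from the paper or from DoubleGuard; the normalization of requests and queries, all class and function names, and the sample sessions are assumptions constructed for illustration.

```python
import re
from collections import defaultdict


def request_key(request):
    """'GET /item.php?id=42' -> 'GET /item.php?id' (parameter values dropped)."""
    method, _, url = request.partition(" ")
    path, _, query = url.partition("?")
    names = sorted(p.split("=", 1)[0] for p in query.split("&") if p)
    return f"{method} {path}" + ("?" + "&".join(names) if names else "")


def skeleton(sql):
    """Reduce a SQL statement to its structure by replacing literals with '?'."""
    sql = re.sub(r"'(?:[^'\\]|\\.)*'", "?", sql)   # quoted string literals
    sql = re.sub(r"\b\d+\b", "?", sql)             # numeric literals
    return re.sub(r"\s+", " ", sql).strip().upper()


class MappingModel:
    """Maps each web request r_m to the pool of query sets seen with it."""

    def __init__(self):
        self.pool = defaultdict(set)  # request key -> {frozenset of skeletons}
        self.unmatched = set()        # skeletons seen with no web request

    def train(self, sessions):
        # Each session is the traffic of one container: (request, queries)
        # pairs, with request None for queries that had no web request.
        for events in sessions:
            for request, queries in events:
                qset = frozenset(skeleton(q) for q in queries)
                if request is None:
                    self.unmatched |= qset
                else:
                    self.pool[request_key(request)].add(qset)

    def pattern(self, request):
        """Name the Section 3.3 mapping pattern learned for a request."""
        sets = self.pool.get(request_key(request))
        if not sets:
            return "unknown"
        if sets == {frozenset()}:
            return "empty query set"
        return "deterministic" if len(sets) == 1 else "nondeterministic"

    def check(self, events):
        """Return the alerts raised by one session; [] means it fits the model."""
        alerts = []
        for request, queries in events:
            qset = frozenset(skeleton(q) for q in queries)
            if request is None:
                extra = qset - self.unmatched
                if extra:
                    alerts.append(("query without matching request", sorted(extra)))
            elif request_key(request) not in self.pool:
                alerts.append(("request not in model", request_key(request)))
            elif qset not in self.pool[request_key(request)]:
                alerts.append(("query set not mapped to request", request_key(request)))
        return alerts


# Constructed training traffic, one list per container session.
ITEM = "SELECT name, price FROM items WHERE id = {}"
TRAINING = [
    [("GET /index.html", []),
     ("GET /item.php?id=3", [ITEM.format(3)]),
     ("GET /cart.php", ["SELECT item_id FROM cart WHERE user_id = 17"])],
    [("GET /item.php?id=7", [ITEM.format(7)]),
     ("GET /cart.php", ["SELECT item_id FROM cart WHERE user_id = 21",
                        "UPDATE cart SET seen = 1 WHERE user_id = 21"])],
    [("GET /admin/users.php", ["SELECT * FROM users"])],            # admin session
    [(None, ["DELETE FROM sessions WHERE expires < 1700000000"])],  # cron job
]

# Constructed sessions to classify.
NORMAL = [("GET /item.php?id=42", [ITEM.format(42)]), ("GET /index.html", [])]
ESCALATION = [("GET /item.php?id=3", ["SELECT * FROM users"])]  # r_u with Q_a
DIRECT_DB = [(None, ["SELECT * FROM users"])]                   # no web request
HIJACKED = [("GET /item.php?id=3", [])]                         # queries dropped
INJECTION = [("GET /item.php?id=3%20OR%201%3D1", [ITEM.format("3 OR 1=1")])]

if __name__ == "__main__":
    model = MappingModel()
    model.train(TRAINING)
    for name in ("NORMAL", "ESCALATION", "DIRECT_DB", "HIJACKED", "INJECTION"):
        print(name, model.check(globals()[name]))
```

The escalation session is flagged even though both its request and its query occur in the training traffic, because the pair was never observed together inside one session.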

Hijack Future Session Attack
In Figure 4, the attacker takes over the web server and hijacks other user sessions by sending spoofed replies. In DoubleGuard it is detected by causal mapping: a request without a query is not accepted. Fortunately, the isolation property of our container based web server architecture can also prevent this type of attack.

Figure 4. Hijacked Future Session Attack

Direct DB Attack
It is possible for an attacker to bypass the web server or firewalls and connect directly to the database. An attacker could also have already taken over the web server and be submitting such queries from the web server without sending web requests. Without matched web requests for such queries, a web server IDS could detect neither. Furthermore, if these DB queries were within the set of allowed queries, then the database IDS would not detect it either. However, this type of attack can be caught with our approach, since we cannot match any web requests with these queries, as in Figure 5.

Figure 5. Direct DB Attack

Injection Attack
Attackers can use existing vulnerabilities in the web server logic to inject data or string content that contains the exploits, and then use the web server to relay these exploits to attack the back end database. Since our approach provides two tier detection, even if the exploits are accepted by the web server, the contents relayed to the DB server would not be able to take on the expected structure for the given web server request. For instance, since the SQL injection attack changes the structure of the SQL queries, even if the injected data were to go through the web server side, it would generate SQL queries in a different structure that could be detected as a deviation from the SQL query structure that would normally follow such a web request. The injection attack is shown in Figure 6, and Figure 7 gives an example of the injection attack.

Figure 6. Injection Attack

Figure 7. Injection Attack Example

Cross site Scripting (XSS)
This enables attackers to inject client side script into Web pages viewed by other users. The primary defense mechanism to stop XSS is contextual output encoding/escaping. There are several different escaping schemes that must be used depending on where the untrusted string needs to be placed within an HTML document, including HTML entity encoding, JavaScript escaping, CSS escaping, and URL (or percent) encoding. Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a fairly straightforward manner.

All network traffic, from both legitimate users and adversaries, is received intermixed at the same web server. We first tried to categorize all of the potential single (atomic) operations on the web pages. All of the operations that appear within one session are permutations of these operations. If we could build a mapping model for each of these basic operations, then we could compare web requests to determine the basic operations of the session and obtain the most likely set of queries mapped from these operations. If these single operation models could not cover all of the requests and queries in a session, then this would indicate a possible intrusion.

Figure 8. The Detection of Privilege Escalation Attack

Figure 9. Hijack Future Session Attack

Figure 10. The Denial of Service Attack

Figure 8 indicates how the attacker increases his privileges in an unauthorized way and how the privilege escalation attack is detected. The Hijack Future Session attack is depicted in Figure 9: all the future sessions will be hijacked by the attacker. Figure 10 shows how the service is denied for a requesting client.

4 REDUCING LATENCY USING REFERENCE POINT CACHING

Consider client C browsing through a page at R (called the reference point) which has a link to a page on server S. If C decides to browse the page at S, the standard mechanism for C is to first initiate a DNS query for the hostname S. If the DNS mapping is not available in the client DNS cache, the query is sent to the local DNS server in the client domain; if S is not cached in the local name server, the DNS query may be sent to the root server and then to the authoritative server for S in S's domain. Our measurements indicate that DNS query times can be very large, up to several seconds.

In this new mechanism, the reference point is allowed to have a cached copy of the page at S. If R has cached the page, it indicates this by annotating its link to S with a flag that indicates that the page is locally cached. This flag is used by the client browser but is not displayed to the user. If the client browser decides to retrieve the cached page at R, the browser can do so using the same connection it already has to R. This not only avoids a connection setup delay but also makes it more likely that the congestion window of the TCP connection is high enough to sustain higher throughput.

4.1 Caching IP Address

When a client contacts a server for the first time, it has to look up the IP address of the server, since URLs provide only server names.
This lookup can take hundreds of milliseconds if the address is not already cached locally. In reference point caching of IP addresses, a server, such as a search engine, includes the IP addresses of all the hosts in the page it supplies. The server can preprocess static pages to include the IP addresses in the page, and while generating dynamic pages, it can include the IP addresses by looking up its local DNS. To avoid latency in generating these pages, the server should not include an address for a link if the address is not currently in its local DNS cache. To reduce the DNS traffic originating from search engines and to reduce latency, we recommend that the search engine run a modified name server which prefetches IP addresses of frequently queried host names before they expire.

4.2 Caching Documents

In reference point caching of documents, if a document X at server R refers to a document Y at server S, Y can be cached at R, thus allowing a client that accesses document X from R to retrieve document Y from the server R itself without making an additional connection to S.

5 CONCLUSION

In this way we surveyed a few techniques which are meant for intrusion detection against multitier web applications. Some of the techniques use a single IDS to detect malicious requests and protect the web server from them, while some approaches use a combined approach to detect intrusions at both web and database level. Apart from all the approaches discussed above, the last approach has some additional detection capability to detect attacks where normal traffic is used as a means to launch a database attack. Because of its container based and session separated approach, Bifilter uses multiple input streams to produce alerts. Such correlation of different data streams provides a better characterization of the system for anomaly detection because the intrusion sensor has a more

Reference point caching's motivation is to reduce latency by avoiding unnecessary protocol steps.

REFERENCES

[1] Angelos Stavrou, Meixing Le, Brent Byungghoon Kang, George Mason University, "DoubleGuard: Detecting Intrusions in Multi-Tier Web Applications," July/August.
[2] A. Seleznyov and S. Puuronen, "Anomaly Intrusion Detection Systems: Handling Temporal Relations between Events," Proc. Int'l Symp. Recent Advances in Intrusion Detection (RAID 99).
[3] C. Kruegel and G. Vigna, "Anomaly Detection of Web Based Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS 03), Oct.
[4] F. Valeur, G. Vigna, C. Kruegel, and R.A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation," IEEE Trans. Dependable and Secure Computing, vol. 1, no. 3, July-Sept.
[5] G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and E. Kirda, "Reducing Errors in the Anomaly Based Detection of Web Based Attacks through the Combined Analysis of Web Requests and SQL Queries," J. Computer Security, vol. 17, no. 3.
[6] H. Debar, M. Dacier, and A. Wespi, "Towards a Taxonomy of Intrusion Detection Systems," Computer Networks, vol. 31, no. 9.
[7] M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, "Swaddler: An Approach for the Anomaly based Detection of State Violations in Web Applications," in RAID.
[8] Y. Huang, A. Stavrou, A. K. Ghosh, and S. Jajodia, "Efficiently tracking application interactions using lightweight virtualization," in Proceedings of the 1st ACM Workshop on Virtual Machine Security.
[9] T. Verwoerd and R. Hunt, "Intrusion detection techniques and approaches," Computer Communications, 25(15).
[10] G. Vigna, W. K. Robertson, V. Kher, and R. A. Kemmerer, "A stateful intrusion detection system for world wide web servers," in ACSAC 2003, IEEE Computer Society.
[11] D. Wagner and D. Dean, "Intrusion detection via static analysis," in Symposium on Security and Privacy (SSP 01), May.
[12] Girish P. Chandranmenon and George Varghese, "Reducing Web Latency Using Reference Point Caching," Bell Laboratories; University of California, San Diego.

AUTHOR'S PROFILE

I. JASMINE SELVAKUMARI JEYA is a Research Scholar and Assistant Professor in the Department of Computer Science and Engineering at Hindusthan College of Engineering and Technology, Coimbatore. Her research work focuses on security issues in various databases using optimization techniques.

HARSHA THOMAS is a PG student doing M.E in the Department of Computer Science and Engineering at Hindusthan College of Engineering and Technology, Coimbatore. Her area of interest and project focuses on security issues in relational databases.

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application





