2. ABSTRACT
Internet services and applications
Increase in application and data complexity
Multi-tier web application design (1-tier, 2-tier and 3-tier)
Intrusions - any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
DIVYA K, 1RN09IS016, RNSIT
IDS - Intrusion Detection System:
a device or software application that monitors network and/or system activities for
malicious activities or policy violations and produces reports to a Management Station
Limitation - detecting newly published attacks or variants of existing attacks remains difficult.
An Intrusion Detection System which manages both the front end and back end of the multi-tier
design and exposes a wide range of attacks with 100% accuracy.
4. Daily tasks, such as banking, travel, and social networking, are all done via the web.
Due to their ubiquitous use for personal and/or corporate data, web services have always
been the target of attacks.
These attacks have recently become more diverse, as attention has shifted from
attacking the front-end to exploiting vulnerabilities of the web applications in order to
corrupt the back-end database system.
To protect multi-tiered web services, Intrusion detection systems (IDS) have been widely
used to detect known attacks by matching misused traffic patterns or signatures.
Functions of an intrusion detection system are to:
Monitor and analyze the user and system activities.
Analyze system configurations and vulnerabilities.
Assess system and file integrity.
5. INTRUSION DETECTION SYSTEM
Why should I use an IDS, especially when I already have firewalls, anti-virus tools,
and other security protections on my system?
Each security protection serves to address a particular security threat to your
system.
Furthermore, each security protection has weak and strong points.
Only by combining them (this combination is sometimes called security in depth) can we
protect against a realistic range of security attacks.
Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic
and allowing others, based on a firewall policy.
IDSs serve as monitoring mechanisms, watching activities, and making decisions
about whether the observed events are suspicious.
They can spot attackers circumventing firewalls and report them to system
administrators, who can take steps to prevent damage.
6. CATEGORIES OF IDS
Misuse Detection vs Anomaly Detection:
In misuse detection, the IDS identifies illegal invasions by comparing observed activity to a large
database of attack signatures.
In anomaly detection, the IDS monitors the network segments and compares their
state to a normal baseline to detect anomalies.
Network-based vs Host-based Systems:
A network-based intrusion detection system (NIDS) identifies intrusions by
examining network traffic and monitoring multiple hosts.
A host-based intrusion detection system examines the activity of each individual
computer or host.
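The two categories above, as an added example that is not part of the original slides: a misuse detector that matches a small, constructed signature list against web-server access-log lines, and an anomaly detector that learns a per-client request-rate baseline from a constructed training period and flags clients that exceed it. The log lines, signatures, baseline counts and the k = 3 threshold are all assumptions made for this illustration.

```python
"""Misuse (signature) detection vs anomaly (baseline) detection over
constructed web-server access-log lines. Added example; the signatures,
log lines and baseline numbers are constructed for illustration."""
import re
import statistics
from collections import Counter

# Constructed access-log lines for one observation window:
# client IP, request line, response status.
LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 "GET /about.html HTTP/1.1" 200',
    '10.0.0.7 "GET /search?q=shoes HTTP/1.1" 200',
    '10.0.0.7 "GET /search?q=x+UNION+SELECT+1 HTTP/1.1" 200',
    '10.0.0.7 "GET /cart HTTP/1.1" 200',
    '10.0.0.9 "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 "GET /a HTTP/1.1" 404',
    '10.0.0.9 "GET /b HTTP/1.1" 404',
    '10.0.0.9 "GET /c HTTP/1.1" 404',
    '10.0.0.9 "GET /d HTTP/1.1" 404',
    '10.0.0.9 "GET /e HTTP/1.1" 404',
    '10.0.0.9 "GET /f HTTP/1.1" 404',
    '10.0.0.9 "GET /g HTTP/1.1" 404',
]

# Misuse detection: a (constructed, minimal) database of attack signatures.
# A real signature set is much larger and is maintained by the IDS vendor.
SIGNATURES = {
    "sql union probe": re.compile(r"(?i)union(\s|\+|%20)+select"),
    "path traversal": re.compile(r"\.\./"),
}

def misuse_detect(lines):
    """Return (line, signature_name) pairs for lines matching a signature.
    Only attacks that already have a signature can be found this way."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line, name))
    return hits

# Anomaly detection: the baseline is requests-per-client-per-window seen
# during a training period (constructed values).
BASELINE_COUNTS = [3, 4, 2, 3, 5, 3]

def anomaly_threshold(baseline, k=3.0):
    """Mean plus k standard deviations of the training-period counts."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)

def anomaly_detect(lines, baseline=BASELINE_COUNTS, k=3.0):
    """Return clients whose request count in this window exceeds the
    baseline threshold, regardless of whether any signature matched."""
    counts = Counter(line.split(" ", 1)[0] for line in lines)
    threshold = anomaly_threshold(baseline, k)
    return sorted(client for client, n in counts.items() if n > threshold)

if __name__ == "__main__":
    for line, name in misuse_detect(LOG_LINES):
        print(f"signature [{name}]: {line}")
    print("rate anomalies:", anomaly_detect(LOG_LINES))
```

The contrast the slide draws shows up in the output: the signature detector only reports the two lines whose content matches a known pattern, while the rate-based detector reports client 10.0.0.9 for its burst of requests even though seven of its eight lines match no signature at all. The price of that generality is the baseline itself: a threshold tuned on too little training data will either miss slow activity or flag legitimate bursts.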
7. LIMITATIONS OF IDS
Individually, the web IDS and the database IDS can detect abnormal network traffic sent
to either of them.
However, it is found that these IDS cannot detect cases wherein normal traffic is used to
attack the web server and the database server.
For example, if an attacker with non-admin privileges can log in to a web server using
normal-user access credentials, he/she can find a way to issue a privileged database
query by exploiting vulnerabilities in the web server.
DoubleGuard is a system used to detect attacks in multi-tiered web services.
This approach can create normality models of isolated user sessions that include both
the web front-end (HTTP) and back-end (File or SQL) network transactions.
8. DOUBLE GUARD
Composes both web IDS and database IDS to achieve more accurate detection.
It also uses a reverse HTTP proxy to maintain a reduced level of service in the presence
of false positives.
Instead of connecting to a database server, web applications will first connect to a
database firewall. SQL queries are analyzed; if they’re deemed safe, they are then
forwarded to the back-end database server.
GreenSQL software works as a reverse proxy for DB connections.
Virtualization is used to isolate objects and enhance security performance.
CLAMP is an architecture for preventing data leaks even in the presence of attacks.
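The two ideas from the last two slides, the normality model over isolated sessions (front-end HTTP request paired with the back-end SQL queries it causes) and the database-firewall decision of forwarding only queries deemed safe, as one added example that is not DoubleGuard's or GreenSQL's own code. It learns, from constructed training sessions, which SQL query patterns each HTTP request pattern is allowed to produce, then flags the slide's case of a normal-looking user request whose session issues a privileged query. The session data, the pattern-abstraction rules and the function names are assumptions made for this illustration; a deterministic one-request-to-its-queries pairing is assumed, which is what per-session isolation is meant to provide.

```python
"""Toy normality model in the style of the multi-tier IDS described on
the slides. Added example; all sessions are constructed and the
abstraction rules are simplifications chosen for illustration."""
import re
from collections import defaultdict

def http_pattern(request_line):
    """Abstract an HTTP request line ("GET /profile?id=42") to a pattern:
    query-string values become V and remaining numbers become N."""
    method, path = request_line.split(" ", 1)
    path = re.sub(r"=[^&]*", "=V", path)
    path = re.sub(r"\d+", "N", path)
    return f"{method} {path}"

def sql_pattern(query):
    """Abstract a SQL query to a pattern: string literals become 'V',
    numbers become N and whitespace is collapsed."""
    q = re.sub(r"'[^']*'", "'V'", query)
    q = re.sub(r"\b\d+\b", "N", q)
    return " ".join(q.split())

def build_model(training_sessions):
    """Learn HTTP pattern -> set of SQL patterns from isolated training
    sessions, each being one request and the queries it caused."""
    model = defaultdict(set)
    for request, queries in training_sessions:
        model[http_pattern(request)].update(sql_pattern(q) for q in queries)
    return dict(model)

def check_session(model, request, queries):
    """Return the session's queries that the model does not expect for its
    HTTP request; an empty list means the session looks normal. An HTTP
    pattern never seen in training expects no queries, so all are flagged."""
    expected = model.get(http_pattern(request), set())
    return [q for q in queries if sql_pattern(q) not in expected]

def db_firewall(model, request, queries):
    """Database-firewall view of the same decision: queries the model
    expects are forwarded to the back end, the rest are blocked."""
    blocked = check_session(model, request, queries)
    forwarded = [q for q in queries if q not in blocked]
    return forwarded, blocked

# Constructed training sessions: (HTTP request, SQL queries it produced).
TRAINING_SESSIONS = [
    ("GET /profile?id=42", ["SELECT name, email FROM users WHERE id = 42"]),
    ("GET /profile?id=7", ["SELECT name, email FROM users WHERE id = 7"]),
    ("POST /login", ["SELECT id, role FROM users WHERE user = 'alice' AND pass = 'h1'"]),
    ("GET /posts?page=2", ["SELECT * FROM posts LIMIT 10 OFFSET 20"]),
]
MODEL = build_model(TRAINING_SESSIONS)

# Constructed test sessions: a normal profile view, and the slide's case of
# a normal-looking request whose session issues a privileged query.
NORMAL_SESSION = ("GET /profile?id=123",
                  ["SELECT name, email FROM users WHERE id = 123"])
SUSPICIOUS_SESSION = ("GET /profile?id=9",
                      ["SELECT name, email FROM users WHERE id = 9",
                       "UPDATE users SET role = 'admin' WHERE id = 9"])

if __name__ == "__main__":
    for name, (request, queries) in [("normal", NORMAL_SESSION),
                                     ("suspicious", SUSPICIOUS_SESSION)]:
        forwarded, blocked = db_firewall(MODEL, request, queries)
        print(f"{name}: forwarded={forwarded} blocked={blocked}")
```

Neither the HTTP request nor the SELECT in the suspicious session is abnormal on its own, which is exactly why a web IDS and a database IDS working separately would pass both; only the pairing shows that a profile view never produced an UPDATE during training. The toy leaves out what makes the real problem hard: requests whose query set varies between runs, background queries with no triggering request, and the need to isolate sessions so that queries can be attributed to the right request at all, which is where the slides' lightweight virtualization comes in.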
14. CONCLUSION
We presented an Intrusion Detection System that builds models for multi-tiered web
applications from both the front end (HTTP) and the back end (SQL).
Introduction of sensors in the normality model, which alert when there is an attack.
Precise anomaly detection using lightweight virtualization.
DoubleGuard was able to identify a wide range of attacks with minimal false positives.
Perfect accuracy, with 0.6% false positives.
15. REFERENCES
www.sans.org/top-cyber-security-risks/
www.xenoclast.org/
www.cve.mitre.org/
www.greensql.net/
www.wordpress.org/
www.wikipedia.org/
C. Anley, Advanced SQL Injection in SQL Server Applications, 2002.
K. Bai, H. Wang and P. Liu, Towards Database Firewalls, 2005.
M. Christodorescu and S. Jha, Static Analysis of Executables to Detect Malicious Patterns.
M. Cova, D. Balzarotti and G. Vigna, Swaddler: An Approach for Anomaly Detection of State
Violations in Web Applications, 2007.