Double guard
Transcript

  • 1. Double Guard (title slide)
  • 2. ABSTRACT
    DIVYA K, 1RN09IS016, RNSIT
    • Internet services and applications
    • Increase in application and data complexity
    • Multi-tier web application design (1-tier, 2-tier and 3-tier)
    • Intrusions: any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
    • IDS (Intrusion Detection System): a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station
    • Limitation: detecting newly published attacks or variants of existing attacks
    • An Intrusion Detection System which manages both the front end and the back end of the multi-tier design and exposes a wide range of attacks with 100% accuracy
  • 3. AGENDA
    • Introduction
    • Intrusion Detection System
    • Double Guard Architecture
    • Attack Scenarios
    • Limitations
    • Conclusion
    • References
    • Acknowledgements
  • 4. INTRODUCTION
    • Daily tasks, such as banking, travel, and social networking, are all done via the web. Because they are so widely used for personal and/or corporate data, web services have always been the target of attacks.
    • These attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system.
    • To protect multi-tiered web services, intrusion detection systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures.
    • Functions of an intrusion detection system are to:
      • Monitor and analyze the user and system activities.
      • Analyze system configurations and vulnerabilities.
      • Assess system and file.
  • 5. INTRUSION DETECTION SYSTEM
    Why should I use an IDS, especially when I already have firewalls, anti-virus tools, and other security protections on my system?
    • Each security protection addresses a particular security threat to your system.
    • Furthermore, each security protection has weak and strong points.
    • Only by combining them (this combination is sometimes called security in depth) can we protect against a realistic range of security attacks.
    • Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.
    • IDSs serve as monitoring mechanisms, watching activities and deciding whether the observed events are suspicious.
    • They can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage.
  • 6. CATEGORIES OF IDS
    Misuse detection vs anomaly detection:
    • In misuse detection, the IDS identifies illegal invasions by comparing them against a large database of attack signatures.
    • In anomaly detection, the IDS monitors the network segments and compares their state to the normal baseline to detect anomalies.
    Network-based vs host-based systems:
    • A network-based intrusion detection system (NIDS) identifies intrusions by examining network traffic and monitoring multiple hosts.
    • A host-based intrusion detection system examines the activity of each individual computer or host.
  • 7. LIMITATIONS OF IDS
    • Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them.
    • However, these IDS cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server.
    • DoubleGuard is a system used to detect attacks in multi-tiered web services. This approach creates normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (file or SQL) network transactions.
  • 8. DOUBLE GUARD
    • Composes both a web IDS and a database IDS to achieve more accurate detection.
    • It also uses a reverse HTTP proxy to maintain a reduced level of service in the presence of false positives.
    • Instead of connecting to a database server, web applications first connect to a database firewall. SQL queries are analyzed; if they are deemed safe, they are then forwarded to the back-end database server.
    • GreenSQL software works as a reverse proxy for DB connections.
    • Virtualization is used to isolate objects and enhance security performance.
    • CLAMP is an architecture for preventing data leaks even in the presence of attacks.
  • 9. SYSTEM ARCHITECTURE (architecture diagram; figure not reproduced in the transcript)
  • 10. ATTACK SCENARIOS
    • Privilege Escalation Attack (figure)
    • Hijack Future Session Attack (figure)
  • 11. ATTACK SCENARIOS (CONTINUED)
    • Injection Attack (figure)
    • Direct DB Attack (figure)
  • 12. LIMITATIONS OF DOUBLE GUARD
    • Vulnerabilities due to improper input processing
    • Possibility of evading Double Guard
    • Distributed DoS
  • 13. MAPPING RELATIONS
    • Deterministic mapping
    • Empty query set
    • No matched request
    • Non-deterministic mapping
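As an added example (not part of the deck or of the DoubleGuard project), the toy Python model below shows how the per-session mapping relations listed on this slide and the attack scenarios on slides 10 and 11 turn into detection logic: the request and query patterns, the training traces and the attack sessions are all constructed here, and the "missing-query" reading of the hijack-future-session case is this example's own assumption.

```python
import re
from collections import defaultdict

def normalize_sql(query):
    """Replace string and numeric literals with ? so queries differ only in structure."""
    query = re.sub(r"'[^']*'", "?", query)
    return re.sub(r"\b\d+\b", "?", query).strip().lower()

def normalize_req(request):
    """Drop query-string values: 'GET /post.php?id=7' -> 'GET /post.php?id'."""
    return re.sub(r"=[^&]*", "", request)

def train(sessions):
    """Learn request pattern -> set of query patterns from clean per-session traces."""
    model = defaultdict(set)
    for request, queries in sessions:
        model[normalize_req(request)].update(normalize_sql(q) for q in queries)
    return dict(model)

def detect(model, session):
    """Check one session (request or None, list of SQL queries) against the model."""
    request, queries = session
    if request is None:
        # Direct DB attack: queries appear with no web request in the session.
        return ["direct-db"] if queries else []
    allowed = model.get(normalize_req(request))
    if allowed is None:
        return ["unknown-request"]
    if allowed and not queries:
        # Toy reading of hijack-future-session: the request's learned queries never reach the DB.
        return ["missing-query"]
    # Deterministic or non-deterministic mapping: each query must be one the request was
    # seen to trigger; an empty learned set (static page) makes any query an anomaly.
    return ["unmapped-query:" + normalize_sql(q) for q in queries
            if normalize_sql(q) not in allowed]

# Constructed training traces: one (request, queries) pair per clean, isolated session.
TRAINING = [
    ("GET /index.php", []),  # empty query set
    ("GET /post.php?id=7", ["SELECT title, body FROM posts WHERE id=7"]),
    ("GET /post.php?id=12", ["SELECT title, body FROM posts WHERE id=12"]),
    ("POST /login.php", ["SELECT id, role FROM users WHERE name='alice' AND pw='s3'"]),
]
MODEL = train(TRAINING)
if __name__ == "__main__":
    # Constructed sessions modelled on the deck's privilege-escalation and direct-DB scenarios.
    print(detect(MODEL, ("GET /post.php?id=7", ["SELECT title, body FROM posts WHERE id=7",
                                                 "UPDATE users SET role='admin' WHERE name='bob'"])))
    print(detect(MODEL, (None, ["SELECT name, pw FROM users"])))
```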
  • 14. CONCLUSION
    • We presented an Intrusion Detection System that builds models for multi-tiered web applications from both the front end (HTTP) and the back end (SQL).
    • Introduction of sensors in the normality model, which alert when there is an attack.
    • Precise anomaly detection using lightweight virtualization.
    • Double Guard was able to identify a wide range of attacks with minimal false positives.
    • Perfect accuracy, with 0.6% false positives.
  • 15. REFERENCES
    • www.sans.org/top-cyber-security-risks/
    • www.xenoclast.org/
    • www.cve.mitre.org/
    • www.greensql.net/
    • www.wordpress.org/
    • www.wikipedia.org/
    • C. Anley, Advanced SQL Injection in SQL Server Applications, 2002.
    • K. Bai, H. Wang and P. Liu, Towards Database Firewalls, 2005.
    • M. Christodorescu and S. Jha, Static Analysis of Executables to Detect Malicious Patterns.
    • M. Cova, D. Balzarotti and G. Vigna, Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications, 2007.