Double guard
Published in Education
  • 2. ABSTRACT
    DIVYA K, 1RN09IS016, RNSIT
     Internet services and applications
     Increase in application and data complexity
     Multi-tier web application design (1-tier, 2-tier and 3-tier)
     Intrusions - any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource
     IDS - Intrusion Detection System: a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a management station
     Limitation - detecting newly published attacks or variants of existing attacks
     An Intrusion Detection System which manages both the front and back end of the multi-tier design and exposes a wide range of attacks with 100% accuracy
  • 3. AGENDA
     Introduction
     Intrusion Detection System
     Double Guard Architecture
     Attack Scenarios
     Limitations
     Conclusion
     References
     Acknowledgements
  • 4.
     Daily tasks, such as banking, travel, and social networking, are all done via the web. Due to their ubiquitous use for personal and/or corporate data, web services have always been the target of attacks. These attacks have recently become more diverse, as attention has shifted from attacking the front-end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system.
     To protect multi-tiered web services, intrusion detection systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures.
     Functions of an intrusion detection system are to:
       Monitor and analyze the user and system activities.
       Analyze system configurations and vulnerabilities.
       Assess system and file.
  • 5. INTRUSION DETECTION SYSTEM
    Why should I use an IDS, especially when I already have firewalls, anti-virus tools, and other security protections on my system?
     Each security protection serves to address a particular security threat to your system.
     Furthermore, each security protection has weak and strong points.
     Only by combining them (this combination is sometimes called security in depth) can we protect against a realistic range of security attacks.
     Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.
     IDSs serve as monitoring mechanisms, watching activities and making decisions about whether the observed events are suspicious.
     They can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage.
  • 6. CATEGORIES OF IDS
    Misuse Detection vs Anomaly Detection:
     In misuse detection, the IDS identifies illegal invasions by comparing observed activity to a large database of attack signatures.
     In anomaly detection, the IDS monitors the network segments and compares their state to the normal baseline to detect anomalies.
    Network-based vs Host-based Systems:
     A network-based intrusion detection system (NIDS) identifies intrusions by examining network traffic and monitoring multiple hosts.
     A host-based intrusion detection system examines the activity of each individual computer or host.
  • 7. LIMITATIONS OF IDS
     Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them.
     However, it is found that these IDS cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server.
     DoubleGuard is a system used to detect attacks in multi-tiered web services. This approach can create normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (File or SQL) network transactions.
  • 8. DOUBLE GUARD
     Composes both web IDS and database IDS to achieve more accurate detection.
     It also uses a reverse HTTP proxy to maintain a reduced level of service in the presence of false positives.
     Instead of connecting to a database server, web applications will first connect to a database firewall. SQL queries are analyzed; if they are deemed safe, they are then forwarded to the back-end database server.
     GreenSQL software works as a reverse proxy for DB connections.
     Virtualization is used to isolate objects and enhance security performance.
     CLAMP is an architecture for preventing data leaks even in the presence of attacks.
  • 10. ATTACK SCENARIOS
     Privilege Escalation Attack:
     Hijack Future Session Attack:
  • 11. ATTACK SCENARIOS (CONTINUED…)
     Injection Attack:
     Direct DB attack:
  • 12. LIMITATIONS OF DOUBLE GUARD
     Vulnerabilities due to improper input processing
     Possibility of evading Double Guard
     Distributed DoS:
  • 13. MAPPING RELATIONS
     Deterministic mapping
     Empty query set
     No matched request
     Non-deterministic mapping
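As an added illustration (not code from these slides or from the DoubleGuard authors), the Python sketch below builds a DoubleGuard-style normality model from constructed clean sessions (slide 7), labels each request with one of the mapping relations listed on slide 13, and then flags sessions whose SQL queries the model cannot explain, as in the attack scenarios on slides 10 and 11. Request and query normalisation and all sample sessions are assumptions.

```python
from collections import defaultdict

# Constructed training data: attack-free sessions as (HTTP request set, SQL query-template set).
TRAINING_SESSIONS = [
    ({"GET /index"}, set()),                                     # empty query set
    ({"GET /profile"}, {"SELECT * FROM users WHERE id=?"}),      # deterministic
    ({"GET /profile", "GET /index"}, {"SELECT * FROM users WHERE id=?"}),
    ({"GET /admin/users"}, {"SELECT * FROM users"}),             # admin-only query
    ({"GET /search"}, {"SELECT * FROM items WHERE cat=?"}),      # non-deterministic:
    ({"GET /search"}, {"SELECT * FROM items"}),                  # two query sets seen
]

def build_model(sessions):
    """Learn the request -> query-set mapping from clean sessions."""
    requests = set().union(*(reqs for reqs, _ in sessions))
    # Deterministic part: queries present in every session containing the request.
    det = {r: set.intersection(*(set(q) for reqs, q in sessions if r in reqs))
           for r in requests}
    # Unexplained queries in a session become non-deterministic mappings of its requests.
    nondet = defaultdict(set)
    for reqs, queries in sessions:
        explained = set().union(*(det[r] for r in reqs))
        for r in reqs:
            nondet[r] |= queries - explained
    return det, nondet

def classify(request, model):
    det, nondet = model
    if det[request]: return "deterministic"
    if nondet[request]: return "non-deterministic"
    return "empty query set"

def detect(session, model):
    """Return alerts for one observed session; an empty list means normal."""
    reqs, queries = session
    det, nondet = model
    alerts, expected, allowed = [], set(), set()
    for r in reqs:
        if r not in det:
            alerts.append(f"unknown request: {r}")
            continue
        expected |= det[r]
        allowed |= det[r] | nondet[r]
    for q in sorted(expected - queries):   # hijacked or truncated session
        alerts.append(f"missing expected query: {q}")
    for q in sorted(queries - allowed):    # privilege escalation, injection or direct DB access
        alerts.append(f"no matched request for query: {q}")
    return alerts

MODEL = build_model(TRAINING_SESSIONS)
```

A session of a normal user whose request set maps only to per-user queries but which also carries the admin-only query is reported as "no matched request", which is the privilege escalation case from slide 7; a query seen with no web request at all is the direct DB attack.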
  • 14. CONCLUSION
     We presented an Intrusion Detection System that builds models for multi-tiered web applications from both the front-end (HTTP) and the back-end (SQL).
     Introduction of sensors in the normality model, which alert when there is an attack.
     Precise anomaly detection using lightweight virtualization.
     Double Guard was able to identify a wide range of attacks with minimal false positives.
     Perfect accuracy, with 0.6% false positives.