Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Double guard


Published on

Published in: Education

Double guard

  1. 1. 1
  2. 2. ABSTRACT Internet services and applications Increase in application and data complexity Multi-tier web application design (1-tier, 2-tier and 3-tier) Intrusions - any set of actions that attempt to compromise the integrity, confidentiality, or DIVYA K, 1RN09IS016, RNSIT availability of a resource IDS - Intrusion Detection System: a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station Limitation - Detecting newly published attacks or variants of existing attacks. An Intrusion Detection System which manages both front and back end of the multi-tier design & exposes a wide range of attacks with 100% accuracy. 2
  3. 3. AGENDA Introduction Intrusion Detection System DIVYA K, 1RN09IS016, RNSIT Double Guard Architecture Attack Scenarios Limitations Conclusion References 3 Acknowledgements
  4. 4.  Daily tasks, such as banking, travel, and social networking, are all done via the web. Due to their ubiquitous use for personal and/or corporate data, web services have always DIVYA K, 1RN09IS016, RNSIT been the target of attacks. These attacks have recently become more diverse, as attention has shifted from attacking the front-end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system To protect multi-tiered web services, Intrusion detection systems (IDS) have been widely used to detect known attacks by matching misused traffic patterns or signatures. Functions of an intrusion detection system are to:  Monitor and analyze the user and system activities.  Analyze system configurations and vulnerabilities.  Assess system and file. 4
  5. 5. INTRUSION DETECTION SYSTEM Why should I use an IDS, especially when I already have firewalls, anti-virus tools, and other security protections on my system? DIVYA K, 1RN09IS016, RNSIT  Each security protection serves to address a particular security threat to your system.  Furthermore, each security protection has weak and strong points.  Only by combining them (this combination is sometimes called security in depth) we can protect from a realistic range of security attacks.  Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.  IDSs serve as monitoring mechanisms, watching activities, and making decisions about whether the observed events are suspicious.  They can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage. 5
  6. 6. CATEGORIES OF IDS Misuse Detection vs Anomaly Detection:  In misuse detection, the IDS identifies illegal invasions and compares it to large DIVYA K, 1RN09IS016, RNSIT database of attack signatures.  In anomaly detection, the IDS. monitors the network segments and compare their state to the normal baseline to detect anomalies Network-based vs Host-based Systems:  A network-based intrusion detection system (NIDS) identifies intrusions by examining network traffic and monitoring multiple hosts.  A host-based intrusion detection system examines the activity of each individual computer or host. 6
  7. 7. LIMITATIONS OF IDS Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them. DIVYA K, 1RN09IS016, RNSIT However, it is found that these IDS cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server. DoubleGuard is a system used to detect attacks in multi-tiered web services. This approach can create normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (File or SQL) network transactions. 7
  8. 8. DOUBLE GUARD Composes both web IDS and database IDS to achieve more accurate detection It also uses a reverse HTTP proxy to maintain a reduced level of service in the presence DIVYA K, 1RN09IS016, RNSIT of false positives. Instead of connecting to a database server, web applications will first connect to a database firewall. SQL queries are analyzed; if they’re deemed safe, they are then forwarded to the back-end database server. GreenSQL software work as a reverse proxy for DB connections Virtualization is used to isolate objects and enhance security performance. CLAMP is an architecture for preventing data leaks even in the presence of attacks. 8
  10. 10. ATTACK SCENARIOS Privilege Escalation Attack: DIVYA K, 1RN09IS016, RNSIT  Hijack Future Session Attack: 10
  11. 11. ATTACK SCENARIOS (CONTINUED…)  Injection Attack: DIVYA K, 1RN09IS016, RNSIT  Direct DB attack: 11
  12. 12. LIMITATIONS OF DOUBLE GUARD Vulnerabilities Due to Improper Input Processing Possibility Of Evading Double Guard DIVYA K, 1RN09IS016, RNSIT Distributed DoS: 12
  13. 13. MAPPING RELATIONS  Deterministic mapping  Empty query set DIVYA K, 1RN09IS016, RNSIT  No matched request  Non-deterministic mapping 13
  14. 14. CONCLUSION We presented an Intrusion Detection System that builds models for Multi-Tiered Web Applications From both Front-end(HTTP) and Back-end(SQL). DIVYA K, 1RN09IS016, RNSIT Introduction Of Sensors in the Normality model, which alerts when there is an Attack. Precise Anomaly detection using Lightweight Virtualization. Double Guard was able to Identify wide range of attacks with minimal False positives. Perfect Accuracy, with 0.6% false positives. 14
  15. 15. REFERENCES DIVYA K, 1RN09IS016, RNSIT C.Anley,Advanced Sql injection in sql server applications,2002. K.bai,H.Wang and P.Liu, Towards database firewalls,2005. M.Chritodorescu and S.Jha . Static analysis of executables to detect malicious pattern. M.Cova,D.Balzarotti,G.vigna.Swaddler:An approach for anomaly detection of state violations in web application. 2007 15