Issue No.04 - July-Aug. (2012 vol.9)
pp: 511-524
Meixing Le , George Mason University, Fairfax
Angelos Stavrou , George Mason University, Fairfax
Brent ByungHoon Kang , George Mason University, Fairfax
ABSTRACT
Internet services and applications have become an inextricable part of daily life, enabling communication and the management of personal information from anywhere. To accommodate this increase in application and data complexity, web services have moved to a multitiered design wherein the webserver runs the application front-end logic and data are outsourced to a database or file server. In this paper, we present DoubleGuard, an intrusion detection system (IDS) that models the network behavior of user sessions across both the front-end webserver and the back-end database. By monitoring both web and subsequent database requests, we are able to ferret out attacks that an independent IDS would not be able to identify. Furthermore, we quantify the limitations of any multitier IDS in terms of training sessions and functionality coverage. We implemented DoubleGuard using an Apache webserver with MySQL and lightweight virtualization. We then collected and processed real-world traffic over a 15-day period of system deployment in both dynamic and static web applications. Finally, using DoubleGuard, we were able to expose a wide range of attacks with 100 percent accuracy while maintaining 0 percent false positives for static web services and 0.6 percent false positives for dynamic web services.
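The abstract's central idea is that a web request and the database queries issued while serving it can be modeled together per session, so that a query with no matching front-end request, or a request followed by queries it never produced during training, stands out. The following is an added illustration of that idea, not DoubleGuard's own code or its exact mapping model: it assumes a simplified rule (every SQL query in a session is attributed to the most recent web request of that session), collapses literals into templates with two small regular expressions, and runs over constructed sample sessions rather than the paper's traffic.

```python
import re

# Constructed training sessions (not data from the paper). Each session is a list of
# ("web", request path) and ("sql", query) events in the order they were observed.
TRAINING_SESSIONS = [
    [("web", "/post?id=7"),
     ("sql", "SELECT * FROM posts WHERE id=7"),
     ("sql", "SELECT * FROM comments WHERE post_id=7")],
    [("web", "/post?id=12"),
     ("sql", "SELECT * FROM posts WHERE id=12"),
     ("sql", "SELECT * FROM comments WHERE post_id=12")],
    [("web", "/about")],                      # static page: no back-end query at all
    [("web", "/login"),
     ("sql", "SELECT id FROM users WHERE name='alice' AND pw='s3cret'")],
]


def normalize_web(path):
    """Collapse numeric parameter values so requests for different records share one template."""
    return re.sub(r"=\d+", "=N", path)


def normalize_sql(query):
    """Collapse string and numeric literals so queries that differ only in data share one template."""
    templ = re.sub(r"'[^']*'", "'S'", query)
    return re.sub(r"\b\d+\b", "N", templ)


def train(sessions):
    """Learn, per web-request template, the set of SQL templates the front end issued for it.

    Assumption (a simplification, not the paper's model): each SQL query is attributed to the
    most recent web request seen in the same session.
    """
    model = {}
    for session in sessions:
        current = None
        for kind, value in session:
            if kind == "web":
                current = normalize_web(value)
                model.setdefault(current, set())   # keep requests that trigger no SQL at all
            elif kind == "sql" and current is not None:
                model[current].add(normalize_sql(value))
    return model


def detect(model, session):
    """Return a list of (reason, event) anomalies found in one session."""
    anomalies = []
    current = None
    for kind, value in session:
        if kind == "web":
            current = normalize_web(value)
            if current not in model:
                anomalies.append(("unknown-web-request", value))
        elif kind == "sql":
            if current is None:
                # A back-end query with no front-end request in the session, e.g. someone
                # talking to the database directly rather than through the web tier.
                anomalies.append(("sql-without-web-request", value))
            elif normalize_sql(value) not in model.get(current, set()):
                # The request is known, but this query template never accompanied it in training.
                anomalies.append(("sql-not-expected-for-request", value))
    return anomalies


MODEL = train(TRAINING_SESSIONS)

if __name__ == "__main__":
    samples = {
        "normal":      [("web", "/post?id=99"),
                        ("sql", "SELECT * FROM posts WHERE id=99"),
                        ("sql", "SELECT * FROM comments WHERE post_id=99")],
        "direct-db":   [("sql", "SELECT name, pw FROM users")],
        "odd-login":   [("web", "/login"), ("sql", "SELECT name, pw FROM users")],
        "static+sql":  [("web", "/about"), ("sql", "SELECT * FROM posts WHERE id=1")],
    }
    for name, session in samples.items():
        print(name, detect(MODEL, session))
```

Requests never seen in training are reported as unknown, and any queries that follow them are reported too because no expectation exists for them; that is the training-coverage limitation the abstract refers to, and in practice such alerts are resolved by extending the training set rather than by the detector.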
INDEX TERMS
Anomaly detection, virtualization, multitier web application.
CITATION
Meixing Le, Angelos Stavrou, Brent ByungHoon Kang, "DoubleGuard: Detecting Intrusions in Multitier Web Applications", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 4, pp. 511-524, July-Aug. 2012, doi:10.1109/TDSC.2011.59