This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
DoubleGuard: Detecting Intrusions in Multi-tier Web Applications
Meixing Le, Angelos Stavrou, Brent ByungHoon Kang (George Mason University)
Abstract—Internet services and applications have become an inextricable part of daily life, enabling communication and the management of personal information from anywhere. To accommodate this increase in application and data complexity, web services have moved to a multi-tiered design wherein the web server runs the application front-end logic and data is outsourced to a database or file server. In this paper, we present DoubleGuard, an intrusion detection system (IDS) that models the network behavior of user sessions across both the front-end web server and the back-end database. By monitoring both web requests and the database requests they subsequently generate, we are able to ferret out attacks that an independent IDS would not be able to identify. Furthermore, we quantify the limitations of any multi-tier IDS in terms of training sessions and functionality coverage. We implemented DoubleGuard using an Apache web server with MySQL and lightweight virtualization. We then collected and processed real-world traffic over a 15-day period of system deployment in both dynamic and static web applications. Finally, using DoubleGuard, we were able to expose a wide range of attacks with 100% accuracy while maintaining 0% false positives for static web services and 0.6% false positives for dynamic web services.
Index Terms—anomaly detection, virtualization, multi-tier web application
I. INTRODUCTION
Web-delivered services and applications have increased in both popularity and complexity over the past few years. Daily tasks, such as banking, travel, and social networking, are all done via the web. Such services typically employ a web server front-end that runs the application user interface logic, as well as a back-end server that consists of a database or file server. Due to their ubiquitous use for personal and/or corporate data, web services have always been the target of attacks. These attacks have recently become more diverse, as attention has shifted from attacking the front-end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system (e.g., SQL injection attacks). A plethora of Intrusion Detection Systems (IDS) currently examine network packets individually within both the web server and the database system. However, there is very little work being performed on multi-tiered Anomaly Detection (AD) systems that generate models of network behavior for both web and database network interactions. In such multi-tiered architectures, the back-end database server is often protected behind a firewall while the web servers are remotely accessible over the Internet. Unfortunately, though they are protected from direct remote attacks, the back-end systems are susceptible to attacks that use web requests as a means to exploit the back-end.
To protect multi-tiered web services, intrusion detection systems have been widely used to detect known attacks by matching misuse traffic patterns or signatures. A class of IDS that leverages machine learning can also detect unknown attacks by identifying abnormal network traffic that deviates from the so-called "normal" behavior previously profiled during the IDS training phase. Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them. However, we found that these IDS cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way...
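The cross-tier session model the abstract describes, and the blind spot this paragraph identifies (each tier's traffic looks normal on its own; only the pairing is wrong), worked through as an added example. This is illustrative code written for this page, not the authors' DoubleGuard implementation. It assumes that the events of one user session are already separated from other sessions (the paper uses lightweight virtualization for that; here each session is simply a list), that the request and query normalization below is an adequate stand-in for the paper's pattern extraction, and that all traffic shown is constructed rather than captured.

```python
"""Added example (not DoubleGuard's code): learn which normalized SQL queries each
normalized web request may trigger, then flag sessions whose web->DB mapping deviates."""
import re
from collections import defaultdict


def normalize_request(request):
    """'GET /profile?id=9' -> 'GET /profile?id=?' (keep structure, drop parameter values)."""
    method, _, path = request.partition(" ")
    base, _, query = path.partition("?")
    params = sorted(p.partition("=")[0] + "=?" for p in query.split("&") if p)
    return f"{method} {base}" + ("?" + "&".join(params) if params else "")


def normalize_query(sql):
    """Replace string and numeric literals with '?' so only query structure is modeled."""
    sql = re.sub(r"'[^']*'", "?", sql)
    sql = re.sub(r"\b\d+\b", "?", sql)
    return re.sub(r"\s+", " ", sql).strip().upper()


def attribute(session):
    """Pair each web request with the DB queries that follow it inside one session.

    Assumption (simplification of per-session isolation): queries between two web
    requests belong to the earlier request; queries before any request map to None.
    """
    pairs, current, queries = [], None, []
    for tier, payload in session:
        if tier == "web":
            if current is not None or queries:
                pairs.append((current, queries))
            current, queries = normalize_request(payload), []
        else:
            queries.append(normalize_query(payload))
    if current is not None or queries:
        pairs.append((current, queries))
    return pairs


def train(sessions):
    """Request pattern -> set of query patterns observed for it in attack-free training."""
    model = defaultdict(set)
    for session in sessions:
        for request, queries in attribute(session):
            model[request].update(queries)
    return dict(model)


def detect(model, session):
    """Cross-tier check: alerts for a session; an empty list means the mapping is normal."""
    alerts = []
    for request, queries in attribute(session):
        if request is None:
            alerts.append(("db-query-without-web-request", queries))
        elif request not in model:
            alerts.append(("unseen-request-pattern", request))
        else:
            unexpected = [q for q in queries if q not in model[request]]
            if unexpected:
                alerts.append(("unexpected-queries-for-request", request, unexpected))
    return alerts


def per_tier_check(model, session):
    """What independent web-only and DB-only detectors see: True if every request
    pattern and every query pattern in the session was individually seen in training."""
    known_queries = set().union(*model.values())
    requests = {normalize_request(p) for t, p in session if t == "web"}
    queries = {normalize_query(p) for t, p in session if t == "db"}
    return requests <= set(model) and queries <= known_queries


# Constructed traffic (not real captures): (tier, payload) events in session order.
TRAINING_SESSIONS = [
    [("web", "GET /login"), ("db", "SELECT id FROM users WHERE name='alice' AND pw='s3cret'"),
     ("web", "GET /profile?id=7"), ("db", "SELECT * FROM users WHERE id=7")],
    [("web", "GET /login"), ("db", "SELECT id FROM users WHERE name='bob' AND pw='hunter2'"),
     ("web", "GET /profile?id=9"), ("db", "SELECT * FROM users WHERE id=9"),
     ("web", "POST /profile?id=9"), ("db", "UPDATE users SET email='bob@example.org' WHERE id=9")],
]
BENIGN_SESSION = [
    ("web", "GET /login"), ("db", "SELECT id FROM users WHERE name='carol' AND pw='pw'"),
    ("web", "GET /profile?id=11"), ("db", "SELECT * FROM users WHERE id=11"),
]
# The request pattern and the UPDATE pattern each exist in training, so a web-only or
# DB-only IDS sees nothing unusual; only the pairing (a GET triggering an UPDATE) is wrong.
ATTACK_SESSION = [
    ("web", "GET /login"), ("db", "SELECT id FROM users WHERE name='mallory' AND pw='pw'"),
    ("web", "GET /profile?id=9"), ("db", "SELECT * FROM users WHERE id=9"),
    ("db", "UPDATE users SET email='mallory@evil.example' WHERE id=9"),
]


def run_demo():
    model = train(TRAINING_SESSIONS)
    return detect(model, BENIGN_SESSION), detect(model, ATTACK_SESSION), per_tier_check(model, ATTACK_SESSION)


if __name__ == "__main__":
    benign, attack, single_tier_ok = run_demo()
    print("benign session alerts:", benign)
    print("attack session alerts:", attack)
    print("attack session passes per-tier checks:", single_tier_ok)
```

The model here is deliberately lenient (any query pattern previously seen for a request pattern is allowed), which matches the paper's remark that dynamic content costs some false positives; a stricter variant would store the exact query sequence per request. The `None` case stands in for a database query with no matching web request, which a database-side IDS alone cannot distinguish from legitimate application traffic.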