Sie sind auf Seite 1von 8

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013

ISSN: 2231-2803 Page 2850

Secured N-Tier Attack Detection and Prevention
Mechani sm.
Department of Computer Science &
Gudalavalleru Engineering College

Ch.Sivaramamohana Rao
Department of Computer Science &
Gudalavalleru Engineering College

Abstract: Over the past few years Web services and
applications have increased both popularity and
complexity. Due to the lots of data, web services have
moved to multitier design where files are uploaded to
usually the internet server server run as begining and the
data is outsourced onto the database server run as
backend. Due to their high levels of presence, web
services were always the target of attacks. To overcome
this increase in application and data complexity, web
services web services have moved to multitiered. The
front end include web server which can certainly
responsible for your application and offers that output to
back end i.e. file or database server. This strategy is
beneficial to obtain the intrusion at both beginning and
back end of web application.[1] This system has been
utilized to monitor the behavior across beginning web
server and back end database server or file server using
IDS. This systemis able to detect intrusion in static and
dynamic web application.IDS have maximumaccuracy
that is mainly responsible to recognize intrusion. In
Existing approach, Multi Tier Security System, an IDS
systemthat models the network behavior of user sessions
across both the front-end web server and the back-end
database. Proposed work analyze the owner sessions
hijacking and db request monitoring .We implemented
Multi Tier Security Guard using an Apache server with
Oracle Database and lightweight virtualization.

Keywords Two-Tie Architecture, HTTPS,Business Logic
And Client Tier,SQL Injection


Model View Controller or MVC as it's popularly called,
is naturally a software design pattern for developing web
applications. A Model View Controller pattern comprises
of some fundamental three parts:
Model - The very least level of the pattern and that is
liable for maintaining data.View - This happens to be
responsible for displaying all or maybe a portion of the
comprehensive data towards the user.Controller -
Software Code that controls the interactions involving the
Model and View.MVC is fun it isolates the application
formlogic that are caused by the graphical user interface
layer and supports separation of concerns.Here the
Controller receives all requests when it comes to the

application after which works with the product to prepare
any data needed by the View. The View then uses the
data prepared via the Controller to obtain one last
presentable response. The MVC abstraction can be
graphically represented those listed below.
The model:
The model is responsible for managing the data of this
very application. It responds to the request that are
caused by the view and it also responds to instructions
seen fromthe controller to update itself.
The view:
A presentation of data in a particular format, triggered
using a controller's decision to present information. They
are actually script based templating systems like JSP,
ASP, PHP and very easy to integrate with AJAX
technology as shown in fig1:.

Fig 1: General MVC structure
The controller:
The controller is accountable to responding to user input
and performinteractions on the data model objects. The
controller receives the input, it validates the input after

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2851

which performs the process operation that modifies the
continent of information model[2].
A. Client Tier
This is the topmost grade of the application. The
presentation tier displays information regarding queries
made through browsing and displays the answer in fig 2.

Fig-2 : 3-Tier Architecture

B. Logic Tier
It is implemented being a separate layer and this process and
controls an applications functionality.
C. Data Tier
This tier is comprised of database servers or file servers.
Here info is stored and retrieved. This tier keeps data neutral
and independent fromapplication servers or business logic.

Double Guard[1] serves as a systemwhich is used to
detect the attacks in multitier web services. In this
particular system of Double Guard we are creating
normality model of isolated user sessions which includes
both the web front-end as HTTP and back-end as File or
SQL for network transaction. In Double Guard we are
going to use lightweight virtualization technique for
assigning each users web session to the dedicated
container which provides an isolating virtual
environment. So, we are going to take each web request
with its subsequent database queries which will be keep
company with the accurate container ID. Double Guard
takes the www server and database traffic for mapping
profile into proper and accurate account.


Intrusion Recovery for Database-backed Web
Applications [7] In this paper Users or administrators
must manually inspect the application for indicators of an
attack that exploited the vulnerability, if an attack is
located, they have to determine the attackers actions and
rectify the injury physically. When an administrator
learns of security vulnerability within a web application,
he / she can use WARP to examine whether that
vulnerability was recently exploited, in order to endure
any resulting intrusions.

Anomaly-Based Intrusion Detection System [6], serves
as a system for detecting computer intrusions and misuse
by monitoring system activity and classifying it as either
normal or anomalous. The classification is based on
heuristics or rules, rather than patterns or signatures, and
shall detect any formof misuse that falls out of normal
systemoperation. This happens to be in preference to
signature based systems which can only detect attacks for
which a signature has previously been created.
computer systems and networks or against information
systems as a whole as it is challenging to provide
provably secure information systems and manage them in
this particular secure state for their own entire lifetime as
well as for every utilization Sometimes legacy or
operational constrains never even allow a fully secure
information system to be realized in any respect. We
introduce a taxonomy of intrusion detection systems [5]
that highlights the various aspects of this area. Most Web
sites today add dynamic content to a Web page creating
the experience for the user more enjoyable. Dynamic
content is content created by some server process, which
when delivered can behave and display differently onto
the user depending upon their settings and needs.[4]
Cross-site scripting is gaining popularity among attackers
as an easy contact with find in Websites. Cross-site
scripting flaws[6] just surpassed buffer over flows clearly
as the world's most popular publicly-reported security
vulnerability. Recently, browser vendors and researchers
have made an attempt to develop client-side filters to
mitigate these attacks. You can find contributed an
implementation our filter design to the Web Kit open
source rendering engine, and to discover the filter is
currently enabled by default inside the Google Chrome

Increase system security by mapping all requests
reaching to server to set of Database query. Concept of
Double Guard is founded on to earning request reaching
to server Isolated fromeach other. This architecture will
get boosted system security by mapping all requests
reaching to server to set of Database query. Double
Guard may well be tie in with during first point of
contact to web server and at last point of contact of web
server just before touching to Database layer[3].


Injection flaws certainly are a kinds of flaw in
which a parameter supplied to usually the internet
server application goes unchecked or is unsanitary
after which made use of by the web application as
ordinary data or possibly code.
Like this a malicious user may enter or inject code
to get run during the web application. Most typi cal
type is SQL-injection where the supplied user
input is performed according to the database
without checking for special characters or
otherwise escaping the input, thus leading to

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2852

execution of arbitrary user SQL statements when
using the possible effect of stealing passwords or
other sensitive information. A common method to
escape this type of attack is usually to strip the
input from special characters which control the
statement such as ' and ;. However this method of
mitigating the attack is not really one of the best
ever since the stripping has to be performed on
every occurrence of user supplied input when using
the database. This could be difficult and is
definitel y missed. Another flaw in this particular
mitigation technique is the wide gap left even after
stripping of virtually all special characters. Since
most SQL statements may well be rewritten using
only letters. An individual doesn't need =but can
write LIKE instead. An easier way will be to allow
input only typically from a whitelist, however this
method is also hard to maintain and to discover the
preferred way for you to mitigate against
SQLinjections is to use prepared statements. With
a prepared statement the user supplied input cannot
conflict with the coded SQL statement because it is
already within the SQL engine. The person
supplied input is merely inside the present
statement. Another advantage is that the prepared
statement will probably be parsed only once from
the SQL engine, so a speedup has been reached as


Dynamic Attack Detection Algori htm:

Require: Training Data set, Threshold t
Ensure: The Mapping Model for static website
for session separated traffic Ti do
Get different HTTP requests r and DB queries q in
this session
for each different r do
if r is a request to static file next add r into set
if r is not really in set REQ then put r into REQ
Append session ID i onto the set ARr with r clearly
as the key
for each different q do
if q is not just in set SQL then
Add q into SQL
Append session ID i towards the set AQq with q
clearly as the
for each distinct HTTP request r in REQ do
for each distinct DB query q in SQL do
Compare the set ARr in the set AQq
if ARr =AQq and Cardinality(ARr) >t then
Found a Deterministic mapping from r to q
Add q into mapping model set MSr of r
Mark q in set SQL
Need more training sessions
return False
for each DB query q in SQL do
if q is not just marked next add q into set NMR
for one HTTP request r in REQ do
if r does not have any deterministic mapping model
next add r into set EQS
return Correct
Here the intention is usually to use 'numeric SQL
injection' to bypass authorization.

Ever since the page sends an 'employee_id'
together with requested action 'view' it seemed
natural to intercept this users id and give it 112
instead, though this gave an odd error page onl y
saying \"A mistkea has occurred\" with no
information in the logs. A tip gave away the
answer that's 101 OR 1=1 ORDER BY salary desc.
Which means there is a pay attention to in case the
currently logged in user would be the requested
profile id. This check is bypassed by utilizing the
above string. It offers the currentl y logged in users
ID, 101, but appends a thing that is always true and
asks to sort it by salary, which happens to return
another user first in comparison to the current
users id.

Privilege Escalation Attack

Lets assume that the site serves both regular users
and administrators. For a regular user, the www
request ru will trigger the desirable of SQL queries
Qu; for the administrator, the request ra will
trigger the desirable of admin level queries Qa.
Now suppose that an attacker logs directly into
webserver as a normal user, upgrades his/her
privileges, and triggers admin queries so as to
attain a administrators data. This attack won't be
able to be detected by either the webserver IDS as
well as database IDS since both ru and Qa are
legitimate requests and queries. Our approach,
however, can detect this sort of attack since the DB
query Qa does not equal the request ru, based on
our mapping model. Fig shows the way a normal
user might use admin queries must purchase
privileged information.

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2853

Fig 3: Privilege Escalation Attack

Injection Attack

Attacks for instance SQL injection do not require
compromising the web server. Attackers can make
use of existing vulnerabilities in the web server
logic to inject the data or string content that
contains the exploits and then utilize the web
server to relay these exploits to attack the back-end
database. Since our approach provides a two-tier
detection, whether or not the exploits are accepted
by the web server, the rel ayed contents to
theDBserver will never be capable of taking
toward the expected structure for your given web
server request. To illustrate, since the SQL
injection attack changes the structure of one's SQL
queries, even if the injected data had to undergo
the web server side, it would generate SQL queries
in a different structure that might be detected for
being deviation that are caused by the SQL query
structure that would normally foll ow this type web
request. Fig. illustrates the scenario of a SQL
injection attack.

Direct DB Attack:

It is quite likely for an attacker to bypass the webserver
or firewalls and connect straight into the database. An
attacker could also have previously rise above the
webserver and feel submitting such queries from the
webserver without sending web requests. Without
matched web requests for such queries, a webserver IDS
could detect neither. Furthermore, if these DB queries
were within the set of allowed queries, probably the
database IDS itself won't detect it either. However, the
sort of attack may well be caught with our approach since
we cannot match any web requests basic queries. Fig 4.
illustrates the scenario wherein an attacker bypasses the
webserver to directly query the database.

Fig 4: Direct DB attack


All experiments were performed with the configurations
Intel(R) Core(TM)2 CPU 2.13GHz, 2 GB RAM, and the
operating system platform is Microsoft Windows XP
Professional (SP2).Experimental results uses Apache
tomcat and JSP,Servlet technologies.


User login with sql injection quotes

Sql injection access granted

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2854

Sql injection prevention mechanism

Sql injection prevention error message

Direct DB attack

User attacked url details

Application access granted using attacked url

Direct database prevention mechanism

Direct db attack prevention redirects to

User To Root Attack

User attacks Admin Information home page

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2855

List of user attacked admin created users details

User attacked admin tables information

User attacked session users details

User kill user sessions

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2856

Admin privileges hiding using encryption in
order to prevent user to root attack

Performance Analysis:

Experimental results are tested under j2ee applications
and then memory, time for each request is identified as

0 1000 2000
DirectDB Attack
Prevention 1.2 217
2 1422
Graph shows Direct db attack server and time
overload details under attack and prevention
10 24544
8 2186
Requests Time(ms)

Graph shows Sql injection attack and prevention requests
and time overhead details.


The novel system with intrusion prevention proxy has
proved to be effective in detecting the SQL injection
attacks. Dynamically user input extraction and analysis
considering the context of the querys syntactic structure.
Unlike current protection techniques, our approach is
fully modular and it doesn't require access to the original
source code of the web applications and the database. In
addition, our system is easily deployable to existing
enterprise environments and could protect multiple front-
end webapplications with no modications. Our
experimental results imply that we could achieve have
high detection rate with reasonable performance
overhead making our system most suited for
environments where software or architecture changes is
not really an economically viable option. In future work,
the main focus will probably be on optimization of a
given systemand take off the vulnerable points inside the
application itself, and additionally to detection and
studying alternate techniques for detection and mitigation
of SQL injection attacks.

Unlike previous methods that correlated or summarized
alerts generated by independent IDSs, DoubleGuard
forms a container-based IDS with multiple input streams
to generate alerts. We have now shown that such
correlation of input streams creates a better
characterization of this very system for anomaly
detection because of the fact that the intrusion sensor has
a more precise normality model that detects a wider
range of threats. We achieved this by isolating the flow
of information from each webserver session with the use
of a lightweight virtualization. Furthermore, we
quantified the detection accuracy of our approach after

International Journal of Computer Trends and Technology (IJCTT) volume 4 Issue 8August 2013
ISSN: 2231-2803 Page 2857

we attempted to model static and dynamic web requests
with the back-end file systemand database queries.


[1] DoubleGuard: Detecting Intrusions in Multitier Web
Applications Meixing Le, Angelos Stavrou,
Member, IEEE, and Brent ByungHoon Kang,
VOL. 9, NO. 4, JULY/AUGUST 2012
[3] Intrusions Detection in Threetier Web Applications
using DoubleGuard System Binal M. Patel,
International J ournal of Computer Science and
Management Research
[4] Cross site script http:// www. ibm.

[5] H. Debar, M. Dacier, and A. Wespi. Towards a
taxonomy of intrusiondetection systems.Computer
Networks, 31(8), 1999.
[6] XSS flaws https://
[7]Five Common Web Application
es /five-common-web-application vulnerabilities,2011.
[8] SnortThe Open Source Network Intrusion
Detection System,, 2004.
[9] S.J.Templeton and K. Levitt, A Requires/Provides
Model for Computer Attacks, Proc. New Security
Paradigms Workshop, pp. 31-38, Sept. 2000.