
International Journal of Computer Information Systems, Vol. 3, No. 4, 2011

Prevention of Layer Based Attacks Using Active Intrusion Detection


SakthiPriya P, Department of Computer Science Engineering, Hindustan University, Chennai, India, smartsakthis@gmail.com

Murugan S, Department of Computer Science Engineering, Hindustan University, Chennai, India, mailrugan@yahoo.com

Arunkumar R, Department of Computer Science Engineering, Hindustan University, Chennai, India, arueng@gmail.com

Chrystal Amutha D, Assistant Professor, Department of Computer Science Engineering, Hindustan University, Chennai, India, chrystalamutha@gmail.com

ABSTRACT - Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. Attackers use many types of attack to breach the foundations of information security: authentication, availability, integrity, non-repudiation and authorization. A major issue in web application security is network layer attacks such as IP spoofing, packet sniffing and eavesdropping, which can give attackers unrestricted access to the databases that underlie web applications; such attacks have become increasingly frequent and serious. Resource unavailability is a major concern for web applications, and many approaches exist to prevent attacks of this type. The proposed system achieves high attack detection accuracy by using Conditional Random Fields and high efficiency by implementing the Layered Approach. Its key insight is that attacks can be classified by the OSI layer they target: if an attack is detected at any layer, the system stops the transaction and audits it in the logs table. From the anomaly-based standpoint, it analyzes each transaction to detect malicious access. The system was able to stop all of the attacks and did not generate any false positives.

Keywords: disruption, IP spoofing, packet sniffing, eavesdropping.

I. INTRODUCTION

Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. System security, network security and application-oriented security are the three kinds of security that fall under information security. Firewalls, cryptography and intrusion detection systems can block many system- and network-oriented attacks, but application-oriented attacks can bypass these mechanisms. Firewalls, cryptography and intrusion detection systems were developed with two things in mind, access control and protocol integrity; not much attention was given to the vulnerabilities of the application layer. The hacker community realized this and changed tactics to exploit weaknesses in applications, thereby circumventing the firewall.

October Issue

Page 166 of 179

ISSN 2229 5208

To achieve their goals more effectively, attackers have developed several innovative and sophisticated ways to attack the application layer. Different kinds of application-oriented attack, such as Distributed Denial of Service and cross-site scripting, are available to breach the information security goals. These attacks bypass traditional security mechanisms, and it is very difficult to analyze or audit the attacks that have taken place. Distributed Denial of Service can be blocked only by a server-oriented distributed intrusion detection system. Trust Management Helmet is one solution for preventing Distributed Denial of Service attacks: when it detects an attack it disallows the use of server-side programming languages, so that the server gives priority to protecting the connectivity of good users. The trust placed in a client is evaluated from its visiting history and is used to schedule service for its requests. The system described in this paper was able to stop all of the attacks and did not generate any false positives.

II. LITERATURE SURVEY

K.K. Gupta, B. Nath and R. Kotagiri [1]: Intrusion detection faces a number of challenges; an intrusion detection system must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic. The authors address these two issues of accuracy and efficiency using Conditional Random Fields and a Layered Approach. They demonstrate that high attack detection accuracy can be achieved by using Conditional Random Fields and high efficiency by implementing the Layered Approach. Experimental results on the benchmark KDD '99 intrusion data set show that their system based on Layered Conditional Random Fields outperforms other well-known methods such as decision trees and naive Bayes. The improvement in attack detection accuracy is very high, particularly for the U2R attacks (34.8 percent improvement) and the R2L attacks (34.5 percent improvement). Statistical tests also demonstrate higher confidence in detection accuracy for their method. Finally, they show that the system is robust and able to handle noisy data without compromising performance.

N.B. Amor [2]: Bayes networks are powerful tools for decision and reasoning under uncertainty. A very simple form of Bayes network is the naive Bayes classifier, which is particularly efficient for inference tasks but rests on a very strong independence assumption. This paper offers an experimental study of the use of naive Bayes in intrusion detection and shows that, despite its simple structure, naive Bayes gives very competitive results. The experimental study is done on the KDD'99 intrusion data sets and considers three levels of attack granularity, depending on whether whole attacks are treated individually, grouped into four main categories, or reduced to normal versus abnormal behaviour. Throughout the experiments the performance of naive Bayes is compared with that of a well-known machine learning technique, the decision tree; the authors also compare the performance of Bayes nets with the best existing results reported on KDD'99.

D. Boughaci [3]: The ever increasing connectivity of current computer environments makes traditional intrusion detection systems less and less effective. The ability to move processes across networks brings new security problems, but also gives new ways of dealing with these environments. The authors propose an architecture for a distributed stealth Intrusion Detection and Response System (IDRS) based on mobile agents mimicking the behaviour of social insects. They present the motivation for an approach that solves several problems that are currently unaddressed and offers many new ways of thinking about future IDRSs, describe the foundations of the architecture, discuss its main points, and report partial results obtained from a prototype. Finally, implementation issues and future work are presented.

Y. Bouzida and S. Gombault [4]: Most current intrusion detection systems are either signature based or machine learning based. Despite the number of machine learning algorithms applied to the KDD 99 cup, none of them introduced a pre-model to reduce the huge quantity of information present in the different KDD 99 datasets. The authors introduce a method that is applied to the datasets before running any of the machine learning algorithms used for the KDD 99 intrusion detection cup. The method significantly reduces the quantity of information in the datasets without loss of information. It is based on Principal Component Analysis (PCA): it projects data elements onto a feature space, a vector space R^d that spans the significant variations among known data elements. Two well-known algorithms, decision trees and nearest neighbour, are used to show how the approach eases the decision process. The experiments use network records from the KDD 99 dataset, first by direct application of the two algorithms to the raw data and second after projecting the datasets onto the new feature space.

J.F.C. Joseph, BuSung Lee, A. Das and Boon-Chong Seet [5]: The uniqueness of security vulnerabilities in ad hoc networks has given rise to the need for novel intrusion detection algorithms, different from those used in conventional networks. The authors propose an autonomous host-based intrusion detection system for detecting malicious sinking behaviour. The detection system maximizes detection accuracy by using cross-layer features to define routing behaviour. For learning and adaptation to new attack scenarios and network environments, two machine learning techniques are used together, Support Vector Machines (SVMs) and Fisher Discriminant Analysis (FDA), exploiting the better accuracy of SVM and the faster speed of FDA. Instead of using all cross-layer features, features from the MAC layer are correlated with features from other layers, reducing the feature set without reducing the information content. Experiments are conducted with varying network conditions and malicious node behaviour, analyzing the effects of factors such as mobility, traffic density and the packet drop ratios of the malicious nodes. Simulation-based experiments show that the cross-layer approach aided by the combination of SVM and FDA performs significantly better than other existing approaches.

T.G. Dietterich et al. [6]: Statistical learning problems in many fields involve sequential data. This paper formalizes the principal learning tasks and describes the methods developed within the machine learning research community for addressing these problems, including sliding window methods, recurrent sliding windows, hidden Markov models, conditional random fields and graph transformer networks. It also discusses some open research issues.

III. PROBLEM DEFINITION AND MOTIVATION

A. Motivation

Information security is a major concern in all fields, including e-commerce, e-business, military and scientific information. The Internet is a major resource through which companies enhance their profit and business methodology. E-commerce, e-banking and stock markets access information through the Internet, and customers share their credit card numbers with sellers to buy products online. Such applications are very vulnerable to hackers who seek to expose confidential information, so companies and individuals concentrate mainly on protecting information against these types of attacks. At present, nearly 1.5 million web pages have been severely affected by different types of distributed attacks. This proposal concentrates on protecting data from this type of attack, and the tool is well suited to protecting applications on the Internet.

B. Potential Drawbacks of the Existing System

Many authors have proposed different techniques to prevent web parameter attacks, but each of the reported methods has pros and cons of its own. The authors classify their mechanisms as signature methods, anomaly methods and auditing methods, as discussed in the related work above. Web application attacks can be blocked by the different methods mentioned earlier. Existing systems concentrate mainly on third-party services such as intrusion detection systems and firewalls. The anomaly-based method, on the other hand, monitors the system and its web application behaviour and sets a baseline for the network and system; its major drawback is that it generates a high false alarm rate.
The auditing and logging method relies on the limited audit functionality of database management systems (DBMS); inconsistency across DBMS types and the performance penalty are its drawbacks. A new attempt has been proposed that works effectively against web parameter based attacks, but the attacks are still not traceable in many respects: even when the administrator finds an attack there is no proof with which to identify the user, and the attack is not stopped at the beginning but only when it reaches the firewall or IDS. The first issue is that this mechanism detects only the attacks that are present in its database. The second issue is that it is reported to have increased time and space complexity. The approach adopted in this work to prevent attacks effectively, which is also expected to reduce the complexity, is discussed in detail in the following section.

C. Problem Definition

The major issue in web application security is the network layer, which can give attackers unrestricted access to the databases that underlie web applications; such attacks have become increasingly frequent and serious. In this paper we concentrate on providing security through a layer-based approach. A layer is a collection of similar functions that provide services to the layer above it and receive services from the layer below it. On each layer, an instance provides services to the instances at the layer above and requests service from the layer below. A layer that provides error-free communication across a network provides the path needed by the applications above it, while it calls the next lower layer to send and receive the packets that make up the contents of the path. Two instances at one layer are connected by a horizontal connection on that layer.

IV. SYSTEM DESIGN

A. Overview

Our approach against network layered attacks is based entirely on layered management, which has been used to address security problems related to input validation. The approach comprises seven modules, one per OSI layer, which are used to detect security issues. Before a request is connected to the server, the system analyzes the user's behaviour and transactions, including the comparisons it makes and the database transactions. If it finds any suspicious activity, it acts as an active agent to stop the transaction and audit the attack. Figure 1 depicts the architecture of the system, which prevents SQL injection attacks using the new combined approach. The following sections outline the work of each module in detail.

B. Layered Approach

The Open Systems Interconnection model (OSI model) is a product of the Open Systems Interconnection effort at the International Organization for Standardization. It sub-divides a communications system into smaller parts called layers. A layer is a collection of similar functions that provide services to the layer above it and receive services from the layer below it. On each layer, an instance provides services to the instances at the layer above and requests service from the layer below.

C. Application Layer

The application layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component; such application programs fall outside the scope of the OSI model. Application layer functions typically include identifying communication partners, determining resource availability, and synchronizing communication. When identifying communication partners, the application layer determines the identity and availability of communication partners for an application with data to transmit. We identify attacks at this layer and use the anomaly mechanism to capture any type of attack present in the request. Once the request passes this layer, it crosses to the second layer.

Application layer attacks include HTTP Code Red, Nimda worms and their mutations, directory traversal attacks, MDAC buffer overflows, cross-site scripting attacks and chunked transfer encoding attacks.
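The following is an added example, not code from the paper or its authors, of the screening pipeline described above, written in Python. Signature modules for the network, session and application layers run in layer order, followed by an anomaly module that compares a client's request rate with a baseline learned from normal traffic; the first module to flag a request stops it and writes a row to an in-memory list standing in for the logs table. The request dictionary layout, the bogon address list, the session identifier format, the detection patterns and all sample requests are assumptions constructed for this example.

```python
"""Layered request screening with an audit log (added example, not the
paper's code). Assumptions: each HTTP request is seen as a dict with the
keys client_ip, path, query, headers, cookies and body; the server listens
on a public interface; session identifiers are 16-64 URL-safe characters."""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Network module: source addresses that should never arrive on a public
# listener (a crude IP-spoofing check; the list is assumed for this example).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def check_network(req):
    ip = ip_address(req["client_ip"])
    if any(ip in net for net in BOGONS):
        return f"non-routable source address {ip}"
    return None

# Session module: the cookie must look like an identifier this server issued.
SESSION_ID = re.compile(r"^[A-Za-z0-9_-]{16,64}$")

def check_session(req):
    sid = req["cookies"].get("SESSIONID")
    if sid is not None and not SESSION_ID.match(sid):
        return "malformed session identifier"
    return None

# Application module: traversal, script injection and chunked-encoding abuse.
XSS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def check_application(req):
    # Decode twice so %252e%252e does not slip past a single-decode check.
    path = unquote(unquote(req["path"])).replace("\\", "/")
    if ".." in path.split("/"):
        return "directory traversal in path"
    for value in list(req["query"].values()) + [req["body"]]:
        if XSS.search(unquote(value)):
            return "script injection in parameter"
    headers = {k.lower(): v for k, v in req["headers"].items()}
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and "content-length" in headers:
        return "conflicting Transfer-Encoding and Content-Length"
    return None

class RateBaseline:
    """Anomaly module: per-client request count in a sliding window against a
    threshold learned from normal traffic (mean + sigma standard deviations)."""
    def __init__(self, window=10.0, sigma=3.0):
        self.window, self.sigma = window, sigma
        self.seen = defaultdict(deque)
        self.threshold = None

    def train(self, normal_counts):
        mean = sum(normal_counts) / len(normal_counts)
        var = sum((c - mean) ** 2 for c in normal_counts) / len(normal_counts)
        self.threshold = mean + self.sigma * var ** 0.5

    def check(self, req, now):
        stamps = self.seen[req["client_ip"]]
        stamps.append(now)
        while now - stamps[0] > self.window:
            stamps.popleft()
        if self.threshold is not None and len(stamps) > self.threshold:
            return f"{len(stamps)} requests in {self.window:g}s exceeds baseline {self.threshold:.2f}"
        return None

class LayeredScreener:
    """Runs the signature modules in layer order, then the anomaly module; the
    first module that flags the request stops it and records an audit row."""
    LAYERS = (("network", check_network), ("session", check_session),
              ("application", check_application))

    def __init__(self, baseline):
        self.baseline = baseline
        self.log = []  # stands in for the logs table

    def screen(self, req, now):
        checks = list(self.LAYERS) + [("anomaly", lambda r: self.baseline.check(r, now))]
        for layer, check in checks:
            reason = check(req)
            if reason:
                self.log.append({"ts": now, "client_ip": req["client_ip"],
                                 "layer": layer, "reason": reason, "path": req["path"]})
                return (False, layer, reason)
        return (True, None, None)

def make_req(path="/index.html", client_ip="203.0.113.10", query=None,
             body="", headers=None, cookies=None):
    """Builds a constructed sample request (not captured traffic)."""
    return {"path": path, "client_ip": client_ip, "query": query or {},
            "body": body, "headers": headers or {}, "cookies": cookies or {}}

def demo():
    screener = LayeredScreener(RateBaseline())
    screener.baseline.train([2, 3, 4, 3, 2, 5, 3, 4])  # constructed normal counts per window
    cases = [
        make_req(),                                                    # benign
        make_req(client_ip="10.0.0.5"),                                # spoofed private source
        make_req(cookies={"SESSIONID": "abc"}),                        # malformed session id
        make_req(path="/static/..%252f..%252fetc/passwd"),             # double-encoded traversal
        make_req(query={"q": "<script>alert(1)</script>"}),            # reflected XSS probe
        make_req(headers={"Transfer-Encoding": "chunked", "Content-Length": "5"}),
    ]
    verdicts = [screener.screen(r, now=100.0) for r in cases]
    # One client sending 12 requests in 1.1 s: the anomaly module trips once
    # the window count passes the learned threshold (about 6.16 here).
    flood = [screener.screen(make_req(client_ip="198.51.100.7"), now=200.0 + 0.1 * i)
             for i in range(12)]
    return verdicts, flood, screener.log

if __name__ == "__main__":
    for row in demo()[2]:
        print(row["layer"], "-", row["reason"])
```

The anomaly threshold is the mean plus sigma standard deviations of the per-window counts seen in training; raising sigma lowers the false alarm rate that the anomaly method is criticized for above, at the cost of letting slower floods through. The double URL-decode in check_application is deliberate, since a single decode misses %252e%252e. Running the file directly prints the audit rows produced for the constructed cases.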


D. Presentation Layer

The presentation layer establishes context between application layer entities, in which the higher-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units and passed down the stack. This layer provides independence from data representation (e.g., encryption) by translating between application and network formats: it transforms data into the form that the application accepts, and formats and encrypts data to be sent across a network. It is sometimes called the syntax layer. Data passing through this layer also needs to be analyzed for attacks, and if any are found the transaction is stopped.

E. Session Layer

The session layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex or simplex operation, and establishes checkpointing, adjournment, termination and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet protocol suite. The session layer is commonly implemented explicitly in application environments that use remote procedure calls.

F. Transport Layer

The transport layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. It controls the reliability of a given link through flow control, segmentation/desegmentation and error control. Some protocols are stateful and connection-oriented, which means that the transport layer can keep track of the segments and retransmit those that fail. The transport layer also acknowledges successful data transmission and sends the next data if no errors occurred. Although not developed under the OSI reference model and not strictly conforming to the OSI definition of the transport layer, typical examples of Layer 4 protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

G. Network Layer

The network layer provides the functional and procedural means of transferring variable-length data sequences from a source host on one network to a destination host on a different network, while maintaining the quality of service requested by the transport layer (in contrast to the data link layer, which connects hosts within the same network). The network layer performs network routing functions, and might also perform fragmentation and reassembly and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. Network layer addressing is a logical scheme whose values are chosen by the network engineer; in IP the address space is hierarchical, split into a network prefix and a host part, which is what allows routers to aggregate routes.

Figure 1. Architecture of the proposed system: requests from the Client pass through the Application, Presentation, Session, Transport, Network, Data Link and Physical modules before reaching the Web Server and the Database Server.


H. Data Link Layer

The data link layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the physical layer. Originally this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. Local area network architecture, which included broadcast-capable multi-access media, was developed independently of the ISO work in IEEE Project 802; the IEEE work assumed sub-layering and management functions not required for WAN use. In modern practice only error detection, not flow control using a sliding window, is present in data link protocols such as the Point-to-Point Protocol (PPP); on local area networks the IEEE 802.2 LLC layer is not used for most protocols on Ethernet, and on other local area networks its flow control and acknowledgment mechanisms are rarely used. Sliding window flow control and acknowledgment are used at the transport layer by protocols such as TCP, and are still used at the data link layer in niches where X.25 offers performance advantages.

V. CONCLUSION

This system combines the Layered Approach with the anomaly method to protect web applications against network-oriented attacks. Our approach comprises seven modules to detect network-based attacks. It also offers advantages over existing techniques whose application requires customized and complex runtime environments. Traditional security mechanisms such as IDS and firewalls have not been sufficient to secure web applications; this mechanism is able to block abnormal access to web applications and to detect previously unknown attacks as well as variations of known attacks. A future enhancement of this mechanism is to test the methodology against all types of parallel attacks, run in parallel, and also against system- and network-oriented attacks.
REFERENCES

[1] John Bellardo and Stefan Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions".
[2] Kapil Kumar Gupta, Baikunth Nath and Ramamohanarao Kotagiri, "Layered Approach Using Conditional Random Fields for Intrusion Detection".
[3] Kevin S. Killourhy, Roy A. Maxion and Kymie M. C. Tan, "A Defense-Centric Taxonomy Based on Attack Manifestations".
[4] Khaled Labib and V. Rao Vemuri, "Detecting and Visualizing Denial-of-Service and Network Probe Attacks Using Principal Component Analysis".
[5] Renaud Bidou, "Denial of Service Attacks".
[6] Maheshkumar Sabhnani and Gursel Serpen, "KDD Feature Set Compliant Heuristic Rules for R2L Attack Detection".
[7] Vitaly Shmatikov and Ming-Hsiu Wang, "Security against Probe-Response Attacks in Collaborative Intrusion Detection".


AUTHORS PROFILE

Sakthipriya P, Chennai, 06.08.1989, M.E. Computer Science and Engineering, School of Computing Sciences and Engineering, Hindustan University, Chennai, Tamil Nadu, India.

Murugan S, Chennai, 09.09.1988, M.E. Computer Science and Engineering, School of Computing Sciences and Engineering, Hindustan University, Chennai, Tamil Nadu, India.

Arunkumar S, Chennai, 20.06.1987, M.E. Computer Science and Engineering, School of Computing Sciences and Engineering, Hindustan University, Chennai, Tamil Nadu, India.

Chrystal Amutha D, Assistant Professor, Department of Computer Science Engineering, Hindustan University, Chennai, India, chrystalamutha@gmail.com
