Intrusion Detection Approaches Misuse Detection Computer Science Essay


The Internet has become a vital part of day-to-day life for a wide-ranging population, for purposes such as business transactions and education. Since many organizations rely on online business transactions, their databases need to be secured from intruders. Every organization uses web applications to access data in its database, and these applications use user input to build the queries that store and retrieve that data. Although all organizations are concerned about data security, attackers are still able to steal or corrupt data using techniques such as SQL injection, client-side cross-site scripting, privilege escalation and hijacking of future sessions, which are commonly referred to as intrusions. These attacks are carried out by inserting a malicious query as input to the web application or by sending malicious content in a web request. In this paper we present a novel intrusion detection system based on analyzing user behavior and user input queries, using a Honeypot technique to reduce false positives in dynamic web applications. Honeypots are generally designed to audit the activity of intruders, save log files and record events. By monitoring both web requests and the subsequent database queries, we are able to ferret out attacks that an independent intrusion detection system would not be able to identify.




In recent years, widespread adoption of the Internet has resulted in rapid advances in information technology. The Internet is used by the general population for purposes such as financial transactions, educational activities and countless others. This growth in Internet use has unfortunately been accompanied by a growth in malicious activity on the Internet. Using the Internet for important tasks such as transferring a balance from a bank account always comes with a security risk. Today's websites strive to keep their users' data confidential, and after years of doing secure business online, these companies have become experts in information security.

The database systems behind these secure websites store non-critical data alongside sensitive information, in a way that gives the information owners quick access while blocking break-in attempts by unauthorized users. A common break-in strategy is to try to access sensitive information in a database by first crafting a query that causes the database parser to malfunction, and then applying this query to the target database. Such an approach to gaining access to private information is called SQL injection. Since databases are everywhere and are accessible from the Internet, dealing with SQL injection has become more important than ever.

Although current database systems have few vulnerabilities, the Computer Security Institute found that every year about 50% of databases experience at least one security breach. The loss of revenue associated with such breaches has been estimated at over four million dollars.

An intrusion can be defined as any set of actions that attempts to compromise the confidentiality, integrity or availability of a resource. An intrusion detection system attempts to detect an intruder breaking into or misusing system resources.

Intrusion Detection Approaches

Misuse Detection

Misuse detection is based on knowledge of vulnerabilities and known attack signatures. It is concerned with detecting intruders who attempt to break into a system by exploiting known vulnerabilities. A signature-based IDS stores the patterns of known attacks and uses these stored behavior patterns to identify and detect attacks. It can detect only known attacks; the main drawback of a signature-based IDS is that it cannot detect new or previously unseen attacks.

Anomaly Detection

Anomaly detection assumes that intrusions will always show some deviation from the normal pattern. This type of IDS stores the normal behavior of the system (learned from previously observed behavior) and classifies any behavior that violates it as an attack. An anomaly-based IDS can detect new attacks, but it raises alarms for legitimate but previously unseen system behavior; these alarms are termed false positives.

Honeypot systems are systems set up to gather information about an attacker or intruder. A Honeypot is designed to catch would-be attackers before they invade the real servers and services.

The main idea of a Honeypot is to set up an attractive system that appears to have some vulnerability giving easy access to resources. Honeypots are set up not to capture the attacker but to monitor and learn from their actions: to find out how people probe and exploit the system and how those exploits can be prevented.

In this paper, we propose a framework that accurately detects attacks in multi-tier web applications. We present a novel intrusion detection system based on analyzing user behavior and user input queries, using a Honeypot technique to reduce false positives in dynamic web applications. Honeypots are designed to check the activity of intruders, save log files and record events; by collecting such data, Honeypots help to improve security. By monitoring both web requests and the subsequent database queries, we are able to ferret out attacks that an independent IDS would not be able to identify.

Our approach creates normality models of isolated user sessions that include both the front-end HTTP requests and the back-end database queries. To achieve this, we employ a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual environment. We use the container ID to accurately associate each web request with the subsequent DB queries. An IDS uses predefined knowledge to identify an attack and does not have the capability to identify new attacks, but a Honeypot gives a real-time insight into how an attack happened, which makes it possible to strengthen security.

IDS using Honeypot


Figure 1 Concept Overview (diagram not reproduced; the only surviving label is "Internet")


1.2.1 J. Newsome, B. Karp, and D.X. Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms," Proc. IEEE Symp. Security and Privacy, 2003

Polygraph is a signature-based intrusion detection system: a signature generation system that produces signatures matching polymorphic worms. To protect multi-tier web applications, intrusion detection systems have been widely used to detect known attacks by matching misused traffic patterns or signatures. This paper defines the polymorphic signature generation problem, proposes classes of signature suited to matching polymorphic worm payloads, and presents algorithms that generate signatures in these classes. The signature classes for polymorphic worms include:

Conjunction Signatures

Token Subsequence Signatures

Bayes Signatures

The signature generation algorithms are run on workloads consisting of samples of polymorphic worms, to evaluate the quality of the signatures produced and the computational cost of generating them. Evaluation of the signature generation algorithms on a range of polymorphic worms shows low false negatives.


A signature-based intrusion detection system uses a database of previous attacks. It cannot detect new or previously unseen attacks.
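The two token-based signature classes listed above, and the drawback just noted, as an added example that is not code from the essay or from Polygraph: a conjunction signature matches a payload containing every token in any order, while a token-subsequence signature also requires the tokens in order. The signature tokens and payloads are constructed strings, not real worm samples.

```python
# Added example (not from the essay or Polygraph): matching the conjunction and
# token-subsequence signature classes against constructed payloads.
from typing import Sequence


def matches_conjunction(payload: bytes, tokens: Sequence[bytes]) -> bool:
    """True if every token occurs somewhere in the payload (any order)."""
    return all(tok in payload for tok in tokens)


def matches_token_subsequence(payload: bytes, tokens: Sequence[bytes]) -> bool:
    """True if the tokens occur in order, each one after the previous match."""
    pos = 0
    for tok in tokens:
        idx = payload.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True


# Constructed signature: byte substrings assumed invariant across the
# polymorphic variants; the varying bytes between them are unconstrained.
SIGNATURE = [b"POST /upload", b"Content-Type: ", b"MAGIC="]

# Constructed sample payloads.
PAYLOADS = {
    # two polymorphic variants: same invariant tokens, different filler bytes
    "variant_a": b"POST /upload HTTP/1.0\r\nContent-Type: x\r\n\r\nMAGIC=aaaa",
    "variant_b": b"POST /upload HTTP/1.1\r\nContent-Type: y/z\r\n\r\nMAGIC=zz9",
    # same tokens out of order: conjunction matches, subsequence does not
    "reordered": b"MAGIC=1\r\nPOST /upload HTTP/1.0\r\nContent-Type: q",
    # a later variant that dropped one token: neither class matches it, which
    # is the "previously unseen attack" gap the essay describes
    "unseen": b"POST /upload HTTP/1.0\r\n\r\nMAGIC=bbbb",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www\r\n",
}


def classify(payload: bytes, signature: Sequence[bytes]) -> dict:
    """Evaluate one payload against both signature classes."""
    return {
        "conjunction": matches_conjunction(payload, signature),
        "subsequence": matches_token_subsequence(payload, signature),
    }


if __name__ == "__main__":
    for name, data in PAYLOADS.items():
        print(f"{name:10s} {classify(data, SIGNATURE)}")
```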

1.2.2 C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), Oct. 2005.

This paper presents an intrusion detection system that uses a number of anomaly detection techniques to detect attacks against web servers. Behavior models are built by performing a statistical analysis of historical data. The paper introduces a novel approach to anomaly detection using HTTP queries that contain parameters. Parameter characteristics such as length and structure are learned from the input data. The system correlates the server-side programs with the client queries and with the parameters contained in those queries.

This anomaly detection approach analyzes HTTP requests as logged by most common web servers. The analysis focuses on GET requests that use parameters to pass values to server-side programs. The system automatically derives the parameter profiles associated with web applications from the analyzed data. The task of a model is to assign a probability value to either a query or one of the query's attributes. Based on the models' outputs, the query is either reported as a potential attack or accepted as normal. This decision is reached by calculating an anomaly score for each query attribute and for the whole query. In the detection phase, the system tests whether the character distribution of a query attribute is an actual sample from the idealized character distribution (ICD). This was the first anomaly detection system specifically adapted to the detection of web-based attacks.


Such systems detect deviations from the learned patterns of user behavior. They can detect new attacks, but they produce false alarms for legitimate but previously unseen system behavior.
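The per-attribute length model and ICD test described above, as an added example that is not code from the essay or from Kruegel and Vigna: it trains on constructed GET request paths and scores a new request. The frequency bins and the Chebyshev length bound follow the paper's outline; the thresholds, the smoothing floor for empty bins and the sample data are assumptions of this example.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Rank ranges (half-open) over the sorted character frequencies, as in the paper.
BINS = [(0, 1), (1, 4), (4, 7), (7, 12), (12, 16), (16, 256)]

def attributes(path: str) -> dict:
    """{attribute: value} for the query string of a GET request path."""
    return dict(parse_qsl(urlsplit(path).query, keep_blank_values=True))

def sorted_distribution(value: str) -> list:
    """Relative byte frequencies of the value, sorted in descending order."""
    total = max(len(value), 1)
    freqs = sorted((c / total for c in Counter(value.encode()).values()), reverse=True)
    return freqs + [0.0] * (256 - len(freqs))

def binned(dist: list) -> list:
    return [sum(dist[lo:hi]) for lo, hi in BINS]

class AttributeModel:
    """Length model plus idealized character distribution (ICD) for one attribute."""

    def __init__(self):
        self.lengths = []
        self.icd = [0.0] * 256  # running sum of the sorted distributions

    def train(self, value: str) -> None:
        self.lengths.append(len(value))
        self.icd = [a + b for a, b in zip(self.icd, sorted_distribution(value))]

    def length_probability(self, value: str) -> float:
        """Chebyshev bound on a value at least this long; 1.0 for short values."""
        n = len(self.lengths)
        mu = sum(self.lengths) / n
        var = sum((x - mu) ** 2 for x in self.lengths) / n
        if len(value) <= mu:
            return 1.0
        return min(1.0, var / (len(value) - mu) ** 2) if var > 0 else 0.0

    def chi_square(self, value: str) -> float:
        """Chi-square distance between the value's binned distribution and the ICD."""
        n = len(value)
        expected = binned([x / len(self.lengths) for x in self.icd])
        observed = binned(sorted_distribution(value))
        chi = 0.0
        for obs, exp in zip(observed, expected):
            exp_count = max(exp * n, 0.5)  # floor so bins empty in training still count
            chi += (obs * n - exp_count) ** 2 / exp_count
        return chi

def train(paths: list) -> dict:
    """One AttributeModel per parameter name, trained on normal request paths."""
    models = defaultdict(AttributeModel)
    for path in paths:
        for name, value in attributes(path).items():
            models[name].train(value)
    return dict(models)

def score(models: dict, path: str, p_min: float = 0.01, chi_max: float = 10.0) -> dict:
    """Per-attribute scores and anomaly decision; thresholds are this example's."""
    result = {}
    for name, value in attributes(path).items():
        model = models.get(name)
        if model is None:  # a parameter never seen for this program is anomalous
            result[name] = {"anomalous": True, "reason": "unknown attribute"}
            continue
        p, chi = model.length_probability(value), model.chi_square(value)
        result[name] = {"length_p": p, "chi_square": chi,
                        "anomalous": p < p_min or chi > chi_max}
    return result

# Constructed training data: normal requests to one server-side program.
TRAINING = ["/view.php?id=1042", "/view.php?id=87", "/view.php?id=3150", "/view.php?id=221"]
```

Calling `score(train(TRAINING), path)` on a path whose `id` is a short number passes both models, while a long value with many distinct characters fails both the length bound and the chi-square comparison.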


1.2.3 Gregory T. Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti, "Using Parse Tree Validation to Prevent SQL Injection Attacks", ACM 2005

This approach uses a parsing technique to detect and prevent SQL injection attacks. The technique is based on comparing the parse tree of the SQL statement before user input is included with the parse tree of the statement after the input is included at run time. By incorporating a simple SQL parser, it evaluates all user input without requiring a call to the database, thus reducing run-time costs. The approach aims to satisfy the following three criteria:

Eliminate the possibility of attack

Reduce the effort required of the programmer

Minimize the run-time overhead.

A parse tree is the data structure built by the developer to hold the parsed representation of a statement. To parse a statement, the grammar of the statement's language is needed. In this method, by parsing two statements and comparing their parse trees, we can check whether the two queries are structurally equal. When an attacker successfully injects SQL into a database query, the parse tree of the intended SQL query differs from that of the query actually generated with the attacker's input.

This method reduces the effort required of the programmer, since it captures both the intended query and the actual query, compares them and throws an exception when appropriate.


This technique was implemented only for one common web application platform, J2EE, and not for the .NET framework or PHP. PHP has a feature called Magic Quotes which automatically escapes input from the request object; this feature has caused difficulties for programmers.
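The intended-versus-actual comparison described above, as an added example that is not code from the essay or from Buehrer et al.: a token-level stand-in for the parse tree, in which literals are abstracted to their kind. The query built from the template with a harmless placeholder gives the intended structure; the query built with the real input must match it or it is rejected before reaching the database. The templates, keyword list and inputs are assumptions of this example.

```python
import re

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "INSERT",
            "INTO", "VALUES", "UPDATE", "SET", "DELETE", "LIKE", "IN", "NULL",
            "ORDER", "BY", "LIMIT", "IS", "ALL"}

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # string literal, '' escapes a quote
  | (?P<number>\d+(?:\.\d+)?)           # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<symbol>[<>!=]=|<>|[=<>+*/,();.-])
  | (?P<space>\s+)
  | (?P<other>.)                        # anything else, e.g. a stray quote
""", re.VERBOSE)


def structure(sql: str) -> list:
    """Flattened stand-in for a parse tree: literals are abstracted to their
    kind; keywords, identifiers and symbols are kept verbatim."""
    shape = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "space":
            continue
        if kind in ("string", "number"):
            shape.append(kind.upper())
        elif kind == "word":
            up = text.upper()
            shape.append("KW:" + up if up in KEYWORDS else "ID:" + text)
        else:
            shape.append("SYM:" + text)
    return shape


def build_query(template: str, user_input: str, numeric: bool = False) -> str:
    """Fill the {} slot of the template with user input, raising ValueError if
    the input changes the query structure compared with the intended query."""
    placeholder = "0" if numeric else ""   # harmless literal of the slot's type
    intended = structure(template.format(placeholder))
    actual_sql = template.format(user_input)
    if structure(actual_sql) != intended:
        raise ValueError("user input altered the query structure: " + actual_sql)
    return actual_sql


def is_safe(template: str, user_input: str, numeric: bool = False) -> bool:
    try:
        build_query(template, user_input, numeric)
        return True
    except ValueError:
        return False


BY_NAME = "SELECT * FROM users WHERE name = '{}'"
BY_ID = "SELECT * FROM users WHERE id = {}"

if __name__ == "__main__":
    # Constructed inputs: the first of each pair is legitimate, the second is not.
    for tmpl, inp, num in [(BY_NAME, "alice", False), (BY_NAME, "x' OR 'a'='a", False),
                           (BY_ID, "42", True), (BY_ID, "42 OR 1=1", True)]:
        print(f"{inp!r:20} -> {'accepted' if is_safe(tmpl, inp, num) else 'rejected'}")
```

Note that an unescaped quote in legitimate input (O'Brien) is also rejected, because it changes the structure just as an injection does; the caller must escape it as O''Brien first.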

1.2.4 Y. Huang, A. Stavrou, A.K. Ghosh, and S. Jajodia, "Efficiently Tracking Application Interactions Using Lightweight Virtualization," Proc. First ACM Workshop Virtual Machine Security, 2008.

This paper proposes a general-purpose framework that harnesses the power of lightweight virtualization to track application interactions in a scalable and efficient manner. The main goal is to use this framework for:

Application auditing

Intrusion detection

System recovery from both attacks and programmatic faults.

In this framework, each virtualized environment (VE) is constructed in a novel way that limits the scope and type of application events that need to be monitored to protect integrity: interactions among VEs and with system resources, including the file system, memory and network. This framework, termed the Journaling Computing System (JCS), makes the following contributions:

Modeling system events as transactions: all interactions among virtualized application executions, and interactions with remote hosts/servers, need to be monitored.

Isolation and Monitoring of VEs.

JCS aims to address the basic problems of these two general approaches:

Protection of VE integrity

The number of events that need to be monitored and logged.


In JCS, summarizations preserve history for very long periods of time, so they occupy a large amount of disk space.

1.2.5 F. Valeur, G. Vigna, C. Kruegel, and R.A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation," IEEE Trans. Dependable and Secure Computing, vol. 1, no. 3, pp. 146-169, July-Sept. 2004.

This paper describes a multi-component correlation process and a framework that performs the correlation analysis. The main objective of the correlation process is to produce a concise overview of security-related activity; the framework consists of a collection of components that transform intrusion detection sensor alerts into intrusion reports. It uses a pipeline architecture consisting of the following components:

Alert Normalization

Alert Preprocessing

Alert Fusion

Alert Verification

Thread Reconstruction

Attack Session Reconstruction

Focus Recognition

Multi-step Correlation

Impact Analysis

Alert Prioritization

The effectiveness of each component depends on the data sets being analyzed. The performance of the correlation process is influenced by:

Topology of the network

Characteristics of the attack

Available metadata


The verification component was limited in that some alerts could not be verified using the active scanning approach, so the authors could not determine whether these alerts were true positives.

1.2.6 D. Bates, A. Barth, and C. Jackson, "Regular Expressions Considered Harmful in Client-Side XSS Filters," Proc. 19th Int'l Conf. World Wide Web, 2010.

This paper proposes a new filter design that achieves both high performance and high precision by blocking scripts after HTML parsing but before execution. The implementation of this filter design was contributed to WebKit, an open source rendering engine, and the filter is now enabled by default in the Google Chrome browser.

This client-side XSS filter is placed between the HTML parser and the JavaScript engine, instead of mediating between the network stack and the HTML parser. This is how the design achieves high performance and high fidelity: the post-parser design examines the semantics of the HTTP response as interpreted by the browser, without performing a time-consuming and error-prone simulation of the parser.

The usefulness of the filter depends on what percentage of vulnerabilities it covers and on its rates of false positives and false negatives. The new filter design blocks suspected attacks by preventing the injected script from being passed to the JavaScript engine, rather than performing risky transformations on the HTML.


This filter cannot mitigate stored XSS vulnerabilities, because the attacker's script need not be present in the request. In a stored XSS attack, the attacker stores malicious content on the target website's server; later, when a user visits the server, the server sends the attacker's content to the user's web browser.




Figure 2.1 System Architecture Design (diagram not reproduced; components shown: Client 1, Client 2, …, Client n, Intrusion Detection System, Web Server, Database Server)


A Honeypot is a special system connected to the organization's network in order to attract attackers to connect to it, so that their behavior can be learned and new kinds of attack identified. It can also be used to monitor the behavior of an individual who has gained access to the Honeypot. Honeypots are a unique tool for learning about the tactics hackers use to compromise system security.

An intrusion detection system can be used as an extension of a Honeypot to improve its storage capabilities. The concept behind a Honeypot is that any packet or traffic routed to the Honeypot system is assumed to be suspect. A system administrator who cannot find any fault or sign of attack in the organization may be satisfied with its security, but by using a Honeypot we can obtain recorded information about an attack that the firewall failed to detect.

An IDS uses predefined knowledge to identify an attack and does not have the capability to identify new attacks by blackhats, but a Honeypot gives a real-time insight into how an attack happened, which makes it possible to strengthen security.




Figure 3.1 Data Flow Diagram (diagram not reproduced; elements shown: Get Clients, Store in Honeypots, Query String, Client 1, Client 2, Collecting Traffic, Data Store, Action of IDS, Real time, Unique Login, Attack Scenario, Status report)


Figure 3.2 Use Case Diagram (diagram not reproduced; actors and use cases shown: Normal User, User request, Web server, DB queries, DB server, DB replies, Inject attacks, Monitor and Record Intruder's activity, save log files, IDS using Honeypot, Detect Intrusions)



Classification of Modules

4.1 Building Honeypot

4.2 Traffic Collection

4.3 Attack Scenarios

4.4 Intrusion Detection System

4.5 Implementation Phase

4.1 Building Honeypot

In this module, a server is set up and filled with attractive files. It is made hard, but not impossible, to break into. After that we sit and wait for attackers to show up, monitor them as they gambol around in the server, record their conversations and study them like insects under a magnifying glass. The Honeypot system should appear to be an ordinary system.


Figure 4.1 Building Honeypot (diagram not reproduced)

4.2 Traffic Collection

In this module, the client sends a request to the web server through a web browser. The corresponding queries are then generated and transferred from the web server to the database server, and the client receives its response from the database server through the web server. All traffic to a Honeypot should be considered suspicious. Honeypots are designed to review the activity of intruders, save log files and record events; by gathering the intruder's activity, Honeypots help to improve security.

Figure 4.2 Traffic Collection (diagram not reproduced; it shows the Web Server, Web Requests and Database Queries columns, with each client's session assigned to its own virtual environment VE 1, VE 2, VE 3 and the web request Req i and response Res i of Client i paired with the database-side entries Ts i and Tr i)

4.3 Attack Scenarios

4.3.1 SQL Injection Attack

SQL injection is one of the most common types of attack on web-connected databases. The attacker inserts an unauthorized SQL statement through the SQL data channel. This attack is caused by non-validated input parameters. SQL injection is one of the most prominent threats today; it is a security vulnerability that occurs in the database layer of an application.


Figure 4.3.1 SQL Injection Attack (diagram not reproduced; parties shown: Attacker, Web Server, Database Server; steps: 1. User request, 2. Injected DB queries, 3. Confidential replies, 4. Confidential information)

4.3.2 Cross Site Scripting Attack

The attacker inserts a malicious link into a familiar website such as a blog and waits for other visitors to visit the same site. When the victim clicks the malicious link, cross-site scripting causes the user's web browser to execute a malicious script. It is a vulnerability that allows an intruder to send a malicious script to another user; the browser then executes the script, which allows the attacker to access the user's cookies.

Figure 4.3.2 Cross Site Scripting attack (diagram not reproduced; parties shown: Attacker, Target Site; steps: malicious link sent by attacker to victim user; victim clicks the malicious URL and the request goes to the target site; malicious code is returned to the victim's browser, which starts to execute it)

4.3.3 Privilege Escalation attack

A privilege is what a user is allowed to do. Common privileges include viewing, editing and deleting files. Privilege escalation means a user obtains privileges they are not allowed to have. Privilege escalation occurs in two forms:

Vertical privilege escalation attack

Horizontal privilege escalation attack

Figure 4.3.3 Privilege Escalation attack (diagram not reproduced; parties shown: User Level Process, Admin Level, Database Server; steps: 1. User request, 2. Privilege, 3. Admin Queries, 4. DB replies, 5. Response)

4.3.4 Hijack future session attack

This attack is mainly aimed at the web server. An attacker takes over the web server and hijacks all subsequent legitimate user sessions to launch attacks.


Figure 4.3.4 Hijack future session attack (diagram not reproduced; parties shown: Normal User, Web Server, Database Server, Session Hijacked; steps: 1. Took over the server, 2. Request, 3. Queries Hijacked, 4. False/Fake)

4.4 Intrusion Detection System

4.4.1 Virtualization Container based Web Server

In our design, we make use of lightweight process containers as disposable servers for client sessions in the web server. It is possible to initialize thousands of containers on a single physical machine, and these virtualized containers can be discarded or quickly reinitialized to serve new sessions. A single physical web server runs many containers, each an exact copy of the original web server. Our approach dynamically generates new containers and recycles used ones, so a single physical server can run continuously and serve all web requests. Virtualization is used to isolate objects and improve security.

Session Separated Web Server

Each session is assigned to a dedicated web server container, so a single user always deals with the same container. Because each user's web requests are isolated in a separate container, an attacker can never break into other users' sessions or hijack them, so legitimate sessions will not be compromised directly by an attacker.

4.5 Implementation phase

In this module, each session has a set of requests and queries. Each web request to the web server usually invokes a number of SQL queries, depending on the type of request, i.e. on its request parameters. This framework was implemented using the Apache web server as the front-end web server and MySQL as the back-end database server. Attack tools such as sqlmap and Metasploit are used to launch attacks manually. The Honeypot technique works by monitoring the intruder's activities while they use the Honeypot. Honeypots are generally designed to check the activity of intruders, save log files and record events. Using a Honeypot, we can obtain information about an attack, such as how it happened, which makes it possible to strengthen security.



In our framework, communications are grouped into sessions, which identify the mapping between a web server request and the subsequent DB queries. Using this approach, on the database side we can tell which DB transaction corresponds to which client request. By using this mapping model, we detect abnormal behavior at the session or client level. Because of the isolation property of our container-based web server design, an attacker can stay only within one web server container and cannot hijack other users' sessions. An intrusion detection system using the Honeypot technique can detect intrusions more accurately by analyzing user behavior and input queries, in order to reduce the false positive rate in dynamic web applications. The Honeypot gives a real-time insight into how an attack happened, which makes it possible to strengthen security.
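The request-to-query mapping model described above, as an added example that is not the essay's own implementation: the container ID stands for one isolated session, so the web request and the DB queries sharing an ID are correlated, the normal query templates per request type are learned, and a session whose queries deviate from that mapping (or that issues queries without any request) is flagged. The log formats, normalisation rules and sample lines are all constructed assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed training logs: "<container> <method> <path>" / "<container> <sql>"
TRAIN_WEB = [
    "c1 GET /view.php?id=17",
    "c2 GET /view.php?id=3",
    "c3 POST /login.php",
]
TRAIN_DB = [
    "c1 SELECT title, body FROM posts WHERE id = 17",
    "c2 SELECT title, body FROM posts WHERE id = 3",
    "c3 SELECT id FROM users WHERE name = 'bob' AND pass = 'x'",
]


def request_type(line: str) -> tuple:
    """(container, 'METHOD /path') with the query string dropped."""
    cid, method, path = line.split(" ", 2)
    return cid, f"{method} {path.split('?', 1)[0]}"


def normalize(line: str) -> tuple:
    """(container, query template): literals replaced so values do not matter."""
    cid, sql = line.split(" ", 1)
    sql = re.sub(r"'(?:[^']|'')*'", "'S'", sql)   # string literals
    sql = re.sub(r"\b\d+\b", "N", sql)             # numeric literals
    return cid, " ".join(sql.split())


def learn(web_log: list, db_log: list) -> dict:
    """Map each request type to the set of query templates it normally issues."""
    req_of = dict(request_type(line) for line in web_log)
    mapping = defaultdict(set)
    for cid, template in map(normalize, db_log):
        mapping[req_of[cid]].add(template)
    return dict(mapping)


def detect(web_log: list, db_log: list, mapping: dict) -> list:
    """Return (container, reason) alerts for sessions that break the mapping."""
    req_of = dict(request_type(line) for line in web_log)
    alerts = []
    for cid, template in map(normalize, db_log):
        req = req_of.get(cid)
        if req is None:
            alerts.append((cid, "DB query with no web request in this session"))
        elif req not in mapping:
            alerts.append((cid, f"unseen request type {req}"))
        elif template not in mapping[req]:
            alerts.append((cid, f"{req} issued unexpected query: {template}"))
    return alerts


# Constructed detection logs: c7 is a normal session, c8 carries an injected
# condition, c9 issues a query although no request reached its container.
TEST_WEB = ["c7 GET /view.php?id=9", "c8 GET /view.php?id=9"]
TEST_DB = [
    "c7 SELECT title, body FROM posts WHERE id = 9",
    "c8 SELECT title, body FROM posts WHERE id = 9 OR 1=1",
    "c9 SELECT pass FROM users",
]

if __name__ == "__main__":
    for alert in detect(TEST_WEB, TEST_DB, learn(TRAIN_WEB, TRAIN_DB)):
        print(alert)
```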