Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Download
Standard view
Full view
of .
Look up keyword
Like this
1Activity
0 of .
Results for:
No results containing your search query
P. 1
IJCSN-2012-1-6-46

IJCSN-2012-1-6-46

Ratings: (0)|Views: 8|Likes:
Published by ijcsn
Intrusion detection systems play an important role in detecting
online intrusions and provide necessary alerts. Intrusion detection
can also be done for relational databases. Intrusion response
system for a relational database is essential to protect it from
external and internal attacks. We propose a new intrusion
response system for relational databases based on the database
response policies. We have developed an interactive language
that helps database administrators to determine the responses to
be provided by the response system based on the malicious
requests encountered by relational database. We also maintain a
policy database that maintains policies with respect to response
system. For searching the suitable policies algorithms are
designed and implemented. Matching the right policies and
policy administration are the two problems that are addressed in
this paper to ensure faster action and prevent any malicious
changes to be made to policy objects. Cryptography is also used
in the process of protecting the relational database from attacks.
The experimental results reveal that the proposed response
system is effective and useful.
Intrusion detection systems play an important role in detecting
online intrusions and provide necessary alerts. Intrusion detection
can also be done for relational databases. Intrusion response
system for a relational database is essential to protect it from
external and internal attacks. We propose a new intrusion
response system for relational databases based on the database
response policies. We have developed an interactive language
that helps database administrators to determine the responses to
be provided by the response system based on the malicious
requests encountered by relational database. We also maintain a
policy database that maintains policies with respect to response
system. For searching the suitable policies algorithms are
designed and implemented. Matching the right policies and
policy administration are the two problems that are addressed in
this paper to ensure faster action and prevent any malicious
changes to be made to policy objects. Cryptography is also used
in the process of protecting the relational database from attacks.
The experimental results reveal that the proposed response
system is effective and useful.

More info:

Categories:Types, Research, Science
Published by: ijcsn on Dec 03, 2012
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

04/03/2014

pdf

text

original

 
International Journal of Computer Science and Network (IJCSN) Volume 1, Issue 6, December 2012 www.ijcsn.org ISSN 2277-5420
110
Policies Based Intrusion Response System for DBMSPolicies Based Intrusion Response System for DBMSPolicies Based Intrusion Response System for DBMSPolicies Based Intrusion Response System for DBMS
1
Fatima Nayeem,
2
M.Vijayakamal
1
Dept of CSE, JNTU H, Sridevi Womens Engimeering CollegeHyderabad, Andhra Pradesh, India
 .
2
Dept of CSE, JNTU H, Sridevi Womens Engimeering CollegeHyderabad, Andhra Pradesh, India
Abstract
Intrusion detection systems play an important role in detectingonline intrusions and provide necessary alerts. Intrusion detectioncan also be done for relational databases. Intrusion responsesystem for a relational database is essential to protect it fromexternal and internal attacks. We propose a new intrusionresponse system for relational databases based on the databaseresponse policies. We have developed an interactive languagethat helps database administrators to determine the responses tobe provided by the response system based on the maliciousrequests encountered by relational database. We also maintain apolicy database that maintains policies with respect to responsesystem. For searching the suitable policies algorithms aredesigned and implemented. Matching the right policies andpolicy administration are the two problems that are addressed inthis paper to ensure faster action and prevent any maliciouschanges to be made to policy objects. Cryptography is also usedin the process of protecting the relational database from attacks.The experimental results reveal that the proposed responsesystem is effective and useful.
 Keywords
 Intrusion detection, intrusion response system, policies, relational database
1. Introduction
Relational databases are built on Relational Modelproposed by Dr. E. F. Codd. The relational model hasbecome a consistent and widely used DBMS in the world.The databases in this model are efficient in storing andretrieval of data besides providing authentication throughcredentials. However, there might be many other attacksapart from stealing credentials and intruding database.Adversaries may always try to intrude into the relationaldatabase for monetary or other gains [1]. The relationaldatabases are subjected to malicious attacks as they holdthe valuable business data which is sensitive in nature.Monitoring such database continuously is a task which isinevitable keeping the importance of database in mind.This is a strategy that is in top five database strategies asidentified by Gartner research which are meant for gettingrid of data leaks in organizations [2]. There are regulationsfrom governments like US with respect to managing datasecurely. The data management like HIAPP, GLBA, andPCI etc. is mentioned in the regulations as examples. Theattacks made by adversaries are changing and they havemore sophisticated. It does mean that there is thecompetition between the data protectors and securitybreakers like hackers. Hackers are using more and moresophisticated techniques to break security systems of IT.They also attack relational databases. For this reasonorganizations have to focus on the database security withmuch higher sophistication. Relational database systemsare also coming with built in security mechanisms usingcredentials, access control list and so on. However, theseare not sufficient when attacks are made by internaladversaries [3]. For this reason organizations have toreevaluate the security mechanisms to protect data. It doesmean that organizations have to take some additionalsecurity measure instead of relying on database built insecurity mechanisms. Some of the database related attacksare performed by hackers are named as data infiltration,and SQL injection which are malicious to database but notfor the underlying network and operating systems.The ID mechanism approach in this paper has twoimportant aspects. They are actually altered for databasemanagement systems. They are known as Anomalyresponse system and anomaly detection. The former isachieved using database access profiles or users and roles.Different levels of data can be recorded using profiles asexplored in [4]. This paper focuses on the second aspectthat is taking actions once detection of anomaly iscompleted. The proposed approach follows a proactiveapproach in showing alerts and blocking the anomalousrequest. The response actions are fine – grained and theyare not aggressive or conservative. Such actions maysuspend malicious request [5]. When a request issuspected, it is kept on hold until further authenticationsteps are carried out to verify the validity of the request. Itis also possible to mark a request tainted indicating that therequest is potentially suspicious. As there is need fordifferent responses based on the malicious requests, thekey is to address the response measure problem.When a response system is sought which takes actionsautomatically when malicious requests are encountered, itis not an easy task. The key idea to solve this is to monitorthe context in which such request is made. To address the
 
International Journal of Computer Science and Network (IJCSN) Volume 1, Issue 6, December 2012 www.ijcsn.org ISSN 2277-5420
111
problem a suitable response policy is required that cancater to the needs of all situations. Policy administrationand policy matching are the two issues addressed in termsof response policies. Response policy can be built asregular database object which takes care of particularresponse. However, it represents various challengersinstead of simply storing data as other database objects.The user which DBA role only can create policy objects inthe database. In this administration model the basicproblem is identified and named as conflict of interest.Insider threat is the main issue in this case which throwschallenges and demands such accurate response systemwhich is made up of response policies. In order toovercome this problem, an administration model isproposed. Separation of duties is given to various users.Among all users corresponding privileges are maintainedso as to make it more secure. Every policy operation isauthorized by DBA. The main contributions of this paperinclude provision for providing intrusion response policies;an administration model for monitoring those policies;algorithms for interacting with policy database effectively;implementing the schemes using DBMS.
2. Related Work
Databases have been subjected to malicious attacks in thepast. Intrusion response systems were developed to preventthat problem. Intrusion detection systems detect intrusionsand provide responses. They depend on the notion of response policies which were first explored in [5] whichalso provides details about arbitrary predicates and otherissues. It only used predicates with good quality. Policyadministration plays important roles in this paper. Finegrained response actions are explored in [6] whichprovides design and implementation of ACL for the same.The ACL is for authorization mechanism. There are someinternal threats from DBAs also. It is the worst case thathas to be handled. In order to overcome this principle of least privilege is followed. This means that DBAs aregiven privileges only to the required extent that is leastrequired privileges. This is achieved by creating roles andresponse policy objects. It is actually done throughprotected schema for administration of databases withrespect to vault policies [7]. Vault in databases is amechanism which is practically implemented by Oracledatabase which helps in reducing the risk of insiderattacks. DVSYS protected schema is used to store vaultdatabase objects. The schema protects itself againstimproper utilization of privileges given to users includingadministrators. The privileges include DROP ANY,SELECT ANY TABLE and so on. More details are suchprivileges are found in [7].Anomaly response system and Vault of Oracle databaseare presented in this paper in policy driven fashion. Thusthe proposed system follows something which is similar toOracle database vault. The response system thus resemblesthe vault system of Oracle. The advantages of thisapproach are described here. They are fundamentalchanges are required to access control mechanisms of DBMS; the principle of least privilege may not be suitablefor many organizations. Some work is found on thethreshold signature schemes in [8]. This paper providestechnique of threshold signatures for managing DBMSobjects. The policy matching problem addressed in thispaper is similar to [9]. There are many algorithms for thispurpose such as [9], [10], [11], [12], and [13]. Thealgorithm for event matching concept is as described in[20]. This is meant for preprocessing the concept of subscription trees as discussed in [10]. The leaves in thetree represent actual subscriptions. The algorithm walksthru the tree in order to find out matching subscriptions.However, the order of processing is not known. Arbitrarypredicates are needed for policy matching problem. Manysuch algorithms are described in [11]. Cache hit ratioimprovement is their main focus. However, our focus isnot that as we store policies and their content is cached inDBMS.The base policy of ours with respect to matching algorithmis similar to that of [12]. In this paper that is extendedwhere elimination of predicates that are no longer requiredto be evaluated. In [13] an internal binary tree is used bythe algorithm proposed for matching predicates. It isachieved based on equality and inequality predicates whileour problem needs to support arbitrary predicates. In [14]event matching using BDD (Binary Decision Diagrams) isproposed which also considers arbitrary predicates withdisjunctions support in the subscription language.However, in our work we need not to support disjunctionsand for this reason BDD based scheme is not used. Theproblem of continuous query processing is also related toevent matching which is explored in [15]. In this case theproblem is effectively addressed using matching multiplestreaming tuples that are related to various relations andstored queries or views. This is also somewhat differentfrom policy matching problem that we addressed in thispaper.
3. Proposed Intrusion Response System
The proposed intrusion response system for relationaldatabases is described in the subsequent sub sections. Itfocuses on the policy language, policy administration, andpolicy matching and attack prevention. The intrusionresponse system proposed here is influenced by [16]. Infact the policy language, policy matching and policyadministration used in this paper resemble [16].
 
International Journal of Computer Science and Network (IJCSN) Volume 1, Issue 6, December 2012 www.ijcsn.org ISSN 2277-5420
112
3.1 Policy Language
Considering the detection of an anomaly as a system event,this policy language is proposed. The attributes consideredfor anomaly detection are SQL command, role and user.These anomaly attributes and also the environment orcontext in which anomalous request is made are consideredand an Even driven language is developed. The language isinfluenced by [17]. For instance a rule in the eventlanguage is as follows.ON {Event} IF {Condition} THEN {Action}The structural attributes considered are database, schema,object type, SQL command and object attributes while theattributes used in the CONTEXTUAL aspect are user, role,client application, source IP, date and time etc. Some of the predicates used in the language includeRole != DBAObjs Not In {dbo.*}Source IP IN 192.168.0.1/12Response actions are categorized into very low severityactions, low severity actions, very aggressive actions andaggressive actions. All these actions either suspend or taintthe malicious request. The former keeps the request onhold until all security details are verified while the latter issimply marked as potential suspicious request. The lowseverity actions are NOP, LOG, and ALERT. The mediumseverity actions are TAINT, and SUSPEND while the highseverity actions are ABORT, DISCONNECT, REVOKE,and DENY. The response policy framework has thekeywords like ON, IF, THEN, CONFIRM, ON SUCCESS,ON FAILURE etc.
3.2 Policy Administration
Policies are stored in database and they are administered.The administration is done by DBAs. It is fine as far asexternal attacks are concerned. However, there is a concernwith internal attacks that are done by DBAs who aresupposed to protect databases from malicious attacks. Thispaper does not assume the DBMS to have secret key forverifying integrity of policies. The basic idea of ourapproach is that it does not trust a single DBA who hasaccess to secret key. Instead, the secret key is distributedamong DBAs. A threshold cryptographic scheme is used toovercome the security problems in sharing of secret key.
3.3 Policy Matching
The algorithms used for policy matching are taken from[16]. The policy matching is of two types. They are knownas base policy matching and ordered policy matching. Thebase policy matching algorithm is called when an anomalydetection event is fired by response engine. The predicatesdefined on every attribute are evaluated. In the process thealgorithm visits all policy nodes to compare with therequired policy. A policy is matched when number of predicates in the policy condition and the predicate matchcount are equal in number. The ordered policy matching onthe other hand does not go through predicates in any fixedorder. It uses a heuristic to decide the next predicated to bevisited. It uses descending order of policy count. It doesthis to know the correct predicates and to process them incorrect order. In this algorithm, sorting predicates in thedescending order is the preprocessing required.
4. Experimental Evaluation
The algorithms [16] are implemented and tested theproposed scheme which is meant for giving best responsewhen an anomalous request is encountered. The aim of theexperiments is to verify the overhead incurred by bothalgorithms namely basic policy matching algorithm andordered policy matching algorithm. Three sets of experiments are conducted. The first two sets compare theoverhead of the policy matching algorithm while the thirdset of experiments is meant for reporting signatureverification overhead. The results are shown below.
Fig. 1 – Experiment 1, Policy matching overhead vs. number of predicates
As can be seen in fig. 1, number of predicates is taken inhorizontal axis while vertical axis represents policymatching overhead. The results reveal that the base policymatching shows better performance when compared withordered policy matching in terms of overhead.
00.10.20.30.40.50.60.712345678910
   P   o    l   i   c   y   M   a   t   c    h   i   n   g   O   v   e   r    h   e   a    d
Number of Predicates
Base PolicyMatchingOrderedPolicyMatching

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->