Design and Implementation of an Intrusion Response

System for Relational Databases
ABSTRACT:
The intrusion response component of an overall intrusion detection system is
responsible for issuing a suitable response to an anomalous request. We propose the
notion of database response policies to support our intrusion response system tailored for
a DBMS. Our interactive response policy language makes it very easy for the database
administrators to specify appropriate response actions for different circumstances
depending upon the nature of the anomalous request. The to main issues that e
address in conte!t of such response policies are that of policy matching" and policy
administration. #or the policy matching problem" e search the policy database for
policies that match an anomalous request. The other issue that e address is that of
administration of response policies to prevent malicious modifications to policy ob$ects
from legitimate users. We propose a novel %oint Threshold &dministration Model
'%T&M( that is based on the principle of separation of duty. The key idea in %T&M is that
a policy ob$ect is $ointly administered by at least k database administrator 'DB&s(" that is"
any modification made to a policy ob$ect ill be invalid unless it has been authori)ed by
at least k DB&s. We present design details of %T&M hich is based on a cryptographic
threshold signature scheme" and sho ho %T&M prevents malicious modifications to
policy ob$ects from authori)ed users.
'T*+ B+,OW -O.T+.T /S %0ST #O1 0.D+1ST&.D/.2 3013OS+4
The main idea behind this pro$ect is to prevent an employee of an organi)ation from
accessing or modifying the confidential data of the organi)ation. /f at all an employee tries to
access or modify the data then hat are the responses to be taken depending on the severity of the
data. This ould be done by restricting the employees through privileges. & policy means a
database table ith list of operations that can be done on it like any or all of S+,+-T or /.S+1T
or 03D&T+ or D+,+T+. 3olicy matching means matching the database query entered by the
employee 'like select 5 from employees( against his6her privileges" i.e. hether the employee is
having permission to e!ecute that particular operation in that particular table. #or e!ample"
suppose a DB& created a policy 37 on table +M3,O8++S ith accessible operations S+,+-T
and another policy 39 on the same table ith accessible operations /.S+1T"03D&T+. We
maintain a column called :associated policies; in the employees information table. .o suppose
that a DB& has associated 37 to an employee +7.This means that +7 can no e!ecute the query
S+,+-T 5 #1OM +M3,O8++S but suppose +7 tries to e!ecute query /.S+1T /.TO
+M3,O8++S or 03D&T+ +M3,O8++S query then this e call as an anomalous request and
an alert message ill be displayed immediately after the employee submits the query. & log file
ill be sent to the DB& hich contains all the invalid attempts made by the employee.
Depending on the severity of the anomalous request the DB& takes a necessary action i.e. either
drop all the associated policies for that employee or issue a arning. 1efer to the later pages for
more details about response actions.
One important point to remember is that e assume that by default there is one DB& ho
creates other DB&s and employees or users. This DB& can be assumed as central DB&. Other
DB&s cannot create anymore DB&s or users. /t<s all in the hands of the central DB& .Other
DB&s can only create policies" vote for the policies "associate policies to users" take response
actions for an anomalous request.
3olicy &dministration means hen a DB& creates a policy say 3= then first it must be
approved to be associated to employees or users. #or approval e place a voting system herein
all the DB&s'including the DB& ho created the policy( vote for or against the policy i.e. either
:&331O>+; or :1+%+-T;. The policy voting ill be for to days and all the votes of DB&s
ho do not vote ithin those to days ill be considered as :1+%+-T; i.e. against the policy.
&fter to days depending on the ma$ority of votes for or against the policy the policy ill be
approved or re$ected by the system automatically respectively. #or e!ample if there are five
DB&s and in that three vote for the policy and to vote against it then the policy ill be
approved else re$ected vice versa. /n case of a tie in the number of votes the policy ill be
re$ected.(
INTRODUCTION:
1ecently" e have seen an interest in products that continuously monitor a database
system and report any relevant suspicious activity. Database activity monitoring has been
identified by 2artner research as one of the top five strategies that are crucial for
reducing data leaks in organi)ations. Such step?up in data vigilance by organi)ations is
partly driven by various 0S government regulations concerning data management such as
SO@" 3-/" 2,B&" */3&&" and so forth. Organi)ations have also come to reali)e that
current attack techniques are more sophisticated" organi)ed" and targeted than the broad?
based hacking days of past. Often" it is the sensitive and proprietary data that is the real
target of attackers. &lso" ith greater data integration" aggregation and disclosure"
preventing data theft" from both inside and outside organi)ations" has become a ma$or
challenge. Standard database security mechanisms" such as access control" authentication"
and encryption" are not of much help hen it comes to preventing data theft from insiders
Such threats have thus forced organi)ations to reevaluate security strategies for their
internal databases. Monitoring a database to detect potential intrusions" intrusion
detection '/D(" is a crucial technique that has to be part of any comprehensive security
solution for high?assurance database security. .ote that the /D systems that are developed
must be tailored for a Database Management System 'DBMS( since database?related
attacks such as SA, in$ection and data e!filtration are not malicious for the underlying
operating system or the netork.
Eisting system:
Organi)ations have also come to reali)e that current attack techniques are more
sophisticated" organi)ed" and targeted than the broad?based hacking days of past. Often" it
is the sensitive and proprietary data that is the real target of attackers. &lso" ith greater
data integration" aggregation and disclosure" preventing data theft" from both inside and
outside organi)ations" has become a ma$or challenge. Standard database security
mechanisms" such as access control" authentication" and encryption" are not of much help
hen it comes to preventing data theft from insiders. Such threats have thus forced
organi)ations to reevaluate security strategies for their internal databases. Monitoring a
database to detect potential intrusions" intrusion detection '/D(" is a crucial technique that
has to be part of any comprehensive security solution for high?assurance database
security.
!roposed system:
/D mechanism consists of to main elements" specifically tailored to a DBMS4 an
anomaly detection '&D( system and an anomaly response system. The first element is
based on the construction of database access profiles of roles and users" and on the use of
such profiles for the &ttack. & user?request that does not conform to the normal access
profiles is characteri)ed as anomalous. 3rofiles can record information of different levels
of detailsB e refer the reader to for additional information and e!perimental results. The
second element of our approachC the focus of this paperCis in charge of taking some
actions once an anomaly is detected. There are three main types of response actions that
e refer to" respectively" as conservative actions" fine?grained actions" and aggressive
actions. The conservative actions" such as sending an alert" allo the anomalous request
to go through" hereas the aggressive actions can effectively block the anomalous
request. #ine?grained response actions" on the other hand" are neither conservative nor
aggressive. Such actions may suspend or taint an anomalous request . & suspended
request is simply put on hold" until some specific actions are e!ecuted by the user" such
as the e!ecution of further authentication steps. & tainted request is marked as a potential
suspicious request resulting in further monitoring of the user and possibly in the
suspension or dropping of subsequent requests by the same user.
"ODU#ES
USER AD"INISTRATION $ AUT%ENTICATION
The DB& is centrally responsible for DB and user maintenance. By default there is only
one DB&. The DB& then creates other DB&<s and users. These users are maintained ith
appropriate privileges or permissions. Only these users can login and access the database
ob$ects.
!O#IC& AD"INISTRATION
The main issue in the administration of response policies is ho to protect a policy from
malicious modifications made by a DB& that has legitimate access rights to the policy
ob$ect. To address this issue" e propose an administration model referred to as the
%T&M. The threat scenario that e assume is that a DB& has all the privileges in the
DBMS" and thus it is able to e!ecute arbitrary SA, insert" update" and delete commands
to make malicious modifications to the policies. Such actions are possible even if the
policies are stored in the system catalogs.= %T&M protects a response policy against
malicious modifications by maintaining a digital signature on the policy definition.. The
fundamental premise of our approach is that e do not trust a single DB& 'ith the secret
key( to create or manage the response policies" but the threat is mitigated if the trust 'the
secret key( is distributed among multiple DB&s. +ach DB& ho floats a policy has the
policy in cipher te!t. Only hen the appropriate keys as associated ith the other DB&<s
are provided they unlock the cipher te!t and then place their opinion or status on the
policies. Only hen a ma$ority of DB&<s approve the policy the policy can be associated
ith the created users. The policy also associates ith a response action that has to be
performed hen an anomaly is detected.
!O#IC& ACTI'ATION
Once the policy has been created" it must be authori)ed for activation by at least k ? 7
administrators after hich the DBMS changes the state of the policy to &-T/>&T+D.
&n activated policy can be assigned to a user. & policy identifies the ob$ects and
privileges the assigned user has on the ob$ect.
Before the response policies can be used" some security parameters are registered ith
the DBMS as part of a onetime registration phase. The details of the registration phase
are as follos4 The parameter l is set equal to the number of DB&s registered ith the
DBMS. Such requirement allos any DB& to generate a valid signature share on a policy
ob$ect" thereby making our approach very fle!ible.
ANO"A#& DETECTION
This element is based on the construction of database access profiles of roles and users"
and on the use of such 3rofiles for the &D task. & user?request that does not conform to
the normal access profiles is characteri)ed as anomalous. The fundamental problem in
such administration model is that of conflict?of?interest. The main issue is essentially that
of insider threats" that is" ho to protect a response policy ob$ect from malicious
modifications made by a database user that has legitimate access rights to the policy
ob$ect.
ANO"A#& RES!ONSE S&STE"
This element is in charge of taking some actions once an anomaly is detected. There are
three main types of response actions" that e refer to" respectively" as conservative
actions" fine?grained actions" and aggressive actions. The conservative actions" such as
sending an alert" allo the anomalous request to go through" hereas the aggressive
actions can effectively block the anomalous request. #ine?grained response actions" on
the other hand" are neither conservative nor aggressive. Such actions may suspend or taint
an anomalous request. & suspended request is simply put on hold" until some specific
actions are e!ecuted by the user" such as the e!ecution of further authentication steps. &
tainted request is marked as a potential suspicious request resulting in further monitoring
of the user and possibly in the suspension or dropping of subsequent requests by the same
user.
S&STE" #O( $ ACCESS IN)O
This module provides the DB& ith anomalies detected and reports various activities or
attempted activities made by the users. The DB& uses this to generate various reports
based on hich an action or the revoke of privileges are made.
CONC#USION $ )UTURE *OR+
/n this paper" e have described the response component of our intrusion detection
system for a DBMS. The response component is responsible for issuing a suitable
response to an anomalous user request. We proposed the notion of database response
policies for specifying appropriate response actions. We presented an interactive +vent?
-ondition?&ction type response policy language that makes it very easy for the database
security administrator to specify appropriate response actions for different circumstances
depending upon the nature of the anomalous request. The to main issues that e
addressed in the conte!t of such response policies are policy matching" and policy
administration.
We plan to e!tend our ork on the folloing lines. &n interactive response policy that
requires a second factor of authentication ill provide a second layer of defense hen
certain anomalous actions are e!ecuted against critical system resources such as
anomalous access to system catalog tables. This opens the ay to ne research on ho to
organi)e applications to handle such interactions for the case of legacy applications and
ne applications.
%ARD*ARE CON)I(URATION,"IN-
The hardare used for the development of the pro$ect is4
31O-+SSO1 4 3+.T/0M /> '9.92h)(
1&M 4 D79 Mb 1&M
MO./TO1 4 7D; -O,O1
*&1D D/SE 4 7F 2B Space
SO)T*ARE CON)I(URATION
The softare used for the development of the pro$ect is4
O3+1&T/.2 S8ST+M 4 Windos @3 3rofessional or higher
+.>/1O.M+.T 4 >isual Studio ..+T 9FFG
..+T #1&M+WO1E 4 >ersion =.D
,&.20&2+ 4 >B..+T
B&-E +.D 4 SA, server 9FFD
RE)ERENCES
H7I &. -onry?Murray" :The Threat from ithin. .etork -omputing '&ug. 9FFD(";
http466.netorkcomputing.com6sho&rticle. $htmlJarticle/DK7LLMFFNO9" %uly 9FFO.
H9I 1. Mogull" :Top #ive Steps to 3revent Data ,oss and /nformation ,eaks. 2artner
1esearch '%uly 9FFL("; http466.gartner.com" 9F7F.
H=I M. .icolett and %. Wheatman" :Dam Technology 3rovides Monitoring and &nalytics
ith ,ess Overhead. 2artner 1esearch '.ov. 9FFN("; http466.gartner.com" 9F7F.
HMI 1.B. .atan" /mplementing Database Security and &uditing. Digital 3ress" 9FFD.
HDI D. Brackney" T. 2oan" &. Ott" and ,. Martin" :The -yber +nemy ithin ...
-ountering the Threat from Malicious /nsiders"; 3roc. &nn. -omputer Security
&pplications -onf. '&-S&-(. pp. =ML?=MN" 9FFM.
HLI &. Eamra" +. Ter)i" and +. Bertino" :Detecting &nomalous &ccess 3atterns in
1elational Databases"; %. >ery ,arge DataBases '>,DB(" vol. 7N" no. D" pp. 7FL=?7FNN"
9FFG.
HNI &. Eamra" +. Bertino" and 1.>. .ehme" :1esponding to &nomalous Database
1equests"; Secure Data Management" pp. DF? LL" Springer" 9FFG.
HGI &. Eamra and +. Bertino" :Design and /mplementation of S&&-S4 & State?&are
&ccess -ontrol System"; 3roc. &nn. -omputer Security &pplications -onf. '&-S&-("
9FFO.
HOI :3ostgresql G.=. The 3ostgresql 2lobal Development 2roup";
http466.postgresql.org6" %uly 9FFG.
H7FI %. Widom and S. -eri" &ctive Database Systems4 Triggers and 1ules for &dvanced
Database 3rocessing. Morgan Eaufmann" 7OOD.
H77I :Oracle Database -oncepts 77g 1elease 7 '77.7("; http466
donload.oracle.com6docs6cd6B9G=DOPF76server.7776b9G=7G6 datadict.htm" %uly 9FFO.
H79I >. Shoup" :3ractical Threshold Signatures"; 3roc. /nt<l -onf. Theory and
&pplication of -ryptographic Techniques '+01O-183T(" pp. 9FN? 99F" 9FFF.
H7=I 1. 2ennaro" T. 1abin" S. %arecki" and *. Erac)yk" :1obust and +fficient Sharing
of 1S& #unctions"; %. -ryptology" vol. 9F" no. =" pp. =O=?MFF" 9FFN.
H7MI D. Eincaid and W. -heney" .umerical &nalysis4 Mathematics of Scientific
-omputing. Brooks -ole" 9FF7.
H7DI :Openpgp Message #ormat. rfc MGFF"; http466.ietf.org6rfc6 rfcMGGF.t!t" %uly
9FFO.
H7LI &.%. Mene)es" 3.-. van Oorschot" and S.&. >anstone" *andbook of &pplied
-ryptography. -1- 3ress" 9FF7.
H7NI -.E. Eoc" :*igh?Speed 1S& /mplementation"; Technical 1eport tr?9F7" >ersion
9.F" 1S& ,aboratories" 7OOM.
H7GI :Oracle Database >ault &dministrator<s 2uide 77g 1elease 7 '77.7(";
http466donload.oracle.com6docs6cd6B9G=DOPF76 server.7776b=79996toc.htm" %an. 9FFO.
H7OI #. #abret" #. ,lirbat" %.&. 3ereira" /. 1ocquencourt" and D. Shasha" :+fficient
Matching for -ontent?Based 3ublish6Subscribe Systems"; technical report" /.1/&" 9FFF.
H9FI M.E. &guilera" 1.+. Strom" D.-. Sturman" M. &stley" and T.D. -handra" :Matching
+vents in a -ontent?Based Subscription System"; 3roc. Symp. 3rinciples of Distributed
-omputing '3OD-(" pp. D=?L7" 7OOO.