M.Karthikeyan /AP/CSE/SRMIST
15CS338E – DATABASE SECURITY AND PRIVACY
UNIT I : SECURITY ARCHITECTURE & OPERATING SYSTEM SECURITY FUNDAMENTALS
Security Architecture:
Introduction
Information Systems
Database Management Systems
Information Security Architecture
Database Security
Asset Types and value
Security Methods
Operating System Security Fundamentals:
Introduction
Operating System Overview
Security Environment
Components
Authentication Methods
User Administration
Password Policies
Vulnerabilities
E-mail Security
Security Architecture: Introduction
Statistics show that virus alerts, e-mail spamming, identity theft, data theft and other kinds of
security breaches are on the rise.
Database security is the degree to which all data is protected from tampering and from
unauthorised acts.
The great challenge is to develop a database security policy that secures the data and
prevents data integrity violations.
Until recently, most DBMSs had no built-in security mechanisms for authentication and
encryption.
Information Systems
In today's global market, companies all over the world compete to gain a portion of the
market share.
Information Systems …
Characteristics of information system categories
The People category consists of:
• Domain experts
• Knowledge engineers
• Power users
Information Systems …
Components of Information System
Database Management System
Database:
A database is mainly used to store and retrieve data for processing.
Database Management System …
DBMS
Purpose of a DBMS: to overcome the drawbacks of keeping data in ordinary files, among them:
• Integrity problems
• Atomicity of updates
• Security problems
Database Management System …
DBMS Architecture
Information Security Architecture
Information Security
Information Security Architecture …
CIA Triangle
Confidentiality: information is classified into different levels of confidentiality to ensure
that only authorised users access the information.
Integrity: information is accurate and protected from tampering by unauthorised persons;
information is consistent and validated.
Availability: information is available at all times, but only to authorised and authenticated
persons; the system is protected from being shut down by external or internal threats or
attacks.
Information Security Architecture …
Logical and physical assets
Information Security Architecture …
Components of information security architecture
Policies and procedures
- Documented procedures and company policies that elaborate on how security is to be
carried out
Security personnel and administrators
- People who enforce and keep security in order
Detection equipment
- Devices that authenticate employees and detect equipment that is prohibited by the company
Security programs
- Tools that protect computer systems and servers
Monitoring equipment
- Devices that monitor physical property, employees and other important assets
Monitoring applications
- Utilities and applications used to monitor network traffic and Internet activities
Auditing procedures and tools
- Checks and controls put in place to ensure that security measures are working
Database Security
One of the functions of a DBMS is to empower the DBA to implement and enforce security at
all levels.
A security access point is a place where database security must be applied and protected.
The security access points are illustrated in the figure below.
Database Security Access Points
People – individuals who have been granted privileges and permissions to access networks,
workstations, servers, databases, data files and data.
Network – one of the most sensitive security access points. Protect the network and provide
network access only to the applications, operating systems and databases that need it.
Data – the data access point deals with the data design needed to enforce data integrity.
Database security enforcement
Data Integrity violation process
Security gaps are points at which security is missing and the system is vulnerable.
Vulnerabilities are kinks in the system that must be watched, because they can turn into
threats.
In the world of information security, a threat is a security risk that has a high probability of
becoming a system breach.
Database Security Levels
Menaces to Databases
Security vulnerability
– A weakness in any of the information system components that can be
exploited to violate the integrity , confidentiality, or accessibility of the
system
Security Threat
– A security violation or attack that can happen any time because of
a security vulnerability
Security risk
– A known security gap that a company intentionally leaves open
Types of Vulnerabilities
Vulnerability means "susceptible to attack" (source: www.dictionary.com).
Intruders, attackers and assailants exploit vulnerabilities in the database environment to
prepare and launch their attacks.
Hackers usually probe the weak points of a system until they gain entry.
Once an intrusion point is identified, hackers unleash their array of attacks:
• Viruses
• Malicious code
• Worms
• Other unlawful violations
To protect the system, the administrator should understand the types of vulnerabilities.
The figure below shows the types of vulnerabilities.
Types of Vulnerabilities …
Category: Installation and configuration
Description:
• Results from a default installation or configuration that is publicly known
• Does not enforce any security measures
• Improper configuration or installation may result in security risks
Examples:
• Incorrect application configuration
• Failure to change default passwords
• Failure to change default privileges
• Using the default installation, which does not enforce high security measures

Category: User mistakes
Description:
• Security vulnerabilities are tied to humans too
• Carelessness in implementing procedures
• Failure to follow through
• Accidental errors
Examples:
• Lack of auditing controls
• Untested recovery plan
• Lack of activity monitoring
• Lack of protection against malicious code
• Lack of applying patches as they are released
• Bad authentication implementation
• Social engineering
• Lack of technical information
• Susceptibility to scams
Types of Vulnerabilities …
Managers at all levels constantly assess and mitigate risks to ensure the continuity of
departmental operations.
Administrators should understand the weaknesses and threats related to the system.
Asset Types and Their Values
Database Security Methods
Security methods used to protect database environment components

People
• Physical limits on access to hardware and documents
• Identification and authentication to make certain that an individual is who he or she
claims to be, using devices and credentials such as ID cards, eye scans and passwords
• Training courses on the importance of security and how to guard assets
• Establishment of security policies and procedures

Applications
• Authentication of users who access applications
• Business rules
• Single sign-on (a method of signing on once for different applications and web sites)

Network
• Firewalls to block network intruders
• Virtual Private Network (VPN)
• Authentication

Operating system
• Authentication
• Intrusion detection
• Password policies
• User accounts

DBMS
• Authentication
• Audit mechanism
• Database resource limits
• Password policy

Data files
• File permissions
• Access monitoring

Data
• Data validation
• Data constraints
• Data encryption
• Data access controls
Database Security Methodology
The figure below presents the database security methodology side by side with the
software development life cycle (SDLC) methodology.
Database Security Methodology…
The following list gives the definition of each phase of the database security
methodology.
Operating System Security Fundamentals
Operating System Security Fundamentals …
Characteristics of an operating system:
• Multitasking
• Multisharing
Examples:
• Windows by Microsoft
• Macintosh by Apple
The OS Security Environment
Model: the OS security environment as a bank
• Bank building – operating system
• Safe – database
• Money – data
The components of an OS security environment
Services
Users employ these utilities to gain access to the OS and to all the features they are
authorised to use.
If a service is not secured and configured properly, it becomes a vulnerability and an
access point that can lead to a security threat.
Files
Files are another component of the OS. Three aspects matter for security:
• File permissions
• File transfer
• File sharing
Files …
File Permission
• Every OS has a method of implementing file permissions that grant read, write or
execute privileges to different users.
• The following figure shows how file permissions are assigned to a user in Windows.
Files …
In UNIX, file permissions work differently from Windows.
For each file there are three permission settings, each consisting of rwx (r – read,
w – write, x – execute):
1. The first rwx applies to the owner of the file
2. The second rwx applies to the group that owns the file
3. The third rwx applies to all other users
The image below gives the details of UNIX file permissions.
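As an added example, not part of the lecture notes, the Python below decodes a UNIX mode into the three rwx triplets described above and flags the settings a security review looks for first: world-writable and group-writable entries, and the setuid/setgid bits that let a file run with someone else's identity. It assumes a POSIX filesystem; the two files it creates in a temporary directory are constructed sample data.

```python
import os
import stat
import tempfile

# Added example, not from the lecture notes: decode UNIX permission bits into
# owner/group/other rwx triplets and flag the risky combinations. Assumes a
# POSIX filesystem (os.chmod ignores most of these bits on Windows).

WORLD_WRITABLE = "world-writable"
GROUP_WRITABLE = "group-writable"
SETUID = "setuid"
SETGID = "setgid"


def rwx_triplets(mode):
    """Return (owner, group, other) as ls -l prints them, e.g. ('rw-', 'r--', 'r--').
    Setuid/setgid/sticky appear as s/S/t in the execute position, exactly as ls does."""
    perm = stat.filemode(mode)[1:]          # drop the leading file-type character
    return perm[0:3], perm[3:6], perm[6:9]


def audit_mode(mode):
    """Return the list of risk flags raised by a mode value (st_mode or an octal literal)."""
    flags = []
    if mode & stat.S_IWOTH:                 # anyone on the machine can modify or replace it
        flags.append(WORLD_WRITABLE)
    if mode & stat.S_IWGRP:                 # every member of the group can; check on shared hosts
        flags.append(GROUP_WRITABLE)
    if mode & stat.S_ISUID:                 # runs with the owner's identity: escalation surface
        flags.append(SETUID)
    if mode & stat.S_ISGID:
        flags.append(SETGID)
    return flags


def audit_tree(root):
    """Walk root and return {path: flags} for every file or directory that raised a flag.
    lstat is used so a symlink is judged by its own bits, never by the target it points at."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            flags = audit_mode(st.st_mode)
            if flags:
                findings[path] = flags
    return findings


def build_sample_tree():
    """Constructed sample data: a temp directory holding one owner-only file and one
    world-writable file. Returns (root, safe_path, open_path)."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    safe_path = os.path.join(root, "payroll.db")
    open_path = os.path.join(root, "upload.log")
    for path in (safe_path, open_path):
        with open(path, "w") as fh:
            fh.write("sample\n")
    os.chmod(safe_path, 0o600)              # rw for the owner only
    os.chmod(open_path, 0o666)              # rw for owner, group and everyone else
    return root, safe_path, open_path


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for path, flags in sorted(audit_tree(root).items()):
        print(path, rwx_triplets(os.lstat(path).st_mode), flags)
```

Run it against a real directory by passing that path to `audit_tree`; on a database host the interesting targets are the data file directories and any setuid binaries that ended up under the application tree.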
Files …
File transfer – moving a file from one location to another on a disk, across the web or
into the cloud.
FTP is an Internet service that allows files to be transferred from one computer to
another.
FTP clients and servers transmit usernames and passwords in plaintext (not encrypted).
This means anyone who can sniff the network traffic can obtain the logon information
easily.
Files are also transferred in plaintext.
The root account is normally not permitted to transfer files using FTP.
Anonymous FTP is the ability to log on to an FTP server without being authenticated.
This method is usually used to provide access to files in the public domain.
Files …
Here are some best practices for transferring files:
• Never use the plain FTP utility. Instead, use a secure alternative (SFTP or FTP over TLS)
whenever possible.
• Make two FTP directories: one for uploads with write permission only, and another for
downloads with read permission only.
• Use dedicated accounts for FTP that have no access to any files or directories outside
the UPLOAD and DOWNLOAD directories.
• Turn on logging, and scan the FTP logs for unusual activity on a regular basis.
Files …
Sharing files naturally leads to security risks and threats.
Peer-to-peer technology is on the rise (and is very well developed now).
Peer-to-peer programs allow users to share files over the Internet.
If you surveyed users of peer-to-peer programs, you would find that the majority of their
machines are infected with some sort of virus, spyware or worm.
Most companies prohibit the use of such programs.
The main reasons for blocking these programs are:
• Malicious code
• Adware and spyware
• Privacy and confidentiality
• Pornography
• Copyright issues
Memory
You may wonder how memory can be an access point for security violations.
There are many badly written programs and utilities that can overwrite memory they were
not meant to touch (buffer overflows being the classic case), and an attacker who triggers
such a write can corrupt the data or code of a running process.
Authentication Methods
Digital authentication methods used by many operating systems
Digital certificate
• Widely used in e-commerce
• Acts as a passport that identifies and verifies the holder of the certificate
• Is an electronic file issued by a trusted party (known as a certificate authority) and
designed so that it cannot be forged or tampered with undetected
Digital card
• Also known as a security card or smart card
• Similar to a credit card in dimensions, but instead of a magnetic stripe it has an
electronic circuit that stores the user's identification information
Kerberos
• Developed by the Massachusetts Institute of Technology (MIT), USA
• Enables two parties to exchange information over an open network by issuing each user
a credential called a ticket, which carries a session key
• The session key carried in the ticket is used to encrypt the communicated messages
Digital Authentication used by many OS …
Lightweight Directory Access Protocol (LDAP)
• Developed at the University of Michigan, USA
• Uses a centralised directory database that stores information about people, offices and
machines in a hierarchical manner
• An LDAP directory can easily be distributed across many network servers
You can use LDAP to store information about:
• Users (user name and user ID)
• Passwords
• The internal telephone directory
• Security keys
Use LDAP for the following reasons:
• LDAP can be used across all platforms (OS independent)
• Easy to maintain
• Can be employed for multiple purposes
LDAP architecture is client/server based.
Authorization
User Administration
Vulnerabilities of OS
The top vulnerabilities of Windows systems:
• IIS (Internet Information Server)
• MSSQL (Microsoft SQL Server)
• Windows authentication
• IE (Internet Explorer)
• Windows Remote Access Services
The top vulnerabilities of UNIX systems:
• BIND Domain Name System
• RPC (Remote Procedure Call)
• Apache web server
• General UNIX authentication: accounts with no or weak passwords
• Clear-text services
E-mail Security
E-mail may be the tool most frequently used by hackers to spread viruses and worms.
E-mail was the medium used in many of the most famous worm and virus attacks, for example:
• The Love Bug (ILOVEYOU) worm
• The Mydoom worm
• The Melissa virus
E-mail is not only used to send viruses and worms, but also to send spam e-mail, private and
Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of
Computer Science and Engineering
SRMIST, Chennai
Administration of Users
Introduction
Authentication
Creating Users
SQL Server
User Removing
Modifying Users
Default Users
Remote Users
Database Links
Linked Servers
Remote Servers
Practices for administrators and Managers- Best Practices
Profiles, Password Policies, Privileges and Roles
Introduction
Defining and Using Profiles
Designing and Implementing Password Policies
Granting and Revoking User Privileges
Creating, Assigning and Revoking User Roles-Best Practices
Introduction
Authentication and authorization are essential services of every OS.
Another such service is the administration of users.
Administrators use this functionality to:
• Create users
• Set password policies
• Grant privileges
Administration Policies
Documentation includes all policies for handling new and terminated employees, managers,
system and database administrator, database managers, operation managers, and human
resources.
A detailed document should describe guidelines for every task that is required for all common
administrative situations.
Security Procedures
This is an outline of a step-by-step process for performing administrative tasks according
to company policies.
It also provides a full description of all predefined roles, outlining every task for which a
role is responsible and the role's relationship to other roles.
Document completion – the DBA completes all the paperwork and documentation for new
employees
Access identification – the DBA provides the list of access operations that are necessary for
employees to perform their jobs
Account application completion – the DBA completes the database user account application
form
EXTERNALLY AS certificate_DN Clause
This clause is required for and used with SSL-authenticated external users only. The
certificate_DN is the distinguished name in the user's PKI certificate, held in the user's
wallet.
GLOBALLY Clause
The GLOBALLY clause lets you create a global user. Such a user must be
authorized by the enterprise directory service (Oracle Internet Directory).
DEFAULT TABLESPACE Clause
Specify the default tablespace for objects that the user creates. If you omit this clause,
the user's objects are stored in the database default tablespace. If no default tablespace
has been specified for the database, the user's objects are stored in the SYSTEM tablespace.
TEMPORARY TABLESPACE Clause
Specify the tablespace or tablespace group for the user's temporary segments. If you omit
this clause, the user's temporary segments are stored in the database default temporary
tablespace.
Specify tablespace_group_name to indicate that the user can save temporary segments in
any tablespace in that group.
The tablespace must be a temporary tablespace and must have a standard block size; it
cannot be an undo tablespace or one that uses automatic segment space management.
QUOTA Clause
Use the QUOTA clause to specify the maximum amount of space the user can
allocate in the tablespace.
A CREATE USER statement can have multiple QUOTA clauses for multiple
tablespaces.
UNLIMITED lets the user allocate space in the tablespace without bound.
Restriction on the QUOTA Clause You cannot specify this clause for a
temporary tablespace.
PASSWORD EXPIRE Clause
Specify PASSWORD EXPIRE if you want the user's password to expire. This
setting forces the user or the DBA to change the password before the user can
log in to the database.
ACCOUNT Clause
Specify ACCOUNT LOCK to lock the user's account and disable access.
Specify ACCOUNT UNLOCK to unlock the user's account and enable access to
the account.
26-10-2021 Dr. B. Muruganantham 14
Creating users …
Once the user is created, you can modify the account with an ALTER USER statement, using
the same clauses listed above.
For example, if you have a local Windows account named 'bmnantha' on the SQL Server
machine itself, where the server name is myserver, you enter the following:
NOTE: A login must be between 1 and 128 characters in length and cannot contain any spaces.
To create a new login associated with a Windows account (Windows Integrated authentication)
in Enterprise Manager, take the following steps:
5. Click Logins.
9. Select the default database for the login from the Database drop-down list.
10. Select the default language for the login from the Language drop-down list.
For example, to create a SQL Server login named 'bmnantha' with password 'manish', you
issue the following command:
If the user owns no objects, the DROP USER command executes successfully. If the user owns
any objects, the CASCADE option must be used.
SQL Server default users are created at the time the SQL Server software is installed.
All database user accounts are created and stored in the database, regardless of whether
the users connect locally or remotely.
SQL Server does not support this type of remote user authentication.
Authentication Methods
Authentication methods for connecting to an Oracle 10g database using the database link
mechanism.
There are three types of authentication methods when creating a database link.
Authentication Method 1: CURRENT_USER
This method tells Oracle 10g to use the current user's credentials for authentication to
the database to which the user is trying to link.
Linked Server
Along the same lines as linked servers, you can communicate with another SQL Server by
creating a remote server.
Always change the default password, and never write it down or save it in a file that is
not encrypted or not safe.
Never share user accounts with anyone, especially DBA accounts.
Always document and log changes to, and removals of, database user accounts.
These are the best practices for administering users, privileges and roles…
Never remove an account even if it is outdated; instead, disable it or revoke its
connection privileges.
Give users access permissions only as required, and use different logins and passwords for
different applications.
For home security, in addition to changing the key, you might install an alarm, motion
detector, camera, etc.
Likewise a company needs to protect its assets and enforce stringent (strict, precise and
exacting) guidelines to protect the keys to computer accounts.
• For this reason some DBMSs have implemented the profile concept.
A profile groups two kinds of settings:
• PASSWORD settings: aging, usage and verification
• RESOURCE settings: CPU, memory and connections
Create profile
To view all profiles created in the database, query the data dictionary view DBA_PROFILES.
In SQL Server 2000 and 2005 there is no object comparable to a profile.
The stronger the password, the longer it takes a hacker to break it.
In this method all the server applications and the resources they provide are tightly
integrated with the Windows server system and its security architecture.
NTLM
When a user attempts to access a resource, the server hosting the resource "challenges"
the user to prove his or her identity. Three messages pass between the workstation and
the server:
Message 1: sent from the client to the server; the initial request for authentication.
Message 2: sent from the server to the client; contains the challenge (eight bytes of
random data).
Message 3: sent from the client to the server; the response, a 24-byte value produced by
DES-encrypting the 8-byte challenge under keys derived from the hash of the user's
password. The server, which holds the same password hash, computes the same value and
compares.
The benefit of NTLM is that the password is verified without ever being sent across the
network. The caveat is that the stored hash is password-equivalent, so whoever obtains it
can answer challenges without knowing the password, and a captured challenge/response
pair can be attacked offline.
Designing and Implementing password policies …
Kerberos
Instead of using the password to encrypt and decrypt challenge/response messages, a secret
key known only to the server and the client, and unique to the session, is used to encrypt
the handshake data.
This allows not only the server to validate the authenticity of the client, but also the
client to validate the authenticity of the server.
This is an important difference and one of the reasons Kerberos is more secure than NTLM.
The KDC generates the secret key for each session established.
The new session ticket, containing the new key, has a time-out value associated with it.
The client encrypts its request for a resource with the secret key.
The server decrypts the message using the same key, encrypts just the time stamp from the
message and sends it back to the client.
This tells the client that the server has the same key for the session that was established.
The exchange between workstation, KDC and server:
1. Workstation → KDC: the client wants to access a server.
2. KDC → Workstation: Kclient{Scs for Server}, ticket = Kserver{Scs for Client}
3. Workstation → Server: Scs{Client credentials, time}, ticket = Kserver{Scs for Client}
4. Server → Workstation: Scs{time}
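As an added example, not from the lecture notes and not MIT's Kerberos code, the Python below runs the four-message exchange above end to end: a KDC that issues Kclient{Scs for Server} and a ticket Kserver{Scs for Client, expiry}, a client that builds the Scs{credentials, time} authenticator, and a server that opens the ticket, checks the authenticator for name, freshness and replay, and answers Scs{time}. Real Kerberos encrypts ASN.1 messages with AES or DES; here every K{...} box is an encrypt-then-MAC construction built from HMAC-SHA256 so the example needs only the standard library. The principal names, the 300-second ticket lifetime and the 5-second clock skew are assumptions for the example.

```python
import hashlib
import hmac
import json
import os

# Added example (not from the lecture notes or from MIT Kerberos): a runnable
# model of the four-message exchange. Every K{...} below is encrypt-then-MAC
# built from HMAC-SHA256 (keystream in counter mode plus a tag); real Kerberos
# uses AES/DES over ASN.1, but who can open which message is the same.

TICKET_LIFETIME = 300   # seconds; the time-out attached to a session ticket (assumed value)
CLOCK_SKEW = 5          # seconds of client/server clock drift the server tolerates (assumed)


def _subkey(key, label):
    # separate encryption and MAC keys derived from one shared secret
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    out = b""
    for counter in range(0, n, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key, obj):
    """K{obj}: encrypt a JSON-serialisable message under key and append a tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(_subkey(key, b"enc"), nonce, len(plain))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Open K{...}; raises ValueError if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad key or tampered message")
    plain = bytes(c ^ k for c, k in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))
    return json.loads(plain)


class KDC:
    """Holds one long-term key per principal; nobody but the KDC and the server sees Kserver."""

    def __init__(self, long_term_keys):
        self.keys = dict(long_term_keys)

    def request(self, client, server, now):
        # Messages 1-2: a fresh session key Scs, returned as Kclient{Scs for Server}
        # plus a ticket the client cannot read: Kserver{Scs for Client, expiry}.
        scs = os.urandom(32).hex()
        reply = seal(self.keys[client], {"server": server, "scs": scs})
        ticket = seal(self.keys[server], {"client": client, "scs": scs,
                                          "expires": now + TICKET_LIFETIME})
        return reply, ticket


def client_authenticator(client, kclient, reply, now):
    # Message 3: recover Scs with Kclient and build Scs{client credentials, time}.
    scs = bytes.fromhex(unseal(kclient, reply)["scs"])
    return scs, seal(scs, {"client": client, "time": now})


def server_accept(kserver, authenticator, ticket, now, seen):
    # Message 4: only Kserver opens the ticket, only Scs opens the authenticator.
    t = unseal(kserver, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    scs = bytes.fromhex(t["scs"])
    auth = unseal(scs, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("stale authenticator")
    if authenticator in seen:                   # replay cache: the same authenticator twice is an attack
        raise ValueError("replayed authenticator")
    seen.add(authenticator)
    return seal(sc := scs, {"time": auth["time"]})  # Scs{time}: proves the server held Kserver


def run_exchange(now=1_000_000, delay=0):
    """Full run for the assumed principals 'alice' and 'fileserver'. Returns True when
    both sides authenticated; delay is how long the client waits before presenting the
    ticket, to exercise expiry. The client's own key copy is read from the KDC table here
    purely for brevity."""
    kdc = KDC({"alice": os.urandom(32), "fileserver": os.urandom(32)})
    reply, ticket = kdc.request("alice", "fileserver", now)
    later = now + delay
    scs, authenticator = client_authenticator("alice", kdc.keys["alice"], reply, later)
    server_reply = server_accept(kdc.keys["fileserver"], authenticator, ticket, later, set())
    return unseal(scs, server_reply)["time"] == later


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; used to show the failure cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The point to take from the run is structural: the client never learns Kserver, the server never learns Kclient, and the only party that knows both is the KDC, which is why compromising the KDC compromises every principal while compromising one server's key exposes only the sessions addressed to it.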
Privileges in ORACLE
System privileges:
There are more than 100 system privileges in Oracle; these are some important, frequently
used ones:
CREATE USER, CREATE SESSION, CREATE ROLE, CREATE PROCEDURE, CREATE TRIGGER,
CREATE TABLESPACE, CREATE TYPE, CREATE DATABASE LINK, CREATE TABLE, CREATE VIEW,
CREATE SEQUENCE, DROP ANY VIEW, DROP USER, DROP ANY TABLE
Object privileges:
All DML operations are object privileges, together with INDEX and REFERENCES:
INSERT, UPDATE, DELETE, SELECT, INDEX, REFERENCES
The schema owner of the EMP object takes back (revokes) the SELECT privilege from user
bmnantha.
Diskadmin – can manage the disk files for the server and databases
Statement permissions that can be granted in SQL Server:
• CREATE VIEW
• CREATE PROCEDURE
• CREATE FUNCTION
• CREATE DEFAULT
• CREATE RULE
• BACKUP DATABASE
• BACKUP LOG
NOT IDENTIFIED Clause - Specify NOT IDENTIFIED to indicate that this role is
authorized by the database and that no password is
required to enable the role.
IDENTIFIED Clause - Use the IDENTIFIED clause to indicate that a user must be
authorized by the specified method before the role is
enabled with the SET ROLE statement.
You can add a layer of security to roles by specifying a password, as in the following
example:
CREATE ROLE dw_manager IDENTIFIED BY warehouse;
Users who are subsequently granted the dw_manager role must specify the
password warehouse to enable the role with the SET ROLE statement.
use northwind
exec sp_addrole 'sales'
Example: to drop the user 'bm_nantha' from the role sales, issue the following statement:
use northwind
exec sp_droprolemember 'sales', 'bm_nantha'
Dr.B.Muruganantham, AP / CSE / SRMIST, 26-10-2021
UNIT III - Database Application Security Models & Virtual Private Databases
Introduction
Types of Users
Security Models
Application Types
Application Security Models
Data Encryption
Overview of VPD
Implementation of VPD using Views
Application Context in Oracle
Implementing Oracle VPD
Viewing VPD Policies and Application Contexts using the Data Dictionary and Policy Manager
Implementing Row- and Column-level Security with SQL Server
Introduction
Application
A program that solves a problem or performs a specific business function
Database
A collection of related data files used by applications
DBMS
A collection of programs that maintain the data files (the database)
Types of Users
Database user- user account that has database roles and/or privileges assigned
to it
Virtual user – An account that has access to the database through another
database account; a virtual user is referred to in some cases as a proxy user
Security Models
Security Models…
Access Matrix Model
A conceptual model that specifies the rights that each subject possesses for each object.
Subjects are placed in rows and objects in columns; the cell at (subject, object) holds that
subject's access modes on that object:
            Object 1   Object 2   ...   Object m
Subject 1   ...
Subject 2   ...
...
Subject n   ...
Security Models…
Access Matrix Model - Example
Security Models…
The access mode indicates whether a subject may perform a given operation on an object.
Access modes are of two kinds:
Static modes
Dynamic modes
Security Models…
Access Modes – Static Modes
Security Models…
Access Modes – Dynamic Modes
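As an added example, not part of the lecture notes, the Python below implements the access matrix model with subjects as rows and objects as columns. The static modes are the rights stored in a cell and answered by a lookup; the dynamic modes, which change the matrix itself, are modelled as grant and revoke, with the rule that a subject may pass a right on only if it owns the object or holds that right with the grant option. The mode names, the grant-option rule and the scenario in `demo` are assumptions for the example, not the textbook's list.

```python
# Added example (not from the lecture notes): an access matrix with subjects as
# rows and objects as columns. Static modes are the rights stored in a cell;
# the dynamic modes that change the matrix are modelled as grant and revoke.
# The mode names and the "grant option" rule are assumptions for the example.

STATIC_MODES = ("read", "write", "execute", "delete")


class AccessDenied(Exception):
    pass


class AccessMatrix:
    def __init__(self):
        self.cells = {}     # (subject, object) -> {mode: grantable?}
        self.owners = {}    # object -> creating subject

    def create(self, subject, obj):
        """Creating an object makes the subject its owner with every mode, all grantable."""
        self.owners[obj] = subject
        self.cells[(subject, obj)] = {m: True for m in STATIC_MODES}

    def check(self, subject, obj, mode):
        """Static decision: does the cell (subject, obj) contain mode?"""
        return mode in self.cells.get((subject, obj), {})

    def _can_delegate(self, subject, obj, mode):
        return self.owners.get(obj) == subject or self.cells.get((subject, obj), {}).get(mode, False)

    def grant(self, grantor, grantee, obj, mode, grantable=False):
        """Dynamic mode: add mode to (grantee, obj). Only the owner, or a subject
        holding mode with the grant option, may do this."""
        if mode not in STATIC_MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if not self._can_delegate(grantor, obj, mode):
            raise AccessDenied(f"{grantor} cannot grant {mode} on {obj}")
        self.cells.setdefault((grantee, obj), {})[mode] = grantable

    def revoke(self, revoker, grantee, obj, mode):
        """Dynamic mode: remove mode from (grantee, obj), same authority rule as grant.
        Rights the grantee passed on are not cascaded here; a real DBMS does that."""
        if not self._can_delegate(revoker, obj, mode):
            raise AccessDenied(f"{revoker} cannot revoke {mode} on {obj}")
        self.cells.get((grantee, obj), {}).pop(mode, None)

    def render(self):
        """The matrix as the slide draws it: one row per subject, one column per object."""
        subjects = sorted({s for s, _ in self.cells})
        objects = sorted({o for _, o in self.cells})
        width = max([12] + [len(o) + 2 for o in objects])
        lines = ["subject".ljust(10) + "".join(o.ljust(width) for o in objects)]
        for s in subjects:
            row = "".join(",".join(sorted(self.cells.get((s, o), {}))).ljust(width) for o in objects)
            lines.append(s.ljust(10) + row)
        return "\n".join(lines)


def demo():
    """Constructed scenario: alice owns EMP and DEPT, gives bob read with grant option and
    plain write; bob passes read to carol but cannot pass write; alice revokes bob's write."""
    m = AccessMatrix()
    m.create("alice", "EMP")
    m.create("alice", "DEPT")
    m.grant("alice", "bob", "EMP", "read", grantable=True)
    m.grant("alice", "bob", "EMP", "write")
    m.grant("bob", "carol", "EMP", "read")
    try:
        m.grant("bob", "carol", "EMP", "write")       # bob holds write without the grant option
        bob_delegates_write = True
    except AccessDenied:
        bob_delegates_write = False
    m.revoke("alice", "bob", "EMP", "write")
    return {
        "carol_reads_emp": m.check("carol", "EMP", "read"),
        "carol_writes_emp": m.check("carol", "EMP", "write"),
        "bob_delegates_write": bob_delegates_write,
        "bob_writes_after_revoke": m.check("bob", "EMP", "write"),
        "carol_reads_dept": m.check("carol", "DEPT", "read"),
        "matrix": m.render(),
    }


if __name__ == "__main__":
    print(demo()["matrix"])
```

`check` is the whole of the static model: a decision is one cell lookup, which is why the matrix is easy to reason about and why DBMS grant tables are, in effect, a sparse encoding of it. The dynamic rules are where mistakes live; the example's refusal to cascade on revoke is exactly the gap that SQL's `REVOKE ... CASCADE` closes.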
Application Types
Mainframe applications
Web Applications
Application Types …
Mainframe applications
MIS applications were mainly developed for mainframe projects. The following figure shows
the mainframe application architecture.
Figure: mainframe application architecture (workstation, mainframe server running the code,
DB server)
Application Types …
Client / Server Applications
To overcome the limitations of the MIS department's mainframe approach, the client/server
architecture was introduced.
It is based on a business model: the client requests and the server responds.
Client/server architecture became the dominant configuration for applications because it is:
• Flexible
• Scalable
• Able to use the processing power of the client
Three main components are typically found in a client/server architecture:
• User interface component – represents all screens, reports, etc.
• Business logic component – contains all the code related to data validation
• Data access component – contains all the code that retrieves, inserts, deletes and
updates data
Application Types …
The following figure represents the logical components of a client/server architecture.
Figure: five tiers from CLIENT (Tier 1) to SERVER (Tier 5), with the user interface at the
client end and the business logic spread over the middle tiers
Application Types …
Client / Server Applications
The following figure represents the physical architecture of a client/server application.
Figure: the client hosts the user interface, business logic and data access components; the
server hosts the DB server
Application Types …
Web Applications
Client/server applications dominated once, but not for long.
Another architecture evolved with the rise of dot-com and web-based companies.
The new client/server architecture is based on the web and is referred to as a web
application or web-based application.
A web application uses the HTTP protocol to connect and communicate with the server.
Web pages are embedded with other web services.
The following figure represents the logical components of the web application architecture.
Figure: logical components of a web application (CLIENT at the top)
Application Types …
Components of Web application
Database server layer – A software program that stores and manages data
Application Types …
The following figure shows a physical architecture that is typical for a web-based
application.
In this architecture, each layer resides on a separate computer.
Figure: client, web server (Internet server), application server (business logic), DB server
Application Types …
The following figure shows the physical and logical structure of a data warehouse.
Figure: data source DB servers feed a transform step; the result is loaded into the data
warehouse DB server, which application servers serve to client workstations
Application Security Models
Application Security Models …
Security Model based on Database Roles
This model depends on the application to authenticate the application users, by
maintaining the end users in a table with their encrypted passwords.
In this model each end user is assigned a database role.
The user can exercise whatever privileges are assigned to the role.
In this model a proxy user is needed to activate the assigned roles.
The following figure shows the data model for this application (security data model based
on database roles).
Application Security Models …
The following list presents a brief description of these columns:
Application Security Models …
Tables used in security data model based on database roles
Application Security Models …
Architecture of a security data model based on database roles
Figure: End user – Application – Authorization table
Application Security Models …
The following points on this type of security model are worth noting:
• Therefore it is DB independent
• If the roles are implemented poorly, the model does not work properly
Application Security Models …
Implementation in ORACLE
1. Create the users by entering the following code.
Creating the application owner (a password equal to the user name, as here, is for the
lecture example only):
SQL> CREATE USER APP_OWNER IDENTIFIED BY APP_OWNER
       DEFAULT TABLESPACE USERS
       TEMPORARY TABLESPACE TEMP
       QUOTA UNLIMITED ON USERS;
User created.
Application Security Models …
Creating Application tables
Application Security Models …
Assign grants
Application Security Models …
2. Add rows to the CUSTOMER table.
SQL> COMMIT;
Commit complete.
Application Security Models …
3. Add a row for an application user called APP_USER:
Application Security Models …
Application roles are special roles you create in the database that are then activated at
the time of authorization, by the application rather than by the user.
Application Security Models …
Creating Application Roles using the command line
Where:
@rolename – the name of the application role (the value must be a valid identifier and
cannot already exist in the database)
@password – the password required to activate the role (SQL Server stores only a hash of
the password, not the password itself)
Example:
To create the application role clerk for your Pharmacy database, use this command:
Where:
@rolename – The application role to drop.
Security Model based on Application Roles
Depends on the application to authenticate the application users.
Authentication is accomplished by maintaining all end users in a table with their
encrypted passwords.
Each end user is assigned an application role to read / write specific modules of
the applications.
The following table contains the description of tables used for this model.
[ER diagram, recovered from the figure:]
APPLICATION_USERS: APP_USER_ID, APP_ROLE_ID (FK), APP_USERNAME, APP_ENC_PASSWORD, FIRST_NAME, LAST_NAME, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Application roles table (name garbled in the extraction): APP_ROLE_ID, APP_ROLE_NAME, APP_ROLE_DESCRIPTION, APP_ROLE_PRIVILEGE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Architecture of Security Model based on Application Roles
[Figure: the end user is authenticated by the application, which consults the authorization table owned by the schema owner.]
Security Model based on Application Roles
This model is primitive and does not allow the flexibility required to make
the changes necessary for security.
Privileges are limited to fixed combinations such as read, add, read / update /
admin, and so on.
Security Model based on Application Functions
This model depends on the application to authenticate the application users.
The application is divided into functions, and users are granted privileges on those functions.
The following figure represents the data model for this type of application.
[ER diagram, recovered from the figure:]
APPLICATION_USERS: APP_USER_ID, APP_ROLE_ID (FK), APP_USERNAME, APP_ENC_PASSWORD, FIRST_NAME, LAST_NAME, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APPLICATION_USERS_FUNCTIONS: APP_USER_ID (FK), APP_FUNCTION_ID (FK), APP_FUNCTION_PRIVILEGE_ID (FK), CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APPLICATION_FUNCTIONS: APP_FUNCTION_ID, APP_FUNCTION_NAME, APP_FUNCTION_DESCRIPTION, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APPLICATION_FUNCTION_PRIVILEGE: APP_FUNCTION_PRIVILEGE_ID, APP_FUNCTION_PRIVILEGE_OPERATION, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Architecture of Security Model based on Application Functions
[Figure: the end user is authenticated by the application; the application checks the authorization tables, which are owned by the application (schema) owner.]
Security model based on Application Roles and Functions
It is a combination of the role and function security models.
The application authenticates users by maintaining all end users in a table with
their encrypted passwords.
The application is divided into functions; roles are assigned to functions, and roles
are in turn assigned to users.
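As an added illustration (not part of the deck), here is a small Python/sqlite3 model of the roles-and-functions scheme: the application keeps its end users in a table with salted password hashes, each user holds one role, and roles are granted operations on application functions. Table and column names follow the deck's ER diagrams where they exist; the APPLICATION_ROLES and APPLICATION_ROLE_FUNCTIONS tables, the sample rows and the PBKDF2 hashing are this example's assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Simplified schema assumed for this example. APPLICATION_USERS,
# APPLICATION_FUNCTIONS and the APP_* / CTL_* column names come from the deck;
# the two role tables are this example's reduction of the roles-and-functions model.
SCHEMA = """
CREATE TABLE APPLICATION_ROLES (
    APP_ROLE_ID   INTEGER PRIMARY KEY,
    APP_ROLE_NAME TEXT NOT NULL UNIQUE
);
CREATE TABLE APPLICATION_FUNCTIONS (
    APP_FUNCTION_ID   INTEGER PRIMARY KEY,
    APP_FUNCTION_NAME TEXT NOT NULL UNIQUE
);
CREATE TABLE APPLICATION_USERS (
    APP_USER_ID      INTEGER PRIMARY KEY,
    APP_USERNAME     TEXT NOT NULL UNIQUE,
    APP_ENC_PASSWORD TEXT NOT NULL,   -- 'salthex$pbkdf2hex', never plaintext
    APP_ROLE_ID      INTEGER NOT NULL REFERENCES APPLICATION_ROLES (APP_ROLE_ID),
    CTL_REC_STAT     TEXT NOT NULL DEFAULT 'A'   -- 'A' active, 'I' inactive
);
CREATE TABLE APPLICATION_ROLE_FUNCTIONS (
    APP_ROLE_ID                      INTEGER NOT NULL REFERENCES APPLICATION_ROLES (APP_ROLE_ID),
    APP_FUNCTION_ID                  INTEGER NOT NULL REFERENCES APPLICATION_FUNCTIONS (APP_FUNCTION_ID),
    APP_FUNCTION_PRIVILEGE_OPERATION TEXT NOT NULL,   -- READ / ADD / UPDATE / DELETE
    PRIMARY KEY (APP_ROLE_ID, APP_FUNCTION_ID, APP_FUNCTION_PRIVILEGE_OPERATION)
);
"""


def encrypt_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; this is what APP_ENC_PASSWORD stores."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = encrypt_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def build_demo_db():
    """In-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO APPLICATION_ROLES VALUES (?, ?)",
                     [(1, "CLERK"), (2, "MANAGER")])
    conn.executemany("INSERT INTO APPLICATION_FUNCTIONS VALUES (?, ?)",
                     [(10, "CUSTOMER_MAINT"), (20, "ORDER_ENTRY")])
    conn.executemany("INSERT INTO APPLICATION_ROLE_FUNCTIONS VALUES (?, ?, ?)",
                     [(1, 10, "READ"), (1, 20, "READ"), (1, 20, "ADD"),
                      (2, 10, "READ"), (2, 10, "UPDATE"),
                      (2, 20, "READ"), (2, 20, "ADD"), (2, 20, "DELETE")])
    conn.executemany(
        "INSERT INTO APPLICATION_USERS VALUES (?, ?, ?, ?, ?)",
        [(1, "alice", encrypt_password("alice-pw"), 1, "A"),   # clerk
         (2, "bob", encrypt_password("bob-pw"), 2, "A"),       # manager
         (3, "carol", encrypt_password("carol-pw"), 2, "I")])  # inactive account
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """Application-side authentication (the database never sees the end user).
    Returns APP_USER_ID, or None for unknown, inactive or mis-typed logins."""
    row = conn.execute(
        "SELECT APP_USER_ID, APP_ENC_PASSWORD, CTL_REC_STAT "
        "FROM APPLICATION_USERS WHERE APP_USERNAME = ?", (username,)).fetchone()
    if row is None or row[2] != "A" or not verify_password(row[1], password):
        return None
    return row[0]


def is_authorized(conn, user_id, function_name, operation):
    """True only if the user's role is granted `operation` on the function."""
    row = conn.execute(
        "SELECT 1 FROM APPLICATION_USERS u "
        "JOIN APPLICATION_ROLE_FUNCTIONS rf ON rf.APP_ROLE_ID = u.APP_ROLE_ID "
        "JOIN APPLICATION_FUNCTIONS f ON f.APP_FUNCTION_ID = rf.APP_FUNCTION_ID "
        "WHERE u.APP_USER_ID = ? AND u.CTL_REC_STAT = 'A' "
        "AND f.APP_FUNCTION_NAME = ? AND rf.APP_FUNCTION_PRIVILEGE_OPERATION = ?",
        (user_id, function_name, operation)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_demo_db()
    uid = authenticate(db, "alice", "alice-pw")
    print("alice may ADD to ORDER_ENTRY:", is_authorized(db, uid, "ORDER_ENTRY", "ADD"))
    print("alice may DELETE from ORDER_ENTRY:", is_authorized(db, uid, "ORDER_ENTRY", "DELETE"))
```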
The following figure represents the data model for the security model based
on application roles and functions, shown as an ER diagram.
[Figure: architecture of the security model based on application roles and functions; the application consults the authorization tables owned by the schema owner.]
Security Model Based on Application Tables
Depends on the application to authenticate users by maintaining all end users in a
table with their encrypted passwords.
The application grants privileges to the user based on tables.
Each user is assigned an access privilege on each table owned by the application owner.
The following figure represents the data model for this security model.
[ER diagram, recovered from the figure. Tables: APPLICATION_USERS, APPLICATION_USER_TABLES, APPLICATION_TABLES and APPLICATION_TABLE_PRIVILEGES; only the columns of the last table survived the extraction:]
APPLICATION_TABLE_PRIVILEGES: APP_TABLE_PREVILIGES_ID, APP_TABLE_PRIVILEGE_DESCRIPTION, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Architecture of a Security Model Based on Application Tables
[Figure: architecture of the security model based on application tables; the application consults the authorization table owned by the schema owner.]
Characteristics of Security Model
(Values are given for the five models in the order they appear in the figure; the column headers were not recovered.)
Is flexible in implementing application security: No, No, No, Yes, No
Maintenance of application security does not require specific DB privileges: No, No, No, Yes, No
Data Encryption
Encryption is a security method in which information is encoded in
such a way that only authorized users can read it.
Types of Encryption
A symmetric key encryption algorithm uses the same cryptographic key for both
encryption of plaintext and decryption of ciphertext.
A public key encryption algorithm uses a pair of keys, one of which is secret and
one of which is public. The two keys are mathematically linked to each other.
Virtual Private Databases
A VPD (Virtual Private Database) is a shared database schema containing data
that belongs to many users, where each user can view or manipulate only
the data that user owns.
Architecture of Virtual Private Database
[Figure: the user submits SELECT * FROM PRODUCTS; the DBMS_RLS package invokes the policy function, and the query is rewritten to become SELECT * FROM PRODUCTS WHERE DEPTID = 20 before it runs against the table. The figure also labels an EMP table.]
Test VPD
Setup Test Environment
First we must create a user to act as the schema owner for this example. Obviously,
you will perform the following tasks using your current schema owner.
CONN schemaowner/schemaowner@service
CREATE TABLE users (
  id         NUMBER(10)   NOT NULL,
  ouser      VARCHAR2(30) NOT NULL,
  first_name VARCHAR2(50) NOT NULL,
  last_name  VARCHAR2(50) NOT NULL
);
COMMIT;
Create an Application Context
Grant CREATE ANY CONTEXT to the schema owner then create the context and
context package.
CONNECT schemaowner/schemaowner@service;
Next we create the context_package body which will actually set the user context.
CREATE OR REPLACE PACKAGE BODY context_package AS
  PROCEDURE set_context IS
    v_ouser VARCHAR2(30);
    v_id    NUMBER;
  BEGIN
    -- Header and first statements reconstructed; the slide kept only the tail.
    DBMS_SESSION.set_context('SCHEMAOWNER', 'SETUP', 'TRUE');
    v_ouser := SYS_CONTEXT('USERENV', 'SESSION_USER');
    BEGIN
      SELECT id INTO v_id FROM users WHERE ouser = v_ouser;
      DBMS_SESSION.set_context('SCHEMAOWNER', 'USER_ID', v_id);
    EXCEPTION WHEN NO_DATA_FOUND THEN
      DBMS_SESSION.set_context('SCHEMAOWNER', 'USER_ID', 0);  -- unknown login matches no rows
    END;
    DBMS_SESSION.set_context('SCHEMAOWNER', 'SETUP', 'FALSE');
  END set_context;
END context_package;
/
Next we make sure that all users have access to the Context_Package.
Next we must create a trigger to fire after the user logs onto the database.
Create Security Policies
In order for the context package to have any effect on the user's interaction with
the database, we need to define a security_package for use with the security
policy. This package tells the database how to treat any interaction with the
specified table.
CONNECT schemaowner/schemaowner@service;
Next we create the security_package body.
CREATE OR REPLACE PACKAGE BODY security_package IS

  -- Referenced by the INSERT policy below; its slide is missing from the
  -- extraction, so this body mirrors the SELECT function (reconstruction).
  FUNCTION user_data_insert_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
    predicate VARCHAR2(2000);
  BEGIN
    predicate := '1=2';   -- default: fail closed
    IF (SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SCHEMAOWNER') THEN
      predicate := NULL;  -- schema owner is unrestricted
    ELSE
      predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
    END IF;
    RETURN predicate;
  END user_data_insert_security;

  FUNCTION user_data_select_security(owner VARCHAR2, objname VARCHAR2) RETURN VARCHAR2 IS
    predicate VARCHAR2(2000);
  BEGIN
    predicate := '1=2';   -- default: fail closed
    IF (SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SCHEMAOWNER') THEN
      predicate := NULL;  -- NULL predicate: no restriction
    ELSE
      -- Only rows whose USER_ID equals the id set by the logon trigger
      predicate := 'USER_ID = SYS_CONTEXT(''SCHEMAOWNER'',''USER_ID'')';
    END IF;
    RETURN predicate;
  END user_data_select_security;

END security_package;
/

-- Register the policies with DBMS_RLS (run as the schema owner).
BEGIN
  DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA', 'USER_DATA_INSERT_POLICY',
                      'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_INSERT_SECURITY',
                      'INSERT', TRUE);   -- update_check TRUE: new rows must satisfy the predicate
  DBMS_RLS.add_policy('SCHEMAOWNER', 'USER_DATA', 'USER_DATA_SELECT_POLICY',
                      'SCHEMAOWNER', 'SECURITY_PACKAGE.USER_DATA_SELECT_SECURITY',
                      'SELECT');
END;
/
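To make the mechanism concrete without an Oracle instance, here is an added Python/sqlite3 emulation (not code from the deck or from Oracle) of what the context package, the policy function and the DBMS_RLS rewrite do together: the logon step resolves the session user to a USER_ID, the policy function returns a predicate, and every SELECT on USER_DATA is rewritten with it before execution. The USER_DATA table, its sample rows, and the :vpd_user_id bind name are this example's assumptions.

```python
import re
import sqlite3

# Constructed sample data modelled on the deck's VPD walkthrough: USERS maps a
# database login (ouser) to an application id, and USER_DATA rows are owned by
# a USER_ID. USER_DATA and all rows are assumptions of this example.
SCHEMA = """
CREATE TABLE users (id INTEGER NOT NULL, ouser TEXT NOT NULL,
                    first_name TEXT NOT NULL, last_name TEXT NOT NULL);
CREATE TABLE user_data (id INTEGER NOT NULL, user_id INTEGER NOT NULL, data TEXT);
INSERT INTO users VALUES (1, 'USER1', 'Ann', 'One'), (2, 'USER2', 'Ben', 'Two');
INSERT INTO user_data VALUES (1, 1, 'user1 row a'), (2, 1, 'user1 row b'),
                             (3, 2, 'user2 row');
"""


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class Session:
    """Stands in for an Oracle session: the login name plus the application
    context that the logon trigger fills via context_package.set_context."""

    def __init__(self, conn, session_user, run_logon_trigger=True):
        self.conn = conn
        self.session_user = session_user.upper()
        self.context = {}            # the SCHEMAOWNER context namespace
        if run_logon_trigger:
            self.set_context()

    def set_context(self):
        # Same logic as the PL/SQL set_context: resolve login -> users.id, else 0.
        row = self.conn.execute("SELECT id FROM users WHERE ouser = ?",
                                (self.session_user,)).fetchone()
        self.context["USER_ID"] = row[0] if row else 0


def user_data_select_security(session):
    """Policy function. Returns the predicate DBMS_RLS would append, or None
    for 'no restriction' (the NULL predicate of the PL/SQL original)."""
    if session.session_user == "SCHEMAOWNER":
        return None
    if "USER_ID" not in session.context:
        return "1=2"                 # context never set: fail closed
    return "user_id = :vpd_user_id"  # SYS_CONTEXT('SCHEMAOWNER','USER_ID')


def rewrite_query(sql, predicate):
    """Emulates the DBMS_RLS rewrite: AND the predicate into an existing WHERE
    clause, or add one. Assumes a single-table query without GROUP/ORDER BY."""
    if predicate is None:
        return sql
    match = re.search(r"\bWHERE\b", sql, re.IGNORECASE)
    if match:
        return sql[:match.end()] + " (" + predicate + ") AND" + sql[match.end():]
    return sql + " WHERE " + predicate


def secure_select(session, sql):
    """Run a SELECT on USER_DATA the way VPD would: policy, rewrite, execute.
    Returns (rewritten_sql, rows)."""
    rewritten = rewrite_query(sql, user_data_select_security(session))
    params = {"vpd_user_id": session.context.get("USER_ID", 0)}
    cursor = session.conn.execute(rewritten, params if ":vpd_user_id" in rewritten else ())
    return rewritten, cursor.fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    for login in ("user1", "user2", "schemaowner", "nobody"):
        sql, rows = secure_select(Session(db, login), "SELECT id, data FROM user_data")
        print(f"{login:12s} -> {sql}")
        print(f"{'':15s}{rows}")
```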
Test VPD
Finally, test that the VPD is working correctly.
CONNECT user1/user1@service;
COMMIT;
CONNECT user2/user2@service
COMMIT;
CONNECT schemaowner/schemaowner@service
CONNECT user1/user1@Service;
CONNECT user2/user2@Service
Column level Security with SQL Server
Column level permissions provide a more granular level of security for the data in
your database. You do not need to execute a separate GRANT or DENY
statement for each column; just name them all in one statement.
If you execute a DENY statement at table level to a column for a user, and after
that you execute a GRANT statement on the same column, the DENY permission
is removed and the user can have access to that column. Similarly, if you execute
GRANT and then DENY, the DENY permission will be in force.
18CSE455T - Database Security and Privacy
Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of
Computer Science and
Engineering
SRMIST, Chennai
Dr.B.Muruganantham
12-11-2021 2
AP / CSE /SRMIST
UNIT IV-AUDITING DATABASE ACTIVITIES
Introduction
Using Oracle Database Activities
Creating DDL Triggers with Oracle
Auditing Database Activities with Oracle Auditing
Server Activity with SQL Server 2000
Security and Auditing Project Case Study
Introduction
Security and auditing go together: the auditing mechanism enables
users to trace changes to sensitive data.
Auditing Overview
Definitions
In general, an audit examines the documentation that reflects the actions, practices
and conduct of a business or individual.
The list that follows contains general auditing and database auditing definitions.
Audit / Auditing – The process of examining and validating documents, data,
processes, systems, or other activities to ensure that the
audited entity complies with its objectives.
Audit log – A document that contains all activities that are being audited,
ordered in a chronological manner.
Auditor – A person with proper qualifications and ethics, who is authorized to examine, verify,
and validate documents, data, processes, systems, or activities and to produce an
audit report.
Audit report – A document that contains the audit findings and is generated by the
individual(s) conducting the audit.
Audit trail – A chronological record of document changes, data changes, system activities, or
operational events.
Data audit – A chronological record of data changes stored in a log file or a database table
object.
Internal auditing – Auditing activities conducted by staff members of the organization.
External auditing – Auditing activities conducted by staff members from outside the
organization.
Auditing Activities
Auditing activities are performed as part of an audit, audit process or audit plan.
The following list presents the auditing activities
(note: activities are not listed in any specific order):
Evaluate and appraise the effectiveness and adequacy of the audited entity
according to the auditing objectives and procedures.
Ascertain and review the reliability and integrity of the audited entity.
Ensure the organization being audited is in compliance with the policies,
procedures, regulations, laws, and standards of the government and the
industry.
Establish plans, policies, and procedures for conducting audits.
Keep abreast of all changes to the audited entity.
Keep abreast of updates and new audit regulations, laws, standards, and
policies set by industry, government, or the company itself.
Provide all audit details to all company employees involved in the audit. These
details include resource requirements, audit plans, and audit schedules.
Publish audit guidelines and procedures to the company itself and to its partners
and clients when appropriate.
Act as liaison between the company and the external audit team.
Act as a consultant to architects, developers and business analysts to ensure
that the company being audited is structured in accordance with the audit
objectives.
Organize and conduct internal audits.
Ensure all contractual items are met by the organization being audited.
Auditing Environment
Components of Auditing Environment
Objectives
An audit without objectives is useless.
To conduct an audit you must know what the audited entity is to be measured against.
Usually, the objectives are set by the organization, industry standards, or government
regulations and laws.
Procedures
To conduct an audit, step-by-step instructions and tasks must be documented ahead of
time.
In the case of a government-conducted audit, all instructions are publicly available.
In the case of an organizational audit, specialized personnel document the procedures to be
used, not only for the business itself but also for the audit.
People
Every auditing environment must have an auditor, even in the case of an automatic audit.
Other people involved in the audit are employees, managers, and anyone being audited.
Audited entities
This includes people, documents, processes, systems, activities or any operation that is
being audited.
The following figure shows the four major components of the auditing environment.
[Figure: auditing environment, with its four components: objectives, procedures, people, and audited entities.]
Database Auditing Environment …
The following figure shows the five major components of the database auditing environment.
[Figure: database auditing environment, adding the database itself to the four components above.]
Auditing Process
The Quality Assurance (QA) team retests every database application function
and tries to find bugs.
The purpose of the QA process in software engineering is to make sure that the system
is bug free and that the system functions according to its specification.
The auditing process ensures that the system is working and complies with the
policies, standards, regulations or laws set forth by the organization, industry or
government.
Another way to distinguish between the QA and auditing processes is by examining
the timing of each.
Differences in QA , Auditing and Performance Monitoring processes
The figure below illustrates the auditing process flow.
[Figure: auditing process flow in three phases, running alongside the development phases (planning, analysis, design, development, testing, implementation and production):
UNDERSTAND OBJECTIVE – make sure all objectives are well defined; policies, laws, regulations and industry standards must be incorporated as part of the system requirements and specification.
REVIEW, VERIFY & VALIDATE – ensure that the auditing objectives are met according to business policies and specifications.
REPORT & DOCUMENT – identify the changes and provide feedback to the system development phase.]
Auditing Objectives
Auditing objectives are established as part of the development process of the entity to
be audited.
For example, when a software application is being coded, the developers include in their
software design objectives the capability to audit the application.
Auditing objectives are established and documented for the following reasons:
Complying – Identify all company policies, government regulations, laws and the
industry standards with which your company must comply.
Informing – All policies, regulations, laws and standards must be published and
communicated to all parties involved in the development and operation
of the audited entity.
Planning – Knowing all the objectives enables the auditor to plan and document
procedures to assess the audited entity.
The top ten database auditing objectives
Data integrity – Ensure that data is valid and in full referential integrity.
Application users and roles – Ensure that users are assigned roles that correspond
to their responsibilities and duties.
Data confidentiality – Identify who can read data and what data can be read.
Access control – Ensure that the application records the time and duration when a
user logs onto the database or application.
Data changes – Create an audit trail of all data changes.
Data structure changes – Ensure that the database logs all data structure changes.
Database or application availability – Record the number of occurrences and
duration of application or database shutdowns and all startup times. Also, record the
reason for any unavailability.
Change control – Ensure that a change control mechanism is incorporated to track
necessary and planned changes to the database or application.
Physical access – Record the physical access to the application or the database where
the software and hardware reside.
Auditing reports – Ensure that reports are generated on demand or automatically,
showing all auditable activities.
Audit Classifications
Every industry and business sector uses different classifications of audits.
The definition of each classification can differ from business to business.
We will discuss the most generic definitions of audit classifications.
Internal Audit
An internal audit is an audit that is conducted by a staff member of the company
being audited.
The purpose and intention of an internal audit is to:
Verify that all auditing objectives are met by conducting a well-planned and
scheduled audit.
Investigate a situation that was prompted by an internal event or incident.
This audit is random, not planned or scheduled.
External Audit
An external audit is conducted by a party outside the company that is being
audited.
The purpose and intention of an external audit is to:
Automatic Audit
Manual Audit
Hybrid Audit
Audit Types
Financial audit – Ensures that all financial transactions are accounted for and
comply with the law.
Example: companies save all trading transactions for a period of time
to comply with government regulations.
Security audit – Evaluates whether the system is as secure as it should be.
The audit identifies security gaps and vulnerabilities.
Compliance audit – Verifies that the system complies with industry standards,
government regulations, or partner and client policies.
Product audit – Performed to ensure that the product complies with industry
standards. This audit is sometimes confused with testing, but it
should not be.
A product audit does not include auditing of the product's functionality; it
covers how it was produced and who worked on its development.
Benefits
Enforces company policies, government regulations and laws.
Develops controls that can be used for purposes other than auditing.
Benefits and Side Effects of Auditing
Side Effects
From a DB perspective
Auditing Models
[Flowchart residue: Start, Action, Yes.]
Before auditing models, it is more
Simple Auditing Model 1
The first auditing model is called "SIMPLE" because it is easy to understand and develop.
This model registers audited entities in the audit model repository to chronologically track activities performed on or by these entities.
An entity can be a user, a table or a column, and an activity can be a DML transaction or logon and logoff times.
The given figure illustrates SIMPLE MODEL 1.
[ER diagram, recovered from the figure:]
APP_ENTITY: ENTITY_ID, ENTITY_NAME, ENTITY_TYPE, CTL_REC_STAT
APP_ACTION_TYPE: ACTION_TYPE_ID, ACTION_TYPE_DESC, CTL_REC_STAT
APP_AUDIT_ACTION: AUDIT_ACTION_ID, ENTITY_ID (FK), ACTION_TYPE_ID (FK), AUDIT_START_DATE, AUDIT_EXPIRE_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATE_ID, AUDIT_ACTION_ID (FK), AUDIT_DATA, AUD_INS_DTTM, AUD_UPD_DTTM, AUD_UPD_USER, AUD_REC_STAT
Simple Auditing Model 2
The given figure illustrates Simple Auditing Model 2.
In this model, only column value changes are stored for audit purposes.
The audit data table APP_AUDIT_DATA contains chronological data on all changes to columns that are registered in APP_AUDIT_TABLE.
A purging and archiving mechanism is used to help reduce the amount of data stored in the DB.
[ER diagram, recovered from the figure; column assignment as read from the two-column layout:]
APP_AUDIT_TABLE: TABLE_ID, TABLE_NAME, TABLE_DESCRIPTION, AUDIT, ARCHIVE, ARCHIVE_COUNT, PURGE, PURGE_COUNT, COLUMNS, COLUMNS_COUNTSR, START_DATE, END_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATA_ID, TABLE_ID (FK), AUDIT_DATA, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Of course, the repository for this model is more complex than in the previous models.
The following figure presents the flow of the user interface.
[Figure: flow of the audit user interface for the advanced model. As far as it can be recovered, seven numbered steps connect the audit user interface with the audit repository tables (audit table data, audit user table, table name and column name data): 1 populate tables for audit, 2 perform audit, 3 perform audit check, 4 populate table name, 5 set audit, 6 set users for audit, 7 build view for audit.]
Data model of the repository for an Advanced Auditing Model
[ER diagram, recovered from the figure:]
APP_TABLES: ENTITY_ID, TABLE_ID, TABLE_NAME, CTL_REC_STAT
APP_USERS: ENTITY_ID, USER_ID, TABLE_NAME, CTL_REC_STAT (as read from the figure)
APP_COLUMNS: ENTITY_ID, TABLE_ID (FK), COLUMN_NAME, CTL_REC_STAT
APP_ACTION_TYPE: ACTION_TYPE_ID, ACTION_TYPE_DESC, CTL_REC_STAT
APP_AUDIT_ACTION: AUDIT_ACTION_ID, ENTITY_ID (FK), ENTITY_TYPE, ACTION_TYPE_ID (FK), AUDIT_START_DATE, AUDIT_EXPIRE_DATE, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_AUDIT_DATA: AUDIT_DATA_ID, AUDIT_ACTION_ID (FK), AUDIT_DATA, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
Historical Data Model
This model is used for applications that require a record of the whole row
whenever a DML transaction is performed on the table.
It is typically used in most financial applications.
With this model, the whole row is stored in the HISTORY table before it is
changed or deleted.
The following figure illustrates this model.
[Data model, recovered from the figure:]
APP_DATA_TABLE: PRIMARY_KEY_COLUMN, DATA_COLUMN_01, DATA_COLUMN_02, ..., DATA_COLUMN_n, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT
APP_DATA_TABLE_HISTORY: PRIMARY_KEY_COLUMN, DATA_COLUMN_01, DATA_COLUMN_02, ..., DATA_COLUMN_n, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT (the same columns as the data table)
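As an added, runnable illustration (not code from the deck), here is the historical data model built with sqlite3 in Python: row-level BEFORE UPDATE and BEFORE DELETE triggers copy the whole old row into APP_DATA_TABLE_HISTORY, which is the same mechanism the deck's Oracle row-level triggers provide with :OLD. HIST_ID, HIST_ACTION and HIST_DTTM are columns this example adds so that snapshots are ordered and explain themselves; the append-only guard triggers on the history table are likewise this example's addition.

```python
import sqlite3

# Constructed schema following the deck's historical data model. HIST_ID,
# HIST_ACTION and HIST_DTTM are this example's additions to the history table.
SCHEMA = """
CREATE TABLE APP_DATA_TABLE (
    PRIMARY_KEY_COLUMN INTEGER PRIMARY KEY,
    DATA_COLUMN_01 TEXT,
    DATA_COLUMN_02 TEXT,
    CTL_INS_DTTM   TEXT NOT NULL,
    CTL_UPD_DTTM   TEXT NOT NULL,
    CTL_UPD_USER   TEXT NOT NULL,
    CTL_REC_STAT   TEXT NOT NULL DEFAULT 'A'
);
CREATE TABLE APP_DATA_TABLE_HISTORY (
    HIST_ID            INTEGER PRIMARY KEY,
    HIST_ACTION        TEXT NOT NULL,   -- UPDATE or DELETE
    HIST_DTTM          TEXT NOT NULL,
    PRIMARY_KEY_COLUMN INTEGER NOT NULL,
    DATA_COLUMN_01 TEXT, DATA_COLUMN_02 TEXT,
    CTL_INS_DTTM TEXT, CTL_UPD_DTTM TEXT, CTL_UPD_USER TEXT, CTL_REC_STAT TEXT
);
-- Row-level BEFORE triggers snapshot the row as it was (Oracle: BEFORE UPDATE
-- ... FOR EACH ROW with :OLD).
CREATE TRIGGER APP_DATA_TABLE_BU BEFORE UPDATE ON APP_DATA_TABLE
FOR EACH ROW BEGIN
    INSERT INTO APP_DATA_TABLE_HISTORY (HIST_ACTION, HIST_DTTM, PRIMARY_KEY_COLUMN,
        DATA_COLUMN_01, DATA_COLUMN_02, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT)
    VALUES ('UPDATE', datetime('now'), OLD.PRIMARY_KEY_COLUMN, OLD.DATA_COLUMN_01,
        OLD.DATA_COLUMN_02, OLD.CTL_INS_DTTM, OLD.CTL_UPD_DTTM, OLD.CTL_UPD_USER, OLD.CTL_REC_STAT);
END;
CREATE TRIGGER APP_DATA_TABLE_BD BEFORE DELETE ON APP_DATA_TABLE
FOR EACH ROW BEGIN
    INSERT INTO APP_DATA_TABLE_HISTORY (HIST_ACTION, HIST_DTTM, PRIMARY_KEY_COLUMN,
        DATA_COLUMN_01, DATA_COLUMN_02, CTL_INS_DTTM, CTL_UPD_DTTM, CTL_UPD_USER, CTL_REC_STAT)
    VALUES ('DELETE', datetime('now'), OLD.PRIMARY_KEY_COLUMN, OLD.DATA_COLUMN_01,
        OLD.DATA_COLUMN_02, OLD.CTL_INS_DTTM, OLD.CTL_UPD_DTTM, OLD.CTL_UPD_USER, OLD.CTL_REC_STAT);
END;
-- The audit trail must be append-only: reject UPDATE and DELETE on the history.
CREATE TRIGGER APP_DATA_TABLE_HISTORY_NOUPD BEFORE UPDATE ON APP_DATA_TABLE_HISTORY
BEGIN SELECT RAISE(ABORT, 'history table is append-only'); END;
CREATE TRIGGER APP_DATA_TABLE_HISTORY_NODEL BEFORE DELETE ON APP_DATA_TABLE_HISTORY
BEGIN SELECT RAISE(ABORT, 'history table is append-only'); END;
"""


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_row(conn, pk, col1, col2, user):
    conn.execute("INSERT INTO APP_DATA_TABLE VALUES (?, ?, ?, datetime('now'), datetime('now'), ?, 'A')",
                 (pk, col1, col2, user))
    conn.commit()


def update_row(conn, pk, col1, col2, user):
    """Application-style update that stamps CTL_UPD_DTTM / CTL_UPD_USER; the
    trigger copies the previous version to history before the change lands."""
    conn.execute("UPDATE APP_DATA_TABLE SET DATA_COLUMN_01 = ?, DATA_COLUMN_02 = ?, "
                 "CTL_UPD_DTTM = datetime('now'), CTL_UPD_USER = ? WHERE PRIMARY_KEY_COLUMN = ?",
                 (col1, col2, user, pk))
    conn.commit()


def delete_row(conn, pk):
    conn.execute("DELETE FROM APP_DATA_TABLE WHERE PRIMARY_KEY_COLUMN = ?", (pk,))
    conn.commit()


def history_for(conn, pk):
    """Chronological snapshots of one row: (action, col1, col2, last updating user)."""
    return conn.execute(
        "SELECT HIST_ACTION, DATA_COLUMN_01, DATA_COLUMN_02, CTL_UPD_USER "
        "FROM APP_DATA_TABLE_HISTORY WHERE PRIMARY_KEY_COLUMN = ? ORDER BY HIST_ID",
        (pk,)).fetchall()


def history_is_append_only(conn):
    """True if an attempt to purge the history is rejected by the guard trigger."""
    try:
        conn.execute("DELETE FROM APP_DATA_TABLE_HISTORY")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    insert_row(db, 1, "a", "b", "alice")
    update_row(db, 1, "a2", "b", "bob")
    delete_row(db, 1)
    print(history_for(db, 1))             # two snapshots: UPDATE then DELETE
    print(history_is_append_only(db))     # True
```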
Auditing Application Actions Model
There may be a requirement for an application to audit specific operations or
actions.
The following figure represents the data model of a repository for auditing
application actions.
C2 Security
C2 security is a security rating that evaluates the security framework of
computer products used in government and military organizations and institutes.
The standard was conceived by the U.S. National Computer Security Center (NCSC)
to create a minimum security benchmark for all computing products and
applications that process confidential government and military information.
The National Security Administration has given a C2 security rating to Microsoft SQL
Server 2000.
This means that the server passes requirements set by the Department of Defense
and is typically implemented in military and government applications.
Requirements for enabling C2 auditing in SQL Server include the following:
• The Microsoft Windows Server must be configured as a C2 system.
• Windows Integrated Authentication is supported, but SQL native security
is not supported.
• Only transactional replication is supported.
• SQL Mail
• English Query
• DTC
Oracle Triggers
ORACLE trigger timings or events for DML events
[Figure: the application user's DML statement reaches the TABLE and its ROWs; triggers can fire at table (statement) level and at row level.]
Trigger Syntax
CREATE [OR REPLACE] TRIGGER <trigger_name>
Trigger timing: [BEFORE | AFTER | INSTEAD OF]
…
END;
The given syntax shows the different optional statements that are present in trigger
creation.
ORACLE Trigger Execution
A trigger can be in either of two distinct modes:
Enabled – An enabled trigger executes its trigger action if a triggering statement is
issued and the trigger restriction (if any) evaluates to TRUE.
Disabled – A disabled trigger does not execute its trigger action, even if a triggering
statement is issued and the trigger restriction (if any) would evaluate to
TRUE.
For enabled triggers, Oracle automatically:
executes triggers of each type in a planned firing sequence when more than one
trigger is fired by a single SQL statement;
performs integrity constraint checking at a set point in time with respect to the
different types of triggers, and guarantees that triggers cannot compromise integrity
constraints;
provides read-consistent views for queries and constraints;
manages the dependencies among triggers and the objects referenced in the code of the
trigger action;
uses two-phase commit if a trigger updates remote tables in a distributed database;
if more than one trigger of the same type exists for a given statement, fires
each of those triggers in an unspecified order.
The following figure gives the order of trigger execution.
[Figure: order of trigger execution, showing BEFORE and AFTER triggers at statement level (TABLE) and at row level (ROW), numbered 1 to 4 in firing order.]
Example : Row level Trigger
Example : Statement level Trigger
Users can view all triggers created on a table by using the USER_TRIGGERS data
dictionary view.
The structure of the USER_TRIGGERS view is as follows:
SQL Server Triggers…
In this syntax:
The schema_name is the name of the schema to which the new trigger belongs.
The schema name is optional.
The event is listed in the AFTER clause. The event could be INSERT, UPDATE,
or DELETE. A single trigger can fire in response to one or more actions against
the table.
The NOT FOR REPLICATION option instructs SQL Server not to fire the trigger
when data modification is made as part of a replication process.
The sql_statements are one or more Transact-SQL statements used to carry out actions once
an event occurs.
Auditing Database Activities with ORACLE
The activities are divided into two types based on the type of SQL command
statement used :
Auditing DDL Activities
ORACLE uses a SQL-based AUDIT command.
The following figure presents the AUDIT syntax diagram (ORACLE 10g).
Audit command syntax:
AUDIT
  { { statement_option | ALL } [, { statement_option | ALL }] ...
    | { system_privilege | ALL PRIVILEGES }
    [BY { proxy [, proxy] ... | user [, user] ... }]
  | { object_option [, object_option] ... | ALL }
    ON { [schema.]object | DIRECTORY directory_name | DEFAULT }
  }
  [BY { SESSION | ACCESS }]
  [WHENEVER [NOT] SUCCESSFUL];

Where:
Statement option – Tells ORACLE to audit the specified DDL or DCL statement
(DDL – CREATE, ALTER, DROP and TRUNCATE; DCL – GRANT, REVOKE).
System privilege – Tells ORACLE to audit the specified privilege, such as SELECT, CREATE ANY, or ALTER ANY.
Object option – Specifies the type of privileges on the specified object to be audited.
BY SESSION – Tells ORACLE to record audit data once per session, even if the audited statement is issued multiple times in the session.
BY ACCESS – Tells ORACLE to record audit data every time the audited statement is issued.
WHENEVER SUCCESSFUL – Tells ORACLE to capture audit data only when the audited command is successful.
WHENEVER NOT SUCCESSFUL – Tells ORACLE to capture audit data only when the audited command fails.
DDL activities example:
Suppose you want to audit a table named CUSTOMER every time it is altered or
every time a record is deleted from the table.
The following steps show you how to do this.
Before performing them, drop or disable all triggers associated with the CUSTOMER table.
Step 1: Use any user other than SYS or SYSTEM to create the CUSTOMER table.
Table created.
Step 2 : Add three rows into the CUSTOMER table and commit changes
1 row created
1 row created
1 row created
Step 3: Log on as SYS or SYSTEM to enable auditing, as specified in this example;
the first statement is for ALTER and the next is for DELETE.
Audit succeeded.
Audit succeeded.
Step 4: Log in as the owner of the CUSTOMER table, DBSEC, delete a row and modify
the structure of the table, as specified in the following code.
1 row deleted.
Table altered.
In this step you will see the audit records stored in the auditing tables, caused by the DELETE
and ALTER statements issued in step 4.
Step 5: Log in as SYSTEM and view DBA_AUDIT_TRAIL.
Two records will be available, as shown in the figure below.
When audit process got over of a specific object or command, you may turn it
off by using the NO AUDIT statement.
The following step turns off auditing on the two statements issued in step 3.
Noaudit succeeded.
Noaudit succeeded.
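The AUDIT syntax above and the CUSTOMER example leave the effect of BY {SESSION | ACCESS} and WHENEVER [NOT] SUCCESSFUL implicit. The following added Python example (not from the slides or from Oracle) applies those options to a constructed set of rows shaped like DBA_AUDIT_TRAIL output; the session ids, users and return codes are made up, and BY SESSION is modelled in the simplified textbook sense of one record per session, user, object and statement type.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditRow:
    """One audit record, modelled on DBA_AUDIT_TRAIL columns (constructed, not a real dump)."""
    session_id: int
    username: str
    obj_name: str
    action_name: str   # e.g. "DELETE", "ALTER TABLE"
    returncode: int    # 0 = statement succeeded, otherwise the ORA- error number
    timestamp: str


# Constructed sample: the DBSEC owner's DELETE/ALTER from the example above, a second
# user whose DELETE attempts fail (RETURNCODE 1031 = ORA-01031, insufficient
# privileges) and a later DBSEC session.
SAMPLE_TRAIL: List[AuditRow] = [
    AuditRow(101, "DBSEC", "CUSTOMER", "DELETE",      0,    "2021-11-12 10:01:00"),
    AuditRow(101, "DBSEC", "CUSTOMER", "DELETE",      0,    "2021-11-12 10:01:05"),
    AuditRow(101, "DBSEC", "CUSTOMER", "ALTER TABLE", 0,    "2021-11-12 10:02:00"),
    AuditRow(102, "SCOTT", "CUSTOMER", "DELETE",      1031, "2021-11-12 10:03:00"),
    AuditRow(102, "SCOTT", "CUSTOMER", "DELETE",      1031, "2021-11-12 10:03:10"),
    AuditRow(103, "DBSEC", "CUSTOMER", "DELETE",      0,    "2021-11-12 11:00:00"),
]


def select_audit_events(rows: List[AuditRow], by: str = "ACCESS",
                        whenever: Optional[str] = None) -> List[AuditRow]:
    """Return the rows an AUDIT ... BY {SESSION|ACCESS} [WHENEVER [NOT] SUCCESSFUL]
    clause would record.

    whenever: None (record both outcomes), "SUCCESSFUL" (RETURNCODE = 0 only)
              or "NOT SUCCESSFUL" (RETURNCODE <> 0 only).
    by:       "ACCESS" keeps one row per audited statement; "SESSION" is modelled
              here as one row per (session, user, object, statement type).
    """
    if whenever == "SUCCESSFUL":
        rows = [r for r in rows if r.returncode == 0]
    elif whenever == "NOT SUCCESSFUL":
        rows = [r for r in rows if r.returncode != 0]
    elif whenever is not None:
        raise ValueError("whenever must be None, 'SUCCESSFUL' or 'NOT SUCCESSFUL'")

    if by == "ACCESS":
        return list(rows)
    if by == "SESSION":
        seen = set()
        kept: List[AuditRow] = []
        for r in rows:
            key = (r.session_id, r.username, r.obj_name, r.action_name)
            if key not in seen:
                seen.add(key)
                kept.append(r)
        return kept
    raise ValueError("by must be 'ACCESS' or 'SESSION'")


def failed_attempts_by_user(rows: List[AuditRow]) -> Dict[str, int]:
    """Count failed statements per user: the first thing a reviewer of the trail
    checks, since repeated ORA-01031 against another schema's table is a sign of
    someone testing privileges rather than a typo."""
    counts: Dict[str, int] = {}
    for r in select_audit_events(rows, by="ACCESS", whenever="NOT SUCCESSFUL"):
        counts[r.username] = counts.get(r.username, 0) + 1
    return counts


if __name__ == "__main__":
    for by in ("ACCESS", "SESSION"):
        for whenever in (None, "SUCCESSFUL", "NOT SUCCESSFUL"):
            n = len(select_audit_events(SAMPLE_TRAIL, by, whenever))
            print(f"BY {by:7} WHENEVER {whenever or 'either':14} -> {n} audit rows")
    print("failed attempts:", failed_attempts_by_user(SAMPLE_TRAIL))
```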
Auditing Database Activities with ORACLE …
DCL Activities Example:
You are auditing the GRANT privilege issued on a TEMP table owned by DBSEC.
The following steps show how DCL statements are audited.
The same steps are to be followed for all DCL commands.
SQL> COMMIT;
Commit complete.
Auditing Database Activities with ORACLE …
Step 2: Log on as DBSEC and grant SELECT and UPDATE privileges to SYSTEM on the TEMP table
SQL> CONN DBSEC
Enter password : *****
Connected.
2 rows selected
Auditing Server Activity with SQL Server 2000
Microsoft SQL Server 2000 provides auditing as a way to track and log activity for each SQL Server instance.
The user must be a member of the sysadmin fixed server role to enable or modify auditing.
Every modification of an audit is an auditable event.
There are two types of auditing in SQL Server 2000:
Auditing
C2 auditing
Auditing can have a significant impact on performance.
The audit trail analysis can also be costly in terms of system
It is recommended that SQL Profiler be run on a server separate from the production server.
Auditing Server Activity with SQL Server 2000 …
Implementing SQL Profiler
One of the tools that accompanies SQL Server 2000 is SQL Profiler.
This tool provides the user interface for auditing events.
You can audit several types of events using SQL Profiler.
Auditing Server Activity with SQL Server 2000 …
SQL Server configuration
Auditing Server Activity with SQL Server 2000 …
After the audit level is set, you can use SQL Profiler to monitor security events.
The following events can be audited
Auditing Server Activity with SQL Server 2000 …
You can start SQL Profiler by selecting it from the program group on the Start menu or from the Tools menu in Enterprise Manager.
To start a new audit trace, from the File menu click New, then Trace.
It is shown in the figure below
Auditing Server Activity with SQL Server 2000 …
The New Trace dialog box appears, as shown in the figure
Auditing Server Activity with SQL Server 2000 …
On the Events tab, you specify the events to be audited and the category they belong to
Auditing Server Activity with SQL Server 2000 …
Add the Login Change Password security event to the trace by performing the following steps
Security and Auditing Project Case Study
Introduction
DBAs are often asked to provide an effective data security and auditing design.
The case studies that follow require you to use these concepts, methods, and techniques to solve data accessibility problems.
These cases can be implemented in either ORACLE or SQL Server.
Security and Auditing Project Case Study
CASE 1 : Developing an Online Database
The main mission of the Web site is to provide a forum for database
technical tips, issues, and scripts.
The CIO and his technical team held a meeting to draft the requirements for the new web site and decided that it would include the following:
Technical documents
A forum where members can exchange ideas and share experiences
Online access
A tips section
Technical support for error messages
Security and Auditing Project Case Study
Immediately after the meeting, the newly appointed project manager asks you to implement security for the site.
The manager mentions that the security of a public database is so important that the CIO himself/herself has outlined the security requirements, as follows:
The online DB will have 10 public host database accounts that allow multiple sessions.
The password of a public host account must be reset to its original setting whenever a disconnect or logoff occurs.
Security and Auditing Project Case Study
Note: You may add other security and auditing features, as long as you do not overlook any of the requirements in this list.
Security and Auditing Project Case Study
The main objective of the virtual private database feature is to allow each client to administer its own payroll data without violating the privacy of other clients.
Security and Auditing Project Case Study
The given figure represents the payroll application model for case 2 (entities and their columns; FK = foreign key):
EMPLOYEE: EMPLOYEE_ID, COMPANY_ID (FK), TAX_ID, FIRST_NAME, LAST_NAME, HOURLY_SALARY, FED_CODE, STATE_CODE, MEDICAL_ELECTION, FOUR01_ELECTION, MEDICAL_DEDUCTION, OTHER_DEDUCTION, SICK_DAYS, VACATION_DAYS
COMPANY: COMPANY_ID, PP_ID (FK), CONTACT_NAME, STREET_NAME, CITY, STATE, ZIPCODE, PHONE, FAX, EMAIL, URL, STATUS
PAYROLL_PERIOD: PP_ID, PP_DESCRIPTION
COMPANY_ADMINISTRATORS: CA_ID, COMPANY_ID (FK), FIRST_NAME, LAST_NAME, SYSTEM_USERNAME
TIMESHEET: TS_ID, DAILY_WORK_HOURS
Security and Auditing Project Case Study
Your job is to develop a new database application to keep track of the jobs awarded to different contractors.
After several interviews with clerks and managers, you found out that a prior attempt at application development by a consulting company resulted in a draft of an entity-relationship (ER) diagram.
The ER diagram depicts all the required information about the contractors and the awarded jobs.
Security and Auditing Project Case Study
The given figure presents the contractor job data model for case 3 (entities and their columns; FK = foreign key):
CONTRACTOR: CONTRACTOR_ID, TAX_ID, CONTRACTOR_TYPE_ID (FK), CONTRACTOR_NAME, STREET_ADDRESS_01, STREET_ADDRESS_02, CITY, STATE, ZIPCODE, CONTACT_NAME, PHONE, FAX, MOBILE_PHONE, EMAIL, URL, CONTRACTOR_STATUS
JOB: JOB_ID, CONTRACTOR_ID (FK), JOB_TYPE_ID (FK), JOB_DESCRIPTION, JOB_CLASSIFICATION, JOB_RATE, START_DATE, COMPLETION_DATE, DAILY_PENALTY, PAYMENT_AGREEMENT
CONTRACTOR_TYPE: CONTRACTOR_TYPE_ID, CONTRACTOR_TYPE_DESCRIPTION
JOB_TYPE: JOB_TYPE_ID, JOB_TYPE_DESCRIPTION
Security and Auditing Project Case Study
During your meeting with the project manager for this application, you are asked to design an application with the following capabilities:
Obtain the approval of the project manager before accepting any contract job for more than $10,000
The DEPARTMENT CLERK level allows clerks to add and update records
They need your help to solve a series of database and application violations.
When you meet with the hiring manager, he/she explains that there has been a series of inexplicable, suspicious activities on the application and production databases.
Security and Auditing Project Case Study
Also, the company wants to have an audit trail for all these activities, but it is not interested in a trail of historical changes.
An audit trail of users that are modifying the structures of the application schema tables is required.
Security and Auditing Project Case Study
Sample data model for case 4
You may use the two tables illustrated in the given figure as samples of application schema tables (FK = foreign key):
PHYSICIAN: PHYSICIAN_ID, FIRST_NAME, LAST_NAME, MOBILE_NUMBER, PAGER_NUMBER
ALERT_SCHEDULE: ALERT_ID, PHYSICIAN_ID (FK), ALERT_TIMESTAMP, ALERT_STATUS, ALERT_COUNT, RESPONSE
Security and Auditing Project Case Study
The main requirement of this project is to create a security data model that will be used by the central authorization module for:
Application users
Roles
Applications
Application Modules
Security and Auditing Project Case Study
Your mission is to create an authorization data model with a relevant auditing repository
There must be one database user account for the application schema owner
Each application user is assigned a security level that indicates the type of operations the
user can perform within the application.
The security model should have the flexibility to logically lock, disable and remove
accounts
The security module must be coupled with an auditing module that meets these
auditing requirements
It must have an audit trail of the date and time a user connects to and disconnects from the application
It must have an audit trail of application operations that includes the date and
time operations were performed by the application user
It must have an audit trail of all activities and operations performed on the
security module
The auditing module must be coupled with the security module
15CS338E - Database Security and Privacy
Prepared by
Dr. B. Muruganantham
Assistant Professor
Department of
Computer Science and
Engineering
SRMIST, Chennai
References :
UNIT V - PRIVACY PRESERVING DATA MINING TECHNIQUES
Introduction
Privacy Preserving Data Mining Algorithms
General Survey
Randomization Methods
Group Based Anonymization
Distributed Privacy Preserving Data Mining
Curse of Dimensionality
Application of Privacy Preserving Data Mining
Introduction - privacy-preserving data mining
This tutorial explores the topic from the perspective of the different research communities involved and gives a fused picture of their work.
Privacy Preserving Data Mining Algorithms
Furthermore, the problem has been discussed in multiple communities such as the
database community, the statistical disclosure control community and the
cryptography community.
The key directions in the field of privacy-preserving data mining are as follows:
Privacy-Preserving Data Publishing
Changing the results of Data Mining Applications to preserve privacy
Query Auditing
Cryptographic Methods for Distributed Privacy
Theoretical Challenges in High Dimensionality
Privacy Preserving Data Mining Algorithms …
Changing the results of Data Mining Applications to preserve privacy:
This has spawned a field of privacy in which the results of data mining algorithms such as association rule mining are modified in order to preserve the privacy of the data.
Privacy Preserving Data Mining Algorithms …
Query Auditing:
Such methods are akin to the previous case of modifying the results of data mining algorithms.
Cryptographic Methods for Distributed Privacy:
In many cases, the data may be distributed across multiple sites, and the owners of the data across these different sites may wish to compute a common function.
Privacy Preserving Data Mining Algorithms …
Theoretical Challenges in High Dimensionality:
Real data sets are usually extremely high dimensional, and this makes the process of privacy-preservation extremely difficult from both a computational and an effectiveness point of view.
Privacy Preserving Data Mining Algorithms …
General Survey:
The idea is to provide an overview of the field for a new reader from the
perspective of the data mining community.
Privacy Preserving Data Mining Algorithms – A General Survey
Statistical Methods for Disclosure Control
Measures of Anonymity
The k-anonymity Method
The Randomization Method
Quantification of Privacy
Utility Based Privacy-Preserving Data Mining
Mining Association Rules under Privacy Constraints
Cryptographic Methods for Information Sharing and Privacy
Privacy Attacks
Query Auditing and Inference Control
Privacy and the Dimensionality Curse
Personalized Privacy Preservation
Privacy-Preservation of Data Streams
Conclusions and Summary
Privacy Preserving Data Mining Algorithms – A General Survey
Measures of Anonymity
Privacy Preserving Data Mining Algorithms – A General Survey
The k-anonymity Method
For example, if the identifications are removed from the records, attributes such as the birth date and zip-code can be used in order to uniquely identify the identities of the underlying records.
Privacy Preserving Data Mining Algorithms – A General Survey
Quantification of Privacy
Privacy Preserving Data Mining Algorithms – A General Survey
Mining Association Rules under Privacy Constraints
There are two aspects to the privacy-preserving association rule mining problem.
Privacy Preserving Data Mining Algorithms – A General Survey
Cryptographic Methods for Information Sharing and Privacy
In many cases, multiple parties may wish to share aggregate private data without leaking any sensitive information at their end.
For example, different superstores with sensitive sales data may wish to coordinate among themselves to learn aggregate trends without leaking the trends of their individual stores.
Horizontal Partitioning: In this case, the different sites may have different sets of records containing the same attributes.
Vertical Partitioning: In this case, the different sites may have different attributes of the same sets of records.
Privacy Preserving Data Mining Algorithms – A General Survey
Privacy Attacks
Privacy Preserving Data Mining Algorithms – A General Survey
Query Auditing and Inference Control
Many private databases are open to querying. This can compromise the security of the data when an adversary combines different kinds of queries in order to infer what the individual results are meant to hide.
There are two primary methods for preventing this kind of attack:
Query Output Perturbation: In this case, we add noise to the output of the query result in order to preserve privacy.
Privacy Preserving Data Mining Algorithms – A General Survey
Privacy and the Dimensionality Curse
Privacy Preserving Data Mining Algorithms – A General Survey
Conclusions and Summary
The broad areas of privacy are as follows:
Privacy-Preserving Applications:
This corresponds to designing data management and mining algorithms in such a way that privacy remains preserved. Some examples include association rule mining, classification, and query processing.
Utility Issues:
Since the perturbed data may often be used for mining and management purposes, its utility needs to be preserved. Therefore, the data mining and privacy transformation techniques need to be designed effectively, so as to preserve the utility of the results.
Randomization Method
The randomization method is a technique for privacy-preserving data
mining in which noise is added to the data in order to mask the attribute
values of records.
Randomization Method …
The method of randomization can be described as follows.
For each record xi ∈ X, a noise component yi is added to it.
These noise components are drawn independently, and are denoted y1 . . . yN.
Randomization Method …
Thus, if X is the random variable denoting the data distribution for the original record, Y is the random variable describing the noise distribution, and Z is the random variable denoting the final record, we have:
Z = X + Y
X = Z − Y
Now, we note that N instantiations of the probability distribution Z are known, whereas the distribution Y is known publicly.
For a large enough number of values N, the distribution Z can be approximated closely by using a variety of methods such as kernel density estimation.
By subtracting Y from the approximated distribution of Z, it is possible to approximate the original probability distribution X.
Randomization Method …
This is not true of other methods such as k-anonymity which require the
knowledge of other records in the data.
Randomization Method …
Privacy Quantification
The quantity used to measure privacy should indicate how closely the original value of an attribute can be estimated.
For example, if the perturbing additive is uniformly distributed in an interval of width 2α, then α is the amount of privacy at confidence level 50% and 2α is the amount of privacy at confidence level 100%.
Randomization Method …
Multiplicative Perturbations
Randomization Method …
As in the case of additive perturbations, multiplicative perturbations are not entirely safe from adversarial attacks.
In particular, given some prior knowledge, two kinds of attacks are possible.
Randomization Method …
Data Swapping
Noise addition or multiplication is not the only technique which can be used to perturb the data.
A related method is that of data swapping, in which the values across different records are swapped in order to perform the privacy-preservation.
One advantage of this technique is that the lower-order marginal totals of the data are completely preserved and are not perturbed at all.
This technique does not follow the general principle in randomization which allows the value of a record to be perturbed independently of the other records.
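As an added example (not from the slides or from the cited textbook), the following Python code works through the three randomization passages above on constructed data: the Z = X + Y perturbation and the recovery of X's aggregate statistics from Z and the public noise distribution, the α / 2α privacy intervals at 50% and 100% confidence, and data swapping with a check that single-column marginals are preserved. The staff table and the numeric data are made up for the demonstration.

```python
import random
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def perturb(xs: Sequence[float], alpha: float, rng: random.Random) -> List[float]:
    """Randomization: z_i = x_i + y_i, each y_i drawn independently and uniformly
    from [-alpha, alpha], an interval of width 2*alpha."""
    return [x + rng.uniform(-alpha, alpha) for x in xs]


def privacy_interval(z: float, alpha: float, confidence: float) -> Tuple[float, float]:
    """Interval around a perturbed value that contains the original with the given
    confidence.  For uniform noise of width 2*alpha it is 2*alpha*confidence wide:
    alpha at 50 % confidence, 2*alpha at 100 %."""
    half = alpha * confidence
    return (z - half, z + half)


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def variance(xs: Sequence[float]) -> float:
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / len(xs)


def reconstruct_moments(zs: Sequence[float], alpha: float) -> Tuple[float, float]:
    """Estimate mean and variance of X from the perturbed values and the public noise
    distribution alone: E[Y] = 0 gives E[X] = E[Z]; independence and
    Var(Y) = alpha^2 / 3 give Var(X) = Var(Z) - Var(Y).  This is the moment-level
    version of 'subtract Y from the approximated distribution of Z'."""
    return mean(zs), variance(zs) - alpha ** 2 / 3


def randomization_demo(seed: int = 7, n: int = 20000, alpha: float = 30.0) -> Dict[str, float]:
    """Constructed data: n values spread around 50 with standard deviation 10, masked
    with noise three times as wide.  Aggregates survive; each value is hidden
    within +/- alpha of its perturbed form."""
    rng = random.Random(seed)
    xs = [rng.gauss(50.0, 10.0) for _ in range(n)]
    zs = perturb(xs, alpha, rng)
    est_mean, est_var = reconstruct_moments(zs, alpha)
    return {
        "true_mean": mean(xs), "est_mean": est_mean,
        "true_var": variance(xs), "est_var": est_var,
        "max_abs_noise": max(abs(z - x) for z, x in zip(zs, xs)),
    }


# Constructed staff table for data swapping (labels and salaries are made up).
STAFF: List[Dict[str, object]] = [
    {"emp": "emp1", "dept": "ops", "salary": 52000},
    {"emp": "emp2", "dept": "dev", "salary": 61000},
    {"emp": "emp3", "dept": "dev", "salary": 58000},
    {"emp": "emp4", "dept": "ops", "salary": 49000},
]


def swap_column(records: List[Dict[str, object]], column: str,
                rng: random.Random) -> List[Dict[str, object]]:
    """Data swapping: permute one attribute across records.  Every single-column
    marginal (the multiset of values, hence totals and histograms) is preserved
    exactly; only the association between columns is perturbed."""
    values = [r[column] for r in records]
    rng.shuffle(values)
    return [dict(r, **{column: v}) for r, v in zip(records, values)]


def marginals_preserved(before, after, columns) -> bool:
    return all(Counter(r[c] for r in before) == Counter(r[c] for r in after)
               for c in columns)


def swap_demo(seed: int = 1) -> Tuple[bool, int, int]:
    """Swap salaries across STAFF and report (marginals preserved?, payroll before, after)."""
    swapped = swap_column(STAFF, "salary", random.Random(seed))
    return (marginals_preserved(STAFF, swapped, ["dept", "salary"]),
            sum(r["salary"] for r in STAFF), sum(r["salary"] for r in swapped))


if __name__ == "__main__":
    print(randomization_demo())
    print(privacy_interval(100.0, 30.0, 0.5), privacy_interval(100.0, 30.0, 1.0))
    print(swap_demo())
```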
Group Based Anonymization
The randomization method is a simple technique which can be easily
implemented at data collection time, because the noise added to a given record
is independent of the behavior of other data records.
This is also a weakness because outlier records can often be difficult to mask.
Group Based Anonymization …
The k-Anonymity Framework
For example, attributes such as age, zip-code and sex are available
in public records such as census rolls.
When these attributes are also available in a given data set, they can
be used to infer the identity of the corresponding individual.
Group Based Anonymization …
In k-anonymity techniques, the granularity of representation of these pseudo-identifiers is reduced with the use of techniques such as generalization and suppression.
It is clear that such methods reduce the risk of identification with the use of public records, while reducing the accuracy of applications on the transformed data.
Group Based Anonymization …
It was noted that the problem of optimal anonymization is inherently a difficult one.
It has been shown that the problem of optimal k-anonymization is NP-hard.
Nevertheless, the problem can be solved quite effectively by the use of a number of heuristic methods.
The values of the attributes are discretized into intervals (quantitative attributes) or grouped into different sets of values (categorical attributes). Each such grouping is an item.
For a given attribute, the corresponding items are also ordered. An index is created using these attribute-interval pairs (or items) and a set enumeration tree is constructed on these attribute-interval pairs.
Group Based Anonymization …
First, it checks k-anonymity for each single attribute, and removes all
those generalizations which do not satisfy k-anonymity. Then, it
computes generalizations in pairs, again pruning those pairs which do
not satisfy the k-anonymity constraints.
Personalized Privacy-Preservation
• Not all individuals or entities are equally concerned about their privacy.
• This leads to the natural problem that we may wish to treat the records in a given data set very differently for anonymization purposes.
• From a technical point of view, this means that the value of k for anonymization is not fixed but may vary with the record.
Personalized Privacy-Preservation…
This technique constructs groups of non-homogeneous size from the data, such that it is guaranteed that each record lies in a group whose size is at least equal to its anonymity level.
This technique assumes that an individual can specify a node of the domain generalization hierarchy in order to decide the level of anonymity that he can work with.
This approach has the advantage that it allows for direct protection
Utility Based Privacy Preservation
The process of privacy-preservation leads to loss of information for data mining purposes.
This loss of information can also be considered a loss of utility for data mining purposes.
Since some negative results on the curse of dimensionality suggest that a lot of attributes may need to be suppressed in order to preserve anonymity, it is extremely important to do this carefully in order to preserve utility.
Utility measures used for this purpose include:
Generalization height
Size of anonymized group
Discernability measures of attribute values
Privacy information loss ratio
Utility Based Privacy Preservation…
This kind of approach has greater flexibility, since it can tailor the
generalization process to a particular region of the data set.
Utility Based Privacy Preservation…
Another indirect approach to utility based anonymization is to make the privacy-
preservation algorithms more aware of the workload.
Typically, data recipients may request only a subset of the data in many cases, and
the union of these different requested parts of the data set is referred to as the
workload.
A workload in which some records are used more frequently than others tends to
suggest a different anonymization than one which is based on the entire data set.
In such cases, the utility measure is often affected by the underlying application at
hand.
Sequential Releases
Privacy-preserving data mining poses unique problems for dynamic applications such as data streams because in such cases the data is released sequentially.
In other cases, different views of the table may be released sequentially.
Once a data block is released, it is no longer possible to go back and increase the level of generalization.
On the other hand, new releases may sharpen an attacker's view of the data and may make the overall data set more susceptible to attack.
One technique relies on lossy joins in order to cripple an attack based on global quasi-identifiers.
The intuition behind this approach is that if the join is lossy enough, it will reduce the confidence of the attacker in relating the release from previous views to the current release.
A new generalization principle called m-invariance is proposed, which effectively limits the risk of privacy disclosure in re-publication.
The broad idea in this approach is to progressively and consistently increase the generalization granularity, so that the released data satisfies the k-anonymity requirement both with respect to the current table and with respect to the previous releases.
The l -diversity Method
k-anonymity is an attractive technique because of the simplicity of the definition and the numerous algorithms available to perform the anonymization.
Nevertheless, the technique is susceptible to many kinds of attacks, especially when background knowledge is available to the attacker.
Some kinds of such attacks are as follows:
Homogeneity Attack:
In this attack, all the values for a sensitive attribute within a group of k records are the same. Therefore, even though the data is k-anonymized, the value of the sensitive attribute for that group of k records can be predicted exactly.
Background Knowledge Attack:
In this attack, the adversary can use an association between one or more quasi-identifier attributes and the sensitive attribute in order to narrow down the possible values of the sensitive field further.
The l -diversity Method
While k-anonymity is effective in preventing identification of a record, it may not always be effective in preventing inference of the sensitive values of the attributes of that record.
When there are multiple sensitive attributes, the l-diversity problem becomes especially challenging because of the curse of dimensionality.
The t-closeness Model
• A t-closeness model was proposed which uses the property that the
distance between the distribution of the sensitive attribute within an
anonymized group should not be different from the global distribution
by more than a threshold t.
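The k-anonymity, homogeneity attack, l-diversity and t-closeness passages above describe three checks on the same anonymized table. The following added Python example (not from the slides or from the cited textbook) runs all three over a constructed medical table with quasi-identifiers age, zipcode and sex and the sensitive attribute disease; it shows that generalizing age to decades and zipcode to three digits reaches k = 3 but leaves one equivalence class homogeneous (l = 1), which t-closeness also flags. The records are made up, and total variation distance is used for t in place of the Earth Mover's Distance of the original t-closeness proposal, as a simplification for a categorical attribute.

```python
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
QI = Callable[[Record], Tuple[str, ...]]

# Constructed sample table (not real patient data).
RECORDS: List[Record] = [
    {"age": "23", "zip": "13053", "sex": "M", "disease": "Heart Disease"},
    {"age": "27", "zip": "13068", "sex": "F", "disease": "Flu"},
    {"age": "29", "zip": "13053", "sex": "M", "disease": "Cancer"},
    {"age": "31", "zip": "13053", "sex": "F", "disease": "Flu"},
    {"age": "36", "zip": "13068", "sex": "M", "disease": "Flu"},
    {"age": "38", "zip": "13053", "sex": "F", "disease": "Flu"},
    {"age": "41", "zip": "14850", "sex": "M", "disease": "Cancer"},
    {"age": "45", "zip": "14853", "sex": "F", "disease": "Heart Disease"},
    {"age": "47", "zip": "14850", "sex": "M", "disease": "Flu"},
    {"age": "49", "zip": "14853", "sex": "F", "disease": "Cancer"},
]


def generalize(age_width: int = 10, zip_keep: int = 3, keep_sex: bool = True) -> QI:
    """Build a quasi-identifier function: age generalized into ranges of age_width,
    zipcode truncated to zip_keep leading digits, sex optionally suppressed.
    generalize(1, 5, True) is the raw, ungeneralized table."""
    def qi(r: Record) -> Tuple[str, ...]:
        lo = (int(r["age"]) // age_width) * age_width
        age = f"{lo}-{lo + age_width - 1}" if age_width > 1 else r["age"]
        zipc = r["zip"][:zip_keep] + "*" * (len(r["zip"]) - zip_keep)
        sex = r["sex"] if keep_sex else "*"
        return (age, zipc, sex)
    return qi


def equivalence_classes(records: List[Record], qi: QI) -> Dict[Tuple[str, ...], List[Record]]:
    classes: Dict[Tuple[str, ...], List[Record]] = defaultdict(list)
    for r in records:
        classes[qi(r)].append(r)
    return dict(classes)


def k_anonymity(records: List[Record], qi: QI) -> int:
    """Largest k such that every quasi-identifier combination occurs at least k times."""
    return min(len(c) for c in equivalence_classes(records, qi).values())


def l_diversity(records: List[Record], qi: QI, sensitive: str = "disease") -> int:
    """Distinct l-diversity: the fewest distinct sensitive values in any class."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, qi).values())


def homogeneous_classes(records: List[Record], qi: QI,
                        sensitive: str = "disease") -> List[Tuple[str, ...]]:
    """Classes exposed to the homogeneity attack: every member shares one sensitive value,
    so k-anonymity hides the identity but not the diagnosis."""
    return [q for q, c in equivalence_classes(records, qi).items()
            if len({r[sensitive] for r in c}) == 1]


def total_variation(p: Counter, n_p: int, q: Counter, n_q: int) -> float:
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p[k] / n_p - q[k] / n_q) for k in keys)


def t_closeness(records: List[Record], qi: QI, sensitive: str = "disease") -> float:
    """Smallest t for which every class's sensitive-value distribution lies within
    distance t of the whole table's distribution (total variation distance here)."""
    overall = Counter(r[sensitive] for r in records)
    worst = 0.0
    for c in equivalence_classes(records, qi).values():
        local = Counter(r[sensitive] for r in c)
        worst = max(worst, total_variation(local, len(c), overall, len(records)))
    return worst


if __name__ == "__main__":
    for label, qi in (("raw", generalize(1, 5, True)),
                      ("decade+zip3, sex kept", generalize(10, 3, True)),
                      ("decade+zip3, sex suppressed", generalize(10, 3, False))):
        print(f"{label:30} k={k_anonymity(RECORDS, qi)} l={l_diversity(RECORDS, qi)} "
              f"t={t_closeness(RECORDS, qi):.3f} homogeneous={homogeneous_classes(RECORDS, qi)}")
```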
Distributed Privacy-Preserving Data Mining
The key goal in most distributed methods for privacy-preserving data mining is to allow computation of useful aggregate statistics over the entire data set without compromising the privacy of the individual data sets held by the different participants.
For this purpose, the data sets may either be horizontally partitioned or vertically partitioned.
In horizontally partitioned data sets, the individual records are spread out across multiple entities, each of which has the same set of attributes.
In vertical partitioning, the individual entities may have different attributes (or views) of the same set of records.
Distributed Privacy-Preserving Data Mining …
The problem of distributed privacy-preserving data mining overlaps closely with a field in cryptography concerned with secure multi-party computation.
For example, in a 2-party setting, Alice and Bob may have two inputs x and y respectively, and may both wish to compute the function f(x, y) without revealing x or y to each other.
This problem can also be generalized across k parties by designing the k-argument function h(x1 . . . xk). Many data mining algorithms may be viewed in the context of repetitive computations of many such primitive functions such as the scalar dot product, secure sum etc.
In order to compute the function f(x, y) or h(x1 . . . xk), a protocol has to be designed for exchanging information in such a way that the function is computed without compromising privacy.
Distributed Privacy-Preserving Data Mining …
The robustness of the protocol depends upon the level of trust one is willing to place in the two participants Alice and Bob.
Semi-honest Adversaries:
In this case, the participants Alice and Bob are curious and attempt to learn from the information received by them during the protocol, but do not deviate from the protocol themselves. In many situations, this may be considered a realistic model of adversarial behavior.
Malicious Adversaries:
In this case, Alice and Bob may deviate from the protocol, and may send sophisticated inputs to one another to learn from the information received from each other.
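The secure sum primitive mentioned above, run under the semi-honest model, is short enough to show in full. The following added Python example (not from the slides or from the cited textbook) implements the ring-based secure sum for k parties and uses it for the horizontally partitioned superstore case: each store holds its own per-item sales counts and the chain computes the aggregate per item. Store names and counts are constructed; the modulus is an assumption that bounds the values being summed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

MODULUS = 2 ** 64   # assumption: every input and the true total are below this bound


@dataclass
class Party:
    name: str
    value: int
    received: List[int] = field(default_factory=list)   # messages this party sees


def secure_sum(parties: List[Party], modulus: int = MODULUS) -> int:
    """Ring-based secure sum for semi-honest parties.

    The initiator masks its value with a uniformly random r; each other party adds
    its own value to the running total and forwards it; the initiator subtracts r.
    Every message is a uniformly random residue mod `modulus`, so a party that
    follows the protocol learns only the final total, not any individual value.

    Limitations (not addressed here): the two neighbours of a party can collude
    and subtract their messages to recover its value, and a malicious party can
    add a false value without detection, which is why the page distinguishes the
    semi-honest model from the malicious one.
    """
    if len(parties) < 3:
        raise ValueError("need at least three parties; with two, the total reveals the other value")
    initiator, others = parties[0], parties[1:]
    r = secrets.randbelow(modulus)
    running = (initiator.value + r) % modulus
    for p in others:
        p.received.append(running)            # message p receives from its predecessor
        running = (running + p.value) % modulus
    initiator.received.append(running)        # last party returns the total to the initiator
    return (running - r) % modulus


# Constructed per-store item counts (horizontal partitioning: same attributes, different rows).
SAMPLE_STORES: Dict[str, Dict[str, int]] = {
    "store1": {"milk": 120, "bread": 80},
    "store2": {"milk": 95, "eggs": 40},
    "store3": {"bread": 60, "eggs": 25, "milk": 10},
}


def aggregate_sales(stores: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Aggregate trend per item across stores; no store discloses its own figures,
    only the masked running totals travel between them."""
    items = sorted({item for counts in stores.values() for item in counts})
    totals: Dict[str, int] = {}
    for item in items:
        parties = [Party(name, counts.get(item, 0)) for name, counts in stores.items()]
        totals[item] = secure_sum(parties)
    return totals


if __name__ == "__main__":
    parties = [Party("Alice", 10), Party("Bob", 20), Party("Carol", 30)]
    print("total:", secure_sum(parties))
    for p in parties:
        print(f"  {p.name} holds {p.value}, saw {p.received}")
    print("per-item totals:", aggregate_sales(SAMPLE_STORES))
```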
The Curse of Dimensionality
Many privacy-preserving data-mining methods are inherently limited by the
curse of dimensionality in the presence of public information.
This is generally true, since adversaries may be familiar with the subject of
interest and may have greater information about them than what is publicly
available.
Applications of Privacy-Preserving Data Mining
Applications of Privacy-Preserving Data Mining …
Medical Databases: The Scrub and Datafly Systems
Scrub:
The Scrub system was designed for de-identification of clinical notes and letters, which typically occur in the form of textual data.
Clinical notes and letters are typically in the form of text which contains references to patients, family members, addresses, phone numbers or providers.
Traditional techniques simply use a global search and replace procedure in order to provide privacy.
However, clinical notes often contain cryptic references in the form of abbreviations which may only be understood by other providers or members of the same institution.
Therefore, traditional methods can identify no more than 30-60% of the identifying information in the data.
The Scrub system uses local knowledge sources which compete with one another based on the certainty of their findings.
Such a system is able to remove more than 99% of the identifying information from the data.
Applications of Privacy-Preserving Data Mining …
Datafly System:
The system was designed in response to the concern that removing only directly identifying attributes such as social security numbers was not sufficient to guarantee privacy.
Applications of Privacy-Preserving Data Mining …
Typically, the user of Datafly will set the anonymity level depending
upon the profile of the data recipient in question.
Applications of Privacy-Preserving Data Mining …
Bioterrorism Applications
Applications of Privacy-Preserving Data Mining …
Homeland Security Applications
A number of applications for homeland security are inherently intrusive because of the very nature of surveillance.
Some examples of such applications are as follows:
Credential Validation Problem:
• Trying to match the subject of the credential to the person presenting the credential.
• For example, the theft of social security numbers presents a serious threat to homeland security.
Identity Theft:
• A related technology is to use a more active approach to avoid identity theft.
• The Identity Angel system crawls through cyberspace and determines people who are at risk of identity theft.
• This information can be used to notify the appropriate parties.
Applications of Privacy-Preserving Data Mining …
Video-Surveillance:
Applications of Privacy-Preserving Data Mining …
The Watch List Problem:
The motivation behind this problem is that the government typically has a list of known terrorists or suspected entities which it wishes to track within the population.
Applications of Privacy-Preserving Data Mining …
Genomic Privacy
• Recent years have seen tremendous advances in the science of DNA sequencing and forensic analysis with the use of DNA.
• As a result, the databases of collected DNA are growing very fast in both the medical and law enforcement communities.
• DNA data is considered extremely sensitive, since it contains almost uniquely identifying information about an individual.
• As in the case of multi-dimensional data, simple removal of directly identifying data such as the social security number is not sufficient to prevent re-identification.
• It has been shown that software called CleanGene can determine the identifiability of DNA entries independent of any other demographic or other identifiable information.
• The software relies on publicly available medical data and knowledge of particular diseases in order to assign identifications to DNA entries.
• Another method for compromising the privacy of genomic data is that of trail re-identification, in which the uniqueness of patient visit patterns is exploited in order to make identifications.