An Intrusion Response System for Relational Databases

1. INTRODUCTION
Recently, we have seen an interest in products that continuously monitor a database system and report any relevant suspicious activity. Database activity monitoring has been identified by Gartner research as one of the top five strategies that are crucial for reducing data leaks in organizations. This step-up in data vigilance by organizations is partly driven by various US government regulations concerning data management such as SOX, PCI, GLBA, HIPAA, and so forth. Organizations have also come to realize that current attack techniques are more sophisticated, organized, and targeted than the broad-based hacking days of the past. Often, it is the sensitive and proprietary data that is the real target of attackers. Also, with greater data integration, aggregation and disclosure, preventing data theft, from both inside and outside organizations, has become a major challenge. Standard database security mechanisms, such as access control, authentication, and encryption, are not of much help when it comes to preventing data theft from insiders. Such threats have thus forced organizations to reevaluate security strategies for their internal databases. Monitoring a database to detect potential intrusions, intrusion detection (ID), is a crucial technique that has to be part of any comprehensive security solution for high-assurance database security. Note that the ID systems that are developed must be tailored for a Database Management System (DBMS) since database-related attacks such as SQL injection and data exfiltration are not malicious for the underlying operating system or the network.

Our approach to an ID mechanism consists of two main elements, specifically tailored to a DBMS: an anomaly detection (AD) system and an anomaly response system. The first element is based on the construction of database access profiles of roles and users, and on the use of such profiles for the AD task. A user request that does not conform to the normal access profiles is characterized as anomalous. Profiles can record information of different levels of details; we refer the reader to for additional information and experimental results. The second element of our approach, the focus of this paper, is in charge of taking some actions once an anomaly is detected. There are three main types of response actions that we refer to, respectively, as conservative actions, fine-grained actions, and aggressive actions. The conservative actions, such as sending an alert, allow the anomalous request to go through, whereas the aggressive actions can effectively block the anomalous request. Fine-grained response actions, on the other hand, are neither conservative nor aggressive. Such actions may suspend or taint an anomalous request. A suspended request is simply put on hold, until some specific actions are executed by the user, such as the execution of further authentication steps. A tainted request is marked as a potentially suspicious request, resulting in further monitoring of the user and possibly in the suspension or dropping of subsequent requests by the same user.

Department of MCA, SVCET, Chittoor

2. OBJECTIVE
With greater data integration, aggregation and disclosure, preventing data theft, from both inside and outside organizations, has become a major challenge. Standard database security mechanisms, such as access control, authentication, and encryption, are not of much help when it comes to preventing data theft from insiders. Such threats have thus forced organizations to reevaluate security strategies for their internal databases. Monitoring a database to detect potential intrusions, intrusion detection (ID), is a crucial technique that has to be part of any comprehensive security solution for high-assurance database security. Our approach is to design an ID mechanism that consists of two main elements, specifically tailored to a DBMS: an anomaly detection (AD) system and an anomaly response system. The first element is based on the construction of database access profiles of roles and users, and on the use of such profiles for the AD task. A user request that does not conform to the normal access profiles is characterized as anomalous. The second element of our approach is in charge of taking some actions once an anomaly is detected.

3. LITERATURE SURVEY
3.1. DOMAIN KNOWLEDGE
3.1.1 DATA MINING
Generally, data mining (sometimes called data or knowledge discovery) is the process of analyzing data from different perspectives and summarizing it into useful information - information that can be used to increase revenue, cut costs, or both. Data mining software is one of a number of analytical tools for analyzing data. It allows users to analyze data from many different dimensions or angles, categorize it, and summarize the relationships identified. Technically, data mining is the process of finding correlations or patterns among dozens of fields in large relational databases. Although data mining is a relatively new term, the technology is not. However, continuous innovations in computer processing power, disk storage, and statistical software are dramatically increasing the accuracy of analysis while driving down the cost.

3.1.2 DATA AND KNOWLEDGE ENGINEERING
Database Systems and Knowledge base Systems share many common principles. Data & Knowledge Engineering (DKE) stimulates the exchange of ideas and interaction between these two related fields of interest. DKE reaches a worldwide audience of researchers, designers, managers and users. The major aim of the journal is to identify, investigate and analyze the underlying principles in the design and effective use of these systems. DKE achieves this aim by publishing
original research results, technical advances and news items concerning data engineering, knowledge engineering, and the interface of these two fields. The problem of insider threats to DBMSs is being recognized as a major security threat by the organizations; in a 2004 E-crime watch survey conducted by CERT and US Secret Service, insider threat was identified as the second biggest threat after hackers. The solution to the insider threat problem requires among other techniques the adoption of mechanisms able to detect and respond to access anomalies by users internal to the organization owning the data. For our IDR system to provide stronger security guarantees, it needs to ensure that the activities of even the database administrators (DBAs) be monitored, and responded to if deemed malicious. This is a difficult problem to address since the policies that specify a response action need to be created for the DBAs who are, in turn, responsible for managing the same policies.

3.2. SYSTEM INTRODUCTION
Organizations have come to realize that current attack techniques are more sophisticated, organized, and targeted than the broad-based hacking days of the past. Often, it is the sensitive and proprietary data that is the real target of attackers. Also, with greater data integration, aggregation and disclosure, preventing data theft, from both inside and outside organizations, has become a major challenge. Standard database security mechanisms, such as access control, authentication, and encryption, are not of much help when it comes to preventing data theft from insiders. Such threats have thus forced organizations to reevaluate security strategies for their internal databases. Monitoring a database to detect potential intrusions, intrusion detection (ID), is a crucial technique that has to be part of any comprehensive security solution for high-assurance database security.

3.3 PREVIOUS TAXONOMY
Title: The Cyber Enemy within ... Countering the Threat from Malicious Insiders.
Authors: D. Brackney, T. Goan, A. Ott, and L. Martin.
One of the most critical problems facing the information security community is the threat of a malicious insider abusing his computer privileges to modify, remove, or prevent access to an organization's data. An insider is considered trusted (at least implicitly) by his organization because he is granted access to its computing environment. Whether or not that insider is in fact trustworthy is a question that lies at the heart of the insider threat problem. Complicating this problem is the fact that there is no "one size fits all" description of a malicious insider. Motivations, objectives, cyber expertise, system privileges[1] all can and do vary from one case to the next.

Title: Detecting Anomalous Access Patterns in Relational Databases.
Authors: A. Kamra, E. Terzi, and E. Bertino.
A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper[2], we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem.

Title: Responding to Anomalous Database Requests.
Authors: A. Kamra, E. Bertino, and R.V. Nehme.
Organizations have recently shown increased interest in database activity monitoring and anomaly detection techniques to safeguard their internal databases. Once an anomaly is detected, a response from the database is needed to contain the effects of the anomaly. However, the problem of issuing an appropriate response to a detected database anomaly has received little attention so far. In this paper[3], we propose a framework and policy language for issuing a response to a database anomaly based on the characteristics of the anomaly. We also propose a novel approach to dynamically change the state of the access control system in order to contain the damage that may be caused by the anomalous request. We have also carried out an experimental evaluation to assess the performance overhead introduced by our response mechanism. The experimental results show that the techniques are very efficient.

Title: Design and Implementation of SAACS: A State-Aware Access Control System.
Authors: A. Kamra and E. Bertino.
The intrusion response component of an overall intrusion detection system is responsible for issuing a suitable response to an anomalous request. We propose the notion of database response policies to support our intrusion response system tailored for a DBMS. Our interactive response policy language makes it very easy for the database administrators to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request [4]. The two main issues that we address in context of such response policies are that of policy matching, and policy administration. For the policy matching problem, we propose two algorithms that efficiently search the policy database for policies that match an anomalous request. We also extend the PostgreSQL DBMS with our policy matching mechanism, and report experimental results. The experimental evaluation shows that our techniques are very efficient.

3.4 OUR TAXONOMY
Our proposed solution is to design and implement an intrusion response system to overcome the drawbacks of the existing system. The two main issues that we address in context of such response policies are that of policy matching, and policy administration. For the policy matching problem, we propose two algorithms that efficiently search the policy database for policies that match an anomalous request. We also extend the PostgreSQL DBMS with our policy matching mechanism, and report experimental results. The experimental evaluation shows that our techniques are very efficient. The other issue that we address is that of administration of response policies to prevent malicious modifications to policy objects from legitimate users. We propose a novel Joint Threshold Administration Model (JTAM) that is based on the principle of separation of duty. The key idea in JTAM is that a policy object is jointly administered by at least k database administrators (DBAs), that is, any modification made to a policy object will be invalid unless it has been authorized by at least k DBAs. We present design details of JTAM, which is based on a cryptographic threshold signature scheme, and show how JTAM prevents malicious modifications to policy objects from authorized users. The main contributions can be summarized as follows:
• We present a framework for specifying intrusion response policies in the context of a DBMS.
• We present a novel administration model called JTAM for administration of response policies.
• We present algorithms to efficiently search the policy database for policies that match an anomalous request.
• We extend the PostgreSQL DBMS with our response policy mechanism, and conduct an experimental evaluation of our techniques.

3.4.1 POLICY LANGUAGE
The detection of an anomaly by the detection engine can be considered as a system event. The attributes of the anomaly, such as user, role, and SQL command, then correspond to the environment surrounding such an event. Intuitively, a policy can be specified taking into account the anomaly attributes to guide the response engine in taking a suitable action. Keeping this in mind, we propose an Event-Condition-Action (ECA) language for specifying response policies.

3.4.1.1 Attributes and Conditions
The anomaly detection mechanism provides its assessment of the anomaly using the anomaly attributes. We have identified two main categories for such attributes. The first category, referred to as contextual category includes all attributes describing the context of the anomalous request such as user, role,
source, and time. The second category, referred to as structural category includes all attributes conveying information about the structure of the anomalous request such as SQL command, and accessed database objects.

3.4.1.2 Response Actions
Once a database request has been flagged as anomalous, an action is executed by the response system to address the anomaly. The response action to be executed is specified as part of a response policy.

3.4.2 POLICY ADMINISTRATION
The main issue in the administration of response policies is how to protect a policy from malicious modifications made by a DBA that has legitimate access rights to the policy object. To address this issue, we propose an administration model referred to as the Joint Threshold Administration Model (JTAM). The threat scenario that we assume is that a DBA has all the privileges in the DBMS, and is thus able to execute arbitrary SQL insert, update, and delete commands to make malicious modifications to the policies. Such actions are possible even if the policies are stored in the system catalogs. JTAM protects a response policy against malicious modifications by maintaining a digital signature on the policy definition. The signature is then validated either periodically or upon policy usage to verify the integrity of the policy definition. One of the key assumptions in JTAM is that we do not assume the DBMS to be in possession of a secret key for verifying the integrity of policies. If the DBMS possessed such a key, it could simply create an HMAC (Hashed Message Authentication Code) of each policy using its secret key, and later use the same key to verify the integrity of the policy. However, management of such a secret key is an issue since we cannot assume the key to be hidden from a malicious DBA. The fundamental premise of our approach is that we do not trust a single DBA (with the secret key) to create or manage the response policies, but the threat is mitigated if the trust (the secret key) is distributed among multiple DBAs. This is also the fundamental problem in threshold cryptography, that is, the problem of secure sharing of a secret. We thus base JTAM on a threshold cryptographic signature scheme.
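The k-of-n property described above, shown as an added example that is not code from this project: it assumes an RSA threshold signature in the style of Shoup's construction (the page does not say which scheme JTAM uses), with toy primes, a constructed policy string, and hypothetical function names.

```python
import hashlib
from math import factorial, gcd

# Toy parameters constructed for this example: two small safe primes
# (p = 2p'+1, q = 2q'+1). A real deployment needs primes of 1024+ bits.
P, Q = 1019, 2039
N = P * Q                                # public modulus
M = ((P - 1) // 2) * ((Q - 1) // 2)      # p'q'; the dealer discards it after setup
E = 65537                                # public exponent (prime, larger than n)
D = pow(E, -1, M)                        # signing exponent; split, never stored whole


def digest_to_group(policy: str) -> int:
    """Hash a policy definition to an element of Z_N*; the counter skips
    the rare digests that share a factor with N."""
    ctr = 0
    while True:
        h = hashlib.sha256(f"{ctr}:{policy}".encode()).digest()
        x = int.from_bytes(h, "big") % N
        if x > 1 and gcd(x, N) == 1:
            return x
        ctr += 1


def deal_shares(n: int, coeffs: list) -> dict:
    """Shamir-share D over Z_M with f(z) = D + c1*z + c2*z^2 + ...
    DBA i receives f(i); the threshold is k = len(coeffs) + 1."""
    return {i: (D + sum(c * i ** (j + 1) for j, c in enumerate(coeffs))) % M
            for i in range(1, n + 1)}


def partial_sign(policy: str, share: int, n: int) -> int:
    """What one DBA computes locally with their own share."""
    return pow(digest_to_group(policy), 2 * factorial(n) * share, N)


def combine(policy: str, partials: dict, n: int) -> int:
    """Combine partial signatures {dba_id: value} into one RSA signature."""
    delta, x, w = factorial(n), digest_to_group(policy), 1
    for i in partials:
        num, den = delta, 1
        for j in partials:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam = num // den                 # integer Lagrange coefficient at 0, scaled by delta
        w = w * pow(partials[i], 2 * lam, N) % N
    # With at least k correct partials, w^E == x^(4*delta^2). gcd(E, 4*delta^2) == 1,
    # so a*(4*delta^2) + b*E == 1 turns w into an ordinary e-th root of x.
    e_prime = 4 * delta * delta
    a = pow(e_prime, -1, E)
    b = (1 - a * e_prime) // E
    return pow(w, a, N) * pow(x, b, N) % N


def verify(policy: str, signature: int) -> bool:
    """The DBMS-side check: needs only the public (N, E), no secret key."""
    return pow(signature, E, N) == digest_to_group(policy)


def demo() -> dict:
    n = 3                                        # three DBAs, threshold k = 2
    shares = deal_shares(n, [424242])            # constructed coefficient
    policy = "IF role = 'hr_clerk' AND object LIKE 'finance.%' THEN SUSPEND"  # constructed
    two = {i: partial_sign(policy, shares[i], n) for i in (1, 3)}
    one = {1: partial_sign(policy, shares[1], n)}
    sig = combine(policy, two, n)
    return {
        "two_dbas_valid": verify(policy, sig),
        "one_dba_valid": verify(policy, combine(policy, one, n)),
        "edited_policy_valid": verify(policy.replace("SUSPEND", "ALERT"), sig),
    }


if __name__ == "__main__":
    print(demo())
```

Verification uses only public values, so a DBA who edits the stored policy text cannot produce a matching signature without a second DBA's share.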

3.4.3 POLICY MATCHING
We present our algorithms for finding the set of policies matching an anomaly. Such a search is executed by matching the attributes of the anomaly assessment with the conditions in the policies. Policy matching is the problem of searching for policies applicable to an anomalous request. When an anomaly is detected, the response system must search through the policy database and find policies that match the anomaly. Our ID mechanism is a real-time intrusion detection and response system; thus efficiency of the policy search procedure is crucial. There are two variations of our policy matching algorithm: the first is called the Base Policy Matching algorithm, and the second is called the Ordered Policy Matching algorithm.

3.4.4 RESPONSE ACTION SELECTION
In the event of multiple policies matching an anomaly, we must provide for a resolution scheme to determine the response to be issued. We propose the following two rank-based selection options that are based on the severity level of the response actions:

Most Severe Policy (MSP): The severity level of a response policy is determined by the highest severity level of its response action. This strategy selects the most severe policy from the set of matching policies. Note that the response actions described in Section 3.1.2 are categorized according to their severity levels. Also, in the case of interactive ECA response policies, the severity of the policy is taken as the severity level of the Failure Action.

Least Severe Policy (LSP): This strategy, unlike the MSP strategy, selects the least severe policy.
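Policy matching followed by MSP/LSP selection, as an added example that is not the project's code: it uses a plain linear scan (not the Base or Ordered Policy Matching algorithm, which the page does not detail), and the numeric severity ranks, operator names, policies and anomaly record are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed numeric ranks. The page only orders the action types:
# conservative (ALERT) < fine-grained (TAINT, SUSPEND) < aggressive (DROP).
SEVERITY = {"ALERT": 1, "TAINT": 2, "SUSPEND": 3, "DROP": 4}

# Predicate operators usable in a policy condition (hypothetical set).
OPS = {
    "=": lambda actual, want: actual == want,
    "in": lambda actual, want: actual in want,
    ">=": lambda actual, want: actual >= want,
    "any_prefix": lambda actual, want: any(o.startswith(want) for o in actual),
}


@dataclass(frozen=True)
class Policy:
    pid: str
    conditions: tuple                      # conjunction of (attribute, op, value)
    action: str
    failure_action: Optional[str] = None   # present only on interactive policies

    @property
    def severity(self) -> int:
        # Interactive policies are ranked by their Failure Action.
        return SEVERITY[self.failure_action or self.action]


def matches(policy: Policy, anomaly: dict) -> bool:
    """True when every predicate holds; a predicate on an attribute the
    detector did not report counts as not satisfied."""
    return all(attr in anomaly and OPS[op](anomaly[attr], want)
               for attr, op, want in policy.conditions)


def matching_policies(policies, anomaly):
    return [p for p in policies if matches(p, anomaly)]


def select_policy(policies, anomaly, strategy="MSP"):
    """Resolve multiple matches: MSP picks the most severe, LSP the least."""
    if strategy not in ("MSP", "LSP"):
        raise ValueError("strategy must be 'MSP' or 'LSP'")
    hits = matching_policies(policies, anomaly)
    if not hits:
        return None
    pick = max if strategy == "MSP" else min
    return pick(hits, key=lambda p: p.severity)


# Constructed policies mixing contextual (user, role, hour) and
# structural (command, objects) anomaly attributes.
POLICIES = [
    Policy("P1", (("role", "=", "hr_clerk"),), "ALERT"),
    Policy("P2", (("objects", "any_prefix", "finance."),), "SUSPEND", "DROP"),
    Policy("P3", (("command", "in", ("UPDATE", "DELETE")),), "DROP"),
    Policy("P4", (("user", "=", "alice"), ("hour", ">=", 20)), "TAINT"),
]

# Constructed anomaly: an HR user reading from the finance schema at night.
ANOMALY = {
    "user": "alice", "role": "hr_clerk", "source": "10.2.3.4", "hour": 23,
    "command": "SELECT", "objects": ("finance.payroll",),
}

if __name__ == "__main__":
    print([p.pid for p in matching_policies(POLICIES, ANOMALY)])
    print(select_policy(POLICIES, ANOMALY, "MSP").pid,
          select_policy(POLICIES, ANOMALY, "LSP").pid)
```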

4. PROBLEM IDENTIFICATION & SYSTEM FRAMEWORK
4.1 PROBLEM DEFINITION & EXAMPLE
Data represent today an important asset for companies and organizations. Some of these data are worth millions of dollars and organizations take great care at controlling access to these data, with respect to both internal users, within the organization, and external users, outside the organization. Data security is also crucial when addressing issues related to privacy of data pertaining to individuals; companies and organizations managing such data need to provide strong guarantees about the confidentiality of these data in order to comply with legal regulations and policies. Overall, data security has a central role in the larger context of information systems security. Therefore, the development of Database Management Systems (DBMSs) with high-assurance security is a central research issue. The development of such DBMSs requires a revision of architectures and techniques adopted by traditional DBMS. An important component of this new generation security-aware DBMS is an Intrusion Detection (ID) mechanism. Even though DBMSs provide access control mechanisms, these mechanisms alone are not enough to guarantee data security; they need to be complemented by suitable ID mechanisms. However, despite the fact that building ID systems for networks and operating systems has been an active area of research, few ID systems exist that are specifically tailored to DBMS.

For example, consider a database user/application that normally accesses data only from the human resources schema. Suppose that such a user/application submits a SQL command to the DBMS that accesses the financial records of the employees from the finance schema. Such an anomalous access pattern of the SQL command may be the result of a SQL injection vulnerability or privilege abuse by an authorized user. The key observation is that an ID system designed for a network or an operating system is ineffective against such database-specific malicious actions.

4.2 SYSTEM FRAMEWORK
Our proposed solution is to design and implement an intrusion response system to overcome the drawbacks of the existing system. The two main issues that we address in context of such response policies are that of policy matching, and policy administration. For the policy matching problem, we propose two algorithms that efficiently search the policy database for policies that match an anomalous request. The other issue that we address is that of administration of response policies to prevent malicious modifications to policy objects from legitimate users. We propose a novel Joint Threshold Administration Model (JTAM) that is based on the principle of separation of duty. The key idea in JTAM is that a policy object is jointly administered by at least k database administrators (DBAs), that is, any modification made to a policy object will be invalid unless it has been authorized by at least k DBAs. We present design details of JTAM, which is based on a cryptographic threshold signature scheme, and show how JTAM prevents malicious modifications to policy objects from authorized users.

Fig. 4.1 System Framework

4.3 SYSTEM FLOW CHART
A flow chart is a graphical tool used to describe and analyze the movement of data through a system. The transformation of data from input to output, through processing, may be described logically associated with the system.

Fig.4.2 System Flow Chart

4.4 SYSTEM REQUIREMENTS
4.4.1 FUNCTIONAL REQUIREMENTS
Functional requirements should include functions performed by specific screens, outlines of work-flows performed by the system and other business or compliance requirements the system must meet. The functionalities in my project are:
• File should be browsed.
• Select the conditions for the browsed file.
• Send the file to the detector.
• Detector accepts the request and verifies whether it is anomaly or not.
• For anomaly requests the query is not processed and the detector takes appropriate actions.
• For non-anomaly requests the query is processed and the sink is updated.

4.4.2 NON FUNCTIONAL REQUIREMENTS
The non-functional requirements in my project are:

ACCESSIBILITY: Accessibility can be viewed as the "ability to access" and possible benefit of some system or entity. Accessibility is often used to focus on people with disabilities and their right of access to the system.

PERFORMANCE: Computer performance is characterized by the amount of useful work accomplished by a computer system compared to the time and resources used.

PORTABILITY: Portability is the ability of a software code base to reuse the existing code instead of creating new code when moving software from one environment to another.

SECURITY: Security is the degree of protection against danger, loss, and criminals. Security has to be compared and contrasted with other related concepts: safety, continuity, reliability.

4.4.3 HARDWARE REQUIREMENTS
Processor      : PENTIUM IV 2.6 GHz
RAM            : 256 MB and above
Hard Disk      : 10 GB
Input device   : Standard Keyboard and Mouse
Output device  : VGA and High Resolution Monitor

4.4.4 SOFTWARE REQUIREMENTS
Front End         : Java
Operating System  : Windows
Back End          : SQL Server 2005

5. SYSTEM DESIGN
5.1 DATABASE DESIGN
ENTITY RELATIONSHIP (E-R) DIAGRAM
A logical or graphical representation of data for an organization using entities, attributes and their relationships is termed an E-R diagram.

Entity: An entity may be defined as a thing which is recognized as being capable of an independent existence and which can be uniquely identified. An entity is represented by a rectangle.

Relationship: A relationship captures how two or more entities are related to one another.

Attributes: Entities and relationships can both have attributes. An attribute is represented by an ellipse.

E-R DIAGRAM
[E-R diagram: entity Policy DB (attributes: Policy Id, Policy Data), relationship "have", entity User Info (attributes: Id, Role, Name, Address)]

Fig. 5.1 E-R Diagram

TABLES

Column Name    Data Type
PolicyId       varchar(10)
PolicyData     varchar(20)

Table 5.1 Policy Information

Column Name    Data Type
Id             varchar(10)
Role           varchar(10)
Name           varchar(10)
Address        varchar(10)

Table 5.2 User Details

5.2 MODULE DESCRIPTION
The system is built from four modules, which are explained below:
• Anomalous Request
• Intrusion Detection
• Protection Data Transmission
• Intrusion Response

ANOMALOUS REQUEST
The interactive response policy language makes it very easy for the database administrators to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request. The conservative actions, such as sending an alert, allow the anomalous request to go through, whereas the aggressive actions can effectively block the anomalous request. Recall that a response policy is created to select a response action to be executed in the event of an anomalous request.

INTRUSION DETECTION
Monitoring a database to detect potential intrusions, intrusion detection (ID), is a crucial technique that has to be part of any comprehensive security solution for high-assurance database security. We present a framework for specifying intrusion response policies in the context of a DBMS. The two main issues that we address in context of such response policies are that of policy matching, and policy administration.

Policy Matching
Policy matching is the problem of searching for policies applicable to an anomalous request. When an anomaly is detected, the response system must search through the policy database and find policies that match the anomaly. Our ID mechanism is a real-time intrusion detection and response system; thus efficiency of the policy search procedure is crucial.

Policy Administration
The main issue in the administration of response policies is how to protect a policy from malicious modifications made by a DBA that has legitimate access rights to the policy object. We propose an administration model referred to as JTAM. The threat scenario that we assume is that a DBA has all the privileges in the DBMS, and is thus able to execute arbitrary SQL insert, update, and delete commands to make malicious modifications to the policies.

PROTECTION DATA TRANSMISSION
Data protection must deal with two general problems. First, data must be protected from unauthorized access and tampering. This is the problem of data security. Second, data must be protected from errors by authorized system users. Concern for data security will take different forms in different system applications. Individual users may be concerned with personal privacy, and wish to limit access to private data files. Corporate organizations may seek to protect data related to proprietary interests.

INTRUSION RESPONSE
A condition is specified on the attributes of the detected anomaly. An action is the response action executed by the engine. Our implementation of the response system can be configured to include/exclude other user-defined anomaly attributes. The other issue we address is that of administration of response policies to prevent malicious modifications to policy objects from legitimate users.

5.3 UML DIAGRAMS
The UML is applicable to object-oriented problem solving. Anyone interested in learning UML must be familiar with the underlying tenet of object-oriented problem solving -- it all begins with the construction of a model. A model is an abstraction of the underlying problem. The domain is the actual world from which the problem comes.

5.3.1 USE CASE DIAGRAM
Use case diagrams represent the functionality of the system from a user's point of view. Use cases are used during requirements elicitation and analysis to represent the functionality of the system. Use cases focus on the behavior of the system from an external point of view.

Actors are external entities that interact with the system. Examples of actors include users like administrator, bank customer …etc., or another system like central database.

[Use case diagram: actors SENDER and SYSTEM; use cases BROWSE FILE, SEND FILE, INTRUDER DETECTED, INSERT RECORD, VIEW, DETECTION DETAILS]

Fig. 5.2 Use Case Diagram

5.3.2 SEQUENCE DIAGRAM
A sequence diagram is an interaction diagram that details how operations are carried out -- what messages are sent and when. Sequence diagrams are organized according to time. The time progresses as you go down the page. The objects involved in the operation are listed from left to right according to when they take part in the message sequence.

[Sequence diagram: lifelines :SENDER and :SYSTEM; messages include browse, send file, insert file, view, and detection details]

Fig. 5.3 Sequence Diagram

5.3.3 CLASS DIAGRAM
A Class diagram gives an overview of a system by showing its classes and the relationships among them. Class diagrams are static -- they display what interacts but not what happens when they do interact.

[Class diagram: JFrame subclasses Detector1, Detector2, Detector3, Source1, Sink1, Sink2 and Sink3, each with socket fields and Swing event-handler methods]

Fig.5.4 Class Diagram

Our class diagram has three kinds of relationships.

association -- a relationship between instances of the two classes. There is an association between two classes if an instance of one class must know about the other in order to perform its work. In a diagram, an association is a link connecting two classes.

aggregation -- an association in which one class belongs to a collection. An aggregation has a diamond end pointing to the part containing the whole.

generalization -- an inheritance link indicating one class is a super class of the other. A generalization has a triangle pointing to the super class.


5.3.4 ACTIVITY DIAGRAM
An activity diagram is essentially a fancy flowchart. Activity diagrams and state chart diagrams are related. While a state chart diagram focuses attention on an object undergoing a process (or on a process as an object), an activity diagram focuses on the flow of activities involved in a single process. The activity diagram shows how those activities depend on one another.

[Figure: activity flow. Start, Browse a file, Send a file, Intrusion Response System (decision with NO and YES branches), Sink, End.]

Fig.5.5 Activity Diagram


5.4 TECHNIQUES
The following techniques are used in our project to overcome the drawbacks of previous systems:
• Policy Matching
• Policy Administration

POLICY MATCHING
Policy matching is the problem of searching for policies applicable to an anomalous request. When an anomaly is detected, the response system must search through the policy database and find policies that match the anomaly. Our ID mechanism is a real-time intrusion detection and response system; thus efficiency of the policy search procedure is crucial.

POLICY ADMINISTRATION
The main issue in the administration of response policies is how to protect a policy from malicious modifications made by a DBA that has legitimate access rights to the policy object. We propose an administration model referred to as JTAM. The threat scenario that we assume is that a DBA has all the privileges in the DBMS, and is thus able to execute arbitrary SQL insert, update, and delete commands to make malicious modifications to the policies.


5.5 SYSTEM ARCHITECTURE
The system’s architecture consists of three main components: the traditional DBMS that handles the query execution, the profile creator module for collecting the training data and creating/maintaining the profiles, and the detection and response mechanisms integrated with the core DBMS functionality. These components form the new extended DBMS that is enhanced with an independent ID system operating at the database level.

Fig.5.6 System Architecture

The flow of interactions for the IDR process is shown in Figure 5.5. During the training phase, the SQL commands submitted to the DBMS (or read from the audit log) are analyzed by the profile creator module to create the initial profiles of the database users. For every SQL command under detection, the feature selector module extracts the features from the queries in the format expected by the detection engine. The detection engine then runs the extracted features through the detection algorithm. If an anomaly is detected, the detection mechanism submits its assessment of the SQL command to the response engine according to a predefined interface; otherwise the command information is sent to the profile creator process for updating the profiles. The response engine consults a policy base of existing response policies to issue a response depending on the assessment of the query submitted by the detection engine.

Notice that the fact that a query is anomalous may not necessarily imply an intrusion. Other information and security policies must also be taken into account. For example, if the user logged under the role is performing some special activities to manage an emergency, the response mechanism may be instructed not to raise alarms in such circumstances. If the response engine decides to raise an alarm, certain actions for handling the alarm can be taken. The most common action is to send an alert to the security administrator. However, other actions are possible, such as logging the alarm, dropping the query, or even taking no action at all.
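The policy search described under POLICY MATCHING and the response engine's lookup described above can be sketched as follows. This is an added example, not the project's source code and not the matching algorithm of the original work: the attribute names (role, user, command, object), the sample policies, the severity ordering of the actions and the default alert are assumptions made for illustration (Java 9 or later). It indexes each policy's equality predicates so that an anomaly assessment is matched by counting satisfied predicates instead of evaluating every condition of every policy.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class PolicyMatcher {

    // Response actions named in this report. The severity order (least to most
    // severe) is an assumption of this example.
    enum Action { NO_ACTION, LOG, ALERT, TAINT, SUSPEND, DROP }

    // A response policy applies only when every one of its conditions holds.
    static final class Policy {
        final String name;
        final Map<String, String> conditions; // attribute -> required value
        final Action action;

        Policy(String name, Map<String, String> conditions, Action action) {
            this.name = name;
            this.conditions = conditions;
            this.action = action;
        }
    }

    private final List<Policy> policies = new ArrayList<>();
    // Predicate index: "attribute=value" -> ids of the policies that require it.
    private final Map<String, List<Integer>> index = new HashMap<>();

    private static String key(String attribute, String value) {
        // Values are compared case-insensitively, as SQL keywords are.
        return attribute + "=" + value.toLowerCase(Locale.ROOT);
    }

    void add(Policy p) {
        int id = policies.size();
        policies.add(p);
        for (Map.Entry<String, String> c : p.conditions.entrySet()) {
            index.computeIfAbsent(key(c.getKey(), c.getValue()),
                                  k -> new ArrayList<>()).add(id);
        }
    }

    // Counts, per policy, how many of its predicates the assessment satisfies.
    // A policy matches when the count equals its number of conditions.
    List<Policy> match(Map<String, String> assessment) {
        int[] satisfied = new int[policies.size()];
        for (Map.Entry<String, String> a : assessment.entrySet()) {
            if (a.getValue() == null) continue; // attribute not known
            List<Integer> ids = index.get(key(a.getKey(), a.getValue()));
            if (ids == null) continue;
            for (int id : ids) satisfied[id]++;
        }
        List<Policy> matched = new ArrayList<>();
        for (int id = 0; id < satisfied.length; id++) {
            if (satisfied[id] == policies.get(id).conditions.size()) {
                matched.add(policies.get(id));
            }
        }
        return matched;
    }

    // The most severe matching action wins; an anomaly that no policy covers is
    // still reported with an alert rather than silently allowed.
    Action respond(Map<String, String> assessment) {
        Action chosen = null;
        for (Policy p : match(assessment)) {
            if (chosen == null || p.action.compareTo(chosen) > 0) chosen = p.action;
        }
        return chosen == null ? Action.ALERT : chosen;
    }

    public static void main(String[] args) {
        PolicyMatcher engine = new PolicyMatcher();
        // Constructed sample policies, not taken from the report.
        engine.add(new Policy("catalog-update",
                Map.of("object", "system_catalog", "command", "UPDATE"), Action.SUSPEND));
        engine.add(new Policy("clerk-delete",
                Map.of("role", "clerk", "command", "DELETE"), Action.DROP));
        engine.add(new Policy("clerk-any", Map.of("role", "clerk"), Action.TAINT));
        engine.add(new Policy("any-select", Map.of("command", "SELECT"), Action.LOG));

        // Constructed anomaly assessments, as a detection engine might submit them.
        List<Map<String, String>> assessments = List.of(
                Map.of("role", "clerk", "user", "u17", "command", "delete", "object", "orders"),
                Map.of("role", "dba", "user", "u02", "command", "update", "object", "system_catalog"),
                Map.of("role", "analyst", "user", "u40", "command", "insert", "object", "reports"));
        for (Map<String, String> a : assessments) {
            StringBuilder names = new StringBuilder();
            for (Policy p : engine.match(a)) names.append(p.name).append(' ');
            System.out.println(a.get("user") + " matched [" + names.toString().trim()
                    + "] -> " + engine.respond(a));
        }
    }
}
```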


6. IMPLEMENTATION
Implementation is the stage of the project when the theoretical design is turned into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user confidence that the new system will work and be effective. The implementation stage involves careful planning, investigation of the existing system and its constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.

6.1 TECHNOLOGY USED
JAVA
Java was designed to meet all the real world requirements with its key features, which are explained in the following paragraphs.

SIMPLE AND POWERFUL
Java was designed to be easy for the professional programmer to learn and use efficiently. Java makes itself simple by not having surprising features. Since it exposes the inner working of a machine, the programmer can perform his desired actions without fear.

SECURE
Using a Java-compatible browser, anyone can safely download Java applets without the fear of viral infection or malicious intent. Java achieves this protection by confining a Java program to the Java execution environment and by making it inaccessible to other parts of the computer. We can download applets with confidence that no harm will be done and no security will be breached.

PORTABLE
In Java, the same mechanism that gives security also helps in portability. Many types of computers and operating systems are in use throughout the world and are connected to the internet. For downloading programs through different platforms connected to the internet, some portable, executable code is needed. Java's answer to these problems is its well designed architecture.

OBJECT-ORIENTED
Java was designed to be source-code compatible with any other language. The Java team gave a clean, usable, realistic approach to objects. The object model in Java is simple and easy to extend, while simple types, such as integers, are kept as high-performance non-objects.

DYNAMIC
Java programs carry with them extensive amounts of run-time information that is used to verify and resolve accesses to objects at run-time. Using this concept it is possible to dynamically link code. The dynamic property of Java adds strength to the applet environment, in which small fragments of byte code may be dynamically updated on a running system.


SWING
Swing components facilitate efficient graphical user interface (GUI) development. These components are a collection of lightweight visual components. Swing components contain a replacement for the heavyweight AWT components as well as complex user interface components such as Trees and Tables.

Swing components contain a pluggable look and feel (PL & F). This allows all applications to run with the native look and feel on different platforms. PL & F allows applications to have the same behaviour on various platforms. JFC contains operating system neutral look and feel. Swing components do not contain peers. Swing components allow mixing AWT heavyweight and Swing lightweight components in an application.

The major difference between lightweight and heavyweight components is that lightweight components can have transparent pixels while heavyweight components are always opaque. Lightweight components can be non-rectangular while heavyweight components are always rectangular.

Swing components are JavaBeans compliant. This allows components to be used easily in a Bean aware application building program. The root of the majority of the Swing hierarchy is the JComponent class. This class is an extension of the AWT Container class.

Swing components comprise a large percentage of the JFC release. The Swing component toolkit consists of over 250 pure Java classes and 75 Interfaces contained in about 10 Packages. They are used to build lightweight user interfaces. Swing consists of User Interface (UI) classes and non-User Interface classes. The non-User Interface classes provide services and other operations for the UI classes.

Swing offers a number of advantages, which include:
• Wide variety of Components
• Pluggable Look and Feel
• MVC Architecture
• Keystroke Handling
• Action Objects
• Nested Containers
• Virtual Desktops
• Compound Borders
• Customized Dialogues
• Standard Dialog Classes
• Powerful Text Manipulation
• Generic Undo Capabilities
• Accessibility Support

JAVA DATABASE CONNECTIVITY (JDBC)
JDBC AND ODBC IN JAVA:


The most popular and widely accepted database connectivity interface, Open Database Connectivity (ODBC), is used to access relational databases. It offers the ability to connect to almost all databases on almost all platforms. Java applications can also use ODBC to communicate with a database. Why, then, do we need JDBC? There are several reasons:
• The ODBC API was written entirely in the C language and makes extensive use of pointers. Calls from Java to native C code have a number of drawbacks in the security, implementation, robustness and automatic portability of applications.
• ODBC is hard to learn. It mixes simple and advanced features together, and it has complex options even for simple queries.
• ODBC drivers must be installed on the client's machine.

6.2 DATABASE
SQL SERVER
A database management system, or DBMS, gives the user access to their data and helps them transform the data into information. Such database management systems include dBase, Paradox, IMS and SQL Server. These systems allow users to create, update and extract information from their database. Many databases are available in the market; I have chosen SQL Server because my project follows the client/server architecture, so it should execute both at the client and at the server side. So, to maintain the records at the server side and to distribute them among the clients, I have chosen SQL Server as the database for my project.

SQL Server stores each data item in its own field. In SQL Server, the fields relating to a particular person, thing or event are bundled together to form a single complete unit of data, called a record (it can also be referred to as a row or an occurrence). Each record is made up of a number of fields. No two fields in a record can have the same field name. During an SQL Server database design project, the analysis of your business needs identifies all the fields or attributes of interest. If your business needs change over time, you define any additional fields or change the definition of existing fields.

RELATIONAL
Sometimes all the information of interest to a business operation can be stored in one table. SQL Server makes it very easy to link the data in multiple tables. Matching an employee to the department in which they work is one example. This is what makes SQL Server a relational database management system, or RDBMS. It stores data in two or more tables and enables you to define relationships between the tables. The major advantages that suit my project are:
• Redundancy avoidance
• Data sharing
• Standards can be enforced
• More secure
• Integrity can be maintained

6.3 MODULES IMPLEMENTATION
6.3.1 USER MODULE
• Send request (Browse file)
• Select layer types (Conditions for request)
• Send the request
• Insert records (DBAs' Profiles)
• View records

6.3.2 INTRUSION RESPONSE MODULE
• Accepts request
• Request Validation
• Detector (Checks whether the request is anomaly or not)
• Response (Sends appropriate messages to user based on request)
• Action (Takes appropriate actions based on severity of request)


7. TESTING
The purpose of testing is to discover errors. Testing is the process of trying to discover every conceivable fault or weakness in a work product. It provides a way to check the functionality of components, sub-assemblies, assemblies and/or a finished product. It is the process of exercising software with the intent of ensuring that the software system meets its requirements and user expectations and does not fail in an unacceptable manner. There are various types of test. Each test type addresses a specific testing requirement.

7.1 SELECT TEST FACTOR
The particular module of the Project which is essential for the testing methodologies is sorted out first. This will help the testing process to be completed within time. The test factors for my project include encoding, verification and decoding process.

7.1.1 DETERMINE SDLC PHASE
This phase involves the structural testing of the system which will be used for easy implementations of the functions. Though structural testing is so much associated with the coding phase, the structural testing should be carried out at all the phases of the lifecycle.

7.1.2 SELECT TYPE OF TEST
For selecting the appropriate testing process the project should be analyzed with the following three testing concepts:

STRUCTURAL TESTING
Structural analysis based test sets tend to uncover errors that occur during coding of the program. The properties of the test set are to reflect the internal structure of the program. Structural testing is designed to verify that the developed system and programs work as specified in the requirement. The objective is to ensure that the product is designed structurally sound and will function correctly.

FUNCTIONAL TESTING
Functional testing ensures that the requirements are properly satisfied by the application system. The functions are those tasks that the system is designed to accomplish. This is not concerned with how processing occurs but rather with the results of the processing. The functional analysis based test sets tend to uncover errors that occurred in implementing requirements or design specifications.

SELECT TECHNIQUE
After selecting the appropriate testing methodology we have to select the necessary testing technique such as stress testing, execution testing, recovery testing, operation testing, compliance testing and security testing. We are performing operation testing.


7.2 TYPES OF TESTS
7.2.1 UNIT TESTING
Unit testing involves the design of test cases that validate that the internal program logic is functioning properly, and that program inputs produce valid outputs. All decision branches and internal code flow should be validated. It is the testing of individual software units of the application. It is done after the completion of an individual unit, before integration. This is structural testing that relies on knowledge of the unit's construction and is invasive. Unit tests perform basic tests at component level and test a specific business process, application, and/or system configuration. Unit tests ensure that each unique path of a business process performs accurately to the documented specifications and contains clearly defined inputs and expected results.

7.2.2 INTEGRATION TESTING
Integration tests are designed to test integrated software components to determine if they actually run as one program. Testing is event driven and is more concerned with the basic outcome of screens or fields. Integration tests demonstrate that although the components were individually satisfactory, as shown by successful unit testing, the combination of components is correct and consistent. Integration testing is specifically aimed at exposing the problems that arise from the combination of components.

7.2.3 FUNCTIONAL TESTING


Functional tests provide systematic demonstrations that functions tested are available as specified by the business and technical requirements, system documentation, and user manuals. Functional testing is centered on the following items:
Valid Input : identified classes of valid input must be accepted.
Invalid Input : identified classes of invalid input must be rejected.
Functions : identified functions must be exercised.
Output : identified classes of application outputs must be exercised.

7.2.4 SYSTEM TESTING
System testing ensures that the entire integrated software system meets requirements. It tests a configuration to ensure known and predictable results. An example of system testing is the configuration oriented system integration test. System testing is based on process descriptions and flows, emphasizing predriven process links and integration points.

White Box Testing
White Box Testing is testing in which the software tester has knowledge of the inner workings, structure and language of the software, or at least its purpose. It is used to test areas that cannot be reached from a black box level.

Black Box Testing
Black Box Testing is testing the software without any knowledge of the inner workings, structure or language of the module being tested. Black box tests, as most other kinds of tests, must be written from a definitive source document, such as a specification or requirements document. It is testing in which the software under test is treated as a black box: you cannot "see" into it. The test provides inputs and responds to outputs without considering how the software works.

7.3 TEST REPORTS
Test Type Test case Expected value Actual value Remarks Action

System path valid Functional Testing Searching file

-------

File browsed Enter correct system path

Select system path to search the System path invalid Path file specification error Selected probe --------

Process request Sends response and shuts the system File sent to Detector

Structural Testing

Selecting conditions

Select Selected Probe/R2L/U2R Normal/DOS

Intruder detected

Sending browsed file --------

Functional Testing

Sending file Send browsed file

File not browsed

No file detected Alerts the user to browse the file before sending ------- Transfers the

Validation

Authenticati

Key shares from Authorized


signatures Testing on DBAs’

request to detector No valid Blocks the authentication request from DBAs’ -------Ask for authentication from DBAs’. Leaves an alert and resend the valid request Update the destination database

Unauthorized signatures

Accepting valid request as probe/U2R/R2L System Testing Intrusion Detecting Accept normal request Sending anomaly request

Detects request as Intrusion

Valid data Validation Testing Updating Accepts only valid Destination requests data database Invalid data

---------

Data from Close sink detector is not accurate

Table.7.1 Test Cases

7.4 CONCLUSIONS
All the test cases mentioned above passed successfully. No defects encountered.


8. FUTURE ENHANCEMENT
8.1 DETECTION MECHANISM
We have presented two scenarios for the intrusion detection task in databases. For the first scenario, when a role based access control system is in place, we identify role intruders, that is, users that, while holding a specific role, behave in the manner of some other role. The first limitation of our current approach is that we assume the user to activate only one role in a session. A possible research direction to extend the scheme is to assume multiple role activation by a user in a session. The second limitation of our approach is that we assume that the roles form a partitioning of the universe of database access behavior. With this assumption, we are not able to identify users that, while holding a specific role, behave differently from that role and from any other role in the system. One approach towards identifying such behavior is to train a one class Support Vector Machine (SVM) with the normal role behavior SQL query features. Then any behavior deviating from the normal role behavior learned by the SVM classifier will be identified as anomalous. A similar approach may be adopted for the unsupervised learning scenario for the clusters of similar SQL queries. The one class SVM classifier, trained for every cluster, may be applied to detect SQL queries deviating from their representative cluster.


Apart from the above mentioned research directions, the traditional issues related to application of machine learning techniques to real-world problems are applicable to our approach as well. Such issues include, but are not limited to, the problem of concept drift, the problem of over fitting or under fitting the training data, and so forth.

8.2 RESPONSE MECHANISM
The response mechanism described in this dissertation works on the basis of pre-configured policies. The policies are based on attributes related to the structure of a SQL query and also the context surrounding the query. In this regard, our response mechanism may be considered to be static in its ability to adjust. One possible research direction is to come up with more dynamic approaches that are suitable for responding to a database intrusion. An interactive response policy that requires a second factor of authentication provides a second layer of defense when certain anomalous actions are executed against critical system resources, such as anomalous access to system catalog tables. This opens the way to new research on how to organize applications to handle such interactions for the case of legacy applications and new applications. In the security area there is a lot of work dealing with retrofitting legacy applications for authorization policy enforcement. We believe that such approaches can be extended to support such an interactive approach. For new applications, one can devise methodologies to organize applications that support such interactions. Notice, however, that because our approach is policy-based, the database administrators have the flexibility of designing policies that best fit the way applications are organized.

9. CONCLUSION
The response component of an intrusion detection system for a DBMS is described. The response component is responsible for issuing a suitable response to an anomalous user request. An interactive Event-Condition-Action type response policy language is presented that makes it very easy for the database security administrator to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request. The two main issues that are addressed in the context of such response policies are policy matching and policy administration. For the policy matching procedure, an algorithm is described to efficiently search the policy database for policies matching an anomalous request assessment. The other issue that is addressed is the administration of response policies to prevent malicious modifications to policy objects from legitimate users.


10. APPENDICES
APPENDIX - I SOURCE CODE
Source1:
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.io.*;
import java.net.*;
import java.sql.*;

public class Source1 extends JFrame {
    String fp;
    Double fs;
    Double tt;
    Double rt;
    Long ls;
    JTextArea jtr;
    private JLabel jLabel1;
    private JLabel jLabel2;
    private JLabel jLabel3;
    private JLabel filesize;

    private JLabel jfileSize;
    private JLabel transferTime;
    private JLabel jtransferTime;
    private JLabel filepath;
    private JLabel Jfilepath;
    private JLabel readTime;
    private JLabel JreadTime;
    private JTextArea show;
    private Long los;
    private JComboBox graph;
    private JButton view, insert;
    long loss;
    String str;
    private JTextField jTextField1;
    private JComboBox jComboBox1;
    private JTextArea jTextArea1;
    private JScrollPane jScrollPane1, jsp, jsp1, jsp2, jsp3;
    private JButton jButton1;
    private JButton jButton2;
    private JButton jButton3;
    private JPanel contentPane;
    private JButton Detect;
    private int lossspace;
    JScrollPane js;
    Object o;
    String dest1;
    int len;
    double d;
    double time;
    long read;
    double rd;

    private String r = "";
    String msg = "";
    int flag = 1;
    int flag1 = 1;
    Socket n1_client;
    String destination;
    int limit;
    String a[] = {"Select", "Probe", "Dos", "R2L", "U2R", "Normal"};
    int packets;
    int rem;
    String b[] = {"Graph", "probe", "DOS", "R2L", "U2R"};
    FileInputStream fis = null;
    Image im;

    public Source1() {
        super();
        initializeComponent();
        this.setVisible(true);
        // Read the contents of Detector.txt into r, one byte at a time.
        try {
            FileInputStream f = new FileInputStream(".//Detector.txt");
            while ((d = f.read()) != -1) {
                r += (char) d;
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    private void initializeComponent() {
        jLabel1 = new JLabel();
        jLabel2 = new JLabel();

        jLabel3 = new JLabel();
        jTextField1 = new JTextField();
        filesize = new JLabel();
        jfileSize = new JLabel();
        transferTime = new JLabel();
        jtransferTime = new JLabel();
        filepath = new JLabel();
        Jfilepath = new JLabel();
        readTime = new JLabel();
        JreadTime = new JLabel();
        jLabel1.setFont(new Font("Arial", Font.BOLD, 15));
        show = new JTextArea(70, 80);
        jComboBox1 = new JComboBox(a);
        jTextArea1 = new JTextArea();
        jScrollPane1 = new JScrollPane();
        jButton1 = new JButton();
        jButton2 = new JButton();
        jButton3 = new JButton();
        view = new JButton("View");
        graph = new JComboBox(b);
        insert = new JButton("Insert");
        Detect = new JButton("Detection");
        jtr = new JTextArea();
        js = new JScrollPane();
        contentPane = (JPanel) this.getContentPane();
        jLabel1.setText("<html><h1><b><u><font color=\'white',size=\"6\">SOURCE1</font><u></i></h1></html>");
        filepath.setText("<html><font color=\'white',size=\"4\">lossSpace:</font></h1></html>");
        jLabel1.setForeground(new Color(0, 0, 102));


        jLabel2.setText("<html><b><font color=\'white'>Layers No</font></b></html>");
        readTime.setText("<html><font color=\'white',size=\"4\">ReadTime:</font></h1></html>");
        jLabel3.setText("<html><b><font color=\'white' >Status Information</font></b></html>");
        filesize.setBackground(new Color(255, 255, 255));
        filesize.setText("<html><b><font color=\'white',size=\"4\">FileSize:</font></b></html>");
        transferTime.setBackground(new Color(255, 255, 255));
        transferTime.setText("<html><b><font color=\'white',size=\"4\">TransferTime:</font></b></html>");
        jTextField1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                jTextField1_actionPerformed(e);
            }
        });
        jComboBox1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                jComboBox1_actionPerformed(e);
            }
        });
        Detect.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                Detect_actionperformed(e);
            }
        });

        jScrollPane1.setViewportView(jTextArea1);
        js.setViewportView(jtr);
        jButton1.setBackground(new Color(255, 255, 255));
        jButton1.setText("<html><b><font color=\'black' >Browse</font></b></html>");
        jButton1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                jButton1_actionPerformed(e);
            }
        });
        jButton2.setBackground(new Color(255, 255, 255));
        jButton2.setText("<html><b><font color=\'black' >Send</font></b></html>");
        jButton2.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                jButton2_actionPerformed(e);
            }
        });
        insert.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                insert_actionperformed(e);
            }
        });
        view.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)

            {
                view_actionperformed(e);
            }
        });
        jButton3.setText("Exit");
        jButton3.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e) {
                jButton3_actionPerformed(e);
            }
        });
        graph.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent ae) {
                graph_actionPerformed(ae);
            }
        });
        // Absolute positioning: every component is placed with explicit bounds.
        contentPane.setLayout(null);
        Color colr = new Color(210, 105, 30);
        contentPane.setBackground(colr);
        jLabel1.setForeground(colr);
        addComponent(contentPane, jLabel1, 158, 14, 136, 28);
        addComponent(contentPane, jLabel2, 100, 149, 60, 18);
        addComponent(contentPane, jLabel3, 165, 180, 118, 23);
        addComponent(contentPane, jTextField1, 41, 80, 252, 20);
        addComponent(contentPane, jComboBox1, 180, 147, 100, 22);
        addComponent(contentPane, jScrollPane1, 60, 200, 295, 246);
        addComponent(contentPane, jButton1, 317, 78, 83, 28);
        addComponent(contentPane, jButton2, 317, 147, 83, 28);
        addComponent(contentPane, jButton3, 317,450,83,28);
        addComponent(contentPane,filepath,60,500,136,28);
        addComponent(contentPane,Jfilepath,150,500,280,28);
        addComponent(contentPane,filesize,310,500,140,28);
        addComponent(contentPane,jfileSize,390,500,136,28);
        addComponent(contentPane,transferTime,60,550,136,28);
        addComponent(contentPane,jtransferTime,180,550,136,28);
        addComponent(contentPane,readTime,310,550,136,28);
        addComponent(contentPane,JreadTime,390,550,136,28);
        addComponent(contentPane,insert,30,600,136,28);
        addComponent(contentPane,view,80,600,136,28);
        addComponent(contentPane,graph,250,600,100,28);
        addComponent(contentPane,Detect,350,600,103,28);
        addComponent(contentPane,jtr,350,300,400,200);
        jtr.setVisible(false);
        this.setTitle("Source1 - extends JFrame");
        this.setLocation(new Point(66, 48));
        this.setSize(new Dimension(783, 635));
    }

    private void addComponent(Container container,Component c,int x,int y,int width,int height)
    {
        c.setBounds(x,y,width,height);
        container.add(c);
    }

    private void jTextField1_actionPerformed(ActionEvent e)
    {
        System.out.println("\njTextField1_actionPerformed(ActionEvent e) called.");
    }

    private void jComboBox1_actionPerformed(ActionEvent e)
    {
        System.out.println("\njComboBox1_actionPerformed(ActionEvent e) called.");
        o = jComboBox1.getSelectedItem();
        destination=""+o;
        flag=0;
    }

    private void jButton1_actionPerformed(ActionEvent e)
    {
        System.out.println("\njButton1_actionPerformed(ActionEvent e) called.");
        try
        {
            int b;
            Long l=0L;
            msg="";
            FileDialog fd=new FileDialog(this,"Open",FileDialog.LOAD);
            JFileChooser jf=new JFileChooser();
            int s=jf.showOpenDialog(null);
            File f1=jf.getSelectedFile();
            str=f1.getPath();
            File f=new File(str);
            long size1=f1.getTotalSpace();
            long freespace=f1.getFreeSpace();
            loss=size1-freespace;
            FileInputStream fos=new FileInputStream(str);
            long length=f.length();
            int sizedata=fos.available();
int n=sizedata/4; jTextField1.setText(str); while((b=fos.read())!=-1) { msg+=(char)b; l+=b; } byte by[]=new byte[fos.available()]; String sbyte=new String(by); jTextArea1.setText("Size"); fos.read(by); fos.close(); flag1=0; len=msg.length(); d=len/1024; time=d/60; read=l/1024; rd=read/60; String source=jTextField1.getText(); System.out.println(""+System.currentTimeMillis()); jTextArea1.append("\n\nSource1 Address::"+source+"\n\n"); jTextArea1.append("Selected File Path "+"<b>"+fd.getDirectory()+fd.getFile() +"</b>"+"\n\n"); jTextArea1.append("Total Size::"+len+"bytes"+"\n\n"); jTextArea1.append("Total space::"+size1+"bytes"+"\n\n"); jTextArea1.append("Total Freespace::"+freespace+"bytes"+"\n\n"); jTextArea1.append("Reading Files:"+l+"bytes"+"\n\n"); jfileSize.setText(""+d+"Kb"); Jfilepath.setText(""+loss); JreadTime.setText(""+rd+"Sec"); }
        catch (Exception ex)
        {
            ex.printStackTrace();
        }
    }

    public void insert_actionperformed(ActionEvent e)
    {
        try
        {
            Class.forName("oracle.jdbc.driver.OracleDriver");
            Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
            Statement stm=con.createStatement();
            String ss="insert into sour1(layerports,filePath,fileSize,transferTime,readTime,lossSpace)values('"+jComboBox1.getSelectedItem()+"','"+str+"',"+d+","+time+","+rd+","+loss+")";
            stm.executeUpdate(ss);
            JOptionPane.showMessageDialog(null,"Record Inserted");
            System.out.println("record inserted");
        }
        catch(Exception ex)
        {
            ex.printStackTrace();
        }
    }

    public void view_actionperformed(ActionEvent e)
    {
        addComponent(contentPane,show,280,600,236,58);
        try
        {
            System.out.println("retrieved************");
            Class.forName("oracle.jdbc.driver.OracleDriver");
            Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
            Statement stm=con.createStatement();
            ResultSet rs=stm.executeQuery("select * from sour1");
            String tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"};
            String stab[][]=new String[50][50];
            for(int i=0;rs.next();i++)
            {
                stab[i][0]=rs.getString(1);
                stab[i][1]=rs.getString(2);
                stab[i][2]=Double.toString(rs.getDouble(3));
                stab[i][3]=Double.toString(rs.getDouble(4));
                stab[i][4]=Double.toString(rs.getDouble(5));
                stab[i][5]=Double.toString(rs.getDouble(6));
                System.out.println("record inserted");
            }
            JTable jt=new JTable(stab,tb);
            int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED;
            int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED;
            JScrollPane jsp=new JScrollPane(jt,v,h);
            addComponent(contentPane,jsp,500,450,436,158);
        }
        catch(Exception ex)
        {
        }
    }

    public void graph_actionPerformed(ActionEvent ae)
    {
        Object o1=graph.getSelectedItem();
        dest1=""+o1;
        System.out.println("a[3]="+a[3]+"a[4]="+a[4]);
        if(dest1.equalsIgnoreCase(a[1]))
        {
            final probe1chart demo = new probe1chart("Probe1 Layer");
            demo.pack();
            demo.setLocation(200,200);
            demo.setVisible(true);
            try
            {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
                Statement stm=con.createStatement();
                String str="select* from sour1 where layerports='"+a[1]+"'";
                ResultSet rs=stm.executeQuery(str);
                String tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"};
                String stab[][]=new String[50][50];
                for(int i=0;rs.next();i++)
                {
                    stab[i][0]=rs.getString(1);
                    stab[i][1]=rs.getString(2);
                    stab[i][2]=Double.toString(rs.getDouble(3));
                    stab[i][3]=Double.toString(rs.getDouble(4));
                    stab[i][4]=Double.toString(rs.getDouble(5));
                    stab[i][5]=Double.toString(rs.getDouble(6));
                }
                JTable p=new JTable(stab,tb);
                int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED;
                int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED;
                jsp=new JScrollPane(p,v,h);
                addComponent(contentPane,jsp,500,250,436,158);
                jsp1.setVisible(false);
                jsp2.setVisible(false);
                jsp3.setVisible(false);
            }
            catch(Exception ex)
            {
            }
        }
        else if(dest1.equalsIgnoreCase(a[2]))
        {
            final Doschart1 demo = new Doschart1("Dos1 Layer");
            demo.pack();
            demo.setLocation(200,200);
            demo.setVisible(true);
            try
            {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
                Statement stm=con.createStatement();
                String str="select* from sour1 where layerports='"+a[2]+"'";
                ResultSet rs=stm.executeQuery(str);
String tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"}; String stab[][]=new String[50][50]; for(int i=0;rs.next();i++) { stab[i][0]=rs.getString(1); stab[i][1]=rs.getString(2); stab[i][2]=Double.toString(rs.getDouble(3)); stab[i][3]=Double.toString(rs.getDouble(4)); stab[i][4]=Double.toString(rs.getDouble(5)); stab[i][5]=Double.toString(rs.getDouble(6)); } JTable p=new JTable(stab,tb); int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED; int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED; jsp1=new JScrollPane(p,v,h); addComponent(contentPane,jsp1,500,250,436,158); jsp.setVisible(false); jsp2.setVisible(false); jsp3.setVisible(false); } catch(Exception ex) { } } else if(dest1.equalsIgnoreCase(a[3])) { final R2Lchart1 demo = new R2Lchart1("R2L Layer"); demo.pack(); demo.setLocation(200,200);
            demo.setVisible(true);
            try
            {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
                Statement stm=con.createStatement();
                String str="select* from sour1 where layerports='"+a[3]+"'";
                ResultSet rs=stm.executeQuery(str);
                String tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"};
                String stab[][]=new String[50][50];
                for(int i=0;rs.next();i++)
                {
                    stab[i][0]=rs.getString(1);
                    stab[i][1]=rs.getString(2);
                    stab[i][2]=Double.toString(rs.getDouble(3));
                    stab[i][3]=Double.toString(rs.getDouble(4));
                    stab[i][4]=Double.toString(rs.getDouble(5));
                    stab[i][5]=Double.toString(rs.getDouble(6));
                }
                JTable p=new JTable(stab,tb);
                int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED;
                int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED;
                jsp2=new JScrollPane(p,v,h);
                addComponent(contentPane,jsp2,500,250,436,158);
                jsp1.setVisible(false);
                jsp.setVisible(false);
                jsp3.setVisible(false);
            }
            catch(Exception ex)
            {
            }
        }
        else if(dest1.equalsIgnoreCase(a[4]))
        {
            System.out.println("U2RChart**************");
            final U2Rchart1 demo = new U2Rchart1("U2R Layer");
            demo.pack();
            demo.setLocation(200,200);
            demo.setVisible(true);
            try
            {
                Class.forName("oracle.jdbc.driver.OracleDriver");
                Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
                Statement stm=con.createStatement();
                String str="select* from sour1 where layerports='"+a[4]+"'";
                ResultSet rs=stm.executeQuery(str);
                String tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"};
                String stab[][]=new String[50][50];
                for(int i=0;rs.next();i++)
                {
                    stab[i][0]=rs.getString(1);
                    stab[i][1]=rs.getString(2);
                    stab[i][2]=Double.toString(rs.getDouble(3));
                    stab[i][3]=Double.toString(rs.getDouble(4));
                    stab[i][4]=Double.toString(rs.getDouble(5));
                    stab[i][5]=Double.toString(rs.getDouble(6));
                }
                JTable p=new JTable(stab,tb);
                int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED;
                int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED;
                jsp3=new JScrollPane(p,v,h);
                addComponent(contentPane,jsp3,500,250,436,158);
                jsp1.setVisible(false);
                jsp2.setVisible(false);
                jsp.setVisible(false);
            }
            catch(Exception ex)
            {
            }
        }
    }

    public void paint(Graphics g)
    {
        g.drawImage(im, 0, 0, null);
    }

    private void Detect_actionperformed(ActionEvent ae)
    {
        try
        {
            Class.forName("oracle.jdbc.driver.OracleDriver");
            Connection con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursion","intursion");
            Statement stm=con.createStatement();
            String sa1="select * from sour1 where layerports='"+a[1]+"'";
            String sa2="select * from sour1 where layerports='"+a[2]+"'";
String sa3="select * from sour1 where layerports='"+a[3]+"'"; String sa4="select * from sour1 where layerports='"+a[4]+"'"; //Probe ResultSet rs=stm.executeQuery(sa1); double s6=0,s8=0,s9=0; int i=1; while(rs.next()) { String s1=rs.getString(1); String s2=rs.getString(2); double s3=rs.getDouble(3); s6=rs.getDouble(4)+s6; s8=rs.getDouble(5)+s8; double s4=rs.getDouble(6); i++; System.out.println("TransferTime"+r); } double s7=s6/i; s9=s8/i; System.out.println("pobe transferTime="+s7+"\t"+"ReadTime"+s9); //Dos rs=stm.executeQuery(sa2); double st=0,sr=0,at,ar; int j=1; while(rs.next()) { String s1=rs.getString(1); String s2=rs.getString(2); double s3=rs.getDouble(3); st=rs.getDouble(4)+st; sr=rs.getDouble(5)+sr;
double s4=rs.getDouble(6); j++; } at=st/j; ar=sr/j; System.out.println("Dos transferTime="+at+"\t"+"ReadTime"+ar); rs.close(); //R2L rs=stm.executeQuery(sa3); double st1=0,sr1=0,at1,ar1; int k=1; while(rs.next()) { String s1=rs.getString(1); String s2=rs.getString(2); double s3=rs.getDouble(3); st1=rs.getDouble(4)+st1; sr1=rs.getDouble(5)+sr1; double s4=rs.getDouble(6); k++; } at1=st1/k; ar1=sr1/k; System.out.println("R2L transferTime="+at1+"\t"+"ReadTime"+ar1); //U2R rs=stm.executeQuery(sa4); double st2=0,sr2=0,at2,ar2; int l=1; while(rs.next()) {
String s1=rs.getString(1); String s2=rs.getString(2); double s3=rs.getDouble(3); st2=rs.getDouble(4)+st2; sr2=rs.getDouble(5)+sr2; double s4=rs.getDouble(6); l++; } at2=st2/l; ar2=sr2/l; System.out.println("U2R transferTime="+at2+"\t"+"ReadTime"+ar2); //rs3.close(); jtr.append("Name"+"\tAvgTransferTime"+"\t"+"AvgReadTime"+"\n"); jtr.append("====================================================== =============================\n"); jtr.append("Probe"+"\t"+(Math.abs(s7))+"\t"+""+Math.abs(s9)+"\n"); jtr.append("Dos"+"\t"+Math.abs(at)+"\t"+""+Math.abs(ar)+"\n"); jtr.append("R2L"+"\t"+Math.abs(at1)+"\t"+""+Math.abs(ar1)+"\n"); jtr.append("U2R"+"\t"+Math.abs(at2)+"\t"+""+Math.abs(ar2)+"\n"); jtr.setVisible(true); LineChartDemo6 ld=new LineChartDemo6("Detection",s7,s9,at,ar,at1,ar1,at2,ar2); ld.setSize(300,300); ld.setVisible(true); } catch(Exception ex) { ex.printStackTrace(); } } private void jButton2_actionPerformed(ActionEvent e)
{ System.out.println("\njButton2_actionPerformed(ActionEvent e) called."); jtransferTime.setText(""+time); String dest; if(flag==0) { if(destination.equalsIgnoreCase(a[0])) { JOptionPane.showMessageDialog(null,"Select Destination!.."); } else if(destination.equalsIgnoreCase(a[1])) { JOptionPane.showMessageDialog(null,"This Is From PROBE Layer : This transaction need authentication from 4 DBAs"); String dba1sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 1 "); System.out.println("dba1sign : "+dba1sign); if(dba1sign!=null&&!dba1sign.equals("")){ int dba1conform= JOptionPane.showConfirmDialog(null,"DBA 1: Is it Conformed?"); System.out.println("dba1conform : "+dba1conform); if(dba1conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{
JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba2sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 2 "); System.out.println("dba2sign : "+dba2sign); if(dba2sign!=null&&!dba2sign.equals("")){ int dba2conform= JOptionPane.showConfirmDialog(null,"DBA 2: Is it Conformed?"); System.out.println("dba2conform : "+dba2conform); if(dba2conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba3sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 3 "); System.out.println("dba3sign : "+dba3sign); if(dba3sign!=null&&!dba3sign.equals("")){ int dba3conform= JOptionPane.showConfirmDialog(null,"DBA 3: Is it Conformed?"); System.out.println("dba3conform : "+dba3conform);
if(dba3conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba4sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 4 "); System.out.println("dba4sign : "+dba4sign); if(dba4sign!=null&&!dba4sign.equals("")){ int dba4conform= JOptionPane.showConfirmDialog(null,"DBA 4: Is it Conformed?"); System.out.println("dba4conform : "+dba4conform); if(dba4conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); }
JOptionPane.showMessageDialog(null,"Now you can insert details of a file into Database "); dest=setDest(a[1]); sendData(r,111,dest); } else if(destination.equalsIgnoreCase(a[2])) { JOptionPane.showMessageDialog(null,"This Is From Dos Layer"); dest=setDest(a[2]); int a; sendData(r,111,dest); } else if(destination.equalsIgnoreCase(a[3])) { JOptionPane.showMessageDialog(null,"This Is From R2L layer"); JOptionPane.showMessageDialog(null,"This Is From PROBE Layer : This transaction need authentication from 4 DBAs"); String dba1sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 1 "); System.out.println("dba1sign : "+dba1sign); if(dba1sign!=null&&!dba1sign.equals("")){ int dba1conform= JOptionPane.showConfirmDialog(null,"DBA 1: Is it Conformed?"); System.out.println("dba1conform : "+dba1conform); if(dba1conform!=0){

JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba2sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 2 "); System.out.println("dba2sign : "+dba2sign); if(dba2sign!=null&&!dba2sign.equals("")){ int dba2conform= JOptionPane.showConfirmDialog(null,"DBA 2: Is it Conformed?"); System.out.println("dba2conform : "+dba2conform); if(dba2conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); }
String dba3sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 3 "); System.out.println("dba3sign : "+dba3sign); if(dba3sign!=null&&!dba3sign.equals("")){ int dba3conform= JOptionPane.showConfirmDialog(null,"DBA 3: Is it Conformed?"); System.out.println("dba3conform : "+dba3conform); if(dba3conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba4sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 4 "); System.out.println("dba4sign : "+dba4sign); if(dba4sign!=null&&!dba4sign.equals("")){ int dba4conform= JOptionPane.showConfirmDialog(null,"DBA 4: Is it Conformed?"); System.out.println("dba4conform : "+dba4conform); if(dba4conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not conformed signature this transaction is failed. Response Action : ShutDown");
System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } JOptionPane.showMessageDialog(null,"Now you can insert details of a file into Database "); dest=setDest(a[3]); sendData(r,222,dest); } else if(destination.equalsIgnoreCase(a[4])) { JOptionPane.showMessageDialog(null,"This Is From U2R Layer"); JOptionPane.showMessageDialog(null,"This Is From PROBE Layer : This transaction need authentication from 4 DBAs"); String dba1sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 1 "); System.out.println("dba1sign : "+dba1sign); if(dba1sign!=null&&!dba1sign.equals("")){ int dba1conform= JOptionPane.showConfirmDialog(null,"DBA 1: Is it Conformed?"); System.out.println("dba1conform : "+dba1conform); if(dba1conform!=0){

JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba2sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 2 "); System.out.println("dba2sign : "+dba2sign); if(dba2sign!=null&&!dba2sign.equals("")){ int dba2conform= JOptionPane.showConfirmDialog(null,"DBA 2: Is it Conformed?"); System.out.println("dba2conform : "+dba2conform); if(dba2conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 2 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); }

String dba3sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 3 "); System.out.println("dba3sign : "+dba3sign); if(dba3sign!=null&&!dba3sign.equals("")){ int dba3conform= JOptionPane.showConfirmDialog(null,"DBA 3: Is it Conformed?"); System.out.println("dba3conform : "+dba3conform); if(dba3conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } }else{ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 3 not accepted / not entered signature this transaction is failed. Response Action : ShutDown"); System.exit(0); } String dba4sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of DBA 4 "); System.out.println("dba4sign : "+dba4sign); if(dba4sign!=null&&!dba4sign.equals("")){ int dba4conform= JOptionPane.showConfirmDialog(null,"DBA 4: Is it Conformed?"); System.out.println("dba4conform : "+dba4conform); if(dba4conform!=0){ JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not conformed signature this transaction is failed. Response Action : ShutDown"); System.exit(0);
                    }
                }else{
                    JOptionPane.showMessageDialog(null,"JTAM : Since DBA 4 not accepted / not entered signature this transaction is failed. Response Action : ShutDown");
                    System.exit(0);
                }
                JOptionPane.showMessageDialog(null,"Now you can insert details of a file into Database ");
                dest=setDest(a[4]);
                sendData(r,222,dest);
            }
            else if(destination.equalsIgnoreCase(a[5]))
            {
                JOptionPane.showMessageDialog(null,"This Is From Normal");
                dest=setDest(a[5]);
                sendData(r,222,dest);
            }
        }
        else
            JOptionPane.showMessageDialog(null,"Load the File OR Select the Destination!..");
    }

    private void jButton3_actionPerformed(ActionEvent e)
    {
        System.out.println("\njButton3_actionPerformed(ActionEvent e) called.");
    }

    public void sendData(String name,int port,String dest)
    {
try { n1_client=new Socket(name,port); DataOutputStream out=new DataOutputStream(n1_client.getOutputStream()); if(out!=null) { out.flush(); } int outgoing=0; byte buffer[]=msg.getBytes(); int len=buffer.length; int tlength=buffer.length/48; int length11=buffer.length%48; int len1=len; if(length11!=0) { tlength++; } out.writeInt(tlength); out.writeUTF(destination); int st=0; int end=48; jTextArea1.append("Packet Length:"+len+"\n"); String prefinal=""; String finalst=""; if(len<=48) { System.out.println("smaller than 48"); finalst=prefinal+msg+"\n"+"null";
jTextArea1.append("packet\t"+(++outgoing) +"\t"+msg+"\n"); out.writeUTF(dest+msg); } else { System.out.println("else than 48"); jTextArea1.append("Packet: "+"\t"+(++outgoing) +"\t"+msg.substring(st,end)+"\n"); out.writeUTF(dest+msg.substring(st,end)); while(len1>48) { len1-=48; if(len1<=48) { System.out.println("greateer than 48"); jTextArea1.append("Packet: "+"\t"+(++outgoing) +"\t"+msg.substring(end,len)+"\n"); out.writeUTF(dest+msg.substring(end,len)); } else { System.out.println("else than 48"); int sp=end+48; jTextArea1.append("Packet: "+"\t"+ (++outgoing)+"\t"+msg.substring(end,sp)+"\n"); out.writeUTF(dest+msg.substring(end,sp)); end=sp; } }
} } catch (Exception exp) { exp.printStackTrace(); } } public String setDest(String Destname) { String Destinationname=""; if(Destname.equalsIgnoreCase(a[1])) { Destinationname="Source1-->D1"; } else if(Destname.equalsIgnoreCase(a[2])) { Destinationname="Source1-->D2"; } else if(Destname.equalsIgnoreCase(a[3])) { Destinationname="Source1-->D3"; } else if (Destname.equalsIgnoreCase(a[4])) { Destinationname="Source1-->D4"; } else if (Destname.equalsIgnoreCase(a[5])) { Destinationname="Source1-->D5"; } return Destinationname;
    }
}

Detector1
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.io.*;
import java.net.*;
import java.lang.*;
public class Detector1 extends JFrame
{
    private JLabel jLabel1;
    private JTextArea jTextArea1;
    private JScrollPane jScrollPane1;
    private JButton jButton1;
    private JPanel contentPane;
    ServerSocket server_1;
    DataOutputStream dis1;
    DataOutputStream dis2;
    DataInputStream dis;
    Socket socket_1;
    Socket client_1;
    Socket client_2;
    long temp;
    int i=1;
    int length;
    int length1;
    String sen="";
public Detector1() { super(); initializeComponent(); this.setVisible(true); try { server_1=new ServerSocket(111); FileInputStream f=new FileInputStream(".//Sink.txt"); while((length1=f.read())!=-1) { sen+=(char)length1; } System.out.println(sen); } catch (Exception exp) { exp.printStackTrace(); } this.setVisible(true); } private void initializeComponent() { jLabel1 = new JLabel(); jTextArea1 = new JTextArea(); jScrollPane1 = new JScrollPane(); jButton1 = new JButton(); contentPane = (JPanel)this.getContentPane(); jLabel1.setText("INTRUSION DETECTOR1"); jLabel1.setForeground(Color.white); jScrollPane1.setViewportView(jTextArea1);
        jButton1.setBackground(new Color(255, 255, 255));
        jButton1.setText("Exit");
        jButton1.addActionListener(new ActionListener() {
            public void actionPerformed(ActionEvent e)
            {
                jButton1_actionPerformed(e);
            }
        });
        contentPane.setLayout(null);
        contentPane.setBackground(new Color(210,105,30));
        addComponent(contentPane, jLabel1, 172,9,133,38);
        addComponent(contentPane, jScrollPane1, 26,37,441,341);
        addComponent(contentPane, jButton1, 204,390,83,28);
        this.setTitle("Detector1 - extends JFrame");
        this.setLocation(new Point(0, 0));
        this.setSize(new Dimension(505, 462));
    }

    private void addComponent(Container container,Component c,int x,int y,int width,int height)
    {
        c.setBounds(x,y,width,height);
        container.add(c);
    }

    private void jButton1_actionPerformed(ActionEvent e)
    {
        System.out.println("\njButton1_actionPerformed(ActionEvent e) called.");
    }

    public void server()
    {
        try
{ String rr=""; socket_1=server_1.accept(); dis=new DataInputStream(socket_1.getInputStream()); int length=dis.readInt(); String destination=dis.readUTF(); if(destination.equalsIgnoreCase("probe")) { jTextArea1.append("\t**********************************\n"); jTextArea1.append("\tTHIS IS FROM PORT Probe \n"); jTextArea1.append("\t**********************************\n"); client_1=new Socket(sen,101); dis1=new DataOutputStream(client_1.getOutputStream()); dis1.writeInt(length); dis1.writeUTF(destination); while(length>0) { rr=dis.readUTF(); jTextArea1.append("Packet "+i+"\t"+rr+" Recieved...\n"); dis1=new DataOutputStream(client_1.getOutputStream()); dis1.writeUTF(rr); length--;
                    i++;
                }
                i=1;
            }
            else if (destination.equalsIgnoreCase("Dos"))
            {
                jTextArea1.append("\t**********************************\n");
                jTextArea1.append("\tTHIS IS FROM PORT U2R\n");
                jTextArea1.append("\t**********************************\n");
                while(length>0)
                {
                    rr=dis.readUTF();
                    StringBuffer sb=new StringBuffer(rr);
                    sb.delete(7,10);
                    jTextArea1.append("\t\tPacket "+i+"\t"+rr.substring(4,15)+" Recieved...\n");
                    length--;
                    i++;
                }
                i=1;
                int delay = 100; //milliseconds
                Timer t=new Timer(delay, new ActionListener() {
                    int count=1;
                    public void actionPerformed(ActionEvent evt)
                    {
                        if(count<=10)
                        {

                            java.awt.Toolkit.getDefaultToolkit().beep();
                            count++;
                        }
                        else
                            return;
                    }
                });
                t.start();
                JOptionPane.showMessageDialog(null,"Detector1:From Policy Matching : This is an Anomalous Request :This modification to policy object is invalid");
                JOptionPane.showMessageDialog(null,"Detector1:From Policy Administration : Intursion Response System : This request should get authentication from k authorised users ");
                JOptionPane.showMessageDialog(null,"Detector1:Intursion Response System : Taken Aggresive action i.e.Shutdown !!!!!!");
                System.exit(0);
            }
            else if (destination.equalsIgnoreCase("DoS1"))
            {
                jTextArea1.append("\t**********************************\n");
                jTextArea1.append("\tTHIS IS FROM PORT Dos1\n");
                jTextArea1.append("\t**********************************\n");
                client_1=new Socket(sen,101);
                dis1=new DataOutputStream(client_1.getOutputStream());
                dis1.writeInt(length);
                dis1.writeUTF(destination);
                while(length>0)
                {
                    rr=dis.readUTF();
jTextArea1.append("Packet "+i+"\t"+rr+" Recieved...\n"); dis1=new DataOutputStream(client_1.getOutputStream()); dis1.writeUTF(rr); length--; i++; } i=1; } } catch (Exception exp) { exp.printStackTrace(); } }
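
The Source1 listing above builds its `insert into sour1 ...` and `select ... where layerports='...'` statements by string concatenation, so a selected file path containing a quote changes the SQL that reaches the database. The following is an added example, not code from the project: it performs the same two operations with bound parameters. The class name `Sour1Store`, the environment variable names, the numeric column types and the sample values in `main` are assumptions; it needs the Oracle JDBC driver on the classpath and an existing `sour1` table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not the project's code: the sour1 insert and per-layer select
// from the Source1 listing, rewritten with bound parameters.
// Assumption: columns 3..6 are numeric, as the listing's rs.getDouble(3..6) calls suggest.
public class Sour1Store {

    private static final String INSERT_SQL =
        "insert into sour1(layerports,filePath,fileSize,transferTime,readTime,lossSpace) "
        + "values(?,?,?,?,?,?)";
    private static final String SELECT_SQL =
        "select layerports,filePath,fileSize,transferTime,readTime,lossSpace "
        + "from sour1 where layerports=?";

    // Hypothetical environment variable names; the listing hard-codes URL, user and password.
    static Connection open() throws SQLException {
        String url = System.getenv("SOUR1_JDBC_URL");
        String user = System.getenv("SOUR1_DB_USER");
        String pass = System.getenv("SOUR1_DB_PASSWORD");
        if (url == null || user == null || pass == null) {
            throw new SQLException("SOUR1_JDBC_URL, SOUR1_DB_USER and SOUR1_DB_PASSWORD must be set");
        }
        return DriverManager.getConnection(url, user, pass);
    }

    // Every value travels as a bind parameter, so a quote in filePath stays data.
    static int insert(Connection con, String layer, String filePath, double fileSize,
                      double transferTime, double readTime, double lossSpace) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, layer);
            ps.setString(2, filePath);
            ps.setDouble(3, fileSize);
            ps.setDouble(4, transferTime);
            ps.setDouble(5, readTime);
            ps.setDouble(6, lossSpace);
            return ps.executeUpdate();
        }
    }

    // Returns at most maxRows rows; the listing's fixed String[50][50] overflows on row 51.
    static List<String[]> findByLayer(Connection con, String layer, int maxRows) throws SQLException {
        List<String[]> rows = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(SELECT_SQL)) {
            ps.setMaxRows(maxRows);
            ps.setString(1, layer);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] {
                        rs.getString(1),
                        rs.getString(2),
                        Double.toString(rs.getDouble(3)),
                        Double.toString(rs.getDouble(4)),
                        Double.toString(rs.getDouble(5)),
                        Double.toString(rs.getDouble(6))
                    });
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Constructed sample values; the quote in the path is the input that
        // breaks the concatenated statement in the listing.
        String layer = "probe";
        String path = "C:\\data\\o'brien.txt";
        try (Connection con = open()) {
            insert(con, layer, path, 12.0, 0.2, 0.1, 1024.0);
            for (String[] row : findByLayer(con, layer, 50)) {
                System.out.println(String.join("\t", row));
            }
        } catch (SQLException ex) {
            // Report the failure rather than swallowing it in an empty catch block.
            System.err.println("sour1 access failed: " + ex.getMessage());
        }
    }
}
```

`findByLayer(...).toArray(new String[0][])` yields the `String[][]` that the listing passes to `JTable`.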

Sink1
import java.awt.*; import java.awt.event.*; import javax.swing.*; import javax.swing.event.*; import java.io.*; import java.net.*; public class Sink1 extends JFrame { private JLabel jLabel1; private JTabbedPane jTabbedPane1; private JButton jButton1; private JPanel contentPane; private JTextArea jTextArea1;
private JScrollPane jScrollPane1; private JPanel jPanel1; private JLabel transferTime; private JLabel JtransferTime; private JTextArea jTextArea2; private JScrollPane jScrollPane2; private JPanel jPanel2; String Recieved1; ServerSocket server_1; Socket socket_1; int i=1; String destination; String rr=""; public Sink1() { super(); initializeComponent(); try { server_1=new ServerSocket(101); } catch (Exception exp) { exp.printStackTrace(); } this.setVisible(true); } private void initializeComponent() { jLabel1=new JLabel(); jLabel1.setFont(new Font("Serief",Font.BOLD,16));
Department of MCA, SVCET, Chittoor

89

An Intrusion Response System for Relational Databases

jTabbedPane1 = new JTabbedPane(); jButton1 = new JButton(); contentPane = (JPanel)this.getContentPane(); jTextArea1 = new JTextArea(); jScrollPane1 = new JScrollPane(); jPanel1 = new JPanel(); jTabbedPane1.setForeground(Color.white); jTabbedPane1.setForeground(new Color(210,105,30)); transferTime=new JLabel(); JtransferTime=new JLabel(); transferTime.setText("TransferTime"); jTextArea2 = new JTextArea(); jScrollPane2 = new JScrollPane(); jPanel2 = new JPanel(); jLabel1.setForeground(Color.white); jTextArea1.setText("\t**********THIS PROBE*************\n\n"); jTextArea2.setText("\t**********THIS DoS1**************\n\n"); jTabbedPane1.addTab("Dest1", jPanel1); jTabbedPane1.addTab("Dest2", jPanel2); jTabbedPane1.addChangeListener(new ChangeListener() { public void stateChanged(ChangeEvent e) { jTabbedPane1_stateChanged(e); } }); jLabel1.setText("Sink1"); jButton1.setText("Exit"); jButton1.addActionListener(new ActionListener() { public void actionPerformed(ActionEvent e)
Department of MCA, SVCET, Chittoor

IS IS

FROM FROM

PORT PORT

90

An Intrusion Response System for Relational Databases

{ jButton1_actionPerformed(e); } }); contentPane.setLayout(null); contentPane.setBackground(new Color(210,105,30)); addComponent(contentPane, jLabel1, 232,9,193,38); addComponent(contentPane, jTabbedPane1, 21,44,473,374); addComponent(contentPane, jButton1, 228,425,88,32); addComponent(contentPane,transferTime,50,500,193,38); addComponent(contentPane,JtransferTime,100,500,193,38); jScrollPane1.setViewportView(jTextArea1); jPanel1.setLayout(null); addComponent(jPanel1, jScrollPane1, 23,19,418,301); jScrollPane2.setViewportView(jTextArea2); jPanel2.setLayout(null); addComponent(jPanel2, jScrollPane2, 22,19,416,302); this.setTitle("Sink1 - extends JFrame"); this.setLocation(new Point(0, 0)); this.setSize(new Dimension(544, 494)); } private void addComponent(Container container,Component c,int x,int y,int width,int height) { c.setBounds(x,y,width,height); container.add(c); } private void jTabbedPane1_stateChanged(ChangeEvent e) { System.out.println("\njTabbedPane1_stateChanged(ChangeEvent e) called.");
Department of MCA, SVCET, Chittoor

91

An Intrusion Response System for Relational Databases

} private void jButton1_actionPerformed(ActionEvent e) { System.out.println("\njButton1_actionPerformed(ActionEvent called."); } public void server() { try { String rr=""; socket_1=server_1.accept(); DataInputStream DataInputStream(socket_1.getInputStream()); int length=dis.readInt(); String destination=dis.readUTF(); while(length>0) { rr=dis.readUTF(); if(destination.equalsIgnoreCase("probe")) { jTextArea1.append("Packet "+i+"\t"+rr+" Recieved...\n"); } else if (destination.equalsIgnoreCase("Dos1")) { jTextArea2.append("Packet "+i+"\t"+rr+" Recieved...\n");}else OptionPane.showMessageDialog(null,"No length--; i++;
Department of MCA, SVCET, Chittoor

e)

dis=new

Packets Received");

92

An Intrusion Response System for Relational Databases

} i=1; } catch (Exception exp) { exp.printStackTrace(); } }

APPENDIX- II SCREEN SHOTS
Browse file: This screen is used to browse for a file and send the selected request to the Intrusion Detector based on the layer number type.

Screen Number: 1

Sink1: This is the destination point where the sent file is stored and displayed in the case of a normal request.

Screen Number: 2

Detector1: This screen detects whether the request is an anomaly or not and takes appropriate actions based on the layer number type.

Screen Number: 3

Display Response: Here the response sent by the Intrusion Detector in the case of a normal request is displayed.

Screen Number: 4

Request found: Here, as the request is found not to be an anomaly, the JTAM asks for signatures from the remaining DBs.

Screen Number: 5

Acceptance: Asks the DBAs to confirm their acceptance.

Screen Number: 6

Display file: Displays the browsed file after getting acceptance from all the DBAs.

Screen Number: 7

Destination Screen: This is the destination screen that displays the file sent via the Intrusion Detector.

Screen Number: 8

Response sent: The response sent by the Intrusion Detector in the case of an anomalous request is displayed.

Screen Number: 9

Response sent by system: The response sent by the system when acceptance is not obtained from K authorized users is displayed.

Screen Number: 10

Action taken: An action is taken by the Intrusion Response System.

Screen Number: 11

APPENDIX- III BASE PAPER

