a survey on an intrusion detection and response system for relational databases › research ›...

A Survey On An Intrusion Detection And Response System For Relational Databases

Jitendra Parmar Neeraj SharmaM.Tech Scholar,Dept. of IT M.Tech Scholar,Dept. of CSES.A.T.I. Vidisha M.P. India S.V.I.T.S. Indore M.P. India

ABSTRACT

The Intrusion Detection System (IDS) notifies the systemadministrator that an intrusion has occurred or is occurringand the system administrator must respond to the intrusion.Regardless of the notification system engaged, there is adelay among detection of a possible intrusion and responseto that intrusion. The intrusion response component ofintrusion detection system is responsible for issuing asuitable response to an anomalous request. Intrusionresponse systems are mostly responsible for action taking orgenerating alarms or responding either way, so that thealert may be generated against intrusion attack. In thispaper we are presenting some techniques of intrusionresponse system (IRS) for databases. In this paper we alsodiscuss various techniques along with their results proposedby various researchers

1. INTRODUCTION

Protecting networks from computer security attacks is avital apprehension of computer security. In intrusionprevention and intrusion detection systems have been thesubject of much study and have been covered in severalexcellent survey papers. Intrusion detection systems seek todetect the behavior of an adversary by observing itsmanifestations on the system. The discovery is done atruntime when the attack has been launched. Organizationshave also come to realize that current attack techniques aremore complicated, prepared, and targeted than thesophisticated hacking days of past. Often, it is thesusceptible and proprietary data that is the real target ofattackers [1].

An intrusion-detection system (IDS) can be defined as atools, solution, and resources used to help identify, assess,and to claim unauthorized or unapproved network action.Intrusion detection is typically one part of an overallprotection system that is installed around a system ordevice—it is not a stand-alone protection measure. Anintrusion detection system (IDS) is an essential part in agood network security environment. It enables detection ofsuspicious packets and attacks. With the help of IDs, allnetwork traffic can be observed.

Traditional intrusion detection systems (IDS) in wirednetworks analyse the behaviour of the elements in thenetwork trying to identify anomalies produced by intrudersand, once identified, start a response against the intruders.These detection systems are usually placed in thoseelements with more confluent traffic such as routers,gateways, and switches. Unfortunately, in ad-hoc networks,those elements are not uses, and it is not possible to guesswhich nodes will route more traffic from its neighbours andinstall IDS systems only in those nodes [2].

Current intrusion detection systems (IDS) have limitedresponse mechanisms that are inadequate given the existingthreat. Although IDS investigate has focused on bettertechniques for intrusion detection, intrusion responseremains primarily a manual process. The IDS alerts thesystem administrator that an attack or intrusion hashappened or is taking place and the system administratormust react to the intrusion. In spite of the notificationmethod employed, there is a delay between detection of apossible intrusion and response to that intrusion. This delayin notification and response, varies from minutes to months,presents a window of occasion for attackers to exploit. Anautomated intrusion response system provides the bestpossible defence and shortens or closes this window ofopportunity until the system administrator can take an activerole in defending against the attack. Unfortunately, no suchresponse system exists.

Intrusion detection techniques are traditionally categorizedinto two methodologies: anomaly detection and misusedetection.

Anomalies based intrusion detection: Anomaly basedintrusion detection systems base their decisions onanomalies, belongings that do not usually occur. If a userunexpectedly starts a new program he never used or logs into a machine at 4 o’clock in the morning, the systemgenerates an alert announcing that something isn’t runningas usual.

Misuse detection: Misuse detection seizes intrusions interms of the characteristics of known attacks or systemvulnerabilities; any action that conforms to the pattern of aknown attack or vulnerability is considered intrusive.

624

International Journal of Engineering Research & Technology (IJERT)

Vol. 2 Issue 11, November - 2013

IJERT

IJERT

ISSN: 2278-0181

www.ijert.orgIJERTV2IS110495

The components of Intrusion Detection System can be ofthree types.

Network intrusion detection: Network intrusion detectionsystems listen to network communications. They areacquainted with intrusions which come during thenetworking environment. Essentially a network intrusiondetection system (NIDS) is a service which listens on anetwork interface looking for suspicious traffic. Networkintrusion detection systems are mostly signature based.

Host Based Intrusion Detection: Host intrusion detectionsystems (HIDS) inhabit on a resource supervised. Thisresource is mostly a computer server or workstation. HIDSseem at produced log files, changes in the file system orcheck for changes in the process table. Their objective is toidentify intrusions into a host.

Signature based intrusion detection: Signature basedintrusion is based on signatures of known attacks. Thesesignatures are accumulated and evaluated against events orreceived traffic. If a pattern matches, an alert is generated.

The autonomous intrusion response systems (IRSs) aredesigned to respond at runtime to the attack in development.The goals of an IRS may be a combination of the following– to contain the effect of the current attack if the underlyingmodel is that it is a multi-stage attack, to recover theexaggerated services, and to take longer term actions ofreconfiguration of the system to make future attacks of asimilar kind less expected to be successful. There arenumerous challenges in the design of an IRS. First, theattacks through automated scripts are fast moving throughthe different services in the system. Second, the nature ofthe distributed applications enables the spread of the attack,since under normal behavior the services have interactionsamong them and a compromised service can contaminateanother. Third, the owner of the distributed system does nothave knowledge of or access to the internals of the differentservices.

Monitoring a database to detect potential intrusions,intrusion detection (ID), is a crucial technique that has to bepart of any comprehensive security solution for high-assurance database security. The ID systems that aredeveloped must be tailored for a Database ManagementSystem (DBMS) since database-related attacks such as SQLinjection and data ex-filtration are not malicious for theunderlying operating system or the network [1].

A. Intrusion Response Approaches

There are three principal approaches for intrusion response:notification, manual response, and automatic response.

i. Notification

The majority of intrusion detection and response systemsare notification based systems that generate reports andalarms only. Periodic reports were the earliest form ofintrusion response. Ranging in frequency from daily tomonthly, reports record suspicious users so that the systemadministrator could further investigate potential intrusions.The frequency of reporting delimits the window ofopportunity that an attacker can exploit. Reporting is still animportant component of any intrusion response system isnot a viable means of intrusion response by itself.

Alarms generate immediate messages to alert the systemadministrator to potential intrusive behaviour. Alarms canbe presented in a variety of formats including emailmessages, console alerts, and/or pager activations. Afternotification, further intrusion response is left as theresponsibility of the system administrator.

ii. Manual Response

Some systems provide the additional capability for thesystem administrator to initiate a manual response from apre-programmed set of responses. These systems oftenguide the user through the selection of correct responseswhile allowing the system administrator to make the finaldecision on appropriate responses. This allows a systemadministrator to respond more rapidly to intrusions and forinexperienced system administrators to receive assistance inselecting the correct response. While this capability is moreuseful than notification, there is still a time gap betweenwhen the intrusion is detected and when the systemadministrator initiates a response. This window of exploitiveopportunity is still too large into today's computingenvironment and manual response systems are beingreplaced by systems that incorporate automatic intrusionresponse.

iii. Automatic Intrusion Response

Automatic intrusion response systems do not wait for thesystem administrator to initiate a response but insteadautomatically respond to intrusive behaviour. There are twoapproaches to providing automatic intrusion response:decision tables and rule-based systems. The most commonapproach is for the use of a simple decision table where aparticular response is associated with a particular attack.Whenever an attack occurs, the response is executed. If theattack occurs one thousand times in a row (e.g. a denial ofservice attack), the same response is executed one thousandtimes. Some automatic intrusion response systems employ arule-based decision module to determine the appropriateresponse to intrusive behaviour.

B. Intrusion Response Techniques

625



IJERT

IJERT

ISSN: 2278-0181


There are a variety of techniques for responding to anintrusion. These techniques range from generating a reportto launching a counterattack against the attacker. Indetermining the appropriate response to an intrusion, thereare a number of criteria that must be considered todetermine an appropriate response. These criteria are:

Timing: The timing of detection and responsedetermines which responses may be appropriate.Different responses are appropriate prior to anattack, during an attack, and after an attack.

Type of Attacker: The response should be tailoredso as to be effective against the kind of attacker.There is dissimilarity in responding to "scriptkiddy" as opposed to an attack launched by amilitary organization.

Type of Attack: Responses to intrusion should betailored to the type of attack. If a user account iscompromised, locking that user account is anappropriate response. Locking a user account,however, would be ineffective against a racecondition exploit.

Implications of the Attack: Different systemshave differing degrees of importance within anorganization. This difference in criticality shouldlead to different responses, to the same attack,against different targets. For example, the responseshould be different if it is a denial of service attackagainst a single workstation as compared to abuffer overflow attack against an institutionalDomain Name Server.

Degree of Suspicion: Intrusion detection is not anexact science and as a result, intrusion detectionsystems can generate false positive results. Someuser activity is clearly intrusive while other activitymay be indicative of intrusive behaviour or may benormal user activity. The response must betempered by the strength of suspicion that an actualintrusion is occurring.

Environmental Constraints: Legal, ethical,institutional, and resource constraints limit whatresponses are appropriate.

i. Generate a Report

All intrusive behaviour should be logged so that it can bereviewed by a system administrator. These reports providecritical information for the resolution of ongoing incidentsand facilitate long-term analysis of security attacks.

ii. Generate an Alarm

The success of an attack is dependent on the time betweendetection and response. Alarms, implemented through emailmessages, console messages, pagers, or even loudspeakerannouncements, notify the system administrator that an

attack is underway. Not all intrusive behaviour, however,should generate an alarm. There is a difference, for example,between a single failed SUDO attempt and one hundredfailed SUDO attempts from the same user. The latter shouldgenerate an alarm while the former probably should notexcept on the most sensitive systems.

iii. Lock User Account

If a user account has been compromised, an appropriateresponse would be to lock that user's account so that itcannot be used to launch future attacks.

iv. Suspend User Jobs

If there are indications of intrusive behaviour as well asnormal user operations, the suspension of user jobs andtermination of user sessions allows the system administratorthe opportunity to terminate any intrusive jobs while notcorrupting valid user tasks. While termination of usersessions without suspension of user jobs would be a morecommon response, there are circumstances when it wouldbe desirable to suspend user jobs.

v. Terminate User Session

If a user is involved in intrusive behaviour, the user'ssession should be terminated and the user's account lockedto prevent future damage.

vi. Enable Additional Logging

Some user behaviour cannot be unambiguouslycharacterized as intrusive behaviour but is nonethelessindicative of possible intrusive behaviour. In such cases,enabling additional logging allows for the gathering ofadditional information that may help in classifying the user'sbehaviour.

vii. Enable Remote Logging

Additional logging may not be sufficient against certaintypes of attacks or attackers and instead, remotely logging toanother system or a non-changeable media (such as CD-ROM or a printer) may be a better technique for gatheringadditional information on the attacker.

viii. Block IP Address

If the IP address of an attacking system can be identified,some network attacks can be neutralized by blocking, at arouter, all traffic from that address. While this protection isoften temporary if the attacker can change their IP address,it will slow the attacker and allow the intrusion responsesystem or system administrator more time to respond to anattack.

ix. Enable additional intrusion detection tools

Because intrusion detection tools are imperfect andconsume system resources, intrusion response systems may

626



IJERT

IJERT

ISSN: 2278-0181


enable additional intrusion detection tools as the degree ofsuspicion increases that an intrusion is ongoing. Morerobust and costly detection tools are employed as additionalindicators of intrusive behaviour are found.

x. Shutdown Host

Sometimes the only mechanism for protecting againstfurther system compromise is to shut down the machine.While this is a draconian measure, it is sometimes the onlymechanism for protecting a host under an active attack.

xi. Disconnect from the Network

For network-based attacks, disconnecting from the networkis less draconian than shutting down the host but has thesame effect - network-based attacks can no longer affect thesystem allowing the system administrator time to responseto an attack and repair any damage to the attacked system.

xii. Disabling the Attacked Ports or Services

If a single service or well-known port is being used as thebasis for the attack, that port or service can be disabledeffectively stopping the attack without affecting any of theother services offered by the system.

xiii. Warn the Intruder

Most attackers operate with the assumption that they arenot being actively monitored or that they can evadeintrusion detection systems. Telling the intruder that theyare actively being monitored all that is required for them toabandon the attack.

xiv. Trace connection

Criminal prosecution of computer attackers, while a viableresponse to intrusions, is outside the scope of intrusionresponse systems. However, tracing by the networkconnection of an attacker so that the attacker can bepositively identified is a viable response. As a side effect,the attempt to trace back a connection can be detected by theattacker. For less experienced attackers, the fact thatsomeone is actively trying to trace them will often result inthe termination of the attack.

xv. Force Additional Authentication

Forcing additional authentication slows down or stops anattack while allowing authorized users to continue to use theaffected system. The suspected intruder must provideadditional proof of their identity before they can executecommands.

xvi. Create Backups

Attacks against the integrity of a system can be thwarted bycreating up-to-date system backups for system restorationand file comparison. While it is often impractical tomaintain real-time backups of all modified files, as the

degree of suspicion that the system is being attackedincreases, the time interval between backups should bedecreased so as to limit lost or corrupted data.

xvii. Employ Temporary Shadow Files

A temporary shadow file is a duplicate file created andencrypted to protect the original file. When an intruderattempts to modify a critical system file, all modificationsare saved in a second file and the original file remainsunchanged. Additional modification attempts result inchanges to the temporary shadow file and not the originalfile.

xviii. Restrict User Activity

Suspicious users may be restricted to a special user shellthat allows some functionality while limiting the ability ofthe user to execute certain commands. This will slow theuser's ability to damage the system without terminating auser session, suspending user jobs, or requiring additionalauthentication.

2. BACKGROUND

Intrusion Response systems are becoming increasinglyimportant due to connectivity, increased threats, andincreased financial incentive for attackers. The advent of theWWW has led to increased interconnectivity, increaseddemands for network services, and increased threats.Electronic commerce not only offers new services forcustomers but new opportunities for significant financialreward to intruders. The response component is responsiblefor issuing a suitable response to an anomalous user request.On behalf of this component IDS further decide to takeaction.

3. RELATED WORK

Ashish Kamra et al [1] proposed Design andImplementation of an Intrusion Response System forRelational Databases. They describe response component ofintrusion detection system for a DBMS. They offer thenotion of database response policies for specifyingappropriate response actions. In this an interactive Event-Condition-Action type response policy language that makesit very easy for the database security administrator tospecify appropriate response actions for differentcircumstances depending upon the nature of the anomalousrequest. The two main issues are addressed in the context ofsuch response policies ‘policy matching’ and ‘policyadministration’. Policy matching procedure describedalgorithms to efficiently search the policy database forpolicies matching an anomalous request assessment. As perresult obtained proposed scheme was very efficient [1].

This approach to an ID mechanism consists of twoessentials, distinctively tailored to a DBMS: an anomaly

627



IJERT

IJERT

ISSN: 2278-0181


detection (AD) system and an anomaly response system.The primary component is based on the production ofdatabase access profiles of roles and users, and on theemploy of such profiles for the AD job. A user demand thatdoes not conform to the standard access profiles ischaracterized as anomalous [1].

The second element of approach is in charge of takingsome actions once an anomaly is sensed. There are threekinds of response actions conventional actions, fine-grainedactions, and aggressive actions. The unadventurousproceedings, such as conveyance an alert, allow theuncharacteristic request to go throughout, whereas theaggressive actions can effectively block the uncharacteristicrequest. Fine-grained response procedures, on another hand,are neither conservative nor destructive. Such proceedingsmay suspend or taint an anomalous request [3, 4]. Asuspended request is basically put on hold, until someexplicit actions are implemented by the user, like theexecution of further authentication steps. A contaminatedrequest is discernible as a potential suspicious requestresulting in further monitoring of the user and possibly inthe suspension or dropping of subsequent requests by thesame user [1].

In year of 2012, Dubey et al [2] proposed a MultipleCritical Node Detection in MANET for SecureCommunication. In this scheme they mainly concentrate thecost of intrusion detection system and the effectivepositioning. They focused on those routing systems todetect misbehavior from the nodes and differentiate if themisbehavior is produced by an intruder or, in the other hand,if is the normal misbehave in mobile wireless networks (e.g.lack of signal, routing tables not updated).

The reputations of the nodes, based on their past history ofrelaying packets, can be accessed by their neighbors toguarantee that the packet will be relayed by the node. Herewe present an intrusion detection scheme (IDS) to detectand defend against malicious nodes’ attacks in MANET.The IDS are applied on the critical nodes because it is theperfect location to identify misbehavior of connected nodes.If the possibility of congestion will occur in the networkthen senders are reduce their transfer rate. If the channelcarry on to be congested because some sender nodes do notreduce their sending rate, it can be found by the destination.It checks the previous sending rate of a flow with its currenttransfer rate. When both the rates are identical, theconsequent sender of the flow is considered as an attacker.Once the malicious nodes are identified kill those nodes [2].

The vital (critical) node test detects nodes whose failurewith malicious behaviour spread over the network thatdisconnects or significantly degrades the performance of thenetwork (i.e. introduces unacceptably long unconventionalpaths). Figure 1 represents the attacker free network by thatnumbers of nodes are communicate with each other though

a common link for example if A3 want to send their data toC3 then data first come to B then C then C3. In this fignumber of nodes are depends on a single node and a singlepath through that node. These nodes are the vital or criticalnodes and the link between them are called critical link [2].

Figure 1: Attack free communication among the nodes [2].

Attackers or malicious nodes jam that type of network bysending the huge number of data and routing packetsthrough a common link then congestion occur in thenetwork. Single attacker not affect the network easily butmultiple critical nodes are easily destroyed that type ofnetwork. Fig 2 show the network affected by maliciousnodes [2].

Figure 2: The presence of attack on critical nodes [2].

In this figure the nodes A, B and C are the critical nodes.The link A to B and B to C or vice versa having a capacityto forwarded maximum amount of data suppose 2megabytes/sec. And the capacities of sending data ofconnected nodes are also limited and each and every node inthe network is do their work under limitation. Now themalicious nodes are uncertainly deliver routing packets anddata packets in the network by that congestion occur in thenetwork [2].

In year 2012 Cheng-Yuan Ho et al [5] proposed “StatisticalAnalysis of False Positives and False Negatives from RealTraffic with Intrusion Detection/Prevention Systems. Thismechanism is beneficial for false positive/negativeassessment with multiple Intrusion Detection Systems,Intrusion Protection Systems to collect False Positive and

628



IJERT

IJERT

ISSN: 2278-0181


False Negative cases from real-world traffic and statisticallyanalyze these cases.

According to [5] the false positive/negative assessment(FPNA) collected more than two thousand False Positivesand False Negatives during sixteen months. 92.85 percent offalse cases were False Positives and 7.15 percent were FalseNegatives. Although there are thousands of False Positiveand False Negative cases in this work, these FalsePositives/FALSE Negatives are detected by the signature-based IDSs/IPSs. Maybe some False Positives or FalseNegatives occur in the anomaly-based IDSs/IPSs, andaccordingly, new DUTs, including anomaly-based oronline/cloud IDSs/IPSs.

False Positives and False Negatives of the IDS/IPS aremystery terms that illustrate a situation where the IDS/IPSmakes a mistake. The former means that the IDS/IPStriggers an alert when there is no malicious activity in thetraffic while the latter means that there is no alert raised bythe IDS/IPS when malicious traffic passes through it. Theevaluation is important to IDS/IPS developers trying tooptimize the correctness of detection by reducing both FalsePositives and False Negatives, because the False Positives /False Negatives rate limits the performance of networksecurity systems due to the base-rate fallacy phenomenon[5].

In the same year 2012 Martinez et al [6] proposedCustomized Policies for Handling Partial Information inRelational Databases. In this they propose the generalconcept of partial information policy (PIP) operator tohandle incompleteness in relational databases. PIPmachinists build upon partiality frameworks for unfinishedinformation, but contain different types of unfinished data(e.g., a value exists but is not known; a value does not exist;a value may or may not exist). Dissimilar users in the realworld have different ways in which they want to handleincompleteness - PIP operators allow them to specify apolicy that matches their attitude to risk and theirknowledge of the application. They also offered indexstructures for efficiently evaluating PIP operators. As pertheir result, it is shown that the adoption of such indexstructures allows to efficiently managing very large datasets.Additionally they also showed that PIP operators can becombined with relational algebra operators, giving evenmore capabilities to users to manage their incomplete data[6].

In this they worked with two data sets containing extensiveincomplete information. One encloses data connected withterror groups. The other is one of the most authoritative datasets about education in the world from the World Bank andUNESCO. This Data was collected manually throughextensive surveys, there are many incomplete entries. Theincompleteness is due to many factors (like conflict in thecountry). In all the works dealing with the management of

incomplete databases, the DBMS dictates how incompleteinformation should be handled. However, the stock analystknows stocks, the market, and his own management’s orclient’s attitude toward risk better than a DB developer whohas never seen the stock DB [6].

As per result analysis they first compared the times takenby the naive and index based approaches to evaluate a PIPoperator. They varied the size of the DB up to 15 milliontuples and the “amount of incompleteness” by randomlyselecting tuples and inserting nulls in them. The executiontimes for the index approach include both the time tocompute the result of a PIP operator and the time taken tocompute the associated indexes. The gap between the twoapproaches increases significantly as the DB size increaseswith the index-based approach significantly outperforming.Later on they measured the time to execute tuple insertions,deletions, and updates. The index-based approach is fasterthan the naive approach, when tuple deletions areperformed, but slower for tuple insertions and updates,though the differences are negligible and do notsignificantly increase as the database size increases. Thissmall overhead is due to the management of the differentdata structures the index-based approach relies on and ispaid back by the better performances achieved for PIPoperator evaluation. As per above result shows thatevaluating PIP operators is significantly faster with ourindex structures, but tuple insertions and updates are slightlyslower (though tuple deletions are faster) [6].

SHI and ZHU proposed a fine-grained access control modelfor relational databases [7]. In this they propose a new Fine-Grained Access Control (FGAC) model which supports thespecification of open access control policies with closedaccess control policies in relational databases. Forintegrating FGAC into relational databases, it is necessaryto provide a FGAC model which can support thespecification of many access control policies. ProposedFGAC model has two key features: supporting thespecification of open access control policies as well asclosed access control policies, and supporting multiplepolicies. This model was implemented as a component ofdatabase management system [7].

In the projected FGAC model, they apply the policy filterwith the Allowed Filter and the Prohibited Filter to identifywhich information can be admittance and which informationis prohibited. Filters permit the FGAC model to supportclosed admittance control policies and open access controlpolicies. This FGAC model takes the restricted object tosubstitute the object in the traditional access control modelin relational databases. Because object is a special case ofthe restricted object, the FGAC model is extended fromtraditional access control models, and can be compatiblewith them [7].

629



IJERT

IJERT

ISSN: 2278-0181


FGAC controls the access of users in a relational databaseand the access modes include select, insert, update, anddelete. In relational databases, there exist mainly twoapproaches to granting privileges to users. One is to directlyassign permissions to users, and the other is to grantprivileges to the roles that users are assigned. FGAC modelsshould support both of these authorization approaches.When FGAC is enforced in relational databases, not onlyshould the cost of the implementation of the select operationbe evaluated, but also the performance of the DBMS. TheFGAC policies did affect the performance; the systemperformance was rational, almost linear and thus acceptable.Performance results showed that the proposed model andthe implementation approach are feasible [7].

Baohua et al [8] proposed A Formal Multilevel DatabaseSecurity Model. A multilevel database security modelincreases integrity examination in the foundation of originalsecret request. The comparison way of the subject and theobject is corresponded with the manner of operatingmethod, and it strengthens the security and the usability ofthe system. The formal multilevel database security modelis applied in LogicSQL security database managementsystem. System.LogicSQL database is the independentdevelopment high security rank database based on theLinux. The multilevel database protection model is appliedin the LogicSQL database management system [8].

Sohail and Hyder [9] proposed Security Issues inDatabases. The security issues and requirements fordiscretionary and mandatory security models for theprotection of conventional database systems and objectoriented database systems are illustrated in [9]. Severalproposals for discretionary and mandatory security modelsfor the protection of conventional databases and object-oriented database systems are presented. Still, there is not astandard for designing these security models. This studygives a collected picture of different security issues ofdatabase; it can be extended to define, design andimplement an effective security policy on a databaseenvironment and provides a consolidated view of databasesecurity.

As database technology look forward into new applicationsareas, the requirements changes and become more critical aswell as demanding. Object model provides a superset of thefunctionalities of relational database management system.Many of the commercial relational database managementsystems are incorporating object-oriented concepts tofacilitate database design and development in theincreasingly object-oriented world. The incorporation ofobject-oriented concepts offers new tools for securing thedata stored in the object databases. Security issues inrelational databases are achieved comparatively with ease ascompared to object databases since it is based on someformal mathematical model [9].

In [9] authors also discuss about various security problemsin object oriented database system namely PolyinstantiationAggregation and Inference problem.

a. Polyinstantiation: This problem arises when users withdifferent security levels attempt to use the identicalinformation. The assortment of clearances and sensitivitiesin a protected data base system result in conflicts betweenthe objects that can be accessed and modified by the users.Through the use of polyinstantiation, information ispositioned in multiple locations, generally with dissimilarsecurity levels. Perceptibly, the more susceptibleinformation is omitted from the instances with lowersecurity levels. Although polyinstantiation solves themultiparty update divergence problem, it elevates apotentially greater problem in the variety of ensuring theintegrity of the data within the database. Without somescheme of concurrently updating all incidents of the data inthe database, the truthfulness of the information rapidlydisappears. In quintessence, the system becomes acollection of numerous distinct data base systems, each withits own data [9].

i. Object Value polyinstantiation: an unclassified userviews a specific object different from a Secret subjectviews.

ii. Class Structure polyinstantiation: an Unclassifiedsubject views a specific class consisting of the instancevariables different from a Secret subject views in terms ofinstance variables.

iii. Class method polyinstantiation: an unclassified userviews EMP as having the methods get-name, change-namewhile the Secret subject views EMP as having methods get-name, change-name, get-salary, change-salary.

iv. Method polyinstantiation: an unclassified user views amethod update-salary to have one parameter which is theamount by which the salary should be increased. A Secretuser views this method as having two parameters; one is theamount and the other is the new salary value which isreturned to the user.

b. Aggregation: The aggregation problem occurs when auser can from aggregates of related items, all of which areclassified at some level, that deduce classified data. Thehigher level information (which may be thought to besubject to a higher level of security clearance) may beinferred from a large number of lower level data items [9].

c. Inference problem: The word “inference” means“forming a conclusion from premises”. Many user of anydatabase can illustrate inferences from the information theyhave obtained from the database and prior additionalinformation (known as supplementary knowledge) theyhave. The inference can lead to information disclosure if the

630



IJERT

IJERT

ISSN: 2278-0181


user is able to access to information they are not authorizedto read. This is the inference problem in the databasesecurity [9].

In year 2012 T. Swetha et al [10] proposed DatabaseIntrusion Detection Response System. The intrusiondetection system is responsible for issuing a suitableresponse to request. They describe the database responsepolicies to support intrusion response system. It is very easyfor the database administrators to specify appropriateresponse actions for different circumstances depending uponthe nature of the anomalous request.

The response component is responsible for issuing a suitableresponse to an anomalous user request. They [10] offeredthe concept of database response policies for specifyingappropriate response actions. They [10] accessible aninteractive Event-Condition-Action type response policylanguage that makes it very easy for the database securityadministrator to specify appropriate response actions fordifferent circumstances depending upon the nature of theanomalous request. In this ID mechanism consists of twochief elements, exclusively tailored to a DBMS: an anomalydetection (AD) system and an anomaly response system.The very first component is based on the construction ofdatabase access profiles of functions and users, and on theuse of such profiles for the Attack. A user-request that doesnot be conservative to the normal access profiles ischaracterized as anomalous. The second element of thisapproach is in charge of taking some actions once ananomaly is identified. There are main three types ofresponse actions respectively, conservative actions, fine-grained actions, and aggressive actions. As per resultobtained this algorithm was efficient [10].

D. Jayanthi and M. Suresh [11] proposed IntrusionResponse System for Relational Databases Using JointThreshold Administration Model. The intrusion responsecomponent of an overall intrusion detection system isresponsible for issuing a suitable response to an anomalousrequest. The database response policies to support theintrusion response system tailored for a DBMS is proposed,which makes easy for the database Administrators to specifyappropriate response actions based on the characteristics ofanomalous request [11].

This work proposed an interactive Event-Condition-Actiontype response policy language that makes it very easy forthe database security administrator to specify appropriateresponse actions for different circumstances depending uponthe nature of the anomalous request is presented. Thedetection of an anomaly by the detection engine can beconsidered as the system event. An Event-Condition-Action(ECA) language is used for specifying response policies. AnECA rule is typically organized as follows:

ON {Event} IF {Condition} THEN {Action}

If the event arises and the condition evaluates to true, thespecified action is executed. In this context, an event is thedetection of an anomaly by the detection engine. Acircumstance is individual on the attributes of the detectedanomaly and on the attributes representing the internal stateof the DBMS. An action is the internal response actionexecuted by the engine [10].

The other issue that is the administration of responsepolicies to prevent malicious modifications to policy objectsfrom legitimate users. And also avoid from raising falsealarm. JTAM, a novel administration model, based onShoup’s [12] threshold cryptographic signature scheme isproposed. An interactive response policy that requires asecond factor of authentication will provide a second layerof defense when certain anomalous actions are executedagainst critical system resources such as anomalous accessto system catalog tables. This opens the technique to newresearch on how to organize applications to handle suchinteractions for the case of legacy applications and newapplications. In the safety measures area there is a lot workdealing with retrofitting legacy applications forauthorization policy enforcement. Such approaches can beextended to support such an interactive method. For newapplications, one can formulate methodologies to organizeapplications that support such interactions. However,because the approach is strategy based, the DBAs have theelasticity of designing policies that best fit the wayapplications are organized [11].

Fatima Nayeem et al [13] proposed Policies BasedIntrusion Response System for DBMS. Intrusion responsesystem for a relational database is essential to protect it fromexternal and internal attacks. They offer a new intrusionresponse system for relational databases based on thedatabase response policies. They developed an interactivelanguage that helps database administrators to determine theresponses to be provided by the response system based onthe malicious requests encountered by relational database.They also maintain a policy database that maintains policieswith esteem to response system. For penetrating theappropriate policies algorithms are designed andimplemented. The proposed system also takes care ofinternal attacks from DBAs who have privileges to doimportant activities. Even for administrators also role basedaccess restrictions are provided. According to resultproposed response system is effective and can provideaccurate responses based on the response policiesmaintained in the policy database.

The ID mechanism approach [13] has two importantaspects. They are actually altered for database managementsystems. They are acknowledged as Anomaly responsesystem and anomaly detection. The former is achieved usingdatabase access profiles or users and roles. This paperfocuses on the second aspect that is taking actions oncedetection of anomaly is completed. The proposed approach

631



IJERT

IJERT

ISSN: 2278-0181


follows a proactive approach in showing alerts and blockingthe anomalous request. The response actions are fine –grained and they are not aggressive or conservative. When arequest is suspected, it is kept on hold until furtherauthentication steps are carried out to verify the validity ofthe request. It is also possible to mark a request taintedindicating that the request is potentially suspicious. As thereis need for different responses based on the maliciousrequests, the key is to address the response measure problem[13].

When a response system is required which takes actionsinvoluntarily when malicious requests are encountered, it isnot a simple task. The key idea to solve this is to monitorthe context in which such request is made. To address theproblem a suitable response policy is required that can caterto the needs of all situations. Policy administration andpolicy matching are the two issues addressed in terms ofresponse policies. Response policy can be built as regulardatabase object which takes care of particular response.However, it represents various challengers instead of simplystoring data as other database objects. The user which DBArole only can create policy objects in the database. In thisadministration model the basic problem is identified andnamed as conflict of interest. Insider threat is the main issuein this case which throws challenges and demands suchaccurate response system which is made up of responsepolicies [13].

K.Shanmuga Priya proposed Database Response Policies toSupport Intrusion Response System for DBMS [14]. Adatabase to detect potential intrusions, intrusion detection(ID), is a crucial technique that has to be part of anycomprehensive security solution for high assurance databasesecurity. The two main issues that address in the context ofsuch response policies are that of policy matching andpolicy administration. Policy corresponding is the difficultyof searching for policies applicable to an uncharacteristicrequest. Whenever an anomaly is detected, the responsescheme must investigate in the course of the policy databaseand find policies that match the anomaly. The second issuethat address is that of administration of response policies. Aresponse policy can be considered as a regular databaseobject such as a table or a view [14].

Response Actions: The response action to be executed isspecified as part of a response policy. The conservativeactions are low rigorousness actions. Such actions mayregister the anomaly details or throw an alert, but they donot proactively avoid an intrusion. On the other handAggressive actions are high severity responses. Such actionsare skilled of preventing an intrusion proactively bydropping the request, separating the user orrevoking/denying the indispensable privileges. Fine-grainedresponse actions are neither too conventional nor tooaggressive. Such actions may suspend or contaminate ananomalous request. A suspended request is basically put on

hold, until a few specific actions are accomplished by theuser. A tainted request is merely marked as a potentialsuspicious request resulting in further monitoring the user insuspension or dropping of subsequent requests by the sameuser [14].

Interactive ECA Response Policies: An ECA policy issufficient to trigger simple response measures such asdisconnecting users, falling an anomalous demand,conveyance an alert, and so forth. In several cases,conversely, it is to engage in interactions with users. Forexample, suppose the detection of an anomaly, want toexecute a fine grained response action by suspending theanomalous request. Then the user to authenticate, using asecond authentication factor as the subsequently action. Incase the verification fails, the client is disconnected. If not,the request continues. As ECA strategies are not capable tosupport such progression of actions and then enlarge with aconfirmation action construct. A confirmation action is thesucceeding course of action after the early response action.Its intention is to interact with the user to determine theeffects of the preliminary action. If the authentication actionis successful, the resolution action is implemented; else thefailure action is executed [14].

Policy Administration: The main issue in theadministration of response policies is how to protect apolicy from malicious modifications made by a DBA thathas legitimate access rights to the policy object. To addressthis issue, an administration model referred to as the JTAMis proposed. The JTAM protects a response policy againstmalicious modifications by maintaining a digital signatureon the policy characterization. The signature is thenauthenticating either periodically or upon policy usage toverify the integrity of the policy definition. If the DBMShad possessed such key, it could simply create a HMAC(Hashed Message Authentication Code) of each policyusing its confidential key, and later use the equivalent key tocorroborate the integrity of the policy [14].

JTAM Setup: Before the response policies can be used, anumber of security constraints are registered with theDBMS as part of an on one occasion registration phase. Thefeatures of the registration phase are as follows: Theparameter l is set equal to the number of DBAs registeredwith the DBMS. Such requirement allows any DBA togenerate a valid signature share on a policy entity, in thismanner making this approach very stretchy. This is becauseit relies on a special property of the RSA modulus,explicitly, that it should be the product of two secureprimes. The DBMS is to be the trusted component thatgenerates the security parameters [14].

Base Policy Matching: The policy matching algorithm isinvoked when the response engine receives an anomalydetection assessment. For every attribute A in the anomalyassessment, the algorithm estimates the predicates defined

632



IJERT

IJERT

ISSN: 2278-0181


on A. After calculating a predicate, the algorithm trace allthe policy nodes associated to the estimated predicate node.If the predicate calculates to true, the scheme increments thepredicate-match count of the attached policy nodes by one.A policy is coordinated when its predicate-match-countbecomes equivalent to the number of predicates in thepolicy condition. On the other hand, if the predicateestimates to false, the scheme identifies the linked policynodes as invalidated [14].

Ordered Policy Matching: The searching procedure is inthe base policy matching algorithm. This algorithm does notgo through the predicates according to a fixed order. Aheuristic by which the predicates are evaluated indescending order of their policy-count; the policy-count of apredicate being the number of policies that the predicatebelongs to. The ordered policy matching algorithm is thatchoosing the correct order of predicates is important as itmay lead to an early termination of the policy searchprocedure either by invalidating all the policies or byexhausting all the predicates [14].

The response component is responsible for issuing a suitableresponse to an anomalous user demand. An interactiveEvent-Condition-Action type reaction policy language isconstructing it very easy for the database. The two mainissues that addressed in the context of such responsepolicies are policy corresponding, and policy administration.For the policy matching procedure, the algorithms areefficiently to search the policy database for policiesmatching an anomalous request. The other issue is theadministration of response policies to prevent maliciousmodifications to policy objects from legitimate users [14].

R.Jothi and N. Rathika proposed Multi-HandAdministration with an Intrusion Response System inDatabases [15]. They recommend the notion of databaseresponse policies to sustain intrusion response systemtailored for a DBMS. Interactive response policy languagemakes it very straightforward for the databaseadministrators to identify appropriate response actions fordifferent circumstances depending upon the temperament ofthe anomalous request.

This approach to an ID method consists of two majorfundamentals, exclusively tailored to a DBMS: an anomalydetection (AD) system and an anomaly response system.The primary component is based on the construction ofdatabase entrance profiles of roles and users, and using suchprofiles for the AD task. A user request that does not beconventional to the normal access profiles is characterizedas anomalous [15].

There are three most important types of response actionsthat are correspondingly, as conventional actions, fine-grained actions, and aggressive actions. The conventionalactions, such as sending an alert, permit the anomalous

request to go through, while the aggressive actions cansuccessfully block the anomalous demand. Fine-grainedresponse actions, on the other hand, are neither conventionalnor aggressive [15].

Anomaly Attributes: The detection mechanism foranomaly gives the anomaly estimation with the help ofanomaly attributes. Two foremost categories for thoseattributes have been acknowledged such as contextualcategory and structural category. Contextual categoryincludes the whole attributes elaborating the perspective ofthe anomalous requests like user, role, source and time.Structural category includes the total attributes which areconveying information about the anomalous requeststructure like admittance database objects and SQLcommand. By using the attributes of the anomaly thedetection engine surrenders the characterization of theanomaly [15].

Policy Administration: The main problem in theadministration progression of policy responding is how tosafeguard the policy from malicious modifications whichare done by the DBA who has the authentic access rights forthe object of the policy. To address this issue, they [15] hadnoted the following things.

Implementation of conformation actions similar to secondfactor of authentication or the re authentication needscertain modifications in the communication protocol amongthe server and the database clients. These cases are used inthe circumstances such as confirmation actions that areuseful while the malicious subjects are able to bypass theinitial authentication mechanism for the databasemanagement system because of the vulnerability in thesoftware like overflow of buffer or because of attacks in thesocial engineering like using the some others unlockedunattended terminal [15].

While considering the interactive response that the user isnot requisite the resolution or malfunction or conformationactions that may be misplaced from the policy [15].

The vulnerability case they presuppose is that the DBA hasthe complete rights in the DBMS and so it is capable ofexecuting the subjective SQL update, insert and deletecommands in order to do certain malevolent modificationsto the policies. These are possible even when the policiesare stored in the system catalog itself. JTAM protects theresponse policy in opposition to the modifications duringthe progression of digital signature on the policy description.Then the signature is confirmed and validated occasionallyor upon the usage of the policy in order to ensure the policydefinition integrity. The basic theory of the approach is thatthey don’t trust a solitary DBA for creating or managing theresponse policies but hazard the mitigated if the expectationis disturbed among various DBAs. Thus creating a response

633



IJERT

IJERT

ISSN: 2278-0181


policy is not an individual predicament it should belegitimate with k DBAs [15].

JTAM: Sooner than the response policies can be used, anumber of security parameters are registered with theDBMS as ingredient of a onetime registration phase. Thedetails of the registration phase are as follows: Theparameter l is set equivalent to the number of DBAsregistered with the DBMS. Such prerequisite allows anyDBA to produce a convincing signature share on a policyobject, thereby making this approach very flexible. Shoup’sscheme [12] also necessitates a trusted dealer to engenderthe security parameters. This is because it relies on anextraordinary property of the RSA modulus, namely, that itmust be the product of two safe primes [15].

Signature Share Verification: It is possible for a maliciousadministrator to replace a valid signature share with someother signature share that is generated on a different policydefinition. Nevertheless, such attack will be unsuccessful asthe final signature that is formed by the signature sharecombining algorithm will not be legitimate. Note that bysubmitting an unacceptable signature share, a maliciousadministrator can obstruct the creation of an applicablepolicy. They do not see this as a most important problemsince the threat scenario that is address is maliciousmodifications to obtainable policies, and not generation ofpolicies themselves [15].

Final Signature Verification: A final signature on a policyis present in all the policy states except the CREATED state.As explained earlier, the concluding signature is confirmedusing the public key (n, e) corresponding to the value of k.The public key is assumed to be signed using a trusted thirdparty certificate that cannot be forged. Thus, if a maliciousDBA replaces the server produced public key, the finishingsignature will be overthrow. Separately from verifying thefinal signature instantaneously after policy commencement,suspension, and fall, the signature must also be verifiedbefore a policy may be considered in the policy matchingprocess. Such approach ensures that only the set of responsepolicies, that have not been interfered, are considered forresponding to an anomaly [15].

Malicious Policy Update: A policy may be modified by amalicious DBA using the SQL update statement.Conversely, all policy explanation attributes that require tobe protected are hashed and signed; consequently anymodification to such attributes in the course of the SQLupdate command will overthrow the final signature on thepolicy [15].

Malicious Policy Deletion: An authorized policy may bedeleted by a malicious DBA using the SQL delete command.However in JTAM, a policy tuple is not at all physicallydeleted; only its state is distorted to DELETED. Thus, asignature on the policy-count can be used to identify

malicious removal of policy tuples. The comprehensiveapproach is as follows: When the Create Response Policyauthority is executed; the DBMS counts the number ofpolicy tuples present in the database. It augmentation suchpolicy-count by one to explanation for the new policy beingcreated [15].

A hash is taken on the new policy-count and state = VALID,and a signature share is generated on such hash. Thesignature share, strategy or policy id of the policy beingcreated, the k value of the policy being created, and theinitial state = INVALID are all stored in thesys_response_policy_count catalog. Note that the policy idthat is inserted in the sys_response_policy_count tablerepresents the latest policy that has been created. Duringpolicy commencement, the DBMS first checks if the policyid present in sys_response_policy_count matches the id ofthe policy currently being activated. If the confirm succeeds,it counts the number of policy tuples in the database, andgenerates a signature allocate on the hash of the policy-count, and state = VALID. If the check fails, no signatureshare is generated [15].

Signature Replay Attacks: A malicious DBA can create acopy of the ultimate signature on a policy. It can then repeatthe copied signature, that is, it can substitute the existingsignature on the policy with the derivative signature andchange the policy state to the state corresponding to theunoriginal signature. This attack is probable since theypermit alterations to an existing policy object. To addressthis attack, they duplicate the policy state to a systemcolumn of the sys_response_policy catalog. A systemdiscourse of a table is a column that is managed exclusivelyby the DBMS and its contents cannot be modified by anyuser. In case the policy condition in the system column doesnot equivalent the policy state in the column observable tothe user, a policy integrity violation is detected [15].

Policy Replay Attacks: A malicious DBA may insert apreviously authorized policy tuple, whose circumstanceshave been misrepresented to DROPPED, into thesys_response_policy catalog. Such attack can be prohibitedas follows: There is a unique policy id connected with eachpolicy tuple that is generated by the DBMS. If a maliciousDBA tries to insert a beforehand authorized policy tuple, theDBMS will generate a fresh policy id for the new tuple.Since the hash of the policy, H (Pol), takes into account thepolicy id, the final signature on such maliciously insertedpolicy tuple will be invalidated [15].

The response component of intrusion detection system for aDBMS is described. The response component is responsiblefor issuing a suitable response to an anomalous user request.An interactive Event-Condition-Action type response policylanguage is presented that makes it very easy for thedatabase security administrator to specify appropriate

634



IJERT

IJERT

ISSN: 2278-0181


response actions for different circumstances depending uponthe nature of the anomalous request [15].

4. CONCLUSION

The intrusion response element of taken as a wholeintrusion detection system is conscientious for issuing anappropriate response to an anomalous request. In today’sscenario database related transactions are growing rapidly.Data correspond to today a significant asset for companiesand organizations. Some of these data are significancemillions of dollars and organizations take enormous care atcontrolling entrance to these data, with respect to bothinternal users, within the organization, and external users,outside the organization. Monitoring a database todistinguish prospective intrusions, intrusion detection (ID),is an essential technique that has to be part of anywidespread security solution for high-assurance databasesecurity. Here we present recent trends of security in respectto database. There are various techniques used for betterperformance of database system to detect anomaly and othersecurity related issues.

REFERENCES

[1] Ashish Kamra and Elisa Bertino “Design and Implementationof an Intrusion Response System for Relational Databases”, IEEETransactions on Knowledge and Data Engineering, Vol. 23, No. 6,pp. 875-888, June 2011.[2] Ghanshyam Prasad Dubey, Neetesh Gupta, Amit Sinhal,“Multiple Critical Node Detection in MANET for SecureCommunication”, Proceedings in International Conference onComputer and Communication (ICCC-2012), pp. 521-529, 2012.[3] A. Kamra, E. Bertino, and R.V. Nehme, “Responding toAnomalous Database Requests,” Secure Data Management, pp. 50-66, Springer, 2008.[4] A. Kamra and E. Bertino, “Design and Implementation ofSAACS: A State-Aware Access Control System,” ProceedingsAnnual Computer Security Applications Conference (ACSAC),2009.[5] Cheng-Yuan Ho, Yuan-Cheng Lai, I-Wei Chen, Fu-Yu Wang,and Wei-Hsuan Tai “Statistical Analysis of False Positives andFalse Negatives from Real Traffic with IntrusionDetection/Prevention Systems”, IEEE Communications Magazine,Vol. 50, Issue 3, pp. 146 - 154, 2012.[6] Maria Vanina Martinez, Cristian Molinaro, John Grant, and V.S. Subrahmanian “Customized Policies for Handling PartialInformation in Relational Databases”, IEEE Transactions onKnowledge and Data Engineering, pp. 1-18, 2012.[7] Jie SHI, Hong ZHU “A fine-grained access control model forrelational databases”, Journal of Zhejiang University-SCIENCE C(Computers & Electronics), ISSN 1869-196X, vol. 11, issue 8, pp.575-586, 2011.[8] WANG Baohua, MA Xinqiang , LI Danning “A FormalMultilevel Database Security Model”, IEEE 2008 InternationalConference on Computational Intelligence and Security, pp. 252-256, 2008.[9] Sohail IMRAN and Dr. Irfan Hyder “Security Issues inDatabases”, 2009 Second International Conference on FutureInformation Technology and Management Engineering, pp. 541 –545, 2009.

[10] T. Swetha B. Krishna Prasad P. V. Kumar “Database IntrusionDetection Response System”, International Journal of AdvancedResearch and Innovations (IJARAI), ISSN Online: 2319 – 9253,Vol. 1, Issue - 1, pp. 65 – 72, dec-2012.[11] D. Jayanthi and M. Suresh “Intrusion Response System forRelational Databases Using Joint Threshold AdministrationModel”, International Conference on Computing and ControlEngineering (ICCCE 2012), 12& 13 April 2012.[12] V. Shoup, “Practical Threshold Signatures”, ProceedingsInternational Conference on Theory and Application ofCryptographic Techniques (EUROCRYPT), pp. 207- 220, 2000.[13] Fatima Nayeem, M.Vijayakamal “Policies Based IntrusionResponse System for DBMS”, International Journal of ComputerScience and Network (IJCSN), ISSN 2277-5420, Volume 1, Issue6, pp. 110 – 114, December 2012.[14] K.Shanmuga Priya “Database Response Policies to SupportIntrusion Response System for Dbms”, International Journal ofCommunications and Engineering, ISSN No: 0988-0382, Volume03, No.3, Issue 03, March 2012.[15] R. Jothi and N. Rathika “Multi-Hand Administration with anIntrusion Response System in Databases”, International Journal ofAgriculture Innovations a Research.

Author(s)

Jitendra Parmar: Has completed hisB.E. in Information Technology fromNIIST (RGPV) BHOPAL (M.P.) in theyear 2010 and is pursuing M.Tech inSoftware System from Samrat AshokTechnological Institute Vidisha M.P.INDIA

Neeraj Sharma: Has completed hisB.E. in Information Technology fromMITS (RGPV) UJJAIN (M.P.) in theyear 2010 and is pursuing M.Tech inSoftware Engineering from ShriVaishnav Institute Of Technology &Science Indore M.P. INDIA

635



IJERT

IJERT

ISSN: 2278-0181


a survey on an intrusion detection and response system for relational databases › research ›...

Documents