1 DIDAR – Database Intrusion Detection with Automated Recovery
Asankhaya Sharma, Govindarajan S, Srivatsan V, Prof. DVLN Somayajulu

2 An Overview
The objective of an intrusion-tolerant database is to build a self-healing system that can survive attacks: detect, isolate, contain, assess and repair.
What is an intrusion? Malicious transactions that spread damage.
Intrusions can affect:
-Availability
-Data integrity

3 The problem: Database Intrusion Tolerance
Attacks can succeed -> intrusions.
Intrusions can seriously impair data integrity and availability.
(Figure: a client connects and issues SQL commands to the DBMS, which applies authentication, access control and integrity control in front of the database.)

4 Handling Intrusions
Use data mining techniques to classify malicious transactions.
Two kinds of analysis technique:
-Signature based
-Anomaly based
Intrusion detection works in two phases:
-Learning phase
-Detection phase

5 DIDAR Algorithm
-Learning Phase
-Detection Phase
-Isolation Phase
-Recovery Phase
-Blocking Phase
-Data Warehousing Phase
-Data Mining Phase

6 The general representation of the system

7 Learning Phase
Build a model of legitimate queries using supervised learning.
Associate with each query a quadruple (t, R, A, C) that serves as the fingerprint of the query, where
-t is the type of the query (SELECT, UPDATE or DELETE)
-R is the number of relations in the query
-A is the number of attributes in the query
-C is the number of conditions in the query

8 Learning Phase
For each user in the database, create a user access graph G(V, E) such that V is the set of quadruples and E represents the access pattern of the queries in the database.
Thus in learning we read all the queries executing in the database, fingerprint each one, convert it into a quadruple and add a node for it in the user access graph.

9 Learning Phase

10 Building SQL-Query Models
Once learning is finished, the user access graph looks like the one shown below.

11 Detection Phase
For a transaction, traverse the user access graph and look for a node (say u) with the same quadruple as the transaction's fingerprint.
If no such node is found, the transaction is labelled malicious; otherwise proceed with the next transaction.
For the next transaction, check only the nodes v for which there is an edge between u and v; a transaction whose fingerprint matches none of them is labelled malicious. In this way malicious transactions are identified.

12 Detection Phase
Provide a feedback mechanism: if during the detection phase some legitimate transaction is identified as malicious, the user can give feedback, and based on that a new node with the quadruple representing the fingerprint of the current transaction is inserted into the user access graph.
(Figure: the new node inserted into the user access graph.)
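Learning, detection and feedback (slides 7, 8, 11 and 12) end to end in Python, as an added example written for this page rather than code from the DIDAR project. Everything concrete in it is an assumption: the regex-based fingerprinting that counts FROM relations, selected or SET attributes and WHERE predicates (the deck does not say how queries are parsed), the accounts/transfers schema and the sample sessions, and the choice to restart matching from any node after a query has been flagged, which the slides leave unspecified.

```python
import re
from collections import defaultdict

# Added example, not code from the DIDAR slides.  The SQL patterns, the sample
# schema (accounts, transfers) and the sessions below are constructed.

_PATTERNS = {
    "SELECT": re.compile(
        r"^\s*SELECT\s+(?P<attrs>.+?)\s+FROM\s+(?P<rels>.+?)"
        r"(?:\s+WHERE\s+(?P<cond>.+?))?\s*;?\s*$", re.I | re.S),
    "UPDATE": re.compile(
        r"^\s*UPDATE\s+(?P<rels>.+?)\s+SET\s+(?P<attrs>.+?)"
        r"(?:\s+WHERE\s+(?P<cond>.+?))?\s*;?\s*$", re.I | re.S),
    "DELETE": re.compile(
        r"^\s*DELETE\s+FROM\s+(?P<rels>.+?)"
        r"(?:\s+WHERE\s+(?P<cond>.+?))?\s*;?\s*$", re.I | re.S),
}


def _count(csv):
    """Number of non-empty comma-separated items (tables, columns, SET pairs)."""
    return len([p for p in csv.split(",") if p.strip()])


def fingerprint(sql):
    """Map one query to the slide's quadruple (t, R, A, C).

    t: statement type, R: relations in FROM/UPDATE, A: projected or assigned
    attributes (0 for DELETE), C: WHERE predicates joined by AND/OR.
    Only the three types the deck names are supported; others raise.
    """
    for kind, pat in _PATTERNS.items():
        m = pat.match(sql)
        if m:
            g = m.groupdict()
            rels = _count(g["rels"])
            attrs = _count(g["attrs"]) if "attrs" in g else 0
            cond = g.get("cond")
            conds = 0 if cond is None else len(
                re.split(r"\s+(?:AND|OR)\s+", cond, flags=re.I))
            return (kind, rels, attrs, conds)
    raise ValueError(f"unsupported statement: {sql!r}")


class UserAccessGraph:
    """Per-user graph G(V, E): V = quadruples seen, E = observed successions."""

    def __init__(self):
        self.nodes = set()
        self.edges = defaultdict(set)   # quadruple -> quadruples that followed it

    def learn(self, session):
        """Learning phase: add a node per query and an edge per observed succession."""
        prev = None
        for sql in session:
            q = fingerprint(sql)
            self.nodes.add(q)
            if prev is not None:
                self.edges[prev].add(q)
            prev = q

    def detect(self, session):
        """Detection phase: return [(index, quadruple)] for queries labelled malicious."""
        flagged, u = [], None
        for i, sql in enumerate(session):
            q = fingerprint(sql)
            # first query may match any node; later ones only successors of u
            allowed = self.nodes if u is None else self.edges[u]
            if q in allowed:
                u = q
            else:
                flagged.append((i, q))
                u = None   # assumption: restart from any node after a flagged query
        return flagged

    def feedback(self, prev_sql, sql):
        """Operator feedback: the flagged query was legitimate, so add its node and edge."""
        q = fingerprint(sql)
        self.nodes.add(q)
        if prev_sql is not None:
            self.edges[fingerprint(prev_sql)].add(q)
        return q


# Constructed legitimate sessions of one database user ("teller").
LEGIT_SESSIONS = [
    ["SELECT id, balance FROM accounts WHERE owner = 'alice'",
     "UPDATE accounts SET balance = balance - 50 WHERE id = 7",
     "UPDATE accounts SET balance = balance + 50 WHERE id = 9"],
    ["SELECT id, balance FROM accounts WHERE owner = 'bob'",
     "SELECT id, amount FROM transfers WHERE src = 7 AND dst = 9"],
]

# Constructed suspect session: a full-table dump, then an UPDATE with a tautology.
SUSPECT_SESSION = [
    "SELECT id, balance FROM accounts WHERE owner = 'alice'",
    "SELECT id, owner, balance FROM accounts",
    "UPDATE accounts SET balance = 0 WHERE id = 7 OR 1 = 1",
]


def run_demo():
    """Learn from LEGIT_SESSIONS, detect on SUSPECT_SESSION before and after feedback."""
    graphs = defaultdict(UserAccessGraph)      # one user access graph per DB user
    for session in LEGIT_SESSIONS:
        graphs["teller"].learn(session)
    before = graphs["teller"].detect(SUSPECT_SESSION)
    # Operator confirms the full-table read at position 1 was legitimate.
    graphs["teller"].feedback(SUSPECT_SESSION[0], SUSPECT_SESSION[1])
    after = graphs["teller"].detect(SUSPECT_SESSION)
    return before, after


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the flagged positions before and after the operator's feedback: the full-table SELECT at position 1 is first rejected because no edge leads to its quadruple from the preceding node, and accepted once feedback adds that node and edge; the UPDATE at position 2 stays flagged because its quadruple (UPDATE, 1, 1, 2) never occurs in the learnt graph. The cost of fingerprinting only by counts is visible here too: a malicious query with the same shape as a legitimate one (same type and the same number of relations, attributes and conditions) is indistinguishable from it, which is one reason the deck layers containment, recovery and signatures on top of detection.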

13 Detection Phase

14 Security Levels: Low
-Only identifies intrusions, with the feedback mechanism.
-There is no damage containment or recovery.
-Allows the user to formulate a proper security perimeter, with all possible transactions listed in the user access graph, while also being aware of the security state.

15 Security Levels: Medium
Low level of security plus damage containment.
Damage Containment Phase
-Take a lock manually on all the tables accessed in the malicious transaction.
-By taking the lock it is ensured that no other transaction can execute that reads data from the infected tables, thus effectively containing the damage.
-The user releases the lock by rolling back or committing the transaction after preparing for manual recovery.

16 Security Levels: High
In addition to the medium level of security, recovery is also automated.
Recovery Phase
-In automated recovery, roll the database back to the state just before the intrusion.
-Create a transaction dependency graph beginning from the malicious transaction.
-Use this graph to redo all the benign transactions. No malicious transaction is executed, so the database heals itself into a consistent state.
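The recovery phase above, as an added example written for this page (not DIDAR's code). It assumes a transaction log in commit order with each transaction's read set and write set, which the slides do not describe; writes are modelled as final values so that "redo" is a reapplication, whereas a real system would re-execute the logged SQL. The dependency graph is built from the malicious transaction forward: a later transaction that read a key written by a tainted transaction is itself tainted and is not redone. The account keys and values are constructed.

```python
from collections import defaultdict, namedtuple

# Added example, not DIDAR's code.  A transaction carries the keys it read and
# a dict of key -> value it wrote; all keys and values below are constructed.
Txn = namedtuple("Txn", "tid reads writes")


def dependency_graph(log, malicious_tid):
    """Build the dependency graph starting from the malicious transaction.

    An edge T_i -> T_j exists when T_j commits after T_i and reads a key that
    T_i wrote, i.e. T_j saw damaged data.  Returns (edges, tainted set).
    Assumption: the check is conservative and ignores intermediate overwrites
    of the same key by an untainted transaction.
    """
    by_tid = {t.tid: t for t in log}
    pos = {t.tid: i for i, t in enumerate(log)}
    tainted, queue, edges = {malicious_tid}, [malicious_tid], defaultdict(set)
    while queue:
        src = queue.pop(0)
        written = set(by_tid[src].writes)
        for t in log[pos[src] + 1:]:
            if t.reads & written:
                edges[src].add(t.tid)
                if t.tid not in tainted:
                    tainted.add(t.tid)
                    queue.append(t.tid)
    return edges, tainted


def recover(snapshot_before, log, malicious_tid):
    """Roll back to the state just before the intrusion, then redo only the
    benign transactions in commit order, skipping the malicious one and every
    transaction that depends on it.  Returns (healed state, redone tids)."""
    _, tainted = dependency_graph(log, malicious_tid)
    state = dict(snapshot_before)           # rollback: start from the snapshot
    redone = []
    for t in log:
        if t.tid in tainted:
            continue
        state.update(t.writes)              # redo a benign transaction
        redone.append(t.tid)
    return state, redone


# Constructed scenario: the snapshot taken just before T1, and the log from T1 on.
SNAPSHOT_BEFORE = {"acct:7": 100, "acct:9": 50, "acct:3": 500}
LOG = [
    Txn("T1", {"acct:7"}, {"acct:7": 1_000_000}),                         # malicious inflation
    Txn("T2", {"acct:7", "acct:9"}, {"acct:7": 999_950, "acct:9": 100}),  # transfer that read the tainted balance
    Txn("T3", {"acct:3"}, {"acct:3": 450}),                               # unrelated, benign
    Txn("T4", {"acct:9"}, {"acct:9": 90}),                                # reads T2's tainted write
    Txn("T5", {"acct:3"}, {"acct:3": 400}),                               # unrelated, benign
]


if __name__ == "__main__":
    edges, tainted = dependency_graph(LOG, "T1")
    print("dependency graph:", dict(edges), "tainted:", sorted(tainted))
    print("recovered:", recover(SNAPSHOT_BEFORE, LOG, "T1"))
```

Here T2 and T4 are dropped along with T1 because they consumed damaged values, while T3 and T5 are redone and the healed state keeps their effect. Whether the dependent benign transactions (T2, T4) should be re-executed against the healed data rather than discarded is a policy question the slides do not settle; the example takes the conservative choice.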

17 Security Levels: Paranoid
Block Phase
-For every intrusion that is detected successfully, build a signature.
-Each user in the database is now also associated with a list of signatures.
-Use this list of signatures to block a transaction directly, without going through the detection phase.

18 How to decide the Levels?
-At regular intervals (say daily), store the user access graph in a data warehouse.
-Based on the history of intrusions for each user, build a classifier with the help of data mining.
-Assign the security level based on the attacks attempted on the user's data.

19 Data Warehousing Phase

20 Data Mining Phase
