030 final documentation

An Intrusion Response System for Relational Databases

1. INTRODUCTION

RECENTLY, we have seen an interest in products that continuously monitor

a database system and report any relevant suspicious activity. Database activity

monitoring has been identified by Gartner research as one of the top five strategies

that are crucial for reducing data leaks in organizations. Such step-up in data

vigilance by organizations is partly driven by various US government regulations

concerning data management such as SOX, PCI, GLBA, HIPAA, and so forth.

Organizations have also come to realize that current attack techniques are more

sophisticated, organized, and targeted than the broad-based hacking days of past.

Often, it is the sensitive and proprietary data that is the real target of attackers.

Also, with greater data integration, aggregation and disclosure, preventing data

theft, from both inside and outside organizations, has become a major challenge.

Standard database security mechanisms, such as access control, authentication,

and encryption, are not of much help when it comes to preventing data theft from

insiders. Such threats have thus forced organizations to reevaluate security

strategies for their internal databases. Monitoring a database to detect potential

intrusions, intrusion detection (ID), is a crucial technique that has to be part of any

comprehensive security solution for high-assurance database security. Note that

the ID systems that are developed must be tailored for a Database Management

System (DBMS) since database-related attacks such as SQL injection and data

exhilaration are not malicious for the underlying operating system or the network.

Our approach to an ID mechanism consists of two main elements,

specifically tailored to a DBMS: an anomaly detection (AD) system and an

Department of MCA, SVCET, Chittoor 1


anomaly response system. The first element is based on the construction of

database access profiles of roles and users, and on the use of such profiles for the

ADtask. A user-request that does not conform to the normal access profiles is

characterized as anomalous.

Profiles can record information of different levels of details; we refer the

reader to for additional information and experimental results. The second element

of our approach the focus of this paper is in charge of taking some actions once an

anomaly is detected. There are three main types of response actions that we refer

to, respectively, as conservative actions, fine-grained actions, and aggressive

actions. The conservative actions, such as sending an alert, allow the anomalous

request to go through, whereas the aggressive actions can effectively block the

anomalous request. Fine-grained response actions, on the other hand, are neither

conservative nor aggressive. Such actions may suspend or taint an anomalous

request. A suspended request is simply put on hold, until some specific actions are

executed by the user, such as the execution of further authentication steps. A

tainted request is marked as a potential suspicious request resulting in further

monitoring of the user and possibly in the suspension or dropping of subsequent

requests by the same user.



2. OBJECTIVE

With greater data integration, aggregation and disclosure, preventing data







comprehensive security solution for high-assurance database security.

Our approach is to design an ID mechanism that consists of two main

elements, specifically tailored to a DBMS: an anomaly detection (AD) system and

an anomaly response system. The first element is based on the construction of

database access profiles of roles and users, and on the use of such profiles for the

AD task. A user request that does not conform to the normal access profiles is

characterized as anomalous. The second element of our approach is in charge of

taking some actions once an anomaly is detected.



3. LITERATURE SURVEY

3.1. DOMAIN KNOWLEDGE

3.1.1 DATA MINING

Generally, data mining (sometimes called data or knowledge discovery) is

the process of analyzing data from different perspectives and summarizing it into

useful information - information that can be used to increase revenue, cuts costs,

or both. Data mining software is one of a number of analytical tools for analyzing

data. It allows users to analyze data from many different dimensions or angles,

categorize it, and summarize the relationships identified. Technically, data mining

is the process of finding correlations or patterns among dozens of fields in large

relational databases.

Although data mining is a relatively new term, the technology is not.

However, continuous innovations in computer processing power, disk storage, and

statistical software are dramatically increasing the accuracy of analysis while

driving down the cost.

3.1.2 DATA AND KNOWLEDGE ENGINEERING

Database Systems and Knowledge base Systems share many common

principles. Data & Knowledge Engineering (DKE) stimulates the exchange of ideas

and interaction between these two related fields of interest. DKE reaches a world-

wide audience of researchers, designers, managers and users. The major aim of

the journal is to identify, investigate and analyze the underlying principles in the

design and effective use of these systems. DKE achieves this aim by publishing



original research results, technical advances and news items concerning data

engineering, knowledge engineering, and the interface of these two fields.

The problem of insider threats to DBMSs is being recognized as a major

security threat by the organizations; in a 2004 E-crime watch survey conducted by

CERT and US Secret Service, insider threat was identified as the second biggest

threat after hackers. The solution to the insider threat problem requires among

other techniques the adoption of mechanisms able to detect and respond to

access anomalies by users internal to the organization owning the data. For our

IDR system to provide stronger security guarantees, it needs to ensure that the

activities of even the database administrators (DBAs) be monitored, and

responded to if deemed malicious. This is a difficult problem to address since the

policies that specify a response action need to be created for the DBAs who are, in

turn, responsible for managing the same policies.

3.2. SYSTEM INTRODUCTION

Organizations have come to realize that current attack techniques are more

sophisticated, organized, and targeted than the broad-based hacking days of past.

Often, it is the sensitive and proprietary data that is the real target of attackers.

Also, with greater data integration, aggregation and disclosure, preventing data









comprehensive security solution for high-assurance database security.

3.3 PREVIOUS TAXONOMY

Title : The Cyber Enemy within ... Countering the Threat from Malicious

Insiders.

Authors: D. Brackney,T. Goan,A.Ott, and L. Martin.

One of the most critical problems facing the information security community

is the threat of a malicious insider abusing his computer privileges to modify,

remove, or prevent access to an organization's data. An insider is considered

trusted (at least implicitly) by his organization because he is granted access to its

computing environment. Whether or not that insider is in fact trustworthy is a

question that lies at the heart of the insider threat problem. Complicating this

problem is the fact that there is no "one size fits all" description of a malicious

insider. Motivations, objectives, cyber expertise, system privileges[1] all can and

do vary from one case to the next.

Title : Detecting Anomalous Access Patterns in Relational Databases.

Authors: A. Kamra, E. Terzi, and E. Bertino.

A considerable effort has been recently devoted to the development of

Database Management Systems (DBMS) which guarantee high assurance and

security. An important component of any strong security solution is represented by

Intrusion Detection (ID) techniques, able to detect anomalous behavior of

applications and users. To date, however, there have been few ID mechanisms

proposed which are specifically tailored to function within the DBMS. In this

paper[2], we propose such a mechanism. Our approach is based on mining SQL



queries stored in database audit log files. The result of the mining process is used

to form profiles that can model normal database access behavior and identify

intruders. We consider two different scenarios while addressing the problem.

Title : Responding to Anomalous Database Requests.

Authors: A. Kamra, E. Bertino, and R.V. Nehme.

Organizations have recently shown increased interest in database activity

monitoring and anomaly detection techniques to safeguard their internal

databases. Once an anomaly is detected, a response from the database is needed

to contain the effects of the anomaly. However, the problem of issuing an

appropriate response to a detected database anomaly has received little attention

so far. In this paper[3], we propose a framework and policy language for issuing a

response to a database anomaly based on the characteristics of the anomaly. We

also propose a novel approach to dynamically change the state of the access

control system in order to contain the damage that may be caused by the

anomalous request. We have also carried out an experimental evaluation to

assess the performance overhead introduced by our response mechanism. The

experimental results show that the techniques are very efficient.

Title : Design and Implementation of SAACS: A State-Aware Access

Control System.

Authors: A. Kamra and E. Bertino.

The intrusion response component of an overall intrusion detection system

is responsible for issuing a suitable response to an anomalous request. We

propose the notion of database response policies to support our intrusion response

system tailored for a DBMS. Our interactive response policy language makes it

very easy for the database administrators to specify appropriate response actions



for different circumstances depending upon the nature of the anomalous request

[4]. The two main issues that we address in context of such response policies are

that of policy matching, and policy administration. For the policy matching problem,

we propose two algorithms that efficiently search the policy database for policies

that match an anomalous request. We also extend the PostgreSQL DBMS with our

policy matching mechanism, and report experimental results. The experimental

evaluation shows that our techniques are very efficient.

3.4 OUR TAXONOMY

Our proposed solution is to design and implement an intrusion

response system to overcome the drawbacks of the existing system. The two main

issues that we address in context of such response policies are that of policy

matching, and policy administration. For the policy matching problem, we propose

two algorithms that efficiently search the policy database for policies that match an

anomalous request. We also extend the PostgreSQL DBMS with our policy

matching mechanism, and report experimental results. The experimental

evaluation shows that our techniques are very efficient. The other issue that we

address is that of administration of response policies to prevent malicious

modifications to policy objects from legitimate users. We propose a novel Joint

Threshold Administration Model (JTAM) that is based on the principle of separation

of duty. The key idea in JTAM is that a policy object is jointly administered by at

least k database administrator (DBAs), that is, any modification made to a policy

object will be invalid unless it has been authorized by at least k DBAs. We present

design details of JTAM which is based on a cryptographic threshold signature



scheme, and show how JTAM prevents malicious modifications to policy objects

from authorized users.

The main contributions can be summarized as follows:

We present a framework for specifying intrusion response policies in the

context of a DBMS.

We present a novel administration model called JTAM for administration of

response policies.

We present algorithms to efficiently search the policy database for policies

that match an anomalous request.

We extend the PostgreSQL DBMS with our response policy mechanism,

and conduct an experimental evaluation of our techniques.

3.4.1 POLICY LANGUAGE

The detection of an anomaly by the detection engine can be considered as

a system event. The attributes of the anomaly, such as user, role, SQL command,

then correspond to the environment surrounding such an event. Intuitively, a policy

can be specified taking into account the anomaly attributes to guide the response

engine in taking a suitable action. Keeping this in mind, we propose an Event-

Condition-Action (ECA) language for specifying response policies.

3.4.1.1 Attributes and Conditions

The anomaly detection mechanism provides its assessment of the anomaly

using the anomaly attributes. We have identified two main categories for such

attributes. The first category, referred to as contextual category includes all

attributes describing the context of the anomalous request such as user, role,



source, and time. The second category, referred to as structural category includes

all attributes conveying information about the structure of the anomalous request

such as SQL command, and accessed database objects.

3.4.1.2 Response Actions

Once a database request has been flagged off as anomalous, an action is

executed by the response system to address the anomaly. The response action to

be executed is specified as part of a response policy.

3.4.2 POLICY ADMINISTRATION

The main issue in the administration of response policies is how to protect a

policy from malicious modifications made by a DBA that has legitimate access

rights to the policy object. To address this issue, we propose an administration

model referred to as the Joint Threshold Administration Model (JTAM).The threat

scenario that we assume is that a DBA has all the privileges in the DBMS, and

thus it is able to execute arbitrary SQL insert, update, and delete commands to

make malicious modifications to the policies. Such actions are possible even if the

policies are stored in the system catalogs. JTAM protects a response policy

against malicious modifications by maintaining a digital signature on the policy

definition. The signature is then validated either periodically or upon policy usage

to verify the integrity of the policy definition.

One of the key assumptions in JTAM is that we do not assume the DBMS to

be in possession of a secret key for verifying the integrity of policies. If the DBMS

had possessed such key, it could simply create a HMAC (Hashed Message

Authentication Code) of each policy using its secret key, and later use the same



key to verify the integrity of the policy. However, management of such secret key is

an issue since we cannot assume the key to be hidden from a malicious DBA. The

fundamental premise of our approach is that we do not trust a single DBA (with the

secret key) to create or manage the response policies, but the threat is mitigated if

the trust (the secret key) is distributed among multiple DBAs. This is also the

fundamental problem in threshold cryptography, that is, the problem of secure

sharing of a secret. We thus base JTAM on a threshold cryptographic signature

scheme.

3.4.3 POLICY MATCHING

We present our algorithms for finding the set of policies matching an

anomaly. Such search is executed by matching the attributes of the anomaly

assessment with the conditions in the policies.

. Policy matching is the problem of searching for policies applicable to an

anomalous request. When an anomaly is detected, the response system must

search through the policy database and find policies that match the anomaly. Our

ID mechanism is a real-time intrusion detection and response system; thus

efficiency of the policy search procedure is crucial. There are two variations of our

policy matching algorithm. The first algorithm, called the Base Policy Matching

algorithm and the second algorithm is called the Ordered Policy Matching

algorithm.



3.4.4 RESPONSE ACTION SELECTION

In the event of multiple policies matching an anomaly, we must provide for a

resolution scheme to determine the response to be issued. We propose the

following two rank-based selection options that are based on the severity level of

the response actions:

Most Severe Policy (MSP)

The severity level of a response policy is determined by the highest

severity level of its response action. This strategy selects the most severe policy

from the set of matching policies. Note that the response actions described in

Section 3.1.2 are categorized according to their severity levels. Also, in the case of

interactive ECA response policies, the severity of the policy is taken as the severity

level of the Failure Action.

Least Severe Policy (LSP)

This strategy, unlike the MSP strategy, selects the least severe policy.



4. PROBLEM IDENTIFICATION & SYSTEM

FRAMEWORK

4.1 PROBLM DEFINITION & EXAMPLE

Data represent today an important asset for companies and organizations.

Some of these data are worth millions of dollars and organizations take great care

at controlling access to these data, with respect to both internal users, within the

organization, and external users, outside the organization. Data security is also

crucial when addressing issues related to privacy of data pertaining to individuals;

companies and organizations managing such data need to provide strong

guarantees about the confidentiality of these data in order to comply with legal

regulations and policies. Overall, data security has a central role in the larger

context of information systems security. Therefore, the development of Database

Management Systems (DBMSs) with high-assurance security is a central research

issue. The development of such DBMSs requires a revision of architectures and

techniques adopted by traditional DBMS. An important component of this new

generation security-aware DBMS is an Intrusion Detection (ID) mechanism. Even

though DBMSs provide access control mechanisms, these mechanisms alone are

not enough to guarantee data security; they need to be complemented by suitable

ID mechanisms. However, despite the fact that building ID systems for networks

and operating systems has been an active area of research, few ID systems exist

that are specifically tailored to DBMS.



For example, consider that a database user/application normally access

data only from the human resources schema. Consider that such user/application

submits a SQL command to the DBMS that accesses the financial records of the

employees from the finance schema. Such anomalous access pattern of the SQL

command may be the result of a SQL Injection vulnerability or privilege abuse by

an authorized user. The key observation is that an ID system designed for a

network or an operating system is ineffective against such database specific

malicious actions.

4.2 SYSTEM FRAME WORK

Our proposed solution is to design and implement an intrusion response

system to overcome the drawbacks of the existing system. The two main issues

that we address in context of such response policies are that of policy matching,

and policy administration. For the policy matching problem, we propose two

algorithms that efficiently search the policy database for policies that match an

anomalous request. The other issue that we address is that of administration of

response policies to prevent malicious modifications to policy objects from

legitimate users. We propose a novel Joint Threshold Administration Model

(JTAM) that is based on the principle of separation of duty. The key idea in JTAM

is that a policy object is jointly administered by at least k database administrator

(DBAs), that is, any modification made to a policy object will be invalid unless it

has been authorized by at least k DBAs. We present design details of JTAM which



is based on a cryptographic threshold signature scheme, and show how JTAM

prevents malicious modifications to policy objects from authorized users.

Fig.4.1 System Frame Work



4.3 SYSTEM FLOW CHART

A flow chart is graphical tool used to describe and analyze the movement of

data through a system. The transformation of data from input to output, through

processing, may be described logically associated with the system.

Fig.4.2 System Flow Chart



4.4 SYSTEM REQUIREMENTS

4.4.1 FUNCTIONAL REQUIREMENTS

Functional requirements should include functions performed by specific

screens, outlines of work-flows performed by the system and other business or

compliance requirements the system must meet.

The functionalities in my project are:

File should be browsed.

Select the conditions for the browsed file.

Send the file to the detector.

Detector accepts the request and verifies whether it is anomaly or not.

For anomaly requests the query is not processed and the detector takes

appropriate actions.

For non-anomaly requests the query is processed and the sink is updated.

4.4.2 NON FUNCTIONAL REQUIREMENTS

The non functionalities in my project are:

ACCESSIBILITY

Accessibility can be viewed as the "ability to access" and possible benefit of

some system or entity. Accessibility is often used to focus on people with

disabilities and their right of access to the system.

PERFORMANCE

Computer performance is characterized by the amount of useful work

accomplished by a computer system compared to the time and resources used.



PORTABILITY

Portability is the software-code base feature to be able to reuse the existing

code instead of creating new code when moving software from an environment to

another.

SECURITY

Security is the degree of protection against danger, loss, and criminals.

Security has to be compared and contrasted with other related concepts: Safety,

continuity, reliability.

4.4.3 HARDWARE REQUIREMENTS

Processor : PENTIUM IV 2.6 GHz

RAM : 256Mb and above

Hard Disk : 10 GB.

Input device : Standard Keyboard and Mouse.

Output device : VGA and High Resolution Monitor.

4.4.4 SOFTWARE REQUIREMENTS

Front End : Java

Operating System : Windows

Back End : SQL Server 2005



5. SYSTEM DESIGN

5.1 DATABASE DESIGN

ENTITY RELATIONSHIP (E-R) DIAGRAM

Logical or graphical representation of data for an organization using entities,

attributes and their relationships is termed as an E-R diagram.

Entity: An entity may be defined as a thing which is recognized as being capable

of an independent existence and which can be uniquely identified.

Entity is represented by rectangle.

Relationship: A relationship captures how two or more entities are related to one

another.

or

Attributes: Entities and relationships can both have attributes. Represented with

ellipse.


http://en.wikipedia.org/wiki/Entity


E-R DIAGRAM

Fig. 5.1 E-R Diagram

TABLES

Column Name Data Type

PolicyId varchar(10)

PolicyData varchar(20)


Policy DB

Policy IdPolicy Id Policy DataPolicy Data

havehave

User Info

RoleRoleIdId

AddressAddressNameName


Table. 5.1 Policy Information

Column Name Data Type

Id varchar(10)

Role varchar(10)

Name varchar(10)

Address varchar(10)

Table. 5.2 User Details

5.2 MODULE DESCRIPTION

In this system we developed four modules for developing the system. The

modules are explained below:

Anomalous Request.

Intrusion Detection.

Protection Data Transmission.

Intrusion Response

ANOMALOUS REQUEST

Interactive response policy language makes it very easy for the database

administrators to specify appropriate response actions for different circumstances

depending upon the nature of the anomalous request. The conservative actions,

such as sending an alert, allow the anomalous request to go through, whereas the



aggressive actions can effectively block the anomalous request. Recall that a

response policy is created to select a response action to be executed in the event

of an anomalous request.

INTRUSION DETECTION

Monitoring a database to detect potential intrusions, intrusion detection (ID),

is a crucial technique that has to be part of any comprehensive security solution for

high-assurance database security. We present a framework for specifying intrusion

response policies in the context of a DBMS.

The two main issues that we address in context of such response policies are that

of policy matching, and policy administration.

Policy Matching

. Policy matching is the problem of searching for policies applicable to an




efficiency of the policy search procedure is crucial.

Policy Administration



rights to the policy object. .Propose an administration model referred to as the

JTAM. The threat scenario that we assume is that a DBA has all the privileges in

the DBMS, and thus it is able to execute arbitrary SQL insert, update, and delete

commands to make malicious modifications to the policies.



PROTECTION DATA TRANSMISSION

Data protection must deal with two general problems. First, data must be

protected from unauthorized access and tampering. This is the problem of data

security. Second, data must be protected from errors by authorized system users.

Concern for data security will take different forms in different system applications.

Individual users may be concerned with personal privacy, and wish to limit access

to private data files. Corporate organizations may seek to protect data related to

proprietary interests.

INTRUSION RESPONSE

A condition is specified on the attributes of the detected anomaly. An action

is the response action executed by the engine Our implementation of the response

system can be configured to include/exclude other user-defined anomaly

attributes. We address is that of administration of response policies to prevent

malicious modifications to policy objects from legitimate users.

5.3 UML DIAGRAMS

The UML is applicable to object-oriented problem solving. Anyone

interested in learning UML must be familiar with the underlying tenet of object-

oriented problem solving -- it all begins with the construction of a model. A model is

an abstraction of the underlying problem. The domain is the actual world from

which the problem comes.



5.3.1 USE CASE DIAGRAM

Use case Diagrams represent the functionality of the system from a user’s

point of view. Use cases are used during requirements elicitation and analysis to

represent the functionality of the system. Use cases focus on the behavior of the

system from external point of view.

Actors are external entities that interact with the system. Examples of actors

include users like administrator, bank customer …etc., or another system like

central database.



SEND FILE

INTRUDER DETECTED

BROWSE FILE

INSERT REORD

VIEW

SENDER

DETECTION DETAILS

SYSTEM

Fig.5.2 Use Case Diagram

5.3.2 SEQUENCE DIAGRAM

A sequence diagram is an interaction diagram that details how operations

are carried out -- what messages are sent and when. Sequence diagrams are

organized according to time. The time progresses as you go down the page. The



objects involved in the operation are listed from left to right according to when they

take part in the message sequence.

: SENDER : SYSTEM

BROWSE BROWSING

FILE DISPLAYED

SEND FILE SENDING

INTRUDER DETECTED

INSERT FILE INSERTING

VIEW

DISPLAYS CONTENT OF THE FILE

DETECTION DETAILS ANALYZING

PROCESSING

DISPLAYS ATTACKS AT EACH LAYER

Fig.5.3 Sequence Diagram

5.3.3 CLASS DIAGRAM

A Class diagram gives an overview of a system by showing its classes and

the relationships among them. Class diagrams are static -- they display what

interacts but not what happens when they do interact.



class Class Model

JFrame

Detector1

~ client_1: Socket~ client_2: Socket~ temp: long

+ Detector1()+ Detector2()+ Detector3()- initializeComponent() : void+ main(String[]) : void+ server() : void

JFrame

Detector2

~ client_1: Socket~ client_2: Socket- contentPane: JPanel~ dis: DataInputStream~ temp: long

- addComponent(Container, Component, int, int, int, int) : void+ Detector2()- initializeComponent() : void- jButton1_actionPerformed(ActionEvent) : void- jTabbedPane1_stateChanged(ChangeEvent) : void+ main(String[]) : void+ server() : void+ Sink2()

JFrame

Detector3

~ client_1: Socket~ client_2: Socket- jTextArea1: JTextArea~ length: int~ length1: int~ sen: String = ""~ server_1: ServerSocket~ socket_1: Socket~ temp: long

- addComponent(Container, Component, int, int, int, int) : void+ Detector3()- initializeComponent() : void- jButton1_actionPerformed(ActionEvent) : void- jTabbedPane1_stateChanged(ChangeEvent) : void+ main(String[]) : void+ server() : void

JFrame

Sink1

- contentPane: JPanel~ destination: String~ i: int = 1~ Recieved1: String~ rr: String = ""~ server_1: ServerSocket~ socket_1: Socket- transferTime: JLabel

- addComponent(Container, Component, int, int, int, int) : void- initializeComponent() : void- jButton1_actionPerformed(ActionEvent) : void- jTabbedPane1_stateChanged(ChangeEvent) : void+ main(String[]) : void+ server() : void+ Sink1()

JFrame

Sink2

- contentPane: JPanel~ destination: String~ i: int = 1- jButton1: JButton- jLabel1: JLabel- jPanel1: JPanel- jPanel2: JPanel- jScrollPane1: JScrollPane- jScrollPane2: JScrollPane- jTabbedPane1: JTabbedPane- jTextArea1: JTextArea- jTextArea2: JTextArea~ Recieved1: String~ rr: String = ""~ server_1: ServerSocket~ socket_1: Socket

- addComponent(Container, Component, int, int, int, int) : void- initializeComponent() : void- jButton1_actionPerformed(ActionEvent) : void- jTabbedPane1_stateChanged(ChangeEvent) : void+ main(String[]) : void+ server() : void+ Sink2()+ Sink3()JFrame

Sink3

- contentPane: JPanel~ destination: String~ i: int = 1- jButton1: JButton- jLabel1: JLabel- jPanel1: JPanel~ socket_1: Socket

- addComponent(Container, Component, int, int, int, int) : void- initializeComponent() : void- jButton1_actionPerformed(ActionEvent) : void- jTabbedPane1_stateChanged(ChangeEvent) : void+ main(String[]) : void+ server() : void+ Sink3()

JFrame

Source1

~ a: String ([]) = {"Select","Prob...~ b: String ([]) = {"Graph","probe...- contentPane: JPanel~ d: double~ dest1: String~ destination: String- Detect: JButton- fi lepath: JLabel

- jButton2_actionPerformed(ActionEvent) : void- jButton3_actionPerformed(ActionEvent) : void- jComboBox1_actionPerformed(ActionEvent) : void- jTextField1_actionPerformed(ActionEvent) : void+ main(String[]) : void+ paint(Graphics) : void+ sendData(String, int, String) : void+ setDest(String) : String+ Source1()+ view_actionperformed(ActionEvent) : void

Fig.5.4 Class Diagram

Our class diagram has three kinds of relationships.



association -- a relationship between instances of the two classes. There is

an association between two classes if an instance of one class must know

about the other in order to perform its work. In a diagram, an association is

a link connecting two classes.

aggregation -- an association in which one class belongs to a collection. An

aggregation has a diamond end pointing to the part containing the whole.

generalization -- an inheritance link indicating one class is a super class of

the other. A generalization has a triangle pointing to the super class.

5.3.4 ACTIVITY DIAGRAM



An activity diagram is essentially a fancy flowchart. Activity diagrams and

state chart diagrams are related. While a state chart diagram focuses attention on

an object undergoing a process (or on a process as an object), an activity diagram

focuses on the flow of activities involved in a single process. The activity diagram

shows the how those activities depend on one another.

Start

BROWSE A FILE

SEND A FILE

INTRUSION RESPONSE SYSTEM

SINK

End

YES

NO

Fig.5.5 Activity Diagram

5.4 TECHNIQUES



The following are the techniques that are used in our project to our come

the drawbacks that are arise in previous systems. They are

Policy Matching

Policy Administration

POLICY MATCHING

Policy matching is the problem of searching for policies applicable to an




efficiency of the policy search procedure is crucial.

POLICY ADMINISTRATION



rights to the policy object. .Propose an administration model referred to as the

JTAM. The threat scenario that we assume is that a DBA has all the privileges in

the DBMS, and thus it is able to execute arbitrary SQL insert, update, and delete

commands to make malicious modifications to the policies.

5.5 SYSTEM ARCHITECTURE



The system’s architecture consists of three main components: the traditional

DBMS that handles the query execution, the profile creator module for collecting

the training data and creating/maintaining the profiles, and the detection and

response mechanisms integrated with the core DBMS functionality. These

components form the new extended DBMS that is enhanced with an independent

ID system operating at the database level.

Fig.5.6 System Architecture

The flow of interactions for the IDR process is shown in Figure 5.5. During

the training phase, the SQL commands submitted to the DBMS (or read from the

audit log) are analyzed by the profile creator module to create the initial profiles of

the database users. For every SQL command under detection, the feature selector

module extracts the features from the queries in the format expected by the

detection engine. The detection engine then runs the extracted features through



the detection algorithm. If an anomaly detected, the detection mechanism submits

its assessment of the SQL command to the response engine according to a pre-

defined interface; otherwise the command information is sent to the profile creator

process for updating the profiles.

The response engine consults a policy base of existing response policies to

issue a response depending on the assessment of the query submitted by the

detection engine. Notice that the fact that a query is anomalous may not

necessarily imply an intrusion. Other information and security policies must also be

taken into account. For example, if the user logged under the role is performing

some special activities to manage an emergency, the response mechanism may

be instructed not to raise alarms in such circumstances. If the response engine

decides to raise an alarm, certain actions for handling the alarm can be taken. The

most common action is to send an alert to the security administrator. However

other actions are possible, such as log the alarm, drop the query, or even take no

action at all.

6. IMPLEMENTATION



Implementation is the stage of the project when the theoretical design is turned

out into a working system. Thus it can be considered to be the most critical stage

in achieving a successful new system and in giving the user, confidence that the

new system will work and be effective.

The implementation stage involves careful planning, investigation of the

existing system and it’s constraints on implementation, designing of methods to

achieve changeover and evaluation of changeover methods.

6.1 TECHNOLOGY USED

JAVAJava was designed to meet all the real world requirements with its key

features, which are explained in the following paragraph.

SIMPLE AND POWERFUL

Java was designed to be easy for the professional programmer to learn and

use efficiently. Java makes itself simple by not having surprising features. Since it

exposes the inner working of a machine, the programmer can perform his desired

actions without fear.

SECURE

Using Java Compatible Browser, anyone can safely download java applets

without the fear of viral infection or malicious intent. Java achieves this protection

by confining a java program to the java execution environment and by making it

inaccessible to other parts of the computer. We can download applets with

confidence that no harm will be done and no security will be breached.



PORTABLE

In java, the same mechanism that gives security also helps in portability.

Many types of computers and operating systems are in use throughout the world

and are connected to the internet. For downloading programs through different

platforms connected to the internet, some portable, executable code is needed.

Java’s answer to these problems is its well designed architecture.

OBJECT-ORIENTED

Java was designed to be source-code compatible with any other

language. Java team gave a clean, usable, realistic approach to objects. The

object model in java is simple and easy to extend, while simple types, such as

integers, are kept as high-performance non -objects.

DYNAMIC

Java programs carry with them extensive amounts of run-time information

that is used to verify and resolve accesses to objects at run-time. Using this

concept it is possible to dynamically link code. Dynamic property of java adds

strength to the applet environment, in which small fragments of byte code may be

dynamically updated on a running system.

SWING

Swing components facilitate efficient graphical user interface (GUI)

development. These components are a collection of lightweight visual

components. Swing components contain a replacement for the heavyweight



AWT components as well as complex user interface components such as

Trees and Tables.

Swing components contain a pluggable look and feel (PL & F). This

allows all applications to run with the native look and feel on different platforms.

PL & F allows applications to have the same behaviour on various platforms.

JFC contains operating system neutral look and feel. Swing components do not

contain peers. Swing components allow mixing AWT heavyweight and Swing

lightweight components in an application.

The major difference between lightweight and heavyweight

components is that lightweight components can have transparent pixels while

heavyweight components are always opaque. Lightweight components can be

non-rectangular while heavyweight components are always rectangular.

Swing components are JavaBeans compliant. This allows

components to be used easily in a Bean aware application building program.

The root of the majority of the Swing hierarchy is the JComponent class. This

class is an extension of the AWT Container class.

Swing components comprise of a large percentage of the JFC

release. The Swing component toolkit consists of over 250 pure Java classes

and 75 Interfaces contained in about 10 Packages. They are used to build

lightweight user interfaces. Swing consists of User Interface (UI) classes and

non- User Interface classes. The non-User Interface classes provide services

and other operations for the UI classes.



Swing offers a number of advantages, which include

Wide variety of Components

Pluggable Look and Feel

MVC Architecture

Keystroke Handling

Action Objects

Nested Containers

Virtual Desktops

Compound Borders

Customized Dialogues

Standard Dialog Classes

Powerful Text Manipulation

Generic Undo Capabilities

Accessibility Support

JAVA DATABASE CONNECTIVITY (JDBC)

JDBC AND ODBC IN JAVA:

Most popular and widely accepted database connectivity

called Open Database Connectivity (ODBC) is used to access the

relational databases. It offers the ability to connect to almost all the

databases on almost all platforms. Java applications can also use this

ODBC to communicate with a database. Then we need JDBC why? There

are several reasons:



ODBC API was completely written in C language and it makes an ex-

tensive use of pointers. Calls from Java to native C code have a num-

ber of drawbacks in the security, implementation, robustness and auto-

matic portability of applications.

ODBC is hard to learn. It mixes simple and advanced features to-

gether, and it has complex options even for simple queries.

ODBC drivers must be installed on client’s machine.

6.2 DATABASE

SQL SERVER

A database management, or DBMS, gives the user access to their data

and helps them transform the data into information. Such database management

systems include dBase, paradox, IMS, SQL Server and SQL Server. These

systems allow users to create, update and extract information from their database.

There are so many databases are available in the market and why I have

choose this SQL server is nothing but my project follows the client/server

architecture, so it should be execute both in the client as well as at the server side.

So for maintaining the records at the server side, and to distribute them among the

clients I have chosen this SQL server as a database for my project.

SQL Server stores each data item in its own fields. In SQL Server, the

fields relating to a particular person, thing or event are bundled together to form a

single complete unit of data, called a record (it can also be referred to as raw or an

occurrence). Each record is made up of a number of fields. No two fields in a

record can have the same field name.



During an SQL Server Database design project, the analysis of your

business needs identifies all the fields or attributes of interest. If your business

needs change over time, you define any additional fields or change the definition of

existing fields.

RELATIONAL

Sometimes all the information of interest to a business operation can be

stored in one table. SQL Server makes it very easy to link the data in multiple

tables. Matching an employee to the department in which they work is one

example. This is what makes SQL Server a relational database management

system, or RDBMS. It stores data in two or more tables and enables you to define

relationships between the tables and enables you to define relationships between

the tables. The major advantages which suits my Project are

Redundancy avoidance

Data sharing

Standards can be enforced

More Secured

Integrity can be maintained

6.3 MODULES IMPLEMENTATION

6.3.1 USER MODULE

Send request (Browse file)

Select layer types (Conditions for request)

Send the request



Insert records (DBAs’ Profiles)

View records

6.3.2 INTRUSION RESPONSE MODULE

Accepts request

Request Validation

Detector (Checks whether the request is anomaly or not)

Response (Sends appropriate messages to user based on request)

Action (Takes appropriate actions based on severity of request)

7. TESTING

The purpose of testing is to discover errors. Testing is the process of trying

to discover every conceivable fault or weakness in a work product. It provides a

way to check the functionality of components, sub assemblies, assemblies and/or

a finished product It is the process of exercising software with the intent of



ensuring that the software system meets its requirements and user expectations

and does not fail in an unacceptable manner. There are various types of test. Each

test type addresses a specific testing requirement.

7.1 SELECT TEST FACTOR

The particular module of the Project which is essential for the testing

methodologies is sorted out first. This will help the testing process to be completed

within time. The test factors for my project include encoding, verification and

decoding process.

7.1.1 DETERMINE SDLC PHASE

This phase involves the structural testing of the system which will be used

for easy implementations of the functions. Though structural testing is so much

associated with the coding phase, the structural testing should be carried out at all

the phases of the lifecycle.

7.1.2 SELECT TYPE OF TEST

For selecting the appropriate testing process the project should be

analyzed with the following three testing concepts:

STRUCTURAL TESTING

Structural analysis based test sets are tend to uncover errors that occur

during coding of the program. The properties of the test set are to reflect the

internal structure of the program. Structural testing is designed to verify that the

developed system and programs work as specified in the requirement. The

objective is to ensure that the product is designed structurally sound and will



function correctly.

FUNCTIONAL TESTING

Functional testing ensures that the requirements are properly satisfied by

the application system. The functions are those tasks that the system is designed

to accomplish. This is not concerned with how processing occurs but rather with

the results of the processing. The functional analysis based test sets tend to

uncover errors that occurred in implementing requirements or design

specifications.

SELECT TECHNIQUE

After selecting the appropriate testing methodology we have to select the

necessary testing technique such as stress testing, execution testing, recovery

testing, operation testing, compliance testing and security testing. We are

performing operation testing.

7.2 TYPES OF TESTS

7.2.1 UNIT TESTING

Unit testing involves the design of test cases that validate that the internal

program logic is functioning properly, and that program input produce valid

outputs. All decision branches and internal code flow should be validated. It is the

testing of individual software units of the application .it is done after the completion

of an individual unit before integration. This is a structural testing, that relies on

knowledge of its construction and is invasive. Unit tests perform basic tests at

component level and test a specific business process, application, and/or system

configuration. Unit tests ensure that each unique path of a business process



performs accurately to the documented specifications and contains clearly defined

inputs and expected results.

7.2.2 INTEGRATION TESTING

Integration tests are designed to test integrated software components to

determine if they actually run as one program. Testing is event driven and is more

concerned with the basic outcome of screens or fields. Integration tests

demonstrate that although the components were individually satisfaction, as shown

by successfully unit testing, the combination of components is correct and

consistent. Integration testing is specifically aimed at exposing the problems that

arise from the combination of components.

7.2.3FUNCTIONAL TESTING

Functional tests provide systematic demonstrations that functions tested are

available as specified by the business and technical requirements, system

documentation, and user manuals.

Functional testing is centered on the following items:

Valid Input : identified classes of valid input must be accepted.

Invalid Input : identified classes of invalid input must be rejected.

Functions : identified functions must be exercised.

Output : identified classes of application outputs must be

exercised.

7.2.4 SYSTEM TESTING

System testing ensures that the entire integrated software system meets

requirements. It tests a configuration to ensure known and predictable results. An



example of system testing is the configuration oriented system integration test.

System testing is based on process descriptions and flows, emphasizing pre-

driven process links and integration points.

White Box Testing

White Box Testing is a testing in which in which the software tester has

knowledge of the inner workings, structure and language of the software, or at

least its purpose. It is used to test areas that cannot be reached from a black box

level.

Black Box Testing

Black Box Testing is testing the software without any knowledge of the inner

workings, structure or language of the module being tested. Black box tests, as

most other kinds of tests, must be written from a definitive source document, such

as specification or requirements document, such as specification or requirements

document. It is a testing in which the software under test is treated, as a black

box .you cannot “see” into it. The test provides inputs and responds to outputs

without considering how the software works.

7.3 TEST REPORTS

Test Type Test case Expected value

Actual value Remarks Action

Functional Testing

Searching file

Select system path to search

System path valid ------- File browsed



the file

System path invalid

Path specification error

Enter correct system path

Structural Testing

Selecting conditions

Select Probe/R2L/U2

R

Selected probe -------- Process request

Selected Normal/DOS

Intruder detected

Sends response and shuts the system

Functional Testing

Sending fileSend browsed

file

Sending browsed file

-------- File sent to Detector

File not browsed No file detected

Alerts the user to browse the file before sending

Validation Testing

Authentication

Key shares from DBAs’

Authorized signatures

-------- Transfers the request to detector

Unauthorized signatures

No valid authentication from DBAs’

Blocks the request

System Testing

Intrusion Detecting

Accept normal request

Accepting valid request as probe/U2R/R2L

-------- Ask for authentication from DBAs’.

Sending anomaly request

Detects request as Intrusion

Leaves an alert and resend the valid



request

Validation Testing

Updating Destination database

Accepts only valid requests

data

Valid data --------- Update the destination database

Invalid data Data from detector is not accurate

Close sink

Table.7.1 Test Cases

7.4 CONCLUSIONS

All the test cases mentioned above passed successfully. No defects

encountered.

8. FUTURE ENHANCEMENT

8.1 DETECTION MECHANISM

We have presented two scenarios for the intrusion detection task in

databases. For the first scenario, when a role based access control system is in



place, we identify role intruders, that is, users that while holding a specific role,

behave in a manner that of some other role. The first limitation of our current

approach is that we assume the user to activate only one role in a session. A

possible research direction to extend the scheme is to assume multiple role

activation by a user in a session. The second limitation of our approach is that we

assume that the roles form a partitioning of the universe of database access

behavior. With this assumption, we are not able to identify users that while holding

a specific role, behave differently from that role and from any other role in the

system. One approach towards identifying such behavior is to train a one class

Support Vector Machine (SVM) with the normal role behavior SQL query features.

Then any behavior deviating from the normal role behavior learned by the SVM

classifier will be identified as anomalous. A similar approach may be adopted for

the unsupervised learning scenario for the clusters of similar SQL queries. The one

class SVM classifier, trained for every cluster, may be applied to detect SQL

queries deviating from their representative cluster.

Apart from the above mentioned research directions, the traditional issues

related to application of machine learning techniques to real-world problems are

applicable to our approach as well. Such issues include, but are not limited to, the

problem of concept drift, the problem of over fitting or under fitting the training data,

and so forth.

8.2 RESPONSE MECHANISM

The response mechanism described in this dissertation works on the basis

of pre-configured policies. The policies are based on attributes related to the



structure of a SQL query and also the context surrounding the query. In this

regard, our response mechanism may be considered to be static by its ability to

adjust. One possible research direction is to come up with more dynamic

approaches that are suitable for responding to a database intrusion.

An interactive response policy that requires a second factor of

authentication provides a second layer of defense when certain anomalous actions

are executed against critical system resources such as anomalous access to

system catalog tables. This opens the way to new research on how to organize

applications to handle such interactions for the case of legacy applications and

new applications. In the security area there is a lot work dealing with retrofitting

legacy applications for authorization policy enforcement. We believe that such

approaches can be extended to support such an interactive approach. For new

applications, one can devise methodologies to organize applications that support

such interactions. Notice that, however, because our approach is policy-based, the

database administrators have the flexibility of designing policies that best fit the

way applications are organized.

9. CONCLUSION

The response component of intrusion detection system for a DBMS is

described. The response component is responsible for issuing a suitable response

to an anomalous user request. An interactive Event-Condition-Action type

response policy language is presented that makes it very easy for the database



security administrator to specify appropriate response actions for different

circumstances depending upon the nature of the anomalous request. The two

main issues that are addressed in the context of such response policies are policy

matching, and policy administration. For the policy matching procedure, an

algorithm is described to efficiently search the policy database for policies

matching an anomalous request assessment. The other issue that is addressed is

the administration of response policies to prevent malicious modifications to policy

objects from legitimate users.

10. APPENDICES

APPENDIX - I

SOURCE CODE

Source1:



import java.awt.*;

import java.awt.event.*;

import javax.swing.*;

import java.io.*;

import java.net.*;

import java.sql.*;

public class Source1 extends JFrame

{

String fp;

Double fs;

Double tt;

Double rt;

Long ls;

JTextArea jtr;

private JLabel jLabel1;



private JLabel filesize;

private JLabel jfileSize;

private JLabel transferTime;

private JLabel jtransferTime;

private JLabel filepath;

private JLabel Jfilepath;

private JLabel readTime;

private JLabel JreadTime;

private JTextArea show;

private Long los;

private JComboBox graph;

private JButton view,insert;

long loss;

String str;



private JTextField jTextField1;

private JComboBox jComboBox1;

private JTextArea jTextArea1;

private JScrollPane jScrollPane1,jsp,jsp1,jsp2,jsp3;

private JButton jButton1;



private JPanel contentPane;

private JButton Detect;

private int lossspace;

JScrollPane js;

Object o;

String dest1;

int len;

double d;

double time;

long read;

double rd;

private String r="";

String msg="";

int flag=1;

int flag1=1;

Socket n1_client;

String destination;

int limit;

String a[]={"Select","Probe","Dos","R2L","U2R","Normal"};

int packets;

int rem;

String b[]={"Graph","probe","DOS","R2L","U2R"};

FileInputStream fis=null;

Image im;



public Source1()

{

super();

initializeComponent();

this.setVisible(true);

try{

FileInputStream f=new FileInputStream(".//Detector.txt");

while((d=f.read())!=-1)

{

r+=(char)d;

}

}catch(Exception ex){ex.printStackTrace();}

}

private void initializeComponent()

{

jLabel1 = new JLabel();



jTextField1 = new JTextField();

filesize=new JLabel();

jfileSize=new JLabel();

transferTime=new JLabel();

jtransferTime=new JLabel();

filepath=new JLabel();

Jfilepath=new JLabel();

readTime=new JLabel();

JreadTime=new JLabel();

jLabel1.setFont(new Font("Arial",Font.BOLD,15));

show=new JTextArea(70,80);

jComboBox1 = new JComboBox(a);


jTextArea1 = new JTextArea();

jScrollPane1 = new JScrollPane();

jButton1 = new JButton();



view=new JButton("View");

graph=new JComboBox(b);

insert=new JButton("Insert");

Detect=new JButton("Detection");

jtr=new JTextArea();

js=new JScrollPane();

contentPane = (JPanel)this.getContentPane();

jLabel1.setText("<html><h1>SOURCE1</h1></html>");

filepath.setText("<html>lossSpace:</h1></html>");

jLabel1.setForeground(new Color(0, 0, 102));

jLabel2.setText("<html>Layers

No</html>");

readTime.setText("<html>ReadTime:</h1></html>");

jLabel3.setText("<html>Status

Information</html>");

filesize.setBackground(new Color(255, 255, 255));

filesize.setText("<html>FileSize:</html>");

transferTime.setBackground(new Color(255,255,255));

transferTime.setText("<html>TransferTime:</html>");

jTextField1.addActionListener(new ActionListener() {

public void actionPerformed(ActionEvent e)

{

jTextField1_actionPerformed(e);

}

});

jComboBox1.addActionListener(new ActionListener() {


{

jComboBox1_actionPerformed(e);

}

});

Detect.addActionListener(new ActionListener() {


{

Detect_actionperformed(e);

}

});

jScrollPane1.setViewportView(jTextArea1);

js.setViewportView(jtr);

jButton1.setBackground(new Color(255, 255, 255));

jButton1.setText("<html>Browse</html>");

jButton1.addActionListener(new ActionListener() {


{

jButton1_actionPerformed(e);

}

});


jButton2.setText("<html>Send</html>");




{


}

});

insert.addActionListener(new ActionListener() {


{

insert_actionperformed(e);

}

});

view.addActionListener(new ActionListener() {


{

view_actionperformed(e);

}

});

jButton3.setText("Exit");



{


}

});

graph.addActionListener(new ActionListener()

{



public void actionPerformed(ActionEvent ae)

{

graph_actionPerformed(ae);

}

});

contentPane.setLayout(null);

Color colr = new Color(210,105,30);

contentPane.setBackground(colr);

jLabel1.setForeground(colr);

addComponent(contentPane, jLabel1, 158,14,136,28);



addComponent(contentPane, jTextField1, 41,80,252,20);

addComponent(contentPane, jComboBox1, 180,147,100,22);

addComponent(contentPane, jScrollPane1, 60,200,295,246);

addComponent(contentPane, jButton1, 317,78,83,28);



addComponent(contentPane,filepath,60,500,136,28);

addComponent(contentPane,Jfilepath,150,500,280,28);

addComponent(contentPane,filesize,310,500,140,28);

addComponent(contentPane,jfileSize,390,500,136,28);

addComponent(contentPane,transferTime,60,550,136,28);

addComponent(contentPane,jtransferTime,180,550,136,28);

addComponent(contentPane,readTime,310,550,136,28);

addComponent(contentPane,JreadTime,390,550,136,28);

addComponent(contentPane,insert,30,600,136,28);

addComponent(contentPane,view,80,600,136,28);

addComponent(contentPane,graph,250,600,100,28);

addComponent(contentPane,Detect,350,600,103,28);

addComponent(contentPane,jtr,350,300,400,200);



jtr.setVisible(false);

this.setTitle("Source1 - extends JFrame");

this.setLocation(new Point(66, 48));

this.setSize(new Dimension(783, 635));

}

private void addComponent(Container container,Component c,int x,int y,int

width,int height)

{

c.setBounds(x,y,width,height);

container.add(c);

}

private void jTextField1_actionPerformed(ActionEvent e)

{

System.out.println("\njTextField1_actionPerformed(ActionEvent e)

called.");

}

private void jComboBox1_actionPerformed(ActionEvent e)

{

System.out.println("\njComboBox1_actionPerformed(ActionEvent e)

called.");

o = jComboBox1.getSelectedItem();

destination=""+o;

flag=0;

}

private void jButton1_actionPerformed(ActionEvent e)

{

System.out.println("\njButton1_actionPerformed(ActionEvent e)

called.");

try



{

int b;

Long l=0L;

msg="";

FileDialog fd=new

FileDialog(this,"Open",FileDialog.LOAD);

JFileChooser jf=new JFileChooser();

int s=jf.showOpenDialog(null);

File f1=jf.getSelectedFile();

str=f1.getPath();

File f=new File(str);

long size1=f1.getTotalSpace();

long freespace=f1.getFreeSpace();

loss=size1-freespace;

FileInputStream fos=new FileInputStream(str);

long length=f.length();

int sizedata=fos.available();

int n=sizedata/4;

jTextField1.setText(str);

while((b=fos.read())!=-1)

{

msg+=(char)b;

l+=b;

}

byte by[]=new byte[fos.available()];

String sbyte=new String(by);

jTextArea1.setText("Size");

fos.read(by);

fos.close();

flag1=0;

len=msg.length();


d=len/1024;

time=d/60;

read=l/1024;

rd=read/60;

String source=jTextField1.getText();

System.out.println(""+System.currentTimeMillis());

jTextArea1.append("\n\nSource1 Address::"+source+"\n\n");

jTextArea1.append("Selected File Path "+""+fd.getDirectory()+fd.getFile()

+""+"\n\n");

jTextArea1.append("Total Size::"+len+"bytes"+"\n\n");

jTextArea1.append("Total space::"+size1+"bytes"+"\n\n");

jTextArea1.append("Total Freespace::"+freespace+"bytes"+"\n\n");

jTextArea1.append("Reading Files:"+l+"bytes"+"\n\n");

jfileSize.setText(""+d+"Kb");

Jfilepath.setText(""+loss);

JreadTime.setText(""+rd+"Sec");

}

catch (Exception ex)

{

ex.printStackTrace();

}

}

public void insert_actionperformed(ActionEvent e)

{

try

{

Class.forName("oracle.jdbc.driver.OracleDriver");

Connection

con=DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:xe","intursio

n","intursion");

Statement stm=con.createStatement();


String ss="insert into

sour1(layerports,filePath,fileSize,transferTime,readTime,lossSpace)values('"+jCom

boBox1.getSelectedItem()+"','"+str+"',"+d+","+time+","+rd+","+loss+")";

stm.executeUpdate(ss);

JOptionPane.showMessageDialog(null,"Record Inserted");

System.out.println("record inserted");

}

catch(Exception ex)

{


}

}

public void view_actionperformed(ActionEvent e)

{

addComponent(contentPane,show,280,600,236,58);

try

{

System.out.println("retrieved************");


Connection


n","intursion");


ResultSet rs=stm.executeQuery("select * from sour1");

String

tb[]={"Layers","FilePath","FileSize","TransferTime","ReadTime","LossSpace"};

String stab[][]=new String[50][50];

for(int i=0;rs.next();i++)

{

stab[i][0]=rs.getString(1);




stab[i][2]=Double.toString(rs.getDouble(3));




System.out.println("record inserted");

}

JTable jt=new JTable(stab,tb);

int v=ScrollPaneConstants.VERTICAL_SCROLLBAR_AS_NEEDED;

int h=ScrollPaneConstants.HORIZONTAL_SCROLLBAR_AS_NEEDED;

JScrollPane jsp=new JScrollPane(jt,v,h);

addComponent(contentPane,jsp,500,450,436,158);

}

catch(Exception ex)

{

}

}

public void graph_actionPerformed(ActionEvent ae)

{

Object o1=graph.getSelectedItem();

dest1=""+o1;

System.out.println("a[3]="+a[3]+"a[4]="+a[4]);

if(dest1.equalsIgnoreCase(a[1]))

{

final probe1chart demo = new probe1chart("Probe1 Layer");

demo.pack();

demo.setLocation(200,200);

demo.setVisible(true);

try

{




Connection


n","intursion");


String str="select* from sour1 where layerports='"+a[1]+"'";

ResultSet rs=stm.executeQuery(str);

String




{







}

JTable p=new JTable(stab,tb);



jsp=new JScrollPane(p,v,h);

addComponent(contentPane,jsp,500,250,436,158);

jsp1.setVisible(false);



}

catch(Exception ex)

{

}



}

else if(dest1.equalsIgnoreCase(a[2]))

{

final Doschart1 demo = new Doschart1("Dos1 Layer");

demo.pack();



try

{


Connection


n","intursion");




String




{







}






jsp1=new JScrollPane(p,v,h);

addComponent(contentPane,jsp1,500,250,436,158);

jsp.setVisible(false);



}

catch(Exception ex)

{

}

}


{

final R2Lchart1 demo = new R2Lchart1("R2L Layer");

demo.pack();



try

{


Connection


n","intursion");




String






{







}









}

catch(Exception ex)

{

}

}


{

System.out.println("U2RChart**************");

final U2Rchart1 demo = new U2Rchart1("U2R Layer");

demo.pack();



try

{




Connection


n","intursion");




String




{







}









}

catch(Exception ex)

{

}



}

}

public void paint(Graphics g)

{

g.drawImage(im, 0, 0, null);

}

private void Detect_actionperformed(ActionEvent ae)

{

try

{


Connection


n","intursion");


String sa1="select * from sour1 where layerports='"+a[1]+"'";




//Probe

ResultSet rs=stm.executeQuery(sa1);

double s6=0,s8=0,s9=0;

int i=1;

while(rs.next())

{

String s1=rs.getString(1);


double s3=rs.getDouble(3);

s6=rs.getDouble(4)+s6;

s8=rs.getDouble(5)+s8;




i++;

System.out.println("TransferTime"+r);

}

double s7=s6/i;

s9=s8/i;

System.out.println("pobe transferTime="+s7+"\t"+"ReadTime"+s9);

//Dos

rs=stm.executeQuery(sa2);

double st=0,sr=0,at,ar;

int j=1;

while(rs.next())

{




st=rs.getDouble(4)+st;

sr=rs.getDouble(5)+sr;


j++;

}

at=st/j;

ar=sr/j;

System.out.println("Dos transferTime="+at+"\t"+"ReadTime"+ar);

rs.close();

//R2L


double st1=0,sr1=0,at1,ar1;

int k=1;

while(rs.next())

{






st1=rs.getDouble(4)+st1;

sr1=rs.getDouble(5)+sr1;


k++;

}

at1=st1/k;

ar1=sr1/k;

System.out.println("R2L transferTime="+at1+"\t"+"ReadTime"+ar1);

//U2R


double st2=0,sr2=0,at2,ar2;

int l=1;

while(rs.next())

{




st2=rs.getDouble(4)+st2;

sr2=rs.getDouble(5)+sr2;


l++;

}

at2=st2/l;

ar2=sr2/l;

System.out.println("U2R transferTime="+at2+"\t"+"ReadTime"+ar2);

//rs3.close();

jtr.append("Name"+"\tAvgTransferTime"+"\t"+"AvgReadTime"+"\n");



jtr.append("======================================================

=============================\n");

jtr.append("Probe"+"\t"+(Math.abs(s7))+"\t"+""+Math.abs(s9)+"\n");

jtr.append("Dos"+"\t"+Math.abs(at)+"\t"+""+Math.abs(ar)+"\n");

jtr.append("R2L"+"\t"+Math.abs(at1)+"\t"+""+Math.abs(ar1)+"\n");

jtr.append("U2R"+"\t"+Math.abs(at2)+"\t"+""+Math.abs(ar2)+"\n");

jtr.setVisible(true);

LineChartDemo6 ld=new

LineChartDemo6("Detection",s7,s9,at,ar,at1,ar1,at2,ar2);

ld.setSize(300,300);

ld.setVisible(true);

}

catch(Exception ex)

{


}

}


{


called.");

jtransferTime.setText(""+time);

String dest;

if(flag==0)

{

if(destination.equalsIgnoreCase(a[0]))

{

JOptionPane.showMessageDialog(null,"Select the

Destination!..");

}

else if(destination.equalsIgnoreCase(a[1]))



{

JOptionPane.showMessageDialog(null,"This Is From

PROBE Layer : This transaction need authentication from 4 DBAs");

String

dba1sign=JOptionPane.showInputDialog("JTAM : Enter Threshold Signature of

DBA 1 ");

System.out.println("dba1sign : "+dba1sign);

if(dba1sign!=null&&!dba1sign.equals("")){

int dba1conform= JOptionPane.showConfirmDialog(null,"DBA

1: Is it Conformed?");

System.out.println("dba1conform : "+dba1conform);

if(dba1conform!=0){

JOptionPane.showMessageDialog(null,"JTAM : Since DBA

1 not conformed signature this transaction is failed. Response Action :

ShutDown");

System.exit(0);

}

}else{

JOptionPane.showMessageDialog(null,"JTAM : Since DBA 1

not accepted / not entered signature this transaction is failed. Response Action :

ShutDown");

System.exit(0);

}

String dba2sign=JOptionPane.showInputDialog("JTAM : Enter

Threshold Signature of DBA 2 ");






if(dba2conform!=0){





ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}








if(dba3conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}










if(dba4conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}

JOptionPane.showMessageDialog(null,"Now you can insert

details of a file into Database ");

dest=setDest(a[1]);

sendData(r,111,dest);

}


{


Dos Layer");

dest=setDest(a[2]);

int a;




}


{


R2L layer");

JOptionPane.showMessageDialog(null,"This Is From PROBE

Layer : This transaction need authentication from 4 DBAs");

String


DBA 1 ");






if(dba1conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}

String


DBA 2 ");








if(dba2conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}

String


DBA 3 ");






if(dba3conform!=0){



ShutDown");

System.exit(0);

}



}else{



ShutDown");

System.exit(0);

}








if(dba4conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}



dest=setDest(a[3]);


}




{


U2R Layer");


PROBE Layer : This transaction need authentication from 4 DBAs");

String


DBA 1 ");






if(dba1conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}










if(dba2conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}








if(dba3conform!=0){



ShutDown");

System.exit(0);

}

}else{





ShutDown");

System.exit(0);

}








if(dba4conform!=0){



ShutDown");

System.exit(0);

}

}else{



ShutDown");

System.exit(0);

}



dest=setDest(a[4]);


}


{




Normal");

dest=setDest(a[5]);


}

}

else

JOptionPane.showMessageDialog(null,"Load the File OR Select the

Destination!..");

}


{


called.");

}

public void sendData(String name,int port,String dest)

{

try

{

n1_client=new Socket(name,port);

DataOutputStream out=new

DataOutputStream(n1_client.getOutputStream());

if(out!=null)

{

out.flush();

}

int outgoing=0;

byte buffer[]=msg.getBytes();

int len=buffer.length;

int tlength=buffer.length/48;

int length11=buffer.length%48;


int len1=len;

if(length11!=0)

{

tlength++;

}

out.writeInt(tlength);

out.writeUTF(destination);

int st=0;

int end=48;

jTextArea1.append("Packet Length:"+len+"\n");

String prefinal="";

String finalst="";

if(len<=48)

{

System.out.println("smaller than 48");

finalst=prefinal+msg+"\n"+"null";

jTextArea1.append("packet\t"+(++outgoing)+"\

t"+msg+"\n");

out.writeUTF(dest+msg);

}

else

{

System.out.println("else than 48");

jTextArea1.append("Packet: "+"\t"+(++outgoing)

+"\t"+msg.substring(st,end)+"\n");

out.writeUTF(dest+msg.substring(st,end));

while(len1>48)

{

len1-=48;

if(len1<=48)

{

System.out.println("greateer than 48");

jTextArea1.append("Packet: "+"\t"+(++outgoing)

+"\t"+msg.substring(end,len)+"\n");

out.writeUTF(dest+msg.substring(end,len));

}

else

{

System.out.println("else than 48");

int sp=end+48;

jTextArea1.append("Packet: "+"\t"+

(++outgoing)+"\t"+msg.substring(end,sp)+"\n");

out.writeUTF(dest+msg.substring(end,sp));

end=sp;

}

}

}

}

catch (Exception exp)

{

exp.printStackTrace();

}

}

public String setDest(String Destname)

{

String Destinationname="";

if(Destname.equalsIgnoreCase(a[1]))

{

Destinationname="Source1-->D1";

}


else if(Destname.equalsIgnoreCase(a[2]))

{


}

else if(Destname.equalsIgnoreCase(a[3]))

{


}

else if (Destname.equalsIgnoreCase(a[4]))

{


}

else if (Destname.equalsIgnoreCase(a[5]))

{


}

return Destinationname;

}

}

Detector1

import java.awt.*;



import java.io.*;

import java.net.*;

import java.lang.*;

public class Detector1 extends JFrame

{





private JScrollPane jScrollPane1;



ServerSocket server_1;

DataOutputStream dis1;

DataOutputStream dis2;

DataInputStream dis;

Socket socket_1;

Socket client_1;

Socket client_2;

long temp;

int i=1;

int length;

int length1;

String sen="";

public Detector1()

{

super();



try

{

server_1=new ServerSocket(111);

FileInputStream f=new FileInputStream(".//Sink.txt");

while((length1=f.read())!=-1)

{

sen+=(char)length1;

}

System.out.println(sen);



}


{


}


}


{






jLabel1.setText("INTRUSION DETECTOR1");

jLabel1.setForeground(Color.white);






{


}

});


contentPane.setBackground(new Color(210,105,30));


addComponent(contentPane, jScrollPane1, 26,37,441,341);


this.setTitle("Detector1 - extends JFrame");





}


width,int height)

{


container.add(c);

}


{


called.");

}

public void server()

{

try

{

String rr="";

socket_1=server_1.accept();

dis=new

DataInputStream(socket_1.getInputStream());

int length=dis.readInt();

String destination=dis.readUTF();

if(destination.equalsIgnoreCase("probe"))

{

jTextArea1.append("\t**********************************\n");

jTextArea1.append("\tTHIS

IS FROM PORT Probe \n");



jTextArea1.append("\

t**********************************\n");

client_1=new

Socket(sen,101);

dis1=new

DataOutputStream(client_1.getOutputStream());

dis1.writeInt(length);

dis1.writeUTF(destination);

while(length>0)

{

rr=dis.readUTF();

jTextArea1.append("Packet

"+i+"\t"+rr+" Recieved...\n");

dis1=new


dis1.writeUTF(rr);

length--;

i++;

}

i=1;

}

else if (destination.equalsIgnoreCase("Dos"))

{


jTextArea1.append("\tTHIS IS

FROM PORT U2R\n");


while(length>0)

{

rr=dis.readUTF();


StringBuffer sb=new

StringBuffer(rr);

sb.delete(7,10);

jTextArea1.append("\t\tPacket

"+i+"\t"+rr.substring(4,15)+" Recieved...\n");

length--;

i++;

}

i=1;

int delay = 100; //milliseconds

Timer t=new Timer(delay,

new ActionListener() {

int count=1;

public void

actionPerformed(ActionEvent evt) {

if(count<=10)

{

ava.awt.Toolkit.getDefaultToolkit().beep();

count++;

}

else

return;

}

});

t.start();

JOptionPane.showMessageDialog(null,"Detector1:From Policy Matching :

This is an Anomalous Request :This modification to policy object is invalid");

JOptionPane.showMessageDialog(null,"Detector1:From Policy

Administration : Intursion Response System : This request should get

authentication from k authorised users ");


JOptionPane.showMessageDialog(null,"Detector1:Intursion Response

System : Taken Aggresive action i.e.Shutdown !!!!!!");

System.exit(0);

}

else if (destination.equalsIgnoreCase("DoS1"))

{ jTextArea1.append("\

t**********************************\n");

jTextArea1.append("\tTHIS

IS FROM PORT Dos1\n");


client_1=new

Socket(sen,101);

dis1=new


dis1.writeInt(length);

dis1.writeUTF(destination);

while(length>0)

{rr=dis.readUTF();

jTextArea1.append("Packet

"+i+"\t"+rr+" Recieved...\n");

dis1=new


dis1.writeUTF(rr);

length--;

i++;

}

i=1;

}

}


{




}

}

Sink1

import java.awt.*;



import javax.swing.event.*;

import java.io.*;

import java.net.*;

public class Sink1 extends JFrame

{


private JTabbedPane jTabbedPane1;





private JPanel jPanel1;

private JLabel transferTime;

private JLabel JtransferTime;



private JPanel jPanel2;

String Recieved1;

ServerSocket server_1;

Socket socket_1;

int i=1;

String destination;

String rr="";



public Sink1()

{

super();


try

{

server_1=new ServerSocket(101);

}


{


}


}


{

jLabel1=new JLabel();

jLabel1.setFont(new Font("Serief",Font.BOLD,16));

jTabbedPane1 = new JTabbedPane();





jPanel1 = new JPanel();

jTabbedPane1.setForeground(Color.white);

jTabbedPane1.setForeground(new Color(210,105,30));

transferTime=new JLabel();

JtransferTime=new JLabel();

transferTime.setText("TransferTime");





jPanel2 = new JPanel();

jLabel1.setForeground(Color.white);

jTextArea1.setText("\t**********THIS IS FROM PORT

PROBE*************\n\n");

jTextArea2.setText("\t**********THIS IS FROM PORT

DoS1**************\n\n");

jTabbedPane1.addTab("Dest1", jPanel1);

jTabbedPane1.addTab("Dest2", jPanel2);

jTabbedPane1.addChangeListener(new ChangeListener() {

public void stateChanged(ChangeEvent e)

{

jTabbedPane1_stateChanged(e);

}

});

jLabel1.setText("Sink1");




{


}

});


contentPane.setBackground(new Color(210,105,30));


addComponent(contentPane, jTabbedPane1, 21,44,473,374);


addComponent(contentPane,transferTime,50,500,193,38);

addComponent(contentPane,JtransferTime,100,500,193,38);


jPanel1.setLayout(null);



addComponent(jPanel1, jScrollPane1, 23,19,418,301);


jPanel2.setLayout(null);

addComponent(jPanel2, jScrollPane2, 22,19,416,302);

this.setTitle("Sink1 - extends JFrame");



}


width,int height)

{


container.add(c);

}

private void jTabbedPane1_stateChanged(ChangeEvent e)

{

System.out.println("\njTabbedPane1_stateChanged(ChangeEvent e)

called.");

}


{


called.");

}

public void server()

{

try

{

String rr="";

socket_1=server_1.accept();



DataInputStream dis=new

DataInputStream(socket_1.getInputStream());

int length=dis.readInt();

String destination=dis.readUTF();

while(length>0)

{

rr=dis.readUTF();

if(destination.equalsIgnoreCase("probe"))

{

jTextArea1.append("Packet "+i+"\t"+rr+" Recieved...\n");

}

else if

(destination.equalsIgnoreCase("Dos1"))

{

jTextArea2.append("Packet "+i+"\

t"+rr+" Recieved...\n");}else OptionPane.showMessageDialog(null,"No Packets

Received");

length--;

i++;

}

i=1;

}


{


}

}



APPENDIX- II

SCREEN SHOTS

Browse file: This screen is used to browse a file and send the selected request to

the Intrusion Detetor based on the leyers number type.

Screen Number: 1



Sink1: This is the destination point where the sent file is stored displayed in case

of normal request.

Screen Number: 2

Dectector1: This screen detects the request as anomaly or not and takes

appropriate actions based on the layer number type

Screen Number: 3



Display Response: Here the response is displayed that is sent by the Intrusion

Detector in case of normal request.

Screen Number: 4

Request found: Here as the request is found not anomaly the JTAM asks for

signature from remaining DB’s.

Screen Number: 5



Acceptance: Asks the DBA’s to conform their acceptance.

Screen Number: 6

Display file:Display’s the browsed file after getting acceptance from all the DBA’s.

Screen Number: 7



Destination Screen: This is the destination screen that displays the sent file via

Intrusion detector.

Screen Number: 8

Response sent: Response sent by the Intrusion Detector in case of an anomals

request is displayed.

Screen Number: 9



Response sent by system: Response sent by the system in case of not getting

acceptance from K authorized users is displayed.

Screen Number: 10

Action taken: An action is taken by the Intrusion response system

Screen Number: 11



APPENDIX- III

BASE PAPER



APPENDIX- IV

REFERENCES

[1] D. Brackney, T. Goan, A. Ott, and L. Martin, “The Cyber Enemy within ... Countering the Threat from Malicious Insiders,” Proc. Ann. Computer Security Applications Conf. (ACSAC). pp. 346-347, 2004.

[2] A. Kamra, E. Terzi, and E. Bertino, “Detecting Anomalous Access Patterns in Relational Databases,” J. Very Large DataBases (VLDB), vol. 17, no. 5, pp. 1063-1077, 2008.

[3] A. Kamra, E. Bertino, and R.V. Nehme, “Responding to Anomalous Database Requests,” Secure Data Management, pp. 50- 66, Springer, 2008.

[4] A. Kamra and E. Bertino, “Design and Implementation of SAACS: A State- Aware Access Control System,” Proc. Ann. Computer Security Applications Conf. (ACSAC), 2009.

[5] A. Conry-Murray, “The Threat from within. Network Computing(Aug. 2005),” http://www.networkcomputing.com/showArticle jhtml?articleID=166400792, July 2009.

[6] R. Mogull, “Top Five Steps to Prevent Data Loss and Information Leaks. Gartner Research (July 2006),” http://www.gartner.com, 2010.

BOOKS

[7] The Complete Reference Java J2SE, 5th Edition, Herbert Schildt, TMH.

[8] Software Engineering, Sommerville, 7th Edition.

[9] Software Testing techniques, Baris Breizer, Dreamtech, second Edition.


http://www.gartner.com/

http://www.networkcomputing.com/showArticle

030 final documentation

Documents

relational

connection

statement

resultset

make malicious

prevent malicious

enter threshold

comprehensive