didar: database intrusion detection with automated recovery
TRANSCRIPT
DIDAR – Database Intrusion DIDAR – Database Intrusion Detection with Automated Detection with Automated
RecoveryRecovery
Asankhaya Asankhaya SharmaSharmaGovindarajan SGovindarajan SSrivatsan VSrivatsan V
Prof. DVLN SomayajuluProf. DVLN Somayajulu
An OverviewAn Overview The objective of Intrusion Tolerant Database is The objective of Intrusion Tolerant Database is
to build a self healing system that can survive to build a self healing system that can survive attacksattacks
Detection, Isolate, Contain, Assess and RepairDetection, Isolate, Contain, Assess and Repair
What is an Intrusion?What is an Intrusion? -Malicious Transactions that spread damage-Malicious Transactions that spread damage
Intrusions can affectIntrusions can affect -Availability-Availability -Data Integrity -Data Integrity
The problem: The problem: Database Intrusion ToleranceDatabase Intrusion Tolerance
Attacks can succeed -> Attacks can succeed -> IntrusionsIntrusions Intrusions can seriously impair data Intrusions can seriously impair data
integrityintegrity and and availabilityavailability
DBMS
Authentication
SQLCommands
connect
Access control
Integrity control
Database
Handling IntrusionsHandling Intrusions Using Data Mining Techniques to classify Using Data Mining Techniques to classify
Malicious TransactionsMalicious Transactions
Two kinds of analysis techniquesTwo kinds of analysis techniques -Signature Based-Signature Based -Anomaly Based-Anomaly Based Intrusion detection works in two phasesIntrusion detection works in two phases -Learning Phase-Learning Phase -Detection Phase-Detection Phase
DIDAR AlgorithmDIDAR Algorithm Learning PhaseLearning Phase Detection PhaseDetection Phase Isolation PhaseIsolation Phase Recovery PhaseRecovery Phase Blocking PhaseBlocking Phase Data Warehousing PhaseData Warehousing Phase Data Mining PhaseData Mining Phase
The general representation of the system The general representation of the system
Learning PhaseLearning Phase Build a model of legitimate queries using supervised learning
Associate a quadruple <t,R,A,C> for each query which represents
the fingerprint of the query
where where t’ stands for the type of query (SELECT, UPDATE or DELETE)t’ stands for the type of query (SELECT, UPDATE or DELETE)
’ ’R’ stands for the number of relations in the queryR’ stands for the number of relations in the query
’ ’A’ stands for the number of Attributes in the queryA’ stands for the number of Attributes in the query
’ ’C’ stands for the number of Conditions in the queryC’ stands for the number of Conditions in the query
Learning PhaseLearning Phase For each user in the database create a user
access graph G (V, E) such that, V is the set of quadruples and E represent the access pattern of the queries in the database
Thus in learning we read all the queries Thus in learning we read all the queries executing in the database, fingerprint them executing in the database, fingerprint them and convert them into a quadruple and add a and convert them into a quadruple and add a node in the user access graph. node in the user access graph.
Learning PhaseLearning Phase
Building SQL-Query Building SQL-Query ModelsModels
Once the learning is finished the user access graph looks like something below.
<0,2,3,1>
<0,2,1,1>
<2,1,2,3> <0,2,3,2><0,2,4,3>
<1,3,1,3>
<1,2,3,2>
Detection PhaseDetection Phase Traverse the user access graph and look for a Traverse the user access graph and look for a
matching node (say u) with same quadruple. matching node (say u) with same quadruple. If such a node is not found the transaction is If such a node is not found the transaction is
labeled malicious or else proceed again with labeled malicious or else proceed again with the next transaction. the next transaction.
For the next transaction simply check all the For the next transaction simply check all the nodes ‘v’ such that there is an edge between nodes ‘v’ such that there is an edge between ‘u’ and ‘v’. This way malicious transactions ‘u’ and ‘v’. This way malicious transactions can be identifiedcan be identified
Detection PhaseDetection Phase Provide a feedback mechanism, i.e if while in the Provide a feedback mechanism, i.e if while in the
detection phase some legitimate transaction is detection phase some legitimate transaction is identified as malicious the user can give identified as malicious the user can give feedback and based on that insert a new node in feedback and based on that insert a new node in the user access graph with the quadruple the user access graph with the quadruple representing the fingerprint of the current representing the fingerprint of the current transactiontransaction
<0,2,3,1>
<0,2,1,1>
<2,1,2,3>
<0,2,3,2>
<0,2,4,3>
<1,3,1,3>
<1,2,3,2>
<2,1,2,3>
New Node
Detection PhaseDetection Phase
Security LevelsSecurity Levels LowLow Only identifies the intrusions with the Only identifies the intrusions with the
feedback mechanism.feedback mechanism.
There is no damage containment or There is no damage containment or recovery. recovery.
Allows user to formulate a proper security Allows user to formulate a proper security perimeter with all possible transactions listed perimeter with all possible transactions listed in the user access graph while also been in the user access graph while also been aware of the security.aware of the security.
Security LevelsSecurity LevelsMediumMedium Low level of security plus damage Low level of security plus damage
containment is provided.containment is provided. Damage Containment PhaseDamage Containment Phase
-T-Take a lock manually on all the tables ake a lock manually on all the tables accessed in the malicious transaction. accessed in the malicious transaction.
By taking a lock it can be ensured that By taking a lock it can be ensured that no other transaction can execute which no other transaction can execute which can read data from the infected tables can read data from the infected tables thus effectively containing the damage.thus effectively containing the damage.
The user can release the lock by The user can release the lock by rollback or commit the transaction after rollback or commit the transaction after preparing for manual recovery.preparing for manual recovery.
Security LevelsSecurity Levels HighHigh
In addition to the medium level of security, even In addition to the medium level of security, even
the recovery can be automated. the recovery can be automated. Recovery PhaseRecovery Phase
InIn automated recovery rollback the database automated recovery rollback the database to the state just before the intrusion. to the state just before the intrusion.
Create a transaction dependency graph Create a transaction dependency graph beginning from the malicious transaction. beginning from the malicious transaction.
Use this graph to redo all the benign Use this graph to redo all the benign transactions. No malicious transactions are transactions. No malicious transactions are executed and hence the database heals itself executed and hence the database heals itself to a consistent state. to a consistent state.
Security LevelsSecurity Levels
ParanoidParanoid
Block PhaseBlock Phase For every intrusion that is detected successfully For every intrusion that is detected successfully
we build a signature.we build a signature. Now for each user in the database there is a list Now for each user in the database there is a list
of signatures also associated.of signatures also associated. Use this list of signatures to directly block a Use this list of signatures to directly block a
transaction without the need to go through the transaction without the need to go through the detection phasedetection phase
How to decide the How to decide the Levels?Levels? At regular intervals (say daily) At regular intervals (say daily)
store the user access graph into a store the user access graph into a data warehouse.data warehouse.
Based on the history of intrusions Based on the history of intrusions for each user build a classifier with for each user build a classifier with the help of data mining.the help of data mining.
Specify the security level based on Specify the security level based on the attacks attempted on user the attacks attempted on user data.data.
Data Warehousing Data Warehousing PhasePhase
Data Mining PhaseData Mining Phase
Thank You !!!Thank You !!!
ReferencesReferences1.1. Pramote Luenam, Peng Liu, ThePramote Luenam, Peng Liu, The Design of an Design of an
Adaptive Intrusion Tolerant Database System, Adaptive Intrusion Tolerant Database System, Proceedings of the Foundations of Intrusion Proceedings of the Foundations of Intrusion Tolerant Systems, 2003.Tolerant Systems, 2003.
2.2. Yi Hu, Brajendra Panda, A Data Mining Approach Yi Hu, Brajendra Panda, A Data Mining Approach for Database Intrusion Detection, Proceedings of for Database Intrusion Detection, Proceedings of ACM Symposium on Applied Computing, 2004.ACM Symposium on Applied Computing, 2004.
3.3. Wai Lup LOW, Joseph LEE, Peter TEOH, DIDAFIT Wai Lup LOW, Joseph LEE, Peter TEOH, DIDAFIT detecting intrusions in databases through detecting intrusions in databases through fingerprinting transactions, Proceedings of fingerprinting transactions, Proceedings of International Conference on Enterprise International Conference on Enterprise Information Systems, 2002.Information Systems, 2002.
4.4. Bertino, E. Terzi, E. Kamra, A. Vakali, A, Intrusion Bertino, E. Terzi, E. Kamra, A. Vakali, A, Intrusion Detection in RBAC-administered Databases, Detection in RBAC-administered Databases, Proceedings of 21st Annual Computer Security Proceedings of 21st Annual Computer Security Applications Conference, 2005.Applications Conference, 2005.