Intrusion Detection and Containment in Database Systems
Download
Report
Transcript Intrusion Detection and Containment in Database Systems
Intrusion Detection and Containment
in Database Systems
Abhijit Bhosale
M.Tech (IT)
School of Information Technology,
IIT Kharagpur
Topics
Intrusion and Intrusion Detection
Intrusion Detection in Database Systems
Data Mining Approach
Intrusion Detection in Real-time Database Systems
Misuse Detection System for Database Systems
Recovery from Malicious Transactions
Malicious Activity Recovery Transaction (MART)
Repair using Transaction Dependency Graph
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
2
Intrusion
Intrusion:
The act of wrongfully entering upon, seizing, or taking
possession of the property of another
Types of Attacks
• Outsider : Can be defended using physical protection and
strong network security mechanisms.
• Insider : Usually Harder to defend
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
3
Intrusion Detection
Detection Techniques
Misuse Detection
• Detect know patterns of intrusions
Anomaly Detection
• Suspect the anomalous behaviors
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
4
Intrusion Detection in
Databases
Under threat by insider attacks
Intruders get access to database
by employing SQL Injection to poorly coded web-based
applications or
by stealing password of legitimate user
Very few existing misuse detection systems have
concepts of misuse detection in database
systems
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
5
Data Mining Approach
Proposed by Yi Hu and Brajendra Panda
Uses data dependencies (access correlation)
among the data items to generate association
rules
The rules give dependency of read/write
operations of some items on write operations of
some items
Less sensitive to user behavior changes
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
6
Data Mining Approach (cont.)
Definitions
Sequence: It’s an ordered list of read and/or write operations.
E.g. <r(x), w(x),c>
Read sequence for data item x is a sequence containing w(x)
preceded by all the read operations performed on different
data items in the same transaction. E.g. <r(y),r(z),w(x)>
Write sequence for data item x is a sequence containing w(x)
followed by all the write operations performed on different
data items in the same transaction. E.g. <w(x), w(a), w(b)>
Weight of Data Dependency : It indicates to what extend a
data item x depends on other data items in the red or write
sequence. The rweight and wweight denote the weight of
read dependency and write dependency respectively.
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
7
Data Mining Approach (cont.)
The Methodology
Discovering Data Dependency is performed in tree
steps
• Sequential pattern discovery phase : Discover sequential
patterns in the database log
• Sequence set generation phase: Obtain read and write
sequence sets.
• Data dependency rules generation: Read and Write
dependency rules
The transactions which don’t follow the read and write
rules are marked as malicious transactions
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
8
Example
Sample Transactions
1 Nov 2004
Sequential Patterns mined
Intrusion Detection and Containment
in Database Systems
9
Example (cont.)
Data Dependency Rules
Min confidence = 70%
Read and Write Sequence Set
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
10
Intrusion Detection in Realtime Database Systems
Proposed by Lee and team
Considers Real-time Databases like used for Stock Market
Definitions
Sensor Transaction: Which are responsible for updating the values of
real-time data.
Temporal Data objects: values of which change with time
Sensor transactions are periodic
In every period only one sensor transaction can update
temporal data
More than one transactions in a period are flagged as
malicious transactions
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
11
Misuse Detection System
for Database Systems
DEMIDS - Proposed by Chung and his team
Uses audit logs to generate profiles
Profiles are used to detect the misuse behavior
Needs to be trained with normal behavior (no
intrusion)
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
12
Components of DEMIDS’s
Architecture
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
13
Recovery from Malicious
Transactions
Traditional Recovery mechanisms don’t
address the recovery of malicious
transactions
Complete rollback and adding
compensatory transactions is too time
consuming.
There can be direct as well as indirectly
affected transactions which need to be
recovered.
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
14
Intrusion Tolerant Database
Systems
The systems, which in addition to detect the system, also
perform countermeasures to the successful attacks, are
called intrusion tolerant systems
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
15
Malicious Activity Recovery
Transaction (MART)
The flat transaction recovery can only remove direct effect
of malicious transactions.
MART can solve this problem by nesting the flat
transactions under MART.
The indirect effect can be removed by doing the roll back
of the MART.
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
16
Repair using Transaction
Dependency Graph
Uses Dependency Graph of bad and suspect transaction
and undo the effects of all the bad and suspect
transactions
Transaction Dependency : Transaction Ti is dependent
upon Tj if
Tj reads x after it’s updated by Ti
Ti does not abort before Tj reads x
Every transaction that updates x between the time Ti updates
x and Tj reads x is aborted before Tj reads x.
Every source node in the DG(B) is bad transaction and
every non source node is a suspect transaction.
If a good transaction is not affected by any bad transaction
then than transaction need not be undone
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
17
Repair using Transaction
Dependency Graph (cont.)
Dependency Graph
History log
Dependency
Graph
Dirty Data :A data item is dirty if it’s a write set
of any bad or suspect transaction.
All the dirty data items should be restored to the
value they had before the first transaction in
DG(B) wrote it.
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
18
References
Yi Hu, Brajendra Panda: A data mining approach for database intrusion
detection. SAC 2004: 711-716
Paul Ammann , Sushil Jajodia , Peng Liu, Recovery from Malicious
Transactions, IEEE Transactions on Knowledge and Data Engineering,
v.14 n.5, p.1167-1185, September 2002
Lee, V. C.S., Stankovic, J. A., Son, S. H. Intrusion Detection in Real-time
Database Systems Via Time Signatures. In Proceedings of the Sixth IEEE
Real Time Technology and Applications Symposium, 2000.
Chung, C., Gertz M., and Levitt, K. DEMIDS: A Misuse Detection System
for Database Systems. In Third Annual IFIP TC-11 WG 11.5 Working
Conference on Integrity and Internal Control in Information Systems,
Kluwer Academic Publishers, pages 159-178, November 1999.
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
19
Questions
1 Nov 2004
Intrusion Detection and Containment
in Database Systems
20