
A safeguard to database intrusions
“This paper describes how the fingerprints for
database transactions can be represented and
presents an algorithm to learn and summarize
SQL statements into fingerprints.”
Learning Fingerprints for a Database Intrusion Detection
System, By Sin Yeung Lee, Wai Lup Low, and Pei Yuen
Wong. October 14-16, LNCS 2502, p. 264ff.
Prepared by Yuman Huang
Basic concepts

Database Intrusion refers to “the act of individuals
who use the database without authorisation, and
those who are authorised, but abuse their
privileges”.[1]

DIDAFIT detects database intrusions at the application
level by matching incoming transactions against the
fingerprints in the signature database.

The authors claim that the paper is the only work
using SQL transaction fingerprints or signatures to
detect database intrusions.
Architecture for DIDAFIT
Building up an accurate signature database is an
essential part of the architecture. Accurate means “free
from error”, i.e. it properly classifies SQL statements as
“legitimate” or “illegitimate”.
Comments

Criticism
It only works on a relational DB, and is based on SQL
injection in a SQL Server environment.
The security of the signature/fingerprint database has
not been considered in this paper.

Appreciation
It’s a way of protecting important database assets, for
instance our credit card numbers, at the application level.
The database administrator (DBA) plays an important role
in the learning process.
The role of a DBA
Optional:

To specify a trace log and a set of attributes with implicit
meaning as inputs to the algorithm.

To determine whether an attribute value contains implicit
meaning for operations and data sensitivity.
An attribute has “implicit meaning” when its valid values are
restricted to a small list of pre-determined values that also carry
implications for operations and data sensitivity.
Required:

To confirm the legitimacy of a produced fingerprint before it
is included in the signature database.
How DBA may affect the accuracy
If the DBA does not have enough knowledge or
experience to play his/her role, not only are business
rules overruled because of oversummarised fingerprints,
but illegitimate fingerprints are also included in the
signature database.


The accuracy of the signature database is ruined.
DIDAFIT is no longer a safeguard against database
intrusions, but a barrier to database performance.
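
A simplified illustration of the DBA's inputs and of the oversummarisation risk described above. This is an added example, not the algorithm from the paper and not DIDAFIT's code; the function names, the '?' placeholder notation, the sample tables and the choice of "status" as an implicit-meaning attribute are all assumptions made here.

```python
import re

_STR = r"'(?:[^']|'')*'"          # single-quoted SQL string literal
_NUM = r"\b\d+(?:\.\d+)?\b"       # bare numeric literal
# A literal, optionally preceded by "attr =" so the attribute name is known.
_TOKEN = re.compile(rf"(?:([a-z_]\w*)\s*=\s*)?({_STR}|{_NUM})")


def summarize(sql, implicit_attrs=frozenset()):
    """Reduce one SQL statement to a fingerprint string.

    Every literal becomes '?', except a value compared with an attribute
    listed as having implicit meaning, which stays part of the fingerprint.
    """
    # Normalise case and whitespace (this also lower-cases kept values).
    sql = " ".join(sql.strip().rstrip(";").lower().split())

    def repl(m):
        attr, literal = m.group(1), m.group(2)
        if attr is None:
            return "?"
        return f"{attr} = {literal if attr in implicit_attrs else '?'}"

    return _TOKEN.sub(repl, sql)


def learn(trace_log, implicit_attrs=frozenset(), approve=lambda fp: True):
    """Build the signature set; `approve` stands in for DBA confirmation."""
    candidates = {summarize(s, implicit_attrs) for s in trace_log}
    return {fp for fp in candidates if approve(fp)}


def is_legitimate(sql, signatures, implicit_attrs=frozenset()):
    """An incoming statement passes only if its fingerprint was learned."""
    return summarize(sql, implicit_attrs) in signatures


# Constructed trace log of legitimate application queries (sample data).
TRACE = [
    "SELECT name, price FROM items WHERE category = 'book' AND id = 17",
    "SELECT name, price FROM items WHERE category = 'toy' AND id = 230",
    "SELECT total FROM orders WHERE cust_id = 8 AND status = 'open'",
]
IMPLICIT = frozenset({"status"})   # assumed: status takes a few fixed values
strict = learn(TRACE, IMPLICIT)    # DBA named the implicit-meaning attribute
loose = learn(TRACE)               # attribute omitted: oversummarised
```

With `strict`, a query on `status = 'refunded'` is rejected because only `'open'` was seen in the trace; with `loose`, the same query is accepted because the status value was summarised away.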
Questions
Can we use an expert system to support the
learning process instead of relying on the DBA?
Is it possible to apply the principles of
DIDAFIT to an object-oriented DB or a
native XML DB?