This document proposes an intrusion response system for relational databases that uses database response policies. It addresses policy matching to find policies that match anomalous requests, and policy administration to prevent malicious modifications. A novel Joint Threshold Administration Model (JTAM) is proposed, where a policy object requires authorization from at least k database administrators (DBAs) to be modified, preventing abuse by a single DBA. The system aims to restrict employee access to confidential organizational data and determine an appropriate response depending on the severity of any anomalous access attempts.
This document proposes an intrusion response system for relational databases that uses database response policies. It addresses policy matching to find policies that match anomalous requests, and policy administration to prevent malicious modifications. A novel Joint Threshold Administration Model (JTAM) is proposed, where a policy object requires authorization from at least k database administrators (DBAs) to be modified, preventing abuse by a single DBA. The system aims to restrict employee access to confidential organizational data and determine an appropriate response depending on the severity of any anomalous access attempts.
This document proposes an intrusion response system for relational databases that uses database response policies. It addresses policy matching to find policies that match anomalous requests, and policy administration to prevent malicious modifications. A novel Joint Threshold Administration Model (JTAM) is proposed, where a policy object requires authorization from at least k database administrators (DBAs) to be modified, preventing abuse by a single DBA. The system aims to restrict employee access to confidential organizational data and determine an appropriate response depending on the severity of any anomalous access attempts.
Design and Implementation of an Intrusion Response
System for Relational Databases
ABSTRACT: The intrusion response component of an overall intrusion detection system is responsible for issuing a suitable response to an anomalous request. We propose the notion of database response policies to support our intrusion response system tailored for a DBMS. Our interactive response policy language makes it very easy for the database administrators to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request. The to main issues that e address in conte!t of such response policies are that of policy matching" and policy administration. #or the policy matching problem" e search the policy database for policies that match an anomalous request. The other issue that e address is that of administration of response policies to prevent malicious modifications to policy ob$ects from legitimate users. We propose a novel %oint Threshold &dministration Model '%T&M( that is based on the principle of separation of duty. The key idea in %T&M is that a policy ob$ect is $ointly administered by at least k database administrator 'DB&s(" that is" any modification made to a policy ob$ect ill be invalid unless it has been authori)ed by at least k DB&s. We present design details of %T&M hich is based on a cryptographic threshold signature scheme" and sho ho %T&M prevents malicious modifications to policy ob$ects from authori)ed users. 'T*+ B+,OW -O.T+.T /S %0ST #O1 0.D+1ST&.D/.2 3013OS+4 The main idea behind this pro$ect is to prevent an employee of an organi)ation from accessing or modifying the confidential data of the organi)ation. /f at all an employee tries to access or modify the data then hat are the responses to be taken depending on the severity of the data. This ould be done by restricting the employees through privileges. & policy means a database table ith list of operations that can be done on it like any or all of S+,+-T or /.S+1T or 03D&T+ or D+,+T+. 3olicy matching means matching the database query entered by the employee 'like select 5 from employees( against his6her privileges" i.e. hether the employee is having permission to e!ecute that particular operation in that particular table. #or e!ample" suppose a DB& created a policy 37 on table +M3,O8++S ith accessible operations S+,+-T and another policy 39 on the same table ith accessible operations /.S+1T"03D&T+. We maintain a column called :associated policies; in the employees information table. .o suppose that a DB& has associated 37 to an employee +7.This means that +7 can no e!ecute the query S+,+-T 5 #1OM +M3,O8++S but suppose +7 tries to e!ecute query /.S+1T /.TO +M3,O8++S or 03D&T+ +M3,O8++S query then this e call as an anomalous request and an alert message ill be displayed immediately after the employee submits the query. & log file ill be sent to the DB& hich contains all the invalid attempts made by the employee. Depending on the severity of the anomalous request the DB& takes a necessary action i.e. either drop all the associated policies for that employee or issue a arning. 1efer to the later pages for more details about response actions. One important point to remember is that e assume that by default there is one DB& ho creates other DB&s and employees or users. This DB& can be assumed as central DB&. Other DB&s cannot create anymore DB&s or users. /t<s all in the hands of the central DB& .Other DB&s can only create policies" vote for the policies "associate policies to users" take response actions for an anomalous request. 3olicy &dministration means hen a DB& creates a policy say 3= then first it must be approved to be associated to employees or users. #or approval e place a voting system herein all the DB&s'including the DB& ho created the policy( vote for or against the policy i.e. either :&331O>+; or :1+%+-T;. The policy voting ill be for to days and all the votes of DB&s ho do not vote ithin those to days ill be considered as :1+%+-T; i.e. against the policy. &fter to days depending on the ma$ority of votes for or against the policy the policy ill be approved or re$ected by the system automatically respectively. #or e!ample if there are five DB&s and in that three vote for the policy and to vote against it then the policy ill be approved else re$ected vice versa. /n case of a tie in the number of votes the policy ill be re$ected.( INTRODUCTION: 1ecently" e have seen an interest in products that continuously monitor a database system and report any relevant suspicious activity. Database activity monitoring has been identified by 2artner research as one of the top five strategies that are crucial for reducing data leaks in organi)ations. Such step?up in data vigilance by organi)ations is partly driven by various 0S government regulations concerning data management such as SO@" 3-/" 2,B&" */3&&" and so forth. Organi)ations have also come to reali)e that current attack techniques are more sophisticated" organi)ed" and targeted than the broad? based hacking days of past. Often" it is the sensitive and proprietary data that is the real target of attackers. &lso" ith greater data integration" aggregation and disclosure" preventing data theft" from both inside and outside organi)ations" has become a ma$or challenge. Standard database security mechanisms" such as access control" authentication" and encryption" are not of much help hen it comes to preventing data theft from insiders Such threats have thus forced organi)ations to reevaluate security strategies for their internal databases. Monitoring a database to detect potential intrusions" intrusion detection '/D(" is a crucial technique that has to be part of any comprehensive security solution for high?assurance database security. .ote that the /D systems that are developed must be tailored for a Database Management System 'DBMS( since database?related attacks such as SA, in$ection and data e!filtration are not malicious for the underlying operating system or the netork. Eisting system: Organi)ations have also come to reali)e that current attack techniques are more sophisticated" organi)ed" and targeted than the broad?based hacking days of past. Often" it is the sensitive and proprietary data that is the real target of attackers. &lso" ith greater data integration" aggregation and disclosure" preventing data theft" from both inside and outside organi)ations" has become a ma$or challenge. Standard database security mechanisms" such as access control" authentication" and encryption" are not of much help hen it comes to preventing data theft from insiders. Such threats have thus forced organi)ations to reevaluate security strategies for their internal databases. Monitoring a database to detect potential intrusions" intrusion detection '/D(" is a crucial technique that has to be part of any comprehensive security solution for high?assurance database security. !roposed system: /D mechanism consists of to main elements" specifically tailored to a DBMS4 an anomaly detection '&D( system and an anomaly response system. The first element is based on the construction of database access profiles of roles and users" and on the use of such profiles for the &ttack. & user?request that does not conform to the normal access profiles is characteri)ed as anomalous. 3rofiles can record information of different levels of detailsB e refer the reader to for additional information and e!perimental results. The second element of our approachC the focus of this paperCis in charge of taking some actions once an anomaly is detected. There are three main types of response actions that e refer to" respectively" as conservative actions" fine?grained actions" and aggressive actions. The conservative actions" such as sending an alert" allo the anomalous request to go through" hereas the aggressive actions can effectively block the anomalous request. #ine?grained response actions" on the other hand" are neither conservative nor aggressive. Such actions may suspend or taint an anomalous request . & suspended request is simply put on hold" until some specific actions are e!ecuted by the user" such as the e!ecution of further authentication steps. & tainted request is marked as a potential suspicious request resulting in further monitoring of the user and possibly in the suspension or dropping of subsequent requests by the same user. "ODU#ES USER AD"INISTRATION $ AUT%ENTICATION The DB& is centrally responsible for DB and user maintenance. By default there is only one DB&. The DB& then creates other DB&<s and users. These users are maintained ith appropriate privileges or permissions. Only these users can login and access the database ob$ects. !O#IC& AD"INISTRATION The main issue in the administration of response policies is ho to protect a policy from malicious modifications made by a DB& that has legitimate access rights to the policy ob$ect. To address this issue" e propose an administration model referred to as the %T&M. The threat scenario that e assume is that a DB& has all the privileges in the DBMS" and thus it is able to e!ecute arbitrary SA, insert" update" and delete commands to make malicious modifications to the policies. Such actions are possible even if the policies are stored in the system catalogs.= %T&M protects a response policy against malicious modifications by maintaining a digital signature on the policy definition.. The fundamental premise of our approach is that e do not trust a single DB& 'ith the secret key( to create or manage the response policies" but the threat is mitigated if the trust 'the secret key( is distributed among multiple DB&s. +ach DB& ho floats a policy has the policy in cipher te!t. Only hen the appropriate keys as associated ith the other DB&<s are provided they unlock the cipher te!t and then place their opinion or status on the policies. Only hen a ma$ority of DB&<s approve the policy the policy can be associated ith the created users. The policy also associates ith a response action that has to be performed hen an anomaly is detected. !O#IC& ACTI'ATION Once the policy has been created" it must be authori)ed for activation by at least k ? 7 administrators after hich the DBMS changes the state of the policy to &-T/>&T+D. &n activated policy can be assigned to a user. & policy identifies the ob$ects and privileges the assigned user has on the ob$ect. Before the response policies can be used" some security parameters are registered ith the DBMS as part of a onetime registration phase. The details of the registration phase are as follos4 The parameter l is set equal to the number of DB&s registered ith the DBMS. Such requirement allos any DB& to generate a valid signature share on a policy ob$ect" thereby making our approach very fle!ible. ANO"A#& DETECTION This element is based on the construction of database access profiles of roles and users" and on the use of such 3rofiles for the &D task. & user?request that does not conform to the normal access profiles is characteri)ed as anomalous. The fundamental problem in such administration model is that of conflict?of?interest. The main issue is essentially that of insider threats" that is" ho to protect a response policy ob$ect from malicious modifications made by a database user that has legitimate access rights to the policy ob$ect. ANO"A#& RES!ONSE S&STE" This element is in charge of taking some actions once an anomaly is detected. There are three main types of response actions" that e refer to" respectively" as conservative actions" fine?grained actions" and aggressive actions. The conservative actions" such as sending an alert" allo the anomalous request to go through" hereas the aggressive actions can effectively block the anomalous request. #ine?grained response actions" on the other hand" are neither conservative nor aggressive. Such actions may suspend or taint an anomalous request. & suspended request is simply put on hold" until some specific actions are e!ecuted by the user" such as the e!ecution of further authentication steps. & tainted request is marked as a potential suspicious request resulting in further monitoring of the user and possibly in the suspension or dropping of subsequent requests by the same user. S&STE" #O( $ ACCESS IN)O This module provides the DB& ith anomalies detected and reports various activities or attempted activities made by the users. The DB& uses this to generate various reports based on hich an action or the revoke of privileges are made. CONC#USION $ )UTURE *OR+ /n this paper" e have described the response component of our intrusion detection system for a DBMS. The response component is responsible for issuing a suitable response to an anomalous user request. We proposed the notion of database response policies for specifying appropriate response actions. We presented an interactive +vent? -ondition?&ction type response policy language that makes it very easy for the database security administrator to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request. The to main issues that e addressed in the conte!t of such response policies are policy matching" and policy administration. We plan to e!tend our ork on the folloing lines. &n interactive response policy that requires a second factor of authentication ill provide a second layer of defense hen certain anomalous actions are e!ecuted against critical system resources such as anomalous access to system catalog tables. This opens the ay to ne research on ho to organi)e applications to handle such interactions for the case of legacy applications and ne applications. %ARD*ARE CON)I(URATION,"IN- The hardare used for the development of the pro$ect is4 31O-+SSO1 4 3+.T/0M /> '9.92h)( 1&M 4 D79 Mb 1&M MO./TO1 4 7D; -O,O1 *&1D D/SE 4 7F 2B Space SO)T*ARE CON)I(URATION The softare used for the development of the pro$ect is4 O3+1&T/.2 S8ST+M 4 Windos @3 3rofessional or higher +.>/1O.M+.T 4 >isual Studio ..+T 9FFG ..+T #1&M+WO1E 4 >ersion =.D ,&.20&2+ 4 >B..+T B&-E +.D 4 SA, server 9FFD RE)ERENCES H7I &. -onry?Murray" :The Threat from ithin. .etork -omputing '&ug. 9FFD("; http466.netorkcomputing.com6sho&rticle. $htmlJarticle/DK7LLMFFNO9" %uly 9FFO. H9I 1. Mogull" :Top #ive Steps to 3revent Data ,oss and /nformation ,eaks. 2artner 1esearch '%uly 9FFL("; http466.gartner.com" 9F7F. H=I M. .icolett and %. Wheatman" :Dam Technology 3rovides Monitoring and &nalytics ith ,ess Overhead. 2artner 1esearch '.ov. 9FFN("; http466.gartner.com" 9F7F. HMI 1.B. .atan" /mplementing Database Security and &uditing. Digital 3ress" 9FFD. HDI D. Brackney" T. 2oan" &. Ott" and ,. Martin" :The -yber +nemy ithin ... -ountering the Threat from Malicious /nsiders"; 3roc. &nn. -omputer Security &pplications -onf. '&-S&-(. pp. =ML?=MN" 9FFM. HLI &. Eamra" +. Ter)i" and +. Bertino" :Detecting &nomalous &ccess 3atterns in 1elational Databases"; %. >ery ,arge DataBases '>,DB(" vol. 7N" no. D" pp. 7FL=?7FNN" 9FFG. HNI &. Eamra" +. Bertino" and 1.>. .ehme" :1esponding to &nomalous Database 1equests"; Secure Data Management" pp. DF? LL" Springer" 9FFG. HGI &. Eamra and +. Bertino" :Design and /mplementation of S&&-S4 & State?&are &ccess -ontrol System"; 3roc. &nn. -omputer Security &pplications -onf. '&-S&-(" 9FFO. HOI :3ostgresql G.=. The 3ostgresql 2lobal Development 2roup"; http466.postgresql.org6" %uly 9FFG. H7FI %. Widom and S. -eri" &ctive Database Systems4 Triggers and 1ules for &dvanced Database 3rocessing. Morgan Eaufmann" 7OOD. H77I :Oracle Database -oncepts 77g 1elease 7 '77.7("; http466 donload.oracle.com6docs6cd6B9G=DOPF76server.7776b9G=7G6 datadict.htm" %uly 9FFO. H79I >. Shoup" :3ractical Threshold Signatures"; 3roc. /nt<l -onf. Theory and &pplication of -ryptographic Techniques '+01O-183T(" pp. 9FN? 99F" 9FFF. H7=I 1. 2ennaro" T. 1abin" S. %arecki" and *. Erac)yk" :1obust and +fficient Sharing of 1S& #unctions"; %. -ryptology" vol. 9F" no. =" pp. =O=?MFF" 9FFN. H7MI D. Eincaid and W. -heney" .umerical &nalysis4 Mathematics of Scientific -omputing. Brooks -ole" 9FF7. H7DI :Openpgp Message #ormat. rfc MGFF"; http466.ietf.org6rfc6 rfcMGGF.t!t" %uly 9FFO. H7LI &.%. Mene)es" 3.-. van Oorschot" and S.&. >anstone" *andbook of &pplied -ryptography. -1- 3ress" 9FF7. H7NI -.E. Eoc" :*igh?Speed 1S& /mplementation"; Technical 1eport tr?9F7" >ersion 9.F" 1S& ,aboratories" 7OOM. H7GI :Oracle Database >ault &dministrator<s 2uide 77g 1elease 7 '77.7("; http466donload.oracle.com6docs6cd6B9G=DOPF76 server.7776b=79996toc.htm" %an. 9FFO. H7OI #. #abret" #. ,lirbat" %.&. 3ereira" /. 1ocquencourt" and D. Shasha" :+fficient Matching for -ontent?Based 3ublish6Subscribe Systems"; technical report" /.1/&" 9FFF. H9FI M.E. &guilera" 1.+. Strom" D.-. Sturman" M. &stley" and T.D. -handra" :Matching +vents in a -ontent?Based Subscription System"; 3roc. Symp. 3rinciples of Distributed -omputing '3OD-(" pp. D=?L7" 7OOO.