DIDAR: Database Intrusion Detection with Automated Recovery
Download as PPT, PDF0 likes457 views
The document discusses the concept of an intrusion tolerant database system designed to detect and recover from malicious transactions, ensuring data integrity and availability. It outlines various phases of intrusion detection including learning, detection, isolation, and recovery, employing data mining techniques to identify threats. The system categorizes security levels, ranging from low to paranoid, each providing different measures for damage containment and recovery automation.
DIDAR: Database Intrusion Detection with Automated Recovery
- 1. DIDAR – Database IntrusionDIDAR – Database Intrusion Detection with AutomatedDetection with Automated RecoveryRecovery Asankhaya SharmaAsankhaya Sharma Govindarajan SGovindarajan S Srivatsan VSrivatsan V Prof. DVLN SomayajuluProf. DVLN Somayajulu
- 2. An OverviewAn Overview The objective of Intrusion Tolerant Database is toThe objective of Intrusion Tolerant Database is to build a self healing system that can survive attacksbuild a self healing system that can survive attacks Detection, Isolate, Contain, Assess and RepairDetection, Isolate, Contain, Assess and Repair What is an Intrusion?What is an Intrusion? -Malicious Transactions that spread damage-Malicious Transactions that spread damage Intrusions can affectIntrusions can affect -Availability-Availability -Data Integrity-Data Integrity
- 3. The problem:The problem: Database IntrusionDatabase Intrusion ToleranceTolerance Attacks can succeed ->Attacks can succeed -> IntrusionsIntrusions Intrusions can seriously impair dataIntrusions can seriously impair data integrityintegrity andand availabilityavailability DBMS Authentication SQL Commands connect Access control Integrity control Database
- 4. Handling IntrusionsHandling Intrusions Using Data Mining Techniques to classify MaliciousUsing Data Mining Techniques to classify Malicious TransactionsTransactions Two kinds of analysis techniquesTwo kinds of analysis techniques -Signature Based-Signature Based -Anomaly Based-Anomaly Based Intrusion detection works in two phasesIntrusion detection works in two phases -Learning Phase-Learning Phase -Detection Phase-Detection Phase
- 5. DIDAR AlgorithmDIDAR Algorithm Learning PhaseLearning Phase Detection PhaseDetection Phase Isolation PhaseIsolation Phase Recovery PhaseRecovery Phase Blocking PhaseBlocking Phase Data Warehousing PhaseData Warehousing Phase Data Mining PhaseData Mining Phase
- 6. The general representation of the systemThe general representation of the system
- 7. Learning PhaseLearning Phase Build a model of legitimate queries using supervised learning Associate a quadruple <t,R,A,C> for each query which represents the fingerprint of the query wherewhere t’ stands for the type of query (SELECT, UPDATE or DELETE)t’ stands for the type of query (SELECT, UPDATE or DELETE) ’’R’ stands for the number of relations in the queryR’ stands for the number of relations in the query ’’A’ stands for the number of Attributes in the queryA’ stands for the number of Attributes in the query ’’C’ stands for the number of Conditions in the queryC’ stands for the number of Conditions in the query
- 8. Learning PhaseLearning Phase For each user in the database create a user access graph G (V, E) such that, V is the set of quadruples and E represent the access pattern of the queries in the database Thus in learning we read all the queries executingThus in learning we read all the queries executing in the database, fingerprint them and convert themin the database, fingerprint them and convert them into a quadruple and add a node in the user accessinto a quadruple and add a node in the user access graph.graph.
- 10. Building SQL-QueryBuilding SQL-Query ModelsModels Once the learning is finished the user access graph looks like something below. <0,2,3,1> <0,2,1,1> <2,1,2,3> <0,2,3,2> <0,2,4,3> <1,3,1,3> <1,2,3,2>
- 11. Detection PhaseDetection Phase Traverse the user access graph and look for aTraverse the user access graph and look for a matching node (say u) with same quadruple.matching node (say u) with same quadruple. If such a node is not found the transaction isIf such a node is not found the transaction is labeled malicious or else proceed again with thelabeled malicious or else proceed again with the next transaction.next transaction. For the next transaction simply check all the nodesFor the next transaction simply check all the nodes ‘v’ such that there is an edge between ‘u’ and ‘v’.‘v’ such that there is an edge between ‘u’ and ‘v’. This way malicious transactions can be identifiedThis way malicious transactions can be identified
- 12. Detection PhaseDetection Phase Provide a feedback mechanism, i.e if while in theProvide a feedback mechanism, i.e if while in the detection phase some legitimate transaction isdetection phase some legitimate transaction is identified as malicious the user can give feedbackidentified as malicious the user can give feedback and based on that insert a new node in the userand based on that insert a new node in the user access graph with the quadruple representing theaccess graph with the quadruple representing the fingerprint of the current transactionfingerprint of the current transaction <0,2,3,1> <0,2,1,1> <2,1,2,3> <0,2,3,2> <0,2,4,3> <1,3,1,3> <1,2,3,2> <2,1,2,3> New Node
- 14. Security LevelsSecurity Levels LowLow Only identifies the intrusions with the feedbackOnly identifies the intrusions with the feedback mechanism.mechanism. There is no damage containment or recovery.There is no damage containment or recovery. Allows user to formulate a proper securityAllows user to formulate a proper security perimeter with all possible transactions listed in theperimeter with all possible transactions listed in the user access graph while also been aware of theuser access graph while also been aware of the security.security.
- 15. Security LevelsSecurity Levels MediumMedium Low level of security plus damage containment isLow level of security plus damage containment is provided.provided. Damage Containment PhaseDamage Containment Phase -T-Take a lock manually on all the tablesake a lock manually on all the tables accessed in the malicious transaction.accessed in the malicious transaction. By taking a lock it can be ensured that noBy taking a lock it can be ensured that no other transaction can execute which can readother transaction can execute which can read data from the infected tables thus effectivelydata from the infected tables thus effectively containing the damage.containing the damage. The user can release the lock by rollback orThe user can release the lock by rollback or commit the transaction after preparing forcommit the transaction after preparing for manual recovery.manual recovery.
- 16. Security LevelsSecurity Levels HighHigh In addition to the medium level of security, even theIn addition to the medium level of security, even the recovery can be automated.recovery can be automated. Recovery PhaseRecovery Phase InIn automated recovery rollback the database to theautomated recovery rollback the database to the state just before the intrusion.state just before the intrusion. Create a transaction dependency graph beginningCreate a transaction dependency graph beginning from the malicious transaction.from the malicious transaction. Use this graph to redo all the benign transactions.Use this graph to redo all the benign transactions. No malicious transactions are executed and henceNo malicious transactions are executed and hence the database heals itself to a consistent state.the database heals itself to a consistent state.
- 17. Security LevelsSecurity Levels ParanoidParanoid Block PhaseBlock Phase For every intrusion that is detected successfully weFor every intrusion that is detected successfully we build a signature.build a signature. Now for each user in the database there is a list ofNow for each user in the database there is a list of signatures also associated.signatures also associated. Use this list of signatures to directly block aUse this list of signatures to directly block a transaction without the need to go through thetransaction without the need to go through the detection phasedetection phase
- 18. How to decide theHow to decide the Levels?Levels? At regular intervals (say daily) storeAt regular intervals (say daily) store the user access graph into a datathe user access graph into a data warehouse.warehouse. Based on the history of intrusions forBased on the history of intrusions for each user build a classifier with theeach user build a classifier with the help of data mining.help of data mining. Specify the security level based on theSpecify the security level based on the attacks attempted on user data.attacks attempted on user data.
- 20. Data Mining PhaseData Mining Phase
- 21. Thank You !!!Thank You !!!
- 22. ReferencesReferences 1.1. Pramote Luenam, Peng Liu, ThePramote Luenam, Peng Liu, The Design of anDesign of an Adaptive Intrusion Tolerant Database System,Adaptive Intrusion Tolerant Database System, Proceedings of the Foundations of Intrusion TolerantProceedings of the Foundations of Intrusion Tolerant Systems, 2003.Systems, 2003. 2.2. Yi Hu, Brajendra Panda, A Data Mining Approach forYi Hu, Brajendra Panda, A Data Mining Approach for Database Intrusion Detection, Proceedings of ACMDatabase Intrusion Detection, Proceedings of ACM Symposium on Applied Computing, 2004.Symposium on Applied Computing, 2004. 3.3. Wai Lup LOW, Joseph LEE, Peter TEOH, DIDAFITWai Lup LOW, Joseph LEE, Peter TEOH, DIDAFIT detecting intrusions in databases through fingerprintingdetecting intrusions in databases through fingerprinting transactions, Proceedings of International Conferencetransactions, Proceedings of International Conference on Enterprise Information Systems, 2002.on Enterprise Information Systems, 2002. 4.4. Bertino, E. Terzi, E. Kamra, A. Vakali, A, IntrusionBertino, E. Terzi, E. Kamra, A. Vakali, A, Intrusion Detection in RBAC-administered Databases,Detection in RBAC-administered Databases, Proceedings of 21st Annual Computer SecurityProceedings of 21st Annual Computer Security Applications Conference, 2005.Applications Conference, 2005.