Intrusion Detection and Containment in Database Systems - PowerPoint PPT Presentation

Provided by: Abhijit4
Transcript and Presenter's Notes

1
Intrusion Detection and Containment in Database
Systems
  • Abhijit Bhosale
  • M.Tech (IT)
  • School of Information Technology,
  • IIT Kharagpur

2
Topics
  • Intrusion and Intrusion Detection
  • Intrusion Detection in Database Systems
  • Data Mining Approach
  • Intrusion Detection in Real-time Database Systems
  • Misuse Detection System for Database Systems
  • Recovery from Malicious Transactions
  • Malicious Activity Recovery Transaction (MART)
  • Repair using Transaction Dependency Graph

3
Intrusion
  • Intrusion: The act of wrongfully entering upon,
    seizing, or taking possession of the property of
    another
  • Types of Attacks
  • Outsider: Can be defended against using physical
    protection and strong network security
    mechanisms.
  • Insider: Usually harder to defend against

4
Intrusion Detection
  • Detection Techniques
  • Misuse Detection
  • Detects known patterns of intrusions
  • Anomaly Detection
  • Flags anomalous behavior as suspect

5
Intrusion Detection in Databases
  • Under threat from insider attacks
  • Intruders get access to the database
  • by employing SQL injection against poorly coded
    web-based applications, or
  • by stealing the password of a legitimate user
  • Very few existing misuse detection systems
    incorporate misuse detection concepts for
    database systems

6
Data Mining Approach
  • Proposed by Yi Hu and Brajendra Panda
  • Uses data dependencies (access correlation) among
    the data items to generate association rules
  • The rules give dependency of read/write
    operations of some items on write operations of
    some items
  • Less sensitive to user behavior changes

7
Data Mining Approach (cont.)
  • Definitions
  • Sequence: An ordered list of read and/or write
    operations. E.g. <r(x), w(x), c>
  • Read sequence for data item x is a sequence
    containing w(x) preceded by all the read
    operations performed on different data items in
    the same transaction. E.g. <r(y), r(z), w(x)>
  • Write sequence for data item x is a sequence
    containing w(x) followed by all the write
    operations performed on different data items in
    the same transaction. E.g. <w(x), w(a), w(b)>
  • Weight of Data Dependency: Indicates to what
    extent a data item x depends on other data items
    in the read or write sequence. The rweight and
    wweight denote the weight of read dependency and
    write dependency respectively.

8
Data Mining Approach (cont.)
  • The Methodology
  • Discovering data dependency is performed in three
    steps
  • Sequential pattern discovery phase: Discover
    sequential patterns in the database log
  • Sequence set generation phase: Obtain the read and
    write sequence sets
  • Data dependency rule generation phase: Derive the
    read and write dependency rules
  • The transactions which don't follow the read and
    write rules are marked as malicious transactions

9
Example
[Table: Sample Transactions]
[Table: Sequential Patterns mined]
10
Example (cont.)
[Table: Data Dependency Rules (min confidence 70)]
[Table: Read and Write Sequence Set]
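A simplified, runnable version of the read/write sequence rules and the malicious-transaction check described on slides 7-10, added here as an example; it is not the code of Hu and Panda's paper. The sample log, the rule form (a dependent item enters a rule when it appears in at least min_conf of the sequences for w(item)) and the 70% threshold taken from slide 10 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample log (not the slides' table): each transaction is an ordered
# list of operations, "r(item)", "w(item)" or "c" for commit.
LOG = [
    ["r(y)", "r(z)", "w(x)", "w(a)", "c"],
    ["r(y)", "r(z)", "w(x)", "w(a)", "c"],
    ["r(y)", "w(x)", "w(a)", "c"],
    ["r(y)", "r(z)", "w(x)", "w(a)", "w(b)", "c"],
    ["r(q)", "w(p)", "c"],
]

def sequences(txn):
    """For every w(item) in a transaction return (item, read_set, write_set):
    read_set  = items read before the write   (slide 7: read sequence)
    write_set = items written after the write (slide 7: write sequence)."""
    out = []
    for i, op in enumerate(txn):
        if op.startswith("w("):
            item = op[2:-1]
            reads = frozenset(o[2:-1] for o in txn[:i] if o.startswith("r("))
            writes = frozenset(o[2:-1] for o in txn[i + 1:] if o.startswith("w("))
            out.append((item, reads, writes))
    return out

def mine_rules(log, min_conf=0.7):
    """Return {item: (read_rule, write_rule)}. A dependent item enters a rule when
    it appears in at least min_conf of the sequences for w(item) (the confidence)."""
    w_count, r_dep, w_dep = Counter(), defaultdict(Counter), defaultdict(Counter)
    for txn in log:
        for item, reads, writes in sequences(txn):
            w_count[item] += 1
            r_dep[item].update(reads)
            w_dep[item].update(writes)
    rules = {}
    for item, n in w_count.items():
        read_rule = frozenset(d for d, c in r_dep[item].items() if c / n >= min_conf)
        write_rule = frozenset(d for d, c in w_dep[item].items() if c / n >= min_conf)
        rules[item] = (read_rule, write_rule)
    return rules

def violations(txn, rules):
    """Items whose write in txn breaks a mined rule (a required preceding read or
    following write is missing); a non-empty result marks the transaction malicious."""
    bad = []
    for item, reads, writes in sequences(txn):
        read_rule, write_rule = rules.get(item, (frozenset(), frozenset()))
        if not (read_rule <= reads and write_rule <= writes):
            bad.append(item)
    return bad
```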
11
Intrusion Detection in Real-time Database Systems
  • Proposed by Lee and team
  • Considers real-time databases such as those used
    for stock markets
  • Definitions
  • Sensor transaction: Responsible for updating the
    values of real-time data
  • Temporal data: Objects whose values change with
    time
  • Sensor transactions are periodic
  • In every period only one sensor transaction can
    update a temporal data item
  • More than one such transaction in a period is
    flagged as a malicious transaction

12
Misuse Detection System for Database Systems
  • DEMIDS - Proposed by Chung and his team
  • Uses audit logs to generate profiles
  • Profiles are used to detect the misuse behavior
  • Needs to be trained with normal behavior (no
    intrusion)

13
Components of the DEMIDS Architecture
14
Recovery from Malicious Transactions
  • Traditional recovery mechanisms don't address the
    recovery from malicious transactions
  • Complete rollback and adding compensating
    transactions is too time consuming.
  • There can be directly as well as indirectly
    affected transactions which need to be recovered.

15
Intrusion Tolerant Database Systems
  • Systems which, in addition to detecting
    intrusions, also apply countermeasures against
    successful attacks are called intrusion tolerant
    systems

16
Malicious Activity Recovery Transaction (MART)
  • The flat transaction recovery can only remove
    direct effect of malicious transactions.
  • MART can solve this problem by nesting the flat
    transactions under MART.
  • The indirect effect can be removed by doing the
    roll back of the MART.

17
Repair using Transaction Dependency Graph
  • Uses the dependency graph of bad and suspect
    transactions and undoes the effects of all the
    bad and suspect transactions
  • Transaction Dependency: Transaction Tj is
    dependent upon Ti if
  • Tj reads x after it is updated by Ti
  • Ti does not abort before Tj reads x
  • Every transaction that updates x between the time
    Ti updates x and Tj reads x is aborted before Tj
    reads x.
  • Every source node in DG(B) is a bad transaction
    and every non-source node is a suspect
    transaction.
  • If a good transaction is not affected by any bad
    transaction then that transaction need not be
    undone

18
Repair using Transaction Dependency Graph (cont.)
  • Dependency Graph
  • Dirty Data: A data item is dirty if it is in the
    write set of any bad or suspect transaction.
  • All the dirty data items should be restored to
    the value they had before the first transaction
    in DG(B) wrote them.

[Figure: History log]
[Figure: Dependency Graph]
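The dependency conditions of slide 17 and the repair plan of slide 18, worked on a constructed history log; this is an added example, not code from the slides or from Ammann, Jajodia and Liu. The log, the initial database state and the bad set B passed in are constructed for illustration, and aborts are modelled by dropping the aborting transaction's writes from each item's version stack.

```python
from collections import defaultdict
# Constructed history log (not the slides' figure): (txn, op, item, value) with op
# "r" read, "w" write or "a" abort. INITIAL is the database state before the log.
INITIAL = {"x": 0, "y": 0, "z": 0, "q": 0, "p": 5}
HISTORY = [
    ("T1", "w", "x", 10),
    ("T2", "r", "x", 10), ("T2", "w", "y", 20),
    ("T3", "r", "y", 20), ("T3", "w", "z", 30),
    ("T4", "w", "x", 11), ("T4", "a", None, None),  # aborted: no dependency on T4
    ("T5", "r", "x", 10), ("T5", "w", "q", 40),
    ("T6", "r", "p", 5),  ("T6", "w", "p", 6),       # good and unaffected
]

def replay(history, initial):
    """Walk the log keeping, per item, a stack of live (writer, value) versions; an
    abort pops that transaction's writes. Yields each read/write with the current
    writer and value just before it."""
    versions = {item: [(None, v)] for item, v in initial.items()}
    for txn, op, item, value in history:
        if op == "a":
            for stack in versions.values():
                stack[:] = [e for e in stack if e[0] != txn]
            continue
        writer, current = versions[item][-1]
        yield txn, op, item, value, writer, current
        if op == "w":
            versions[item].append((txn, value))

def dependency_graph(history, initial):
    """Edges {Ti: {Tj, ...}}: Tj read the live version of an item written by Ti, so
    Ti had not aborted and every writer in between had (slide 17's conditions)."""
    deps = defaultdict(set)
    for txn, op, _, _, writer, _ in replay(history, initial):
        if op == "r" and writer not in (None, txn):
            deps[writer].add(txn)
    return deps

def repair_plan(history, initial, bad):
    """Close DG(B) over the bad set: returns (suspect transactions, {dirty item:
    value it held before the first DG(B) write}), as slide 18 prescribes."""
    deps = dependency_graph(history, initial)
    affected, todo = set(bad), list(bad)
    while todo:
        for t in deps.get(todo.pop(), ()):
            if t not in affected:
                affected.add(t); todo.append(t)
    restore = {}
    for txn, op, item, _, _, current in replay(history, initial):
        if op == "w" and txn in affected and item not in restore:
            restore[item] = current
    return affected - set(bad), restore
```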
19
References
  • Yi Hu, Brajendra Panda. A data mining approach
    for database intrusion detection. SAC 2004,
    pp. 711-716.
  • Paul Ammann, Sushil Jajodia, Peng Liu. Recovery
    from Malicious Transactions. IEEE Transactions on
    Knowledge and Data Engineering, v.14 n.5,
    pp. 1167-1185, September 2002.
  • Lee, V. C. S., Stankovic, J. A., Son, S. H.
    Intrusion Detection in Real-time Database Systems
    Via Time Signatures. In Proceedings of the Sixth
    IEEE Real Time Technology and Applications
    Symposium, 2000.
  • Chung, C., Gertz, M., and Levitt, K. DEMIDS: A
    Misuse Detection System for Database Systems. In
    Third Annual IFIP TC-11 WG 11.5 Working
    Conference on Integrity and Internal Control in
    Information Systems, Kluwer Academic Publishers,
    pp. 159-178, November 1999.

20
Questions