1 / 20

Intrusion Detection and Containment in Database Systems

Intrusion Detection and Containment in Database Systems. Abhijit Bhosale M.Tech (IT) School of Information Technology, IIT Kharagpur. Topics. Intrusion and Intrusion Detection Intrusion Detection in Database Systems Data Mining Approach Intrusion Detection in Real-time Database Systems

satinka
Télécharger la présentation

Intrusion Detection and Containment in Database Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intrusion Detection and Containmentin Database Systems Abhijit Bhosale M.Tech (IT) School of Information Technology, IIT Kharagpur

  2. Topics • Intrusion and Intrusion Detection • Intrusion Detection in Database Systems • Data Mining Approach • Intrusion Detection in Real-time Database Systems • Misuse Detection System for Database Systems • Recovery from Malicious Transactions • Malicious Activity Recovery Transaction (MART) • Repair using Transaction Dependency Graph Intrusion Detection and Containment in Database Systems

  3. Intrusion • Intrusion: • The act of wrongfully entering upon, seizing, or taking possession of the property of another • Types of Attacks • Outsider : Can be defended using physical protection and strong network security mechanisms. • Insider : Usually Harder to defend Intrusion Detection and Containment in Database Systems

  4. Intrusion Detection • Detection Techniques • Misuse Detection • Detect know patterns of intrusions • Anomaly Detection • Suspect the anomalous behaviors Intrusion Detection and Containment in Database Systems

  5. Intrusion Detection in Databases • Under threat by insider attacks • Intruders get access to database • by employing SQL Injection to poorly coded web-based applications or • by stealing password of legitimate user • Very few existing misuse detection systems have concepts of misuse detection in database systems Intrusion Detection and Containment in Database Systems

  6. Data Mining Approach • Proposed by Yi Hu and Brajendra Panda • Uses data dependencies (access correlation) among the data items to generate association rules • The rules give dependency of read/write operations of some items on write operations of some items • Less sensitive to user behavior changes Intrusion Detection and Containment in Database Systems

  7. Data Mining Approach (cont.) • Definitions • Sequence: It’s an ordered list of read and/or write operations. E.g. <r(x), w(x),c> • Read sequence for data item x is a sequence containing w(x) preceded by all the read operations performed on different data items in the same transaction. E.g. <r(y),r(z),w(x)> • Write sequence for data item x is a sequence containing w(x) followed by all the write operations performed on different data items in the same transaction. E.g. <w(x), w(a), w(b)> • Weight of Data Dependency: It indicates to what extend a data item x depends on other data items in the red or write sequence. The rweight and wweight denote the weight of read dependency and write dependency respectively. Intrusion Detection and Containment in Database Systems

  8. Data Mining Approach (cont.) • The Methodology • Discovering Data Dependency is performed in tree steps • Sequential pattern discovery phase : Discover sequential patterns in the database log • Sequence set generation phase: Obtain read and write sequence sets. • Data dependency rules generation: Read and Write dependency rules • The transactions which don’t follow the read and write rules are marked as malicious transactions Intrusion Detection and Containment in Database Systems

  9. Example Sample Transactions Sequential Patterns mined Intrusion Detection and Containment in Database Systems

  10. Example (cont.) Data Dependency Rules Min confidence = 70% Read and Write Sequence Set Intrusion Detection and Containment in Database Systems

  11. Intrusion Detection in Real-time Database Systems • Proposed by Lee and team • Considers Real-time Databases like used for Stock Market • Definitions • Sensor Transaction: Which are responsible for updating the values of real-time data. • Temporal Data objects: values of which change with time • Sensor transactions are periodic • In every period only one sensor transaction can update temporal data • More than one transactions in a period are flagged as malicious transactions Intrusion Detection and Containment in Database Systems

  12. Misuse Detection System for Database Systems • DEMIDS - Proposed by Chung and his team • Uses audit logs to generate profiles • Profiles are used to detect the misuse behavior • Needs to be trained with normal behavior (no intrusion) Intrusion Detection and Containment in Database Systems

  13. Components of DEMIDS’s Architecture Intrusion Detection and Containment in Database Systems

  14. Recovery from Malicious Transactions • Traditional Recovery mechanisms don’t address the recovery of malicious transactions • Complete rollback and adding compensatory transactions is too time consuming. • There can be direct as well as indirectly affected transactions which need to be recovered. Intrusion Detection and Containment in Database Systems

  15. Intrusion Tolerant Database Systems • The systems, which in addition to detect the system, also perform countermeasures to the successful attacks, are called intrusion tolerant systems Intrusion Detection and Containment in Database Systems

  16. Malicious Activity Recovery Transaction (MART) • The flat transaction recovery can only remove direct effect of malicious transactions. • MART can solve this problem by nesting the flat transactions under MART. • The indirect effect can be removed by doing the roll back of the MART. Intrusion Detection and Containment in Database Systems

  17. Repair using Transaction Dependency Graph • Uses Dependency Graph of bad and suspect transaction and undo the effects of all the bad and suspect transactions • Transaction Dependency : Transaction Ti is dependent upon Tj if • Tjreads x after it’s updated by Ti • Ti does not abort before Tj reads x • Every transaction that updates x between the time Ti updates x and Tj reads x is aborted before Tj reads x. • Every source node in the DG(B) is bad transaction and every non source node is a suspect transaction. • If a good transaction is not affected by any bad transaction then than transaction need not be undone Intrusion Detection and Containment in Database Systems

  18. Repair using Transaction Dependency Graph (cont.) • Dependency Graph • Dirty Data :A data item is dirty if it’s a write set of any bad or suspect transaction. • All the dirty data items should be restored to the value they had before the first transaction in DG(B) wrote it. History log Dependency Graph Intrusion Detection and Containment in Database Systems

  19. References • Yi Hu, Brajendra Panda: A data mining approach for database intrusion detection. SAC 2004: 711-716 • Paul Ammann , Sushil Jajodia , Peng Liu, Recovery from Malicious Transactions, IEEE Transactions on Knowledge and Data Engineering, v.14 n.5, p.1167-1185, September 2002 • Lee, V. C.S., Stankovic, J. A., Son, S. H. Intrusion Detection in Real-time Database Systems Via Time Signatures. In Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium, 2000. • Chung, C., Gertz M., and Levitt, K. DEMIDS: A Misuse Detection System for Database Systems. In Third Annual IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control in Information Systems, Kluwer Academic Publishers, pages 159-178, November 1999. Intrusion Detection and Containment in Database Systems

  20. Questions Intrusion Detection and Containment in Database Systems

More Related