Intrusion Detection and Containment in Database Systems

1
Intrusion Detection and Containmentin Database
Systems

• Abhijit Bhosale
• M.Tech (IT)
• School of Information Technology,
• IIT Kharagpur

2
Topics

• Intrusion and Intrusion Detection
• Intrusion Detection in Database Systems
• Data Mining Approach
• Intrusion Detection in Real-time Database Systems
  
• Misuse Detection System for Database Systems
• Recovery from Malicious Transactions
• Malicious Activity Recovery Transaction (MART)
• Repair using Transaction Dependency Graph

3
Intrusion

• Intrusion
• The act of wrongfully entering upon, seizing, or
  taking possession of the property of another
• Types of Attacks
• Outsider Can be defended using physical
  protection and strong network security
  mechanisms.
• Insider Usually Harder to defend

4
Intrusion Detection

• Detection Techniques
• Misuse Detection
• Detect know patterns of intrusions
• Anomaly Detection
• Suspect the anomalous behaviors

5
Intrusion Detection in Databases

• Under threat by insider attacks
• Intruders get access to database
• by employing SQL Injection to poorly coded
  web-based applications or
• by stealing password of legitimate user
• Very few existing misuse detection systems have
  concepts of misuse detection in database systems

6
Data Mining Approach

• Proposed by Yi Hu and Brajendra Panda
• Uses data dependencies (access correlation) among
  the data items to generate association rules
• The rules give dependency of read/write
  operations of some items on write operations of
  some items
• Less sensitive to user behavior changes

7
Data Mining Approach (cont.)

• Definitions
• Sequence Its an ordered list of read and/or
  write operations. E.g. ltr(x), w(x),cgt
• Read sequence for data item x is a sequence
  containing w(x) preceded by all the read
  operations performed on different data items in
  the same transaction. E.g. ltr(y),r(z),w(x)gt
• Write sequence for data item x is a sequence
  containing w(x) followed by all the write
  operations performed on different data items in
  the same transaction. E.g. ltw(x), w(a), w(b)gt
• Weight of Data Dependency It indicates to what
  extend a data item x depends on other data items
  in the red or write sequence. The rweight and
  wweight denote the weight of read dependency and
  write dependency respectively.

8
Data Mining Approach (cont.)

• The Methodology
• Discovering Data Dependency is performed in tree
  steps
• Sequential pattern discovery phase Discover
  sequential patterns in the database log
• Sequence set generation phase Obtain read and
  write sequence sets.
• Data dependency rules generation Read and Write
  dependency rules
• The transactions which dont follow the read and
  write rules are marked as malicious transactions
  

9
Example
Sample Transactions
Sequential Patterns mined
10
Example (cont.)
Data Dependency Rules Min confidence 70
Read and Write Sequence Set
11
Intrusion Detection in Real-time Database Systems

• Proposed by Lee and team
• Considers Real-time Databases like used for Stock
  Market
• Definitions
• Sensor Transaction Which are responsible for
  updating the values of real-time data.
• Temporal Data objects values of which change
  with time
• Sensor transactions are periodic
• In every period only one sensor transaction can
  update temporal data
• More than one transactions in a period are
  flagged as malicious transactions

12
Misuse Detection System for Database Systems

• DEMIDS - Proposed by Chung and his team
• Uses audit logs to generate profiles
• Profiles are used to detect the misuse behavior
• Needs to be trained with normal behavior (no
  intrusion)

13
Components of DEMIDSs Architecture
14
Recovery from Malicious Transactions

• Traditional Recovery mechanisms dont address the
  recovery of malicious transactions
• Complete rollback and adding compensatory
  transactions is too time consuming.
• There can be direct as well as indirectly
  affected transactions which need to be recovered.

15
Intrusion Tolerant Database Systems

• The systems, which in addition to detect the
  system, also perform countermeasures to the
  successful attacks, are called intrusion tolerant
  systems

16
Malicious Activity Recovery Transaction (MART)

• The flat transaction recovery can only remove
  direct effect of malicious transactions.
• MART can solve this problem by nesting the flat
  transactions under MART.
• The indirect effect can be removed by doing the
  roll back of the MART.

17
Repair using Transaction Dependency Graph

• Uses Dependency Graph of bad and suspect
  transaction and undo the effects of all the bad
  and suspect transactions
• Transaction Dependency Transaction Ti is
  dependent upon Tj if
• Tj reads x after its updated by Ti
• Ti does not abort before Tj reads x
• Every transaction that updates x between the time
  Ti updates x and Tj reads x is aborted before Tj
  reads x.
• Every source node in the DG(B) is bad transaction
  and every non source node is a suspect
  transaction.
• If a good transaction is not affected by any bad
  transaction then than transaction need not be
  undone

18
Repair using Transaction Dependency Graph (cont.)

• Dependency Graph
• Dirty Data A data item is dirty if its a write
  set of any bad or suspect transaction.
• All the dirty data items should be restored to
  the value they had before the first transaction
  in DG(B) wrote it.

History log
Dependency Graph
19
References

• Yi Hu, Brajendra Panda A data mining approach
  for database intrusion detection. SAC 2004
  711-716
• Paul Ammann , Sushil Jajodia , Peng Liu, Recovery
  from Malicious Transactions, IEEE Transactions on
  Knowledge and Data Engineering, v.14 n.5,
  p.1167-1185, September 2002
• Lee, V. C.S., Stankovic, J. A., Son, S. H.
  Intrusion Detection in Real-time Database Systems
  Via Time Signatures. In Proceedings of the Sixth
  IEEE Real Time Technology and Applications
  Symposium, 2000.
• Chung, C., Gertz M., and Levitt, K. DEMIDS A
  Misuse Detection System for Database Systems. In
  Third Annual IFIP TC-11 WG 11.5 Working
  Conference on Integrity and Internal Control in
  Information Systems, Kluwer Academic Publishers,
  pages 159-178, November 1999.

20
Questions