INTRUSION RESPONSE SYSTEM TO AVOID ANOMALOUS REQUEST IN RDBMS

Similar documents
S. Pothumani Dept of CSE Bharath University India.

Efficient Implementation of Insider and Outsider Activity Response System for RDB

Anomaly Response System for Relational Database System Using Joint Administration Model

Graduate School ETD Form 9 (Revised 12/07) PURDUE UNIVERSITY GRADUATE SCHOOL Thesis/Dissertation Acceptance

Timestamps and authentication protocols

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

A Limitation of BAN Logic Analysis on a Man-in-the-middle Attack

Authentication Part IV NOTE: Part IV includes all of Part III!

Binary Protector: Intrusion Detection in Multitier Web Applications

Presentation by Brett Meyer

The Modified Scheme is still vulnerable to. the parallel Session Attack

Remote user authentication using public information

SECURING DISTRIBUTED ACCOUNTABILITY FOR DATA SHARING IN CLOUD COMPUTING

Double Guard: Detecting intrusions in Multitier web applications with Security

Mechanisms for Database Intrusion Detection and Response. Michael Sintim - Koree SE 521 March 6, 2013.

An Efficient Stream Cipher Using Variable Sizes of Key-Streams

Introduction. Ahmet Burak Can Hacettepe University. Information Security

INFORMATION ASSURANCE DIRECTORATE

Multivariate Correlation Analysis based detection of DOS with Tracebacking

CyberArk Privileged Threat Analytics

Reliable Broadcast Message Authentication in Wireless Sensor Networks

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

The requirements were developed with the following objectives in mind:

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

A Remote Biometric Authentication Protocol for Online Banking

Effective Intrusion Type Identification with Edit Distance for HMM-Based Anomaly Detection System

(2½ hours) Total Marks: 75

Attribute Based Encryption with Privacy Protection in Clouds

The GenCyber Program. By Chris Ralph

Buffer Overflow attack avoiding Signature free technique

C1: Define Security Requirements

Database access control, activity monitoring and real time protection

Intruders, Human Identification and Authentication, Web Authentication

Operating Systems Design Exam 3 Review: Spring Paul Krzyzanowski

Insider Threats. Nathalie Baracaldo. School of Information Sciences. March 26 th, 2015

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Web Prior Architecture to Avoid Threats and Enhance Intrusion Response System

Detecting Insider Attacks on Databases using Blockchains

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

AoT: Authentication and Access Control for the Entire IoT Device Life-Cycle

A Rule-Based Intrusion Alert Correlation System for Integrated Security Management *

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud

KALASALINGAM UNIVERSITY

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

ISeCure. The ISC Int'l Journal of Information Security. A Hybrid Approach for Database Intrusion Detection at Transaction and Inter-transaction Levels

The Password Change Phase is Still Insecure

Intrusion Detection Using Data Mining Technique (Classification)

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Building on existing security

ISSN: [Shubhangi* et al., 6(8): August, 2017] Impact Factor: 4.116

Secure Image Encryption Authentication Compression System

- Table of Contents -

Security Technologies for Dynamic Collaboration

EFFECTIVE INTRUSION DETECTION AND REDUCING SECURITY RISKS IN VIRTUAL NETWORKS (EDSV)

Certification Report

A SYSTEM FOR DETECTION AND PRVENTION OF PATH BASED DENIAL OF SERVICE ATTACK

A Simple Secure Auditing for Cloud Storage

Identity Theft Policies and Procedures

Container Based Intrusion Detection System in Multitier Web Applications

Chapter 3: User Authentication

A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Solutions Business Manager Web Application Security Assessment

Secure Role-Based Access Control on Encrypted Data in Cloud Storage using ARM

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Web Application Firewall Subscription on Cyberoam UTM appliances

Effective Cluster Based Certificate Revocation with Vindication Capability in MANETS Project Report

Cryptography V: Digital Signatures

Network Security Issues and Cryptography

19.1. Security must consider external environment of the system, and protect it from:

Signature Amortization Using Multiple Connected Chains

Protection and Security

Using Commutative Encryption to Share a Secret

An Autonomic Framework for Integrating Security and Quality of Service Support in Databases

Cryptography V: Digital Signatures

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

ENCRYPTED DATABASE INTEGRITY IN DATABASE SERVICE PROVIDER MODEL

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Chapter 15: Security. Operating System Concepts 8 th Edition,

Application of ESA in the CAVE Mode Authentication

Understanding Cisco Cybersecurity Fundamentals

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

Oracle Database Auditing

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Handling Web and Database Requests Using Fuzzy Rules for Anomaly Intrusion Detection

Category: Informational March Methods for Avoiding the "Small-Subgroup" Attacks on the Diffie-Hellman Key Agreement Method for S/MIME

Post-Class Quiz: Access Control Domain

Chapter 9. Firewalls

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

CSE 565 Computer Security Fall 2018

White Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

RSA INCIDENT RESPONSE SERVICES

Web Security Vulnerabilities: Challenges and Solutions

Top-Down Network Design

Authenticated Key Agreement without Subgroup Element Verification

NEW MODIFIED LEFT-TO-RIGHT RADIX-R REPRESENTATION FOR INTEGERS. Arash Eghdamian 1*, Azman Samsudin 1

Transcription:

Vol.2, Issue.1, Jan-Feb 2012 pp-412-416 ISSN: 2249-6645 INTRUSION RESPONSE SYSTEM TO AVOID ANOMALOUS REQUEST IN RDBMS Akila.L 1, Mrs.DeviSelvam 2 1 II M.E CSE,Sri shakthi Institute Of Engineering and Technology,Anna University,Coimbatore 2 Asst.prof CSE,Sri shakthi Institute Of Engineering and Technology,Anna University,Coimbatore Abstract: The intrusion response component of an overall intrusion detection system is responsible for issuing a suitable response to an anomalous request. In the existing system, Intrusion Detection mechanism consists of two main elements, specifically tailored to a DBMS: anomaly detection (AD) system and an anomaly response system. In anomaly response system conservative actions, fine-grained actions, and aggressive actions methods are used. The proposed system mainly concentrates on response policies by using policy matching and policy administration. For the policy matching problem, we propose two algorithms that efficiently search the policy database for policies that match an anomalous request. We also extend the PostgreSQL DBMS with our policy matching mechanism, and report experimental results. The other issue that we address is that of administration of response policies to prevent malicious modifications to policy objects from legitimate users. We propose a novel Joint Threshold Administration Model (JTAM) that is based on the principle of separation of duty. The key idea in JTAM is that a policy object is jointly administered by at least k database administrator (DBAs), that is, any modification made to a policy object will be invalid unless it has been authorized by at least k DBAs out of L. We present design details of JTAM which is based on a cryptographic threshold signature scheme, and show how JTAM prevents malicious modifications to policy objects from authorized users. Index Terms: PostgreSQL DBMS, Joint Threshold Administration Model, Threshold signatures. I. INTRODUCTION Our approach to an ID mechanism consists of two main elements, specifically tailored to a DBMS: an anomalydetection (AD) system and an anomaly response system.the first element is based on the construction of databaseaccess profiles of roles and users, and on the use of such profiles for theadtask.auser-request that does not conform to the normal access profiles is characterized as anomalous. Profiles can record information of different levels of details;we refer the reader to for additional information and experimental results. The second element of our approach the focus of this paper is in charge of taking some actions once an anomaly is detected. There are three main types of response actions that we refer to, respectively, as conservative actions, fine-grained actions, and aggressive actions. The conservative actions, such as sending an alert, allow the anomalous request to go through, whereas the aggressive actions can effectively block the anomalous request. Fine-grained response actions, on the other hand, are neither conservative nor aggressive. Such actions may suspend or taint an anomalous request. A suspended request is simply put on hold, until some specific actions are executed by the user, such as the execution of further authentication steps. A tainted request is marked as a potential suspicious request resulting in further monitoring of the user and possibly in the suspension or dropping of subsequent requests by the same user. The two main issues that we address in the context of such response policies are that of policy matching and policy administration. Policy matching is the problem of searching for policies applicable to an anomalous request. When an anomaly is detected, the response system must search through the policy database and find policies that match the anomaly. Our ID mechanism is a real-time intrusion detection and response system; thus efficiency of the policy search procedure is crucial. In Section 4, we present two efficient algorithms that take as input the anomalous request details[4], and search through the policy database to find the matching policies. We implement our policy matching scheme in the PostgreSQL DBMS [7], and discuss relevant implementation issues. We also report experimental results that show that our techniques are very efficient. II.AN OVERVIEW OF RELATED WORK Administration model is based on the well known security principle of separation of duties (SoD). SoD is a principle whereby multiple users are required in order to complete a given task. As a security principle, the primary objective of SoD is prevention of fraud (insider threats), and user generated errors. Such objective is traditionally achieved by dividing the task and its associated privileges among multiple users. 412 P a g e

Vol.2, Issue.1, Jan-Feb 2012 pp-412-416 ISSN: 2249-6645 However, the approach of using privilege 1. We present a framework for specifying dissemination is not applicable to our case as we assume intrusion response policies in the context of a DBMS. the DBAs to possess all possible privileges in the DBMS. 2. We present a novel administration model called Our approach instead applies the technique of threshold JTAM for administration of response policies. cryptography signatures to achieve SoD. A DBA 3. We present algorithms to efficiently search the policy authorizes a policy operation, such as create or drop, by database for policies that match an anomalous request. submitting a signature share on the policy. At least k 4. We extend the PostgreSQL DBMS with our response signature shares are required to form a valid final signature policy mechanism, and conduct an experimental on a policy, where k is a threshold parameter defined for evaluation of our techniques. each policy at the time of policy creation. The final signature is then validated either periodically or upon policy usage to detect any malicious modifications to the policies. The key idea in our approach is that a policy operation is invalid unless it has been authorized by at least k DBAs. We thus refer to our administration model as the Joint Threshold Administration Model (JTAM) for managing response policy objects. To the best of our knowledge, ours is the only work proposing such administration model in the context of management of DBMS objects. The three main advantages of JTAM are as follows: First, it requires no changes to the existing access control mechanisms of a DBMS for achieving SoD. Second, the final signature on a policy is nonrepudiable, thus making the DBAs accountable for authorizing a policy operation. Third, and probably the most important, JTAM allows an organization to utilize existing manpower resources to address the problem of insider threats since it is no longer required to employ additional users as policy administrators. III. CREATION OF INTRUSION RESPONSE SYSTEM The main contributions of this paper can be summarized as follows: In this section, we describe the signature share generation, the signature share combining, and the final signature verification operations, in the context of the administrative lifecycle of a response policy object. The steps in the lifecycle of a policy object are policy creation, activation, suspension, alteration, and deletion. The lifecycle is shown in Fig. 1 using a policy state transition diagram. The initial state of a policy object after policy creation is CREATED. After the policy has been authorized by k _ 1 administrators, the policy state is changed to ACTIVATED. A policy in an ACTIVATED state is operational, that is, it is considered by the policy matching procedure in its search for matching policies. If a policy needs to be altered, dropped or made nonoperational, it must be moved to the SUSPENDED state. The transition from the ACTIVATED state to the SUSPENDED state must also be authorized by k _ 1 administrators, before which the policy is in the SUSPEND IN-PROGRESS state. Note that a policy in the SUSPEND IN-PROGRESS state is also considered to be operational. From the SUSPENDED state, a policy can be either moved back to the CREATED state or it can be moved to the DROPPED state. A single administrator can move a policy to the CREATED state from the SUSPENDED state, while a policy drop operation must be authorized by k _ 1 administrators (before which the policy is in the DROP IN-PROGRESS state). We begin our detailed discussion of a policy object s lifecycle with the policy creation procedure. OVERALL PROCESS OF INTRUSION RESPONSE SYSTEM Fig.1. Policy state transition diagram. Fig.2.Flow of process 413 P a g e

Vol.2, Issue.1, Jan-Feb 2012 pp-412-416 ISSN: 2249-6645 Client requests to the server for performing their JTAM is that we do not assume the DBMS to be operations in the database. For that, the server does the in possession of a secret key for verifying the integrity of following policy methods like policy administration, policies. If the DBMS had possessed such key, it could policy authorization to find whether the client is intruder or simply create a HMAC (Hashed Message Authentication not. After performing the policy methods, the server Code) of each policy using its secret key, and later use the responds to the client. By the way the intruders are found. same key to verify the integrity of the policy. The working principle of each components in the fig.2 are explained below, A.SERVER We address in the context of such response policies are that of policy matching and policy Administration when an anomaly is detected, the response system must search through the policy database and find policies that match the anomaly. Our ID mechanism is a real-time intrusion detection and response system; thus efficiency of the policy search procedure is crucial. C.POLICY AUTHORIZATION The detection of an anomaly by the detection engine can be considered as a system event. The attributes of the anomaly, such as user, role, SQL command, then correspond to the environment surrounding such an event. Intuitively, a policy can be specified taking into account the anomaly attributes to guide the response engine in taking a suitable action. Keeping this in mind, we propose an Event- Condition-Action (ECA) language for specifying response policies[1]. The second issue that we address is that of administration of response policies. Intuitively, a response policy can be considered as a regular database object such as a table or a view. Privileges, such as create policy and drop policy that are specific to a policy object type can be defined to administer policies. However, a response policy object presents a different set of challenges than other database object types. Interactive response policy language makes it very easy for the database administrators to specify appropriate response actions for different circumstances depending upon the nature of the anomalous request. The two main issues that we address in context of such response policies are that of policy matching, and policy administration. An anomaly detection (AD) system and an anomaly response system. The first element is based on the construction of database access profiles of roles and users, and on the use of such profiles for the AD task. A user request that does not conform to the normal access profiles is characterized as anomalous. Profiles can record information of different levels of details; we refer the reader to for additional information and experimental results. B.POLICY ADMINISTRATION An administration model referred to as the JTAM. The threat scenario that we assume is that a DBA has all the privileges in the DBMS, and thus it is able to execute arbitrary SQL insert, update, and delete commands to make malicious modifications to the policies. Such actions are possible even if the policies are stored in the system catalogs.3 JTAM protects a response policy against malicious modifications by maintaining a digital signature on the policy definition. The signature is then validated either periodically or upon policy usage to verify the integrity of the policy definition. A DBA authorizes a policy operation, such as create or drop, by submitting a signature share on the policy. At least k signature shares are required to form a valid final signature on a policy, where k is a threshold parameter defined for each policy at the time of policy creation. The final signature is then validated either periodically or upon policy usage to detect any malicious modifications to the policies. The key idea in our approach is that a policy operation is invalid unless it has been authorized by at least k DBAs. We thus refer to our administration model as the Joint Threshold Administration Model (JTAM) for managing response policy objects[3]. It requires no changes to the existing access control mechanisms of a DBMS for achieving SoD. Second, the final signature on a policy is non reputable, thus making the DBAs accountable for authorizing a policy operation. Third, and probably the most important, JTAM allows an organization to utilize existing manpower resources to address the problem of insider threats since it is no longer required to employ additional users as policy administrators. Once a database request has been flagged off as anomalous, an action is executed by the response system to address the anomaly. The response action to be executed is specified as part of a response policy. Such actions may log the anomaly details or send an alert, but they do not proactively prevent an intrusion. Aggressive actions, on the other hand, are high severity responses. Such actions are capable of preventing an intrusion proactively by dropping the request, disconnecting the user or revoking/denying the necessary privileges. Signature We describe the signature share generation, the signature share combining, and the final signature verification operations, in the context of the administrative 414 P a g e

Vol.2, Issue.1, Jan-Feb 2012 pp-412-416 ISSN: 2249-6645 lifecycle of a response policy object. The steps in the Interestingly, the number of predicates skipped in both the lifecycle of a policy object are policy creation, activation, algorithms is almost same. suspension, alteration, and deletion[8]. Thus, counter-intuitively, the ordered policy It is possible for a malicious administrator to matching algorithm does not lead to a decrease in the replace a valid signature share with some other signature number of predicate evaluations. In fact, for larger number share that is generated on a different policy definition. of predicates, the policy matching overhead of the ordered However, such attack will fail as the final signature that is predicate algorithm is higher than that of the base policy produced by the signature share combining algorithm will matching algorithm. not be valid. Note that by submitting an invalid signature share, a malicious administrator can block the creation of a valid policy. We do not see this as a major problem since the threat scenario that we address is malicious modifications to existing policies, and not generation of policies themselves. D.CLIENT Often clients and servers communicate over a computer network on separate hardware, but both client and server may reside in the same system. A server machine is a host that is running one or more server programs which share their resources with clients. A client does not share any of its resources, but requests a server's content or service function. Clients therefore initiate communication sessions with servers which await incoming requests.note that implementing the confirmation actions such as a re authentication or a second factor of authentication require changes to the communication protocol between the database client and the server. The scenarios in which such confirmation actions may be useful are when a malicious subject (user/process) is able to bypass the initial authentication mechanism of the DBMS due to software vulnerabilities (such as buffer overflow) or due to social engineering attacks (such as using someone else s unlocked unattended terminal). Interactive response with the user is not required; the confirmation/resolution/failure actions may be omitted from the policy. IV. PERFORMANCE EVALUATION We perform three sets of experiments. The first two experiments report and compare the overhead of the policy matching algorithms. The third experiment reportsresults on the overhead of the signature verification mechanism in JTAM. In the first experiment, the anomaly assessment is set such that the number of matching policies for an anomaly is kept constant at four. The number of predicates, and correspondingly the number of policies, are varied in order to assess the policy matching overhead time. Fig. 1 shows the policy matching overhead for the two algorithms as a function of the number of predicates. Fig. 2 reports the number of predicates skipped as a function of the number of predicates. As expected, the policy matching overhead time increases linearly with the increase in the number of predicates in the policy database. Fig 1. Experiment 1: Number of predicates versus policy matching overhead. Such increase in matching overhead may be explained by the fact that the predicates evaluated by the ordered policy matching are more computationally expensive than the ones evaluated by the base policy matching algorithm. The key observation from this experiment, however, is that predicate ordering based on the policy-count parameter has no benefits in terms of decreasing the overhead of the policy matching procedure. Fig. 2. Experiment 1: Number of predicates versus number of predicates skipped. In the second experiment, we keep the number of predicates in the policy database constant at 60. The number of policies is also kept constant at 20. The number of matching policies is varied in order to assess the policy matching overhead. Fig. 3 shows the policy matching overhead for the two algorithms as a function of the number of matching policies. As expected, the policymatching overhead increases with the increase in the number of matching policies. 415 P a g e

Vol.2, Issue.1, Jan-Feb 2012 pp-412-416 ISSN: 2249-6645 response actions for different circumstances depending upon the nature of the anomalous request. The two main issues that we addressed in the context of such response policies are policy matching, and policy administration. Specifically, we added support for new system catalogs to hold policy related data, implemented new SQL commands for the policy administration tasks, and integrated the policy matching code with the query processing subsystem of PostgreSQL. The other issue that we addressed is the administration of response policies to prevent malicious modifications to policy objects from legitimate users. We proposed a JTAM, a novel Fig 3. Experiment 2: Number of matching policies versus administration model, based on Shoup s threshold policy matching overhead Moreover, in this experiment as well, the overhead of the ordered policy matching algorithm is higher than that of the base policy matching algorithm. Fig. 4 Experiment 2: Number of matching policies versus number of predicates skipped Fig. 4 reports the variation in the number of predicates skipped by varying the number of matching policies. For both the algorithms, the number of predicates skipped by the search procedure decreases for increasing numbers of matching policies. Such result is expected since an increase in the number of matching policies leads to an increasing number of predicate evaluations. Overall, the fist two experiments confirm the low overhead associated with our policy matching algorithms. They also show that predicate ordering based on the descending policy-count parameter has no significant impact on reducing the overhead of the policy matching procedure. Therefore, a better strategy is to create a dedicated DBMS process that periodically polls the policy tables, and verifies the signature on all the policies. cryptographic signature scheme we are currently in the process of implementing the intrusion detection algorithms in the PostgreSQL DBMS as part of our overall intrusion detection and response system in a DBMS. REFERENCES [1] M.K. Aguilera, R. E. Strom, D. C. Sturman, M. Astley, and T. D. Chandra, Matching Events in a Content-Based Subscription System, Proc. Symp. Principles of Distributed Computing (PODC), pp. 53-61, 1999. [2] Campailla, S. Chaki, E. Clarke, S. Jha, and H. Veith, EfficientFiltering in Publish-Subscribe Systems Using Binary Decision Diagrams, roc. Int l Conf. Software Eng. (ICSE), pp. 443-452, 2001. [3] V. Ganapathy, T. Jaeger, and S. Jha, Retrofitting Legacy Code for Authorization Policy Enforcement, Proc. IEEE Symp. Security and Privacy, pp. 214-229, 2006. [4] R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk, Robust andefficient Sharing of RSA Functions, J. Cryptology, vol. 20, no. 3, pp. 393-400, 2007. [5] H.-S. Lim, J.-G. Lee, M.-J. Lee, K.-Y. Whang, and I.- Y. Song, Continuous Query Processing in Data Streams Using Duality of Data and Queries, Proc. ACM SIGMOD, pp. 313-324, 2006. [6] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography. CRC Press, 2001. [7] Postgresql 8. 3. The Postgresql Global Development Group http://www.postgresql.org/, July 2008. [8] V. Shoup, Practical Threshold Signatures, Proc. Int l Conf. Theory and Application of Cryptographic Techniques (EURO1RYPT), pp. 207-220, 2000. V. CONCLUSION In this paper, we have described the response component of our intrusion detection system for a DBMS. We presented an interactive Event-Condition-Action type response policy language that makes it very easy for the database security administrator to specify appropriate 416 P a g e

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback