Mechanisms for Database Intrusion Detection and Response. Michael Sintim - Koree SE 521 March 6, 2013.

Similar documents
Graduate School ETD Form 9 (Revised 12/07) PURDUE UNIVERSITY GRADUATE SCHOOL Thesis/Dissertation Acceptance

Cybersecurity for Product Lifecycle Management A Research Roadmap

Anomaly Response System for Relational Database System Using Joint Administration Model

S. Pothumani Dept of CSE Bharath University India.

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

ISeCure. The ISC Int'l Journal of Information Security. A Hybrid Approach for Database Intrusion Detection at Transaction and Inter-transaction Levels

A Role Intrusion Detection System for Role Based Access Controlled Relational Database Management Systems

Tautology based Advanced SQL Injection Technique A Peril to Web Application

Introduction and Statement of the Problem

Approaches and Challenges in Database Intrusion Detection

Detection of Insiders Misuse in Database Systems

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

Intrusion Detection System

Security Audit What Why

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

Efficient Implementation of Insider and Outsider Activity Response System for RDB

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Technology White Paper of SQL Injection Attacks and Prevention

A NEW APPROACH TO INTRUSION DETECTION SYSTEM

Database Auditing and Forensics for Privacy Compliance: Challenges and Approaches. Bob Bradley Tizor Systems, Inc. December 2004

intelop Stealth IPS false Positive

Imperva Incapsula Website Security

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

IT Services IT LOGGING POLICY

UNIFICATION OF TECHNOLOGIES

Basic Concepts in Intrusion Detection

the SWIFT Customer Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

OSSIM Fast Guide

CIT 480: Securing Computer Systems

Database Security Service. Service Overview. Issue 16 Date HUAWEI TECHNOLOGIES CO., LTD.

Cyber Security Audit & Roadmap Business Process and

A Survey And Comparative Analysis Of Data

KPI Dictionary ABRIDGED SAMPLE. A KPI Reference Guide for Use in Performance Management. Information Technology (IT)

Comprehensive Database Security

C1: Define Security Requirements

A Review on Privacy Preserving Data Mining Approaches

Higher Education Privacy Update

McPAD and HMM-Web: two different approaches for the detection of attacks against Web applications

Towards Traffic Anomaly Detection via Reinforcement Learning and Data Flow

Implementation of Pattern Matching Algorithm to Prevent SQL Injection Attack

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Intrusion Detection Using Data Mining Technique (Classification)

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Compliance and Privileged Password Management

MULTIVARIATE ANALYSIS OF STEALTH QUANTITATES (MASQ)

CE Advanced Network Security

Web Prior Architecture to Avoid Threats and Enhance Intrusion Response System

Security and Compliance Powered by the Cloud. Ben Friedman / Strategic Accounts Director /

Double Guard: Detecting intrusions in Multitier web applications with Security

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Reducing errors in the anomaly-based detection of web-based attacks through the combined analysis of web requests and SQL queries

Performance of data mining algorithms in unauthorized intrusion detection systems in computer networks

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

Intrusion Detection by Combining and Clustering Diverse Monitor Data

Anomaly Detection in Communication Networks

Presentation by Brett Meyer

Self-Learning Systems for Network Intrusion Detection

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Achieving End-to-End Security in the Internet of Things (IoT)

INTRUSION RESPONSE SYSTEM TO AVOID ANOMALOUS REQUEST IN RDBMS

Validation and Reverse Business Process Documentation of on line services

Big Data - Security with Privacy

Cassandra Database Security

CIH

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

Pyrite or gold? It takes more than a pick and shovel

Network Security Protection Alternatives for the Cloud

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

- Table of Contents -

Financial Conduct Authority. Financial Crime : A Guide for Firms

Security Technologies for Dynamic Collaboration

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

Sponsored by Oracle. SANS Institute Product Review: Oracle Audit Vault. March A SANS Whitepaper. Written by: Tanya Baccam

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

CS Review. Prof. Clarkson Spring 2017

Insider Threats. Nathalie Baracaldo. School of Information Sciences. March 26 th, 2015

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Intrusion Detection Systems

Database Intrusion Detection: Defending Against the Insider Threat

Detecting outliers in web-based network traffic. Joël Stemmer

WHITEPAPER. THE INGRES DATABASE AND COMPLIANCE Ensuring your business most valuable assets are secure

SPECIAL ISSUE, PAPER ID: IJDCST-09 ISSN

Cluster Based detection of Attack IDS using Data Mining

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

International Journal of Advance Engineering and Research Development

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Have breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?

Data Privacy and Protection GDPR Compliance for Databases

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

Transcription:

Mechanisms for Database Intrusion Detection and Response Michael Sintim - Koree SE 521 March 6, 2013.

Article Title: Mechanisms for Database Intrusion Detection and Response Authors: Ashish Kamra, Elisa Bertino, and Guy Lebanon Conference : 2nd SIGMOD PhD workshop on Innovative database research, 2008.

Introduction Data represents today an important asset for companies and organizations. Some of these data are worth millions of dollars. Organizations are taking great care at controlling access to these data for both Internal and external users.

Introduction cont. Recently, there has been an Interest in database activity monitoring solutions that continuously monitor a Database Management System(DBMS) and report any relevant suspicious activity. This is due to Government regulations such as: SOX, PCI, GLBA, HIPAA,... and so forth concerning data management.

Introduction cont. Current attack techniques are more sophisticated, organized and targeted than broad based hacking days of the past. With Greater data integration, aggregation and disclosure, preventing data theft has become a big challenge( from both Outside and within). Standard database security controls are not of much help when it comes to preventing data theft from insiders. Access controls mechanisms, Authentication Encryption Technologies

What are the new Strategies There are two: 1. Monitor database activity using Third-party to detect any potential abnormal behaviour. 2. Revise Architectures and techniques adopted by traditional DBMS. Intrusion Detection (ID) mechanism. However, there few ID systems specifically tailored to a DBMS exist. Hence the goal of this work is to develop efficient and effective algorithms for detecting intrusive user behavior in a context of a DBMS, and augment that with an intrusion response engine.

Problem Statement Creating profiles that succinctly represent user/application-behavior interacting with a DBMS Developing efficient algorithms for online detection of anomalous database user/application behavior. Developing strategies for responding to intrusions in context of a DBMS. Creating a system architecture for database intrusion detection response as an integral component of a DBMS, and a prototype implementation of the same in PostgreSQL relational database.

The Approach System Architecture Detecting Anomalous Database Requests Detecting SQL Injection Attacks

System Architecture Consist of three main components: The conventional DBMS mechanism that handles query execution process The database audit log files The ID mechanism These components form the new extended DBMS that is enhanced with independent ID system operating at database level The flow of interactions for the ID process is shown in Figure 1. Every time a query is issued, it is analyzed by the ID mechanism before execution.

System Architecture Figure 1: System Architecture

Detecting Anomalous Database Request In order to identify anomalous user/role access to a DBMS: Use the database audit files for extracting information regarding user's actions. The audit records, after being processed, are used to form initial profile representing acceptable actions. Every entry in the audit file is represented as separate data unit; these units are then combined to form the desired profile. Two Scenarios while addressing this problem: Role Based Access Control (RBAC) model. False Alarms DBMS without any role definitions. Missed Alarms

Detecting Anomalous Database Request Specific Methodology used for ID task : Partition the training data into clusters using standard clustering techniques. Maintain a mapping for every user to its representative cluster. The representative cluster for a user is the cluster that contains the maximum number of training records for that user after the clustering phase. For every new query under observation, its representative cluster is determined by examining the user-cluster mapping. Note: The assumption is that query is associated with a database user.

Detecting Anomalous Database Request For the detection phase : Applying the naive bayes classifier in a manner similar to the supervised case, to determine whether the user associated with the query belongs to its representative cluster or not. A statistical test is used to identify if the query is an outlier in its representative cluster. If the result of the statistical test is positive, the query is marked as an anomaly and an alarm is raised.

Detecting SQL Injection Attacks SQL Injection is an attack exploiting applications that construct SQL statements from user-supplied input. When an application fails to properly validate user-supplied input, it is possible for an attacker to alter the construction of backend SQL statements. The modified SQL queries are executed with the privileges of the application program. An attacker may abuse the privileges of the program in a manner unintended by the application program designers. An SQL Injection attack typically involves malicious modifications to this input either by adding additional clauses or by changing the structure of an existing clause. The projection clause of the query, however, is not modified and remains static because it is not constructed at run time.

Detecting SQL Injection Attacks The two rules derived: The first set consists of rules binding the projection attributes of the query to the attributes used in the where clause. The second set of rules represent the relationship among the attributes in the where clause of the query. These two sets of rules together form the profile of an application. To detect an attack query, we check if the relationship among its query attributes can be inferred by the set of rules in the application profile. If not, our system raises an alarm.

Our Contributions 1. We propose novel encoding schemes for SQL queries to extract useful information from them. 2. We present an approach for fingerprinting database applications based on the SQL queries submitted by them to a database. 3. We then present an anomaly detection model to detect anomalous behavior of database applications. 4. We further demonstrate how this model can be used to detect SQL Injection at the database level.

Related Work Database Activity Monitoring Database Intrusion Detection SQL Injection Attacks

Database Activity Monitoring There are two categories of database activity monitoring products: Network - application - based Detected hardware application that taps into a network to monitor network traffic to and from the data center. Passive mode - Observes the traffic and report suspicious behaviors Inline mode - All traffic to the data center passes through them Agent - based A software component installed in the database server that interacts with the DBMS in order to monitor them.

Database Intrusion Detection Several approaches dealing with ID for operating systems and networks have been developed. However, they are not adequate for protecting databases. The reason is that actions deemed malicious for a database application are not necessarily malicious for the network or the operating system; thus ID systems specifically designed for the latter would not be effective for database protection. An abstract and high-level architecture of a DBMS incorporating an ID component has been recently proposed by several authors. However, this work mainly focuses on discussing generic solutions rather than proposing concrete algorithmic approaches. Our approach, on the other hand, builds profiles using syntactic information from SQL queries appearing in the database log, which makes our approach more general than others.

SQL Injection Attacks To date, there have been few approaches that apply anomaly detection techniques to identify anomalous database application behavior. One such technique is by F. Valeur, D. Mutz, and G. Vigna. (A learningbased approach to the detection of sql injection attacks.) It builds a number of different statistical query models using a set of typical application queries, and then intercepts the new queries submitted to the databases to check for anomalous behavior. Our work is similar in spirit to their work but uses association rule mining techniques to build application query profiles.

Future Works Intrusion Response ID mechanism should have the capability to decide which response action to take under a given situation. We envisage future ID systems to be augmented with an intrusion response mechanism that is responsible for providing the end-user with a framework for defining appropriate response actions to intrusive behavior. As part of our future work, we propose to design and implement an intrusion response mechanism within the context of a DBMS. Prototype Implementation

Future Works Prototype Implementation A major component of this thesis is to illustrate the feasibility and efficiency of our methods. For this purpose, we intend to implement a prototype intrusion detection mechanism integrated with the PostgreSQL database server. The main objectives of this implementation are as follows: To illustrate efficient implementation strategies for developing an intrusion detection and response mechanism inside a DBMS. To measure the overhead on normal query processing introduced by the intrusion detection and response mechanism.

Questions? Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback