Abstract
The protection of data held in databases is very important for an organization. Database security assures the protection of data against threats. The more complex the databases are, the more complex the security measures that must be applied. Network and Internet connections to databases complicate things even further. Even the existing security measures at the database application level are not able to protect the database completely from some malicious actions, especially insider attacks. In this paper, we discuss the main facets of attack on a database and security systems for the detection of malicious transactions in databases.
Keywords: Database Security, Database Intrusion Detection, Insider Attack
1. Introduction
Attacks on a company's databases are motivated by the following factors:
- Databases hold the mass of information with which the company works.
- Databases can reveal private data by processing public data.
- Theft and fraud
- Loss of confidentiality/privacy
- Loss of integrity
- Loss of availability
In recent years, with the frequent occurrence of security incidents, enterprises and organizations have realized the importance of designing a secure information system. Today, information systems rely heavily on web and database technologies, so the risks and threats those technologies face also affect the security of information systems. There are many aspects to security in database applications, including security at the application layer and security at the database layer. While applications typically support a fairly complex set of access control policies, anyone who has direct access to the database can bypass those access control policies altogether. In addition to database administrators, anyone who discovers the database login/password used by the application has the ability to modify the database directly. Thus, even if all security measures have been taken to ensure security at the application logic level, we need the ability to detect any malicious actions against the database.
This chapter is divided into two parts: the advanced security threats section covers cross-site scripting (XSS) attacks, AJAX attacks and other security threats, and the second part covers the detection of malicious activities on databases.
Applications typically have a complex security model built into the application, but when communicating with the database, an application typically connects as a single database user. Anyone who gets access to the database login/password used by the application has the ability to freely read or modify the database, bypassing all the security features built into the application. This problem is exacerbated because the database login and password are often stored in clear text in the application code or configuration files, accessible to system administrators. In addition, database administrators have full access to the data in the database. When dealing with mission-critical data, preventing, or detecting and repairing, unauthorized updates to the database is absolutely critical, even more so than preventing or detecting unauthorized access, since such updates may severely affect the ability of the organization to function. In this paper, we address the problem of detecting unauthorized updates and malicious actions against the database, and some methods by which we can detect them.
2. Related work
2.1 Database security
Ajax security
As Web applications become increasingly complex, the performance required of Web services also increases. AJAX (Asynchronous JavaScript and XML) (Garrett, 2005) is the mainstream technology of Web 2.0 that enables the browser to provide users with a more natural browsing experience. With asynchronous communication, the user can submit, wait and refresh freely, and parts of a page can be updated dynamically, so users have a smooth experience similar to that of desktop applications. However, while the variety of Web applications has brought us countless conveniences, it has also produced a series of security problems. The introduction of AJAX technology does not solve the traditional Web security problems, which still exist, and the elements, composition and structure that characterize AJAX lead to new security threats. In recent years, adding AJAX elements to sites has become a very popular trend, and most websites are typical AJAX-based applications. As most website builders just enjoy the conveniences of AJAX technology and know little about its security threats, most AJAX application sites carry security risks of different levels. Here, we summarize and analyse the AJAX security threats.
1. Security Threats of AJAX Technology
a. The Deficit of JavaScript Language
JavaScript is a widely used client-side scripting language, originally designed and implemented by Netscape, and it has been widely used to reduce the burden on the server. The features of the JavaScript language determine the presence of all kinds of security risks. JavaScript is an interpreted language: in the interpretation process, every error is a runtime error, and runtime errors can only be found during execution. If the programmer has left a bug somewhere in the code, but the logic at run time never reaches that area, the bug will not be found, which leaves significant risks in the application. Detecting and locating the position of an error in an interpreted language is quite difficult.
JavaScript is a weakly typed language. Weakly typed languages do not require the programmer to declare the type of a variable when declaring it. This flexibility easily leads to many problems. JavaScript code is dynamic in nature: code can be generated dynamically and executed with the eval function, and existing functions can be modified directly. Once an attacker gains control of the JavaScript code, he can overwrite other user-defined methods and even the browser's built-in methods, causing many serious malicious behaviours.
b. Problems of Asynchronous
Asynchronous communication is the highlight and core idea of AJAX technology. But asynchrony also introduces a series of race-condition problems.
2. Issues of AJAX Framework
a. Explosion of Client-Side Logic
Programming client-side logic in JavaScript exposes the client-side logic to the public. Users can easily see the client code through the browser's View Source feature.
b. Incomplete Server-Side Validation
Most AJAX programmers validate user input on the client side; although this reduces the burden on the server, it leaves room for security risks.
Cross site scripting
Cross-site scripting (also known as XSS or CSS) occurs when dynamically generated Web pages display input that is not properly validated. In XSS, malicious attackers acting as normal visitors upload malicious script, such as JavaScript code, to the Web server by exploiting bugs in the utility programs or code on the Web server. Attackers also send target users URL links that include the malicious script. When Web users visit pages containing the malicious script, or open the received URL links, the users' browsers automatically load and execute the malicious script. This attack procedure shows that XSS is actually a simple attack technique. In most cases, malicious attackers attack users indirectly through the Web server, and direct attacks occur only rarely. XSS is a passive attack. First, by exploiting the XSS bugs in the Web programs, malicious attackers construct a trap page, and the malicious script is saved in the page content or in the URL. The URL of this page is then announced on a BBS, embedded in e-mails or disguised with an attractive title. If a user visits the URL, the JavaScript is executed by the user's browser. The procedure of an XSS attack is shown in Fig. 1.
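The two defensive points made above, that validation must be repeated on the server because client-side checks can be skipped, and that XSS is stopped by not letting unvalidated input reach the page as markup, can be shown together in a small server-side renderer. The following is an added example written for this chapter, not code from the original text or from any real application; the field names, the accepted character set, the 40-character limit and the message formats are assumptions made for illustration.

```python
import html
import re

# Constructed example: a tiny server-side renderer for a "welcome" page and a
# free-text comment box. Names, limits and message formats are assumptions.

# Conservative allow-list for a display name: letters, digits, space, _ . ' -
NAME_RE = re.compile(r"[A-Za-z0-9 _.'-]{1,40}")


def validate_name(name: str) -> bool:
    """Server-side input validation for a constrained field.

    Whatever the browser already checked, this runs again on the server,
    because the client-side check can be bypassed by sending the request
    directly.
    """
    return NAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Echo the name back inside an HTML fragment.

    Input that fails validation is rejected outright (not "cleaned"), and the
    value that is rendered is HTML-escaped at the point of output, so <, >, &
    and quotes become entities and the browser shows them as text, not markup.
    """
    if not validate_name(name):
        return "<p>Invalid display name.</p>"
    return "<p>Welcome, {}!</p>".format(html.escape(name, quote=True))


def render_comment(text: str) -> str:
    """Free-text field where almost any character is legitimate.

    Validation cannot restrict the character set here, so output escaping is
    the defence: the text can never open a tag or break out of an attribute.
    """
    return "<blockquote>{}</blockquote>".format(html.escape(text, quote=True))


if __name__ == "__main__":
    print(render_greeting("Alice O'Neil"))
    print(render_greeting("<script>x</script>"))
    print(render_comment('<b>hi</b> & "bye"'))
```

The two functions deliberately use different strategies: a constrained field is validated against an allow-list and rejected on failure, while a free-text field is accepted as-is and made safe by escaping at output time. Escaping is the defence that works in both cases, which is why it is applied even to the already-validated name.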
2.2 Detection Of Malicious Activities On Database
Early research mainly focused on network-based and host-based intrusion detection. However, in spite of the significant role of databases in information systems, very limited research has been carried out in the field of intrusion detection in databases. We need intrusion detection systems that work at the application layer and can offer accurate detection for the targeted application.
The approaches used in detecting database intrusions mainly include data mining and Hidden Markov Models (HMM). Chung et al. [1] present a misuse detection system called DEMIDS, which is tailored to relational database systems. DEMIDS uses audit logs to derive profiles that describe the typical behavior of users working with the DBS. The computed profiles can be used to detect misuse behavior, in particular insider abuse. DEMIDS uses "working scopes" to find frequent itemsets, which are sets of features with certain values.
Database intrusion detection using time signatures
Lee et al. [2] have proposed real-time database intrusion detection using time signatures. Real-time database systems deal with data that changes its value with time. These temporal data objects are used to reflect the status of objects in the real world. Whenever the value of a real-world object changes, the data that describes this object should change as well, but a certain lag between the moment of change in the real world and the update in the database is unavoidable. This intrusion detection model observes the database behavior at the level of sensor transactions. If a transaction attempts to update a temporal data object that has already been updated in that period, an alarm is raised.
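The time-signature rule can be implemented as a small monitor that sits in front of the writes to temporal data objects. The code below is an added example for this chapter and is not the system of [2]; it assumes that each temporal object has a fixed update period in seconds, that its legitimate sensor transaction writes it once per period, and that periods are counted as fixed windows from time zero. The object names, periods and event feed are constructed.

```python
from typing import Dict, List, Tuple

# Added example of the time-signature check, not code from [2]. Constructed
# assumptions: fixed per-object update periods, one legitimate write per
# period, periods counted as fixed windows starting at time 0.

Event = Tuple[str, float, str]   # (temporal object, timestamp in s, transaction id)


class TimeSignatureMonitor:
    def __init__(self, periods: Dict[str, float]) -> None:
        self.periods = periods                        # object -> update period (s)
        self.last_slot: Dict[str, int] = {}           # object -> window of last accepted write
        self.alarms: List[Tuple[str, float, str]] = []

    def update(self, obj: str, ts: float, txn: str) -> bool:
        """Apply one update attempt; True if accepted, False if an alarm was raised."""
        period = self.periods.get(obj)
        if period is None:
            # No time signature is defined for this object: the write is outside
            # the sensor model, so it is flagged rather than silently accepted.
            self.alarms.append((obj, ts, f"{txn}: object has no time signature"))
            return False
        slot = int(ts // period)
        if self.last_slot.get(obj) == slot:
            # A second write to the same temporal object inside one period.
            self.alarms.append((obj, ts, f"{txn}: second update within period {slot}"))
            return False
        self.last_slot[obj] = slot
        return True


# Constructed feed: the temperature sensor reports every 10 s, pressure every 5 s.
SAMPLE_EVENTS: List[Event] = [
    ("temp_sensor_1", 0.0, "T1"),
    ("pressure_1", 1.0, "T2"),
    ("temp_sensor_1", 10.5, "T3"),
    ("temp_sensor_1", 12.0, "T4"),   # duplicate write inside the 10-20 s window
    ("pressure_1", 6.0, "T5"),
    ("valve_7", 7.0, "T6"),          # no signature defined for this object
]


def replay(events: List[Event]) -> Tuple[List[bool], List[Tuple[str, float, str]]]:
    """Run the monitor over a feed; returns the accept/reject decisions and alarms."""
    mon = TimeSignatureMonitor({"temp_sensor_1": 10.0, "pressure_1": 5.0})
    accepted = [mon.update(obj, ts, txn) for obj, ts, txn in events]
    return accepted, mon.alarms


if __name__ == "__main__":
    decisions, alarms = replay(SAMPLE_EVENTS)
    print(decisions)
    for alarm in alarms:
        print("ALARM", alarm)
```

Note the caveat the paragraph itself raises: the lag between the real-world change and the database update is unavoidable, so a write that arrives slightly after a window boundary is accepted as the first write of the new window. A tolerance for late writes (or for a sensor that legitimately reports twice) is a policy decision and is not modelled here.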
Wenhui et al. [3] proposed a two-layer mechanism to detect intrusions against web-based database services. In the first layer they model web-server behavior and database-system behavior through a profiling process. Layer one builds historical profiles based on audit trails and other log data provided by the web server and the database server. The pre-alarms generated by the first layer are passed to the second layer for further analysis. In layer one, a tree topology is adopted to profile web-server behavior, and to profile the database server a role-based model is adopted to describe the characteristics of super-user behavior. However, they have not used different levels of granularity or intra-transactional and inter-transactional features in their model.
Hu et al. [4] determine the dependencies among data items, where data dependency refers to the access correlations among data items. These data dependencies are generated in the form of classification rules, i.e. before one data item is updated in the database, which other data items probably need to be read, and after this data item is updated, which other data items are most likely to be updated by the same transaction. Transactions that do not follow any of the mined data dependency rules are marked as malicious. A database contains many attributes, and if all attributes are considered for dependency-rule generation, maintaining such rules is difficult. Moreover, this approach has no concept of attribute sensitivity. These problems are addressed by Srivastava et al. [5], who consider attribute sensitivity in their IDS. In every database, some attributes are considered more sensitive to malicious modification than others. They suggest a weighted data mining algorithm for finding dependencies among sensitive attributes.
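The read-before-write and write-after-write dependencies described for Hu et al. can be mined with a short support count over a log of benign transactions and then checked against new transactions. The following is an added example for this chapter and is not the published algorithm of [4] or the weighted variant of [5]; it assumes that a transaction is available as an ordered list of read/write operations on named data items, that a dependency is kept when it holds in at least a chosen fraction (`min_support`) of the benign transactions that write the item, and that the bank-style item names and the transaction log are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Added example, not the algorithm of [4] or [5]: mine read-before-write and
# write-after-write dependencies from constructed benign transactions and flag
# transactions that break them. A transaction is a list of (op, item) pairs
# with op "r" (read) or "w" (write).
Op = Tuple[str, str]
Txn = List[Op]
Rules = Dict[str, Set[str]]


def mine_dependency_rules(history: List[Txn], min_support: float = 0.8) -> Tuple[Rules, Rules]:
    """For each written item x, learn which items are read before w(x) and which
    are written after it, keeping a dependency when it holds in at least
    min_support of the benign transactions that write x."""
    writes_of: Dict[str, int] = defaultdict(int)
    read_before: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    written_after: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for txn in history:
        for i, (op, x) in enumerate(txn):
            if op != "w":
                continue
            writes_of[x] += 1
            for y in {it for o, it in txn[:i] if o == "r"}:
                read_before[x][y] += 1
            for z in {it for o, it in txn[i + 1:] if o == "w"}:
                written_after[x][z] += 1
    read_rules = {x: {y for y, c in read_before[x].items() if c / n >= min_support}
                  for x, n in writes_of.items()}
    write_rules = {x: {z for z, c in written_after[x].items() if c / n >= min_support}
                   for x, n in writes_of.items()}
    return read_rules, write_rules


def violations(txn: Txn, read_rules: Rules, write_rules: Rules) -> List[str]:
    """Describe every mined dependency that the transaction breaks."""
    found: List[str] = []
    for i, (op, x) in enumerate(txn):
        if op != "w":
            continue
        reads_so_far = {it for o, it in txn[:i] if o == "r"}
        later_writes = {it for o, it in txn[i + 1:] if o == "w"}
        for y in sorted(read_rules.get(x, set()) - reads_so_far):
            found.append(f"w({x}) without prior r({y})")
        for z in sorted(write_rules.get(x, set()) - later_writes):
            found.append(f"w({x}) not followed by w({z})")
    return found


def is_malicious(txn: Txn, read_rules: Rules, write_rules: Rules) -> bool:
    # Any broken dependency marks the transaction (a strict reading of the rule).
    return bool(violations(txn, read_rules, write_rules))


# Constructed benign history: five funds transfers and five deposits.
TRANSFER: Txn = [("r", "bal_A"), ("r", "bal_B"), ("w", "bal_A"), ("w", "bal_B"), ("w", "audit_log")]
DEPOSIT: Txn = [("r", "bal_A"), ("w", "bal_A"), ("w", "audit_log")]
HISTORY: List[Txn] = [TRANSFER] * 5 + [DEPOSIT] * 5


if __name__ == "__main__":
    rr, wr = mine_dependency_rules(HISTORY)
    print("read-before-write:", rr)
    print("write-after-write:", wr)
    # A direct balance update with no read and no audit entry breaks two rules.
    print(violations([("w", "bal_A")], rr, wr))
```

Two caveats follow from the paragraph's own criticism of the approach: an item never written in the training log has no rule at all, so a write to it passes unchecked, and every attribute in the schema gets its own rule table, which is the maintenance burden that motivates restricting the mining to sensitive attributes.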
DIDAFIT (Detecting Intrusions in Databases through Fingerprinting Transactions)
DIDAFIT is a system developed to perform database intrusion detection at the application level. It works by fingerprinting the access patterns of legitimate database transactions and using them to identify database intrusions. The framework for DIDAFIT is described in [6]. That paper describes how the fingerprints for database transactions can be represented and presents an algorithm to learn and summarize SQL statements into fingerprints. The main contribution of the work is a technique to efficiently summarize SQL queries into compact and effective regular-expression fingerprints. If a given query does not match any of the existing fingerprints, it is reported as malicious.
Kamra et al. [7] have proposed a role-based approach for detecting malicious behavior in RBAC (role-based access control) administered databases. A classification technique is used to deduce role profiles of normal user behavior. An alarm is raised if the role estimated by the classifier for a given user differs from the actual role of the user. The approach is well suited to databases that employ a role-based access control mechanism, and it addresses the insider threat scenario directly. Its limitation is that it is a query-based approach and cannot extract correlations among the queries in a transaction. This problem is resolved by Rao et al. [8], whose approach extracts correlations among the queries in a transaction. The database log is read to extract the list of tables accessed by each transaction and the lists of attributes read and written by it. Under this approach, if a transaction supported by the application contains two queries, then an authorized user of that transaction must issue both queries of the transaction one after the other. If a user issues only one query of the defined transaction, the executed transaction is marked as malicious. This approach is well suited to handling insider attacks completely.
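The two ideas above combine naturally: DIDAFIT-style fingerprints decide whether a single query has a known shape, and a transaction profile built from the sequence of fingerprints decides whether the user issued the whole transaction rather than one query of it, which is the check Rao et al. describe. The code below is an added example for this chapter, not the DIDAFIT code of [6] or the system of [8]; it assumes that a fingerprint is a regular expression obtained by replacing string and numeric literals in the statement with wildcard sub-patterns and normalizing whitespace, and that the accounts/audit tables and the transfer transaction are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# Added example, not the DIDAFIT code of [6] or the system of [8]: learn
# regular-expression fingerprints from benign SQL, then check both single
# queries and whole transactions against them. Tables and queries are constructed.

_TOKEN = re.compile(r"""
      (?P<str>'(?:[^']|'')*')                     # single-quoted string literal
    | (?P<num>(?<![\w.])\d+(?:\.\d+)?(?![\w.]))   # numeric literal standing alone
    | (?P<ws>\s+)                                 # run of whitespace
    | (?P<other>\S)                               # any other character, kept literally
""", re.VERBOSE)


def fingerprint(sql: str) -> str:
    """Summarize one SQL statement into a regex: literals become wildcard
    sub-patterns, whitespace is normalized, everything else is kept verbatim."""
    parts: List[str] = []
    for m in _TOKEN.finditer(sql.strip()):
        kind = m.lastgroup
        if kind == "str":
            parts.append(r"'(?:[^']|'')*'")
        elif kind == "num":
            parts.append(r"\d+(?:\.\d+)?")
        elif kind == "ws":
            parts.append(r"\s+")
        else:
            parts.append(re.escape(m.group()))
    return "".join(parts)


class TransactionProfiler:
    def __init__(self) -> None:
        self.fingerprints: List[str] = []             # one regex per learned query shape
        self.profiles: Set[Tuple[int, ...]] = set()   # known sequences of query shapes

    def _shape_id(self, sql: str) -> int:
        fp = fingerprint(sql)
        if fp not in self.fingerprints:
            self.fingerprints.append(fp)
        return self.fingerprints.index(fp)

    def learn(self, benign: List[List[str]]) -> None:
        """Learn fingerprints and transaction shapes from benign transactions."""
        for txn in benign:
            self.profiles.add(tuple(self._shape_id(q) for q in txn))

    def classify_query(self, sql: str) -> Optional[int]:
        """Index of the fingerprint the query matches, or None (report as malicious)."""
        s = sql.strip()
        for i, fp in enumerate(self.fingerprints):
            if re.fullmatch(fp, s):
                return i
        return None

    def classify_transaction(self, txn: List[str]) -> Tuple[bool, str]:
        """Every query must match a fingerprint AND the sequence must be a known
        transaction; a lone query out of a multi-query transaction is flagged."""
        ids: List[int] = []
        for q in txn:
            i = self.classify_query(q)
            if i is None:
                return False, f"query matches no fingerprint: {q}"
            ids.append(i)
        if tuple(ids) not in self.profiles:
            return False, f"query sequence {ids} is not a known transaction"
        return True, "ok"


def make_transfer(src: int, dst: int, amount: int, who: str) -> List[str]:
    """Constructed four-query funds transfer as the application issues it."""
    return [
        f"SELECT balance FROM accounts WHERE id = {src}",
        f"UPDATE accounts SET balance = balance - {amount} WHERE id = {src}",
        f"UPDATE accounts SET balance = balance + {amount} WHERE id = {dst}",
        f"INSERT INTO audit (who, what) VALUES ('{who}', 'transfer')",
    ]


TRAINING = [make_transfer(17, 42, 250, "alice"), make_transfer(3, 9, 10, "bob")]

if __name__ == "__main__":
    p = TransactionProfiler()
    p.learn(TRAINING)
    print(p.classify_transaction(make_transfer(5, 6, 1, "carol")))
    print(p.classify_transaction(["UPDATE accounts SET balance = balance + 9999 WHERE id = 42"]))
    print(p.classify_query("DELETE FROM audit WHERE id = 3"))
```

The fingerprint keeps keyword case and punctuation exactly as the application emits them, so a statement generated by a different code path, or typed by hand with different spacing around commas, fails to match; that strictness is what makes the approach effective against an insider issuing ad-hoc statements, and also why the training log must come from the real application and not be written by hand.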
3. References
J. J. Garrett (Feb 2005). Ajax: A New Approach to Web Applications. Available from http://adaptivepath.com/ideas/ajax-new-approach-web-applications
D. Crockford (July 2006). The application/json Media Type for JavaScript Object Notation (JSON). RFC 4627.
[1] C. Y. Chung, M. Gertz, K. Levitt, "DEMIDS: A Misuse Detection System for Database Systems", IFIP TC-11 WG 11.5 Conference on Integrity and Internal Control in Information Systems, pp. 159-178, 1999.
[2] V. C. S. Lee, J. A. Stankovic, S. H. Son, "Intrusion Detection in Real-Time Database Systems via Time Signatures", Real-Time Technology and Applications Symposium, pp. 124, 2000.
[3] S. Wenhui, T. Tan, "A Novel Intrusion Detection System Model for Securing Web-Based Database Systems", in Proceedings of the 25th Annual International Computer Software and Applications Conference (COMPSAC), pp. 249-254, 2001.
[4] Y. Hu, B. Panda, "A Data Mining Approach for Database Intrusion Detection", in Proceedings of the ACM Symposium on Applied Computing, pp. 711-716, 2004.
[5] A. Srivastava, S. Sural, A. K. Majumdar, "Weighted Intra-transactional Rule Mining for Database Intrusion Detection", in Proceedings of the Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD), Lecture Notes in Artificial Intelligence, Springer, pp. 611-620, 2006.
[6] S. Y. Lee, W. L. Low, P. Y. Wong, "Learning Fingerprints for a Database Intrusion Detection System", in Proceedings of the 7th European Symposium on Research in Computer Security, pp. 264-280, 2002.
[7] E. Bertino, E. Terzi, A. Kamra, A. Vakali, "Intrusion Detection in RBAC-Administered Databases", in Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), pp. 170-182, 2005.
[8] U. P. Rao, G. J. Sahani, D. R. Patel, "Detection of Malicious Activity in Role Based Access Control (RBAC) Enabled Databases", Journal of Information Assurance and Security, Volume 5, Issue 6, pp. 611-617, 2010.