Recovery from Malicious Transactions
September/October 2002 (vol. 14 no. 5)
pp. 1167-1185

Abstract—Preventive measures sometimes fail to deflect malicious attacks. In this paper, we adopt an information warfare perspective, which assumes success by the attacker in achieving partial, but not complete, damage. In particular, we work in the database context and consider recovery from malicious but committed transactions. Traditional recovery mechanisms do not address this problem, except for complete rollbacks, which undo the work of benign transactions as well as malicious ones, and compensating transactions, whose utility depends on application semantics. Recovery is complicated by the presence of benign transactions that depend, directly or indirectly, on the malicious transactions. We present algorithms to restore only the damaged part of the database. We identify the information that needs to be maintained for such algorithms. The initial algorithms repair damage to quiescent databases; subsequent algorithms increase availability by allowing new transactions to execute concurrently with the repair process. Also, via a study of benchmarks, we show practical examples of how offline analysis can efficiently provide the necessary data to repair the damage of malicious transactions.

Index Terms:
Security, database recovery, transaction processing, assurance.
Paul Ammann, Sushil Jajodia, Peng Liu, "Recovery from Malicious Transactions," IEEE Transactions on Knowledge and Data Engineering, vol. 14, no. 5, pp. 1167-1185, Sept.-Oct. 2002, doi:10.1109/TKDE.2002.1033782