Design and Implementation of an Intrusion Response System for Relational Databases
June 2011 (vol. 23 no. 6)
pp. 875-888
Ashish Kamra, Purdue University, Sunnyvale
Elisa Bertino, Purdue University, West Lafayette
The intrusion response component of an overall intrusion detection system is responsible for issuing a suitable response to an anomalous request. We propose the notion of database response policies to support our intrusion response system tailored for a DBMS. Our interactive response policy language makes it very easy for database administrators to specify appropriate response actions for different circumstances, depending upon the nature of the anomalous request. The two main issues that we address in the context of such response policies are policy matching and policy administration. For the policy matching problem, we propose two algorithms that efficiently search the policy database for policies that match an anomalous request. We also extend the PostgreSQL DBMS with our policy matching mechanism, and report experimental results. The experimental evaluation shows that our techniques are very efficient. The other issue that we address is the administration of response policies to prevent malicious modifications to policy objects from legitimate users. We propose a novel Joint Threshold Administration Model (JTAM) that is based on the principle of separation of duty. The key idea in JTAM is that a policy object is jointly administered by at least k database administrators (DBAs); that is, any modification made to a policy object will be invalid unless it has been authorized by at least k DBAs. We present design details of JTAM, which is based on a cryptographic threshold signature scheme, and show how JTAM prevents malicious modifications to policy objects from authorized users. We also implement JTAM in the PostgreSQL DBMS, and report experimental results on the efficiency of our techniques.

Index Terms:
Databases, intrusion detection, response, prevention, policies, threshold signatures.
Citation:
Ashish Kamra, Elisa Bertino, "Design and Implementation of an Intrusion Response System for Relational Databases," IEEE Transactions on Knowledge and Data Engineering, vol. 23, no. 6, pp. 875-888, June 2011, doi:10.1109/TKDE.2010.151