A REAL-TIME INTRUSION PREVENTION SYSTEM FOR COMMERCIAL ENTERPRISE DATABASES

Ulf T. Mattsson

2004

Abstract

Modern intrusion detection systems are comprised of three basically different approaches: host based, network based, and a third, relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall prey to a number of shortcomings, such as scaling with increased traffic requirements, use of complex and false-positive-prone signature databases, and their inability to detect novel intrusive attempts. This intrusion detection system interacts with the access control system to deny further access when detection occurs, and represents a practical implementation addressing these and other concerns. This paper presents an overview of our work in creating a practical database intrusion detection system. Based on many years of database security research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional commercial implementations of database security mechanisms are very limited in defending against successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance. Suites of the proposed solution may be deployed throughout a network, and their alarms managed, correlated, and acted on by remote or local subscribing security services, thus helping to address issues of decentralized management.



Paper Citation


in Harvard Style

T. Mattsson U. (2004). A REAL-TIME INTRUSION PREVENTION SYSTEM FOR COMMERCIAL ENTERPRISE DATABASES. In Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE, ISBN 972-8865-15-5, pages 275-280. DOI: 10.5220/0001381102750280


in Bibtex Style

@conference{icete04,
author={Ulf T. Mattsson},
title={A REAL-TIME INTRUSION PREVENTION SYSTEM FOR COMMERCIAL ENTERPRISE DATABASES},
booktitle={Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,},
year={2004},
pages={275-280},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001381102750280},
isbn={972-8865-15-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,
TI - A REAL-TIME INTRUSION PREVENTION SYSTEM FOR COMMERCIAL ENTERPRISE DATABASES
SN - 972-8865-15-5
AU - T. Mattsson U.
PY - 2004
SP - 275
EP - 280
DO - 10.5220/0001381102750280