A Practical Implementation of a Real-time Intrusion Prevention System for Commercial Enterprise Databases
Ulf T. Mattsson
2004
Abstract
Modern intrusion detection systems are built on three basically different approaches: host-based, network-based, and a relatively recent third addition called procedural-based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they suffer from a number of shortcomings, such as scaling with increased traffic requirements, the use of complex and false-positive-prone signature databases, and their inability to detect novel intrusive attempts. The intrusion detection system presented here interacts with the access control system to deny further access when detection occurs, and represents a practical implementation addressing these and other concerns. This paper presents an overview of our work in creating a practical database intrusion detection system. Based on many years of database security research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional commercial implementations of database security mechanisms are very limited in defending against successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance. Suites of the proposed solution may be deployed throughout a network, and their alarms managed, correlated, and acted on by remote or local subscribing security services, thus helping to address issues of decentralized management.
Paper Citation
in Harvard Style
T. Mattsson U. (2004). A Practical Implementation of a Real-time Intrusion Prevention System for Commercial Enterprise Databases. In Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004) ISBN 972-8865-07-4, pages 114-125. DOI: 10.5220/0002663101140125
in Bibtex Style
@conference{wosis04,
author={Ulf T. Mattsson},
title={A Practical Implementation of a Real-time Intrusion Prevention System for Commercial Enterprise Databases},
booktitle={Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)},
year={2004},
pages={114-125},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002663101140125},
isbn={972-8865-07-4},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 2nd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2004)
TI - A Practical Implementation of a Real-time Intrusion Prevention System for Commercial Enterprise Databases
SN - 972-8865-07-4
AU - T. Mattsson U.
PY - 2004
SP - 114
EP - 125
DO - 10.5220/0002663101140125