Proactive Data Security: Overcoming Challenges in Role-Based Intrusion Detection for Relational Database Management Systems
Jonathan Boulineau
CPSC 6126, Columbus State University
Columbus, GA USA
Abstract— Nowhere in an enterprise is security more essential than for data stores. Increasingly, relational databases are moving to the forefront of mission critical systems which directly drive the purpose of the organization, be it profit or other concerns. In the case of many for-profit companies, earnings are often directly related to how proprietary data are used and protected. In other cases, data itself may be the purpose of the organization, as in the example of government intelligence agencies. The risk of malicious or unauthorized access to databases is, therefore, of the highest level.
One attempt to develop an effective Intrusion Detection System (IDS) is presented in the article "Detecting anomalous access patterns in relational databases" [1]. Ashish Kamra, Evimaria Terzi and Elisa Bertino present a role-based solution built upon evaluating activity and comparing data access against the historical trends of similar users. By identifying behavior that is outside the norm of usage patterns they hope to provide an effective alert system for intrusion. Unfortunately, their system is not without flaws. With certain modifications, however, a more effective solution can be envisioned.
Keywords – RDBMS, Data Security, Intrusion Detection
I. INTRODUCTION
Securing databases presents unique challenges. The activities of attackers are, in most cases, extremely difficult to distinguish from legitimate usage. Unlike many attacks, which create auditable events such as the deletion or addition of objects, a data violation is a simple read action, a capability typically available even to the most restricted user. As a result, a violation can be extraordinarily damaging without leaving any clear trace. Work undertaken to produce an effective Intrusion Detection System (IDS) that addresses the specific issues of relational database management systems (RDBMS) is, therefore, of great import.
The work conducted by Kamra, Terzi and Bertino (KTB) emerges squarely into this environment. By building upon the foundation of role-based security already present in many RDBMS products, they are able to construct a solution which would be, in principle, a fairly simple matter to apply. It also professes the benefit of addressing the problem of classifying access by providing a strategy to identify malicious data reads.
However, the KTB approach is not without flaws. Indeed, some of the limitations which exist could potentially preclude the usefulness of an IDS implementing their ideas. The simple fact that their solution involves adding a layer of processing which occurs during, or perhaps before, the parsing phase of query execution certainly presents challenges. Another possible pitfall occurs in the proposal to present administrative alerts whenever a potential violation occurs. Although a clear solution to the problem of handling outlying events is not evident, an alert system is not necessarily a desirable tack. Finally, the use of roles in an IDS develops from a different conceptual viewpoint than the actual implementation of roles in a traditional RDBMS. It is, therefore, problematic to adapt in-place roles for use in an IDS.
The remainder of this text will continue to explore role-based intrusion detection with a focus on the KTB approach. A brief review of related work follows in the next section, followed in the third section by an outline of an approach that attempts to overcome the difficulties mentioned. Finally, conclusions will be drawn about the overall potential for a role-based approach to IDS and this approach specifically.
II. RELATED WORK
KTB are not creating a new line of study. However, they make the claim that their work is progressive because no one else has proposed a solution that is generic enough to apply across all application and database schema types, operates in real time and is learning-based. They acknowledge close relations to DEMIDS (DEtection of MIsuse in Database Systems) [2], which uses the concept of a 'Frequent Itemset Profiler' to identify ranges of behaviors for users based on data gleaned from log files. KTB argue that DEMIDS requires schema knowledge, which ensures their own approach is more generally applicable. They also claim that the administrative effort involved in maintaining a solution requiring individual profiles for all users of a data source can be too intensive in many cases.
KTB point to the work of Hu and Panda [3], who approach the problem by identifying data dependencies in different types of transactions and mining the log to identify potential problems. It is an oversight, however, for KTB to neglect the work of the same researchers on utilizing data mining methodologies for intrusion detection [4]. This is especially notable considering the use of data mining in their own work, including Naïve Bayes classification and clustering techniques.
In the years since the publication of the KTB proposal, additional work has been introduced by Xin Jin and Sylvia L. Osborn [5]. While Jin and Osborn do not propose a new role-based IDS approach, they do provide for at least one improvement, which is incorporated and discussed in greater depth in the solution presented below.
New techniques have also been presented. One such technique was presented by Yawei Zhang, Xiaojun Ye, Feng Xie, and Yong Peng [8] at the 2009 IEEE International Conference on Computer and Information Technology. Their work focuses on a detection mechanism based on the content of database communications.
III. SOLUTION
Three significant challenges face the KTB approach. First, the IDS could potentially generate significant administrative challenges which diminish the usefulness of the system. The performance degradation which is inherent in 'screening' each statement executed against the RDBMS engine is a serious problem which must be addressed as well. Perhaps most significant, however, is the conflict between their solution and standard data model design practices and role-based security implementations.
The acknowledgment by KTB of the inevitability of false alarms is admirable. However, they fail to consider the serious impact of this problem. It is not at all unusual to encounter an RDBMS which is called upon to serve hundreds of requests each second. The precision of the IDS is paramount in this case. Even a tiny false positive rate of .001%, a level to which the authors make no claim, could result in a deluge of alerts that could prove an impossible task to address. Proper attention to alerts also requires knowledge of the data which is rarely available to administrators.
In the end, the question of how an administrator is to distinguish between a false alarm and an intrusion is left open. For example, a user may be flagged for accessing data in a manner which is outside of the typical behavior of their role, when in fact the user is simply running a report as a special request for management. It would be quite difficult to make a ruling on this alert without a potentially time-intensive investigation.
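To make the classification step and the false-alarm problem concrete, the following is an added example (constructed here, not KTB's implementation and not code from the paper): per-role query profiles are learned from a constructed audit log with a Naïve Bayes classifier, and a query is flagged when the role its features best match is not the session's role. The (command, tables, columns) feature representation and the table and role names are assumptions; the last check reproduces the 'special report for management' case, which a clerk's profile does not cover and which is therefore flagged.

```python
from collections import Counter, defaultdict
from math import log

# Constructed audit log of past queries: (role, command, tables, columns).
TRAINING_LOG = [
    ("clerk", "SELECT", ("orders",), ("id", "status")),
    ("clerk", "SELECT", ("orders",), ("id", "total")),
    ("clerk", "UPDATE", ("orders",), ("status",)),
    ("clerk", "SELECT", ("customers",), ("name", "address")),
    ("analyst", "SELECT", ("orders", "customers"), ("total", "region")),
    ("analyst", "SELECT", ("orders",), ("total", "region", "status")),
    ("analyst", "SELECT", ("customers",), ("region",)),
    ("analyst", "SELECT", ("orders", "customers"), ("total", "name", "region")),
]

def query_features(command, tables, columns):
    """Reduce a query to discrete features (an assumed simplification of KTB)."""
    return (["cmd=" + command] + ["tbl=" + t for t in tables]
            + ["col=" + c for c in columns])

class RoleProfiles:
    """Per-role query profiles: multinomial Naive Bayes with Laplace smoothing."""
    def __init__(self, audit_log):
        self.role_count = Counter()             # queries seen per role
        self.feat_count = defaultdict(Counter)  # feature counts per role
        self.vocab = set()                      # every feature seen in training
        for role, cmd, tables, cols in audit_log:
            self.role_count[role] += 1
            for f in query_features(cmd, tables, cols):
                self.feat_count[role][f] += 1
                self.vocab.add(f)

    def log_prob(self, role, feats):
        """log P(role) + sum of log P(feature | role); smoothing keeps
        features never seen for a role from zeroing out the whole score."""
        total = sum(self.feat_count[role].values())
        lp = log(self.role_count[role] / sum(self.role_count.values()))
        for f in feats:
            lp += log((self.feat_count[role][f] + 1) / (total + len(self.vocab)))
        return lp

    def predict_role(self, cmd, tables, cols):
        """The role whose historical profile best explains this query."""
        feats = query_features(cmd, tables, cols)
        return max(self.role_count, key=lambda r: self.log_prob(r, feats))

    def is_anomalous(self, session_role, cmd, tables, cols):
        """Alert when the query fits another role's profile better than the
        session's own role; the administrator must then judge the alert."""
        return self.predict_role(cmd, tables, cols) != session_role
```

Against the constructed log, a clerk's status update passes, while a clerk joining orders to customers for totals by region is predicted as analyst activity and flagged even though it may be a legitimate one-off report.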
Unfortunately, the solution to this problem is tied directly to the effectiveness of the classification algorithm. Further research should be conducted into advancing the precision of current algorithms, or the development of new ones. Even so, it should be acknowledged that the exactitude demanded here is well in excess of any current classifier. The magnitude of the problem should not go unrecognized.
An additional problem related to the workload placed upon an RDBMS involves the extra step added to the query execution process. Evaluating a statement against a classification algorithm, such as Naïve Bayes, can be performed quite quickly. Nevertheless, since query performance is often measured at the millisecond or sub-millisecond level, an IDS check could easily double execution time. While at first glance this may seem negligible, a millisecond addition gains relevance when placed in the context of a heavy workload. The absorption of CPU cycles and other resources dedicated to the IDS subsystem could preclude its usefulness.
Fortunately, in this case, Jin and Osborn [5] provide a partial solution by diverting IDS monitoring to a dedicated server that would execute all necessary algorithms. While the additional overhead of data collection remains, it would not be beyond what is typical of something like database mirroring, which has been successfully implemented as an industry standard. The key caveat is to ensure asynchronous processing so that the impact on the production system is limited.
Finally, using native role-based security systems for IDS is a fundamental conceptual paradigm shift from how they are currently implemented. Roles in an RDBMS are used to define what a user can do. This includes functionality such as security administration permissions and reading and writing capabilities. It is somewhat rare, however, to use roles to define what data is available to be queried. Part of the difficulty in using roles for an IDS involves the nature of relational data models. When implementing a third normal form model, it is very difficult to build table structures that facilitate the division of data for security purposes. The third normal form (3NF) defined by E.F. Codd ca. 1971 [6], and particularly the Boyce-Codd modification ca. 1974 [7], is the de facto standard for normalization in relational database design. It specifies that tables should be constructed such that every column in a table contains an attribute directly related to the primary key. In other words, in a table of addresses there should only exist data that directly define the address. Clearly, this is not an approach which considers a division of data along the lines of security, since all data of any given type is stored in the same location regardless of sensitivity. In fact, because of this design, the objects accessed by legitimate queries are often the very same ones accessed by illegitimate queries.
This problem, though significant, is not necessarily insurmountable. Careful logical and physical database design using newer features such as function-based table partitions could provide an effective database design while still providing for effective role-based data access 'zones.' A further requirement could be an additional role structure to separate data access roles from functional roles. This would, however, add administrative work to a system already suffering from complex maintenance problems.
IV. CONCLUSION
The solution presented here represents an improvement over the approach presented by KTB. By including the additional consideration of database design performed with IDS in mind, the groundwork is laid to effectively use roles to analyze access.
As presented, an effective role-based IDS could be successfully implemented provided certain considerations are made. First, the problem of high administrative overhead remains. Addressing false positives and false negatives will remain a function of classification algorithms which may never achieve sufficient precision to make administration trivial. Any system implementing this IDS would need to provide for this additional administration and the expense that is involved.
Perhaps most important is that the intent to use this IDS must be present at the time of initial database design. The increased complexity must be calculated into the design process as well, thereby increasing, possibly drastically, the time and effort that must be expended during development.
Exciting research opportunities are uncovered here because of the need to incorporate well established principles of relational theory with the type of data modeling demanded by security considerations. How to maintain the benefits of classic theory such as design-driven performance and efficient resource utilization while
The circumstances under which these caveats are acceptable are limited. Until further advancement is made, implementations of role-based Intrusion Detection Systems will be relegated to high-security environments in which the problems of the IDS are accepted in order to gain additional assurance.
Therefore, constructing an effective IDS which can be widely implemented remains a major challenge for which no clear solution is evident. Additional research should also focus on the forensic opportunities presented by intrusion detection. Many of the difficulties presented by 'real-time' detection are not present in a postmortem scenario. Certain methodologies, especially log analysis, can continue to improve the practice of forensics.
REFERENCES
[1] A. Kamra, E. Terzi, and E. Bertino, "Detecting anomalous access patterns in relational databases," The VLDB Journal, vol. 17, 2008, pp. 1063-1077.
[2] C. Chung, M. Gertz, and K. Levitt, "DEMIDS: A misuse detection system for database systems," in Integrity and Internal Control in Information Systems: Strategic Views on the Need for Control, IFIP TC11 WG11.5, Third Working Conference, 2000.
[3] Y. Hu and B. Panda, "Identification of malicious transactions in database systems," International Database Engineering and Applications Symposium, 2003.
[4] Y. Hu and B. Panda, "A data mining approach for database intrusion detection," ACM Symposium on Applied Computing, 2004.
[5] X. Jin and S.L. Osborn, "Architecture for data collection in database intrusion detection systems," in Lecture Notes in Computer Science, Springer Berlin/Heidelberg, pp. 96-107.
[6] E.F. Codd, "Further normalization of the database relational model," Courant Computer Science Symposia Series 6, New York, NY, 1971.
[7] E.F. Codd, "Recent investigations in relational database systems," Information Processing 74, North Holland Pub. Co., Amsterdam, 1975, pp. 1017-1021.
[8] Y. Zhang, X. Ye, F. Xie, and Y. Peng, "A practical database intrusion detection system framework," in 2009 Ninth IEEE International Conference on Computer and Information Technology (CIT), vol. 1, pp. 342-347, 2009.