Proactive Data Security
Overcoming Challenges in Role-Based Intrusion Detection for Relational Database Management Systems

Jonathan Boulineau, CPSC 6126, Columbus State University, Columbus, GA, USA

Abstract— Nowhere in an enterprise is security more essential than for data stores. Increasingly, relational databases are moving to the forefront of mission-critical systems which directly drive the purpose of the organization, be it profit or other concerns. In the case of many for-profit companies, earnings are often directly related to how proprietary data are used and protected. In other cases, data itself may be the purpose of the organization, as in the example of government intelligence agencies. The risk of malicious or unauthorized access to databases is therefore of the highest level. One attempt to develop an effective Intrusion Detection System (IDS) is presented in the article "Detecting anomalous access patterns in relational databases" [1]. Ashish Kamra, Evimaria Terzi and Elisa Bertino present a role-based solution based upon evaluating activity and comparing data access against the historical trends of similar users. By identifying behavior that is outside the norm of usage patterns they hope to provide an effective alert system for intrusion. Unfortunately, their system is not without flaws. With certain modifications, however, a more effective solution can be envisioned.

Keywords – RDBMS, Data Security, Intrusion Detection

I. INTRODUCTION

Securing databases presents unique challenges. Activities of attackers are, in most cases, extremely difficult to distinguish from legitimate usage. Unlike many attacks which create auditable events such as deletions or additions of objects, a data violation is a simple read action, a capability typically available even to the most restricted user. As a result, a violation can be extraordinarily damaging without leaving any clear trace.
Work undertaken to produce an effective Intrusion Detection System (IDS) that addresses the specific issues of relational database management systems (RDBMS) is therefore of great import. The work conducted by Kamra, Terzi and Bertino (KTB) emerges squarely into this environment. By building upon the foundation of role-based security already present in many RDBMS products, they are able to construct a solution which would be, in principle, a fairly simple matter to apply. It also professes the benefit of addressing the access classification problem by providing a strategy to identify malicious data reads. However, the KTB approach is not without flaws. Indeed, some of the limitations which exist could potentially preclude the usefulness of an IDS implementing their ideas. The simple fact that their solution involves adding a layer of processing which occurs during, or perhaps before, the parsing phase of query execution certainly presents challenges. Another possible pitfall occurs in the proposal to present administrative alerts whenever a potential violation occurs. Although a clear solution to the problem of handling outlying events is not evident, an alert system is not necessarily a desirable tack. Finally, the use of roles in an IDS develops from a different conceptual viewpoint than the actual implementation of roles in a traditional RDBMS. It is therefore problematic to adapt in-place roles for use in an IDS.

The remainder of this text will continue to explore role-based intrusion detection with a focus on the KTB approach. A brief review of related work follows in the next section, and the third section outlines an approach that attempts to overcome the difficulties mentioned. Finally, conclusions will be drawn about the overall potential for a role-based approach to IDS and this approach specifically.

II. RELATED WORK

KTB are not creating a new line of study.
However, they make the claim that their work is progressive because no one else has proposed a solution that is generic enough to apply across all application and database schema types, operates in real time and is learning-based. They acknowledge a close relation to DEMIDS (DEtection of MIsuse in Database Systems) [2], which uses the concept of a 'Frequent Itemset Profiler' to identify ranges of behaviors for users based on data gleaned from log files. KTB argue that DEMIDS requires schema knowledge, which ensures their own approach is more generally applicable. They also claim that the administrative effort involved in maintaining a solution requiring individual profiles for all users of a data source can be too intensive in many cases. KTB point to the work of Hu and Panda [3], who approach the problem by identifying data dependencies in different types of transactions and mining the log to identify potential problems. It is an oversight, however, for KTB to neglect the work of the same researchers on utilizing data mining methodologies for intrusion detection [4]. This is especially notable considering the use of data mining in their own work, including Naïve Bayes classification and clustering techniques.

In the years since the publication of the KTB proposal, additional work has been introduced by Xin Jin and Sylvia L. Osborn [5]. While Jin and Osborn do not propose a new role-based IDS approach, they do provide at least one improvement, which is incorporated and discussed in greater depth in the solution presented below. New techniques have also been presented. One such technique was presented by Yawei Zhang, Xiaojun Ye, Feng Xie, and Yong Peng [8] at the 2009 IEEE International Conference on Computer and Information Technology. Their work focuses on a database communication content detection mechanism for intrusion detection.

III. SOLUTION

Three significant challenges face the KTB approach.
First, the IDS could potentially generate significant administrative challenges which diminish the usefulness of the system. The performance degradation inherent in 'screening' each statement executed against the RDBMS engine is a serious problem which must be addressed as well. Perhaps most significant, however, is the conflict between their solution and standard data model design practices and role-based security implementations.

The acknowledgment by KTB of the inevitability of false alarms is admirable. However, they fail to consider the serious impact of this problem. It is not at all unusual to encounter an RDBMS which is called upon to serve hundreds of requests each second. The precision of the IDS is paramount in this case. Even a tiny false positive rate of .001%, a level to which the authors make no claim, could result in a deluge of alerts that could prove an impossible task to address. Proper attention to alerts also requires knowledge of the data which is rarely available to administrators. In the end, the question of how an administrator is to distinguish between a false alarm and an intrusion is left open. For example, a user may be flagged for accessing data in a manner which is outside the typical behavior of their role, when in fact the user is simply running a report as a special request for management. It would be quite difficult to make a ruling on this alert without a potentially time-intensive investigation. Unfortunately, the solution to this problem is tied directly to the effectiveness of the classification algorithm. Further research should be conducted into advancing the precision of current algorithms, or into the development of new ones. Even so, it should be acknowledged that the exactitude demanded here is well in excess of any current classifier. The magnitude of the problem should not go unrecognized.
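To make the role-based classification described in the abstract and the false-alarm scenario above concrete, here is an added example (written for this page, not the KTB implementation): a Naïve Bayes profiler that learns from a constructed audit log which query shapes each role issues, then alarms when a query looks more like another role's. The feature set (SQL command, table touched, projection width) and the log entries are assumptions made for illustration.

```python
"""Toy role-based anomaly detector in the spirit of the KTB proposal.

Added example, not code from the paper or from Kamra, Terzi and Bertino.
The audit log is constructed; the feature set is an assumption.
"""
import math
from collections import Counter, defaultdict

# Constructed audit log: (role, command, table, number_of_projected_columns)
AUDIT_LOG = [
    ("clerk", "SELECT", "orders", 3), ("clerk", "SELECT", "orders", 4),
    ("clerk", "INSERT", "orders", 5), ("clerk", "SELECT", "customers", 2),
    ("analyst", "SELECT", "sales_fact", 12), ("analyst", "SELECT", "sales_fact", 9),
    ("analyst", "SELECT", "customers", 8), ("analyst", "SELECT", "orders", 10),
    ("dba", "GRANT", "customers", 0), ("dba", "SELECT", "pg_stat", 6),
    ("dba", "UPDATE", "customers", 1), ("dba", "SELECT", "customers", 1),
]

def width_bucket(ncols):
    """Coarsen projection width so sparse per-role counts still generalise."""
    return "none" if ncols == 0 else "narrow" if ncols <= 4 else "wide"

def featurise(command, table, ncols):
    return [("cmd", command), ("tbl", table), ("width", width_bucket(ncols))]

class RoleProfiler:
    """Multinomial Naive Bayes over query features, one class per role."""
    def __init__(self, log):
        self.role_counts = Counter()
        self.feat_counts = defaultdict(Counter)   # role -> feature -> count
        self.vocab = set()
        for role, cmd, tbl, ncols in log:
            self.role_counts[role] += 1
            for feat in featurise(cmd, tbl, ncols):
                self.feat_counts[role][feat] += 1
                self.vocab.add(feat)

    def predict_role(self, command, table, ncols):
        """Return the role whose historical profile best explains the query."""
        feats = featurise(command, table, ncols)
        total = sum(self.role_counts.values())
        best, best_lp = None, -math.inf
        for role, n in self.role_counts.items():
            lp = math.log(n / total)
            denom = sum(self.feat_counts[role].values()) + len(self.vocab)
            for feat in feats:   # Laplace smoothing avoids zero probabilities
                lp += math.log((self.feat_counts[role][feat] + 1) / denom)
            if lp > best_lp:
                best, best_lp = role, lp
        return best

    def is_anomalous(self, claimed_role, command, table, ncols):
        """KTB-style rule: alarm when the query is attributed to another role."""
        return self.predict_role(command, table, ncols) != claimed_role
```

Note how a clerk issuing a wide `SELECT` on `orders` (the one-off management report from the text) is attributed to the analyst profile and flagged, which is exactly the kind of false alarm an administrator would have to investigate by hand.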
An additional problem related to the workload placed upon an RDBMS involves the extra step added to the query execution process. Evaluating a statement against a classification algorithm such as Naïve Bayes can be performed quite quickly. Nevertheless, since query performance is often measured at the millisecond or sub-millisecond level, an IDS check could easily double execution time. While at first glance this may seem negligible, a millisecond addition gains relevance when placed in the context of a heavy workload. The absorption of CPU cycles and other resources dedicated to the IDS subsystem could preclude its usefulness. Fortunately, in this case, Jin and Osborn [5] provide a partial solution by diverting IDS monitoring to a dedicated server that would execute all necessary algorithms. While the additional overhead of data collection remains, it would not be beyond what is typical for something like database mirroring, which has been successfully implemented as an industry standard. The key caveat is to ensure asynchronous processing so that the impact on the production system is limited.

Finally, using native role-based security systems for IDS is a fundamental conceptual paradigm shift from how they are currently implemented. Roles in an RDBMS are used to define what a user can do. This includes functionality such as security administration permissions and reading and writing capabilities. It is somewhat rare, however, to use roles to define what data is available to be queried. Part of the difficulty in using roles for an IDS involves the nature of relational data models. It is very difficult when implementing a third normal form model to build table structures that facilitate data division for security purposes. The third normal form (3NF) defined by E.F. Codd [6] ca. 1971, and particularly the Boyce-Codd modification ca. 1974 [7], is the de facto standard for normalization in relational database design.
It specifies that tables should be constructed such that every column in a table contains an attribute directly related to the primary key. In other words, in a table of addresses there should only exist data that directly define the address. Clearly, this is not an approach which considers a division of data along the lines of security, since all data of any given type is stored in the same location, regardless of sensitivity. In fact, because of this design, the objects accessed by legitimate queries are often the very same objects accessed in illegitimate queries. This problem, though significant, is not necessarily insurmountable. Careful logical and physical database design using newer features such as function-based table partitions could provide an effective database design while still providing for effective role-based data access 'zones.' A further requirement could be a separate role structure that distinguishes data access roles from functional roles. This would, however, add administrative work to a system already suffering from complex maintenance problems.

IV. CONCLUSION

The solution presented here represents an improvement over the approach presented by KTB. By including the additional consideration of database design performed with IDS in mind, the groundwork is laid to effectively use roles to analyze access. As presented, an effective role-based IDS could be successfully implemented provided certain considerations are made. First, the problem of high administrative overhead remains. Addressing false positives and false negatives will remain a function of classification algorithms which may never achieve sufficient precision to make administration trivial. Any system implementing this IDS would need to provide for this additional administration and the expense that is involved. Perhaps most important is that the intent to use this IDS must be present at the time of initial database design. The increased complexity must be calculated into the design process as well, thereby increasing, possibly drastically, the time and effort that must be expended during development.

The circumstances under which these caveats are acceptable are limited. Until further advancement is made, implementations of role-based Intrusion Detection Systems will be relegated to high-security environments in which the problems of the IDS are accepted in order to gain additional assurance. Therefore, constructing an effective IDS which can be widely implemented remains a major challenge for which no clear solution is evident.

Exciting research opportunities are uncovered here because of the need to incorporate well-established principles of relational theory with the type of data modeling demanded by security considerations. How to maintain the benefits of classic theory such as design-driven performance and efficient resource utilization while

Additional research should also focus on the forensic opportunities presented by intrusion detection. Many of the difficulties presented by 'real-time' detection are not present in a postmortem scenario. Certain methodologies, especially log analysis, can continue to improve the practice of forensics.

REFERENCES

[1] Ashish Kamra, Evimaria Terzi, and Elisa Bertino, "Detecting anomalous access patterns in relational databases," The VLDB Journal 17, 2008, pp. 1063–1077.
[2] C. Chung, M. Gertz, and K. Levitt, "DEMIDS: A misuse detection system for database systems," in Integrity and Internal Control in Information Systems: Strategic Views on the Need for Control, IFIP TC11 WG11.5, Third Working Conference, 2000.
[3] Y. Hu and P. Brajendra, "Identification of malicious transactions in database systems," International Database Engineering and Applications Symposium, 2003.
[4] Y. Hu and P. Brajendra, "A data mining approach for database intrusion detection," ACM Symposium on Applied Computing, 2004.
[5] J. Xin and S.L. Osborn, "Architecture for data collection in database intrusion detection systems," Lecture Notes in Computer Science, Springer Berlin/Heidelberg, pp. 96–107.
[6] E.F. Codd, "Further normalization of the database relational model," Courant Computer Science Symposia Series 6, New York, NY, 1971.
[7] E.F. Codd, "Recent investigations in relational database systems," Information Processing 74, North Holland Pub. Co., Amsterdam, 1975, pp. 1017–1021.
[8] Yawei Zhang, Xiaojun Ye, Feng Xie, and Yong Peng, "A Practical Database Intrusion Detection System Framework," 2009 Ninth IEEE International Conference on Computer and Information Technology (CIT), vol. 1, pp. 342–347, 2009.