Tracking end-users in web databases

When a database is accessed via a web application, users usually receive a pooled connection to the database. From the database's point of view, such a connection is always established by the same user (i.e. the web application), and no information about the actual end user is available. As a consequence, individual users' transactions cannot be audited, and fine-grained access control cannot be enforced at the database level. In this paper we propose a method and a system that provide the ability to track end users in web databases. The new method can be applied to legacy web applications without requiring any changes to their existing infrastructure. Furthermore, the new user-tracking capability provides a basis for native database protection mechanisms and intrusion detection systems.
