Multi-phase damage confinement in database systems for intrusion tolerance

Abstract: Preventive measures sometimes fail to deflect malicious attacks. With cyber attacks on data-intensive applications becoming an ever more serious threat, intrusion tolerant database systems are a significant concern. Intrusion detectors are a key component of an intrusion tolerant database system. However, a relatively long detection latency is usually unavoidable for detection accuracy, especially in anomaly detection, and it can make damage confinement ineffective, at least to some degree. In a busy database, ineffective confinement can leave the database too damaged to be useful. In this paper, we present an innovative multi-phase damage confinement approach to solve this problem. In contrast to a traditional one-phase confinement approach, our approach has one confining phase to quickly confine the damage, and one or more later unconfining phases to unconfine the objects that were mistakenly confined during the first phase. Our approach ensures that no damage spreads after the detection time, although some availability can be temporarily lost. Our approach can be easily extended to support flexible control of damage spreading and multiple confinement policies. Our approach is practical, effective, efficient, and to a large extent assessment independent.
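As an added illustration (not code from the paper), a small Python model of the confining and unconfining phases the abstract describes. It assumes a simplified model in which damage spreads only through read-from dependencies on committed writes, and in which the confining phase confines every object written from the malicious transaction onward; the names `MultiPhaseConfinement`, `Txn` and `HISTORY` are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    tid: int
    reads: frozenset
    writes: frozenset


class MultiPhaseConfinement:
    """Confine-then-unconfine over a committed history (simplified, assumed model:
    damage spreads only when a transaction reads an object a damaged one wrote)."""

    def __init__(self, history, malicious_tid):
        self.history = history  # committed transactions in commit order
        self.malicious = malicious_tid
        self.start = next(i for i, t in enumerate(history) if t.tid == malicious_tid)
        self.confined = set()

    def confine_phase(self):
        # Phase 1, run at detection time: confine every object written by the malicious
        # transaction or by anything committed after it. This over-confines, but from
        # now on no possibly damaged object can be read, so damage cannot spread.
        for t in self.history[self.start:]:
            self.confined |= t.writes
        return set(self.confined)

    def unconfine_phase(self, assessed):
        # Later phase: damage assessment has examined the first `assessed` transactions
        # from the malicious one onward. Release objects written only by clean,
        # assessed transactions. May be called repeatedly as assessment progresses.
        damaged, clean_writes = set(), set()
        for t in self.history[self.start:self.start + assessed]:
            if t.tid == self.malicious or t.reads & damaged:
                damaged |= t.writes
            else:
                clean_writes |= t.writes
        unassessed = self.history[self.start + assessed:]
        unassessed_writes = set().union(*(t.writes for t in unassessed))
        released = (clean_writes - damaged - unassessed_writes) & self.confined
        self.confined -= released
        return released

    def admits(self, txn):
        # A new transaction is admitted only if it touches no confined object.
        return not ((txn.reads | txn.writes) & self.confined)


# Constructed sample history: T1 is the detected malicious transaction.
HISTORY = [
    Txn(1, frozenset(), frozenset({"a"})),
    Txn(2, frozenset({"c"}), frozenset({"d"})),  # clean: never read damaged data
    Txn(3, frozenset({"a"}), frozenset({"b"})),  # reads a, so b is damaged
    Txn(4, frozenset({"b"}), frozenset({"e"})),  # reads b, so e is damaged
]
```

After `confine_phase()` a transaction reading `d` is blocked; once assessment has cleared T2, `unconfine_phase(2)` releases `d` while `a`, `b` and `e` stay confined.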
