Aziah Asmawi, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, aziah@fsktm.upm.edu.my
Zailani Mohamed Sidek, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, zailani@citycampus.utm.my
Shukor Abd Razak, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, shukorar@utm.my
Abstract
As organizations increase their adoption of database systems as one of their key data management technologies for daily operations and decision making, the security of the data managed by these systems becomes crucial. Damage to and misuse of data affect not only a single user or application, but may affect the entire organization. The recent rapid proliferation of web-based applications with a database at the backend has further increased the risk of exposing the database to the outside world. There are many recent reports of intrusions by external hackers that compromised database systems. However, there are also insiders who abuse their privileges and access the database system for many purposes. For that reason, it is imperative to secure database systems from both external and internal attacks. This paper describes database security threats and the existing work that has been done to mitigate these problems. One possible solution is the use of an Intrusion Detection System (IDS). For that reason, this study proposes a novel SQL Injection and Insider Misuse Detection System (SIIMDS) to provide a higher level of security for database systems.
1. Introduction
Today's trend in computer security shows an increased amount of work being done in database security research. The reason for this increase is that traditional security mechanisms such as firewalls are no longer effective in today's environment. In a web-based application scenario, business partners and customers, as well as the organization's employees, must have access to the data, so the data cannot simply be hidden behind a firewall. Web applications that are connected to the Internet and access backend databases make the DBMS more vulnerable to attack. In recent years, Internet attacks from outside organizations have increased because a large number of organizational information systems are connected to the Internet. One of the most common attacks on web-based applications is SQL injection [19]. However, results from a series of Computer Crime and Security surveys conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Squad in recent years have consistently suggested that the dollar amount lost to insider abuse is greater than the loss due to abuse by outsiders [17]. In such cases, it is imperative that we secure our database systems from both external and internal threats. The remainder of this paper is organized as follows. Section 2 presents the database security threats that occur nowadays. Section 3 describes SQL injection attacks and Section 4 describes the type of Intrusion Detection System suitable for databases as a solution to the database security problems. Section 5 presents the system architecture of the proposed IDS for a DBMS. Finally, Section 6 concludes the paper.
data within the user's authorized domain. A denial-of-service attack involves actions that prevent users from accessing or using the database. Threats in any of these categories are a breach of security and must be prevented. Any security breach of these databases can damage the reputation of the organization, cause loss of customers' confidence and might even result in lawsuits. Recent reports indicate a large increase in the number of security breaches, which have resulted in the theft of transaction information and financial fraud [16; 2; 10]. One mechanism to safeguard the information in these databases is an intrusion detection system (IDS), which will be discussed after introducing SQL injection attacks.
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''
The query now checks for the condition [1=1] or an empty password, so a valid row is always found in the users table. The first ['] quote is used to terminate the string, and the characters [--] mark the beginning of a SQL comment; anything beyond them is ignored. The query as interpreted by the database now contains a tautology and is always satisfied. Thus an attacker can bypass all authentication modules and gain unrestricted access to critical information on the server. SQL injection potentially affects every database on every platform and every web application. This attack can be used to obtain confidential information, to bypass authentication mechanisms, to modify the database, and to execute arbitrary code. In certain circumstances the attack reaches the database server itself. Even though DBMSs provide access control mechanisms, these mechanisms are not adequate to deal with SQL injection attacks. For that reason, various techniques such as the use of stored procedures, suppressing the display of database server error messages, and the use of escape sequences to sanitize user input are employed as quick-fix solutions. Unfortunately, even these security measures are inadequate against highly sophisticated SQL injection attacks. As a solution, stronger protections such as an Intrusion Detection System (IDS) have been proposed by many researchers; these are discussed in Section 4.1.
hold, make it crucial to detect any intrusion or intrusion attempt made at the database level. Therefore, intrusion detection models and techniques specially designed for databases are becoming an imperative need. This reinforces the point that intrusion detection systems should be employed not only at the network and host levels, but also at the database systems where the critical information assets lie. Unfortunately, there is little existing work on intrusion detection systems specifically for databases; this is discussed next.
against DBMS misuse, especially malicious transactions. This immune system can produce antibodies through immune analysis and then send them to all the modules to enhance the resistance of the whole database system. A real-time intrusion detection mechanism based on the profiles of user roles has been presented by Bertino et al. (2005). This approach is based on mining the SQL queries stored in database audit log files. The result of the mining process is used to form profiles that model normal database access behavior and identify intruders. Rietta (2006) proposed an application-layer intrusion detection system that takes the form of a proxy server and employs an anomaly detection model based on specific characteristics of SQL and the transaction history of a particular user and application. We propose a combination of anomaly and misuse detection methods to give the database server a way to mitigate SQL injection and insider misuse attacks. The following is a description of the proposed model.
If the SQL statements differ from the normal database access behavior, it is concluded that an internal misuse has occurred, and this misuse is channeled to the Response Module for the appropriate action(s) to be taken. The appropriate action(s) can include alerting the administrator by sounding an alarm.
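As an added illustration, not code from the paper, the following Python sketch models the two detection components described above: a misuse check that matches the tautology and comment-terminator pattern of the SQL injection example in Section 3, and an anomaly check that compares a statement's structure against per-role profiles mined from an audit log, as in the role-profile approach of Section 4 and the model just described. The audit log, roles, statements and signature patterns are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed audit log of normal traffic as (role, SQL statement); not from the paper.
NORMAL_AUDIT_LOG = [
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 42"),
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 7"),
    ("clerk", "UPDATE accounts SET balance = 10 WHERE id = 42"),
    ("auditor", "SELECT * FROM audit_trail WHERE ts > '2024-01-01'"),
]

# Misuse component: signatures of known attack patterns (assumed, illustrative only).
# The tautology signature matches "OR x=x" with x a bare or quoted token, e.g. OR 1=1.
MISUSE_SIGNATURES = [
    ("tautology", re.compile(r"\bOR\b\s*(['\"]?\w+['\"]?)\s*=\s*\1", re.I)),
    ("comment-terminator", re.compile(r"--|/\*")),
]


def fingerprint(sql):
    """Reduce a statement to its structural skeleton: literals become '?',
    whitespace is collapsed and case is normalized, so queries that differ
    only in their parameter values share one profile entry."""
    s = re.sub(r"'[^']*'", "?", sql)   # string literals
    s = re.sub(r"\b\d+\b", "?", s)     # numeric literals
    return " ".join(s.split()).upper()


def build_profiles(audit_log):
    """Mine the audit log into a set of normal statement skeletons per role."""
    profiles = defaultdict(set)
    for role, sql in audit_log:
        profiles[role].add(fingerprint(sql))
    return profiles


def check_query(role, sql, profiles):
    """Return (verdict, detail): misuse signatures are checked first, then the
    statement is compared with the role's learned profile for anomalies."""
    for name, pattern in MISUSE_SIGNATURES:
        if pattern.search(sql):
            return ("misuse", name)
    if fingerprint(sql) not in profiles.get(role, set()):
        return ("anomaly", "statement structure not in profile of role " + role)
    return ("normal", None)


PROFILES = build_profiles(NORMAL_AUDIT_LOG)
```

A verdict of "misuse" or "anomaly" is what the model would hand to the Response Module; the anomaly check also catches an insider whose statements are syntactically valid but outside the access pattern of their role.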
[6] Castano, S., Fugini, M.G., Martella, G. and Samarati, P., (1995), Database Security. Wokingham, England: Addison-Wesley Publishing Company.
[7] Chung C., Gertz M., Levitt K., (1999), DEMIDS: A Misuse Detection System for Database Systems. In Third Annual IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control in Information Systems, Kluwer Academic Publishers, pages 159-178, November.
[8] Feikis, J., (1999), Secure Database Management System, IEEE Transactions on Knowledge and Data Engineering.
[9] Halfond W. and Orso A., (2005), AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, pp. 174-183.
[10] Hatcher, T., (2001), Survey: Costs of computer security breaches soar. Available at URL http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/
[11] Hu, Y., Panda, B., (2003), Identification of malicious transactions in database systems. In Proceedings of the International Database Engineering and Applications Symposium (IDEAS).
[12] Ke Chen, Gang Chen, Jinxiang Dong, (2005), An Immunity-Based Detection Solution for Database Systems. Springer-Verlag Berlin Heidelberg, pp. 773-778.
[13] Korth, H.F. and Silberschatz, A., (1997), Database Research Faces the Information Explosion. Communications of the ACM, 40(2): 139-142.
[14] Lee, V. C.S., Stankovic, J. A., Son, S. H., (2000), Intrusion Detection in Real-time Database Systems Via Time Signatures. In Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium.
[15] Olson I. and Marshall A., (1990), Computer access control policy choices. Computers & Security, Elsevier Advanced Technology Publications, pp. 699-714.
[16] Poulsen, K., (2002), Guesswork Plagues Web Hole Reporting. Available at URL http://online.securityfocus.com/news/346.
[17] Power R., (2002), CSI/FBI Computer Crime and Security Survey. Computer Security Issues & Trends.
[18] Sharma P., (2005), SQL Injection Techniques & Countermeasures, CERT-In White Paper CIWP-2005-0, Department of Information Technology, Ministry of Communications and Information Technology, Govt. of India. Available at URL http://www.certin.org.in/knowledgebase/whitepapers/ciwp-2005-06.pdf.
6. Conclusion
This paper has presented a description of the threats to database security and of intrusions from both external and internal attacks against database systems. Most research has focused on detecting external attacks, but the most dangerous attacks actually come from insider misuse. This is because in many instances insiders have authorized access to the database system but misuse their rights. In these circumstances, all of their malicious activities appear legitimate to the database and are thus difficult to detect. For that reason, this paper has proposed a SQL Injection and Insider Misuse Detection System (SIIMDS) to address both kinds of intrusion, from internal and from external threats. It is hoped that this type of system will provide a higher level of security for database systems. A brief description of the SIIMDS system has also been provided.
7. References
[1] Andrews D.J and MacEwen G., (1990), A Review of Tools and Methods for System Assurance, Andyne Computing Ltd.
[2] Atanasov M., (2001), The truth about internet fraud, In: Ziff Davis Smart Business. Available at URL http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2688776-11,00.html.
[3] Barbara, D., Goel, R., and Jajodia, S., (2002), Mining Malicious Data Corruption with Hidden Markov Models. In Proceedings of the 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Cambridge, England.
[4] Bell D.E., (1990), Lattices, policies, and implementations, In Proc. 13th National Computer Security Conf., October.
[5] Bertino E., Kamra A., Terzi E. and Vakali A., (2005), Intrusion Detection in RBAC Administered Databases, Proceedings of the Annual Computer Security Applications Conference (ACSAC).
[19] Spett, K., (2005), SQL Injection: Are your web applications vulnerable? Available at URL http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf.