
System Architecture for SQL Injection and Insider Misuse Detection System for DBMS

Aziah Asmawi, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, aziah@fsktm.upm.edu.my
Zailani Mohamed Sidek, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, zailani@citycampus.utm.my
Shukor Abd Razak, Faculty of Computer Science and Information System, Universiti Teknologi Malaysia, shukorar@utm.my

Abstract
As organizations increase their adoption of database systems as one of their key data management technologies for daily operations and decision making, the security of the data managed by these systems becomes crucial. Damage to and misuse of data affect not only a single user or application, but may affect the entire organization. The recent rapid proliferation of web-based applications with a database at the backend has further increased the risk of exposing the database to the outside world. There are many recent reports of intrusions by external hackers that compromised the database system. However, there are also insiders who abuse their privileges and access the database system for many purposes. For that reason, it is imperative to secure database systems from both external and internal attacks. This paper describes database security threats and the existing work that has been done to mitigate these problems. One possible solution is the use of an Intrusion Detection System (IDS). For that reason, this study proposes a novel SQL Injection and Insider Misuse Detection System (SIIMDS) to provide a higher level of security for database systems.

1. Introduction
Today's trend in computer security shows an increased amount of work being done in database security research. The reason for this increase is that traditional security mechanisms such as firewalls are no longer effective in today's environment. In a web-based application scenario, business partners and customers, as well as the organization's employees, must have access to data, so the data cannot simply be hidden behind a firewall. Web applications that are connected to the Internet and access backend databases make the DBMS more vulnerable to attacks. In recent years, Internet attacks from outside organizations have increased because a large number of organizations' information systems are connected to the Internet. One of the most common attacks upon web-based applications is SQL Injection [19]. However, results from a series of Computer Crime and Security surveys conducted by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Squad in recent years have consistently suggested that the dollar amount lost due to insider abuse is greater than the loss due to abuse from outsiders [17]. In such cases, it is imperative that we secure our database systems from both external and internal threats. The remainder of this paper is organized as follows. Section 2 presents the database security threats that occur nowadays. Section 3 describes SQL injection attacks, and Section 4 describes the type of Intrusion Detection System suitable for databases as a solution to database security problems. Section 5 presents the system architecture for the proposed IDS in a DBMS. Finally, Section 6 concludes the paper.

978-1-4244-2328-6/08/$25.00 2008 IEEE

2. Database security threats

The general definition of database security is that it comprises a set of measures, policies, and mechanisms to provide secrecy, integrity and availability of data and to combat possible attacks on the system (threats) from insiders and outsiders, both malicious and accidental [6]. Data security, on the other hand, is defined as protecting information against unauthorized disclosure, alteration or destruction using hardware or software techniques [8]. Achieving security in a database environment means identifying the threats and choosing the proper policies, which refer to what the security system is expected to do [15], and mechanisms, which refer to how the security system should achieve the security goals [4]. It also involves the provision of security system assurance, which refers to how well the security system meets the protection requirements and executes the expected functions [1]. Feikis (1999) states that database management systems have three major security issues of concern: confidentiality, integrity and availability. Confidentiality refers to disclosing information only to those users authorized to access it. The improper release of information caused by reading data through intentional or unintentional access, whether observed directly or inferred, is considered a breach of data confidentiality. Integrity is the second security issue of database management systems. There are several areas of database integrity: physical database integrity, logical database integrity and data element integrity. Physical database integrity protection maintains data integrity through physical problems such as power failures and fires. Logical data integrity protection refers to the assurance that information is modified only by users entitled to do so. Maintaining data element integrity involves data accuracy and correctness. The third issue is availability. This issue involves maintaining access to the database and all the data within the user's authorized domain. A denial-of-service attack involves actions that prevent users from accessing or using the database. Threats to any of these categories are a breach of security and must be prevented. Any breach of security in these databases can affect the reputation of the organization, cause loss of customer confidence and might even result in lawsuits. Recent reports indicate that there is a large increase in the number of security breaches, which have resulted in the theft of transaction information and financial fraud [16; 2; 10]. One mechanism to safeguard the information in these databases is to use an intrusion detection system (IDS), which will be discussed after introducing SQL injection attacks.

3. SQL injection attacks

SQL injection refers to a class of code-injection attacks in which data provided by the user is included in an SQL query in such a way that part of the user's input is treated as SQL code [9]. It is a trick to inject an SQL query or command as input, possibly via web pages. These attacks occur when data provided by the user is not properly validated and is included directly in an SQL query. By leveraging these vulnerabilities, an attacker can submit SQL commands directly to the database. According to Sharma (2005), there are two major SQL injection techniques: i) access through a login page and ii) access through a URL. The first technique is the easiest, in that it bypasses login forms where users are authenticated by using passwords. This technique can be performed by attackers through: an OR condition, a HAVING clause, multiple queries and extended stored procedures. The second technique can be performed by attackers by manipulating the query string in a URL and using the SELECT and UNION statements. This kind of vulnerability represents a serious threat to any web application that reads input from users through web forms and uses it to make SQL queries to an underlying database. Most web applications available on the Internet work this way and therefore could be vulnerable to SQL injection attacks. The web application accepts user input and embeds this input inside an SQL query. This query is sent to the application's database server, where it is executed. By providing certain malformed input, an attacker can manipulate the SQL query in such a way that its execution will have unintended consequences. A typical SQL statement in an Active Server Pages (ASP) login form looks like this:

    "SELECT * FROM users WHERE username = '" & userName & "' AND password = '" & userPass & "'"

If the username and password as provided by the user are used, the query submitted to the database takes the form:

    SELECT * FROM users WHERE username = 'guest' AND password = 'guestpass'

If the user were to enter [' OR 1=1 --] and [ ] instead of [guest] and [guestpass], the query would take the form:

    SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''

The query now checks for the condition [1=1] or an empty password, so a valid row is always found in the users table. The first ['] quote is used to terminate the string, and the characters [--] mark the beginning of an SQL comment, so anything beyond them is ignored. The query as interpreted by the database now contains a tautology and is always satisfied. Thus an attacker can bypass all authentication modules, gaining unrestricted access to critical information on the server. SQL injection potentially affects every database on all platforms and every web application. This attack can be used to gain confidential information, to bypass authentication mechanisms, to modify the database, and to execute arbitrary code. In certain circumstances the attack is carried out on the database server itself. Even though DBMSs provide access control mechanisms, these mechanisms are not adequate to deal with SQL injection attacks. For that reason, various techniques such as the use of stored procedures, suppressing the display of database server error messages and the use of escape sequences for sanitizing user input are employed as quick-fix solutions. Unfortunately, even these security measures are inadequate against highly sophisticated SQL injection attacks. As a solution, better protections such as an Intrusion Detection System (IDS) have been proposed by many researchers, which will be discussed in Section 4.1.
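The login query above, rebuilt with string concatenation and placed beside a parameterized version of the same query, as an added example that is not part of the original paper; the in-memory sqlite3 users table, the guest row and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed users table so the example runs offline (not from the paper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('guest', 'guestpass')")
    conn.commit()
    return conn


def login_concat(conn, user_name, user_pass):
    """The paper's ASP-style statement rebuilt by string concatenation: user input
    becomes part of the SQL text, so a quote in the input changes the query."""
    sql = ("SELECT * FROM users WHERE username = '" + user_name +
           "' AND password = '" + user_pass + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user_name, user_pass):
    """Same query with bound parameters: the driver passes the input as data,
    so quotes and comment markers in it are never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user_name, user_pass)).fetchall()


def demo():
    """Number of rows each variant returns for the paper's two inputs."""
    conn = make_db()
    tautology = "' OR 1=1 --"          # the paper's username input, empty password
    return {
        "concat_valid":     len(login_concat(conn, "guest", "guestpass")),
        "concat_tautology": len(login_concat(conn, tautology, "")),
        "param_valid":      len(login_param(conn, "guest", "guestpass")),
        "param_tautology":  len(login_param(conn, tautology, "")),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated form returns the guest row for the tautology input because the WHERE clause collapses to `'' OR 1=1`; the parameterized form returns nothing because the whole string is compared against the username column.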

4. Intrusion detection system (IDS)

Intrusion detection is not a new research field and has been ongoing for many years. However, previous efforts were focused on network-based intrusion detection and host-based intrusion detection. Network-based intrusion detection typically works by monitoring network traffic and attempts to discover whether an intruder is trying to break into the system. Instead of network traffic, host-based intrusion detection works by monitoring the log files on the hosts. Both network- and host-based intrusion detection systems look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent, to identify intrusions. However, these intrusion detection systems do not work at the application layer, which can potentially offer more accurate and precise detection for the targeted application. The distinctive characteristics of database management systems (DBMSs), together with their widespread use and the invaluable data they hold, make it crucial to detect any intrusion or intrusion attempt made at the database level. Therefore, intrusion detection models and techniques specially designed for databases are becoming imperative needs. This reinforces the point that intrusion detection systems should be employed not only at the network and hosts, but also at the database systems where the critical information assets lie. Unfortunately, there is little existing work on intrusion detection systems specifically for databases; this is discussed next.

4.1. Existing IDS in DBMS

Most of the research on database security revolves around access policies, roles, administration procedures, physical security, security models and data inference [6]. However, in recent years much effort has been invested in developing methods for detecting intrusions in databases. The main idea is based on analyzing the transactions that arrive at the database in search of signs of intrusion. DEMIDS, a Misuse Detection System for Database Systems proposed by Chung et al. (1999), is a misuse-detection system tailored for relational database systems. It uses audit log data to derive profiles describing the typical behavior of users in a DBMS. Chung introduces the notions of distance measure and frequent item sets to capture the working scopes of users using a data mining algorithm. Another method, presented by Lee et al. (2000), uses time signatures to discover database intrusions. Their approach is to tag a time signature to data items. A security alarm is raised when a transaction attempts to write a temporal data object that has already been updated within a certain period. Another similar work, Detecting Intrusion in Databases through Fingerprinting Transactions (DIDAFIT), was proposed by Low et al. (2002). DIDAFIT is a system developed using the misuse detection approach (signature-based) to perform database intrusion detection at the application level. It works by fingerprinting the access patterns of legitimate database transactions and using them to identify illegitimate accesses. Yet another relevant approach towards a database-specific intrusion detection mechanism is by Hu and Panda (2003). They proposed a mechanism that is capable of finding data dependency relationships among transactions and uses this information to find hidden anomalies in the database log. Ke Chen et al. (2005) present an intrusion detection model for a database system based on digital immunity. It provides an additional layer of defense against DBMS misuse, especially malicious transactions. This immune system can produce antibodies through immune analysis and then send them out to all the modules respectively to enhance the resistance of the whole database system. A real-time intrusion detection mechanism based on the profiles of user roles has been presented by Bertino et al. (2005). This approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that are capable of modeling normal database access behavior and identifying intruders. Rietta (2006) proposed an application-layer intrusion detection system, which should take the form of a proxy server and employ an anomaly detection model based on specific characteristics of SQL and the transaction history of a particular user and application. We propose a combination of anomaly and misuse detection methods to give the database server a way to mitigate SQL injection and insider misuse attacks. The following is the description of the proposed model.

5. Proposed system architecture

Figure 1 shows the system architecture for the proposed SQL Injection and Insider Misuse Detection System (SIIMDS), and Figure 2 shows the components of the SIIMDS system.

Figure 1. Proposed System Architecture

Figure 2. Components of the SQL Injection and Insider Misuse Detection System

The operation of the SIIMDS system is described as follows:

1. The application user issues a service request to the application server through a web-based application. This transaction may or may not be legitimate.
2. The application server deploys the SQL query statements and issues them to the database server.
3. The user logs into the database and the database session is traced.
4. The SQL statements are received from the application and channeled to the Misuse Detection Module.
5. In the Misuse Detection Module, the received SQL statements are matched against the set of SQL injection signatures.
6. If an SQL statement matches the SQL injection signatures, an intrusion has occurred. The intrusion is then channeled to the Response Module for the appropriate action(s) to be taken.
7. If no intrusion is detected by the Misuse Detection Module, the SQL statements are then channeled to the Anomaly Detection Module to check whether the SQL statements differ from the normal database access behavior.
8. If the SQL statements differ from the normal database access behavior, an internal misuse is concluded to have occurred and this misuse is channeled to the Response Module for the appropriate action(s) to be taken. The appropriate action(s) taken can include alerting the administrator by sounding an alarm.
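The eight-step operation above as an added example pipeline, not the authors' implementation: the signature set, the (verb, tables) fingerprint used here as the unit of "normal database access behavior", the audit log and the user names are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed SQL-injection signature set for the Misuse Detection Module. The paper
# does not list its signatures, so these patterns are assumptions for illustration.
SQLI_SIGNATURES = {
    "tautology":     re.compile(r"\bor\b\s+('?)(\w+)\1\s*=\s*\1\2\1", re.I),  # OR 1=1, OR 'a'='a'
    "comment":       re.compile(r"--|/\*"),                                    # truncates the real query
    "union_select":  re.compile(r"\bunion\b.*\bselect\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
}
_TABLE_RE = re.compile(r"\b(?:from|into|update|join)\s+(\w+)", re.I)


def misuse_detect(sql):
    """Misuse Detection Module: names of the signatures the statement matches (empty = clean)."""
    return [name for name, pat in SQLI_SIGNATURES.items() if pat.search(sql)]


def fingerprint(sql):
    """Reduce a statement to (verb, tables touched); assumed here to be the unit of access behavior."""
    words = sql.split()
    verb = words[0].upper() if words else ""
    return verb, frozenset(t.lower() for t in _TABLE_RE.findall(sql))


def build_profiles(audit_log):
    """Learn each user's normal access behavior from (user, sql) pairs in the audit log."""
    profiles = defaultdict(set)
    for user, sql in audit_log:
        profiles[user].add(fingerprint(sql))
    return profiles


def siimds_check(user, sql, profiles):
    """Run one traced statement through the pipeline; returns (verdict, detail, response action)."""
    sigs = misuse_detect(sql)
    if sigs:                                  # signature match -> SQL injection (step 6)
        return "sql_injection", sigs, "alert_admin"
    fp = fingerprint(sql)
    if fp not in profiles.get(user, set()):   # deviates from the profile -> insider misuse (step 8)
        return "insider_misuse", fp, "alert_admin"
    return "normal", fp, "allow"


# Constructed audit log of normal behavior for two application users.
NORMAL_LOG = [
    ("clerk",   "SELECT name, balance FROM accounts WHERE id = 42"),
    ("clerk",   "UPDATE accounts SET balance = 10 WHERE id = 42"),
    ("auditor", "SELECT * FROM accounts"),
    ("auditor", "SELECT * FROM audit_trail WHERE day = '2008-01-01'"),
]
PROFILES = build_profiles(NORMAL_LOG)

if __name__ == "__main__":
    for user, sql in [("clerk", "SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = ''"),
                      ("clerk", "SELECT * FROM audit_trail"),
                      ("clerk", "SELECT name, balance FROM accounts WHERE id = 7")]:
        print(user, siimds_check(user, sql, PROFILES))
```

The tautology pattern requires the same literal on both sides of the `=`, so a legitimate `OR status = 'held'` predicate is not flagged while the paper's `OR 1=1` is; a clean statement that touches a table outside the user's learned profile is reported as insider misuse rather than injection.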

6. Conclusion
This paper has presented a description of the threats in database security and the intrusions from both external and internal attacks against database systems. Most of the research has focused on detecting external attacks, but the most dangerous attacks actually come from insider misuse. This is because, in many instances, insiders do have authorized access to their database system but often misuse their rights. In these circumstances, all of their malicious activities will seem legitimate to the database and are thus difficult to detect. For that reason, this paper has proposed a SQL Injection and Insider Misuse Detection System (SIIMDS) to address both kinds of intrusion, from internal and external threats. With this type of system, it is hoped to provide a higher level of security for database systems. A brief description of the SIIMDS system has also been provided.

7. References
[1] Andrews D.J. and MacEwen G., (1990), A Review of Tools and Methods for System Assurance, Andyne Computing Ltd.
[2] Atanasov M., (2001), The truth about internet fraud. In: Ziff Davis Smart Business. Available at URL http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2688776-11,00.html.
[3] Barbara, D., Goel, R., and Jajodia, S., (2002), Mining Malicious Data Corruption with Hidden Markov Models. In Proceedings of the 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Cambridge, England.
[4] Bell D.E., (1990), Lattices, policies, and implementations. In Proc. 13th National Computer Security Conf., October.
[5] Bertino E., Kamra A., Terzi E. and Vakali A., (2005), Intrusion Detection in RBAC Administered Databases. Proceedings of the Annual Computer Security Applications Conference (ACSAC).
[6] Castano, S., Fugini, M.G., Martella, G. and Samarati, P., (1995), Database Security. Wokingham, England: Addison-Wesley Publishing Company.
[7] Chung C., Gertz M., Levitt K., (1999), DEMIDS: A Misuse Detection System for Database Systems. In Third Annual IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control in Information Systems, Kluwer Academic Publishers, pages 159-178, November.
[8] Feikis, J., (1999), Secure Database Management System. IEEE Transactions on Knowledge and Data Engineering.
[9] Halfond W. and Orso A., (2005), AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), Long Beach, CA, USA, pp. 174-183.
[10] Hatcher, T., (2001), Survey: Costs of computer security breaches soar. Available at URL http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/
[11] Hu, Y., Panda, B., (2003), Identification of malicious transactions in database systems. In Proceedings of the International Database Engineering and Applications Symposium (IDEAS).
[12] Ke Chen, Gang Chen, Jinxiang Dong, (2005), An Immunity-Based Detection Solution for Database Systems. Springer-Verlag Berlin Heidelberg, pp. 773-778.
[13] Korth, H.F. and Silberschatz, A., (1997), Database Research Faces the Information Explosion. Communications of the ACM, 40(2): 139-142.
[14] Lee, V.C.S., Stankovic, J.A., Son, S.H., (2000), Intrusion Detection in Real-time Database Systems Via Time Signatures. In Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium.
[15] Olson I. and Marshall A., (1990), Computer access control policy choices. Computers & Security, Elsevier Advanced Technology Publications, pp. 699-714.
[16] Poulsen, K., (2002), Guesswork Plagues Web Hole Reporting. Available at URL http://online.securityfocus.com/news/346.
[17] Power R., (2002), CSI/FBI Computer Crime and Security Survey. Computer Security Issues & Trends.
[18] Sharma P., (2005), SQL Injection Techniques & Countermeasures, CERT-In White Paper CIWP-2005-0, Department of Information Technology, Ministry of Communications and Information Technology, Govt. of India. http://www.certin.org.in/knowledgebase/whitepapers/ciwp-2005-06.pdf.
[19] Spett, K., (2005), SQL Injection: Are your web applications vulnerable? Available at URL http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf.

