Topic: Methods for Database Security
P5: Project Proposal
Team Members: Aparna Kolli, Anupama, Lakshmi Ganesh

Introduction: Database security has become an important issue in today's world. Organizations have become highly dependent on databases for their daily operations. Security is the degree of protection against danger or loss; security as a form of protection consists of the structures and processes that provide or improve security as a condition, i.e. a separation created between the assets and the threat. Database security is the set of systems, processes, and procedures that protect the data in a database from unintended activity. Unintended activity includes authenticated misuse, malicious attacks, and inadvertent mistakes made by authorized individuals or processes. The objective of database security is to prevent undesired disclosure and modification of data while ensuring the availability of the necessary service. The growth of the World Wide Web in recent years has put particular emphasis on web database security. One of the dominant problems is that, although many approaches to securing data exist, many conventional systems still contain holes that a malicious user can exploit to reach the data. Good security schemes are therefore essential to protect the data in databases. Database security against these unintended activities is attained through different methodologies. To build a secure database system, the architecture and functionality of a traditional DBMS must be extended. Secure transaction management, encryption schemes, cryptography, compression, manipulation of data, the Host Identity Protocol, agent-based simulation, and testing schemes for SQL injection are some of the methodologies used for this extension. General-purpose programming languages such as C++ and Java, together with SQL, are used as tools to implement and evaluate these schemes. The database security methods surveyed here were developed by constructing models.
In this survey we are going to present different methods or frameworks explained in different papers for database security.

Classification Scheme: The different papers we studied for database security are classified based on the type of information security and models. We classified our papers based on Encryption, Web-based Database Security, Negative Database, Authentication and Access control, Timeliness and Security in Real-time Database Systems, Testing Schemes for SQL Injections.

Encryption: This is the process of transforming plaintext information using an encryption algorithm (a cipher) so that it is unreadable to anyone who does not possess special knowledge, usually referred to as a key. Traditional database systems that store plaintext face many threats of data theft, corruption and collapse of the database. To mitigate these threats, the data is stored in the database in encrypted form. Note that encryption by itself protects only confidentiality; detecting modification of the stored ciphertext requires an authenticated construction (a MAC or an authenticated encryption mode).

Web-based Database Security: Several methods have been proposed to secure web databases against illegitimate intrusion. Data transmitted between server and client should be protected in transit (the surveyed papers use Secure Sockets Layer, SSL; its successor TLS is what is deployed today). The host identity of an end system should be authenticated.

Negative Database: False data is stored alongside the original data so that a malicious user who steals the data cannot tell the true records from the false ones, while valid users still retrieve the original data efficiently.

Authentication and Access Control: Authentication verifies the identity of the user; access control restricts the actions or operations a user may perform. Access control grants different privileges to different authenticated users.

Timeliness and Security in Real-time Database Systems: A trade-off has to be made between the security of transactions and their priority (deadlines). Different methods are proposed to ensure security while keeping the probability of missing deadlines low in real-time database systems.

Testing Schemes for SQL Injections: SQL injection is a code injection technique that exploits a vulnerability in an application's database-access layer, where untrusted input is concatenated into SQL statements instead of being passed as bound parameters.

The Classification Scheme diagram of our survey (models under each classification):

Encryption: Mixed Cryptography; Conventional Encryption and Public Key Encryption; Encryption scheme limiting the time cost of Encryption and Decryption; Encryption and Compression.
Web-based Database Security: Host Identity Protocol (HIP); New Web Database Security model.
Authentication and Access Control: Agent-based Simulation; Criterion-based Access Control.
Timeliness and Security in Real-time Database Systems: Adaptive Policy called Secure Two-phase Locking Loop; Secure Optimistic Concurrency Control Algorithm.

Related Work:

Papers related to Encryption: Papers [1], [2], [3], [4]. Contribution: These papers propose different frameworks for database encryption.

Paper [1] proposed the Mixed Cryptography Database (MCDB) framework, which encrypts a database hosted over untrusted networks in a mixed form, using many keys owned by different parties. This strengthens the protection of sensitive data even if the database server is attacked at multiple points from outside or inside, and the framework aims to provide confidentiality, privacy and integrity of the data. It is explained in four steps: the data is classified into groups; the data is encrypted in the database; a Query Management Agent (QMA) and a Result Analysis (RA) component handle query processing; and finally the security of data storage and data transmission is analyzed. The results measure the probability that an outside attacker obtains an encryption key and decrypts the data, and find it to be very low.

Paper [2] proposed a database encryption scheme for enhanced sharing of data inside a database while preserving data privacy. It combines conventional (symmetric) encryption with public-key encryption, exploiting the speed of the former and the key-management convenience of the latter. A threat model lists the threats the database faces. A user encrypts private data with a randomly generated working key using a conventional algorithm; to read the data, the user first decrypts his private key with a passphrase, then uses that private key to recover the working key, which in turn decrypts the data. A security catalog holds the key material under strict access control and cannot be updated even by the administrator. Future work will address two issues: improving the security and performance of the database in terms of the encryption algorithm, and devising self-tuning mechanisms to manage keys.
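The two-level key hierarchy described for paper [2] (passphrase protects a long-term key, the long-term key wraps a random per-record working key, the working key encrypts the record) together with the stored-encrypted principle from the Classification Scheme, as an added example written for this page and not code from the paper. Two simplifications are assumed and labelled in the code: the public-key step is replaced by a symmetric long-term key wrapped under a passphrase-derived key, and because the Python standard library has no AES, the record cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag. The names `EncryptedTable`, `seal` and `unseal` are this example's own.

```python
import hashlib
import hmac
import os
import struct


# Stand-in for a block-cipher mode (the stdlib has no AES): HMAC-SHA256 in counter
# mode as the keystream generator. In production use AES-GCM or ChaCha20-Poly1305.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one working key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on a wrong key or any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ct)


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key from the user's passphrase (PBKDF2; the iteration count is
    # kept modest so the example runs quickly, raise it in a real deployment).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


class EncryptedTable:
    """passphrase -> KEK -> long-term key -> per-record working key -> record.
    Only ciphertext ever sits in `rows`, which stands for the database contents."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        long_term = os.urandom(32)          # plays the role of the user's private key
        self.wrapped_long_term = seal(derive_kek(passphrase, self.salt), long_term)
        self.rows = []                      # (wrapped working key, encrypted record)

    def _long_term(self, passphrase: str) -> bytes:
        return unseal(derive_kek(passphrase, self.salt), self.wrapped_long_term)

    def insert(self, passphrase: str, record: bytes) -> int:
        working = os.urandom(32)            # fresh conventional key per record
        self.rows.append((seal(self._long_term(passphrase), working), seal(working, record)))
        return len(self.rows) - 1

    def select(self, passphrase: str, row_id: int) -> bytes:
        wrapped_working, ct = self.rows[row_id]
        working = unseal(self._long_term(passphrase), wrapped_working)
        return unseal(working, ct)


def rejects(table: EncryptedTable, passphrase: str, row_id: int) -> bool:
    """True if the read is refused (wrong passphrase or tampered ciphertext)."""
    try:
        table.select(passphrase, row_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    t = EncryptedTable("correct horse battery staple")
    rid = t.insert("correct horse battery staple", b"ssn=123-45-6789")
    print(t.select("correct horse battery staple", rid))   # b'ssn=123-45-6789'
    print(rejects(t, "wrong passphrase", rid))            # True
```

The point a reader should take from running it: a dump of `t.rows` contains no plaintext, a wrong passphrase fails at the key-unwrapping step rather than producing garbage, and flipping one byte of a stored record is detected by the tag before any decryption output is returned.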

to actual data. The actual data passes through the first three modules to generate the input required by the fourth module, which generates the false data that is stored along with the positive data; the result is called a negative database. Malicious users receive invalid results, while legitimate queries retrieve the original data. The overall complexity of the security work is O(n), which the authors consider high but justified for applications where low security would put the data at high risk. The scheme works only with INSERT and SELECT queries; supporting UPDATE is left as future work.
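The page describes the behaviour of the negative database (false rows stored next to true rows; legitimate SELECTs return only the original data, a thief gets a mixture) but not the authors' construction, so the following is one way to realize that behaviour, added here as an illustration and not the design of paper [7]. It assumes a keyed marker column: real rows carry an HMAC over their contents under a key held only by the application, decoys carry random bytes, and the legitimate SELECT path filters on the marker. Only INSERT and SELECT are supported, matching the paper's scope. The name `NegativeDatabase` and the sample schema are this example's own.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3


class NegativeDatabase:
    """Real rows and decoy rows share one table; a keyed marker column tells them apart.
    Real rows carry HMAC(key, name|balance); decoys carry random bytes, so without the
    key the two are indistinguishable and a raw dump yields mostly false data."""

    def __init__(self, key: bytes, decoys_per_row: int = 2):
        self.key = key
        self.decoys_per_row = decoys_per_row
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER, marker BLOB)")

    def _marker(self, name: str, balance: int) -> bytes:
        return hmac.new(self.key, f"{name}|{balance}".encode(), hashlib.sha256).digest()

    def insert(self, name: str, balance: int) -> None:
        """INSERT path: one true row plus plausible-looking false rows (constructed decoys)."""
        rows = [(name, balance, self._marker(name, balance))]
        for _ in range(self.decoys_per_row):
            rows.append((name, secrets.randbelow(100_000), os.urandom(32)))
        self.conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", rows)

    def select(self, name: str) -> list:
        """SELECT path for legitimate users: keep only rows whose marker verifies under the key."""
        cur = self.conn.execute("SELECT name, balance, marker FROM accounts WHERE name = ?", (name,))
        return [(n, b) for n, b, m in cur if hmac.compare_digest(m, self._marker(n, b))]

    def raw_dump(self) -> list:
        """What an attacker with direct table access (stolen file, injection) sees."""
        return [(n, b) for n, b in self.conn.execute("SELECT name, balance FROM accounts")]


if __name__ == "__main__":
    db = NegativeDatabase(os.urandom(32), decoys_per_row=3)
    db.insert("alice", 500)
    print(db.select("alice"))    # [('alice', 500)]
    print(db.raw_dump())         # four alice rows, three of them false
```

The cost the page mentions shows up directly: every SELECT does work proportional to the number of stored rows for the name (true plus decoys), and the table grows by a factor of `decoys_per_row + 1`. The marker key must live outside the database, otherwise a thief who takes the whole store can filter exactly as the application does.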

Papers related to Authentication and Access Control: Papers [8], [9]. Contribution: Developed frameworks that express permission rules, immediately repair corrupted data, and give criterion-based access control to users.

Paper [8] proposed an agent-based simulation program that includes permission rules and immediate repair of corrupted data, to avoid database collapse. The program is written in C++. Its important elements are the agents, the data, the privileges the agents have on the data, and the privileges that the owners of data have granted to other agents. The program stores the last user record, based on which the privileges of the user are determined; if a user corrupts the data many times, all privileges of that user may be revoked. Future work would add more advanced features to the simulation program.

Paper [9] proposed a criterion-based access control approach for multilevel database security. Authorization rules are transformed into security criteria, security criterion expressions, and security criterion subsets, which serve as locks and keys: each object or sub-object is embedded in a lock, and each user is given a set of keys. The security criterion expression of a lock specifies all the users who lack permission to the sub-object. The system is simpler because one mechanism defines both the user's security attributes and the sub-object's security attributes, and it reduces storage cost because only one row and one column are added to the original table.
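The lock-and-key evaluation of paper [9] as an added worked example (this page's own code, not the paper's): a lock is a security criterion expression naming the users who lack permission, a user's keys are the criteria they hold, and the cell is readable only if neither the row lock (the extra column) nor the column lock (the extra row) evaluates true for that user. The expression syntax (`("not", e)`, `("and", ...)`, `("or", ...)`, a criterion string, or `None` for no lock), the `LockedTable` class and the employee sample are assumptions made for the example.

```python
from typing import Optional, Union

# A security criterion expression: a criterion name (string), or a tuple
# ("not", e) / ("and", e1, e2, ...) / ("or", e1, e2, ...). None means "no lock".
Expr = Union[None, str, tuple]


def denies(expr: Expr, keys: set) -> bool:
    """Evaluate a lock against a user's key set. The expression describes the users who
    LACK permission, so True means the lock holds and access is refused."""
    if expr is None:
        return False
    if isinstance(expr, str):
        return expr in keys
    op, *args = expr
    if op == "not":
        return not denies(args[0], keys)
    if op == "and":
        return all(denies(a, keys) for a in args)
    if op == "or":
        return any(denies(a, keys) for a in args)
    raise ValueError(f"unknown operator {op!r}")


class LockedTable:
    """A relation with one extra column (per-row lock) and one extra row (per-column locks)."""

    def __init__(self, columns, column_locks: dict):
        self.columns = list(columns)
        self.column_locks = {c: column_locks.get(c) for c in self.columns}  # the extra row
        self.rows = []                                                       # (values, row lock)

    def insert(self, values, row_lock: Expr = None) -> None:
        self.rows.append((tuple(values), row_lock))

    def read(self, keys: set, row_id: int, column: str) -> Optional[object]:
        """Return the cell value, or None if either the row lock or the column lock holds."""
        values, row_lock = self.rows[row_id]
        if denies(row_lock, keys) or denies(self.column_locks[column], keys):
            return None
        return values[self.columns.index(column)]

    def select(self, keys: set, column: str) -> list:
        """Only the sub-objects the user's keys open are returned; the rest are filtered out."""
        return [v for i in range(len(self.rows)) if (v := self.read(keys, i, column)) is not None]


def build_employees() -> LockedTable:
    # Constructed sample: salaries are readable only by HR or managers (column lock),
    # and each row is readable only inside the employee's own department (row lock).
    t = LockedTable(("name", "salary"),
                    {"salary": ("not", ("or", "role:hr", "role:manager"))})
    t.insert(("alice", 90000), row_lock=("not", "dept:eng"))
    t.insert(("bob", 60000), row_lock=("not", "dept:sales"))
    return t


if __name__ == "__main__":
    t = build_employees()
    print(t.read({"dept:eng", "role:hr"}, 0, "salary"))    # 90000
    print(t.read({"dept:eng", "role:dev"}, 0, "salary"))   # None
    print(t.select({"dept:sales", "role:manager"}, "salary"))  # [60000]
```

Because locks describe who is excluded, the default for a user who matches no criterion in a `("not", ...)` lock is denial, which is the safe direction; a new department or role gets nothing until a criterion explicitly covers it.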

Papers related to Timeliness and Security in Real-time Database Systems: Papers [10], [11]. Contribution: Developed models that trade off the priority and the security of transactions, achieving security without degrading real-time performance.

Paper [10] proposed an adaptive policy called secure two-phase locking loop to address the requirement of multilevel security in transaction scheduling and concurrency control. When two transactions conflict, i.e. one is blocked waiting for the other to release a lock, the balance between security and priority is decided by looking at past history. The two factors that drive the adaptive policy are a security factor and a factor resembling the deadline-miss ratio. This system ensures only partial security.

Paper [11] proposed a secure optimistic concurrency control algorithm for secure real-time database systems that does not degrade real-time performance. The earlier work sacrificed more timeliness; the method in this paper shows that security can be achieved with a negligible sacrifice in timeliness. The authors introduce a new metric called the Covert Channel Factor (CCF), together with metrics for security maintenance and priority maintenance. The simulation program is written in C++. Experimental results show a low deadline-miss percentage and high security compared with a non-secure algorithm. Future work would examine temporal consistency, design suitable concurrency control algorithms, and study their performance.
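The conflict decision behind the adaptive policy of paper [10], reduced to a worked example that is added here and is a simplified model rather than the paper's exact rule. The security factor is modelled as the question "would a higher-level lock holder delay a lower-level requester?" (that delay is the timing covert channel a secure two-phase locking scheme must avoid), and the deadline factor as the miss ratio over a sliding window of recent transaction outcomes; while the miss ratio stays under a limit the secure choice wins, otherwise plain priority order is used, which is the partial security the page mentions. `Txn`, `AdaptiveSecure2PL`, the window size and the limit are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    tid: str
    level: int      # security level: 0 = low (unclassified), 1 = high (secret)
    priority: int   # larger means more urgent (earlier deadline)


class AdaptiveSecure2PL:
    """Decides who yields when `requester` needs a lock that `holder` owns.

    Security factor: if a high-level holder could delay a low-level requester, the holder
    can signal bits to the requester through lock timing. The secure choice is to abort
    the holder so that low-level progress never depends on high-level activity.
    Deadline factor: when the recent deadline-miss ratio exceeds `miss_limit`, the policy
    falls back to priority ordering and accepts the covert channel (partial security).
    """

    def __init__(self, window: int = 20, miss_limit: float = 0.2):
        self.outcomes = deque(maxlen=window)   # recent history: True = deadline missed
        self.miss_limit = miss_limit

    def record_outcome(self, missed: bool) -> None:
        self.outcomes.append(missed)

    def miss_ratio(self) -> float:
        return sum(self.outcomes) / len(self.outcomes) if self.outcomes else 0.0

    def resolve(self, holder: Txn, requester: Txn) -> str:
        """Return 'holder_aborts' or 'requester_waits'."""
        covert_channel = holder.level > requester.level
        if covert_channel and self.miss_ratio() <= self.miss_limit:
            return "holder_aborts"            # security wins while deadlines are being met
        if requester.priority > holder.priority:
            return "holder_aborts"            # otherwise deadline (priority) order decides
        return "requester_waits"


if __name__ == "__main__":
    policy = AdaptiveSecure2PL(window=10, miss_limit=0.3)
    high = Txn("T1", level=1, priority=5)
    low = Txn("T2", level=0, priority=1)
    print(policy.resolve(high, low))          # holder_aborts: secure, high must not delay low
    for _ in range(10):
        policy.record_outcome(True)           # system is now missing every deadline
    print(policy.resolve(high, low))          # requester_waits: timeliness now wins
```

The asymmetry is the whole point: a low-level holder delaying a high-level requester leaks nothing downward, so that case is always settled by priority, and only the high-holds/low-waits case is ever sacrificed for timeliness.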

Papers related to Testing Schemes for SQL Injections: Paper [12]. Contribution: Developed a testing scheme that stops SQL injections at the beginning, i.e. at the application's input points.

Paper [12] proposed a database security testing scheme that detects potential SQL injection input points, automatically generates test cases, and finds vulnerabilities by running these test cases as a simulated attack against the application. The SQL injection points are found by a complete scan of the application. The generated test cases are submitted to the injection points and the responses are recorded in reports, which reveal the attack parameters that succeeded.

Summary: This survey explored different methods used for database security. Some of the papers were extensions of other papers. The classification scheme we followed has been explained, and the methods proposed in each individual paper are described in this report, together with the advantages of each method, the tools used, and the future work. We compared the solutions of related papers and gained a good understanding of various database security issues and their solutions.

References:

[1] H. Kadhem, T. Amagasa, H. Kitagawa, "A Novel Framework for Database Security based on Mixed Cryptography," Fourth International Conference on Internet and Web Applications and Services (ICIW '09), 2009, pp. 163-170.
[2] Gang Chen, Ke Chen, Jinxiang Dong, "A Database Encryption Scheme for Enhanced Security and Easy Sharing," 10th International Conference on Computer Supported Cooperative Work in Design (CSCWD '06), 2006, pp. 1-6.
[3] S. Sesay, Zongkai Yang, Jingwen Chen, Du Xu, "A secure database encryption scheme," Second IEEE Consumer Communications and Networking Conference (CCNC 2005), 2005, pp. 49-53.
[4] M.S. Islam, S. Dey, G. Kundu, A.S.M. Hoque, "A Solution to the Security Issues of an E-Government Procurement System," International Conference on Electrical and Computer Engineering (ICECE 2008), 2008, pp. 659-664.
[5] Qing Zhao, Shihong Qin, "Study on Security of Web-based Database," Pacific-Asia Workshop on Computational Intelligence and Industrial Application (PACIIA '08), 2008, pp. 902-905.
[6] Zhu Yangqing, Yu Hui, Li Hua, Zeng Lianming, "Design of A New Web Database Security Model," Second International Symposium on Electronic Commerce and Security (ISECS '09), 2009, pp. 292-295.
[7] A. Patel, N. Sharma, M. Eirinaki, "Negative Database for Data Security," International Conference on Computing, Engineering and Information (ICC '09), 2009, pp. 67-70.
[8] R. Chiong, S. Dhakal, "Modelling Database Security through Agent-based Simulation," Second Asia International Conference on Modeling & Simulation (AICMS 08), 2008, pp. 24-28.
[9] L. Pan, "Using Criterion-based access control for multilevel database security," International Symposium on Electronic Commerce and Security, 2008, pp. 518-522.
[10] S.H. Son, "Supporting Timeliness and Security in Real-Time Database Systems," Proceedings of the Ninth Euromicro Workshop on Real-Time Systems, 1997, pp. 266-273.
[11] Q.N. Ahmed, S.V. Vrbsky, "Maintaining Security in Firm Real-Time Database Systems," Proceedings of the 14th Annual Computer Security Applications Conference, 1998, pp. 83-90.
[12] Yang Haixia, Nan Zhihong, "A database security testing scheme of web application," 4th International Conference on Computer Science & Education (ICCSE '09), 2009, pp. 953-955.