Skip to main content
SpringerLink
Log in
Book cover

Handbook of Database Security pp 267–296Cite as

Security Re-engineering for Databases: Concepts and Techniques

  • Chapter

Summary

Despite major advancements in access control models and security mechanisms, most of today’s databases are still very vulnerable to various security threats, as shown by recent incident reports. A reason for this that existing databases used in e-businesses and government organizations are rarely designed with much security in mind but rely on security policies and mechansims that are added over time in an ad-hoc fashion. What is needed in such cases is a coherent approach for organizations to first evaluate the current secrutiy setup of a database, i.e., its policies and mechanisms, and then to re-design and improve the mechanisms in a focused way, that is, to apply an evolutionary rather than a revolutionary approach to improving database security.

In this book chapter, we present important principles and techniques of such a security re-engineering approach. Our focus is on the detection and prevention of insider misuse, which is still the biggest threat to security. We show how techniques such as focused auditing, and data and user profiling are integrated into a single methodological framework for database security evaluation. This framework is supported by an access path model, which provides information about data and user behavior, access correlations, and potential vulnerabilities. Based on the information obtained in this approach, we illustrate how security can be strengthened using standard database functionality.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   89.00
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Conference series on Recent Advances in Intrusion Detection (RAID), http://www.raid-symposium.org/.

    Google Scholar 

  2. Oracle audit vault. http://www.oracle.com/technology/products/audit-vault/index.html

    Google Scholar 

  3. Common Criteria for Information Technology Security Evaluation (Version 3.1). Technical report, http://www.commoncriteriaportal.org/public/expert/index.php?menu=2, 2006.

    Google Scholar 

  4. Cristina Abad, Jed Taylor, Cigdem Sengul, William Yurcik, Yuanyuan Zhou, and Kenneth E. Rowe. Log correlation for intrusion detection: A proof of concept. In 19th Annual Computer Security Applications Conference (ACSAC 2003), pages 255–265, 2003.

    Google Scholar 

  5. Ant Allen. Intrusion Detection Systems (IDS): Perspective. Technical report, Gartner Research Report DPRO-95367, Technical Overview, January 2002.

    Google Scholar 

  6. Robert H. Anderson. Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Misuse of Critical Defense Information Systems. Conference Proceedings CF-151-OSD. RAND Corporation, 1999.

    Google Scholar 

  7. Kun Bai, Hai Wang, and Peng Liu. Towards database firewalls. In 9th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec05), pages 178–192, 2005.

    Google Scholar 

  8. Daniel Barbara, Julia Couto, Sushil Jajodia, and Ningning Wu. An architecture for anomaly detection. In Daniel Barbara and Sushil Jajodia (eds.), Applications of Data Mining in Computer Security, pages 63–76. Kluwer Academic Publishers, 2002.

    Google Scholar 

  9. Carlo Batini and Monica Scannapieco (eds.). Data Quality: Concepts, Methodologies and Techniques (Data-Centric Systems and Applications). Springer, 2006.

    Google Scholar 

  10. Elisa Bertino, Claudio Bettini, Elena Ferrari, and Pierangela Samarati. An access control model supporting periodicity constraints and temporal reasoning. ACM Transations on Database Systems, 23(3):231–285, 1998.

    Article  Google Scholar 

  11. Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2002.

    Google Scholar 

  12. Silvana Castano, Maria Grazia Fugini, , Giancarlo Martella, and Pierangela Samarati. Database Security. Addison-Wesley Professional, 1994.

    Google Scholar 

  13. Christina Yip Chung, Michael Gertz, and Karl N. Levitt. DEMIDS: A misuse detection system for database systems. In Third Working Conference on Integrity and Internal Control in Information Systems, IFIP TC11 Working Group 11.5, pages 159–178, 1999.

    Google Scholar 

  14. Christina Yip Chung, Michael Gertz, and Karl N. Levitt. Misuse detection in database systems through user profiling. In Recent Advances in Intrusion Detection (RAID’99), 1999.

    Google Scholar 

  15. Christina Yip Chung, Michael Gertz, and Karl N. Levitt. Discovery of multi-level security policies. In FIP TC11/ WG11.3 Fourteenth Annual Working Conference on Database Security (DBSec00), pages 173–184, 2000.

    Google Scholar 

  16. Michael J. Covington, Wende Long, Srividhya Srinivasan, Anind K. Dey, Mustaque Ahamad, and Gregory D. Abowd. Securing context-aware applications using environment roles. In 6th ACM Symposium on Access Control Models and Technologies (SACMAT 2001), pages 10–20, 2001.

    Google Scholar 

  17. Vino Fernando Crescini and Yan Zhang. Policyupdater: a system for dynamic access control. International Journal of Information Security, 5(3):145–165, 2006.

    Article  Google Scholar 

  18. Tamraparni Dasu and Theodore Johnson, editors. Exploratory Data Mining and Data Cleaning. Wiley-Interscience, 2003.

    Google Scholar 

  19. DoD. DoD insider threat mitigation, Insider threat integrated process team, Final report of the insider threat integrated process team. Technical report, Washington, DC, 2000.

    Google Scholar 

  20. Carl Endorf, Gene Schultz, and Jim Mellander. Intrusion Detection and Prevention. McGraw-Hill Osborne Media, 2003.

    Google Scholar 

  21. Tom Fawcett and Foster J. Provost. Combining data mining and machine learning for effective user profiling. In Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD96), pages 8–13, 1996.

    Google Scholar 

  22. Tom E. Fawcett and Foster Provost. Fraud Deection. In Handbook of data mining and knowledge discovery, pages 726–731. Oxford University Press, Inc., 2002.

    Google Scholar 

  23. Amgad Fayad, Sushil Jajodia, and Catherine D. McCollum. Application-level isolation using data inconsistency detection. In 15th Annual Computer Security Applications Conference (ACSAC 1999), page 119, 1999.

    Google Scholar 

  24. David F. Ferraiolo, Ravi S. Sandhu, Serban I. Gavrila, D. Richard Kuhn, and Ramaswamy Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3):224–274, 2001.

    Google Scholar 

  25. Michael Gertz and George Csaba. Monitoring mission critical data for integrity and availability. In IFIP TC11/WG11.5 Fifth Working Conference on Integrity and Internal Control in Information Systems (IICIS02), pages 189–201, 2002.

    Google Scholar 

  26. Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn, and Robert Richardson. 2005 CSI/FBI computer crime and security survey. Technical report, Computer Security Institute, 2005.

    Google Scholar 

  27. R. J. Hulsebosch, Alfons H. Salden, Mortaza S. Bargh, P. W. G. Ebben, and J. Reitsma. Context sensitive access control. In 10th ACM Symposium on Access Control Models and Technologies (SACMAT05), pages 111–119, 2005.

    Google Scholar 

  28. James Joshi, Elisa Bertino, Usman Latif, and Arif Ghafoor. A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng., 17(1):4–23, 2005.

    Article  Google Scholar 

  29. Ashish Kamra, Evimaria Terzi, and Elisa Bertino. Detecting anomalous access patterns in relational databases. To appear in The VLDB Journal, 2007.

    Google Scholar 

  30. David Knox. Effective Oracle Database 10g Security by Design. McGraw Hill Professional, 2004.

    Google Scholar 

  31. Carl E. Landwehr. Computer security. International Journal of Information Security, 1(1):3–13, 2001.

    Google Scholar 

  32. Terran Lane and Carla E. Brodley. Temporal sequence learning and data reduction for anomaly detection. In ACM Conference on Computer and Communications Security, pages 150–158, 1998.

    Google Scholar 

  33. Terran Lane and Carla E. Brodley. Temporal sequence learning and data reduction for anomaly detection. ACM Transactions on Information and System Security, 2(3):295–331, 1999.

    Article  Google Scholar 

  34. Wenke Lee and Salvatore J. Stolfo. A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security, 3(4):227–261, 2000.

    Article  Google Scholar 

  35. Ninghui Li and Mahesh V. Tripunitara. Security analysis in role-based access control. ACM Transactions on Information and System Security, 9(4):391–420, 2006.

    Article  Google Scholar 

  36. Yingjiu Li, Ningning Wu, Xiaoyang Sean Wang, and Sushil Jajodia. Enhancing profiles for anomaly detection using time granularities. Journal of Computer Security, 10(1/2):137–158, 2002.

    Google Scholar 

  37. Peng Liu. Architectures for intrusion tolerant database systems. In 18th Annual Computer Security Applications Conference (ACSAC 2002), pages 311–320, 2002.

    Google Scholar 

  38. John McHugh. Intrusion and intrusion detection. International Journal of Information Security, 1(1):14–35, 2001.

    MATH  Google Scholar 

  39. Jim Melton and Alan R. Simon. SQL: 1999 - Understanding Relational Language Components (The Morgan Kaufmann Series in Data Management Systems). Morgan Kaufmann, 2001.

    Google Scholar 

  40. Shubha U. Nabar, Bhaskara Marthi, Krishnaram Kenthapadi, Nina Mishra, and Rajeev Motwani. Towards robustness in query auditing. In Proceedings of the 32nd International Conference on Very Large Data Bases (VLDB06), pages 151–162, 2006.

    Google Scholar 

  41. Arup Nanda and Donald K. Burleson. Oracle Privacy Security Auditing. Rampant Techpress, 2003.

    Google Scholar 

  42. Ron Ben Natan. Implementing Database Security and Auditing: Includes Examples for Oracle, SQL Server, DB2 UDB, Sybase. Elsevier Digital Press, 2005.

    Google Scholar 

  43. Peter G. Neumann. The challenges of insider misuse, Papers prepared for the workshop on preventing, detecting, and responding to malicious insider misuse, 16-18 August 1999, at RAND, Santa Monica, CA. Technical report, SRI Computer Science Lab, 1999.

    Google Scholar 

  44. Peng Ning and Sushil Jajodia. Intrusion detection systems basics. In Hossein Bidgoli (ed.), Handbook of Information Security, volume 3, pages 685–700. Wiley, 2006.

    Google Scholar 

  45. Sejong Oh, Ravi S. Sandhu, and Xinwen Zhang. An effective role administration model using organization structure. ACM Transactions on Information and System Security, 9(2):113–137, 2006.

    Google Scholar 

  46. Yong-Chul Oh and Shamkant B. Navathe. Seer: Security enhanced entity-relationship model for modeling and integrating secure database environments. In 14th International Conference on Object-Oriented and Entity-Relationship Modelling (ER95), pages 170–180, 1995.

    Google Scholar 

  47. Kyriacos Pavlou and Richard T. Snodgrass. Forensic analysis of database tampering. In Proceedings of the 2006 ACM SIGMOD international conference on management of data, pages 109–120, 2006.

    Google Scholar 

  48. Richard Power. 2002 CSI/FBI computer crime and security survey. Computer Security Issues & Trends, 8(1), 2002.

    Google Scholar 

  49. Marcus K. Rogers. Internal security threats. In Hossein Bidgoli (ed.), Handbook of Information Security, volume 3, pages 3–17. Wiley, 2006.

    Google Scholar 

  50. Arnon Rosenthal and Marianne Winslett. Security of shared data in large systems: State of the art and research directions. Tutorial at ACM SIGMOD International Conference on Management of Data, pages 962–964, 2004.

    Google Scholar 

  51. Pierangela Samarati and Sabrina De Capitani di Vimercati. Access control: Policies, models, and mechanisms. Tutorial Lectures in Foundations of Security Analysis and Design Springer, LNCS 2171, pages 137–196, 2000.

    Google Scholar 

  52. Jürgen Schlegelmilch and Ulrike Steffens. Role mining with ORCA. In 10th ACM Symposium on Access Control Models and Technologies (SACMAT05), pages 168–176, 2005.

    Google Scholar 

  53. Alexandr Seleznyov and Oleksiy Mazhelis. Learning temporal patterns for anomaly intrusion detection. In Proceedings of the 2002 ACM symposium on Applied computing, pages 209–213, 2002.

    Google Scholar 

  54. Robert Selby Sielken. Application intrusion detection. Master thesis, Department of Computer Science, University of Virginia, May 1999.

    Google Scholar 

  55. Richard T. Snodgrass, Shilong (Stanley) Yao, and Christian S. Collberg. Tamper detection in audit logs. In Proceedings of the 30th International Conference on Very Large Data Bases, pages 504–515, 2004.

    Google Scholar 

  56. Adrian Spalka and Jan Lehnhardt. A comprehensive approach to anomaly detection in relational databases. In 19th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec05), pages 207–221, 2005.

    Google Scholar 

  57. Pang-Ning Tan, Michael Steinbach, and Vipin Kumar, editors. Introduction to Data Mining. Addison-Wesley, 2006.

    Google Scholar 

  58. Jaideep Vaidya, Vijayalakshmi Atluri, and Qi Guo. The role mining problem: finding a minimal descriptive set of roles. In 12th ACM Symposium on Access Control Models and Technologies (SACMAT07), pages 175–184, 2007.

    Google Scholar 

  59. Hai Wang and Peng Liu. Modeling and evaluating the survivability of an intrusion tolerant database system. In 11th European Symposium on Research in Computer Security (ESORICS06), pages 207–224, 2006.

    Google Scholar 

  60. Dit-Yan Yeung and Yuxin Ding. User profiling for intrusion detection using dynamic and static behavioral models. In Advances in Knowledge Discovery and Data Mining, 6th Pacific-Asia Conference, PAKDD 2002, pages 494–505, 2002.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, University of California at Davis, Davis, CA

    Michael Gertz

  2. Department of Mathematics and Computer Science, California State University, East Bay, CA

    Madhavi Gandhi

Authors
  1. Michael Gertz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Madhavi Gandhi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dept. of Computer Science, University of California at Davis, One Shields Avenue, Davis, CA 95616-8562

    Michael Gertz

  2. George Mason University Center for Secure Information Systems Research I, Suite 417, Fairfax, VA 22030-4444

    Sushil Jajodia

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer Science+Business Media, LLC.

About this chapter

Cite this chapter

Gertz, M., Gandhi, M. (2008). Security Re-engineering for Databases: Concepts and Techniques. In: Gertz, M., Jajodia, S. (eds) Handbook of Database Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-48533-1_12

Download citation

  • DOI: https://doi.org/10.1007/978-0-387-48533-1_12

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-48532-4

  • Online ISBN: 978-0-387-48533-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation