A real-time intrusion prevention system for commercial enterprise databases and file systems

Ulf T. Mattsson

Abstract

Modern intrusion detection systems are comprised of three basically different approaches, host based, network based, and a third relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall prey to a number of shortcomings such as scaling with increased traffic requirements, use of complex and false positive prone signature databases, and their inability to detect novel intrusive attempts. This intrusion detection system interacts with the access control system to deny further access when detection occurs and represent a practical implementation addressing these and other concerns. This paper presents an overview of our work in creating a practical database intrusion detection system. Based on many years of Database Security Research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional commercial implementations of database security mechanisms are very limited in defending successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network- based surveillance. Suites of the proposed solution may be deployed throughout a network, and their alarms man-aged, correlated, and acted on by remote or local subscribing security services, thus helping to address issues of decentralized management.

References

  1. Adam, 1989. M. R. Adam. Security-Control Methods for Statistical Database: A Comparative Study. ACM Computing Surveys, 21(4), 1989.
  2. Atluri, 1999. V. Atluri, S. Jajodia, and B. George. Multilevel Secure Transaction Processing. Kluwer Academic Publishers, 1999.
  3. Garvey, 1991) T.D. Garvey and T.F. Lunt. Model-based intrusion detection. In Proceedings of the 14th National Computer Security Conference, Balti-more, MD, October 1991.
  4. Griffiths, 1976. P. P. Griffiths and B. W. Wade. An Authorization Mechanism for a Relational Database System. ACM Transactions on Database Systems, 1(3):242-255, September 1976.
  5. Helman, 1993. P. Helman and G. Liepins. Statistical foundations of audit trail analysis for the detection of computer misuse. IEEE Transactions on Software Engineering, 19(9):886- 901, 1993.
  6. Ilgun, 1993. K. Ilgun. Ustat: A real-time intrusion detection system for unix. In Proceedings of the IEEE Symposium on Security and Privacy,Oak-land, CA, May 1993.
  7. Ilgun, 1995. K. Ilgun, R.A. Kemmerer, and P.A. Porras. State transition analysis: A rulebased intrusion detection approach. IEEE Transactions on Software Engineering, 21(3):181-199, 1995.
  8. Jagannathan, 1993. R. Jagannathan and T. Lunt. System design document: Next generation intrusion detection expert system (nides). Technical report, SRI International, Menlo Park, California, 1993.
  9. Javitz, 1991. H. S. Javitz and A. Valdes. The sri ides statistical anomaly detector. In Proceedings IEEE Computer Society Symposium on Security and Privacy, Oakland, CA, May 1991.
  10. Javitz, 1994. H. S. Javitz and A. Valdes. The nides statistical component description and justification. Technical Report A010, SRI International, March 1994.
  11. Lane, 1998. T. Lane and C.E. Brodley. Temporal sequence learning and data reduction for anomaly detection. In Proc. 5th ACM Conference on Computer and Communications Security, San Francisco, CA, Nov 1998.
  12. Lee, 1999. Wenke Lee, Sal Stolfo, and Kui Mok. A data mining framework for building intrusion detection models. In Proc. 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 1999.
  13. Lunt, 1992. T. Lunt, A. Tamaru, F. Gilham, R. Jagannathan, C. Jalali, H. S. Javitz, A. Valdes, P. G. Neumann, and T. D. Garvey. A real time intrusion detection expert system (ides). Technical report, SRI International, Menlo Park, California, 1992.
  14. Lunt, 1998. Teresa Lunt and Catherine McCollum. Intrusion detection and response research at DARPA. Technical report, The MITRE Corporation, McLean, VA, 1998.
  15. Lunt, 1993. T.F. Lunt. A Survey of Intrusion Detection Techniques. Computers & Security, 12(4):405-418, June 1993.
  16. Mukherjee, 1994. B. Mukherjee, L. T. Heberlein, and K.N. Levitt. Network intrusion detection. IEEE Network, pages 26-41, June 1994.
  17. Porras, 1992. P.A. Porras and R.A. Kemmerer. Penetration state transition analysis: A rule-based intrusion detection approach. In Proceedings of the 8th Annual Computer Security Applications Conference, San Antonio, Texas, December 1992.
  18. Rabitti, 1994. F. Rabitti, E. Bertino, W. Kim, and D. Woelk. A model of authorization for next generation database systems. ACM Transactions on Database Systems, 16(1):88-131, 1994.
  19. Samfat, 1997. D. Samfat and R. Molva. Idamn: An intrusion detection architecture for mobile networks. IEEE Journal of Selected Areas in Communications, 15(7):1373-1380, 1997.
  20. Sandhu, 1998. R. Sandhu and F. Chen. The multilevel relational (mlr) data model. ACM Transactions on Information and Systems Security, 1(1), 1998.
  21. Shieh, 1997. S.-P. Shieh and V.D. Gligor. On a pattern-oriented model for intrusion detection. IEEE Transactions on Knowledge and Data Engi-neering, 9(4):661-667, 1997.
  22. Winslett, 1994. M. Winslett, K. Smith, and X. Qian. Formal query languages for secure relational databases. ACM Transactions on Database Systems, 19(4):626-662, 1994.
  23. Habra, 1992. J. Habra, B. Le Charlier, A. Mounji, and I. Mathieu. ASAX: Software architecture and rule-based language for universal audit trail analysis. In Y. Deswarte et al., editors, Computer Security - Proceedings of ESORICS 92, volume 648 of LNCS, pages 435-450, Toulouse, France, Nov. 23-25, 1992. Springer-Verlag.
  24. Ilgun, 1993. K. Ilgun. USTAT: A real-time intrusion detection system for UNIX. In Proceedings of the 1993 IEEE Symposium on Security and Privacy, pages 16-28, Oakland, California, May 24-26, 1993.
  25. Mounji, 1997. A. Mounji. Languages and Tools for Rule-Based Distributed Intrusion Detection. PhD thesis, Institut d'Informatique, University of Namur, Belgium, Sept. 1997.
  26. Porras, 1992. P. A. Porras and R. A. Kemmerer. Penetration state transitionanalysis: A rule-based intrusion detection approach. In Proceedings of the Eighth Annual Computer Security Ap-plications Conference, pages 220-229, San Antonio, Texas, Nov. 30-Dec. 4, 1992.
  27. Proctor, 1994. P. Proctor. Audit reduction and misuse detection in heterogeneous environments: Framework and application. In Proceedings of the Tenth Annual Computer Security Applications Conference, pages 117-125, Orlando, Florida, Dec. 5-9, 1994.
  28. Sebring, 1988. M. M. Sebring, E. Shellhouse, M. E. Hanna, and R. A. Whitehurst. Expert systems in intrusion detection: A case study. In Proceedings of the 11th National Computer Security Conference, pages 74-81, Baltimore, Maryland, Oct. 17-20, 1988. National Institute of Standards and Technology/National Computer Security Center.
Download


Paper Citation


in Harvard Style

T. Mattsson U. (2005). A real-time intrusion prevention system for commercial enterprise databases and file systems . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 94-101. DOI: 10.5220/0002543200940101


in Bibtex Style

@conference{wosis05,
author={Ulf T. Mattsson},
title={A real-time intrusion prevention system for commercial enterprise databases and file systems},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={94-101},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002543200940101},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - A real-time intrusion prevention system for commercial enterprise databases and file systems
SN - 972-8865-25-2
AU - T. Mattsson U.
PY - 2005
SP - 94
EP - 101
DO - 10.5220/0002543200940101