Database Recovery from Malicious Transactions: A Use of Provenance

Information

Theppatorn Rhujittawiwat

, John Ravan

, Ahmed Saaudi

, Shankar Banik

and Csilla Farkas

Computer Science & Engineering Dept., University of South Carolina, Columbia, SC, U.S.A.

Dept. of Mathematics and Computer Science, The Citadel, The Military College of South Carolina, Charleston, SC, U.S.A.

Keywords:

Database, Malicious Transaction, Security, Dependency Graph, Data Provenance.

Abstract:

In this paper, we propose a solution to recover a database from the effects of malicious transactions. The

traditional approach for recovery is to execute all non-malicious transactions from a consistent rollback point.

However, this approach is inefﬁcient. First, the database will be unavailable until the restoration is ﬁnished.

Second, all non-malicious transactions that committed after the rollback state need to be re-executed. The

intuition for our approach is to re-execute partial transactions, i.e., only the operations that were affected by

the malicious transactions. We develop algorithms to reduce the downtime of the database during recovery

process. We show that our solution is 1.) Complete, i.e., all the effects of the malicious transactions are

removed, 2.) Sound, i.e., all the effects of non-malicious transactions are preserved, and 3.) Minimal, i.e.,

only affected data items are modiﬁed. We also show that our algorithms preserve conﬂict serializability of the

transaction execution history.

1 INTRODUCTION

The increase in the number and sophistication of cy-

berattacks makes cybersecurity one of the top prior-

ities for organizations. One of the recent studies to

evaluate the impact of cyberattacks was performed

by the Ponemon Institue (Bissell et al., 2019). They

studied over 355 companies to evaluate the damages

incurred from cybercrime. Their results show that,

on average, each company lost $11.7 million in 2017

and $13.0 million in 2018. Part of this damage comes

from the hourly cost of service downtime.

Malicious transactions further escalate the cost of

recovery. Such transactions are often detected at a

later time, after malicious transaction as well as other

transactions dependent of the malicious one are com-

mitted. Efﬁcient recovery methods are needed to re-

duce the cost of service downtime and recovery work.

Traditional recovery methods are based on the re-

execution of all non-malicious transactions from a

consistent backup point. However, this causes the

database to be unavailable until the restoration is com-

pleted. Moreover, transactions that were not affected

may also be re-executed.

To improve recovery speed, researchers aim to re-

duce the number of transactions that need to be re-

executed. Transactions that were affected by the ma-

licious transactions are identiﬁed by transaction de-

pendency and input comparison. The approaches pre-

sented by Ammann et al. (Ammann et al., 2002),

Liu et al. (P. Liu, P. Ammann, and S. Jajodia, 2000),

Panda et al. (Panda and Haque, 2002) have used trans-

action dependency to identify compromised transac-

tions. The works of Kim et al. (Kim et al., 2012),

and Chandra et al. (Chandra et al., 2011) have used

input comparison to determine unaffected transac-

tions. Input comparison approaches provide simpler

and faster solutions than the dependency approaches.

However, transaction dependency approaches provide

greater details about which transactions are affected

and a higher possibility to salvage good transactions

than the input comparison approaches. Therefore,

there is a possibility that the dependency-based ap-

proaches may provide better overall performance than

input comparison-based approaches when it can sal-

vage many good transactions. In this case, the re-

duced re-execution cost outweighs the slower deter-

mination process.

Our work ﬁts into the category of transaction

dependency-based recovery. We propose a novel ap-

proach to use data provenance to reduce the computa-

tional cost of recovery. We deﬁne transaction depen-

dency based on an attribute-value assignment. Our

work closely relates to the work of Panda et al. (Panda

Rhujittawiwat, T., Ravan, J., Saaudi, A., Banik, S. and Farkas, C.

Database Recovery from Malicious Transactions: A Use of Provenance Information.

DOI: 10.5220/0010553900390048

In Proceedings of the 10th International Conference on Data Science, Technology and Applications (DATA 2021), pages 39-48

ISBN: 978-989-758-521-0

and Haque, 2002). However, their work focuses on

the identiﬁcation of the affected transactions. Their

solution requires the shutdown of the database during

the recovery process. Our work reduces the duration

of the database downtime and lets the unaffected part

of the database operate during the recovery process.

Our method uses transaction dependency to deter-

mine which transactions have to be re-executed and

which attributes have to be updated. We use data

provenance to collect crucial information for the re-

covery process. Instead of the complete shutdown

of the database, we only lock the database until the

corrupted data items are identiﬁed. The unaffected

part of the database will become active and perform

the service after the identiﬁcation is ﬁnished. The af-

fected parts of the database will be available as soon

as the data items are recovered. Our solution will im-

prove the availability of the database during recovery

and reduce the downtime from malicious transaction

attacks.

We show that our solution is 1.) Complete, i.e., all

the effects of the malicious transactions are removed,

2.) Sound, i.e., all the effects of non-malicious trans-

actions are preserved, and 3.) Minimal, i.e., only af-

fected data items are modiﬁed. We also show that our

algorithms preserve conﬂict serializability of the con-

current transaction execution.

The paper is organized as follows: Section 2 dis-

cusses the existing research used to drive the direction

of the solution. Section 3 deﬁnes the problem and out-

lines the system model. Section 4 describes solution,

we present our algorithms and provide formal proofs.

We conclude in Section 5.

2 RELATED WORK

Many researchers proposed approaches to improve

the process to recover from malicious transactions.

There are two major approaches to identify affected

transactions and reduce re-execution cost: transaction

dependency-based approach, and input comparison-

based approach.

The works of Kim et al. (Kim et al., 2010)(Kim

et al., 2012) and Chandra et al. (Chandra

et al., 2011)(Chandra et al., 2013) introduce input

comparison-based approaches. In their approaches,

if the current input of re-executing transaction is the

same as the input when this transaction is originally

executed, this re-execution will be skipped because

the output will obviously be the same. These meth-

ods can be processed easily from reading the trans-

action log, which records the inputs. They also do

not require extra memory and computational power

to build a complicated dependency structure between

transactions. However, these approaches cannot save

the re-execution cost of transactions which have dif-

ferent inputs but produce the same outputs. For ex-

ample, a transaction that blindly updates values inde-

pendently from its inputs. These approaches provide

a fast and simple solution with less possibility to save

re-execution cost.

There are several transaction dependency-based

approaches. The works of Ammann et al. (Ammann

et al., 2002) and Liu et al. (P. Liu, P. Ammann, and S.

Jajodia, 2000)(Liu and Jajodia, 2001) deﬁne the trans-

action by using the read and write sets of transactions.

A transaction T

depends on another earlier transac-

tion T

if the read set of T

shares the same data item

as a write set of T

and this data item is not presented

in write sets of any transaction committed between

them. The corresponding dependency graph can be

used to identify transactions that are affected by ma-

licious transactions. The later work of Chakraborty et

al. (A. Chakraborty, A. K. Majumdar, and S. Sural,

2010) follows the same direction but uses different

granularity. The dependency is deﬁned on columns

instead of data items to improve scalability. However,

this approach saves fewer unaffected transactions than

the previous approaches.

Our work closely relates to the works of Panda et

al. (Panda and Giordano, 1998)(Panda and Haque,

2002)(Panda and Jing Zhou, 2003), Lomet et al.

(Lomet et al., 2006), Haraty et al. (Haraty and Zbib,

2014)(Haraty et al., 2016)(Haraty et al., 2018), and

Kaddoura et al. (Kaddoura et al., 2016). They de-

ﬁne dependency based on how each data item is up-

dated. A transaction T

depends on another trans-

action T

if T

updates any data item according to

a data item lastly updated by T

. These approaches

provide greater details on how transactions depend

on each other than the read/write set dependency ap-

proaches. Thus, they provide the highest possibil-

ity to save unaffected transactions comparing all the

above approaches. However, the computational costs

are also the highest.

To improve the performance, we use the concept

of data provenance. Our solution reduces the recovery

cost by building data provenance that contains trans-

action dependency when each transaction is commit-

ted. This provides information to speed up the recov-

ery process. There are many data provenance works

which inﬂuenced our solution such as Xu and Wang

(Xu and Wang, 2010), Zhang et al. (Zhang et al.,

2012), Hammad and Wu (Hammad and Wu, 2014),

He et al. (He et al., 2015), Backes et al. (Backes et al.,

2016), and Liang et al. (Liang et al., 2017). They

provide different data provenance structures which

DATA 2021 - 10th International Conference on Data Science, Technology and Applications

record information to counter speciﬁc malicious at-

tacks.

3 PROBLEM SPECIFICATION

AND PRELIMINARIES

Malicious transactions can potentially be committed

before they are detected, thus propagating their dam-

age across the database. The problem of malicious

transaction recovery has two major parts: identifying

the scope of damage and repairing the damage. The

damage from a malicious transaction can spread to

other transactions. For example, if a malicious trans-

action T

updates the value of attribute A

, every trans-

action that uses this A

will be affected by T

and will

need to be corrected. Furthermore, if an affected non-

malicious transaction T

uses A

to update A

, then

will need to be corrected therefore spreading the

damage and the scope of the correction will be re-

duced. On the other hand, a transaction T

which does

not use A

can be indirectly affected if it uses A

from

Our goal is to reduce the cost of locating every af-

fected transaction, limit propagation of the corrupted

values, and reduce the recovery work.

Next, we present our recovery framework and cor-

responding deﬁnitions.

Deﬁnition 1. A relation schema R is denoted by

R(A

, ...,A

), where R is the name of the relation and

|i ∈ {1, ..., n} is an attribute name.

Deﬁnition 2. An attribute value pair is denoted by

(A, v), where v is the value of an attribute A such that

v is in the domain of attribute A, i.e., v ∈ Dom(A).

Deﬁnition 3. A relation instance r is denoted by r(R),

where R(A

, ..., A

) is the relation schema of r. r is

a set of tuples r = {t

, ..., t

}, where each tuple is a

set of n attribute value pair t = {(A

, v

), ..., (A

, v

)}

such that each value v

∈ Dom(A

). We also represent

a tuple as an order list of n values t =< v

, ..., v

such that each value v

∈ Dom(A

Deﬁnition 4. An attribute-value assignment is de-

noted by

t = {(A

, v

), .., (A

, v

), .., (A

, v

)}

−→ t

= {(A

, v

), .., (A

→ exp), .., (A

, v

)} (1)

for some attribute value pair of A

∈ R, (A

, v

)

will be set to (A

, exp) such that exp is either;

1. A constant value v

∈ Dom(A

2. An attribute A

∈ R with value v

, such that v

∈

Dom(A

3. An arithmetic expression which includes constant

values, attribute names in R, and/or arithmetic

operators.

Example 1: Transaction T

UPDATE r

SET

= 10 ,

= A

= 2A

+ 20 ;

Example 1 shows value assignments by transac-

tion T

on relation r with schema R(A

, A

assigns the constant value 10 to attribute A

attribute A

is assigned the value of A

, and attribute

is assigned using an arithmetic expression.

Deﬁnition 5. An attribute-value conditional assign-

ment is denoted by

t{(A

, v

), .., (A

, v

), .., (A

, v

)}

−→ t

{(A

, v

), .., (A

→ exp, c), .., (A

, v

)} (2)

for some attribute value pair of A

∈ R, (A

, v

)

will be set to (A

, {exp, c}) when condition c is

satisﬁed. The boolean expression c may include truth

values, boolean variables, arithmetic expressions,

relational operators, and/or boolean operators.

The multiple attributes assignment

t{(A

, v

), .., (A

, v

)}

−→ t

{(A

, v

), .., (A

→ exp

, c

), ..., (A

→

exp

, c

), .., (A

, v

)} is interpreted as a sequence of

update to attributes A

, ..., A

Deﬁnition 6 (Data Dependency Pair). A data depen-

dency pair is denoted by

= (A

, {A

, ..., A

}) (3)

We also represent it as

= (A

, Set

) (4)

Where an attribute A

depends on a set of at-

tributes Set

= {A

, ..., A

} such that A

∈ R, i ∈

{1, ..., n}. The data dependency is transitive, i.e., if

, A

) and (A

, A

) then (A

, A

For a transaction T, Dp

= {Dp

, ..., Dp

} denotes

all the dependency pairs Dp

, ..., Dp

where at-

tributes A

|i ∈ {1, ..., n} were modiﬁed by T.

Deﬁnition 7 (Last Assignment Table). A last assign-

ment table L has the schema

L(A, T ) (5)

Where A is the column with domain {A

, ..., A

} ∈ R

and T is the column for representing the last transac-

tion that updated attribute A

. The domain of T is the

identities of the transactions.

Database Recovery from Malicious Transactions: A Use of Provenance Information

Deﬁnition 8 (Transaction Dependency). Transaction

depends on transaction T

iff there is an attribute

that is modiﬁed by T

and A

depends on an at-

tribute A

that was updated by T

. The transaction

dependency is transitive. We also say that transaction

affects transaction T

if transaction T

depends on

transaction T

Deﬁnition 9. Data dependency record of provenance

for transaction T is denoted by

=< ID

,ts, R s,W s, Dp > (6)

Where ts is the timestamp when transaction T com-

mitted, ID

is the id of transaction T

, R s is a set of

read attributes, W s is a set of modiﬁed attributes, Dp

is the data dependency set of T.

Deﬁnition 10 (Conﬂict Transactions). Transaction T

and transaction T

are in conﬂict if at least one of the

following conditions is met:

1. R s

∩W s

is not ∅.

2. R s

∩W s

is not ∅.

3. W s

∩W s

is not ∅.

Operation Dependency Graph: Assuming a trans-

action can read and write each attribute only once, we

can recreate the partial order of the operation of T as

a directed acyclic graph (DAG) G

. For each record

T in P

1. For each attribute A

in R s, create a node r[A

2. For each attribute A

in W s, create a node w[A

]

and read Dp

in Dp.

3. Create a directed edge from each r[A

] where A

in Set

to w[A

4. If any subgraph G

has only one node with no

edge, create a directed edge from the node in G

to another node outside of G

that has no directed

edge pointing to it.

5. If any subgraph G

contains an edge but does not

contain any edge connect to any node outside of

, create a directed edge from any node that has

no directed edge pointing from it in G

to an-

other node outside of G

that has no directed edge

pointing to it.

The step 4 and 5 ensure that all subgraphs will be con-

nected together in the correct direction.

Notation 1. Given relation R with a single column.

S[R] denotes the set containing the attribute values of

relation R.

4 PROPOSED SOLUTION

In this section, we will present the algorithms that are

needed to properly recover from malicious transac-

tions. We also present the formal properties and the

complexity analysis of our solution.

4.1 Provenance-based Transaction

Recovery

In this section we present out recovery algorithms.

Algorithm 1 creates a data dependency record of

provenance for each transaction. Each record con-

tains transaction ID, timestamp, attributes which are

read or written by this transaction, and a set of

data dependency pairs. These records will be used

to ﬁnd the minimal number of transactions and at-

tributes that have to be recovered.Algorithm 2 ﬁnds

the affected transactions and affected attributes. The

records generated by Algorithm 1 provide informa-

tion on how each attribute is updated. By scanning

through those records, all affected transactions and

affected attributes can be found. All affected transac-

tions will be added into a table containing their trans-

action ID and ID of transactions, which they depend

on. All affected attributes will be locked until they

are repaired. The last assignment table L is generated

so the system knows when affected attributes can be

unlocked. Once affected attributes are updated with

values from the re-execution of their last assignment

transactions, they will be unlocked.

Algorithm 3 repairs the damage. The affected

transaction table AT generated by Algorithm 2 pro-

vides information on which transactions have to be

re-executed. The re-execution will be processed on

a snapshot of the database. The unaffected part of

the database can be operated during this repair pro-

cess. The affected transactions will be re-executed

in a topological order based on transaction depen-

dency. The affected attributes will be unlocked once

the transactions that last updated them are commit-

ted. This provides availability of those attributes as

soon as possible.

4.2 Formal Properties and Complexity

Analysis

In this section, we analyze and formally prove the

properties of our solution. We also evaluate the com-

plexity of our approach and compare it with the cost

of traditional transaction recovery.

Theorem 1. Given a malicious transaction T

and a

transaction execution history, the output of Algorithm

DATA 2021 - 10th International Conference on Data Science, Technology and Applications

Algorithm 1: Create Data Dependency Provenance Record.

Input: Transaction, T

and data provenance table P

Output: Data dependency provenance record of T

=< ID

,ts, R s,W s, Dp >

1: Initialization

2: If data provenance table is not available, create an

empty table P

(ID, ts, R s,W s, Dp)

3: Let ts := ””, R s := {}, W s := {}, Dp := {}, ts

= timestamp when T

is committed, ID

= gener-

ated id based on transaction committed order

5: for all attributes A

in T

6: if attribute A

is assigned by {exp, c} then

7: Set

= {}

8: Dp

= (A

, Set

)

9: W s = W s ∪ A

10: for all attributes A

in {exp, c} do

11: Dp

= (A

, {Set

∪ A

})

12: end for

13: Add Dp

to Dp

14: else

15: R s = R s ∪ A

16: end if

17: end for

18: Insert record (ID

,ts, R s,W s, Dp) into P

2 is 1.) Complete, 2.) Sound, and 3.) Minimal.

That is,

Completeness: All the transactions that were affected

by T

appear in column AT (T ). All the attributes that

were affected by T

appear in column L(A).

Soundness: For each tuple in AT (T, Set

), Set

con-

tains only those transactions that were affected by T.

For each tuple in L(A, T ), T is the last transaction

that updated A.

Minimal: Column AT (T ) contains only those trans-

actions that were affected by T

Column L(A) contains only those attributes that were

affected by T

This theorem shows that Algorithm 2 will ﬁnd all

affected transactions and affected attributes.

Proof Sketch.

Completeness: by induction;

Let T

, T

, ..., T

be n transactions following T

transaction log, AT

contains all transactions affected

by T

from T

to T

, and L

contains all attributes

affected by T

from T

to T

The base case: when n = 1.

1. Let L

initially contains all attributes updated by

Algorithm 2: Finding affected transaction.

Input: Data dependency provenance table P

, Trans-

action ID T

of a malicious transaction, and a

transaction log

Output: The affected transaction table AT(T, Set

)

and the last assignment table L(A, T)

1: Initialization

2: Create empty tables AT (T, Set

), and L(A, T )

4: Abort all incomplete transactions

5: We are locking the database

6: Read the data dependency provenance record P

of the malicious transaction T

in the table

7: for all dependency pair (A

, Set

) in Dp do

8: Insert record (A

, T

) into L

9: end for

10: for all T

following T

in transaction log ordered

by committed time do

11: Read record of T

in P

12: for all dependency pair (A

, Set

) in Dp do

13: if Set

∩ S[π

(L)] is not ∅ then

14: if T

6∈ S[π

(AT )] then

15: Set

= {}

16: for all A

∈ Set

∩ S[π

(L)] do

17: Set

= Set

∪ π

(σ

A=A

(L))

18: end for

19: Insert record (T

, Set

) into AT

20: else

21: Set

= π

Set

(σ

T =T

(AT ))

22: for all A

∈ Set

∩ S[π

(L)] do

23: Set

= Set

∪ π

(σ

A=A

(L))

24: end for

25: Update record σ

T =T

(AT ) to

, Set

)

26: end if

27: if A

6∈ S[π

(L)] then

28: Insert record (A

, T

) into L

29: else

30: Update record σ

A=A

(L) to (A

, T

)

31: end if

32: else if A

∈ S[π

(L)] and Set

∩ S[π

(L)]

is ∅ then

33: Delete record σ

A=A

(L)

34: end if

35: end for

36: end for

37: We are unlocking only the attributes in database

6∈ S[π

(L)]

2. AT

contains T

if T

update an attribute A

de-

pending on an attribute A

in L

3. Records of T

in data provenance table P

shows

whether A

depends on A

Database Recovery from Malicious Transactions: A Use of Provenance Information

Algorithm 3: Repairing.

Input: The affected transaction table AT , the last as-

signment table L, and the snapshot of database at

the time before the malicious transaction commit-

ted

Output: A consistent database state where all mali-

cious and affected transactions are undone

1: Initialization

2: Create empty ordered list FixQueue =<

, T

, ... > with the size equal to the number of

records in AT

4: for all π

Set

(AT ) do

5: Set

= Set

− T

6: end for

7: while AT is not ∅ do

8: if π

Set

(AT ) is empty then

9: Add T

to FixQueue

10: Delete record σ

T =T

(AT )

11: for all π

Set

(AT ) do

12: Set

= Set

− T

13: end for

14: end if

15: end while

16: if T

∈ S[π

(L)] then

17: Fixed attributes F := π

(σ

T =T

(L))

18: for all A

∈ S[F] do

19: Unlock A

20: end for

21: end if

22: for all FixQueue[i] where i = 0, i++ do

23: execute FixQueue[i]

24: if FixQueue[i] ∈ S[π

(L)] then

25: Fixed attributes F := π

(σ

T =FixQueue[i]

(L))

26: for all A

∈ S[F] do

27: Update database with A

28: Unlock A

29: end for

30: end if

31: end for

4. If A

depends on A

, A

is also affected by T

is added to AT

and A

is added to L

The induction case: assume AT

n−1

contains all trans-

actions that are affected by T

from T

to T

n−1

, and

n−1

contains all attributes affected by T

from T

n−1

1. Consider transaction T

update an attribute A

2. Records of T

in P

shows whether A

depends on

any attribute A

in L

n−1

3. If A

depends on A

, A

is also affected by T

is added to AT

and A

is added to L

Conclusion: By the principle of induction, AT

con-

tains all transactions affected by T

and L

contains

all attributes affected by T

Soundness: Assume that there is a transaction

in Set

that is not affected by T. But then, because

there is an attribute in T

that is dependent on an

attribute of T (Algorithm 2 lines 16 and 17). This is a

contradiction of our initial assumption.

Minimality: Trivially follows.

Theorem 2. Given a malicious transaction T

and

a transaction execution history, Algorithm 3 recovers

the database to a consistent state, such that

1. All the effects of T

are removed.

2. All of the effects of the other transaction are pre-

served.

3. The recovered history is conﬂict serializable.

First we note, that by Theorem 1, AT (T, Set

) and

L(A, T) are complete, minimal, and sound, thus sup-

port 1.) and 2.) above.

Next, we show by contradiction, that all the effects

of T

are removed by Algorithm 3.

Proof Sketch.

Consistency by contradiction;

1. Assume that some inconsistent attribute A

that is

affected by malicious transaction T

and A

is not

ﬁxed by Algorithm 3.

2. But attribute A

must be assigned by a transaction

that is affected by T

3. Algorithm 3 executes all transactions in AT by

their committed order on the given snapshot and

AT contains all transactions that are affected by

4. AT contains all transaction id which are affected

by T

. So T

is in AT .

5. Since T

is re-executed from a consistent state

without affect from T

by Algorithm 3, all at-

tributes assigned by T

are consistent including A

6. So A

must be consistent. This contradicts the sup-

position that A

is inconsistent.

Serializability;

Case 1: There is no conﬂict operation between trans-

action T

and T

1. In this case, the following conditions must be true

by deﬁnition of conﬂict transactions

(a) R s

∩W s

is ∅.

DATA 2021 - 10th International Conference on Data Science, Technology and Applications

(b) R s

∩W s

is ∅.

∩W s

is ∅.

2. The partial order of transaction T

and T

can be

represented using directed graph.

3. There is no edge between node of T

and T

be-

cause of the conditions above.

4. So the graph is a directed acyclic graph. This his-

tory is conﬂict-serializable.

Case 2: There is a conﬂict operation between transac-

tion T

and T

1. In this case, at least one of the following condi-

tions must be true by deﬁnition of conﬂict trans-

actions

(a) R s

∩W s

is not ∅.

(b) R s

∩W s

is not ∅.

∩W s

is not ∅.

2. Case (a): R s

∩W s

is not ∅.

1 T

always reads attribute value from the snap-

shot which is a database state preceding a state

that T

writes. So the read operation of T

al-

ways precedes the write operation of T

2 The partial order of transaction T

and T

can be

represented using a directed graph.

3 The edge between node of T

and T

is in a di-

rection from T

to T

because T

always precedes

4 So the graph is a directed acyclic graph. This

history is conﬂict-serializable.

3. Case (b): R s

∩W s

is not ∅.

1 Algorithm 2 discovers all attributes that are af-

fected by a malicious transaction T

as claimed

in Theorem 1 and it locks all those attributes.

2 There are 2 possible cases as follows:

i) The attribute A

in R s

∩W s

is not an af-

fected attribute.

ii) The attribute A

in R s

∩W s

is an affected

attribute.

2.1 Case (i): the attribute A

in R s

∩W s

is not

an affected attribute.

2.1.1 The attribute A

which was written by af-

fected transaction T

is consistent and will

not be overwritten after T

is re-executed in

snapshot. So the history is preserved and

the write operation of T

over A

precedes the

read operation of T

as in the original history.

2.1.2 The partial order of transaction T

and T

can

be represented using a directed graph.

2.1.3 The edge between node of T

and T

is in a

direction from T

to T

because T

always pre-

cedes T

Figure 1: Transaction Dependency in Case 2.b.i.

Figure 2: Transaction Dependency in Case 2.b.ii.

2.1.4 So the graph is a directed acyclic graph. This

history is conﬂict-serializable.

2.2 Case (ii): The attribute A

in R s

∩W s

an affected attribute.

2.2.1 The attribute A

is locked by Algorithm 2 un-

til the re-execution of affected transactions

which modiﬁes A

is ﬁnished and the con-

sistent value of A

is updated. So the write

operation of T

always precedes the read op-

eration of T

2.2.2 The partial order of transaction T

and T

can

be represented using a directed graph.

2.2.3 The edge between node of T

and T

is in a

direction from T

to T

because T

always pre-

cedes T

2.2.4 So the graph is a directed acyclic graph. This

history is conﬂict-serializable.

4. Case (c): W s

∩W s

is not ∅.

1 Algorithm 2 discovers all attributes that are af-

fected by a malicious transaction T

as claimed

in Theorem 1 and it locks all those attributes.

2 There are 2 possible cases as follows:

i) The attribute A

in W s

∩W s

is not an af-

fected attribute.

ii) The attribute A

in W s

∩W s

is an affected

attribute.

2.1 Case (i): the attribute A

in W s

∩ W s

not an affected attribute.

2.1.1 The attribute A

which was written by af-

fected transaction T

is consistent and will

not be overwritten after T

is re-executed in

snapshot. So the history is preserved and

the write operation of T

over A

precedes the

write operation of T

as in the original his-

tory.

Database Recovery from Malicious Transactions: A Use of Provenance Information

Figure 3: Transaction Dependency in Case 2.c.i.

Figure 4: Transaction Dependency in Case 2.c.ii.

2.1.2 The partial order of transaction T

and T

can

be represented using a directed graph.

2.1.3 The edge between node of T

and T

is in a

direction from T

to T

because T

always pre-

cede T

2.1.4 So the graph is a directed acyclic graph. This

history is conﬂict-serializable.

2.2 Case (ii): the attribute A

in W s

∩W s

an affected attribute.

2.2.1 The attribute A

is locked by Algorithm 2 un-

til the re-execution of affected transactions

which modify A

is ﬁnished and the consis-

tent value of A

is updated. So the write op-

eration of T

always precedes the write oper-

ation of T

2.2.2 The partial order of transaction T

and T

can

be represented using a directed graph.

2.2.3 The edge between node of T

and T

is in a

direction from T

to T

because T

always pre-

cedes T

2.2.4 So the graph is a directed acyclic graph. This

history is conﬂict-serializable.

5. Consider all the possible cases, the history con-

taining all operations of T

and T

is conﬂict-

serializable.

Complexity Analysis: Assume n number of transac-

tions were committed after the malicious transaction,

the database has m number of attributes, and r num-

ber of transactions were affected by the malicious

transaction. Let t

create

denote the time required to

create the provenance record for a transaction. The

time required to retrieve the attributes that may have

been corrupted by a transaction is denoted by t

check

The time required to add a transactions to a queue

waiting for recovery is denoted by t

queue

, the time

required to reexecute a transaction is denoted by

reexecute

, and the time required to unlock an attribute

is denoted by t

unlock

Algorithm 1. To create the provenance table

for each transaction, the loop from line 5-17 will be

executed at most m times and the nested loop from

line 10-12 will be executed at most m times. This

give us: Time = m

create

Algorithm 2. To ﬁnd all affected transactions,

Algorithm 2 checks each transaction. The loop from

line 12-35 will be executed at most m times and

either the nested loop from line 16-18 or another

nested loop from line 22-24 will be executed at

most the combined total of m times. The process

will be repeated for each transaction. This give us:

Time = nm

check

Algorithm 3. To repair the database, the af-

fected transactions will be queued and re-executed.

After a transaction is re-executed, then attributes of

this transaction will be unlocked if there is no risk

of inconsistency. The while loop from line 7-15 will

be executed r times until all affected transactions are

queued. The nested loop on line 11-13 will be exe-

cuted r times. The checking process from line 16-20

checks for attributes that are affected by only the

malicious transaction, they can be rolled back and un-

locked immediately. The loop from line 22-31 will be

executed r times to ﬁx each affected transaction. The

unlock process from line 24-30 checks for attributes

that were last updated by the re-executed transaction

is the last transaction which assign the values then

unlock. These attributes are unlocked that updated

these attributes. This process may be repeated up to

m times for each transaction (max. m × r). This give

us: Time = r

queue

) + r(t

reexecute

) + rm(t

unlock

Re-execute All Transactions. To re-execute all

transactions, we have to go through all n transac-

tions then unlock all m attributes. This give us:

Time = n(t

reexecution

) + m(t

unlock

Comparison between using Our Solution and

Re-executing All Transactions. Our solution use the

total time of Algorithm 2 and Algorithm 3: Time =

check

) + r

queue

) + r(t

reexecute

) + rm(t

unlock

Without loss of generality, we assume that for most

realistic workloads, the checking, queuing, and

unlocking processes (in Algorithm 2 and Algorithm

3) require substantially less time than the time needed

DATA 2021 - 10th International Conference on Data Science, Technology and Applications

to re-execute a transaction. The time required by our

solution will be bounded by Time = r(t

reexecute

). The

time required by re-executing all transactions will be

bounded by Time = n(t

reexecute

). Thus, our solution

can perform faster on the assumptions that r < n and

the processes in our algorithms requires substantially

less time than the re-execution process.

5 CONCLUSIONS & FUTURE

WORK

As the numbers and sophistication of attacks against

databases increase, it is necessary to support efﬁ-

cient and correct recovery from malicious transac-

tions. The solution presented in this paper provides

an efﬁcient an correct solution to recover from ma-

licious transactions. This increases the availability

of the system without dramatically decreasing perfor-

mance. We showed that our solution also preserves

conﬂict serializability.

Our ongoing work extends our results to reduce

the number of malicious transactions that affect the

database. Our approach is to combine snapshot iso-

lation with data provenance. Our provenance data

incorporates snapshot isolation to predict transaction

behavior. The transaction scheduler can use this in-

formation to prioritize transactions and block poten-

tial malicious transactions.

ACKNOWLEDGEMENT

This project was partially supported by the NCAE-C

Cyber Curriculum and Research 2020 Program.

REFERENCES

A. Chakraborty, A. K. Majumdar, and S. Sural (2010). A

column dependency-based approach for static and dy-

namic recovery of databases from malicious transac-

tions. International Journal of Information Security,

9(1):51–67.

Ammann, P., Jajodia, S., and Liu, P. (2002). Recovery from

malicious transactions. IEEE Transactions on Knowl-

edge and Data Engineering, 14(5):1167–1185.

Backes, M., Grimm, N., and Kate, A. (2016). Data lineage

in malicious environments. IEEE Transactions on De-

pendable and Secure Computing, 13(2):178–191.

Bissell, K., Lasalle, R., and Paolo, D. C. (2019). 2019 Cost

of Cybercrime Study | 9th Annual | Accenture.

Chandra, R., Kim, T., Shah, M., Narula, N., and Zeldovich,

N. (2011). Intrusion recovery for database-backed

web applications. In Proceedings of the Twenty-Third

ACM Symposium on Operating Systems Principles,

SOSP ’11, pages 101–114, New York, NY, USA. As-

sociation for Computing Machinery.

Chandra, R., Kim, T., and Zeldovich, N. (2013). Asyn-

chronous intrusion recovery for interconnected web

services. In Proceedings of the Twenty-Fourth ACM

Symposium on Operating Systems Principles, SOSP

’13, pages 213–227, New York, NY, USA. Associa-

tion for Computing Machinery.

Hammad, R. and Wu, C. (2014). Provenance as a service:

A data-centric approach for real-time monitoring. In

2014 IEEE International Congress on Big Data, pages

258–265.

Haraty, R. A., Kaddoura, S., and Zekri, A. S. (2018).

Recovery of business intelligence systems: Towards

guaranteed continuity of patient centric healthcare

systems through a matrix-based recovery approach.

Telematics Informatics, 35(4):801–814.

Haraty, R. A. and Zbib, M. (2014). A matrix-based damage

assessment and recovery algorithm. In 2014 14th In-

ternational Conference on Innovations for Community

Services (I4CS), pages 22–27.

Haraty, R. A., Zbib, M., and Masud, M. (2016). Data dam-

age assessment and recovery algorithm from mali-

cious attacks in healthcare data sharing systems. Peer-

to-Peer Networking and Applications, 9(5):812–823.

He, L., Yue, P., Di, L., Zhang, M., and Hu, L.

(2015). Adding geospatial data provenance into

sdi—a service-oriented approach. IEEE Journal of Se-

lected Topics in Applied Earth Observations and Re-

mote Sensing, 8(2):926–936.

Kaddoura, S., Haraty, R. A., Zekri, A., and Masud, M.

(2016). Tracking and repairing damaged healthcare

databases using the matrix. International Journal of

Distributed Sensor Networks, 2015:6:6.

Kim, T., Chandra, R., and Zeldovich, N. (2012). Recovering

from intrusions in distributed systems with DARE. In

Proceedings of the Third ACM SIGOPS Asia-Paciﬁc

conference on Systems, APSys ’12, page 10, USA.

USENIX Association.

Kim, T., Wang, X., Zeldovich, N., and Kaashoek,

M. F. (2010). Intrusion recovery using selective re-

execution. In Arpaci-Dusseau, R. H. and Chen, B., ed-

itors, 9th USENIX Symposium on Operating Systems

Design and Implementation, OSDI 2010, October 4-

6, 2010, Vancouver, BC, Canada, Proceedings, pages

89–104. USENIX Association.

Liang, X., Shetty, S., Tosh, D., Kamhoua, C., Kwiat, K.,

and Njilla, L. (2017). Provchain: A blockchain-

based data provenance architecture in cloud environ-

ment with enhanced privacy and availability. In 2017

17th IEEE/ACM International Symposium on Cluster,

Cloud and Grid Computing (CCGRID), pages 468–

477.

Liu, P. and Jajodia, S. (2001). Multi-phase damage conﬁne-

ment in database systems for intrusion tolerance. In

Proceedings. 14th IEEE Computer Security Founda-

tions Workshop, 2001., pages 191–205.

Lomet, D., Vagena, Z., and Barga, R. (2006). Recov-

ery from ”bad” user transactions. In Proceedings of

Database Recovery from Malicious Transactions: A Use of Provenance Information

the 2006 ACM SIGMOD international conference on

Management of data, SIGMOD ’06, pages 337–346,

New York, NY, USA. Association for Computing Ma-

chinery.

P. Liu, P. Ammann, and S. Jajodia (2000). Rewriting histo-

ries: Recovering from malicious transactions, pages

7–40. Springer.

Panda, B. and Giordano, J. (1998). Reconstructing the

database after electronic attacks. In Jajodia, S., ed-

itor, Database Security XII: Status and Prospects,

IFIP TC11 WG 11.3 Twelfth International Working

Conference on Database Security, July 15-17, 1998,

Chalkidiki, Greece, volume 142 of IFIP Conference

Proceedings, pages 143–156. Kluwer.

Panda, B. and Haque, K. A. (2002). Extended data depen-

dency approach: a robust way of rebuilding database.

In Proceedings of the 2002 ACM symposium on Ap-

plied computing, SAC ’02, pages 446–452, New York,

NY, USA. Association for Computing Machinery.

Panda, B. and Jing Zhou (2003). Database damage as-

sessment using a matrix based approach: an intrusion

response system. In Seventh International Database

Engineering and Applications Symposium, 2003. Pro-

ceedings., pages 336–341.

Xu, G. and Wang, Z. (2010). Data provenance architecture

based on semantic web services. In 2010 Fifth IEEE

International Symposium on Service Oriented System

Engineering, pages 91–94.

Zhang, O. Q., Ko, R. K. L., Kirchberg, M., Suen, C. H.,

Jagadpramana, P., and Lee, B. S. (2012). How to

track your data: Rule-based data provenance tracing

algorithms. In 2012 IEEE 11th International Confer-

ence on Trust, Security and Privacy in Computing and

Communications, pages 1429–1437.

DATA 2021 - 10th International Conference on Data Science, Technology and Applications