A real-time intrusion prevention system for commercial enterprise databases

  • Authors:

  • Ulf Mattsson

  • Affiliations:

  • Protegrity, Incorporated., Stamford, CT

  • Venue:
  • SEPADS'05 Proceedings of the 4th WSEAS International Conference on Software Engineering, Parallel & Distributed Systems
  • Year:
  • 2005

Quantified Score

Hi-index 0.00

Visualization

Abstract

Modern intrusion detection systems are comprised of three basically different approaches, host based, network based, and a third relatively recent addition called procedural based detection. The first two have been extremely popular in the commercial market for a number of years now because they are relatively simple to use, understand and maintain. However, they fall prey to a number of shortcomings such as scaling with increased traffic requirements, use of complex and false positive prone signature databases, and their inability to detect novel intrusive attempts. This intrusion detection systems represent a great leap forward over current security technologies by addressing these and other concerns. This paper presents an overview of our work in creating a true database intrusion detection system. Based on many years of Database Security Research, the proposed solution detects a wide range of specific and general forms of misuse, provides detailed reports, and has a low false-alarm rate. Traditional database security mechanisms are very limited in defending successful data attacks. Authorized but malicious transactions can make a database useless by impairing its integrity and availability. The proposed solution offers the ability to detect misuse and subversion through the direct monitoring of database operations inside the database host, providing an important complement to host-based and network-based surveillance. Suites of the proposed solution may be deployed throughout a network, and their alarms man-aged, correlated, and acted on by remote or local subscribing security services, thus helping to address issues of decentralized management. Inside the host, the proposed solution is intended to operate as a true security daemon for database systems, consuming few CPU cycles and very little memory and secondary storage. The proposed Intrusion Prevention Solution is managed by an access control system, with intrusion detection profiles, with item access rates and associating each user with profiles. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case, notifies the access control system to alter the user authorization, thereby making the received request an unauthorized request, before the result is transmitted to the user. The method allows for a real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion. The method is also preventing an administrator impersonating a user of a relational database, which database at least comprises a table with at least a user password, wherein the password is stored as a hash value. The method comprises the steps of: adding a trigger to the table, the trigger at least triggering an action when an administrator alters the table through the database management system (DBMS) of the database; calculating a new password hash value differing from the stored password hash value when the trigger is triggered; and replacing the stored password hash value with the new password hash value. In this paper, the design of the first MATTSSONHYBRID prototype, which is for Oracle Server 8.1.6, is discussed. MATTSSONHYBRID uses triggers and transaction profiles to keep track of the items read and written by transactions, isolates attacks by rewriting user SQL statements, and is transparent to end users. The MATTSSONHYBRID design is very general. In addition to Oracle, it can be easily adapted to support many other database application platforms such as IBM DB2, Microsoft SQL Server, Sybase, and Informix.