
1. INTRODUCTION

1.1 Background Information

The relational database, a collection of data sets organized according to the relational model, emerged in the early 1970s and has since been widely adopted by relational database management systems (RDBMS). The relational model became the predominant choice for data storage over the hierarchical and network storage models because of its flexibility. It is also efficient in accessing information, retrieving data and updating data, and it provides the necessary security controls. A relational database consists of tables; each table has a column known as the primary key, which a foreign key in another table references. In addition, a relational database has constraints, one of the mechanisms for enforcing rules within the database (Codd, 1970). That notwithstanding, relational databases are widely subjected to numerous attacks such as SQL injection, malicious modification by an internal attacker, password sniffing and so on. Insiders may also try to penetrate the database for personal gratification or gain, compromising sensitive data such as a company's strategic plans, business plans, budgets, employee credentials and other essential information. These valuable organizational, personal and business data are therefore in danger of malicious attack, and constant monitoring of the database is a task that must be carried out with the significance of the data in mind. The Gartner group, a world leading information technology research and advisory company, has proposed measures to eliminate data leakage in organizations (Gartner, 2011).
Jurisdictions such as the EU and the US have regulations that guide database management with respect to security. Network related attacks such as IP address spoofing, data modification, denial of service and SQL injection are becoming increasingly sophisticated. According to Peter Mell (2005), highly sophisticated techniques that are difficult to detect are being deployed in order to break IT security systems. Some of the goals of a database attacker in the relational model are: to determine the database schema (tables, views, procedures); to extract, modify or add data by means of the data manipulation language; to identify injectable parameters; to perform denial of service, such as dropping the database or a table or locking the database; to evade detection; to execute remote commands; to bypass authentication; and to escalate privileges. For this reason organizations and the business world have to pay much closer attention to relational database attacks. DBMS such as Oracle, MySQL and PostgreSQL now ship built-in security mechanisms such as access control lists and other credential checks. However, the internal threat dilemma is still a reality, since

continuous attacks would still be mounted by insider adversaries. It is therefore necessary for organizations, through their database administrators (DBAs), to re-evaluate their security standards and mechanisms for handling these dynamic threats rather than relying on the built-in features of relational databases. This study proposes the manual development of a specification that captures legitimate system behavior, maintained alongside a log of the MAC addresses of all devices accessing the database at any given time. The specification based approach builds on anomaly detection and response techniques, acting on behavioral deviations from a user's profile. For instance, if a particular user normally accesses a portion of one table and suddenly accesses attributes (columns) of all tables, that deviation should trigger a detection. In this study a deviation is defined by a set of explicit rules used to monitor the log; when a rule is broken a detection is raised, which in turn calls for a system response. Policies defining which categories of users may access which types of data are necessary to give the approach a high degree of assurance; without such policies, detection and response during an attack become difficult. One caveat applies to the MAC address as an identifying attribute: it is visible only on the local network segment and is easily changed by the device owner, so it should be treated as one attribute of a session among several (user ID, source IP, time, client software) rather than as proof of identity.

1.2 Statement of the Problem

SQL injection techniques. SQL injection poses serious threats to web based applications and database systems alike. SQL injection is a code-injection attack in which instructions supplied by the intruder are embedded in a query, such that part of the intruder's input is parsed as valid SQL code (Halfond, 2006). This has created a security gap in relational database management systems. Moreover, a study conducted by the Gartner group on over 300 internet web sites indicated that most of these sites could be vulnerable to Structured Query Language injection attacks (SQLAs)
posing a huge risk to a critical organizational asset (data). Insider threat is another threat that exists in every organization, since employees (insiders) are the key drivers in executing the organization's operational plan. A disgruntled employee or insider may cause asset loss for the organization by knowingly taking actions that lead to negative consequences. Perceived injustice, retaliation, aggression, a sense of entitlement or an unwitting need for attention are some of the many conditions that can lead an employee to corrupt a database (Nabeel Mohamed, 2009). At the RSA conference (2013), Dawn Cappelli, technical manager of the CERT Insider Threat Center at Carnegie Mellon University, described several cases in which current and former employees sabotaged companies by planting malware, stole confidential corporate data or colluded with outsiders to commit fraud. The center has tracked 800 insider threat cases since 2001. Most

DBMS have not addressed this problem, perhaps because of the dynamic working environment of relational databases, and this translates into a gap in database security. Consider a DBA who connects to the database system from a recognized IP source and then issues a DROP command: the connection passes every network-level and credential check, so only inspection of the statement itself can catch the destructive action.

Access control vulnerabilities. Because of the proliferation of web based applications, which in most cases use a database server as the back-end, criminal activity against databases has been on the rise. Most of these web based applications still use a single database login to access all levels or every instance of the database system, so the database's own access controls cannot distinguish the application's legitimate queries from an intrusion made through the application.

Lack of adequate remote response after detection. Other problems in database management systems are a lack of effective response mechanisms, such as e-mail or SMS alerts to the lead administrators in an emergency, and inadequate forensic procedures for examining database transactions and producing an evidential report on criminal activity against the database.

1.3
Research Questions

1. Why is a specification based approach needed for an intrusion detection system in relational databases?
2. What is the significance of recording database logins with attributes such as MAC address, user ID, date and time?
3. How would the challenges caused by SQL injections and insider threats be addressed using this approach?
4. What mechanism would the system use to provide an immediate response when an anomaly is detected?

1.4 Objectives of the Study

1. To construct an audit log that captures environmental variables such as the source MAC address, the user's operating system, and the SQL commands executed on a given date and time.
2. To develop a framework for issuing a response after an anomaly has been detected, for instance an action that sends alert messages through e-mail.
3. To implement experimental mechanisms in the Oracle database management system in order to test the reliability of the study.
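The Statement of the Problem above describes the core of SQL injection: the intruder's input is spliced into the statement text and is parsed as SQL rather than as data. The following is an added example written for this edit, not code from the proposal. It uses Python's built-in sqlite3 module on a constructed in-memory users table (account names and passwords are sample data) to show the authentication-bypass and schema-enumeration goals listed in the background, the lone-quote probe an attacker uses to identify an injectable parameter, and the parameterized form that closes the gap.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return con


def login_vulnerable(con, name, password):
    """Vulnerable: user input is concatenated into the statement text, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, name, password):
    """Hardened: placeholders keep the input as data; the statement shape is fixed."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def search_vulnerable(con, name):
    """Vulnerable lookup that returns rows: a UNION in the input lets the attacker
    read any table the account can see, including the schema catalogue."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql).fetchall()]


def search_parameterized(con, name):
    """Hardened lookup: the same query with a bound parameter."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,)).fetchall()]


def quote_probe(con, login):
    """Attacker-side check for an injectable parameter: a lone quote breaks the
    statement syntax only if the input reaches the parser as SQL text."""
    try:
        login(con, "'", "x")
    except sqlite3.Error:
        return True
    return False


# Payloads: the first closes the name literal and comments out the password
# check (authentication bypass); the second appends a UNION over sqlite_master
# to enumerate the schema (the "determine database schema" goal).
BYPASS = "alice' OR '1'='1' -- "
SCHEMA_DUMP = "x' UNION SELECT sql FROM sqlite_master -- "

if __name__ == "__main__":
    con = make_db()
    print("bypass, vulnerable    :", login_vulnerable(con, BYPASS, "wrong"))
    print("bypass, parameterized :", login_parameterized(con, BYPASS, "wrong"))
    print("schema, vulnerable    :", search_vulnerable(con, SCHEMA_DUMP))
    print("schema, parameterized :", search_parameterized(con, SCHEMA_DUMP))
    print("injectable? vulnerable:", quote_probe(con, login_vulnerable),
          "parameterized:", quote_probe(con, login_parameterized))
```

The hardened versions do not filter or escape the input; they change how the statement is parsed, so the quote and the `--` comment never reach the SQL parser as syntax. The quote probe is also the shape of the check a detection engine can apply to statements before execution: a syntax error or an unexpected UNION in a query that an application normally issues with a fixed shape is itself a deviation from legitimate behavior.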

1.5 Justification

Today there are many products for monitoring databases against intrusion, but their shortcoming is an inability to respond suitably to an ongoing attack on the database. On the one hand, some of their strengths, especially in recovering the database's internal state, are to be recommended; on the other hand, questions remain about their inability to detect advanced attacks and about their response time relative to an ongoing attack. There is a need for an intrusion detection system that can send remote signals to multiple database administrators when an anomaly has been detected in the database. An immediate response, such as disconnecting the executing session and/or sending an e-mail alert, would be ideal there; hence the justification for this study.

1.6 Scope

This research is concerned with SQL security in relational databases, particularly the monitoring of database logins. It covers the process of detecting an SQL injection attack and discovering an insider threat, and the actions that can be taken to issue the necessary response using e-mail functions.

1.7 Definition of Terms

RDBMS: Relational Database Management System.
MAC address: Media Access Control address, a unique identifier assigned to a network interface for communication on a network segment.
DBMS: Database Management System.
SQL: Structured Query Language, a special-purpose programming language designed for the manipulation, access and general management of data held in a relational database system.
MySQL: An open source relational database management system that runs as a server providing access to multiple databases in a multi-user environment.
PostgreSQL: An open source object-relational database system. Besides standard relational tables it supports user-defined types, functions and table inheritance, which allows additional programs to be developed within the database.

1.8 Conceptual Framework

The framework below brings out that attacks largely originate in the SQL environment rather than in other areas such as transaction profiles. The two system phases, detection mode and response mode, are laid out in the diagram to show how they relate to one another. The detection engine examines each SQL statement before execution, classifies it as anomalous or non-anomalous against the stored profiles and sends the result to the response engine. The audit data stores the accesses and all transactions made within the database.

[Figure: Specification Framework. Detection mode: an SQL query is submitted (the point prone to SQLAs attacks) and passed to Detection, which consults Profiles, user IP and Audit Data; a non-anomalous query proceeds to the Database Response. Response mode: an anomalous query is handed to Response, which issues an alert message through e-mail.]
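The detection and response modes described above, together with the audit-log attributes from the objectives (MAC address, user ID, client OS, SQL text, date and time) and the rule-based deviation defined in the background, are worked out below as an added example. It is not the proposal's own implementation: the audit records are constructed sample lines, the specification entries are hypothetical policy values, and the e-mail is composed but never sent. The detector applies the specification to each record at the point where the statement would be executed and returns the violations with the response action (alert, or block for destructive statements), which also covers the case of a DBA issuing DROP from a recognized device.

```python
import re
from dataclasses import dataclass
from email.message import EmailMessage

# Constructed audit records (sample data, not a real log) in the shape the
# proposal describes: date/time | user ID | source MAC address | client OS | SQL
AUDIT_LOG = """\
2014-03-03T09:01:10 | jdoe | 00:1a:2b:3c:4d:5e | Windows 7 | SELECT name, salary FROM employees WHERE dept = 'sales'
2014-03-03T09:02:44 | jdoe | 00:1a:2b:3c:4d:5e | Windows 7 | UPDATE employees SET phone = '555-0100' WHERE id = 42
2014-03-03T09:05:19 | jdoe | 00:1a:2b:3c:4d:5e | Windows 7 | SELECT * FROM budgets
2014-03-03T09:07:02 | jdoe | 08:00:27:9f:12:aa | Linux | SELECT name, salary FROM employees WHERE id = 7
2014-03-03T09:09:30 | dba | 00:aa:bb:cc:dd:ee | Linux | SELECT count(*) FROM employees
2014-03-03T09:10:55 | dba | 00:aa:bb:cc:dd:ee | Linux | DROP TABLE budgets
""".splitlines()

# Hand-written specification of legitimate behaviour (hypothetical policy
# values): devices each account may use, tables it may touch, and the most
# columns one SELECT may name. None means unrestricted for that account.
SPEC = {
    "jdoe": {"macs": {"00:1a:2b:3c:4d:5e"}, "tables": {"employees"}, "max_columns": 3},
    "dba": {"macs": {"00:aa:bb:cc:dd:ee"}, "tables": None, "max_columns": None},
}

DESTRUCTIVE = re.compile(r"^\s*(DROP|TRUNCATE)\b", re.IGNORECASE)
SELECT_SHAPE = re.compile(r"^\s*SELECT\s+(.*?)\s+FROM\s+(\w+)", re.IGNORECASE | re.DOTALL)
TABLE_SHAPE = re.compile(r"\b(?:FROM|INTO|UPDATE|TABLE)\s+(\w+)", re.IGNORECASE)


@dataclass
class Alert:
    when: str
    user: str
    rule: str
    action: str  # "alert": let it run and notify; "block": stop execution too
    sql: str


def parse(line):
    """Split one audit record into its five fields."""
    return [field.strip() for field in line.split("|", 4)]


def check(line):
    """Detection mode: apply the specification to one record, return violations."""
    when, user, mac, client_os, sql = parse(line)
    spec = SPEC.get(user)
    if spec is None:
        return [Alert(when, user, "user not in specification", "block", sql)]
    # Destructive DDL is blocked regardless of how legitimate the session looks.
    action = "block" if DESTRUCTIVE.match(sql) else "alert"
    rules = []
    if mac not in spec["macs"]:
        rules.append(f"device {mac} ({client_os}) not in specification")
    m = TABLE_SHAPE.search(sql)
    table = m.group(1).lower() if m else None
    if spec["tables"] is not None and table not in spec["tables"]:
        rules.append(f"table {table} outside profile")
    s = SELECT_SHAPE.match(sql)
    if s and spec["max_columns"] is not None:
        cols = [c.strip() for c in s.group(1).split(",")]
        if cols == ["*"] or len(cols) > spec["max_columns"]:
            rules.append("column access broader than profile")
    if action == "block":
        rules.append("destructive statement (DROP/TRUNCATE)")
    return [Alert(when, user, r, action, sql) for r in rules]


def audit(lines):
    """Run detection over a whole log; the response mode acts on the result."""
    return [alert for line in lines for alert in check(line)]


def alert_mail(alerts, to="dba-team@example.org"):
    """Response mode: compose the e-mail the response engine would dispatch to
    the administrators (composition only; hypothetical address, nothing is sent)."""
    msg = EmailMessage()
    msg["Subject"] = f"[DB-IDS] {len(alerts)} specification violation(s)"
    msg["To"] = to
    msg.set_content("\n".join(
        f"{a.when} {a.action.upper():5} {a.user}: {a.rule} -- {a.sql}" for a in alerts
    ))
    return msg


if __name__ == "__main__":
    print(alert_mail(audit(AUDIT_LOG)))
```

Of the six constructed records, the first, second and fifth match their owner's specification and pass silently. The third (SELECT * on a table outside the profile) raises two rules, the fourth raises the device rule because the same user appears from an unlisted MAC address, and the DROP from the DBA's recognized device is flagged for blocking even though user, device and table are all permitted. The specification is deliberately explicit policy rather than a learned baseline, which is the point of the specification based approach: what counts as a deviation is decided before the attack, not inferred afterwards.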

REFERENCES

1) Bertino, E., Kamra, A., Terzi, E. and Vakali, A. (2005). Intrusion Detection in RBAC Administered Databases. Proceedings of the Annual Computer Security Applications Conference (ACSAC).
2) Chen, K., Chen, G. and Dong, J. (2005). An Immunity-Based Detection Solution for Database Systems. Springer-Verlag, Berlin Heidelberg, pp. 773-778.
3) Boyd, S. and Keromytis, A. (2004). SQLrand: Preventing SQL injection attacks.
4) Nicolett, M. and Wheatman, J. DAM technology provides monitoring and analytics with less overhead. Gartner Research (November 2007).
5) Mogull, R. Top five steps to prevent data loss and information leaks. Gartner Research (July 2006), http://www.gartner.com.
6) Widom, J. and Ceri, S. (1995). Active Database Systems: Triggers and Rules for Advanced Database Processing.
7) Castano, S., Fugini, M.G., Martella, G. and Samarati, P. (1995). Database Security.
8) Hu, Y. and Panda, B. (2003). Identification of malicious transactions in database systems.
9) Lee, V. C. S., Stankovic, J. A. and Son, S. H. (2000). Intrusion Detection in Real-time Database Systems Via Time.
10) Hu, Y. and Panda, B. (2004). A Data Mining Approach for Database Intrusion Detection.
11) Barbara, D., Goel, R. and Jajodia, S. (2002). Mining Malicious Data Corruption with Hidden Markov Models.
12) Hatcher, T. (2001). "Survey: Costs of computer security breaches soar". Available at http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/
13) Poulsen, K. (2002). Guesswork Plagues Web Hole Reporting. Available at http://online.securityfocus.com/news/346.
14) Power, R. (2002). CSI/FBI Computer Crime and Security Survey. Computer Security Issues & Trends, 2002.
15) Wenhui, S. and Tan, T. (2001). A novel intrusion detection system model for securing web-based database systems.
16) Spalka, A. and Lehnhardt, J. (2005). A comprehensive approach to anomaly detection in relational databases. In DBSec, pp. 207-221.
17) Mell, P., Bergeron, T. and Henning, D. (November 2005). Creating a Patch and Vulnerability Management Program. Recommendations of the National Institute of Standards and Technology (NIST).
18) Goan, T., Martin, L., Brackney, D. and Ott, A. (2004). "The Cyber Enemy within... Countering the threat from Malicious Insider", pp. 346-347.
