Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444 “Loss Minimization of Web Databases by Fine Grain Approach” Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni M.Tech IVSem O.C.T Bhopal India Department Of C.S.E O.C.T Bhopal India Head, Department of C.S.E O.C.T Bhopal IndiaAbstract Information is the most valuable asset driven web application, and must be guarded fromfor organizations. One of the goals of numerous types of malicious attacks. Security is aorganizations is to share their data and at the major concern in the application of web databasesame time to enforce their policies. Web database techniques to datasets containing personal sensitiveis a combined production with database or confidential information. To address this issue, atechnology and Web technology. Web database is more efficient and flexible security mechanism isplaced on the Internet, there are many security required to systematically authenticate users, controlproblems. The secrecy and the integrity are two network traffic [14], and provide efficient fine-important demands of security system. When grained access control. Traditional policies treatdatabase access control and the network security tables or columns as the basic access control unitare addressed separately, the security systems [03].are not optimized sufficiently as a whole. Fine- As security has gained significantgrained access control (FGAC) must be importance, organizations have been forced tosupported by web relational databases to satisfy protect individual preferences and comply withthe requirements of privacy preserving and many enacted privacy laws. This has been a strongInternet-based applications. We propose a model driving force for access control in relationalof integrating network security with criterion databases [07]. Traditional relation level accessbased access control to handle network security control is insufficient to address the increasinglyand the fine grained Web database access control complex requirements of access control policiessimultaneously. We have implemented our model where each cell in the relation might be governed byin college database and performance is evaluated. a separate policy. In order to address this demand,Whenever any unauthorized user altered our we are in need of a more fine grained access controldata a system called Web-Secure report to the scheme, at the row-level or even the cell-level.authorized user via E-mail or Short Message Security is an integrative concept thatService (SMS). The implementation results show includes the following properties [1]:that how our model is suitable for web database confidentiality (absence of Unauthorized disclosuresecurity. of a service or piece of information), authenticity (guarantees that a service or piece of information isKeywords: Fine grained access control, Web authentic), integrity [01](protection of a service ordatabase security, multiple policies, Privacy piece of information against illicit and/or undetectedpreservation, Network security, access control modification), and availability (protection of a service or piece of information against possible1. Introduction denials of service caused maliciously) [04]. Internet users interact with and use web Current day database applications, withapplications every day for a wide spectrum of tasks, large numbers of users, require fine-grained accessranging from online banking to social networking, control mechanisms, at the level of individualand everything in between. Security in database has tuples[17], not just entire relations/views, to controlbecome an important problem because of the large which parts of the data can be accessed by eachamount of personal data, which is tracked by many user. The authorization rules (security policy) maybusiness web applications. Web database is be different for different Web and distributedcombination of database and web technology. Web databases. It is convenient to implement flexibledatabase is placed on the Internet, there are many fine-grained access control for each database basedsecurity problems. Web and distributed databases on different authorization rules [13].play[02] the key role in most of these Web Currently, network security and databaseapplications and thus it is critical to protect them security are often addressed separately and thereforefrom unauthorized access and malicious attacks. the security system is not optimized properly as aOne of the key components of every web whole.application and arguably the most important in We propose a model of integrating networkterms of security [19] is the web applications security with criterion based access control todatabase. The web database is the heart of any data- 1437 | P a g e
  2. 2. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444handle network security and the fine grained Web 2. Related workdatabase access control simultaneously. Fine-grained access control was firstWe consider the issue of security of the web introduced as a part of the access control system indatabase at the database layer and network layer. INGRES by Stonebraker and Wong (1974), whichOur main emphasis is at database layer[05] where was implemented by query modification technology.we have applied fine grained access control to The basic idea of query modification is that beforeachieve security at row level or even cell level. being processed, user queries are transparently We have implemented our model in college modified to ensure that users can access only whatdatabase and performance is evaluated. Whenever they are authorized to access (Bertino et al., 2005;any unauthorized user altered our data a system Wang et al., 2007) [20][15].called WebSecure report to the authorized user via Views are used to specify and store accessemail or SMS. The implementation results show that permission for users. When a user submits a query,how our model is suitable for web database security. DBMS first finds all views [08] whose attributesThe rest of the paper is divided as follows. Section 2 include the attributes of the issued query, and thenpresent the security related work. Section 3.1 covers add the predicates of these views to the predicates ofthe proposed algorithm. Section 3.2 present the original query to form a new modified query,implementation. Section 4 Present Experimental which will be carried out.result and performance evaluation. Section 5 Recently, work on the policy for preservingconcludes the paper and also present future work. privacy has boosted the research of FGAC (Agrawal et al., 2002; Bertino et al., 2005). Bertino et al.1.1 Motivation (2005) [20] presented a privacy preserving access In the past decade alone, the widespread control model for relational databases, which needsavailability of broadband internet connections a basis of FGAC in relational databases.coupled with the relatively low cost of internet- Nevertheless, they did not describe how tocapable computers has led to a boom in the number implement the model.of internet users. As entire populations log on to the LeFevre et al. (2004) proposed a practicalinternet, the amount of physical data stored by web- approach to incorporating privacy policybased applications continues to soar. Internet users enforcement into an existing application andinteract with and use web applications every day for database environment where the implementation ofa wide spectrum of tasks, ranging from online FGAC at cell level was provided.banking to social networking, and everything in All works described above focused mainlybetween. Web database is a combined production on the enforcement of FGAC, and did not provide awith database technology and web technology. Data FGAC Model which supports many access controlsecurity [18] is a major issue in any web-based policies [11]. Less work has been done with theapplication. Web database was placed on the FGAC model. The work of Agrawal et al. (2005)Internet, there are many security problems. Real [20]and Barker (2008) suffered from specificworld web databases have information that needs to aforementioned securely stored and accessed. Web applications Chaudhuri et al. (2007) also extended SQLare becoming increasingly commonplace and the language to support fine-grained authorization bydatabase can be easily accessible. In the old web predicated grants. Not only the column- and cell-database system, some database rights were granted level authorizations, but also the authorizations forto legal users. Many applications are developed with function/procedure execution were supported.loosely-typed scripting languages [06] and make use Moreover, they designed query defined user groupsof a single database user with full permissions, a so- and authorization groups to simplify thecalled administrator user. Information is the most administration of authorizations.valuable asset for organizations. The information Olson et al. (2008) presented a formaldisclosure from such databases may have very framework for reflective database access controlserious impact on organization business. It is policies where a formal specification of FGACimportant to properly handle network and web policies was supported by Transaction Data-log. Thedatabase security issues [08] including security analysis [16] was also provided. Moreover,authentication, denial of service, and fine-grained they enforced policies by compiling policies inaccess control. So new security mechanism and Transaction Data-log into standard SQL viewsaccess control [3] approaches for databases and (Olson et al., 2009). The shortcomings are that theespecially for web databases have become a dire negative authorization and multiple policies at finenecessity. But with the development of web granularity (which are the major contributions of oursystems, the number of attacks on databases model) were not taken into account.increased and it has become clear that their security Kabra et al. (2006) [09] considered twomechanism and access control mechanism is different aspects of FGAC: efficiency andinadequate for web-based database systems. information leakage of enforcement of FGAC. Using query modification to enforce FGAC, there 1438 | P a g e
  3. 3. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444may exist redundancies in the final executed queries event. The attributes of the anomaly, such as user,because of the same predicates between the FGAC role, SQL command, then correspond to thepolicies and the queries issued by users. These environment surrounding such an event. Intuitively,redundancies include not only cheap comparisons, a policy can be specified taking into account thebut also expensive semi-joins, which would increase anomaly attributes to guide the response engine inthe execution time. taking a suitable action. Kabra et al. (2006) also considered the Fine-grained access control (FGAC) mustpotential of information leakage through channels be supported by web relational databases to satisfycaused by exceptions, error messages, and user the requirements of privacy preserving and Internet-defined functions. For remedying the two problems, based applications. We propose a model ofthey proposed methods for redundancy removal, the integrating network security with criterion baseddefinition of safety query plan, and the techniques to access control to handle network security and thegenerate safe query plans. fine grained Web database access control Wang et al. (2007) proposed a correctness simultaneously.criterion of FGAC for databases, which contains Inconsistency Attributesthree properties: secure, sound, and maximum. They User The user associated with the requestargued that any algorithm used to implement FGAC Role The role associated with the requestmust be sound and secure, and should strive to be Source IP the IP Address associated with the requestmaximum. They also pointed out that no algorithm Date and Time Date/Time of the anomalous request.exists that is both sound and secure. Then, they Client App The client application associated withproposed an algorithm that is sound and secure. In the request.this paper, we do not consider these aspects. Thereis another important related work. 3.1 Proposed Algorithm Bertino et al. (1997) proposed an extendedauthorization model for relational databases, which Algorithmsupports negative authorization. This work inspired Input: user U, relation R, action A, database to extend the FGAC model to support negative Output: the combined Fine Grained Access Controlauthorization. The main difference between their policy and ours is the granularity of negativeauthorization: the model they proposed can support ON ANOMALY DETECTIONonly negative authorization at coarse granularity IF ROLE != USERROLE and Source IP IN(tables, views), but our model can express negative NETWORK and OBJECTTYPE=tableauthorization at finer granularity (rows, columns, or And SQLCOMMANDcells). IN{INSERT,UPDATE,DELETE} Oracle’s Virtual Private Database (VPD) THEN SUSPENDmodel [9] supports finegrained access control CONFIRM REAUTHENTICATEthrough functions that return strings containing ON SUCCESSpredicates. Oracle virtual private database (VPD) Access to web database according to Policyalso uses query modification to implement FGAC ON FAILURE(Oracle Corporation, 2005). VPD supports Abort, Disconnect and response report toFGAC[10] through functions written as stored authorized userprocedures which are associated with a relation.When a user accesses the relation, the function is RS←∅;triggered to return predicates, and the database PStemp←∅;rewrites the SQL statement submitted by the user to PSrole←∅;include these predicates. For providing enhanced PStemp=Get all FGAC policies (U, R, A, D);access control, in addition to row level access PD=Inter Section of (PStemp);control, column-level VPD [12] has been added to RS=Get the Role Set (U, D);Oracle to provide column-level access control, for all r in RS dowhich in turn associates functions with columns. A PStemp←∅;function is associated with each relation, and when PStemp=Get RFGAC Policies Set (r, R, A, D);invoked returns a string containing predicates that PSrole←Inter Section of (PStemp);enforce fine-grained access control; the function end fortakes as input the mode of access and an application PR=Union of (PSrole);context which includes information such as user-idof the end user. Pout=PD∧PR. 3.2. Implementation3 Our approach The machine on which the experiments The detection of an inconsistency by the were performed has a system memory of 2GB, clockdetection engine can be considered as a system 1439 | P a g e
  4. 4. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444speed of 2.50 GHz, cache size of 512 KB, bus speed Now, instead of shipping the whole relation we canof 100 MHz, and a block size of 1 KB. All the compute a checksum on the tuples of the relation inexperiments were run on the ORACLE 11g database the main database, ship the checksum to the Web-management system. The tables used in our Secure site, compute a similar checksum of tuples inexperiments are of Educational Institute. The tables the local copies and compare the two checksums. Ifused are students (eno, name, tos), faculty (id, name, they do not match, it can be reported as a securitydept, courseid), courses (courseid, coursename), breach. In fact, if detecting inconsistency is all thatgrades (eno, courseid, grade), dept (deptno, dname), is required, we could do away with creating theemp(empno, ename, job, mgr, hiredate, sal, comm, result tables. Instead of storing the results as a table,deptno), bonus (ename, job, sal, comm), registration all we need to do is store the checksum of the query(eno,courseid), salgrade (grade, losal, hisal), users result. During the periodic check, we compare this(username, domainname, ipaddress, privatekey), checksum with the calculated checksum of thetmp(eno, grade, newgrade). tuples in the main database relation. The WebSecure is a system, which we aredeveloping to detect and report inconsistencies and We have incorporated this facility into oursecurity breaches in a web database. It runs on a Web-Secure code. We use MD5 checksums; weseparate site (typically different from the one on compute checksum of every tuple that is a 16-bytewhich the application runs and the one on which the value and compute the exclusive-OR of all themain database resides) monitoring the access to the checksums. This is the value that is transferred todatabase indirectly. It runs periodically at pre- the Web-Secure, where a similar procedure isdecided intervals and checks for the consistency of followed to compute the checksum, and comparedthe database relations and reports any discrepancies. with the computed checksum of the local copy. ThisIt also has a local copy of original data, which can reduces the network traffic significantly, whichbe used to restore the database to the consistent would otherwise have been very high, if the wholestate. relation was transferred periodically to the Web- We built a package in Java. Any Secure site.application that uses this package should call theappropriate function and send the query along with 4. Experimental Results and Performancethe parameters. We create a table containing the Evaluationparameters of the queries passed, one table per We have Performed the row level or Cellquery type. And similarly we have one result table Level Security on the table as mentioned below andper query type. When a new query is received at the The Data Dictionary is also given below of eachWeb-Secure, we detect if it is a duplicate and insert table:it into the table accordingly. We then run the queryon the main database and store the result we get in DEPTthe corresponding result table. Also each set of DEPTNO NUMBER(2)parameter and result tables are identified by the DNAME VARCHAR2(14)parameters in the query. LOC VARCHAR2(3) We get the entire main database table to the Department table consists of DepartmentWeb-Secure site and join it with the local parameter Number(DEPTNO), Department Name(DNAME),table and detect the inconsistencies. In order to Location(LOC).optimize the activity performed by the Web-Secure,we run as less number of queries as possible during COURSESthe periodical activity of verifying the consistency COURSEID VARCHAR2(20)of the database. For every type of query, i.e., for set COURSENAME VARCHAR2(20)of queries of the same type (meaning same number Courses table consists of Courses Identityand type of parameters), the Web-Secure runs a (COURSEID),Courses Name(COURSENAME).single query in order to check the results with thelocal copies. As the parameters differ only in values, EMPwe perform a join of the parameter table with the EMPNO NUMBER(4)database table to get the results and compare themwith the locally stored result tables containing ENAME VARCHAR2(10)original contents. JOB VARCHAR2(9) MGR NUMBER(4) Our earlier model of Web-Secure maintains HIREDATE DATEa copy of the frozen query results and periodically, SAL NUMBER(7,2)it transfers the whole relation of the main database COMM NUMBER(7,2)to the Web-Secure site and does a join of the DEPTNO NUMBERparameter table with this relation as part of thequery to detect differences between these copies. 1440 | P a g e
  5. 5. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444Employee table consists of Employee Number TMP(EMPNO), Employee Name (ENAME),Job(JOB), ENO VARCHAR2(20)Manager(MGR),Hiredate(HIREDATE),Salary(SAL GRADE VARCHAR2(2)),Commission (COMM),Department Number NEWGRADE VARCHAR2(2)(DEPTNO). Temprorary table consists of Employee Number (ENO),Grade(GRADE),New Grade(NEWGRADE).GRADES ENO VARCHAR2(20) There are eleven tables in our concept of COURSEID VARCHAR2(20) fine grain approach.Now we will performed our GRADES VARCHAR2(20) approach on the grade table.The fine grain approachGrades table consists of Employee Number (ENO), is applied where the database tables are used notCourse Identity(COURSEID),Grades(GRADES). frequently.The example of our approach can be applied on grade system and if tables commercially,BONUS it can be applied on Land Registry,fixed deposits of ENAME VARCHAR2(10) banks etc. JOB VARCHAR2(9) SAL NUMBER Now We have Performed the Operation on the table COMM NUMBER grade. Before doing the Operation The TicketBonus table consists of Employee Name (ENAME), authorization Serever will check for the authorizedJob(JOB),Salary(SAL),Commission(COMM). user.STUDENTS ENO VARCHAR2(20) NAME VARCHAR2(20 TOS VARCHAR2(20Students table consists of Employee Number(ENO),Name(NAME),Type of Course Name(TOS).REGISTRATION ENO VARCHAR2(20) COURSEID VARCHAR2(20)Registration table consists of Employee Number(ENO), Course Identity (COURSEID).FACULTY ID VARCHAR2(20) NAME VARCHAR2(20) DEPT VARCHAR2(20) COURSEID VARCHAR2(20)Faculty table Consists of Identity(ID),Name(NAME),Department(DEPT),Couse Identity(COURSEID).SALGRADE GRADE NUMBER LOSAL NUMBER HISAL NUMBERSalary Grade table consists of Grade (GRADE),Low Salary (LOSAL) ,High Salary(HISAL).USERS USERNAME VARCHAR2(20) Fig. 1 DOMAINNAME VARCHAR2(20) IPADDRESS VARCHAR2(20) Here, authorized user mean he should be registered PRIVATEKEY VARCHAR2(20) in database and should be aware to Server IPUsers table consists of User Name (USERNAME), Address.If this true,Then Ticket AuthorizationDomain Name (DOMAIN NAME), IP Address Server will allow to perform the operation to(IPADDRESS), Private Key(PRIVATEKEY). authorized usres.So that We assume the application Software are secure because as we may see in 1441 | P a g e
  6. 6. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444Fig.1,the user should be registered as well as should snapshot describes the Fig. 2 mentioned conceptbe aware to server IP address. here only one cell of one table is being modified. Our approach gives the logoff data that is whenWe assume the sense of following parameter: modified two of modification old value and also theScholar Number : Registerd User in database. updated value.TAS IP :Client IPTarget Servers’s IP Address:Server IP Address In the Fig. 2 named as Grade Information(Where we have to send the value). We are changing the grade table through cell levelDuration(in minutes):for how much time. approach. Here only authorized user is able toValue toSend:What we have to send change the grade but If there is an impersonification,and then send request to TAS server. the impersonified person can only change a singleSo, To Perform a task User should be aware for data therefore the whole table is secure from thethe above parameter . attack of an intruder. This is the concept behind of our approach. If unauthorized User will bypassdirectly/logged to this database system Then he may If Unauthorized User gets an entry into thealter the useful data ,So it is clear that Database database Server then he would not be able tosystem are inseure so We are providing the security manipulate the Whole table, only One Cell of theat database System. Here We are providing the data may be modified that too will be received bysecurity on grade table. authorized user and he would get the information by mail & SMS Which Would describe the old and updated value. Fig. 2In the Student Information System, meaningfullyunauthorized user Will alter data on grade table, soWe have Provided the Security on grade table. Onlyone of the enroll grade will be alter at a time byunauthorized user. Then instantly The Web Secure Fig. 3will report to authorized user by email/sms with oldvalue and updated value, and then authorized user So, As we may See in Fig. 3 that only one cell willmay act. So here we are minimizing loss of be alter at a time and instantly The Web Secure willdatabases by Fine Grain Approach. The above report to authorized user by email/sms with old 1442 | P a g e
  7. 7. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444 value and updated value and then authorized user The chart which has been given below is in may act. So,It may be noted that that we are histogram format. The number of users are same in minimizing the Loss of database using Fine Grain the X-axis and number of seconds is in the Y-axis. Approach. The performance can be evaluated hypothetically. The graph i.e., shown below evaluates the performance between users and number of interactions. Performance Graph 350 300Web Interaction per seconds 250 200 150 100 50 0 Fig. 5 10 20 30 40 50 60 70 80 In the Fig. 5 performance chart as we may No. of users see that we are comparing the performance of without FGAC and FGAC with time in second without versus number of users. FGAC Number of users in even same number we with FGAC may see that more time is taking in case of with FGAC while less in without FGAC with respect to web interaction per seconds so again it is clear that we are getting more security in case of FGAC Fig. 4 because we are working on cell level therefore time required is more and information retrieval is less. In the Fig. 4 performance graph we measure the performance of FGAC and without 5 Conclusion and future work FGAC with Web interaction per second Vs no. of Web database is combination of database users. As we may see in the Fig. 4 the number of and web technology. Security of data stored in the users in any number interacting / hitting more web web database is of prime importance in today’s interaction per second in without FGAC and less in world with growing E-business. In order to preserve with FGAC so it is clear that we may retrieve less data privacy, we assume that no one except the data information in case of FGAC because less owner or authorized users have the right to access interaction/hitting with web interaction per second. the original data. We propose an authentication So it may be noted it is providing security to the mechanism when certain anomalous actions are database server. executed against critical system resources such as anomalous access to system tables. The system was considered extremely useful by the administrators. These results clearly show that our approach is very accessible to most administrators and can be of extreme importance in helping them to become more aware of the security 1443 | P a g e
  8. 8. Dilip kumar Choubey, Prof. Joy Bhattacharjee, Prof. Roopali Soni / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 Vol. 3, Issue 1, January -February 2013, pp.1437-1444flaws existent in the configuration of the Access Control for GridFTP usingenvironments that they manage. The termination of SecPAL, IEEE 2007, Pg 1-9the users requests at the early stage avoids to [14] Rongxing Lu, Xiaodong Lin, Haojin Zhu,unnecessarily processing the requests further. The Pin-Han Ho & Xuemin (Sherman) Shen,implemented system can be applied to many areas “A Novel Anonymous Mutualsuch as education, finance, marketing, health care, Authentication Protocol With Provablegovernment, and military. We implemented our Link-Layer Location Privacy”, IEEE, 2009.system in Education domain. The propose policy [15] Jie Wang & Jun Zhang, “Addressingmechanism and access control mechanism is Accuracy Issues in Privacy Preserving Dataapplicable for any existing web databases and is Mining through Matrix Factorization”,capable to prevent many kinds of attacks, thus IEEE, 2007.significantly decreases the web databases attack [16] Anup Patel, Naveeta Sharma, Magdalini,surface. We propose a system which report when “Negative Database for Data Security”,any unauthorized user modifies our web database IEEE 2009via SMS. [17] Attribute- Based Encryption for Fine- Future work: Web database security and Grained Access Control of EncryptedSemantic web is constantly research topic. Our Data”, IEEE 2008future works is to provide semantic web capability [18] Qing Zhao, Shihong Qin, “ Study onto analyze user access and authentication. Security- based Database”, IEEE 2008 [19] Alex Roichman & Ehud Gudes, “Fine-References grained Access control to web databases”, [1] Zhu Yangqing, Yu Hui, Li Hua, Zeng ACM SACMAT, 2007. Lianming, Design of a new web database [20] Elisa Bertino & Ravi Sandhu, “ Database security model, IEEE, 2009, 292-297 Security- Concepts, Approaches, and [2] Leon Pan, A Unified Network Security and challenges”, IEEE Transactions on Fine-Grained Database Access Control Dependable and secure computing, 2005. Model, IEEE 2009, pg 265-270 [3] Xueyong Zhu, William Atwood, A web database Security model using the Host identity protocol, IEEE 2007 [4] Lianzhong Liu, Qiang Huang, A framework for database auditing, IEEE, 2009, 982-988 [5] Afonso Neto, Marco Vieira, Henrique Maderia,An appriasal to assess the security of database configurations, IEEE, 2009, 73-80 [6] Qing Zhao, Shihong Qin, Study on security of web based database, IEEE, 2008, 902- 910 [7] WU Pufeng, Zhang Yoqing, An overview of Database security, Computer Engineering, Vol 32,2006,85-88 [8] Zhou Wen, A new web accessing database module basing in security of information computer security, 2008, 63-66 [9] S. Sudershan, Govind Kabra, Ravishankar Ramamurthy, Redundancy and Information Leakage in Fine-Grained Access Control, ACM SIGMOD 2006 [10] Jie SHI, Hong ZHU, A fine-grained access control model for relational databases, IEEE 2010, Pg 575-585 [11] Sohial Imran, Irfan Hyder, Security Issues in Databases, IEEE 2009, Pg 541-545 [12] Wang Baohua, Ma Xinqiang, Li Danning, A formal multilevel database security model, IEEE 2008, Pg 252-265 [13] Marty Humphrey, Sang-Min Park, Jun Feng, Norm Beekwilder, Fine-Grained 1444 | P a g e