Topic: Methods for Database Security P5: Project Proposal ...



Topic: Methods for Database Security
P5: Project Proposal

Introduction:

Database security has become an important issue in today's world. Organizations have become highly dependent on databases for their daily operations. The objective of database security is to prevent undesired information disclosure and modification of data while ensuring the availability of the necessary service. The increase in the use of the World Wide Web in recent years has put emphasis on web database security. In this survey we present the different methods and frameworks that different papers propose for a common problem: database security.

Classification Scheme:

The papers we studied for database security are classified by the type of information security and the models they use. The classes are Encryption, Web-based Database Security, Negative Database, Authentication and Access Control, Timeliness and Security in Real-time Database Systems, and Testing Schemes for SQL Injections.

Encryption: This is the process of transforming plain-text information using encryption algorithms (called ciphers) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. Traditional database systems that store plain text face many threats of data corruption and collapse of the database. To avoid these threats, the data is stored in encrypted form in the database.

Web-based Database Security: Some methods are proposed to secure a Web database against illegitimate intrusion. Data transmission from the server to the client should be secured (using Secure Sockets Layer), and the host identity of an end system should be authenticated.

Negative Database: False data is added to the original data in the database to prevent data theft by malicious users while providing efficient data retrieval for all valid users.

Authentication and Access Control: Authentication verifies the identity of the user, and access control governs the user's actions or operations. Access control gives different privileges to different authenticated users.

Timeliness and Security in Real-time Database Systems: A trade-off has to be made between security and the priority of transactions. Different methods are proposed to ensure security while keeping a low probability of missing deadlines in real-time database systems.

Testing Schemes for SQL Injections: SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.

The Classification Scheme diagram of our survey lists the models under each classification:

Encryption: Mixed Cryptography; Conventional Encryption and Public Key Encryption; Encryption scheme limiting time cost of Encryption and Decryption; Encryption and Compression.

Web-based Database Security: Host Identity Protocol (HIP); New Web Database Security model.

Authentication and Access Control: Agent-based Simulation; Criterion-based Access Control.

Timeliness and Security in Real-time Database Systems: Adaptive Policy called Secure two-phase Locking Loop; Secure Optimistic Concurrency Control Algorithm.

Related Work:

Papers related to Encryption: Papers [1], [2], [3], [4]

Contribution: These papers propose different frameworks for database encryption.

Paper [1] proposed the Mixed Cryptography Database (MCDB), which encrypts databases over untrusted networks in a mixed form using many keys owned by different parties. This framework is very useful in strengthening the protection of sensitive data even if the database server is attacked at multiple points from the outside or inside. The framework ensures that confidentiality, privacy and integrity of data are achieved for the database.
The framework is explained in four steps: data is classified into groups; data is encrypted in the database; a Query Management Agent (QMA) and Result Analysis (RA) are used for query processing; and finally, the security of data storage and data transmission is analyzed. The results measure the probability of an outside attacker obtaining the encryption key and decrypting the data, and find it to be very low.

Paper [2] proposed a database encryption scheme for enhanced sharing of data inside a database while preserving data privacy. It combines conventional encryption and public key encryption, using the speed of conventional encryption and the convenience of public key encryption. A threat model is given, which mainly lists the threats faced by the database. A user encrypts private data with a randomly generated working key using a conventional encryption algorithm. To see the encrypted data, the user first decrypts the private key with the passphrase; with this private key the working key can then be decrypted to access the data. A security catalog is used; it has strict access control and cannot be updated even by an administrator. Future work will address two issues: researching how to improve the security and performance of the database in terms of the encryption algorithm, and devising self-tuning mechanisms to manage keys.

Paper [3] proposed a database encryption scheme that provides maximum security without decreasing the performance of the database system, while limiting the added time and cost of encryption. The scheme divides the data into sensitive and insensitive data: insensitive data is stored in the clear for fast retrieval, and sensitive data is stored in encrypted form to conceal it from intruders. The sensitive data (classified and private) are encrypted and decrypted using the Data Encryption Standard technique.
Their decryption is very fast, as only one key is needed to decrypt a whole column of encrypted data. Encrypted private data that is accessed needs to be decrypted separately using its own unique keys, but requests for private data are very rare.

Paper [4] proposed a framework to make e-government procurement secure by protecting the data in the database, using encryption-based Private Information Retrieval along with compression. This allows data to be stored, processed and retrieved in a secure fashion. To make data transactions secure, a Secure Box is introduced between the users and the central procurement database; important user information is stored there in encrypted form and decrypted in a secure way when requested by users. A recovery scheme is introduced for recovering the PIN of a vendor. Compression is used along with encryption to save the cost of storage and computation expansion. The Huffman algorithm is used to compress the bid file. Huffman trees are constructed for each vendor based on the frequency of characters in the file.

Papers related to Web-based Database Security: Papers [5], [6]

Contribution: Identified the security problems that arise when data is transferred via the Web (a third party) and proposed solutions for them.

Paper [5] proposed a Host Identity Protocol (HIP) to set up a limited relationship of trust between two hosts on the Internet. This model limits access to the Web server and database to the greatest extent. The users authenticated for access to the Web server are registered in the HUT in the Web server. If an attacker tries to access the Web server directly, bypassing the HIP Responder, the request will be dropped by the Web server because it is not registered in the HUT. Authentication of extended HIP with UI helps the Responder react to requests from attackers.

Paper [6] proposed a New Web Database Security Model for web database security.
This model consists of three modules: a login module, an audit module, and a program control module. The model was analyzed in the pork traceability information system. The old Web database system could not ensure web security when the user ID and password were stolen. The twice-login module helps properly check the authenticated user. The audit module keeps track of user activity in logs. The audit module confirms the legality of users and starts an auto-response program that executes operations to safeguard the database. The program control module prevents a user from accessing all modules of the web application system. Future work for the paper would be enhancing the data-mining capability of the audit module and optimizing every program module.

Papers related to Negative Database: Paper [7]

Contribution: Implemented the concept of a negative database to help prevent data theft.

Paper [7] proposed a framework which manipulates the original data and stores it in a database. This framework mainly consists of four modules: Database catching, Virtual database encryption, Database Encryption algorithm, and Negative Database conversion, which is applied to the actual data. The actual data passes through the first three modules to produce the input the fourth module needs to generate false data, which is stored along with the positive data; the result is called the negative database. The framework returns invalid results to malicious users and the original data for legitimate queries. The overall complexity of the security work is O(n), which is very high, but this is compensated for when compared with the low security and high risk to data in other applications.
This works only with INSERT and SELECT queries; future development is to support UPDATE queries.

Papers related to Authentication and Access Control: Papers [8], [9]

Contribution: Developed frameworks that help in defining permission rules, immediately fixing corrupted data and giving criterion-based access control to users.

Paper [8] proposed an agent-based simulation program that includes permission rules and immediate fixing of corrupted data to avoid database collapse. The program is written in C++. Its important elements are the agents, the data, the privileges the agents have on data, and the privileges that the owners of data have granted to other agents. The program stores the last user record, based on which the privileges of the user are determined and modified. If the user corrupts the data many times, all the privileges of that user may be revoked. Future work would be adding more advanced features to the simulation program.

Paper [9] proposed a criterion-based access control approach to deal with multilevel database security. In this approach, authorization rules are transformed into security criteria, security criterion expressions, and security criterion subsets, which serve as locks and keys. Each object/sub-object is embedded into a lock and a user is given a set of keys. The security criterion expression specifies all the users who lack permission to a sub-object. This system is easier, as one mechanism is used to define both the user's security attributes and the sub-objects' security attributes. It also reduces the cost of storage, as only one row and one column are added to the original table.

Papers related to Timeliness and Security in Real-time Database Systems: Papers [10], [11].

Contribution: Developed models for achieving a trade-off between the priority and security of transactions.
Their models achieve security without degrading real-time performance.

Paper [10] proposed an adaptive policy called secure two-phase locking loop to address the requirement of multilevel security in transaction scheduling and concurrency control. If two transactions conflict, i.e. one is blocked and waiting for the other to release a lock, the balance between security and priority is decided by looking up past history. The two factors on which the adaptive policy works are the security factor and a factor resembling the deadline-miss ratio.

Paper [11] proposed a Secure Optimistic Concurrency Control Algorithm for secure real-time database systems that does not degrade real-time performance. Previous work sacrificed more in timeliness. The method proposed in this paper shows that security can be achieved with negligible sacrifice in timeliness. The authors introduced a new metric called the Covert Channel Factor (CCF), as well as metrics for security maintenance and priority maintenance. The simulation program is written in C++. The experimental results show a low deadline-miss percentage and high security when compared with a non-secure algorithm. Future work would be to examine temporal consistency, design suitable concurrency control algorithms and study their performance.

Papers related to Testing Schemes for SQL Injections: Paper [12]

Contribution: Developed a testing scheme to stop SQL injections early on.

Paper [12] proposed a database security testing scheme that detects potential input points for SQL injection, automatically generates test cases, and finds database vulnerabilities by running these test cases as a simulated attack on an application. The SQL injection points are found by a complete scan of the application.
The generated test cases are submitted to the injection points, and the responses are recorded in reports to identify the attack parameters.

Summary:

This survey explores different methods used for database security. Some of the papers were extensions of other papers. The classification scheme we followed for our survey has been explained. The methods proposed in each individual paper are explained clearly in this report, along with the advantages of each method, the tools used and the future work. We compared the solutions of related papers. We gained good knowledge of various database security issues and their solutions.
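
The lock-and-key filtering described for Paper [9] above, as an added example that is not code from the paper or from this survey: each lock is modelled as the set of criteria whose holders lack permission, kept in one extra column (row locks) and one extra row (column locks). The table contents, criterion names such as `role:hr`, and the function names are assumptions made for illustration.

```python
# Added illustration of lock-and-key filtering; all data and criterion names
# are constructed, and the deny-set form of a lock is an assumption.
COLUMNS = ["name", "dept", "salary", "diagnosis"]

# The one added row: a lock per column. A lock lists the criteria whose
# holders lack permission to that sub-object.
COLUMN_LOCKS = {
    "name": frozenset(),
    "dept": frozenset(),
    "salary": frozenset({"role:clerk", "role:contractor"}),
    "diagnosis": frozenset({"role:clerk", "role:contractor", "role:hr"}),
}

# Constructed rows. The second tuple element is the one added column:
# a lock per row.
ROWS = [
    ({"name": "Ada", "dept": "R&D", "salary": 9000, "diagnosis": "none"},
     frozenset()),
    ({"name": "Bob", "dept": "Exec", "salary": 20000, "diagnosis": "flu"},
     frozenset({"role:contractor", "clearance:low"})),
]


def opens(lock, keys):
    """Keys open a lock only when none of them appears in its deny set."""
    return lock.isdisjoint(keys)


def select(keys):
    """Return the rows and columns visible to a user holding `keys`."""
    keys = frozenset(keys)
    if not keys:
        # Fail closed: with deny-set locks, a user with no criteria would
        # otherwise match no lock and see everything.
        return []
    # A column with no recorded lock is treated as locked for everyone.
    cols = [c for c in COLUMNS
            if c in COLUMN_LOCKS and opens(COLUMN_LOCKS[c], keys)]
    return [{c: row[c] for c in cols}
            for row, row_lock in ROWS if opens(row_lock, keys)]


if __name__ == "__main__":
    for user in ({"role:hr", "clearance:high"},
                 {"role:contractor", "clearance:high"}):
        print(sorted(user), "->", select(user))
```

Because a lock names who is denied rather than who is allowed, the empty key set and any column without a lock have to be rejected explicitly, which is why `select` fails closed in both cases.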