UNIT-III
DEFENCES: SECURITY COUNTERMEASURES
Cryptography in Network Security – Firewalls – Intrusion
Detection and Prevention Systems – Network Management –
Databases – Security Requirements of Databases – Reliability and
Integrity – Database Disclosure.
CRYPTOGRAPHY IN NETWORK SECURITY
Cryptography is the study of secure communications
techniques that allow only the sender and intended
recipient of a message to view its contents. The term is
derived from the Greek word kryptos, which means
hidden.
CRYPTOGRAPHY
Cryptography refers to the science and art of
transforming messages to make them secure and
immune to attacks. It is a method of storing and
transmitting data in a particular form so that
only those for whom it is intended can read and
process it.
Cryptography not only protects data from theft or
alteration but can also be used for user
authentication, thus preventing unauthorized access to
information. The prefix “crypt” means “hidden”
and the suffix “graphy” means “writing”.
In cryptography, the techniques used to protect
information are derived from mathematical concepts
and sets of rule-based calculations known as
algorithms, which convert messages in ways that
make them hard to decode.
These algorithms are used for cryptographic key
generation, digital signing, verification to protect
data privacy, web browsing on internet and to
protect confidential transactions such as credit
card and debit card transactions.
Encryption or cryptography—the name means
secret writing—is probably the strongest defense
in the arsenal of computer security protection.
ENCRYPTION
Encryption is the process of encoding a message so that
its meaning is not obvious; decryption is the reverse
process, transforming an encrypted message back into
its normal, original form.
Alternatively, the terms encode and decode or encipher
and decipher are used instead of encrypt and decrypt.
That is, we say we encode, encrypt, or encipher the
original message to hide its meaning. Then, we decode,
decrypt, or decipher it to reveal the original message.
A system for encryption and decryption is called
a cryptosystem. The original form of a message is
known as plaintext, and the encrypted form is
called ciphertext.
For example, we write C = E(P) and P = D(C),
where C represents the ciphertext, E is the
encryption rule, P is the plaintext, and D is the
decryption rule.
What we seek is a cryptosystem for which
P = D(E(P)).
In other words, we want to be able to convert the
plaintext message to ciphertext to protect it from an
intruder, but we also want to be able to get the
original message back so that the receiver can read it
properly.
ENCRYPTION KEYS
A cryptosystem involves a set of rules for how to
encrypt the plaintext and decrypt the ciphertext.
The encryption and decryption rules, called
algorithms, often use a device called a key, denoted
by K, so that the resulting ciphertext depends on the
original plaintext message, the algorithm, and the
key value. We write this dependence as C = E(K, P).
Essentially, E is a set of encryption algorithms, and
the key K selects one specific algorithm from the set.
TYPES OF CRYPTOGRAPHY:
There are three types of cryptography:
Symmetric Key Cryptography:
It is an encryption system where the
sender and receiver of a message use a single
common key to encrypt and decrypt messages.
Symmetric key systems are faster and simpler,
but the problem is that the sender and receiver have
to somehow exchange the key in a secure manner.
The most popular symmetric key cryptography
system is the Data Encryption Standard (DES).
Hash Functions:
There is no usage of any key in this algorithm.
A hash value of fixed length is calculated from
the plaintext, which makes it impossible for the contents
of the plaintext to be recovered. Many operating
systems use hash functions to encrypt passwords.
Asymmetric Key Cryptography:
Under this system a pair of keys is used to
encrypt and decrypt information. A public key is used
for encryption and a private key is used for decryption.
The public key and private key are different. Even if the
public key is known by everyone, only the intended receiver
can decode the message because he alone knows the private
key.
STREAM AND BLOCK CIPHERS
A stream cipher is an encryption algorithm
that uses a symmetric key to encrypt and
decrypt a given amount of data.
Block ciphers and stream ciphers are two
separate methods of encrypting data with
symmetric encryption algorithms:
Encrypting information in chunks. A block
cipher breaks down plaintext messages into
fixed-size blocks before converting them into
ciphertext using a key.
Encrypting information bit-by-bit. A stream
cipher, on the other hand, breaks a plaintext
message down into single bits, which then are
converted individually into ciphertext using key
bits.
Block ciphers are the algorithms that form the
backbone of many of the cryptographic
technologies and processes that are in use today
in computer communications. Basically, you can
find block ciphers just about anywhere in cyber
security.
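As an added example (not code from the lecture notes), the following Python builds a toy keyed stream cipher so that C = E(K, P) and P = D(K, C) can be exercised directly. The keystream generator is HMAC-SHA256 run in counter mode, an illustrative construction chosen for this example rather than a standard cipher such as DES or AES; the fixed 32-byte output of each HMAC call also shows how a block-structured generator feeds a byte-by-byte (stream) XOR. The key, nonce and messages are constructed values.

```python
"""Toy keyed stream cipher: C = E(K, P), P = D(K, C).

Illustrative construction for this example only (HMAC-SHA256 in counter
mode); it is not the cipher of the lecture notes and is not a substitute
for a vetted cipher such as AES.
"""
import hashlib
import hmac

BLOCK_LEN = hashlib.sha256().digest_size  # each keystream block is 32 bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` bytes of keystream.

    The generator works in fixed-size blocks (one HMAC output per
    counter value); the caller consumes those bytes one at a time,
    which is what makes the overall cipher a stream cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """C = E(K, P): the key K selects the keystream, which is XORed
    byte-by-byte into P. The nonce must be unique per message under a
    given key (see keystream_reuse_leak below)."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """P = D(K, C): XOR is its own inverse, so the same keystream undoes E."""
    return encrypt(key, nonce, ciphertext)


def round_trip_ok(key: bytes, nonce: bytes, plaintext: bytes) -> bool:
    """Checks the defining property of a cryptosystem: P == D(K, E(K, P))."""
    return decrypt(key, nonce, encrypt(key, nonce, plaintext)) == plaintext


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Why nonces must not repeat: XORing two ciphertexts made with the same
    (key, nonce) cancels the keystream and leaves p1 XOR p2, which no
    longer depends on K at all. Returned so a defender can see the leak."""
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key, nonce = b"sixteen byte key", b"msg-0001"   # constructed values
    plaintext = b"meet me at noon"
    c = encrypt(key, nonce, plaintext)
    print("ciphertext:", c.hex())
    print("round trip ok:", round_trip_ok(key, nonce, plaintext))
    print("wrong key gives:", decrypt(b"another 16B key!", nonce, c))
```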
FEATURES OF CRYPTOGRAPHY ARE AS FOLLOWS
Confidentiality:
Information can only be accessed by the person for
whom it is intended and no other person except
him can access it.
Integrity:
Information cannot be modified in storage or in
transit between sender and intended receiver
without the modification being detected.
Non-repudiation:
The creator/sender of information cannot deny
his intention to send the information at a later stage.
Authentication:
The identities of sender and receiver are
confirmed, as well as the destination/origin of
the information.
CRYPTOGRAPHY IN NETWORK SECURITY
There are two broad classes of encryption:
symmetric (secret key) and asymmetric (public
key) systems.
In network applications, encryption can be
applied either between two hosts (called link
encryption) or between two applications (called
end-to-end encryption).
In link encryption, data are encrypted just before
the system places them on the physical
communications link. In this case, encryption
occurs at layer 1 or 2 in the OSI model. (A similar
situation occurs with TCP/IP protocols, which
have a similar but shorter layered model.)
Similarly, decryption occurs just as the communication
arrives at and enters the receiving computer. As you
can see, the data travel in plaintext through the top
layers of the model until they are encrypted just prior
to transmission, at level 1. Addressing occurs at level 3.
Therefore, in the intermediate node, the encryption
must be removed in order to determine where next to
forward the data, and so the content is exposed.
END-TO-END ENCRYPTION
As its name implies, end-to-end encryption
provides security from one end of a transmission
to the other. The encryption can be applied
between the user and the host by a hardware
device.
FIREWALLS
A firewall is a network security device, either
hardware or software-based, which monitors all
incoming and outgoing traffic and, based on a
defined set of security rules, accepts, rejects or
drops that specific traffic.
Accept: allow the traffic
Reject: block the traffic but reply with an
“unreachable error”
Drop: block the traffic with no reply
INTRODUCTION
Firewalls control the flow of network traffic
Firewalls have applicability in networks where
there is no Internet connectivity
Firewalls operate on a number of layers
Firewalls can also act as VPN gateways
Firewalls can apply active content filtering technologies
A firewall establishes a barrier between secured
internal networks and an outside untrusted
network, such as the Internet.
Before firewalls, network security was
performed by Access Control Lists (ACLs)
residing on routers. ACLs are rules that
determine whether network access should be
granted or denied to specific IP addresses.
But an ACL cannot determine the nature of the
packet it is blocking. Also, ACLs alone do not
have the capacity to keep threats out of the
network. Hence, the firewall was introduced.
Accessing the Internet provides benefits to the
organization, but it also enables the outside world to
interact with the internal network of the
organization. This creates a threat to the
organization. In order to secure the internal
network from unauthorized traffic, we need a
firewall.
From the perspective of a server, network traffic
can be either outgoing or incoming. The firewall
maintains a distinct set of rules for both cases.
Mostly, outgoing traffic, originating from the
server itself, is allowed to pass. Still, setting rules on
outgoing traffic is always better in order to achieve
more security and prevent unwanted
communication.
Incoming traffic is treated differently. Most traffic
which reaches the firewall uses one of these three
major Transport Layer protocols: TCP, UDP or
ICMP. All these types have a source address and a
destination address. Also, TCP and UDP have port
numbers. ICMP uses a type code instead of a port
number, which identifies the purpose of that packet.
If the default policy on the firewall is set to accept,
then any computer outside of your office can
establish an SSH connection to the server.
Therefore, setting the default policy to drop (or
reject) is always a good practice.
Inbound traffic to port 25 (mail transfer) or port
69 (so-called trivial file transfer) is allowed to or
from any host on the 192.168.1 subnetwork.
By rule 3 any inside host is allowed outbound
traffic anywhere on port 80 (web page fetches).
Furthermore, by rule 4 outside traffic to the
internal host at destination address
192.168.1.18 (presumably a web server) is allowed.
All other traffic to the 192.168.1
network is denied.
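As an added example (not from the lecture notes), the following Python evaluates packets against the rule set just described with a first-match, default-drop policy. The numbering of the two mail/TFTP rules is assumed, rule 4 is taken literally from the text (any outside traffic to 192.168.1.18), and the sample packets are constructed.

```python
"""First-match packet filter for the rule set described in the notes.

Added example (not from the lecture notes). The rules are constructed to
match the text: mail (25) and trivial file transfer (69) to or from any
host on 192.168.1.0/24, any inside host outbound on port 80, outside
traffic to the internal host 192.168.1.18, and a default-deny policy
for everything else. Numbering of the first two rules is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")      # the "192.168.1 subnetwork"
WEB_SERVER = ip_address("192.168.1.18")    # presumably a web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def inside(addr: str) -> bool:
    """True when the address belongs to the protected subnetwork."""
    return ip_address(addr) in INSIDE


# (rule name, match predicate, action), evaluated top to bottom.
RULES = [
    ("rule 1 (assumed): port 25 to/from 192.168.1.0/24",
     lambda p: p.dport == 25 and (inside(p.src) or inside(p.dst)), "accept"),
    ("rule 2 (assumed): port 69 to/from 192.168.1.0/24",
     lambda p: p.dport == 69 and (inside(p.src) or inside(p.dst)), "accept"),
    ("rule 3: inside host outbound on port 80",
     lambda p: inside(p.src) and not inside(p.dst) and p.dport == 80, "accept"),
    # Taken literally from the text: any outside traffic to .18 is allowed.
    # Restricting this rule to the web port would be the tighter choice.
    ("rule 4: outside traffic to 192.168.1.18",
     lambda p: not inside(p.src) and ip_address(p.dst) == WEB_SERVER, "accept"),
]

DEFAULT_POLICY = "drop"   # "All other traffic to the 192.168.1 network is denied"


def filter_packet(pkt: Packet) -> tuple:
    """Return (action, reason) for the first matching rule, else the default."""
    for name, matches, action in RULES:
        if matches(pkt):
            return action, name
    return DEFAULT_POLICY, "default policy"


if __name__ == "__main__":
    samples = [   # constructed packets
        Packet("203.0.113.5", "192.168.1.18", 80),   # outside -> web server
        Packet("203.0.113.5", "192.168.1.7", 22),    # outside -> SSH on a host
        Packet("192.168.1.7", "198.51.100.9", 80),   # inside -> web fetch
        Packet("203.0.113.5", "192.168.1.7", 25),    # inbound mail
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```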
A firewall is a reference monitor,
positioned to monitor all traffic, not
accessible to outside attacks, and
implementing only access control.
Henric Johnson
FIREWALL DESIGN PRINCIPLES
The firewall is inserted between the premises
network and the Internet
Aims:
Establish a controlled link
Protect the premises network from Internet-
based attacks
Provide a single choke point
FIREWALL CHARACTERISTICS
Design goals:
All traffic from inside to outside must pass
through the firewall (physically blocking all
access to the local network except via the
firewall)
Only authorized traffic (defined by the local
security policy) will be allowed to pass
Four general techniques:
Service control
Determines the types of Internet services that
can be accessed, inbound or outbound
Direction control
Determines the direction in which particular
service requests are allowed to flow
TYPES OF FIREWALLS
Three common types of Firewalls:
Packet-filtering routers
Application-level gateways
Circuit-level gateways
(Bastion host)
Packet-filtering Router
Applies a set of rules to each incoming IP
packet and then forwards or discards the
packet
Filter packets going in both directions
The packet filter is typically set up as a list of
rules based on matches to fields in the IP or
TCP header
Two default policies (discard or forward)
Advantages:
Simplicity
Transparency to users
High speed
Disadvantages:
Difficulty of setting up packet filter rules
Lack of Authentication
Possible attacks and appropriate
countermeasures
IP address spoofing
Source routing attacks
Tiny fragment attacks
Application-level Gateway
Advantages:
Higher security than packet filters
Only need to scrutinize a few allowable
applications
Easy to log and audit all incoming traffic
Disadvantages:
Additional processing overhead on each
connection (gateway as splice point)
Circuit-level Gateway
Stand-alone system or
Specialized function performed by an
Application-level Gateway
Sets up two TCP connections
The gateway typically relays TCP segments
from one connection to the other without
examining the contents
Circuit-level Gateway
The security function consists of determining
which connections will be allowed
Typical use is a situation in which the
system administrator trusts the internal users
An example is the SOCKS package
Bastion Host
A system identified by the firewall
administrator as a critical strong point in the
network's security
The bastion host serves as a platform for an
application-level or circuit-level gateway
FIREWALL CONFIGURATIONS
Greater security than single configurations
because of two reasons:
This configuration implements both packet-
level and application-level filtering (allowing
for flexibility in defining security policy)
An intruder must generally penetrate two
separate systems
Screened host firewall, dual-homed bastion
configuration
The packet-filtering router is not completely
compromised
Traffic between the Internet and other hosts on
the private network has to flow through the
bastion host
DATA ACCESS CONTROL
Access Matrix: Basic elements of the model
Subject: An entity capable of accessing objects,
the concept of subject equates with that of process
Object: Anything to which access is controlled
(e.g. files, programs)
Access right: The way in which an object is
accessed by a subject (e.g. read, write, execute)
Access Control List
An access control list lists users and their
permitted access right
The list may contain a default or public entry
Capability list
A capability ticket specifies authorized objects
and operations for a user
Each user has a number of tickets
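As an added example (not from the lecture notes), the following Python holds a small access matrix and derives from it the two views just described: an access control list per object (with a default/public entry) and a capability list per subject. Subjects, objects and rights are constructed.

```python
"""Access matrix with its two projections: access control lists (one per
object) and capability lists (one per subject).

Added example (not from the lecture notes); subjects, objects and rights
are constructed. An ACL may carry a default/public entry under "*".
"""
from collections import defaultdict

# Access matrix: (subject, object) -> set of access rights
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("backup", "payroll.db"): {"read"},
    ("alice", "report.exe"): {"execute"},
}
# Default/public entry: rights any subject gets on an object
PUBLIC = {"report.exe": {"execute"}}


def access_control_lists(matrix, public):
    """Per-object view: object -> {subject: rights}, with "*" for the
    default entry. This is the column-wise reading of the matrix."""
    acl = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        acl[obj][subj] = set(rights)
    for obj, rights in public.items():
        acl[obj]["*"] = set(rights)
    return dict(acl)


def capability_lists(matrix):
    """Per-subject view: subject -> {object: rights}; each entry is a
    'ticket' the subject holds (the row-wise reading of the matrix)."""
    caps = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        caps[subj][obj] = set(rights)
    return dict(caps)


def allowed(acl, subject, obj, right):
    """Reference-monitor style check against the ACL, default entry included."""
    entries = acl.get(obj, {})
    return right in entries.get(subject, set()) or right in entries.get("*", set())


def revoke(acl, subject, obj, right):
    """Revocation is cheap with ACLs: edit the one object's list in place."""
    acl.get(obj, {}).get(subject, set()).discard(right)


if __name__ == "__main__":
    acl = access_control_lists(MATRIX, PUBLIC)
    print("ACL for payroll.db:", acl["payroll.db"])
    print("capabilities of bob:", capability_lists(MATRIX)["bob"])
    print("carol may execute report.exe:", allowed(acl, "carol", "report.exe", "execute"))
```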
DIFFERENCE BETWEEN CYBERSECURITY AND CRYPTOGRAPHY
Definition:
Cybersecurity: It is a process of keeping networks, devices, programs and data secret and safe from damage or unauthorized access.
Cryptography: It is a process of keeping information secret and safe simply by converting it into unintelligible information and vice versa.
Scope:
Cybersecurity: It is all about managing cyber risks in all aspects such as people, process, technology, etc.
Cryptography: It is all about math functions and can be applied in technical solutions for increasing cybersecurity.
Main objective:
Cybersecurity: To prevent or mitigate harm or destruction of computer networks, applications, devices, and data.
Cryptography: To keep plaintext secret from eavesdroppers who are trying to gain access to some information about the plaintext.
Typical use:
Cybersecurity: It is generally used for the protection of internet-connected systems like software, hardware, and data, risk management, disaster planning, access control, policies.
Cryptography: It is generally used for integrity, entity authentication, data origin authentication, non-repudiation, etc.
DIFFERENCE BETWEEN STEGANOGRAPHY AND CRYPTOGRAPHY
Meaning:
Steganography: Steganography means covered writing.
Cryptography: Cryptography means secret writing.
Popularity:
Steganography: Steganography is less popular than cryptography.
Cryptography: Cryptography is more popular than steganography.
Name of the attack:
Steganography: Steganalysis.
Cryptography: Cryptanalysis.
Structure of the data:
Steganography: In steganography, the structure of the data is not usually altered.
Cryptography: In cryptography, the structure of the data is altered.
Security principles supported:
Steganography: Confidentiality and authentication.
Cryptography: Confidentiality and authentication as well as data integrity and non-repudiation.
What is hidden:
Steganography: The fact that a secret communication is taking place is hidden.
Cryptography: Only the secret message is hidden.
CRYPTOGRAPHY IN EVERYDAY LIFE
Authentication/Digital Signatures
Time Stamping
Electronic Money
Encryption/Decryption in email
Encryption in WhatsApp
Encryption in Instagram
Sim card Authentication
CRYPTOGRAPHY – BENEFITS
Confidentiality − Encryption techniques can guard
information and communication from unauthorized
revelation and access.
Authentication − Cryptographic techniques such
as MACs and digital signatures can protect information
against spoofing and forgeries.
Data Integrity − Cryptographic hash functions
play a vital role in assuring users of data
integrity.
Non-repudiation − The digital signature provides the
non-repudiation service to guard against disputes
that may arise when the sender denies having passed a
message.
INTRUSION DETECTION SYSTEM (IDS)
An Intrusion Detection System (IDS) is a
system that monitors network traffic for
suspicious activity and issues alerts when such
activity is discovered.
It is a software application that scans a
network or a system for harmful activity
or policy breaches.
Any malicious venture or violation is normally
reported either to an administrator or collected
centrally using a security information and event
management (SIEM) system.
A SIEM system integrates outputs from multiple
sources and uses alarm filtering techniques to
differentiate malicious activity from false
alarms.
Organizations need to fine-tune their IDS products
when they first install them. This means properly
setting up the intrusion detection systems to
recognize what normal traffic on the network looks
like as compared to malicious activity.
Intrusion prevention systems also monitor network
packets inbound to the system, check them for
malicious activity, and at once send warning
notifications.
CLASSIFICATION OF INTRUSION DETECTION SYSTEM:
IDS are classified into 5 types:
Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are
set up at a planned point within the network to
examine traffic from all devices on the network.
It observes the traffic passing over
the entire subnet and matches the traffic that is
passed on the subnets against the collection of known
attacks. Once an attack is identified or abnormal
behavior is observed, the alert can be sent to the
administrator.
An example of a NIDS is installing it on the
subnet where firewalls are located in order to see
if someone is trying to crack the firewall.
Host Intrusion Detection System (HIDS):
Host intrusion detection systems (HIDS)
run on independent hosts or devices on the
network. A HIDS monitors the incoming and
outgoing packets from the device only and will
alert the administrator if suspicious or malicious
activity is detected.
It takes a snapshot of existing system files and
compares it with the previous snapshot. If the
analytical system files were edited or deleted, an
alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on
mission-critical machines, which are not expected
to change their layout.
Protocol-based Intrusion Detection System (PIDS):
A protocol-based intrusion detection system
(PIDS) comprises a system or agent that
consistently resides at the front end of a server,
controlling and interpreting the protocol between
a user/device and the server.
It typically tries to secure the web server by regularly
monitoring the HTTPS protocol stream and
accepting the related HTTP protocol.
Because the HTTPS stream is only readable once it is
decrypted, just before it enters the web presentation layer,
this system needs to reside at that interface
in order to make use of the HTTPS traffic.
APPLICATION PROTOCOL-BASED INTRUSION DETECTION SYSTEM (APIDS):
Application Protocol-based Intrusion Detection
System (APIDS) is a system or agent that
generally resides within a group of servers. It
identifies the intrusions by monitoring and
interpreting the communication on application-
specific protocols.
For example, this would monitor the SQL
protocol specific to the middleware as it transacts
with the database in the web server.
HYBRID INTRUSION DETECTION SYSTEM
Hybrid intrusion detection system is made by the
combination of two or more approaches of the
intrusion detection system. In the hybrid intrusion
detection system, host agent or system data is
combined with network information to develop a
complete view of the network system. A hybrid
intrusion detection system is more effective in
comparison to the other intrusion detection
systems. Prelude is an example of a hybrid IDS.
DETECTION METHODS OF IDS:
Signature-based Method:
A signature-based IDS detects attacks
on the basis of specific patterns, such as the
number of bytes or the number of 1s or 0s
in the network traffic. It also detects on the basis
of already known malicious instruction
sequences used by malware. The
detected patterns in the IDS are known as
signatures.
A signature-based IDS can easily detect
attacks whose pattern (signature) already exists
in the system, but it is quite difficult to detect
new malware attacks as their pattern (signature)
is not known.
Anomaly-based Method:
Anomaly-based IDS was introduced to detect
unknown malware attacks, as new malware is
developed rapidly. In an anomaly-based IDS, machine
learning is used to create a trusted activity
model; anything coming in is compared with that
model and is declared suspicious if it is not found in the
model. The machine-learning-based method has better
generalization than a signature-based IDS, as these
models can be trained according to the applications
and hardware configurations.
COMPARISON OF IDS WITH FIREWALLS:
IDS and firewall both are related to network security
but an IDS differs from a firewall as a firewall looks
outwardly for intrusions in order to stop them from
happening. Firewalls restrict access between
networks to prevent intrusion and if an attack is
from inside the network it doesn’t signal. An IDS
describes a suspected intrusion once it has happened
and then signals an alarm.
GOALS FOR INTRUSION DETECTION SYSTEMS
An IDS could use some—or all—of the following
design approaches:
Filter on packet headers.
Filter on packet content.
Maintain connection state.
Use complex, multipacket signatures.
Use a minimal number of signatures with maximum effect.
Filter in real time, online.
Hide its presence.
Use an optimal sliding-time window size to match signatures.
IDS STRENGTHS AND LIMITATIONS
IDSs detect an ever-growing number of serious
problems. And as we learn more about problems,
we can add their signatures to the IDS model.
Thus, over time, IDSs continue to improve. At
the same time, they are becoming cheaper and
easier to administer.
Commercial IDSs are pretty good at identifying
attacks. Another IDS limitation is its sensitivity,
which is difficult to measure and adjust. IDSs
will never be perfect, so finding the proper
balance is critical.
INTRUSION PREVENTION SYSTEM
Intrusion Prevention System is also known as
Intrusion Detection and Prevention System. It is
a network security application that monitors
network or system activities for malicious
activity. Major functions of intrusion prevention
systems are to identify malicious activity, collect
information about this activity, report it and
attempt to block or stop it.
CLASSIFICATION OF INTRUSION PREVENTION SYSTEM (IPS):
Intrusion Prevention System (IPS) is classified into
4 types:
Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious
traffic by analyzing protocol activity.
Wireless intrusion prevention system (WIPS):
It monitors a wireless network for
suspicious traffic by analyzing wireless networking
protocols.
Network behavior analysis (NBA):
It examines network traffic to identify threats
that generate unusual traffic flows, such as
distributed denial of service attacks, specific forms of
malware and policy violations.
Host-based intrusion prevention system (HIPS):
It is an inbuilt software package which
monitors a single host for doubtful activity by
scanning events that occur within that host.
THE MAIN DIFFERENCES BETWEEN
INTRUSION PREVENTION SYSTEMS (IPS)
AND INTRUSION DETECTION SYSTEMS
(IDS) ARE:
Intrusion prevention systems are placed in-line
and are able to actively prevent or block
intrusions that are detected.
IPS can take such actions as sending an alarm,
dropping detected malicious packets, resetting a
connection or blocking traffic from the offending
IP address.
IPS also can correct cyclic redundancy check
(CRC) errors, defragment packet streams,
mitigate TCP sequencing issues and clean up
unwanted transport and network layer options.
COMPARISON OF HOST BASED AND NETWORK BASED SYSTEMS
Scope:
Host Based: Narrow in scope (watches only specific host activities)
Network Based: Broad in scope (watches all network activities)
Setup:
Host Based: More complex setup
Network Based: Easier setup
Attack origin:
Host Based: Better for detecting attacks from the inside
Network Based: Better for detecting attacks from the outside
Cost:
Host Based: More expensive to implement
Network Based: Less expensive to implement
Basis of detection:
Host Based: Detection is based on what any single host can record
Network Based: Detection is based on what can be recorded on the entire network
Packet headers:
Host Based: Does not see packet headers
Network Based: Examines packet headers
Response:
Host Based: Usually only responds after a suspicious log entry has been made
Network Based: Near real-time response
OS dependence:
Host Based: OS-specific
Network Based: OS-independent
Attack detection:
Host Based: Detects local attacks before they hit the network
Network Based: Detects network attacks as payload is analyzed
Outcome:
Host Based: Verifies success or failure of attacks
Network Based: Detects unsuccessful attack attempts
NETWORK MANAGEMENT SCENARIOS
Detecting failure of an interface card in a device
Host monitoring
Traffic monitoring to optimize resource deployment
Detecting rapid changes in routing tables
Intrusion detection
The administrator can take actions to prefer one
stream of network traffic over another, either to
promote fair use of resources or to block a
malicious traffic stream so that nonmalicious
communication does go through.
To do this kind of tuning the administrator
needs an accurate image of the network’s status.
Tools called security information and event
management devices collect status indications
from a range of products—including firewalls,
IDSs, routers, load balancers—and put these
separate data streams together into a unified
view.
MANAGEMENT TO ENSURE SERVICE
Networks are not set-and-forget kinds of
systems; because network activity is dynamic,
administrators need to monitor network
performance and adjust characteristics as
necessary.
CAPACITY PLANNING
One benign cause of denial of service is
insufficient capacity: too much data for too little
capability. Not usually viewed as a security
issue, capacity planning involves monitoring
network traffic load and performance to
determine when to upgrade which aspects.
A network or component running at or near
capacity has little margin for error, meaning that
a slight but normal surge in traffic can put the
network over the top and cause significant
degradation in service. Websites are especially
vulnerable to unexpected capacity problems.
Launching a new product with advertising can
also cause an overload; events such as opening
sales of tickets for a popular concert or sporting
event have swamped websites. Network
administrators need to be aware of these
situations that can cause unexpected demand.
LOAD BALANCING
Popular websites such as those of Google,
Microsoft, and the New York Times are not run
on one computer alone; no single computer has
the capacity to support all the traffic these sites
receive at once. Instead, these places rely on
many computers to handle the volume. The
public is unaware of these multiple servers,
A load balancer is an appliance that redirects
traffic to different servers while working to
ensure that all servers have roughly equivalent
workloads.
NETWORK TUNING
Similarly, network engineers can adjust traffic
on individual network segments. If two clients on
one segment are responsible for a large
proportion of the traffic, it may be better to place
them on separate segments to even the traffic
load. Engineers can install new links, restructure
network segments, or upgrade connectivity to
ensure good network performance.
In a real attack, network administrators can
adjust bandwidth allocation to segments, and
they can monitor incoming traffic, selectively
dropping packets that seem to be malicious.
RATE LIMITING
It is a countermeasure that reduces the impact of
an attack. With rate limiting, the volume of traffic
allowed to a particular address is reduced. Routers
can send a quench signal back to another router
that is forwarding traffic; such a signal informs
the sending router that the receiving router is
overloaded and cannot keep up, therefore asking
the sender to hold up on transmitting data.
NETWORK ADDRESSING
A problem inherent in Internet (IPv4) addressing
is that any packet can claim to come from any
address: A system at address A can send a packet
that shows address B as its source. That
statement requires a bit of elaboration because
address spoofing is not simply a matter of filling
in a blank on a web page.
Most users interact with the Internet through
higher-level applications, such as browsers and
mail handlers, that craft communications
streams and pass them to protocol handlers, such
as bind and socks. The protocol handlers perform
the network interaction, supplying accurate data
in the communication stream. Thus, someone can
spoof an address only by overriding these
protocol handlers, which requires privilege in an
operating system.
SHUNNING
With reliable source addresses, network
administrators can set edge routers to drop
packets engaging in a denial-of-service attack.
This practice, called shunning,
the attacker might make it appear as if the
attack is originating at google.com or
facebook.com, for example; shunning that
apparent attack has the negative outcome of
denying legitimate traffic from Google or
Facebook.
BLACKLISTING AND SINKHOLING
In extreme cases, the network administrator may
decide to effectively disconnect the targeted
system. The administrator can blacklist the target
address, meaning that no traffic goes to that
address, from legitimate or malicious sources alike.
Alternatively, the administrator may redirect
traffic to a valid address where the incoming traffic
can be analyzed; this process is called sinkholing.
SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
networking and security products, including
routers, switches, VPNs, and many varieties of
firewalls, IDSs, and IPSs. A large enterprise can
have hundreds or even thousands of such
products, often of different brands and models, as
well as tens of thousands of servers and
workstations, all of which need to be monitored
by security personnel.
In this section, we discuss the tools that make it
possible for a small security team to monitor and
respond to security issues from all over such an
enterprise.
A Security Operations Center
Security Operations Center (SOC) at a single
location, perhaps their headquarters. A SOC is a
team of security personnel dedicated to
monitoring a network for security incidents and
investigating and remediating those incidents.
For instance, a SOC analyst might notice a spike
in login events in the middle of the night and
want to investigate. The SIEM would allow the
analyst to search for all login events between the
hours of, say, 1:00–4:00 AM Eastern Time, and
then continue to investigate based on other
factors, such as IP address, apparent source
country, targeted systems, or targeted
usernames.
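As an added example (not from the lecture notes), the following Python runs the two IDS detection methods described earlier (a signature match for a known attack pattern, and an anomaly check against a learned hourly baseline) over constructed login events, and then performs the SIEM-style search just described: all logins between 1:00 and 4:00 AM, pivoted by source address and username. The log format, the timestamps (assumed to already be in the analyst's local time) and the threshold values are assumptions.

```python
"""Signature and anomaly detection over login events, plus a SIEM-style
time-window search. Added example (not from the lecture notes); the log
lines, their format and the thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed events. Day 1 is a quiet baseline; day 2 has an overnight burst.
LOG_LINES = [
    "2024-03-10T02:30:00 host=vpn1 event=login user=ops src=198.51.100.7 result=ok",
    "2024-03-10T08:55:10 host=web1 event=login user=alice src=198.51.100.4 result=ok",
    "2024-03-10T09:12:01 host=web1 event=login user=bob src=198.51.100.5 result=ok",
    "2024-03-10T13:40:33 host=vpn1 event=login user=carol src=198.51.100.6 result=ok",
    "2024-03-10T17:02:45 host=web1 event=login user=alice src=198.51.100.4 result=ok",
    "2024-03-11T02:13:05 host=vpn1 event=login user=admin src=203.0.113.9 result=fail",
    "2024-03-11T02:13:09 host=vpn1 event=login user=root src=203.0.113.9 result=fail",
    "2024-03-11T02:13:14 host=vpn1 event=login user=alice src=203.0.113.9 result=fail",
    "2024-03-11T02:14:02 host=vpn1 event=login user=bob src=203.0.113.9 result=fail",
    "2024-03-11T02:15:47 host=web1 event=login user=\"' OR 1=1 --\" src=203.0.113.9 result=fail",
    "2024-03-11T02:16:30 host=vpn1 event=login user=carol src=203.0.113.9 result=ok",
    "2024-03-11T09:01:12 host=web1 event=login user=alice src=198.51.100.4 result=ok",
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) '
    r'user=(?P<user>"[^"]*"|\S+) src=(?P<src>\S+) result=(?P<result>\S+)$'
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])  # assumed local time
        ev["user"] = ev["user"].strip('"')
        events.append(ev)
    return events


# Signature-based: a known malicious pattern (here an SQL injection probe
# placed in the username field), matched exactly as a signature would be.
SIGNATURES = {"sqli-in-username": re.compile(r"'\s*OR\s+1\s*=\s*1", re.I)}


def signature_hits(events):
    """(signature name, timestamp, source) for every event matching a signature."""
    return [(name, ev["ts"].isoformat(), ev["src"])
            for ev in events for name, pat in SIGNATURES.items()
            if pat.search(ev["user"])]


def hourly_logins(events, day):
    """Count login events per hour of the day for one date (YYYY-MM-DD)."""
    counts = Counter()
    for ev in events:
        if ev["event"] == "login" and ev["ts"].date().isoformat() == day:
            counts[ev["ts"].hour] += 1
    return counts


def anomalous_hours(events, baseline_day, observed_day, factor=3, floor=3):
    """Anomaly-based: hours whose login count exceeds `factor` times the
    learned baseline for that hour and a minimum `floor`. A crude model,
    standing in for the trained model described in the notes."""
    base = hourly_logins(events, baseline_day)
    seen = hourly_logins(events, observed_day)
    return sorted(h for h, n in seen.items()
                  if n >= floor and n > factor * base.get(h, 0))


def search_logins(events, start=time(1, 0), end=time(4, 0)):
    """SIEM search: login events whose time of day falls in [start, end)."""
    return [ev for ev in events
            if ev["event"] == "login" and start <= ev["ts"].time() < end]


def pivot(events, field):
    """Count matching events by a field (source address, username, ...)."""
    groups = defaultdict(int)
    for ev in events:
        groups[ev[field]] += 1
    return dict(groups)


EVENTS = parse(LOG_LINES)

if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))
    print("anomalous hours on 2024-03-11:",
          anomalous_hours(EVENTS, "2024-03-10", "2024-03-11"))
    night = search_logins(EVENTS)
    print("overnight logins by source:", pivot(night, "src"))
    print("overnight logins by user:", pivot(night, "user"))
```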
The ability to run searches like these and quickly
investigate hunches across all of a company’s
systems is a fundamental breakthrough for near
real-time security analysis. The functions of a SOC
are like those of an air traffic control center or
nuclear reactor control room: Large amounts of
data accumulate from a variety of sources.
The control staff has to use both experience and
intuition to ensure that the system runs properly, so
any technological help to organize and digest the data
helps the staff be more effective. As long as the
system runs properly, monitoring is mostly passive.
However, when an anomaly occurs, the control staff
need plenty of background data to determine what is
happening and decide what to do next. We explore
this active system management role, called incident
response.
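The search the analyst runs above, as an added example that is not part of the original notes or of any SIEM product: a small Python filter over constructed login records that keeps the login events whose local time falls in a 1:00–4:00 AM window and then pivots them by source address, country, host or user. The log format, the sample lines and the fixed UTC-5 offset standing in for Eastern Time are assumptions of the example.

```python
# Added example (not from the original notes): a minimal SIEM-style search
# over login events, answering "which logins happened between 1:00 and
# 4:00 AM Eastern, and from where / against whom?"  Log lines are constructed.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of key=value login records with UTC timestamps.
SAMPLE_LOG = """\
2024-03-12T03:15:02Z host=web01 event=login user=alice src=203.0.113.5 geo=US result=success
2024-03-12T06:42:11Z host=vpn01 event=login user=bob src=198.51.100.7 geo=DE result=failure
2024-03-12T06:43:05Z host=vpn01 event=login user=bob src=198.51.100.7 geo=DE result=failure
2024-03-12T07:10:30Z host=db02 event=login user=svc_backup src=192.0.2.9 geo=US result=success
2024-03-12T08:55:00Z host=web01 event=login user=carol src=203.0.113.77 geo=BR result=failure
2024-03-12T14:20:00Z host=web01 event=logout user=alice src=203.0.113.5 geo=US result=success
"""

# Assumption: a fixed UTC-5 offset stands in for Eastern Time (no DST handling).
EASTERN = timezone(timedelta(hours=-5))


def parse_event(line):
    """Parse one 'timestamp key=value ...' record into a dict with an aware datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def login_events_between(log_text, start_hour, end_hour, tz=EASTERN):
    """Return login events whose local hour (in tz) lies in [start_hour, end_hour)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("event") != "login":
            continue
        local_hour = ev["ts"].astimezone(tz).hour
        if start_hour <= local_hour < end_hour:
            hits.append(ev)
    return hits


def pivot(events, key):
    """Count events by one field (src, geo, host, user, result) for follow-up triage."""
    return Counter(ev.get(key, "?") for ev in events)


if __name__ == "__main__":
    night = login_events_between(SAMPLE_LOG, 1, 4)
    for ev in night:
        print(ev["ts"].astimezone(EASTERN).isoformat(), ev["user"], ev["src"], ev["geo"], ev["result"])
    print("by source:", pivot(night, "src"))
    print("by result:", pivot(night, "result"))
```

The pivot step is what turns a time-window hit list into the "other factors" the text mentions: the same events grouped by source address or by result quickly show whether the spike is one address hammering one account or a legitimate scheduled job such as the backup service account in the sample.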
Protecting data is at the heart of many secure systems, and many users (people, programs, or systems) rely on a database management system (DBMS) to manage the protection of structured data.
Databases are essential to many business and government organizations, holding data that reflect the organization’s core activities. Often, when business processes are reengineered to make them more effective and more in tune with new or revised goals, one of the first systems to receive careful scrutiny is the set of databases supporting the business processes. Thus, databases are more than software-related repositories. Their organization and contents are considered valuable corporate assets that must be carefully protected.
CONCEPT OF A DATABASE
A database is a collection of data and a set of rules that organize the data by specifying certain relationships among the data.
A database administrator is a person who defines the rules that organize the data and also controls who should have access to what parts of the data.
The user interacts with the database through a program called a database manager or a database management system (DBMS), informally known as a front end.
Components of Databases
The database file consists of records, each of
which contains one related group of data.
Each record contains fields or elements, the
elementary data items themselves
The fields in the name and address record are NAME, ADDRESS, CITY, STATE, and ZIP (where ZIP is the U.S. postal code). This database can be viewed as a two-dimensional table, where a record is a row and each field of a record is an element of the table.
The logical structure of a database is called a schema. A particular user may have access to only part of the database, called a subschema.
QUERIES
Users interact with database managers through commands to the DBMS that retrieve, modify, add, or delete fields and records of the database. A command is called a query.
Database management systems have precise rules of syntax for queries. Most query languages use an English-like notation, and many are based on SQL, a structured query language originally developed by IBM.
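The schema, subschema and query ideas from the last few paragraphs, as an added example that is not from the original notes: Python's built-in sqlite3 stands in for a DBMS, the name-and-address relation is the schema, a view is the subschema a directory user is allowed to reach, and CHECK constraints enforce element integrity on inserts. The table name, the extra SALARY element and the sample rows are assumptions of the example.

```python
# Added example (not from the original notes): schema, subschema (view) and
# queries on the NAME/ADDRESS/CITY/STATE/ZIP relation, using sqlite3 in memory.
import sqlite3

# Constructed sample records; SALARY is added as an element to restrict.
SAMPLE_ROWS = [
    ("Able", "12 Oak St", "Kalamazoo", "MI", "49001", 41900),
    ("Baxter", "7 Elm Ave", "Kalamazoo", "MI", "49006", 33250),
    ("Chen", "3 Pine Rd", "Portage", "MI", "49002", 39500),
]


def build_database():
    """Create the schema (whole logical structure) and one subschema (a view)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    # Schema: defined by the database administrator.
    cur.execute("""
        CREATE TABLE employees (
            name    TEXT PRIMARY KEY,        -- key field: uniquely identifies a record
            address TEXT NOT NULL,
            city    TEXT NOT NULL,
            state   TEXT NOT NULL CHECK (length(state) = 2),
            zip     TEXT NOT NULL CHECK (zip GLOB '[0-9][0-9][0-9][0-9][0-9]'),
            salary  INTEGER NOT NULL CHECK (salary >= 0)
        )""")
    cur.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    # Subschema: the part of the database a particular user may see.
    # A directory user gets names and locations, never salaries.
    cur.execute("CREATE VIEW directory AS SELECT name, city, state FROM employees")
    conn.commit()
    return conn


def query_directory(conn, city):
    """A query through the subschema; the value is bound as a parameter."""
    cur = conn.execute("SELECT name FROM directory WHERE city = ? ORDER BY name", (city,))
    return [row[0] for row in cur.fetchall()]


def subschema_columns(conn, view):
    """List the fields a view exposes, i.e. what its user can reach at all."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({view})")]


def insert_record(conn, row):
    """Add a record; the CHECK and PRIMARY KEY constraints reject bad elements."""
    try:
        with conn:
            conn.execute("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_database()
    print(query_directory(db, "Kalamazoo"))
    print(subschema_columns(db, "directory"))
```

The view is the mechanism most DBMSs use to give a user a subschema: the directory user's queries are written against `directory` and cannot name the `salary` column at all, which is an access-control decision made once in the schema rather than in every application.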
6. Database Security – Outline - 1
6.1. Introduction - a DB refresher
6.2. Security Requirements
a. Physical database integrity requirements
b. Logical database integrity requirements
c. Element integrity requirements
d. Auditability requirements
e. Access control requirements
f. User authentication requirements
g. Availability requirements
6.3. Reliability and Integrity
6.4. Sensitive Data
Terms you know from database courses:
a) Database
b) Database management system (front end)
c) Records
d) Fields (elements)
e) Schema (logical design)
f) Subschema (user view)
g) Entity
h) Attributes
i) Relation
j) Queries (results in subschema)
FILE ORGANIZATION
BIT: Binary Digit (0,1; Y,N; On,Off)
BYTE: Combination of BITS representing a CHARACTER
FIELD: Collection of BYTES representing a DATUM or Fact
RECORD: Collection of FIELDS reflecting a TRANSACTION
Courtesy of: Prof. Barbara Endicott-Popovsky. Source: Laudon & Laudon
FILE ORGANIZATION
FILE: Collection of similar RECORDS
DATABASE: Organization’s Electronic Library of FILES, organized to serve business applications
FILE ORGANIZATION
ENTITY: Person, place, thing, event about which data must be kept
ATTRIBUTE: Description of a particular ENTITY
KEY FIELD: Field used to retrieve, update, sort RECORD
KEY FIELD
Field in each record
Uniquely identifies THIS record
Used for RETRIEVAL, UPDATING, SORTING
PROBLEMS WITH TRADITIONAL FILE ENVIRONMENT
(Diagram: separate flat files)
Data redundancy
Program / data dependency
Lack of flexibility
Poor security
Lack of data sharing & availability
SEQUENTIAL VS. DIRECT FILE ORGANIZATION
SEQUENTIAL: Tape-oriented; one file follows another (physical sequence)
DIRECT: Disk-oriented; accessible without regard to physical sequence
FILING METHODS
Indexed sequential access method (ISAM):
Each record identified by key
Grouped in blocks and cylinders
Keys in index
Virtual storage access method (VSAM):
Memory divided into areas & intervals
Dynamic file space
VSAM widely used for relational DBs
Direct file access method (next)
DIRECT FILE ACCESS METHOD
Each record has a key field
Key field fed into a transformation algorithm
Algorithm generates the physical storage location of the record (record address)
DATABASE MANAGEMENT SYSTEM (DBMS)
Software to create & maintain data
Enables business apps to extract data
Independent of specific computer programs
COMPONENTS OF DBMSS
DATA DEFINITION LANGUAGE: defines data elements in database
DATA MANIPULATION LANGUAGE: manipulates data for applications
DATA DICTIONARY: formal definitions of all variables (data elements) in database; controls variety of database contents
STRUCTURED QUERY LANGUAGE (SQL)
Emerging standard
Data manipulation language
For relational databases
ELEMENTS OF SQL
SELECT: list of columns from tables desired
FROM: identifies tables from which columns will be selected
WHERE: includes conditions for selecting specific rows, conditions for joining multiple tables
Example:
SELECT name, phone
FROM employees_table
WHERE employer = 'MWU' AND city = 'Kalamazoo'
TWO VIEWS OF DATA
PHYSICAL VIEW: Where is data physically?
Drive, disk, surface, track, sector (block), record
Tape, block, record number (key)
LOGICAL VIEW: What data is needed by application?
Succession of facts needed by application
Name, type, length of field
RELATIONAL DATA MODEL
Data in table format
RELATION: Table
TUPLE: Row (record) in table
FIELD: Column (attribute) in table
Example relation:
          HOURS    RATE      TOTAL
ABLE      40.50    $10.35    $419.18
BAXTER    38.00    $ 8.75    $332.50
CHEN      42.70    $ 9.25    $394.98
DENVER    35.90    $ 9.50    $341.05
TYPES OF RELATIONS
ONE-TO-ONE: e.g., STUDENT – STUDENT ID
ONE-TO-MANY: e.g., one CLASS – STUDENT A, STUDENT B, STUDENT C
MANY-TO-MANY: e.g., STUDENT A, STUDENT B, STUDENT C – CLASS 1, CLASS 2
NETWORK DATA MODEL
Variation of hierarchical model
Best suited for many-to-many relationships
(Diagram: nodes NETWORK A, B, C each linked to nodes NETWORK 1, 2)
OTHER SYSTEMS
LEGACY SYSTEM: older system
OBJECT-ORIENTED DBMS: stores data & procedures as objects
OBJECT-RELATIONAL DBMS: hybrid
CREATING A DATABASE
Conceptual Design
Physical Design
CREATING A DATABASE—CONCEPTUAL DESIGN
Abstract model, business perspective
How will data be grouped?
Relationships among elements
Establish end-user needs
CREATING A DATABASE—PHYSICAL DESIGN
Detailed model by database specialists
Entity-relationship diagram
Normalization
Hardware / software specific
NORMALIZATION
= Process of creating small data structures from complex groups of data
EXAMPLES:
Accounts Receivable
Personnel Records
Payroll
DISTRIBUTED DATABASES
PARTITIONED: remote CPUs (connected to host) have files unique to that site, e.g., records on local customers
REPLICATED (DUPLICATED as a special case): each remote CPU has copies of common files, e.g., layouts for standard reports and forms
DATABASE ADMINISTRATION
A person or a group of people
Defines / organizes database structure and content
Develops security procedures
Develops database documentation
Maintains DBMS, e.g., software patches and updates
DATABASE TRENDS - 1
Multidimensional Data Analysis: 3D (or higher dimension) groupings to store complex data
Hypermedia: organizes data as nodes; nodes contain text, graphics, sound, video, programs
DATABASE TRENDS - 2
Data Warehouse: organization’s electronic library stores consolidated current & historic data for management reporting & analysis
On-Line Analytical Processing (OLAP): tools for multi-dimensional data analysis
DATABASE TRENDS - 3
DATA MART: small data warehouse for a special function, e.g., focused marketing based on customer info
DATA MINING: tools for finding hidden patterns, relationships, for predicting trends, etc.
DATABASE TRENDS - 4
Linking Databases to the Web:
Web user connects to vendor database
Special software converts the user’s query (entered in HTML) to SQL
SQL finds data
Server converts result to HTML
6.2. Security Requirements
Security requirements for databases and DBMSs:
a. Physical database integrity requirements: DB immune to physical problems (e.g., power failure, flood)
b. Logical database integrity requirements: DB structure preserved (e.g., update of a field doesn’t affect another)
c. Element integrity requirements: accuracy of values of elements
d. Auditability requirements: able to track who accessed (read, wrote) what
e. Access control requirements: restricts DB access (read, write) to legitimate users
f. User authentication requirements: only authorized users can access DB
g. Availability requirements: DB info available to all authorized users 24/7
cf: Prof. Barbara Endicott-Popovsky. Source: Pfleeger & Pfleeger
--OPTIONAL-- CONFIDENTIALITY / INTEGRITY / AVAILABILITY
Requirements can be rephrased / summarized as follows:
Data must be trusted
DBMS designed to manage trust
DBMS must reconstruct reality
Data must be accurate
Field checks
Access control (CRUD); CRUD = Create, Read, Update, and Delete
Change log
Trade-offs
Audit vs. performance
Access vs. performance
Self-authentication
High availability
6.3. Reliability and Integrity
Reliable software runs a long time without failures
Reliable DBMS preserves:
DB Integrity / Element Integrity / Element Accuracy
Basic protection provided by OS underlying DBMS
a) File backups
b) Access controls
c) Integrity checks
DBMS needs more CIA controls
a) E.g., two-phase commit protocols for updates
b) Redundancy/internal consistency controls
c) DB recovery
d) Concurrency/consistency control
e) Monitors to enforce DB constraints
Range, state, transition constraints
Control structural DB integrity
--SKIP-- A) TWO-PHASE UPDATE (2PC)
Intent Phase
Check value of COMMIT-FLAG
Gather resources: data, dummy records, open files
Lock out others
Calculate final answers
Write COMMIT-FLAG
Permanent Change Phase
Update made
Rollback ability at each phase
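The two phases above carried out on a small in-memory store, as an added example that is not from the original notes or from any DBMS: the intent phase computes every new value into dummy (shadow) records and only then writes the COMMIT-FLAG; the permanent phase copies the shadow values in; recovery after a simulated crash looks at the flag to decide between discarding the intent (nothing permanent was touched) and redoing the copy (the shadow is complete, so re-applying it is safe). The store, the crash injection and the class names are assumptions of the example.

```python
# Added example (not from the original notes): a two-phase update with a
# COMMIT-FLAG on a dict-backed store, plus crash injection and recovery.
import copy


class CrashDuringUpdate(Exception):
    """Simulated failure injected between steps of the update."""


class TwoPhaseStore:
    def __init__(self, records):
        self.records = dict(records)   # committed, "permanent" state
        self.commit_flag = False       # set only once the intent phase is complete
        self.shadow = None             # dummy records holding the final answers
        self.locked = set()            # keys locked against other updaters

    # ---- Intent phase: compute everything, change nothing permanent ----
    def intent(self, updates, crash_at=None):
        """updates maps key -> function(old value) -> new value."""
        if self.commit_flag:                              # check COMMIT-FLAG first
            raise RuntimeError("previous update unfinished; call recover() first")
        self.locked = set(updates)                        # lock out others
        self.shadow = copy.deepcopy({k: self.records[k] for k in updates})
        for key, fn in updates.items():
            if crash_at == key:
                raise CrashDuringUpdate(f"crashed while computing {key}")
            self.shadow[key] = fn(self.shadow[key])       # final answers
        self.commit_flag = True                           # write COMMIT-FLAG

    # ---- Permanent change phase: copy the precomputed values in ----
    def commit(self, crash_after=None):
        assert self.commit_flag, "commit without a completed intent phase"
        for i, (key, value) in enumerate(self.shadow.items()):
            self.records[key] = value
            if crash_after == i:
                raise CrashDuringUpdate(f"crashed after writing {key}")
        self._finish()

    def _finish(self):
        self.commit_flag = False
        self.shadow = None
        self.locked = set()

    # ---- Recovery: the flag decides between undo and redo ----
    def recover(self):
        if self.commit_flag:
            # Intent completed: shadow holds every final value, so re-applying
            # all of them is idempotent even if some were already written.
            for key, value in self.shadow.items():
                self.records[key] = value
            self._finish()
            return "redo"
        # Flag clear: the permanent phase never started; drop the intent.
        self._finish()
        return "undo"

    def two_phase_update(self, updates):
        self.intent(updates)
        self.commit()


if __name__ == "__main__":
    s = TwoPhaseStore({"A": 500, "B": 200})
    s.two_phase_update({"A": lambda v: v - 100, "B": lambda v: v + 100})
    print(s.records)
```

The property worth noticing is that the permanent state is never left half-computed: before the flag is written, a crash costs nothing; after it, a crash is repaired by replaying the shadow, so "rollback ability at each phase" reduces to a single bit plus the shadow records.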
--SKIP-- B)-E) DETECTING INCONSISTENCIES
b) Redundancy/internal consistency controls
Error detection / error correction
Hamming codes
Parity bits
Cyclic redundancy check
Shadow fields
c) DB recovery
Uses DBMS access log
d) Concurrency control
Checks/enforcement
e) Monitors for DB constraints
Range comparisons
State constraints
Transition constraints
More sophisticated
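Controls b) and e) from the two slides above, as an added example that is not from the original notes: a record store that keeps a cyclic redundancy check of each record in a shadow field (redundancy control) and a monitor that enforces a range constraint, a state constraint and a transition constraint on every update. The record layout, the bounds and the status transition table are assumptions of the example.

```python
# Added example (not from the original notes): CRC-32 shadow fields plus a
# monitor enforcing range, state and transition constraints on updates.
import json
import zlib


def checksum(record):
    """Shadow field: CRC-32 over a canonical encoding of the record's data."""
    return zlib.crc32(json.dumps(record, sort_keys=True).encode())


# Range constraint: each field must lie within its allowed bounds (constructed).
RANGES = {"salary": (0, 250_000), "hours": (0, 80)}


# State constraint: a condition that must hold for the record as a whole.
def state_ok(rec):
    return rec["status"] != "terminated" or rec["hours"] == 0


# Transition constraint: which status changes are legal (constructed).
TRANSITIONS = {
    "active": {"active", "leave", "terminated"},
    "leave": {"active", "leave", "terminated"},
    "terminated": {"terminated"},
}


class MonitoredTable:
    def __init__(self):
        self.rows = {}   # key -> (record, shadow checksum)

    def insert(self, key, rec):
        self._check_ranges(rec)
        if not state_ok(rec):
            raise ValueError("state constraint violated")
        self.rows[key] = (dict(rec), checksum(rec))

    def update(self, key, changes):
        old, old_sum = self.rows[key]
        if checksum(old) != old_sum:
            raise RuntimeError(f"record {key!r} failed its consistency check")
        new = {**old, **changes}
        self._check_ranges(new)
        if not state_ok(new):
            raise ValueError("state constraint violated")
        if new["status"] not in TRANSITIONS[old["status"]]:
            raise ValueError(f"illegal transition {old['status']} -> {new['status']}")
        self.rows[key] = (new, checksum(new))

    def verify_all(self):
        """Internal consistency scan: keys whose data no longer matches its shadow field."""
        return [k for k, (rec, s) in self.rows.items() if checksum(rec) != s]

    @staticmethod
    def _check_ranges(rec):
        for field, (lo, hi) in RANGES.items():
            if not lo <= rec[field] <= hi:
                raise ValueError(f"{field}={rec[field]} outside [{lo}, {hi}]")
```

A CRC detects accidental corruption (a bad sector, a truncated write) but not a deliberate change by someone who can also rewrite the shadow field; for that the checksum has to be keyed, which is the integrity-lock idea in section 6.7.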
--OPTIONAL-- 6.4. Sensitive Data
Managing access
Hiding existence
Sharing vs. confidentiality
Security vs. precision
Perfect confidentiality
Maximum precision
6.5. INFERENCE (INFERENCE PROBLEMS)
Inference attack - inferring sensitive data from nonsensitive data
Types of inference attacks:
1) Direct attack
Infer sensitive data from results of queries run by attacker
n-item k-percent rule: data withheld if n items represent > k percent of the result reported
Most obvious case: 1-item 100-percent case: 1 person represents 100% of results reported
2) Indirect attack
Infer sensitive info from statistics (Sum, Count, Median), also from info external to the attacked DB
Tracker attacks (intersection of sets)
Linear system vulnerability
Use algebra of multiple equations to infer
INDIRECT INFORMATION FLOW CHANNELS
1) Covert channels
Discussed earlier – in the general context of program security
Recall:
Overt Channel: designed into a system and documented
Covert Channel: not documented
Covert channels may be deliberately inserted into a system, but most are accidents of the system design.
2) Inference channels
Discussed next – in the context of DBMS
cf: Prof. Csilla Farkas
INFERENCE CONTROLS - OUTLINE
1) Query controls — applied to queries
Primarily against direct attacks
Query analysis to prevent inferences
Query inventory (history) per person
2) Data item controls — applied to individual DB items
Useful for indirect attacks
Two types:
a) Suppression — data not provided to querying user
Suppress combinations of rows and columns
Combine results (to hide actual answers)
b) Concealing — close answers, not exact, given to querying user
Rounding
Present range of results
Present random sample results
Perturb random data (generate small + and – error)
DATABASE INFERENCE PROBLEM & TYPES
DB inference problem: Non-sensitive information + Meta-data = Sensitive information
where meta-data:
Working knowledge about the attributes
Supplementary knowledge (not stored in database)
DB inference types:
1) Statistical database inferences
2) General-purpose database inferences
1) STATISTICAL DATABASE INFERENCE
Statistical database goal: provide aggregate information about groups of individuals
E.g., average grade point of students
Security risk in statistical database: disclosure of specific information about a particular individual
E.g., grade point of student John Smith
--OPTIONAL-- TYPES OF STATISTICS
Macro-statistics: collections of related statistics presented in 2-dimensional tables
Sex \ Year   1997   1998   Sum
Female          4      1     5
Male            6     13    19
Sum            10     14    24
Micro-statistics: individual data records used for statistics after identifying information is removed
Sex   Course     GPA   Year
F     CSCE 590   3.5   2000
M     CSCE 590   3.0   2000
F     CSCE 790   4.0   2001
STATISTICAL COMPROMISE
Exact compromise: find exact value of an attribute of an individual
E.g., finding that John Smith’s GPA is 3.8
Partial compromise: find an estimate of an attribute value corresponding to an individual
E.g., finding that John Smith’s GPA is between 3.5 and 4.0
METHODS OF ATTACKS AND PROTECTION
Small/Large Query Set Attack
C: characteristic formula that identifies groups of individuals
If C identifies a single individual I, e.g., count(C) = 1
Find out existence of another property D for I
If count(C and D) = 1, I has property D
If count(C and D) = 0, I does not have D
OR
Find value of property
Sum(C, D) gives value of D
If value of C known already
PREVENTION
Protection from small/large query set attack: query-set-size control
A query q(C) is permitted only if
    n ≤ |C| ≤ N − n
where n ≥ 0 is a parameter of the database, and N is the number of records in the database.
E.g., a query q(C) in a DB describing 100 individuals is permitted only if
    5 ≤ |C| ≤ 100 − 5 = 95
that is, if it can’t give statistics on a group smaller than 5 individuals.
(Note: If it gives statistics on C for, e.g., 96 people, it gives statistics on not-C for 4 people.)
TRACKER ATTACK 1 (SIMPLE)
(Diagram: query sets C1 and C2; C is their intersection, tracker T is the part of C1 outside C2)
C = C1 and C2
T = C1 and ~C2
Query q(C) is disallowed
Attacker runs instead 2 queries: q(C1) and q(T)
where q(C) = q(C1) – q(T)
=> infers q(C) from q(C1) and q(T)
--OPTIONAL-- Tracker Attack 2 (more complex)
C = C1 and C2
T = C1 and ~C2
(Diagram: query sets C1, C2, tracker T and property D; region C and D)
Query q(C and D) is disallowed
Attacker runs instead 2 queries: q(T or C and D) and q(T)
where q(C and D) = q(T or C and D) – q(T)
=> infers q(C and D) from q(T or C and D) and q(T)
--OPTIONAL-- QUERY OVERLAP ATTACK
(Diagram: overlapping query sets C1 and C2 over John, Kathy, Max, Fred, Eve, Paul, Mitch, with C2 = C1 minus John)
q(John) = q(C1) – q(C2)
Protection: need query-overlap control
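The three query controls discussed across the inference slides (the n-item k-percent rule from 6.5, the query-set-size control from PREVENTION, and the query-overlap control from the last slide), as an added example that is not from the original notes: a tiny statistical database that answers sums of GPA, applies the controls in order, and keeps the per-user query inventory the outline calls for. It then runs the simple tracker pair (C = C1 and C2, T = C1 and ~C2) with overlap control off and on, which shows the point of the last slide: size control alone lets both halves of the pair through, overlap control refuses the second. The records, the names and the parameter values are constructed.

```python
# Added example (not from the original notes): query-set-size control,
# n-item k-percent rule and query-overlap control over constructed micro-data,
# plus the simple tracker pair to show why the size control alone is not enough.

# Constructed micro-data: one record per individual.
RECORDS = [
    {"name": "John",  "sex": "M", "course": "CSCE 590", "gpa": 3.8},
    {"name": "Kathy", "sex": "F", "course": "CSCE 590", "gpa": 3.5},
    {"name": "Max",   "sex": "M", "course": "CSCE 790", "gpa": 3.0},
    {"name": "Fred",  "sex": "M", "course": "CSCE 790", "gpa": 2.9},
    {"name": "Eve",   "sex": "F", "course": "CSCE 790", "gpa": 4.0},
    {"name": "Paul",  "sex": "M", "course": "CSCE 590", "gpa": 3.1},
    {"name": "Mitch", "sex": "M", "course": "CSCE 790", "gpa": 3.4},
]


class StatisticalDB:
    def __init__(self, records, n=2, k=80.0, max_overlap=1):
        self.records = records
        self.N = len(records)
        self.n = n                      # query-set-size parameter (n >= 0)
        self.k = k                      # n-item k-percent threshold
        self.max_overlap = max_overlap  # query-overlap control parameter
        self.history = []               # query inventory for this user

    def query_set(self, predicate):
        return [r for r in self.records if predicate(r)]

    def allowed(self, qs):
        """Query-set-size control (n <= |C| <= N - n), then query-overlap control."""
        if not (self.n <= len(qs) <= self.N - self.n):
            return False, "query-set-size control"
        ids = {r["name"] for r in qs}
        if any(len(ids & prev) > self.max_overlap for prev in self.history):
            return False, "query-overlap control"
        return True, "ok"

    def sum_gpa(self, predicate):
        """Answer sum(GPA over C) or withhold it; returns (value or None, reason)."""
        qs = self.query_set(predicate)
        ok, reason = self.allowed(qs)
        if not ok:
            return None, reason
        total = sum(r["gpa"] for r in qs)
        # n-item k-percent rule: withhold if the n largest items dominate the sum.
        top = sorted((r["gpa"] for r in qs), reverse=True)[: self.n]
        if total and 100.0 * sum(top) / total > self.k:
            return None, "n-item k-percent rule"
        self.history.append({r["name"] for r in qs})   # answered: record it
        return round(total, 2), "ok"


def tracker_demo(overlap_control):
    """Run the simple tracker (C = C1 and C2, T = C1 and ~C2) against the controls."""
    db = StatisticalDB(RECORDS, n=2, max_overlap=1 if overlap_control else len(RECORDS))
    c1 = lambda r: r["sex"] == "M"
    c2 = lambda r: r["course"] == "CSCE 590" and r["gpa"] > 3.5   # identifies John only
    _, why_c = db.sum_gpa(lambda r: c1(r) and c2(r))              # q(C): a single person
    q_c1, _ = db.sum_gpa(c1)                                      # q(C1)
    q_t, why_t = db.sum_gpa(lambda r: c1(r) and not c2(r))        # q(T)
    inferred = None if q_t is None else round(q_c1 - q_t, 2)      # q(C1) - q(T)
    return {"q(C)": why_c, "q(T)": why_t, "inferred": inferred}


if __name__ == "__main__":
    print("overlap control off:", tracker_demo(False))
    print("overlap control on: ", tracker_demo(True))
```

The query inventory is what makes the overlap control possible at all, and it is also why the outline marks "track what user knows" as expensive: every answered query set has to be stored per user and intersected with each new one.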
--OPTIONAL-- INSERTION/DELETION ATTACK
Observing changes over time
q1 = q(C)
Insert(i)
q2 = q(C)
q(i) = q2 "−" q1
where "−" means compensation for the insertion that permits the inference
Protection: insertion/deletion performed as pairs
STATISTICAL INFERENCE THEORY
Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised [Ullman]
Fortunately:
Number of statistics can be limited by statistical DB controls
Statistical DB can give approximate rather than ‘correct’ statistical answers
2) INFERENCES IN GENERAL-PURPOSE DATABASES
Inference types:
a) Inference via queries based on sensitive data
b) Inference via DB constraints
c) Inference via updates
a) INFERENCE VIA QUERIES BASED ON SENSITIVE DATA
Sensitive information is used in selection condition but not returned to the user
Example: Salary: secret, Name: public
π_Name(σ_Salary=$25,000)   (π – projection, σ – selection)
π_Name(σ_Salary=$26,000)
• • •
π_Name(σ_Salary=$110,000)
Sensitive info (salary) used in selection condition, but not returned to the user
Returns only Name to user
“Infers” (quite mechanically – no intelligence needed) salary for everybody making between $25,000 and $110,000
Protection: apply query of database views at different security levels
B) INFERENCE VIA DB CONSTRAINTS
Database constraints:
b-1) Integrity constraints
b-2) DB dependencies
b-3) Key integrity
B-1) INFERRING VIA INTEGRITY CONSTRAINTS
C = A + B
A - public, C - public, and B - secret
B can be calculated from A and C
I.e., secret information can be calculated from public data
B-2) INFERRING VIA DB DEPENDENCIES
DB dependencies (metadata):
Functional dependencies
Multi-valued dependencies
Join dependencies
etc.
FUNCTIONAL DEPENDENCIES
Functional dependency (FD) for attributes A → B:
For any two tuples in the relation, if they have the same value for A, they must have the same value for B
Example: Exploiting the FD Rank → Salary to infer secret info
Secret information: Name and Salary together
Query1: Name and Rank
Query2: Rank and Salary
Combined answers for Q1 and Q2 reveal Name and Salary together
Only because we have Rank → Salary
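The Rank → Salary example above turned into a control, as an added example that is not from the original notes: a per-user query inventory (the "query analysis" and "history" controls from the outline) that refuses to release a projection when, joined with a projection the same user already received, a functional dependency makes the join lossless and so reassembles the sensitive pair (Name, Salary). The relation, the FD list, the class and function names are assumptions of the example; it checks pairs of released views, which covers the slide's two-query case but not longer chains of views.

```python
# Added example (not from the original notes): FD check, attribute closure,
# and a release monitor that tracks what a user has already been given.
from itertools import combinations


def holds_fd(rows, lhs, rhs):
    """True if lhs -> rhs holds in rows: equal lhs values imply equal rhs values."""
    seen = {}
    for r in rows:
        key = tuple(r[a] for a in lhs)
        val = tuple(r[a] for a in rhs)
        if seen.setdefault(key, val) != val:
            return False
    return True


def closure(attrs, fds):
    """Attribute closure of attrs under fds (each fd is (lhs_tuple, rhs_tuple))."""
    result = set(attrs)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if set(lhs) <= result and not set(rhs) <= result:
                result |= set(rhs)
                changed = True
    return result


class ReleaseMonitor:
    def __init__(self, fds, sensitive_pairs):
        self.fds = fds                                  # declared metadata, e.g. Rank -> Salary
        self.sensitive = [set(p) for p in sensitive_pairs]
        self.released = []                              # this user's query inventory

    def request(self, attrs):
        """Allow the projection unless, with prior releases, it exposes a sensitive pair."""
        candidate = self.released + [set(attrs)]
        if self._exposes(candidate):
            return False
        self.released.append(set(attrs))
        return True

    def _exposes(self, views):
        # A single view that carries the whole pair is an obvious exposure.
        if any(pair <= v for v in views for pair in self.sensitive):
            return True
        # Two views sharing attributes can be joined; if the shared attributes
        # functionally determine one whole side, the join is lossless and the
        # user learns every attribute of both views together.
        for a, b in combinations(views, 2):
            shared = a & b
            if not shared:
                continue
            determined = closure(shared, self.fds)
            if (a <= determined or b <= determined) and any(pair <= a | b for pair in self.sensitive):
                return True
        return False


# Constructed relation where Rank -> Salary holds.
ROWS = [
    {"Name": "Able", "Rank": "E3", "Salary": 41900},
    {"Name": "Baxter", "Rank": "E2", "Salary": 33250},
    {"Name": "Chen", "Rank": "E3", "Salary": 41900},
]

if __name__ == "__main__":
    m = ReleaseMonitor(fds=[(("Rank",), ("Salary",))], sensitive_pairs=[("Name", "Salary")])
    print(m.request(("Name", "Rank")), m.request(("Rank", "Salary")))
```

Without the declared FD the same two projections are harmless: joining Name–Rank with Rank–Salary then gives each name the set of salaries for its rank rather than one value, and the monitor lets both through.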
--OPTIONAL-- B-3) INFERRING VIA KEY INTEGRITY
Every tuple in the relation has a unique key
Users at different security levels see different versions of the database
User with ‘top secret’ clearance sees more than one with ‘secret’ clearance
Users might attempt to update data that is not visible to them
--SKIP-- EXAMPLE – INFERRING VIA KEY INTEGRITY
Secret view:
Name (key)   Salary     Address
Black P      38,000 P   Columbia S
Red S        42,000 S   Irmo S
Public view:
Name (key)   Salary     Address
Black P      38,000 P   Null P
--SKIP-- EXAMPLE (CTD) - UPDATES
Public user:
Name (key)   Salary     Address
Black P      38,000 P   Null P
1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)
If
Refuse update => covert channel
Allow update =>
• Overwrite high data – may be incorrect
• Create new tuple – which data is correct? (polyinstantiation) – violates key constraints
polyinstantiation – given record instantiated many times, each time with a different security level
--SKIP-- EXAMPLE (CTD) - UPDATES
Name (key)   Salary     Address
Black P      38,000 P   Columbia S
Red S        42,000 S   Irmo S
Secret user:
1. Update Black’s salary to 45,000
If
Refuse update => denial of service
Allow update =>
• Overwrite ‘low’ data – covert channel
• Create new tuple – which data is correct? (polyinstantiation) – violates key constraints
polyinstantiation – given record instantiated many times, each time with a different security level
CONCLUSIONS ON INFERENCE
No general technique is available to solve the inference problems
Need assurance of protection
Hard to incorporate outside knowledge
Optimal plan:
Suppress obviously sensitive information
Track what user knows (expensive)
Disguise data
--OPTIONAL-- Aggregation—additional problem
Inferences from aggregating data
Data mining increases risks
Source: Pfleeger & Pfleeger. cf: Prof. C. Farkas and B. Endicott-Popovsky
6.6. MULTILEVEL DATABASES
Multilevel databases - store data with different sensitivity levels (e.g.: public, confidential, secret, top_secret)
Problems
Polyinstantiation – multiple (“poly”) instantiations of a record, each at a different security level
Example:
[John, Kalamazoo-MI] -- Public level
[John, 19_Main_Ave-Kalamazoo-MI] -- Confidential level
…
[John, 19_Main_Ave-Kalamazoo-MI, …, SSN=123-45-6789] -- Top_Secret level
-- OPTIONAL below --
Global actions (i.e., backup)
Small items controlled
Cost and performance
Consumer resistance to military model
Granularity
Access control policy
Guarantee values not changed by unauthorized person
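The Black/Red update scenario from the key-integrity slides and the polyinstantiation idea from 6.6, as an added example that is not from the original notes: a relation with element-level classification, a view function that nulls elements above the reader's clearance, and an update rule that neither refuses (which would be the covert channel / denial of service the slides describe) nor overwrites higher data, but keeps one instance of the element per level. The level set, the attributes and the row contents are taken from the slides' tables; the class and method names are assumptions of the example.

```python
# Added example (not from the original notes): element-level multilevel
# relation with polyinstantiation on update, replaying the slides' scenario.
LEVELS = {"P": 0, "S": 1, "TS": 2}   # public < secret < top secret


class MultilevelTable:
    """Rows keyed by Name; each element keeps at most one value per classification level."""

    def __init__(self):
        self.rows = {}   # name -> {attr -> {level -> value}}

    def write(self, user_level, name, attr, value):
        """Insert or update an element as a user cleared at user_level.

        An instance at exactly user_level is replaced; otherwise a new instance
        at user_level is added beside any higher one (polyinstantiation).  Higher
        data is never overwritten and the request is never refused, so the outcome
        reveals nothing about data the user cannot see.
        """
        row = self.rows.setdefault(name, {"Name": {}, "Salary": {}, "Address": {}})
        row["Name"].setdefault(user_level, name)   # the row exists at this level too
        row[attr][user_level] = value
        return "polyinstantiated" if len(row[attr]) > 1 else "written"

    def view(self, clearance):
        """Rows as seen at clearance: for each element the highest instance not above it, else None."""
        cl = LEVELS[clearance]
        out = []
        for name in sorted(self.rows):
            row = self.rows[name]
            if not any(LEVELS[lvl] <= cl for lvl in row["Name"]):
                continue   # the row itself is classified above this reader
            rendered = {}
            for attr, instances in row.items():
                visible = [(LEVELS[lvl], v) for lvl, v in instances.items() if LEVELS[lvl] <= cl]
                rendered[attr] = max(visible)[1] if visible else None
            out.append(rendered)
        return out

    def instances(self, name, attr):
        """Number of classified instances of an element (>1 means polyinstantiated)."""
        return len(self.rows[name][attr])


def slide_scenario():
    """Starting state from the slides, then the public and secret users' updates."""
    t = MultilevelTable()
    t.write("P", "Black", "Salary", 38000)          # Black: public row, public salary
    t.write("S", "Black", "Address", "Columbia")    # ... but a secret address
    t.write("S", "Red", "Salary", 42000)            # Red: entirely secret row
    t.write("S", "Red", "Address", "Irmo")
    # Public user: update Black's address, add tuple (Red, 22,000, Manassas)
    t.write("P", "Black", "Address", "Orlando")
    t.write("P", "Red", "Salary", 22000)
    t.write("P", "Red", "Address", "Manassas")
    # Secret user: update Black's salary to 45,000
    t.write("S", "Black", "Salary", 45000)
    return t


if __name__ == "__main__":
    t = slide_scenario()
    print("public view:", t.view("P"))
    print("secret view:", t.view("S"))
```

The price is exactly the one the slides name: the key of the relation is now effectively (Name, level) rather than Name, and a secret reader of Black's row sees one salary while a public reader sees another, so which instance is "correct" has to be settled by policy rather than by the DBMS.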
--OPTIONAL-- 6.7. PROPOSALS FOR MULTILEVEL SECURITY - SEPARATION MECHANISMS
1) Partitioning
Redundancy
Accuracy (multiple field update)
2) Encryption per level
Cumbersome decrypting with queries
3) Integrity lock
Data item
Sensitivity level
Checksum (above 2)
Cryptographic checksums
4) Sensitivity lock
Unique identifier
Sensitivity level
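Mechanism 3), the integrity lock, as an added example that is not from the original notes: a keyed cryptographic checksum (HMAC-SHA-256 here) computed over the data item, its identifier and its sensitivity level, verified by a trusted front end before the level check is applied. Binding the identifier in as well is what makes the lock unique to one item, the property the sensitivity lock in 4) adds. The key, the item identifiers and the level set are constructed for the example.

```python
# Added example (not from the original notes): an integrity lock binding a data
# item to its sensitivity level with an HMAC, checked by the trusted front end.
import hashlib
import hmac
import json

LEVELS = {"P": 0, "S": 1, "TS": 2}

# Constructed key; held by the trusted front end, never by the untrusted DBMS.
LOCK_KEY = b"constructed-demo-key-do-not-reuse"


def make_lock(item_id, value, level, key=LOCK_KEY):
    """Keyed checksum over (item id, value, level): none of the three can change alone."""
    msg = json.dumps({"id": item_id, "value": value, "level": level}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def store(db, item_id, value, level):
    """Write an item together with its lock (db is any dict-like store)."""
    db[item_id] = {"value": value, "level": level, "lock": make_lock(item_id, value, level)}


def read(db, item_id, clearance, key=LOCK_KEY):
    """Trusted front end: verify the lock first, then enforce the level check."""
    rec = db[item_id]
    expected = make_lock(item_id, rec["value"], rec["level"], key)
    if not hmac.compare_digest(expected, rec["lock"]):
        return None, "integrity lock mismatch"
    if LEVELS[rec["level"]] > LEVELS[clearance]:
        return None, "not cleared"
    return rec["value"], "ok"


if __name__ == "__main__":
    db = {}
    store(db, "black.salary", 38000, "P")
    store(db, "black.address", "Columbia", "S")
    print(read(db, "black.address", "P"))
    db["black.address"]["level"] = "P"   # a downgraded label does not verify
    print(read(db, "black.address", "P"))
```

Note what the lock does and does not give: a DBMS that cannot reach the key cannot relabel or alter an item without the front end noticing, which is the "untrusted DBM subject to Trojan horse" concern on the next slide, but the lock does not hide the item's value from the DBMS itself (that is what encryption per level addresses), and every element grows by the size of the checksum.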
--OPTIONAL-- IMPLEMENTATIONS OF SEPARATION - 1
1) Integrity lock
Expands size of element
Processing time efficiency
Untrusted DBM subject to Trojan horse
2) Trusted front end
Guard ~ reference monitor
One-way filter—filters out reports
Inefficient—calls, then releases much data
3) Commutative filters
Interface between user and DB
Reformats query
Addresses inefficiencies (above)
--OPTIONAL-- IMPLEMENTATIONS OF SEPARATION - 2
4) Distributed DB
Separate DBs based on sensitivity
Front end sends query to right DB
5) Views
Logical / functional divisions