for the M.Tech. Degree of Jagannath University, Jaipur
TOPIC: Prevention of Web Database from Intrusion
CANDIDATE: Alok Kumar
M. Tech (Computer Science)
Roll No.: 122114162
(Signature of Candidate)
Remarks of Supervisor:
(Signature of Supervisor)
ACKNOWLEDGEMENT
I would like to place on record my deep sense of gratitude to Mrs. Pallavi Chaturvedi, Assistant Professor, Apar India Institute of Management and Technology, New Delhi, for her generous guidance, help and useful suggestions, continuous encouragement and supervision throughout the course of the present work.
I also wish to extend my thanks to Mrs. Renu Bagoria and other colleagues for attending my seminars and for their insightful comments and constructive suggestions to improve the quality of this research work.
ALOK KUMAR
M. Tech [CS]
TABLE OF CONTENTS
1. CHAPTER 1: INTRODUCTION
1.1 What is Intrusion Detection?
1.2 What is Intrusion Prevention?
2. CHAPTER 2: OVERVIEW OF WEB DATABASE AND SURVEY
2.1 Overview of Security
2.2 Web Application Organization
2.3 Web Database security threats
3. CHAPTER 3: RELATED WORK
3.1 Encryption in Databases
3.2 Self-securing Storage
4. CHAPTER 4: FINE-GRAINED ACCESS CONTROL
4.1 Unauthorized Access
4.2 Content-Based and Fine-Grained Access Control
5. REFERENCES
Chapter 1: Introduction
Internet users interact with web applications every day for a wide spectrum of tasks, ranging from online banking to social networking, and everything in between. Database security has become an important problem because of the large amount of personal data tracked by business web applications. A web database combines database and web technology; because it is placed on the Internet, it faces many security problems. Web and distributed databases play the key role in most of these web applications, and it is therefore critical to protect them from unauthorized access and malicious attacks. One of the key components of every web application, and arguably the most important in terms of security, is its database. The web database is the heart of any data-driven web application and must be guarded from numerous types of malicious attack. Security is a major concern when web database techniques are applied to datasets containing personal, sensitive or confidential information. To address this issue, a more efficient and flexible security mechanism is required that systematically authenticates users, controls network traffic, and provides efficient fine-grained access control.
and misuse (attacks from within the organization). ID uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to assess the security of a computer system or network.
Intrusion detection functions include:
ID systems are being developed in response to the increasing number of attacks on major sites
and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense
Department. The safeguarding of security is becoming increasingly difficult, because the possible
technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is
required for the novice attacker, because proven past methods are easily accessed through the Web.
as well as individual packets. "Detection mechanisms can include address matching, HTTP string and substring matching, generic pattern matching, TCP connection analysis, packet anomaly detection, traffic anomaly detection and TCP/UDP port matching."
Broadly speaking, an intrusion prevention system can be said to include any product or practice
used to keep attackers from gaining access to your network, such as firewalls and anti-virus software.
User Authentication: Authentication is the process of identifying the user. The basis for system security is strong user identification and authorization; if you cannot establish with certainty who a user is, it is impossible to hold users accountable for their actions and to ensure that users have access to the data they need to do their jobs, but no more. Authentication is verification that you are who you say you are; it is the equivalent of showing a guard your ID. A database supports a number of choices for user authentication: applications typically authenticate users with a username and password, or with industry-standard X.509 certificates, host-based authentication (by the underlying operating system), or third-party authentication (network authentication services, smart cards and biometric devices). There are better authentication mechanisms, such as those based on smart cards, which are not vulnerable to problems such as guessing or leakage of passwords [16].
There are several security issues relating to multi-tier security due to its distributed nature. The
client must authenticate to the middle tier and the middle tier must authenticate to the database. In
addition, because multiple users are sharing a connection, the database must be able to distinguish the
application from the user and one user from another. This white paper does not address multi-tier
security.
and password associated with the application, they can perform any updates on the database, bypassing the VPD mechanism.
the database service user as well to run the queries. The system comprises three fundamental entities. A user poses the query to the client. The service provider, who stores the encrypted database, hosts a server. The encrypted database is augmented with additional information (which they call an index) that allows a certain amount of query processing to occur at the server without jeopardizing data privacy. The client maintains metadata for translating user queries into the appropriate representation on the server, and post-processes the server's query results. Based on the auxiliary information stored, they show techniques to split an original query over unencrypted relations into a corresponding query over encrypted relations to run on the server, and a client query for post-processing the results of the server query.
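The query-splitting idea just described, as an added illustration written for this page (it is not code from the thesis or from the cited work): the client keeps the partition metadata, the server stores only encrypted tuples plus a coarse index value, and a range predicate becomes a server query over candidate bucket ids followed by exact client-side post-processing. The keyed SHA-256 keystream is a standard-library stand-in for a real symmetric cipher, and the partition, bucket ids and employee rows are constructed for the example.

```python
import hashlib, json, os

# Client-side metadata (constructed): the salary domain split into buckets whose
# ids carry no order information, so the server learns only which bucket a row is in.
SALARY_PARTITION = [(0, 25000, 17), (25000, 50000, 4), (50000, 75000, 29), (75000, 100001, 8)]

# Constructed sample relation held by the data owner before outsourcing.
SAMPLE_ROWS = [
    {"name": "alice", "salary": 30000}, {"name": "bob", "salary": 55000},
    {"name": "carol", "salary": 62000}, {"name": "dave", "salary": 90000},
    {"name": "erin", "salary": 70000},
]

def bucket_of(salary):
    """Map a plaintext salary to its index value using the client's partition map."""
    for lo, hi, bid in SALARY_PARTITION:
        if lo <= salary < hi:
            return bid
    raise ValueError("salary outside the partitioned domain")

def _keystream(key, nonce, n):
    # Counter-mode keystream from SHA-256: a stdlib stand-in for a real cipher such as AES.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def encrypt_tuple(key, row):
    pt = json.dumps(row, sort_keys=True).encode()
    nonce = os.urandom(16)  # fresh nonce per tuple so equal rows give different ciphertexts
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))

def decrypt_tuple(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def outsource(key, rows):
    # Server-side relation: (encrypted tuple, salary index) and nothing else.
    return [(encrypt_tuple(key, r), bucket_of(r["salary"])) for r in rows]

def server_query(encrypted_rel, bucket_ids):
    # The provider can only test index membership; it never sees salaries or names.
    return [et for et, idx in encrypted_rel if idx in bucket_ids]

def client_query(key, encrypted_rel, min_salary):
    """Split 'salary > min_salary': server filters by candidate buckets, client post-filters exactly."""
    wanted = {bid for lo, hi, bid in SALARY_PARTITION if hi > min_salary}
    candidates = server_query(encrypted_rel, wanted)
    rows = [decrypt_tuple(key, et) for et in candidates]
    return len(candidates), sorted(r["name"] for r in rows if r["salary"] > min_salary)
```

The candidate count returned by the server exceeds the final answer because a bucket straddling the threshold yields false positives; those rows are discarded only after decryption on the client, which is the post-processing step the text refers to.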
As organizations increase their adoption of database systems as the key data management technology for day-to-day operations and decision-making, the security of the data managed by these systems becomes crucial. Damage to and misuse of data affect not only a single user or application, but may have disastrous consequences for the entire organization. The recent rapid proliferation of Web-based applications and information systems has further increased the risk exposure of databases and, thus, data protection is today more crucial than ever. It is also important to appreciate that data needs to be protected not only from external threats, but also from insider threats. Security breaches are typically categorized as unauthorized data observation, incorrect data modification, and data unavailability. Unauthorized data observation results in the disclosure of information to users not entitled to access it. All organizations, ranging from commercial organizations to social organizations, in a variety of domains such as healthcare and homeland protection, may suffer heavy losses from both financial and human points of view as a consequence of unauthorized data observation. Incorrect modifications of data, either intentional or unintentional, result in an incorrect database state. Any use of incorrect data may result in heavy losses for the organization. When data is unavailable, information crucial for the proper functioning of the organization is not readily available when needed.
Thus, a complete solution to data security must meet the following three requirements:
1. Secrecy or confidentiality refers to the protection of data against unauthorized disclosure.
2. Integrity refers to the prevention of unauthorized and improper data modification.
3. Availability refers to the prevention of, and recovery from, hardware and software errors and from malicious data access denials that make the database system unavailable.
These three requirements arise in practically all application environments.
Consider a database that stores payroll information. It is important that the salaries of individual employees not be released to unauthorized users, that only properly authorized users modify salaries, and that paychecks be printed on time at the end of the pay period. Similarly, consider the Web site of an airline company.
Chapter 5: References
[1] Zhu Yangqing, Yu Hui, Li Hua, Zeng Lianming, Design of a new web database security model, IEEE, 2009, pp. 292-297.
[2] Leon Pan, A Unified Network Security and Fine-Grained Database Access Control Model, IEEE, 2009, pp. 265-270.
[3] Xueyong Zhu, William Atwood, A web database security model using the Host Identity Protocol, IEEE, 2007.
[4] Lianzhong Liu, Qiang Huang, A framework for database auditing, IEEE, 2009, pp. 982-988.
[5] Afonso Neto, Marco Vieira, Henrique Madeira, An appraisal to assess the security of database configurations, IEEE, 2009, pp. 73-80.
[6] Qing Zhao, Shihong Qin, Study on security of web based database, IEEE, 2008, pp. 902-910.
[7] Wu Pufeng, Zhang Yoqing, An overview of database security, Computer Engineering, Vol. 32, 2006, pp. 85-88.
[8] Zhou Wen, A new web accessing database module basing in security of information computer security, 2008, pp. 63-66.
[9] S. Sudershan, Govind Kabra, Ravishankar Ramamurthy, Redundancy and Information Leakage in Fine-Grained Access Control, ACM SIGMOD, 2006.
[10] Jie Shi, Hong Zhu, A fine-grained access control model for relational databases, IEEE, 2010, pp. 575-585.
[11] Sohial Imran, Irfan Hyder, Security Issues in Databases, IEEE, 2009, pp. 541-545.
[12] Wang Baohua, Ma Xinqiang, Li Danning, A formal multilevel database security model, IEEE, 2008, pp. 252-265.
[13] Marty Humphrey, Sang-Min Park, Jun Feng, Norm Beekwilder, Fine-Grained Access Control for GridFTP using SecPAL, IEEE, 2007, pp. 1-9.
[14] Rongxing Lu, Xiaodong Lin, Haojin Zhu, Pin-Han Ho, Xuemin (Sherman) Shen, A Novel Anonymous Mutual Authentication Protocol With Provable Link-Layer Location Privacy, IEEE, 2009.
[15] Jie Wang, Jun Zhang, Addressing Accuracy Issues in Privacy Preserving Data Mining through Matrix Factorization, IEEE, 2007.
[16] Anup Patel, Naveeta Sharma, Magdalini, Negative Database for Data Security, IEEE, 2009.
[17] Jaeduck Choi, Souhwan Jung, A Security Framework with Strong Non-repudiation and Privacy in VANETs, IEEE, 2009.
[18] Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data, IEEE, 2008.