TY - GEN
T1 - Towards database firewall
T2 - 22nd Annual Computer Security Applications Conference, ACSAC 2006
AU - Bai, Kun
AU - Liu, Peng
PY - 2006
Y1 - 2006
N2 - Access control and integrity constraints are well known approaches to ensure data integrity in commercial database systems. However, due to operational mistakes, malicious intent of insiders or vulnerabilities exploited by outsiders, data stored in a database can still be compromised. When the database is under an attack, rolling back and re-executing the damaged transactions are the most used mechanisms during system recovery. This kind of mechanism either stops (or greatly restricts) the database service during repair, which causes unacceptable availability loss or denial-of-service for mission critical applications, or may cause serious damage spreading during on-the-fly recovery where many clean data items are accidentally corrupted by legitimate new transactions. To resolve this dilemma, we devise a novel mechanism, called database firewall in this paper. This firewall is designed to protect good data from being corrupted due to damage spreading. Pattern mining and Bayesian network techniques are adopted in the framework to mine frequent damage spreading patterns and to predict the data integrity in the face of attack. Our approach provides a probability based strategy to estimate the data integrity on the fly. With this feature, the database firewall is able to enforce a policy of transaction filtering to dynamically filter out the potential spreading transactions.
AB - Access control and integrity constraints are well known approaches to ensure data integrity in commercial database systems. However, due to operational mistakes, malicious intent of insiders or vulnerabilities exploited by outsiders, data stored in a database can still be compromised. When the database is under an attack, rolling back and re-executing the damaged transactions are the most used mechanisms during system recovery. This kind of mechanism either stops (or greatly restricts) the database service during repair, which causes unacceptable availability loss or denial-of-service for mission critical applications, or may cause serious damage spreading during on-the-fly recovery where many clean data items are accidentally corrupted by legitimate new transactions. To resolve this dilemma, we devise a novel mechanism, called database firewall in this paper. This firewall is designed to protect good data from being corrupted due to damage spreading. Pattern mining and Bayesian network techniques are adopted in the framework to mine frequent damage spreading patterns and to predict the data integrity in the face of attack. Our approach provides a probability based strategy to estimate the data integrity on the fly. With this feature, the database firewall is able to enforce a policy of transaction filtering to dynamically filter out the potential spreading transactions.
UR - http://www.scopus.com/inward/record.url?scp=39049165762&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=39049165762&partnerID=8YFLogxK
U2 - 10.1109/ACSAC.2006.52
DO - 10.1109/ACSAC.2006.52
M3 - Conference contribution
AN - SCOPUS:39049165762
SN - 0769527167
SN - 9780769527161
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 449
EP - 459
BT - Proceedings - Annual Computer Security Applications Conference, ACSAC
Y2 - 11 December 2006 through 15 December 2006
ER -