Research On Key Technologies Of Survival Database

Posted on: 2012-12-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Dai
GTID: 1118330362966681
Subject: Computer application technology
Abstract/Summary:
As the essential storage center of an information system, the database is a prime target for attack. Traditional passive security mechanisms, which depend on prevention, cannot perceive all malicious intrusions in time and therefore cannot stop them. By the time an intrusion is perceived, data stored in the database may already have suffered some degree of damage, and other legitimate operations may have read the damaged data, spreading the damage to more legitimate data. Database survivability technology focuses on improving the ability of a database to survive malicious intrusions. It first detects intrusions to stop them from undermining the database, then isolates the corrupted data to prevent the damage from spreading, and finally repairs all the damaged data to recover the integrity and availability of the database. In addition, access to undamaged legitimate data should remain uninterrupted while damage is being isolated and repaired. Based on existing research work, this dissertation focuses on the techniques of intrusion detection and isolation, as well as the implementation of a survivable database. The main contributions are as follows:

(1) Existing SQL-operation-oriented anomaly detection methods suffer from deteriorating detection ability because the feature vector of the SQL statement is inadequately formalized. To address this, a database anomaly detection method based on the object-condition association rule model is proposed. By introducing a finer-grained SQL feature vector and the association rule feature of SQL statement structure, we define the object-condition association rule, which can describe the feature profiles of normal user behavior. An object-condition association rule set mining algorithm and an anomaly detection algorithm are then given to achieve a better ability to detect anomalous SQL operations.

(2) Traditional malicious transaction detection methods do not consider the environmental constraints of transaction execution, and the resolving granularity of the feature vector is fairly coarse for the SQL statements within a transaction. We therefore propose a method to detect malicious transactions based on transaction templates. This method represents the feature profile of normal user behavior by establishing transaction templates, which contain the finer-grained SQL feature vector, a directed graph of the execution order of SQL operations, and the environmental constraints of the transaction and its execution. The established transaction templates are then used to detect malicious transactions. Compared to its peers, this method has a stronger detection ability and a wider application field.

(3) To solve the problem of legitimate data being mis-quarantined by existing damage quarantine techniques for databases, we present a damage quarantine mechanism based on the color-time marks object (CTMO) model. First, a method to assess the damaged data based on the data affection relation is given, and then the CTMO model is introduced. Using the CTMO model, we propose a dynamic CTMO marking algorithm to tag each transaction and the data it updates. A real-time damage quarantine algorithm based on quarantine mark vectors is also given to quarantine the damaged data. The proof of completeness and correctness of the CTMO-model-based damage quarantine mechanism indicates that it is an accurate quarantine method with a lower negative quarantine rate and a higher data availability rate.

(4) To address the problems of lost valid updates and damaged data leakage in existing suspicious user isolation techniques, we propose a suspicious user isolation method based on a database suspicious user isolation model (DBSUIM). First, the isolation model DBSUIM is given; it contains a double-state data model, suspicious user isolation protocols, and suspicious data object repair protocols. Then, on the basis of DBSUIM, a user operation execution algorithm is given to prevent potential leakage of damaged data by keeping legitimate users away from suspicious data. In addition, a suspicious data object repair algorithm is given to prevent the loss of valid updates by repairing suspicious data objects once the identity of the suspicious user is proved.

(5) Based on the research into the key technologies of survival databases, we propose a DBMS-kernel-based survival architecture, which is applied in the secure database prototype NHSecure. The survival modules, which are able to detect intrusions and to assess, quarantine, and repair damaged data, are implemented in NHSecure. They consist of an intrusion detection module, a damage assessment module, a quarantine control module, a schedule/execution module, and a damage repair module. The methods used to design and implement these key survival modules are also presented.
Keywords/Search Tags: secure database, survival technology, anomaly detection, damage assessment, damage quarantine, damage repair, suspicious user isolation