| With the widely application of computer technology in society, people are becoming more and more dependent on information systems. While we are enjoying the convenient services brought forward, their security problem has drawn our attention. As an important part of information systems, database stores large quantity of data and undertakes the crucial role in its construction and application; consequently, it will play an important part to safeguard security of the whole system. Nowadays, many enterprises with security considerations have adopted some traditional mechanisms, such as the firewall, access control and intrusion detection to ensure the system security. These mechanisms are very important, but they cannot solve all of our security concerns. Due to the diversifications of user access, especially under the current distributed and network-based application environment, the database system faces different kinds of security threats, including illegal data access by unauthorized user through bypassing the system access control mechanism, the mishandling of privileges by the internal administrative staff, etc.One of the main reasons to induce the security threat is the existence of inference channel through which the unauthorized user can access the sensitive data indirectly. Even if the data were encrypted in database, these kinds of threats still could not be solved. But if the inference channel is detected and removed in the database design and query, the data security will be greatly improved. Alternatively, the audit policy could also be applied to audit and analyze the users' history data. While its data usability is improved further, the performance will also be improved at the same time. These mechanisms are very important to ensure the data security.Based on the collection and analysis of recent security database literatures from domestic and abroad especially in the field of database access control and audit, key technologies on database inference access control and audit were studied, including the detection and removing of query inference channel, extending audit, inference audit framework, etc. Moreover, the multi-level relational database inference access control and inference audit were also implemented in the opensource database system PostgreSQL. The aforementioned research is the important part and basis of the security database management platform. This research is focused mainly on the following fields.Through introduction of database security background, this dissertation points out the importance of database access control, inference access control and audit; then describes some problems existing in the inference access control and audit such as the leak of sensitive data caused by collusion; and finally introduces some security-database related research work, inference and audit technologies, some security standards and so forth.This dissertation researches the multilevel-database inference access control. Firstly the algorithms to detect and remove the inference channels during query time are given, which are implemented at the granularity of elements and based on the data constraints, functional dependence and multi-valued dependence, and the analysis of the algorithms showed the security. To further protect the hidden dangerous of secure database brought by multi-user collusion, the dissertation provides the rule of splitting views into the secure and insecure view dependency basis, theoretically proves the correctness of the rule. These inference access control measures improve the data's availability greatly.This dissertation researches the inference-based security database audit framework. First, the existing audit models are discussed and its disadvantages are pointed out not to be able to audit those queries that access database indirectly. And then, the audit framework with MVD, FFD and FD inference capabilities is provided. Last, the respective inference audit algorithm and query graph model (QGM) are also provided with examples to prove the feasibility of this audit framework. The way of partly embedding inference access control into the audit system can effectively improve the data availability and real-time processing performance.This dissertation researches the audit and inference audit on the query of semi-structured data. First, the existing audit models are discussed and their disadvantages are pointed out not to be able to audit and inferentially audit the semi-structured query. Since there have differences between the semi-structured data and relational data on storage and query, it is necessary to study those existing audit models and improve them to be able to audit the query on data of new data-types. Therefore, the audit model, audit algorithm and query graph model (QGM) are provided for XML query; furthermore, combining several typical XML constraints that might lead to the leak of sensitive information, the audit algorithm and query graph model on inference audit are provided with executed experimentations to prove its availability and effectiveness.This dissertation researches the implementations of security database inference control, audit and inference audit system. At first, the current status on security database management platform is introduced. And then the idea of security database infrastructure is put forward to improve the whole process of data storage, transfer, inference access control, audit and inference audit so as to ensure the omni-directional security control. Last, the audit and inference audit functions are implemented in the opensource database system to solve the audit log problem, security problem of database backup and so forth.
|
PDF Full Text Request