
Research And Implementation Of The Intrusion Detector For Intrusion Tolerant Databases

Posted on: 2009-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Gao
GTID: 2178360242480430
Subject: Computer system architecture

Abstract/Summary:
The concept of intrusion tolerance was introduced in 1985 by J. Fraga and D. Powell. Deswarte, Blain and Fabre developed an intrusion tolerant distributed computing system in 1991, but wide-ranging and fruitful research in the area began only in the past few years. In the United States, DARPA began funding the OASIS program in 1999. The program comprises nearly 30 components, and its objectives include: first, building intrusion tolerant systems on the basis of potentially vulnerable components; second, constructing low-cost intrusion tolerance mechanisms; third, developing a methodology to evaluate and verify intrusion tolerance mechanisms. From 2000, Europe launched the MAFTIA research project, with a view to systematically studying intrusion tolerance models. Its main research results include: first, the definition of a structural framework and conceptual model for intrusion tolerant systems; second, the development of a set of mechanisms and protocols for building intrusion tolerant systems, including a group of modular and scalable middleware protocols for secure group communication, the architecture of a large-scale distributed intrusion tolerant IDS, and the design and implementation of a Distributed Intrusion Tolerant Certification Service; third, formal verification and assessment methods for the MAFTIA components.

As everyone knows, database services are crucial for any enterprise or government. Current database systems ensure security through authentication and access control, but no matter how good these safeguards are, there are always successful infiltrations and there is always abuse by internal users. For the information security of states and enterprises, intrusion tolerant database systems have therefore become an urgent need. In 2000, with the support of DARPA (OASIS) and the Air Force Research Laboratory, Liu Peng and his lab members studied and constructed the intrusion tolerant database system (ITDB).
They add intrusion tolerance features to current commercial database systems on the basis of automatic intrusion response. Under attack, ITDB is still able to provide sustained transaction processing services and to keep data consistency within a reasonable range. Intrusion detection, the main trigger of ITDB, largely determines ITDB's effectiveness. However, most current intrusion detection research focuses on host-based and network-based attack detection, and little research specifically addresses database intrusion detection. Taking into account the complex structure of the database as well as the special requirements of ITDB, the study of intrusion detection specifically for ITDB is therefore very necessary.

Through the study of existing intrusion tolerant database systems, we derive the following requirements for the intrusion detector for ITDB: first, it must be a real-time, transaction-level intrusion detection system; second, it must be able to issue at least two levels of alert, suspicious and malicious; third, with little human intervention, its false alarm rate must be below 25%, its detection rate above 75% and its detection latency on the order of seconds. Based on these requirements, an intrusion detection model is proposed. The model includes an intrusion detection engine, a rule learning module, an alert correlation module, an intrusion diagnosis module, a data preprocessing module and a real-time log capturing module.
The main logic of the critical modules is described below.

Intrusion Detection Engine: on receiving data from the log acquisition module, it first transforms the data into events, then calls the engine's own event processor and any other registered custom event processors. After that it begins pattern matching. If an access does not conform to the user profile or violates a database semantic rule, the scorecard and alarm module scores the user and the transaction according to the weights of the rules. If the score exceeds a predefined threshold, it sends alarms to the response component and the intrusion diagnosis module.

Rule Learning Component: it first learns user access patterns to form user rules, then characterizes these rules, dividing them into user-specific rules and rules common to all users. After that it computes the weights of the rules according to their degree of characterization and their support. Database semantic rules can be inferred from the database schema or mined through a sequence pattern learning algorithm.

Alert Correlation Module: it collects alerts from the NIDS, HIDS and application IDS, aggregates and correlates them, and finally forms an evaluation of the security status of the host and the user.

Intrusion Diagnosis Module: on receiving a suspicious-transaction alert, it extracts the user, host and application of the transaction, then requests the security status of these entities from the alert correlation module. Based on that evaluation, it decides whether the transaction is malicious and sends its judgment to the response component. Suspicious transactions whose maliciousness is hard to decide can be analyzed and judged by people through the management console.

Based on the above model, a prototype intrusion detector is designed and implemented.
Because ITDBID requires real-time access to audit/log data, and commercial DBMSs usually cache this information for performance, a log monitor source was added to the log module of MySQL, a widely used open-source DBMS, so that such logs are captured in real time. The database platform targeted by ITDBID is therefore mysql-5.1.23a-maria-alpha for Linux, with the InnoDB engine, which supports transaction processing. Because Perl has strong string processing facilities, the data preprocessing module is written in Perl. The intrusion detection engine is an extensible rule-based system and, for efficiency, is implemented in C. At present the engine can issue five levels of alert according to how suspicious a transaction and the user it belongs to are, which is sufficient for ITDB. The rule learning module is based on WEKA, an open-source data mining toolkit. During rule mining, this thesis identified an important containment relationship between SQL statements; after formalization, it was integrated into the association rule algorithm Apriori and the sequence pattern algorithm GSP. The modified Apriori and GSP are then used to mine user behaviour patterns and database semantic rules.
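The engine's flow described above (log records turned into events, matched against user-profile and database-semantic rules, scored by rule weight, and thresholded into alert levels), as an added example that is not the thesis's code: the log lines, the "clerk" profile, the three rules and their weights, and the thresholds are all constructed assumptions, and only the suspicious and malicious levels are shown rather than the engine's five.

```python
import re

# Constructed records loosely modelled on the MySQL general log: date, time, connection id, command, SQL.
LOG = """\
090412 10:01:02   12 Query  SELECT balance FROM accounts WHERE id=7
090412 10:01:03   12 Query  UPDATE accounts SET balance=balance-50 WHERE id=7
090412 10:01:03   12 Query  COMMIT
090412 17:30:01   14 Query  UPDATE accounts SET balance=0 WHERE id=9
090412 17:30:01   14 Query  COMMIT
090412 23:15:11   13 Query  UPDATE salaries SET amount=amount*2 WHERE emp=7
090412 23:15:11   13 Query  COMMIT
"""
USER_OF_CONN = {12: "clerk", 13: "clerk", 14: "clerk"}                # constructed session -> user mapping
PROFILE = {"clerk": {"tables": {"accounts"}, "hours": range(8, 19)}}  # constructed learned user profile
LINE = re.compile(r"^\d{6} (\d\d):\d\d:\d\d\s+(\d+) Query\s+(.*)$")
TABLE = re.compile(r"\b(?:FROM|UPDATE|INTO)\s+(\w+)", re.I)

def parse_transactions(log):
    """Turn log records into events and group them per connection into transactions ending at COMMIT."""
    open_tx, done = {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m: continue
        hour, conn, sql = int(m.group(1)), int(m.group(2)), m.group(3).strip()
        tx = open_tx.setdefault(conn, {"conn": conn, "hour": hour, "stmts": []})
        if sql.upper() == "COMMIT":
            done.append(open_tx.pop(conn))
        else:  # event = (SQL verb, first table referenced or None)
            tx["stmts"].append((sql.split()[0].upper(), (TABLE.findall(sql) or [None])[0]))
    return done
def profile_tables(user, tx):  # user-profile rule: only tables this user was seen accessing during learning
    return all(tbl in PROFILE[user]["tables"] for _, tbl in tx["stmts"] if tbl)
def profile_hours(user, tx):   # user-profile rule: activity within the user's usual working hours
    return tx["hour"] in PROFILE[user]["hours"]
def read_before_write(user, tx):  # database semantic rule: every UPDATE is preceded by a SELECT on that table
    read = set()
    for verb, tbl in tx["stmts"]:
        if verb == "SELECT": read.add(tbl)
        elif verb == "UPDATE" and tbl not in read: return False
    return True
RULES = [("table outside profile", 0.5, profile_tables), ("outside usual hours", 0.3, profile_hours),
         ("update without prior read", 0.4, read_before_write)]  # (name, constructed weight, conforms?)
THRESHOLDS = [(0.6, "malicious"), (0.3, "suspicious")]  # constructed; highest level checked first

def score(user, tx):  # weighted sum of the violated rules, mapped to an alert level
    violated = [name for name, _, ok in RULES if not ok(user, tx)]
    s = round(sum(w for name, w, _ in RULES if name in violated), 2)
    return s, next((lvl for th, lvl in THRESHOLDS if s >= th), "normal"), violated
def run(log=LOG):  # (connection, score, level, violated rules) for every committed transaction
    return [(tx["conn"],) + score(USER_OF_CONN[tx["conn"]], tx) for tx in parse_transactions(log)]
```

With the constructed log, connection 12 scores normal, connection 14 is suspicious for updating without a prior read, and connection 13 is malicious for violating all three rules.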
Keywords/Search Tags: Implementation