Synopsis of the Dissertation proposed

for the
M.Tech. Degree of Jagannath
University, Jaipur

FACULTY: Computer Science

TOPIC:
Prevention of Web Database from Intrusion

CANDIDATE:
Alok Kumar
M. Tech (Computer Science)
Roll No. : 122114162

UNDER THE SUPERVISION OF

Mrs. Pallavi Chaturvedi
Assistant Professor
Apar India Institute of Management and Technology, New Delhi
.

(Signature of Candidate)

Remarks of Supervisor:
.
(Signature of Supervisor)
1

ACKNOWLEDGEMENT
I would like to place on record my deep sense of gratitude to Mrs. Pallavi
Chaturvedi, Assistant Professor, Apar India Institute of Management and Technology,
New Delhi, for his generous guidance, help and useful suggestions, continuous
encouragement and supervision throughout the course of present work.
I also wish to extend my thanks to Mrs. Renu Bagoria

and

other

colleagues for attending my seminars and for their insightful comments and
constructive suggestions to improve the quality of this research work.

ALOK KUMAR
M. Tech [CS]

APPLICATION FORM FOR RECOGNITION AS M.TECH. PROJECT GUIDE

(To be submitted to Pro Vice-Chancellors Office, Jagan Nath University, Plot No. IP-2 & 3, Phase IV, Sitapura
Industrial Area, Opp. Choki Dhani, Jaipur-302022)
1.
2.
3.
4.
5.
6.

Name of the Applicant (In Block Letters)

Home Address

Present Position

Past Post (held if any)

Date of Birth

Academic Qualification (beginning from High School or Equivalent and onward):-

S. No.

Name Of Examination

Year

Board/Univ.

7.

Total Teaching experience Post Graduate Classes

8.

Research Experience:-

Ph.D.
Award

9. Post Doctoral Experience:Place

Division Subject

..

Title of Thesis

Year of

Nature of work

Period

10. Are you a recognized M.Tech./Ph.D. guide? If yes give name of institution and year of recognition.
..
11. How many students are registered with you (for M.Tech./Ph.D.)?
12. How many students have been awarded M.Tech./Ph.D. degree under your supervision? .
13. Details of published work/ if any (Separate sheet to be attached if necessary) (Photocopies of Three important
Publications ......
.
I certify that the details given above are correct to the best of my knowledge.

Dated

Signature of Applicant

TABLE OF CONTENTS

1. CHAPTER 1: INTRODUCTION
1.1 What is Intrusion Detection?
1.2 What is Intrusion Prevention?
2. CHAPTER 2: OVERVIEW OF WEB DATABASE AND SURVEY
2.1 Overview of Security
2.2 Web Application Organization
2.3 Web Database security threats
3. CHAPTER 3: RELATED WORK
3.1 Encryption in Databases
3.2 Self-securing Storage
4. CHAPTER 4: FINE-GRAINED ACCESS CONTROL
4.1 Unauthorized Access
4.2 Content-Based and Fine-Grained Access Control
5. REFERENCES

Chapter 1: Introduction
4

Internet users interact with and use web applications every day for a wide spectrum of tasks,
ranging from online banking to social networking, and everything in between. Security in database has
become an important problem because of the large amount of personal data, which is tracked by many
business web applications. Web database is combination of database and web technology. Web database
is placed on the Internet, there are many security problems. Web and distributed databases play the key
role in most of these Web applications and thus it is critical to protect them from unauthorized access
and malicious attacks. One of the key components of every web application and arguably the most
important in terms of security is the web application's database. The web database is the heart of any
data-driven web application, and must be guarded from numerous types of malicious attacks. Security is
a major concern in the application of web database techniques to datasets containing personal sensitive
or confidential information. To address this issue, a more efficient and flexible security mechanism is
required to systematically authenticate users, control network traffic, and provide efficient fine-grained
access control.

1.1 What is Intrusion Detection?

The word Intrusion was first used in the late 14th century, the noun intrusion derives from the
Latin word intrudere, which combines the prefix in-, meaning "in" and trudere, meaning "to thrust,
push", If someone reads your diary, that's considered an intrusion of privacy.
Intrusion detection (ID) is a type of security management system for computers and networks.
An ID system gathers and analyzes information from various areas within a computer or a network to
identify possible security breaches, which include both intrusions (attacks from outside the
organization)

and

misuse

(attacks

from

within

the

organization).

ID

uses vulnerability

assessment (sometimes refered to as scanning), which is a technology developed to assess the security
of a computer system or network.
Intrusion detection functions include:

Monitoring and analyzing both user and system activities

Analyzing system configurations and vulnerabilities

Assessing system and file integrity

Ability to recognize patterns typical of attacks

Analysis of abnormal activity patterns

Tracking user policy violations

5

ID systems are being developed in response to the increasing number of attacks on major sites
and networks, including those of the Pentagon, the White House, NATO, and the U.S. Defense
Department. The safeguarding of security is becoming increasingly difficult, because the possible
technologies of attack are becoming ever more sophisticated; at the same time, less technical ability is
required for the novice attacker, because proven past methods are easily accessed through the Web.

1.2 What is intrusion prevention?

Intrusion prevention is a pre-emptive approach to network security used to identify potential
threats and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention
system (IPS) monitors network traffic. However, because an exploit may be carried out very quickly
after the attacker gains access, intrusion prevention systems also have the ability to take immediate
action, based on a set of rules established by the network administrator. For example, an IPS might drop
a packet that it determines to be malicious and block all further traffic from that IP address or port.
Legitimate traffic, meanwhile, should be forwarded to the recipient with no apparent disruption or delay
of service.
According to Michael Reed of Top Layer Networks, an effective intrusion prevention system
should also perform more complex monitoring and analysis, such as watching and responding to traffic
patterns

as

well

as

individual

packets.

"Detection

mechanisms

can

include

address

matching, HTTP string and substring matching, generic pattern matching, TCP connection analysis,
packet anomaly detection, traffic anomaly detection and TCP/UDP port matching."
Broadly speaking, an intrusion prevention system can be said to include any product or practice
used to keep attackers from gaining access to your network, such as firewalls and anti-virus software.

Chapter 2: Overview of web database and Survey

2.1 Overview of Security
In this section we provide an overview of security in the context of database applications, to help
better understand the issues in protecting such applications from external and insider attacks, and the
role of within this context.
There are several aspects to database application security.

User Authentication: Authentication is the process of identifying the user. The basis for system
security is strong user identification and authorization; if you cannot establish, with certainty, who is a
user, then it is impossible to hold users accountable for their actions, and to ensure that users only have
6

access to the data they need to do their jobs, but no more. Authentication is verification that you are who
you say you are. It's the equivalent of showing a guard your ID. Database supports a number of choices
for user authentication: Applications typically use a username/password for authentication of users or
by industry-standard X.509 certificates, host-based (by the underlying operating system), or third-party
based (network authentication services, smart cards and biometric devices) There are better
authentication mechanisms, such as those based on smart cards, which are not vulnerable to problems
such as guessing or leakage of passwords [16].
There are several security issues relating to multi-tier security due to its distributed nature. The
client must authenticate to the middle tier and the middle tier must authenticate to the database. In
addition, because multiple users are sharing a connection, the database must be able to distinguish the
application from the user and one user from another. This white paper does not address multi-tier
security.

Authorization/Access Control: Authorization is giving access to certain objects, processes or

resources. The equivalent in our enterprise analogy would be a key card allowing access to a specific
room or having the pass code to the VIP restroom. The thought here being that management has granted
you access to these rooms or resources. Authorization is implemented using GRANTS on objects to
ROLES [5] or USERS. Let's say your ID is JohnD. Your friendly neighborhood DBA can grant you
SELECT access on the EMP table owned by SCOTT. Or not. You never can tell about those DBA
people. But if the DBA will grant you that access, from that point on you can select from SCOTT.EMP.
Alternatively, the DBA can create a ROLE called EMP_DEPT and grant SELECT on EMP and DEPT
to EMP_DEPT. If he then granted the emp_dept role to your ID, you would be able to select from both
the EMP and DEPT tables. Although SQL provides a fairly extensive access control mechanism, it is
not really usable by most applications since the entire application runs as a single database user, and the
database has no knowledge of the actual end user. As a result, it is impossible to enforce per-user
authorization policies, and any updates cannot be traced back beyond the database user login, leaving no
possibility of holding any (application-level) user accountable for their actions. Hence, access control is
mainly done at the application level.
The only current exception we are aware of is Oracles Virtual Private Database (VPD) where
the application informs the database about the end users identity and the database provides access
control at the level of the end user. However, even here if someone gets access to the database user id

and password associated with the application, they can perform any updates on the database bypassing
the VPD mechanism.

Chapter 3: Related Works

It is possible to look for dependencies between the different items in SQL sentences. And these
dependencies can be found by data mining algorithms. But the main disadvantage of all the above
methods for detecting intrusions to databases is that they are not suitable for web systems. These
methods presume that its possible to analyze the log of databases when this log contains SQL sentences
and indication to which users session each such sentence belongs to. But this is impossible for web
systems as was explained above.
For example, look for the following sentences:
SELECT C1 FROM T2 UPDATE T3 SET C4 = 5
If we apply the approach proposed in [8], we can find dependency between C1 and C4. But for
the web application these sentences can be submitted by different users so they can be completely
independent!

3.1 Encryption in Databases

There has been research in the area of preventing disclosure of information in the database to
users who break into the system. Encryption as a means to protect data stored in an insecure database
(such as a database storage service provided by an application service provider). Here data is encrypted
by the client (application server) before it is sent to the database. Also investigates the capabilities of
encrypting the database in relational databases and yet allowing, to some extent, SQL querying of the
encrypted database. Organizations offer database as a service to other smaller organizations, providing
mechanisms to create, store and access their databases. The studies of two dimensions to encryption;
granularity of data to be encrypted and the other is the choice between software and hardware level
implementation of encryption algorithms.
The encryption algorithm is registered into the database as a user defined function (UDF). It can
then be used to encrypt the data in one or more fields - whenever data is inserted into the chosen fields,
the values are encrypted before being stored. On read access, the stored data is decrypted before the
operation is performed. Another alternative is to use hardware level encryption, have a cryptographic
coprocessor (like IBM S/390), which provides a routine to encrypt/decrypt data whenever a particular
table is accessed. Hacigumus et. al. [20,21] proposes a system which entails some work on the part of
8

the database service user as well to run the queries. The system is comprised of three fundamental
entities. A user poses the query to the client. The service provider who stores the encrypted database
hosts a server. The encrypted database is augmented with additional information (which they call
index), which allows certain amount of query processing to occur at the server without jeopardizing data
privacy. The client maintains metadata for translating user queries to the appropriate representation on
the server, and performs post-processing results on server query results. Based on the auxiliary
information stored, they show some techniques to split an original query over unencrypted relations
into: a corresponding query over encrypted relations to run on the server, and a client query for postprocessing results of the server query.

3.2 Self-securing Storage

There has been research in the area of tamper detection of the storage devices. Strunk et al. [22]
suggest one such system, which they call Self Securing Storage, which prevents intruders from
undetectably tampering with or deleting the data by maintaining different versions of it permanently on
the storage device. Rather than acting as slaves to host OSes, self-securing storage devices view host
OSes and their users with suspicion. Though they look at the problem in a similar way, the success of
their work again depends on the efficacy of the intrusion detection systems. With different versions of
data existing on the storage device, an intrusion detection system should not only identify the point of
intrusion but also single out the version of the data that was consistent before the attempt to tamper
occurred. Our system has a clean way of detecting an intrusion; and the detection is guaranteed. Barbara
et al. [22] suggests use of checksums to detect unauthorized modification of data on the disk. To prevent
the successful completion of the attack, they provide a defense mechanism that increases the load of the
intruder enormously. They propose maintenance of two-level checksums per block. Although a check
can detect that an intrusion has taken place, there is no possibility of recovering the data as the old data
is lost. McDermott and Goldschlag [23, 24] discuss how to detect a type of corruption, which they call
storage jamming, where the user replaces the blocks of data with the old data blocks so that the
checksums are not violated.

Chapter 4: Fine-grained Access Control

4.1. Unauthorized Access
Web database is combination of database and web technology. The combination concentrates
advances of database and web technology, not only was a great deal of database information adequately
utilized, but also users can search and browse some database contents on the web. But web database
was placed on the Internet, there are many security problems. How to ensure web database security has
become problem to be solved. A new web database security model, login module, audit module,
program control modules, database rights and database view. Application of the web database security
model was analyzed in the pork traceability information system.
In the old web database system, some database rights were granted to legal users. The legal users
entered their user name and password on the web browser and operated database after verifying their
user name and password through web server and database. But if user name and password were stolen
by illegal users, then the illegal users could access web database and destroy it. The paper reformed the
old web database system. The rights of program control modules and database were rigidly granted to
every user on basis of types of user. The legal users access database through twice login. Audit module
could trace users behaviours of operating web database and give warnings to the illegal operation. Data
were transported on the Internet after they were encrypted. Figure below showed the reformed web
database security model.

As organizations increase their adoption of database systems as the key data management
technology for day-to-day operations and decision-making, the security of data managed by these
systems becomes crucial. Damage and misuse of data affect not only a single user or application, but
10

may have disastrous consequences on the entire organization. The recent rapid proliferation of Web
based applications and information systems have further increased the risk exposure of databases and,
thus, data protection is today more crucial than ever. It is also important to appreciate that data needs to
be protected not only from external threats, but also from insider threats. Security breaches are typically
categorized as unauthorized data observation, incorrect data modification, and data unavailability.
Unauthorized data observation results in the disclosure of information to users not entitled to gain
access to such information. All organizations, ranging from commercial organizations to social
organizations, in a variety of domains such as healthcare and homeland protection, may suffer heavy
losses from both financial and human points of view as a consequence of unauthorized data observation.
Incorrect modifications of data, either intentional or unintentional, result in an incorrect database state.
Any use of incorrect data may result in heavy losses for the organization. When data is unavailable,
information crucial for the proper functioning of the organization is not readily available when needed.
Thus, a complete solution to data security must meet the following three requirements:
1. Secrecy or confidentiality refers to the protection of data against unauthorized disclosure
2. Integrity refers to the prevention of unauthorized and improper data modification
3. Availability refers to the prevention and recovery from hardware and software errors and from
malicious data access denials making the database system unavailable.
These three requirements arise in practically all application environments.
Consider a database that stores payroll information. It is important that salaries of individual
employees not be released to unauthorized users, that only the users that are properly authorized modify
salaries, and that pay checks be printed on time at the end of the pay period. Similarly, consider the Web
site of an airline company.

11

Chapter 5:References
References:
[1] Zhu Yangqing, Yu Hui, Li Hua, Zeng Lianming, Design of a new web database
security model, IEEE, 2009, 292-297
[2] Leon Pan, A Unified Network Security and Fine-Grained Database Access
Control Model, IEEE 2009, pg 265-270
[3] Xueyong Zhu, William Atwood, A web database Security model using the Host
identity protocol, IEEE 2007,
[4] Lianzhong Liu, Qiang Huang, A framework for database auditing, IEEE, 2009,
982-988
[5] Afonso Neto, Marco Vieira, Henrique Maderia,An appriasal to assess the
security of database configurations, IEEE, 2009, 73-80
[6] Qing Zhao, Shihong Qin, Study on security of web based database, IEEE, 2008,
902-910
[7] WU Pufeng, Zhang Yoqing, An overview of Database security, Computer
Engineering, Vol 32,2006,85-88
[8] Zhou Wen, A new web accessing database module basing in security of
information computer security, 2008, 63-66
[9] S. Sudershan, Govind Kabra, Ravishankar Ramamurthy, Redundancy and
Information Leakage in Fine-Grained Access Control, ACM SIGMOD 2006
[10] Jie SHI, Hong ZHU, A fine-grained access control model for relational
databases, IEEE 2010, Pg 575-585
[11] Sohial Imran, Irfan Hyder, Security Issues in Databases, IEEE 2009, Pg 541545
[12] Wang Baohua, Ma Xinqiang, Li Danning, A formal multilevel database security
model, IEEE 2008, Pg 252-265
[13] Marty Humphrey, Sang-Min Park, Jun Feng, Norm Beekwilder, Fine-Grained
Access Control for GridFTP using SecPAL, IEEE 2007, Pg 1-9
[14] Rongxing Lu, Xiaodong Lin, Haojin Zhu, Pin-Han Ho & Xuemin (Sherman)
Shen, A Novel Anonymous Mutual Authentication Protocol With Provable LinkLayer Location Privacy, IEEE, 2009.
[15] Jie Wang & Jun Zhang, Addressing Accuracy Issues in Privacy Preserving
Data Mining through Matrix Factorization, IEEE, 2007.
12

[16] Anup Patel, Naveeta Sharma, Magdalini, Negative Database for Data
Security, IEEE 2009
[17] Jaeduck Choi & Souhwan Jung, A Security Framework with Strong Nonrepudiation and Privacy in VANETs, IEEE, 2009.
[18] Attribute- Based Encryption for Fine- Grained Access Control of Encrypted
Data, IEEE 2008

13