Databases Reference
In-Depth Information
An important feature of the proposed approach is that it allows a gradual
and focused re-design of security policies and mechanisms. This is achieved by
a data-driven evaluation strategy in which accesses to mission-critical and sen-
sitive data are evaluated first for potential vulnerabilities and insider misuse.
We have shown different security re-design strategies, as simple as integrity
constraints and as complex and powerful as stored procedures or derived views
that precisely contain the data users typically operate on.
The proposed approach motivates several research and development ac-
tivities that concentrate on securing today's databases in an evolutionary
approach. First and foremost, tools are necessary administrators and security
personnel can employ for a security re-design approach, including tools that
perform most of the data mining tasks on profiles and establish similarity
measures between user profiles, leading to the discovery of roles and role-
hierarchies. Recent research has developed many of such tool components,
which now have to be integrated in a coherent fashion to provide all the func-
tionality for a comprehensive security re-design approach. Second, there is a
great potential in well-founded methods that derive database view specifica-
tions from a collection of user and access profiles. That is, given a collection
of queries (and potentially result tuples) against one or more base relations,
what “minimal” views can be queried that contain the same tuples as the
queries against the base relations. In general, we think that views, especially
those that furthermore include query context information, provide an interest-
ing alternative to implementing expressive access control models using today's
database technology.
Acknowledgment.
This work is in part supported by the NSF award IIS-
0242414.
References
1. Conference
series
on
Recent
Advances
in
Intrusion
Detection
(RAID),
http://www.raid-symposium.org/.
2. Oracle audit vault.
http://www.oracle.com/technology/products/audit-vault/index.html
3. Common Criteria for Information Technology Security Evaluation (Version 3.1).
Technical report, 2006
http://www.commoncriteriaportal.org/public/expert/index.php?menu=2.
4. Cristina Abad, Jed Taylor, Cigdem Sengul, William Yurcik, Yuanyuan Zhou,
and Kenneth E. Rowe. Log correlation for intrusion detection: A proof of
concept. In
19th Annual Computer Security Applications Conference (ACSAC
2003)
, pages 255-265, 2003.
5. Ant Allen. Intrusion Detection Systems (IDS): Perspective. Technical report,
Gartner Research Report DPRO-95367, Technical Overview, January 2002.
6. Robert H. Anderson.
Research and Development Initiatives Focused on Pre-
venting, Detecting, and Responding to Insider Misuse of Critical Defense In-
