account) is typically the way they attack. Based on the study by [10], most
(application level) attacks are from insiders. Besides insider attacks, (a) identity
theft may literally “transform” an outsider into an insider. (b) SQL injection
attacks, though currently most used to steal sensitive information, have full
capability to maliciously update data objects. (c) Five out of the top six web
application vulnerabilities identified by OWASP [11] may enable the attacker
to launch a malicious transaction. They are unvalidated input, broken access
control, broken authentication and session management, cross site scripting
(which helps the attacker to steal user names and passwords), and injection
flaws. (d) Finally, erroneous transactions caused by user/operator mistakes
instead of attacks are yet another major threat to data integrity.
The intrusion detection assumption: We assume that a set of external
intrusion detection sensors will do their job and tell us which operations (or
transactions) were malicious or which data objects were originally corrupted
by the attack. These sensors may be network-level (e.g., [12]), host-level
(e.g., [13]), database-level (e.g., [14]) or transaction-level (e.g., [15, 16])
intrusion detection sensors. They may enforce misuse detection (e.g., [17]),
anomaly detection (e.g., [18, 19]), or specification-based (e.g., [20, 21])
detection mechanisms. We assume these sensors are usually associated with false
positives, false negatives, and detection latency. Finally, sensors that detect
data corruption (e.g., [22, 23, 24]) may also be used.
Remark: Although some intrusion detection sensors could raise a good
number of false positives or false negatives, the alarms raised by many
intrusion/error detection sensors can actually be verified before any DQR
operation is performed. (In this way, the negative impact of false positives and false
negatives on the correctness/quality of DQR may be avoided.) For example,
(a) most user/operator mistakes can be easily verified by the operation audit
trails. (b) Many data corruption detectors have 100% accuracy. (c) When a
strong correlation is found between one alert X and some other alerts, alert
X may be verified as a true intrusion.
2.3 The DQR Problem/Solution Space
In our view, the DQR problem is a 6-dimensional problem:
(1) The damage propagation dimension explains why cascading effects can
be caused and why quarantine is needed. Although some specific types of
damage (e.g., when an individual credit card account is corrupted) could
be self-contained, a variety of damage types are actually very infectious due
to data sharing, interdependencies, and interoperability between business
processes and applications. For example, in a travel assistant Web Service,
if a set of air tickets are reserved due to malicious transactions, some other
travelers may have to change their travel plans in terms of which airlines
to fly with, which nights to stay in a hotel, etc. Furthermore, the changed travel
plans can cause cascading effects to yet another group of travelers; and
the propagation may go on and on.
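
The cascade described in (1) can be traced mechanically once sensors have flagged the malicious transactions. The following sketch is an added example, not code from the original text. It assumes a commit-ordered log in which each transaction records the objects it read and wrote; `Txn`, `damage_closure`, `SAMPLE_LOG` and the object names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    tid: str
    reads: frozenset   # objects read (assumed to capture every data dependency)
    writes: frozenset  # objects written

def damage_closure(log, malicious):
    """Scan a commit-ordered log; return (affected txn ids, corrupted objects)."""
    dirty, affected = set(), []
    for t in log:
        if t.tid in malicious or t.reads & dirty:
            # Flagged by a sensor, or computed from a corrupted value:
            # everything this transaction wrote is suspect.
            affected.append(t.tid)
            dirty |= t.writes
        else:
            # Clean inputs only: its writes replace any corrupted values.
            dirty -= t.writes
    return affected, dirty

def T(tid, reads, writes):
    return Txn(tid, frozenset(reads), frozenset(writes))

# Constructed log modelled on the travel example above.
SAMPLE_LOG = [
    T("T1", ["seats:F100"], ["seats:F100"]),                            # malicious reservation
    T("T2", ["seats:F100", "seats:F200"], ["seats:F200", "hotel:H1"]),  # traveler rebooks
    T("T3", ["seats:F200", "seats:F300"], ["seats:F300"]),              # second-order effect
    T("T4", ["hotel:H9"], ["hotel:H9"]),                                # unrelated booking
    T("T5", ["ledger:H1"], ["hotel:H1"]),                               # clean rebuild of hotel:H1
]

if __name__ == "__main__":
    affected, dirty = damage_closure(SAMPLE_LOG, malicious={"T1"})
    print("quarantine/repair:", affected)
    print("still corrupted:  ", sorted(dirty))
```

Only T1 is reported by the sensor, yet T2 and T3 must also be repaired because each read a value the damage had already reached; T4 is untouched, and T5 overwrites one corrupted object from clean inputs.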