Databases Reference
In-Depth Information
Quaran-
tined
Good
Corrupted
Detected
Repaired
Marked
Fig. 6.
DQR System State Transition
version can be much fresher than another clean version of the same data
object.
•
C3: Data Consistency
Violation of serializability can compromise data
consistency no matter the history is multi-versioned or not.
•
C4: Rewarding Availability
The more clean or cleaned data objects are
made accessible to new transactions, the more
rewarding
availability (or
business continuity) is achieved. The more rewarding availability, the less
denial-of-service will be caused.
•
C5: Hurting Availability
The more corrupted data objects are made
accessible to new transactions, the more
hurting
availability is yielded.
Because hurting availability will hurt data integrity and spread the dam-
age, hurting availability is worse than letting the corrupted objects be
quarantined.
An important finding gained in reliability evaluation research (e.g., [34,
79]) is that state transition models may play a big role in quality evaluation.
A state transition model specific for DQR systems can be the model shown
in Figure 6, where in terms of any portion of the application (e.g., a set of
data objects), the system has 6 basic states: they are self explanatory except
that the 'M' state means that the portion is Marked as damaged. Ignoring the
'Q' state, we could measure Dirtiness by
(MTTC+MTTM+MTTR)/(MTTC+
MTTD+MTTM+MTTR)
; and Rewarding Availability by
(MTTC+MTTR)/
(MTTC+MTTD+MTTM+MTTR)
. In [80], this idea is well justified in the con-
text of intrusion tolerant database systems through Continuous Time Markov
Chain based state transition model analysis and prototype experiments based
validation.
5 Remaining Research Issues and Concluding Remarks
Although DQR is not a new concept, existing attack (or intrusion) recovery
research activities (see Section 4) are still quite limited in satisfying the DQR
needs of real world applications, for the following reasons: (1) A theoretic
understanding of the correctness and quality of DQR schemes is still missing in
the literature. Since classic failure recovery theories cannot handle quarantine
