queries and database updates. It records the query string and relevant contextual information (identity, time, purpose, and recipient) in a query log. It then records all updates, inserts, and deletions over source tables as insertions into backlog tables, which can be populated using database triggers or existing replication features. Together, the query log and the backlog tables are sufficient to track past disclosures, because any previous database state can be reconstructed from them. Because HDB auditing incurs no per-result cost for read queries (only the query string is logged, not the rows it returned), it requires much lower storage overhead than result-logging systems.
HDB allows enterprises to formulate declarative "audit expressions," using a flexible query-like audit language, to specify the information they would like to audit. At audit time, HDB performs a static analysis of the logged queries to select a subset of candidate queries for further analysis. A candidate query is deemed suspicious if it shares an "indispensable tuple" with the audit expression, that is, a tuple whose removal from the database would have changed the query's result. The system combines and transforms the candidate queries into a single SQL audit query, which it runs against the backlog tables to determine which queries accessed the data specified by the audit expression. For each suspicious query, the audit results reveal the requestor's identity, time, purpose, recipient, and the actual information disclosed (Figure 4). This powerful and efficient auditing capability allows enterprises to investigate and account for past disclosures of information and to verify compliance with policies, even if the information has been updated since the disclosure.
[Figure 4: architecture diagram. Inputs: "Query with purpose", "Updates, inserts, deletes", and "Audit query" enter the Audit Interface, which generates an audit record for each query in the Query Audit Log. The Database Layer holds the Data Tables and the Backlog, populated by DB triggers or replication.]

Query Audit Log (as drawn in the figure):

  ID  Timestamp  Query     User         Purpose    Recipient
  1   2006-02…   Select …  Dr. Jones    Treatment  Dr. Jones
  2   2006-02…   Select …  Dr. Roberts  Treatment  Dr. Roberts

Fig. 4. Generic HDB Compliance Auditing Architecture
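The flow of Fig. 4, as an added, self-contained example written for this page (not code from the HDB project or the authors): a query log with identity, purpose and recipient; a backlog table filled by database triggers; reconstruction of the table as of any logged timestamp; and the indispensable-tuple test applied to each candidate query. The `patients` table, the logical `clock` table, the sample rows and the doctors' queries are all constructed for illustration. Two simplifications are assumptions of this example, not HDB's design: candidate selection is a substring check rather than real static analysis, and instead of rewriting the candidates into one SQL audit query, each candidate is simply re-executed on the reconstructed state with and without each audited tuple.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema: one source table, its backlog, the query log and a logical
# clock (so the timestamps in this example are deterministic).
SCHEMA = """
CREATE TABLE clock (now INTEGER);
INSERT INTO clock VALUES (0);
CREATE TABLE patients (pid INTEGER PRIMARY KEY, name TEXT, disease TEXT);
CREATE TABLE patients_backlog (
  seq INTEGER PRIMARY KEY AUTOINCREMENT, ts INTEGER, op TEXT,
  pid INTEGER, name TEXT, disease TEXT);
CREATE TABLE query_log (
  id INTEGER PRIMARY KEY AUTOINCREMENT, ts INTEGER, query TEXT,
  user TEXT, purpose TEXT, recipient TEXT);
-- Triggers turn every insert/update/delete into a backlog insertion.
CREATE TRIGGER bl_i AFTER INSERT ON patients BEGIN
  INSERT INTO patients_backlog(ts, op, pid, name, disease)
  VALUES ((SELECT now FROM clock), 'I', NEW.pid, NEW.name, NEW.disease); END;
CREATE TRIGGER bl_u AFTER UPDATE ON patients BEGIN
  INSERT INTO patients_backlog(ts, op, pid, name, disease)
  VALUES ((SELECT now FROM clock), 'U', NEW.pid, NEW.name, NEW.disease); END;
CREATE TRIGGER bl_d AFTER DELETE ON patients BEGIN
  INSERT INTO patients_backlog(ts, op, pid, name, disease)
  VALUES ((SELECT now FROM clock), 'D', OLD.pid, OLD.name, OLD.disease); END;
"""

@dataclass
class AuditExpr:
    """Audit expression: which columns of which table, for which tuples."""
    table: str
    columns: list
    where: str  # predicate written by the auditor; it is interpolated into SQL below

def tick(db, t):
    db.execute("UPDATE clock SET now = ?", (t,))

def run_logged(db, sql, user, purpose, recipient):
    """Audit interface: record the query string and its context, then run it."""
    ts = db.execute("SELECT now FROM clock").fetchone()[0]
    db.execute("INSERT INTO query_log(ts, query, user, purpose, recipient) "
               "VALUES (?,?,?,?,?)", (ts, sql, user, purpose, recipient))
    return db.execute(sql).fetchall()

def rows_at(db, ts):
    """Reconstruct `patients` as of ts: latest backlog version per pid, unless deleted."""
    return db.execute("""
        SELECT b.pid, b.name, b.disease FROM patients_backlog b
        WHERE b.ts <= ? AND b.op != 'D'
          AND b.seq = (SELECT MAX(seq) FROM patients_backlog
                       WHERE pid = b.pid AND ts <= ?)""", (ts, ts)).fetchall()

def snapshot(rows):
    """Load a reconstructed state into a scratch database so logged SQL can be re-run."""
    snap = sqlite3.connect(":memory:")
    snap.execute("CREATE TABLE patients (pid INTEGER PRIMARY KEY, name TEXT, disease TEXT)")
    snap.executemany("INSERT INTO patients VALUES (?,?,?)", rows)
    return snap

def is_candidate(sql, ae):
    """Crude stand-in for the static analysis: the query must name the audited
    table and at least one audited column (or use '*')."""
    s = sql.lower()
    return ae.table.lower() in s and ("*" in s or any(c.lower() in s for c in ae.columns))

def audit(db, ae):
    """A candidate is suspicious if some audited tuple is indispensable to it:
    removing that tuple from the state at query time changes the query's result."""
    findings = []
    for qid, ts, sql, user, purpose, recipient in db.execute(
            "SELECT id, ts, query, user, purpose, recipient FROM query_log").fetchall():
        if not is_candidate(sql, ae):
            continue
        rows = rows_at(db, ts)
        baseline = sorted(snapshot(rows).execute(sql).fetchall())
        audited = snapshot(rows).execute(
            f"SELECT pid, {', '.join(ae.columns)} FROM {ae.table} WHERE {ae.where}").fetchall()
        disclosed = []
        for pid, *vals in audited:
            without = sorted(snapshot([r for r in rows if r[0] != pid]).execute(sql).fetchall())
            if without != baseline:
                disclosed.append(tuple(vals))  # audited values this query depended on
        if disclosed:
            findings.append({"id": qid, "ts": ts, "user": user, "purpose": purpose,
                             "recipient": recipient, "disclosed": disclosed})
    return findings

def demo():
    """Constructed history: Dr. Jones reads Bob's diagnosis; it is later updated."""
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.executescript(SCHEMA)
    tick(db, 1)
    db.executemany("INSERT INTO patients VALUES (?,?,?)",
                   [(1, "Alice", "flu"), (2, "Bob", "cancer")])
    tick(db, 2)
    run_logged(db, "SELECT name, disease FROM patients WHERE disease = 'cancer'",
               "Dr. Jones", "Treatment", "Dr. Jones")
    run_logged(db, "SELECT name FROM patients", "Dr. Roberts", "Treatment", "Dr. Roberts")
    tick(db, 3)
    db.execute("UPDATE patients SET disease = 'remission' WHERE pid = 2")
    tick(db, 4)
    run_logged(db, "SELECT name, disease FROM patients WHERE disease = 'cancer'",
               "Dr. Roberts", "Treatment", "Dr. Roberts")
    # Audit expression: who disclosed Bob's disease, and which value did they see?
    return audit(db, AuditExpr("patients", ["disease"], "name = 'Bob'"))
```

Running `demo()` reports only query 1 (Dr. Jones, purpose Treatment, disclosed value `cancer`): query 2 never references the audited column and is dropped by candidate selection, and query 3, although textually identical to query 1, ran after the update, so on the reconstructed state Bob's tuple is no longer indispensable to it. Two practical caveats: the audit expression is spliced into SQL, so it must come from the auditor and never from untrusted input; and re-executing every candidate is only acceptable at this toy scale, which is exactly why HDB rewrites the candidates into a single audit query over the backlog instead.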