L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

HE Wei,SUN Yuhai,SHA Xuejun,MENG Lirong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.08.064

2006-01-01

Abstract:This paper adopts multi-layer security model,integrates redundancy and variety architectures,makes use of integral security strategy and server-oriented intrusion tolerance architecture,realizes the survive and availability of database and the integrity and confidentiality of sensitive data.It can effectively resist malicious attacks with legal identity,and reduce the cost of security.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

Yawei Zhang,Xiaojun Ye,Feng Xie,Yong Peng

DOI: https://doi.org/10.1109/CIT.2009.69

2009-01-01

Abstract:Security mechanisms within DBMSs are far from effective to detect and prevent anomalous behavior of applications and intrusions from attackers. In fact, intrusions executed by unauthorized users to explore system vulnerabilities, and malicious database transactions executed by authorized users, both cannot be detected and prevented by typical security mechanisms. In this paper we proposed a database intrusion detection system architecture based on the database communication content detection mechanism. Implementation strategies for main components are detailed. Besides, we investigate several critical intrusion detection approaches used in the practice.

Yijia Cao

2008-01-01

Abstract:According to the development trend and present condition of security protection of power enterprise information integration,a security protection architecture of power enterprise information integration based on the technology of distributed intrusion tolerance with multi-level defense line is proposed.The intrusion tolerance strategies of the proposed architecture consist of following items:(A) the firewall is used as the fundamental protective measures;(B) at key nodes in non-realtime application network,the mobile agents are configured to implement on-line detection and tracking of internal and external intrusions;(C) after the intruder is successfully confirmed by intrusion detection system,according to the requirement of system security the honeypot technology based intrusion inducting system directionally inducts the locked invading flow,and the active defensive mode protects the legitimate system from invasion;(D) by means of slicing-scattering based distributed document management style,the resilient file system serves as the last defense line of enterprise memory system.Moreover,the key security protection problems pertinent to transverse and longitudinal information integration as well as the application of the technologies,such as mobile agents,honeypot,resilient file system and so on,in security protection system are analyzed.Finally,the application of the proposed secure protection architecture is briefly presented.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

Liang Cai,Xiaohu Yang,Jinxiang Dong

2001-01-01

Abstract:We briefly introduce the special characteristics of database security in information warfare and related researches, then emphasis the importance of antagonizing, malicious DBMS in information warfare. This paper suggests a threat model for malicious DBMS by carefully analyzing the possible security threats by malicious DBMS, then a database security architecture capable of antagonizing the malicious DBMS is proposed based on this threat model and the special requirements of critical applications in China. It can greatly improve the critical application's capability to antagonize malicious DBMS by incorporating, self-controlled authentication, principal / object mapping, transparent attribute encryption / decryption, attribute / tuple level mandatory access control, and parallel structure of multiple DBMSs.

Ke Chen,Gang Chen,Jinxiang Dong

DOI: https://doi.org/10.1007/11563952_79

2005-01-01

Abstract:Database intrusion detection has been an important research area in database security. It focuses on malicious transaction attacks, which cannot be handled by traditional database security mechanisms, such as authorization, access control, integrity control, and so on. Although there have appeared some intrusion detection systems, current researches on malicious transaction detection are limited in accuracy and efficiency. Inspired by natural immune system, we propose a novel immunity-based intrusion detection solution for database system in this paper. It provides an additional layer of defense against DBMS misuse, especially malicious transactions. The ability to learn and to adapt to the environment dynamically entitles the system to detect both known and unknown malicious transaction intrusions efficiently. Simulations show that the database intrusion detection system based on data immunity can accelerate detection of malicious transaction attacks and improve its accuracy without causing any other performance penalty.

Lu Yiwen,Zhang Guixu

DOI: https://doi.org/10.3969/j.issn.1000-386X.2009.01.016

2009-01-01

Abstract:Different from the traditional firewall and intrusion detection techniques,intrusion tolerance focuses on the survivability of system on condition that intrusion is somehow inevitable,thus preferably meeting the design requirements of the survivable system.A scheme based on intrusion tolerance for system design is proposed,which guarantees the continuity of key services by fault-tolerant techniques,and meanwhile,obtains the tradeoff between confidentiality and availability of key data by proactive secret sharing,so that the system can process high survivability under attacks and faults.

YUAN Chun,WEN Zhen-kun,ZHANG Ji-hong,ZHONG Yu-zhuo

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.023

2006-01-01

Abstract:Researchers on security database concern more and more the security threats from DBA(database administrator),for its resulting in increasing crime to internet commercial databases which exist in the mode of ASP(Application service provider) recently,and its theoretic and technical hardness.Traditional access control could not provide enough security for the purpose,cryptographic security database becomes a promising scheme favored by its computing complexity of mathematical difficulties.We analyse various and up to date security threats to distributed database application systems,and give an overview for cryptographic access control and encryption database technology.Each class and approach is described and evaluated with its cryptographic principle,algorithm characters and positive and negative performance.We focus on the term of cryptanalysis of the schemes,which is considered the crucial points of the technology.

Fang Zhou,Hua Sun,Xuefeng Zheng

DOI: https://doi.org/10.1109/NSWCTC.2010.250

2010-01-01

Abstract:To improve the ability of system providing service when encounter malicious invasion, a new model of tolerance invasion system is given based on dynamic threshold encryption. The real-time detection of the model is realized by the Collaboration between servers and hosts. The sensitive data in the system apply dynamic threshold encryption, and can change their share with the distribution. The model has such as distribution, self-adaptability, fault tolerance, dynamic and expansibility features to ensure that the system has a higher level of safety.

Cai Liang,Yang Xiao-hu,Dong Jin-xiang

DOI: https://doi.org/10.1631/jzus.2003.0287

2003-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Database Security and Protection System (DSPS) is a security platform for fighting malicious DBMS. The security and performance are critical to DSPS. The authors suggested a key management scheme by combining the server group structure to improve availability and the key distribution structure needed by proactive security. This paper detailed the implementation of proactive security in DSPS. After thorough performance analysis, the authors concluded that the performance difference between the replicated mechanism and proactive mechanism becomes smaller and smaller with increasing number of concurrent connections; and that proactive security is very useful and practical for large, critical applications.

PENG Pai,Dai Yiqi,Li Wujun

DOI: https://doi.org/10.3321/j.issn:1000-0054.2001.01.024

2001-01-01

Abstract:Encrypted databases are an effective method to realize database security. The data encrypt ion prevents intruders from stealing or tampering with crucial information. A design scheme for a network encrypted database is developed using the principles of database encryption and the request for secure data transmission in an open network, using Microsoft's ODBC (open database connectivity). The scheme makes changes in existing database systems and introduces the mechanisms of databaseen cryption and secret key management. It also implements authentication and encrypted data transmission by adding a secure proxy to normal database accessing flow.

Lina Gong,Li Zhang,Wei Zhang,Xuhong Li,Xia Wang,Wenwen Pan

DOI: https://doi.org/10.1063/1.4981623

2017-01-01

AIP Conference Proceedings

Abstract:With the development of computer network and the popularization of information system, the security of databases, as platforms for centralized storage and sharing of information system data, has increasingly become a serious problem in the field of information security, so data encryption technology has come into people's sight. However, the current data encryption technology still has certain shortcomings, such as the inconsistency of the code text of the encryption and decryption technology, and the low efficiency of decoding and encryption. The purpose of this paper is to study the application of data encryption technology in computer network communication to provide better suggestions and explore better methods for improving network communication security system. This article, through the analysis of the database threat model and database application system structure, puts forward a design scheme of database encryption system model. A complete database encryption system can be divided into five logic modules: a key storage module, key engine module, key information module, key management module, and data storage module, and provides an in-depth analysis of the various parts and implementation details related to these modules. Finally, the designed encryption system model is programmed to be implemented; with the help of online examination system, the function and performance of the encryption system were tested; and the transmission efficiency of data encryption is maintained at more than 95%, which proves the effectiveness of the system.

安然,陈驰,徐震

2009-01-01

Abstract:To overcome the shortcoming of encryption mechanism that the existing commercial database system provide,such as not transparent to application layer,security administrator can't separate from the DBA,the lack of key management system.A middleware of database encryption is designed and realized,is applied between the upper application and the database system,and the transparent data encryption/decryption and independent key management system are provided,finally the encryption management is separated from the DBA.

Li-zhong Geng,Hui-bo Jia

DOI: https://doi.org/10.1109/IAS.2009.100

2009-01-01

Abstract:Rapid increase of information resources speeds the development of network storage. And security of network storage satisfies the demands of privacy and safety of the information. Data encryption and personal identity authentication which are based on cryptography can protect the storage against non-authorized access, while they are ineffective for malicious authorized users and inherent attacks. Also heavy performances affect the control of storage. This paper demonstrates an efficient intrusion detection system model for network-attached storage based on system calls and improves the Process Homeostasis to realize the implementation. The experimental results demonstrate high detection rate and low false detection rate. The total performance is about 3% additions when the detection system is running normally.

Bai Wen-yang

2010-01-01

Abstract:This paper proposed a distributed architecture for secure database service which could provide both efficient privacy protection and query processing. Based on the algorithms of automatic quasi-identifiers detection,partitioned the client data across many logically independent database servers vertically,while only encrypted few sensitive data. The client executed queries by transmitting appropriate sub-queries to different databases based on metadata. The experimental results show that this method is well-balanced on dealing with the contradiction between data privacy protection and efficient query processing.

Bai Wen-yang

2010-01-01

Abstract:The development of modern information technology and digitalization of the daily lives brings security database new challenges. It is necessary for a security database to provide access control and privacy protection mechanism to ensure the legal use of data and to prevent privacy breach. This paper introduced an integrated security model which could provide the functions of privacy protection and access control simultaneously by building the connection between the validity of query in parameterized authorization view model and the suspiciousness of a conjunctive select-project-join query in online query audit model, it also designed a polynomial time detecting algorithm and two incorporating frameworks for the integrated model to provide higher performance and fine-grained access control in modern database systems.

王德强,张锐,谢立,宋娇

DOI: https://doi.org/10.3969/j.issn.1002-137X.2002.12.004

2002-01-01

Computer Science

Abstract:Being an important part of Information System, Database Security has absorbed much attention fordecades. First, we bring forth the Database Security's contents, properties of data: sensitivity, integrity and availabil-ity. Several access control models to guarantee these properties are described in this paper. Due to the challengesbrought by advanced DBMSs such as OODBMS and ADBMS, we also discuss some security topics in these fields. Atthe end of this paper, the encryption control and inference control are reviewed together with some trend of thedatabase security technology in the future.

Qin Jun,Wang Zhengfei,Tan Zijing,Wang Wei,Shi Bole

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.002

2006-01-01

Abstract:The protection of sensitive data in database is an important aspect on information security.It becomes more and more exigent to incorporate security features into DBMS.In this paper,a methed is presented that makes DBMS support database encryption by modifying the implementation of DBMS.This method doesn't affect the functionality of DBMS and decreases the performance of DBMS little.This paper also presents correlative key management architecture that makes the management of key secure and effective.Finally,the performance of database encryption is assessed by experimenting on TPC-H data set.