L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

ZHENG Yu-shan,DENG Zheng-hong

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.22.032

2008-01-01

Abstract:Beside security problems of the database itself,DBAS's insecurity exists in three dimensions: Database site's insecurity factor,database application vulnerabilities,and dangers of sensitive data in the database.To solve the above three problems,a multi-level architecture is presented,which protect database application system security,and every level's function module is designed in this architecture.DBAS defensive system is divided into three levels: Decision-support level,code level,and data encryption level.Firstly,the system enhance security of database site,then ensure database application robustness and security,last ensure data of database security.

Cai Liang,Yang Xiao-hu,Dong Jin-xiang

DOI: https://doi.org/10.1631/jzus.2003.0287

2003-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Database Security and Protection System (DSPS) is a security platform for fighting malicious DBMS. The security and performance are critical to DSPS. The authors suggested a key management scheme by combining the server group structure to improve availability and the key distribution structure needed by proactive security. This paper detailed the implementation of proactive security in DSPS. After thorough performance analysis, the authors concluded that the performance difference between the replicated mechanism and proactive mechanism becomes smaller and smaller with increasing number of concurrent connections; and that proactive security is very useful and practical for large, critical applications.

Haoqi Wu,Zhengxuan Yu,Dapeng Huang,Haodong Zhang,Weili Han

DOI: https://doi.org/10.1109/trustcom50675.2020.00075

2020-01-01

Abstract:The state-of-the-art database-backed web applications usually assign full privileges to connections between applications and data sources. This phenomenon, which would enable a malicious attacker to easily compromise the applications through arbitrarily manipulating the data sources without the restriction of privileges, seriously breaks the principle of least privilege (PLP), a fundamental law of system security. Motivated to counter this problem, we propose a framework PDA (PLP over Data source Access) to automatically enforce this principle over data source access based on application-driven privilege separation. Our proposed PDA contributes from the following aspects: i) PDA achieves the privilege separation by intercepting database queries and enforcing privileged connections to database for each database query; ii) PDA can effectively defend against SQL-based vulnerabilities including buggy queries and SQL injection attacks. Lastly, we evaluate PDA on a widely used application platform, JForum, to demonstrate the effectiveness of PDA with a promising performance overhead of 8.13%.

Bai Wen-yang

2010-01-01

Abstract:The development of modern information technology and digitalization of the daily lives brings security database new challenges. It is necessary for a security database to provide access control and privacy protection mechanism to ensure the legal use of data and to prevent privacy breach. This paper introduced an integrated security model which could provide the functions of privacy protection and access control simultaneously by building the connection between the validity of query in parameterized authorization view model and the suspiciousness of a conjunctive select-project-join query in online query audit model, it also designed a polynomial time detecting algorithm and two incorporating frameworks for the integrated model to provide higher performance and fine-grained access control in modern database systems.

Qin Jun,Wang Zhengfei,Tan Zijing,Wang Wei,Shi Bole

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.12.002

2006-01-01

Abstract:The protection of sensitive data in database is an important aspect on information security.It becomes more and more exigent to incorporate security features into DBMS.In this paper,a methed is presented that makes DBMS support database encryption by modifying the implementation of DBMS.This method doesn't affect the functionality of DBMS and decreases the performance of DBMS little.This paper also presents correlative key management architecture that makes the management of key secure and effective.Finally,the performance of database encryption is assessed by experimenting on TPC-H data set.

YU Yong-hong,BAI Wen-yang

DOI: https://doi.org/10.3724/sp.j.1087.2011.00110

2011-01-01

Journal of Computer Applications

Abstract:Currently in outsourced database service,to consider a unilateral protection technology outsourcing is difficult to meet the security requirements of the lack of a database.In this paper,the authors proposed a solution to enforce data confidentiality,data privacy,user privacy and access control over outsourced database services.The approach started from a flexible definition of privacy constraints on a relational schema,applied encryption on information in a parsimonious way and mostly relied on attribute partition to protect sensitive information.Based on the approximation algorithm for the minimal encryption attribute partition with quasi-identifier detection,the approach allowed storing the outsourced data on a single database server and minimizing the amount of data represented in encrypted format.Meanwhile,by applying cryptographic technology on the auxiliary random server protocol,the approach can solve the problem of private information retrieval to protect user privacy and access control.The theoretical analysis shows that the new model can provide efficient data privacy protection and query processing,efficient in computational complexity and does not increase the cost of communication complexity of user privacy protection and access control.

Liang Cai,Xiaohu Yang,Jinxiang Dong

2001-01-01

Abstract:We briefly introduce the special characteristics of database security in information warfare and related researches, then emphasis the importance of antagonizing, malicious DBMS in information warfare. This paper suggests a threat model for malicious DBMS by carefully analyzing the possible security threats by malicious DBMS, then a database security architecture capable of antagonizing the malicious DBMS is proposed based on this threat model and the special requirements of critical applications in China. It can greatly improve the critical application's capability to antagonize malicious DBMS by incorporating, self-controlled authentication, principal / object mapping, transparent attribute encryption / decryption, attribute / tuple level mandatory access control, and parallel structure of multiple DBMSs.

Ingrid A. Buckley,Fan Wu

DOI: https://doi.org/10.14569/ijacsa.2014.050607

IF: 0.9

2014-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Databases are an important and almost mandatory means for storing information for later use. Databases require effective security to protect the information stored within them. In particular access control measures are especially important for cloud databases, because they can be accessed from anywhere in the world at any time via the Internet. The internet has provided a plethora of advantages by increasing accessibility to various services, education, information and communication. The internet also presents challenges and disadvantages, which include securing services, information and communication. Naturally, the internet is being used for good but also to carry out malicious attacks on cloud databases. In this paper we discuss approaches and techniques to protect cloud databases, including security policies which can realized as security patterns.

ZHANG Ke,LI Yongzhen

DOI: https://doi.org/10.1088/1742-6596/2005/1/012004

2021-08-01

Journal of Physics: Conference Series

Abstract:Abstract The company's data leakage has always been a very serious problem. Many of the leaked data is the user's personal privacy data, which will bring a lot of trouble to users. In order to improve the security of the storage and use of personal private information in the database, two methods of lightweight private information encryption and social engineering anonymization are proposed to protect database information. We compare the proposed method with the application layer encryption and pre encryption methods. The experimental results show that the proposed method can effectively protect the user's personal privacy data, and can detect and recover the privacy data when managers need it. The storage efficiency of the three methods is close. Therefore, it has good application value in privacy protection.

YongHong Yu,Wenyang Bai

2010-01-01

Journal of Computational Information Systems

Abstract:Privacy requirements have an increasing impact on the real-world applications. Technical considerations and many significant commercial and legal regulations demand that privacy guarantees be provided whenever sensitive information is stored, processed, or communicated to external partied. In this paper, we propose a solution to enforce data confidentiality, data privacy, user privacy and access control over outsourced database services. The approach starts from a flexible definition of privacy constraints on a relational schema, applies encryption on information in a parsimonious way and mostly relies on attribute partition to protect sensitive information. Based on the approximation algorithm for the minimal encryption attribute partition with quasi-identifier detection, the approach allow storing the outsourced data on a single database server and minimizing the amount of data represented in encrypted format. Meanwhile, by applying cryptographic technology on the auxiliary random server protocol, the approach can solve the problem of private information retrieval to protect data privacy, user privacy and access control on outsourced database services. The theoretical analysis shows that our new model can provide efficient data privacy protection and query processing, efficient in computational complexity and does not increase the cost of communication complexity of user privacy protection and access control. Copyright © 2010 Binary Information Press.

Li-ming DONG,Hong-jun HE,Li LUO,Xiu-xiong HE

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.18.025

2009-01-01

Abstract:The main harm that computer virus and spyware do to people is stealing or modifies people's important data,nowadays protect method such as safety software and firewall etc.couldn't provide real time and full-scale protect,there always some malicious software could escape or bypass checking through disguise themselves or cheating safety software.To this question,this paper put forward a method which could provide real time protection to personal important data against malicious software.Unlike traditional protect method,this method didn't stay on software's codes and behaviors when identifying their validity;instead,this method deem user's authentication as standard,all the file access request should be authorized by user and those requests which without user 's authorization are deemed as invalidate.So even if malicious software has escaped checking,they still couldn 't get user's authorization,and then couldn't achieve its intention.The implementation of the method in Windows XP and tests indicate this method has little effect to system performance and could provide real time protection to user's data even system compromised.

Yong Zhang

DOI: https://doi.org/10.1109/EEBDA56825.2023.10090574

2023-02-24

Abstract:This paper innovatively proposes a database access information security management method under the big data platform. This paper first designs and implements a network information security management system based on B/S architecture. The system consists of a safety management platform management center, a WEB console, an agency center and a processing center. At the same time, the system covers a total of five sub-modules including security monitoring management, security policy management, event analysis and processing, security incident response and system management. Secondly, this paper constructs an attribute-based multi-authorization encryption system, which reduces the number of matching operations and improves the efficiency of password utilization. Then, this paper builds a user hierarchical role key tree in the big data platform user role authentication center, and describes the relationship between the big data platform user role and the encryption key of extremely sensitive information. Finally, simulation experiments are carried out in this paper. The results show that the establishment of the encryption system enhances the security of web page access information, and realizes the security management of information platform access information under the big data platform.

Computer Science

YUAN Chun,WEN Zhen-kun,ZHANG Ji-hong,ZHONG Yu-zhuo

DOI: https://doi.org/10.3321/j.issn:0372-2112.2006.11.023

2006-01-01

Abstract:Researchers on security database concern more and more the security threats from DBA(database administrator),for its resulting in increasing crime to internet commercial databases which exist in the mode of ASP(Application service provider) recently,and its theoretic and technical hardness.Traditional access control could not provide enough security for the purpose,cryptographic security database becomes a promising scheme favored by its computing complexity of mathematical difficulties.We analyse various and up to date security threats to distributed database application systems,and give an overview for cryptographic access control and encryption database technology.Each class and approach is described and evaluated with its cryptographic principle,algorithm characters and positive and negative performance.We focus on the term of cryptanalysis of the schemes,which is considered the crucial points of the technology.

田秀霞,王晓玲,高明,周傲英

DOI: https://doi.org/10.3724/sp.j.1001.2010.03746

2010-01-01

Journal of Software

Abstract:This paper gives a summary of the secure and privacy preserving in database as a service (DaaS) from five primary techniques such as data confidentiality, data integrity, data completeness, query privacy preserving and access control policy. Data confidentiality is analyzed from the encrypted-based and division-based aspects; Data integrity and data completeness focus on the signature-based, challenge-response and probability-based aspects; Query privacy preserving and access control policy are analyzed mainly from exist problems. Finally, this paper gives the future research directions, existing problems and challenges of DaaS in the security and privacy preserving.

ZOU Zu-jun,YANG Fan

DOI: https://doi.org/10.3969/j.issn.1671-0428.2013.06.011

2013-01-01

Abstract:Security of database system as the base of information system is an emphases that can't be wriggled in the process of information.This paper briefly introduce the structure,constitutes of one database system and its existing design of security,and analyses the demand of safety control in actual,then bring forward the measure improved by adding system security control mechanism,improving system hardware configuration,establishing feasible backup policy,and perfecting administer system.

ZHOU Jing-Li,WANG Xiao-Feng,YU Sheng-Sheng,XIA Hong-Tao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2006.11.019

2006-01-01

Computer Science

Abstract:SQL injection, which is a popular and easy to carry out method of remote attacks, poses a major thread to application level security. In this paper, we introduce Pre-analysis of SQL syntax, a fire-new policy to detect and prevent SQL injection attacks. First, all SQL injection attacks are categorized into some classes and for each class a specified syntagma is abstracted and recorded. Then, the user input is picked up and embedded into prepared SQL sentences. Finally, these embedded SQL sentences are syntactically checked. Any find of underlying syntagma recorded as SQL injection tells a SQL injection attack. The implementation of new policy needs neither modification to Web program codes nor any patch to software of server platform. Experiments prove that new policy provides close to perfect detection rate and avoids the conflict between low false positive rate and low false negative rate.

Zongda Wu,Guandong Xu,Chenglang Lu,Enhong Chen,Fang Jiang,Guiling Li

DOI: https://doi.org/10.1007/s11280-017-0491-8

2017-01-01

World Wide Web

Abstract:Due to the advantages of pay-on-demand, expand-on-demand and high availability, cloud databases (CloudDB) have been widely used in information systems. However, since a CloudDB is distributed on an untrusted cloud side, it is an important problem how to effectively protect massive private information in the CloudDB. Although traditional security strategies (such as identity authentication and access control) can prevent illegal users from accessing unauthorized data, they cannot prevent internal users at the cloud side from accessing and exposing personal privacy information. In this paper, we propose a client-based approach to protect personal privacy in a CloudDB. In the approach, privacy data before being stored into the cloud side, would be encrypted using a traditional encryption algorithm, so as to ensure the security of privacy data. To execute various kinds of query operations over the encrypted data efficiently, the encrypted data would be also augmented with additional feature index, so that as much of each query operation as possible can be processed on the cloud side without the need to decrypt the data. To this end, we explore how the feature index of privacy data is constructed, and how a query operation over privacy data is transformed into a new query operation over the index data so that it can be executed on the cloud side correctly. The effectiveness of the approach is demonstrated by theoretical analysis and experimental evaluation. The results show that the approach has good performance in terms of security, usability and efficiency, thus effective to protect personal privacy in the CloudDB.

Xiaosong Zhang,Fei Liu,Ting Chen,Hua Li

DOI: https://doi.org/10.1109/cis.2009.107

2009-01-01

Abstract:Traditional data leakage prevention strategies encompass access control, audit logon and authority management. They have some effects on preventing sensitive information from leakage, while the system’ s availability may be degraded seriously by their limitation. To solve this problem, a novel model based on Windows file system filter driver is proposed in this paper, in which system encrypts files automatically according to encryption strategies. Leaking confidential information out of enterprise environment, intentionally or unintentionally, will be prevented effectively. Moreover, it has the characteristic of mandatory and transparent encryption, which can compromise the contradiction between data security and user flexibility.

Yawei Zhang,Xiaojun Ye

DOI: https://doi.org/10.1109/ISPA.2008.28

2008-01-01

Abstract:Inspired by rule-based access control models, this paper proposes a universal policy model and an access protection framework to secure dataspace. The key components and processes for this framework, policy organization, policy indexing and two resource searching strategies with access decision-making, are illustrated and experimented to harmonize the contradiction between security and efficiency.