Abstract
We propose an access control model specifically developed to support fine-grained response actions, such as request suspension and request tainting, in the context of an anomaly detection system for databases. To achieve such response semantics, the model introduces the concept of privilege states and orientation modes in the context of a role-based access control system. The central idea in our model is that privileges, assigned to a user or role, have a state attached to them, thereby resulting in a privilege states based access control (PSAC) system. In this paper, we present the design details and a formal model of PSAC tailored to database management systems (DBMSs). PSAC has been designed to also take into account role hierarchies that are often present in the access control models of current DBMSs. We have implemented PSAC in the PostgreSQL DBMS and in the paper, we discuss relevant implementation issues. We also report experimental results concerning the overhead of the access control enforcement in PSAC. Such results confirm that our design and algorithms are very efficient.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Access control lists in win32 (June 7, 2009), http://msdn.microsoft.com/en-us/library/aa374872VS.85.aspx
Incits/iso/iec 9075. sql-99 standard (January 2, 2009), http://webstore.ansi.org/
Nfs version 4 minor version 1 (June 7, 2009), http://www.ietf.org/internet-drafts/draft-ietf-nfsv4-minorversion1-29.txt
Oracle database security guide 11g release 1 (11.1) (January 2, 2009), http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/toc.htm
The postgresql global development group. postgresql 8.3 (June 7, 2009), http://www.postgresql.org/
Postgresql global development group. postgresql 8.3 documentation (January 2, 2009), http://www.postgresql.org/docs/8.3/static/sql-grant.html
Sql server 2008 books online. identity and access control (database engine) (January 2, 2009), http://msdn.microsoft.com/en-us/library/bb510418SQL.100.aspx
Bertino, E., Kamra, A., Terzi, E., Vakali, A.: Intrusion detection in rbac-administered databases. In: ACSAC, pp. 170–182. IEEE Computer Society, Los Alamitos (2005)
Bertino, E., Samarati, P., Jajodia, S.: An extended authorization model for relational databases. IEEE Transactions on Knowledge and Data Engineering 9(1), 85–101 (1997)
Bertino, E., Sandhu, R.: Database security-concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing 2(1), 2–19 (2005)
Chandramouli, R., Sandhu, R.: Role based access control features in commercial database management systems. In: National Information Systems Security Conference, pp. 503–511
Crampton, J.: Understanding and developing role-based administrative models. In: ACM Conference on Computer and Communications Security, pp. 158–167 (2005)
Foo, B., Glause, M., Modelo-Howard, G., Wu, Y.-S., Bagchi, S., Spafford, E.H.: Information Assurance: Dependability and Security in Networked Systems. Morgan Kaufmann, San Francisco (2007)
Kamra, A., Bertino, E.: Design and implementation of a intrusion response system for relational database. IEEE Transactions on Knowledge and Data Engineering, TKDE (to appear 2010)
Kamra, A., Bertino, E., Terzi, E.: Detecting anomalous access patterns in relational databases. The International Journal on Very Large Data Bases, VLDB (2008)
Patcha, A., Park, J.-M.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks 51(12), 3448–3470 (2007)
Pusara, M., Brodley, C.E.: User re-authentication via mouse movements. In: ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC), pp. 1–8. ACM, New York (2004)
Sandhu, R., Ferraiolo, D., Kuhn, R.: The nist model for role-based access control: Towards a unified standard. In: ACM Workshop on Role-based Access Control, pp. 47–63 (2000)
Somayaji, A., Forrest, S.: Automated response using system-call delays. In: Proceedings of the 9th USENIX Security Symposium, p. 185. USENIX Association, Berkeley (2000)
Toth, T., Krügel, C.: Evaluating the impact of automated intrusion response mechanisms, pp. 301–310. IEEE Computer Society, Los Alamitos (2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kamra, A., Bertino, E. (2010). Privilege States Based Access Control for Fine-Grained Intrusion Response. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_21
Download citation
DOI: https://doi.org/10.1007/978-3-642-15512-3_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3
eBook Packages: Computer ScienceComputer Science (R0)