Kun Bai
College of Information Science and Technology, Pennsylvania State University, University Park PA 16803
USA

Peng Liu
College of Information Science and Technology, Pennsylvania State University, University Park PA 16803
USA

Access control and integrity constraints are well
known approaches to ensure data integrity in commercial database
systems. However, due to operational mistakes, malicious
intent of insiders or vulnerabilities exploited by outsiders, data
stored in a database can still be compromised. When the
database is under an attack, rolling back and re-executing the
damaged transactions are the most used mechanisms during
system recovery. However, this kind of mechanism either stops (or
greatly restricts) the database service during repair, which causes
unacceptable availability loss or denial-of-service for mission
critical applications, or may cause serious damage spreading
during on-the-fly recovery where many clean data items are
accidentally corrupted by legitimate new transactions. To resolve
this dilemma, we devise a novel mechanism, called database
firewall in this paper. This firewall is designed to protect good data
from being corrupted due to damage spreading. Pattern mining
and Bayesian network techniques are adopted in the framework
to mine frequent damage spreading patterns and to predict the
data integrity in the face of attack. Our approach provides a
probability based strategy to estimate the data integrity on the
fly. With this feature, the database firewall is able to enforce
a policy of transaction filtering dynamically to filter out the
potential spreading transactions. Synthetic data and a real dataset
which contains transaction logs from a clinic OLTP application
are utilized to verify the feasibility of the database firewall.

Keywords: Database Firewall

Read Paper (in PDF)