Authors: Lin Yusheng, Cao Lei, Zhang Yaoyun
1. Preface
With the rapid development of computer technology, databases have come into wide use in many fields, and with them data security problems have emerged. The security of the large volumes of data held in the databases of application systems, and the prevention of theft and tampering of sensitive data, are attracting more and more attention. As a collection of information, the database system is the core component of a computer information system, and its security bears on the survival of enterprises and on national security. How to protect database systems effectively and guarantee the confidentiality, integrity, and availability of data has therefore become one of the most important topics for researchers in the field. This article briefly discusses anti-intrusion technology for database systems.
In addition to its internal security mechanisms, the security of a database system is closely related to factors such as the external network environment, the application environment, and the competence of personnel. Therefore, in a broad sense, the security framework of the database system can be divided into three layers:
(1) network system level;
(2) host operating system level;
(3) database management system level.
These three layers together form the security system of the database system and are closely related to data security. The emphasis on prevention increases layer by layer, protecting data from the outside in, from the surface to the core. The following sections discuss the three layers of the security framework in turn.
2. Network System Level Security Technology
Broadly speaking, database security first depends on the network system. With the development and spread of the Internet, more and more companies move their core services onto the network, and network-based database application systems of all kinds have sprung up to provide information services to network users. The network system is the external environment and foundation of database applications: for a database application to play its role, the support of the network system is indispensable, and users of the database system (such as remote users and distributed users) must access the data through the network. Network system security is therefore the first barrier for database security, and an external intrusion begins with an intrusion of the network system. A network intrusion is an attempt to undermine the integrity, confidentiality, or availability of an information system, or the trustworthiness of a set of network activities. It has the following features:
A) it is not restricted by region or time: a cross-border attack is as convenient as an on-site one;
B) network-based attacks are often hidden in a large volume of normal network activity and are highly concealed;
C) intrusion techniques are increasingly covert and complex.
The open environment of a computer network system faces the following threats [2]: a) masquerade; b) replay; c) modification of messages; d) denial of service; e) trapdoor; f) Trojan horse; g) other attacks such as tunneling attacks and attacks on application software. These security threats are ever-present and ubiquitous, so effective measures must be taken to ensure system security.
From a technical point of view, there are many security technologies at the network system level; they can be divided into firewall, intrusion detection, and collaborative intrusion detection technologies.
(1) Firewall. The firewall is the most widely used defense technology. As the system's first line of defense, its main function is to monitor the access channels between a trusted network and an untrusted network; it forms a protective barrier between the internal and external networks, intercepts illegal access from outside and prevents internal information from leaking out, but it cannot block illegal operations originating inside the network. It decides whether to pass or block inbound and outbound traffic according to preset rules, and it cannot recognize new attacks or adapt its rules dynamically, so its intelligence is limited. There are three main firewall technologies: packet filtering, proxy, and stateful inspection. Modern firewall products generally combine all three.
(2) Intrusion detection. The intrusion detection system (IDS) is a protection technology developed in recent years. Using statistics, rule-based methods, network communication technology, artificial intelligence, cryptography, reasoning and other techniques, it monitors networks and computer systems for signs of intrusion or misuse. Dorothy Denning first proposed the idea of intrusion detection in 1987. After continuous development and improvement, IDS has become a standard means of monitoring and identifying attacks and an important part of the security defense system.
Intrusion detection uses three types of analysis technique: signature analysis, statistical analysis, and data integrity analysis.
① Signature analysis. It is mainly used to detect attacks on known vulnerabilities of the system. The signatures of known attack patterns are summarized and written into the IDS's signature base; signature analysis is essentially template matching.
② Statistical analysis. Based on statistics, the system determines whether an action has deviated from the normal pattern of behaviour observed during legitimate use.
③ Data integrity analysis. Based on cryptography, it verifies whether a file or object has been modified.
IDS can be classified as network-based or host-based, signature-based or anomaly-based, and real-time or non-real-time [1].
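As an added illustration of the three analysis techniques (this is not code from the article), the following Python script runs a signature matcher, a statistical deviation check and a file-integrity check over constructed input: a few made-up web-server log lines, a made-up baseline of requests per source, and two in-memory "files". The signature patterns, the three-sigma threshold, and all addresses and paths are assumptions chosen for the demonstration.

```python
import hashlib
import re
import statistics
from collections import Counter

# Constructed sample access log (simplified common log format), including one
# SQL-injection probe, one path-traversal probe and a burst from a single source.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:01] "GET /index.php?id=1 HTTP/1.1" 200',
    '10.0.0.5 - - [12/Mar/2024:10:00:02] "GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1" 200',
    '10.0.0.9 - - [12/Mar/2024:10:00:03] "GET /login HTTP/1.1" 200',
    '10.0.0.7 - - [12/Mar/2024:10:00:04] "GET /static/../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 - - [12/Mar/2024:10:00:05] "POST /login HTTP/1.1" 302',
] + [f'10.0.0.5 - - [12/Mar/2024:10:00:{6 + i:02d}] "GET /search?q={i} HTTP/1.1" 200'
     for i in range(12)]

# Constructed baseline: requests per source per minute seen during normal use.
BASELINE_REQUESTS_PER_SOURCE = [3, 4, 5, 4, 3, 5, 4, 6, 3, 4]

# Constructed protected objects: content at baseline time and content now.
BASELINE_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
                  "/var/lib/db/users.db": b"SQLite format 3\x00..."}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n",
                 "/var/lib/db/users.db": BASELINE_FILES["/var/lib/db/users.db"]}

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})$')

# 1) Signature analysis: templates summarised from known attack techniques (assumed).
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"(?i)(?:%27|')(?:%20|\s)*or(?:%20|\s)+\d+=\d+"),
    "path-traversal": re.compile(r"(?:\.\./|%2e%2e%2f)", re.I),
}


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Template matching of each request against the signature set."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["req"]):
                alerts.append((rec["src"], name))
    return alerts


def statistical_alerts(lines, baseline, sigmas=3.0):
    """2) Flag sources whose request count deviates from the normal profile."""
    threshold = statistics.mean(baseline) + sigmas * statistics.stdev(baseline)
    counts = Counter(rec["src"] for rec in map(parse, lines) if rec)
    return [(src, n) for src, n in counts.items() if n > threshold]


def fingerprint(files):
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def integrity_alerts(baseline_digests, current_files):
    """3) Report objects whose digest no longer matches the trusted baseline."""
    current = fingerprint(current_files)
    return sorted(path for path, digest in baseline_digests.items()
                  if current.get(path) != digest)


def run_ids():
    return {
        "signature": signature_alerts(SAMPLE_LOG),
        "statistical": statistical_alerts(SAMPLE_LOG, BASELINE_REQUESTS_PER_SOURCE),
        "integrity": integrity_alerts(fingerprint(BASELINE_FILES), CURRENT_FILES),
    }


if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        print(kind, alerts)
```

The three detectors are complementary in exactly the way the text describes: the signature matcher catches only the probes it has a template for, the statistical check catches the burst from 10.0.0.5 regardless of what the requests contain, and only the integrity check notices that a monitored file was altered, which neither of the traffic-based methods can see.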
(3) Collaborative intrusion detection technology
An intrusion detection system operating alone cannot effectively detect and respond to large-scale intrusion activities. To make up for this, the idea of a collaborative intrusion detection system was proposed: the IDS components exchange information automatically according to a unified specification, detect intrusions effectively through that exchange, and can be applied in different network environments [3].
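Added example (not from the article) of why the exchange matters: three hypothetical sensors each observe only two probes from the same source, below their local alarm threshold, so none raises an alert on its own; once they export their sightings in a common record format, a coordinator counts distinct targets per source across all sensors and recognizes the distributed scan. Sensor names, addresses, the record fields and the threshold are constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sightings: each sensor guards one segment and records
# (source, target, service) for connection attempts it considered suspicious.
# Source 192.0.2.10 probes two hosts behind every sensor, so each sensor sees
# only two events from it, which is below the local alarm threshold.
LOCAL_THRESHOLD = 5
SENSOR_EVENTS = {
    "ids-dmz": [("192.0.2.10", "10.1.0.5", "tcp/1433"), ("192.0.2.10", "10.1.0.6", "tcp/1433")],
    "ids-lan": [("192.0.2.10", "10.2.0.7", "tcp/1433"), ("192.0.2.10", "10.2.0.8", "tcp/1433"),
                ("198.51.100.3", "10.2.0.7", "tcp/22")],
    "ids-db": [("192.0.2.10", "10.3.0.2", "tcp/1433"), ("192.0.2.10", "10.3.0.3", "tcp/1433")],
}


def local_alerts(sensor, events, threshold=LOCAL_THRESHOLD):
    """What an independent sensor reports on its own: sources with >= threshold events."""
    per_source = Counter(src for src, _, _ in events)
    return [{"sensor": sensor, "source": src, "events": n}
            for src, n in per_source.items() if n >= threshold]


def export_events(sensor, events):
    """Unified exchange record: sensors share raw sightings, not only their alarms."""
    return [{"sensor": sensor, "source": src, "target": dst, "service": svc}
            for src, dst, svc in events]


def correlate(shared, threshold=LOCAL_THRESHOLD):
    """Coordinator view: distinct targets per source across every sensor."""
    targets, sensors = defaultdict(set), defaultdict(set)
    for ev in shared:
        targets[ev["source"]].add(ev["target"])
        sensors[ev["source"]].add(ev["sensor"])
    return [{"source": src, "targets": len(hosts), "sensors": sorted(sensors[src])}
            for src, hosts in targets.items() if len(hosts) >= threshold]


def run_collaborative():
    independent = [a for sensor, events in SENSOR_EVENTS.items()
                   for a in local_alerts(sensor, events)]
    shared = [ev for sensor, events in SENSOR_EVENTS.items()
              for ev in export_events(sensor, events)]
    return independent, correlate(shared)


if __name__ == "__main__":
    print(run_collaborative())
```

The design point is that the sensors exchange sightings below their own alarm threshold; if they only shared finished alarms, the coordinator would receive nothing here. In a real deployment the shared records also need authentication and a bound on volume, since a flood of bogus sightings from a compromised sensor is itself an attack on the coordinator.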
3. Host Operating System Level Security Technology
The operating system is the platform on which a large database system runs and provides a certain degree of security protection for it. Currently most operating system platforms are Windows NT and UNIX, whose security level is usually C1 or C2. The main security technologies at this level are the operating system security policy, the security management policy, and data security.
The operating system security policy is used to configure the security settings of the local computer, including the password policy, account lockout policy, audit policy, IP security policy, user rights assignment, encrypted data recovery agents, and other security options [7]. In concrete terms it covers user accounts, passwords, access permissions, and auditing.
User account: the "ID card" with which a user accesses the system; only legitimate users are given an account.
Password: the user's password verifies the user's identity when accessing the system.
Access permission: specifies what a user is allowed to do.
Audit: tracks and records user behaviour so that the system administrator can analyze how the system is being accessed and trace user actions afterwards.
Security management policies are the methods and policies that network administrators adopt to manage system security. They generally differ between operating systems and network environments; their core is to keep the servers secure and to assign appropriate permissions to the various users.
Data security mainly covers data encryption, data backup, storage security, and transmission security. Many technologies are available, including Kerberos authentication, IPSec, SSL, TLS, and VPNs (PPTP, L2TP).
4. Database Management System Level Security Technology
The security of the database system depends largely on the database management system: the stronger the DBMS's security mechanism, the better the security of the database system. Currently relational database management systems dominate the market, and their security functions are relatively weak, which exposes database systems to a number of threats.
Because database systems are stored as files managed by the operating system, an intruder can exploit operating system vulnerabilities to steal database files directly, or use operating system tools to forge or tamper with the contents of those files. Such attacks are hard for database users to detect. Analysis and blocking of this weakness is considered a B2-level security measure [4].
Security technology at the database management system layer is mainly intended to solve this problem: the database data must remain protected even after the two outer layers have been breached, which requires a strong security mechanism in the DBMS. One effective approach is for the DBMS to encrypt the database files, so that even if the data is leaked or lost it is hard to decrypt and read.
Database data can be encrypted at three different layers: the OS layer, the DBMS kernel layer, and the outer layer of the DBMS.
(1) Encryption at the OS layer. At the OS layer the data relationships inside database files cannot be recognized, so reasonable keys cannot be generated and it is difficult to manage and use keys sensibly. It is therefore hard to encrypt database files at the OS layer for large databases.
(2) Encryption at the DBMS kernel layer. Here data is encrypted and decrypted immediately before physical access. The advantages are powerful encryption functions that hardly affect the functions of the DBMS, giving seamless coupling between the encryption function and the database management system. The disadvantages are that encryption is performed on the server, which increases its load, and that the interface between the DBMS and the encryptor requires the support of the DBMS vendor. This method is shown in Figure 1:
Figure 1: Encryption at the DBMS kernel layer. Components: tool for defining encryption requirements; DBMS; database application system; encryptor (software or hardware).
(3) Encryption at the outer layer of the DBMS. In practice the database encryption system is built as an external tool of the DBMS that performs encryption and decryption of the database data automatically according to the defined encryption requirements, as shown in Figure 2:
Figure 2: Encryption at the outer layer of the DBMS. Components: tool for defining encryption requirements; encryptor (software or hardware); DBMS; database application system.
With this method the encryption and decryption operations can be performed on the client, so they add no load to the database server and can also protect data transmitted online. The disadvantages are that the encryption functions are limited and the coupling with the database management system is somewhat weaker.
The principle of implementing the encryption function at the outer layer of the DBMS is explained further below.
The database encryption system is divided into two functionally independent components: the encryption dictionary management program and the database encryption/decryption engine, as shown in Figure 3. The system stores the user's specific encryption requirements for the database information, together with the basic information, in the encryption dictionary, and calls the encryption/decryption engine to encrypt, decrypt and convert database tables. Encryption and decryption of database information is completed in the background and is transparent to the database server.
Figure 3: Architecture of the database encryption system. Components: applications; encryption system (encryption dictionary management program, database encryption/decryption engine); database server (encryption dictionary, user data).
A database encryption system implemented in this way has several advantages. First, it is completely transparent to the end users of the database, and the administrator can convert between plaintext and ciphertext as needed. Second, the encryption system is completely independent of the database application system, so data encryption can be introduced without modifying the application. Third, encryption and decryption are performed on the client and do not affect the efficiency of the database server.
The database encryption/decryption engine is the core component of the database encryption system. It sits between the applications and the database server and encrypts and decrypts database information in the background, transparently to application developers and operators. The engine has no user interface of its own: it is loaded into memory by the operating system when needed and communicates with the encryption dictionary management program and with user applications through internal interfaces. It consists of three modules: the encryption/decryption processing module, the user interface module, and the database interface module, as shown in Figure 4. The user interface module accepts operation requests and passes them to the encryption/decryption processing module; the database interface module accesses the database server on behalf of the processing module and converts between the external interface parameters and the engine's internal data structures. The encryption/decryption processing module initializes the engine, processes internal dedicated commands, retrieves encryption dictionary information, manages the encryption dictionary buffer, encrypts and transforms SQL commands, decrypts query results, implements the encryption and decryption algorithms, and provides some common auxiliary functions.
The main process of encryption/decryption is as follows:
1) Perform syntax analysis on the SQL command. If the syntax is correct, go to the next step; if not, go to 6) and submit the SQL command directly to the database server.
2) Is it an internal control command of the database encryption/decryption engine? If so, process the internal control command and go to 7); otherwise go to the next step.
3) Is the database encryption/decryption engine disabled, or does the SQL command only need to be compiled? If so, go to 6); otherwise go to the next step.
4) Look up the encryption dictionary and analyze the SQL command against the encryption definitions.
5) Does the SQL command require encryption? If so, encrypt the SQL command and replace the original command; then go to the next step.
6) Forward the SQL command to the database server for processing.
7) After the SQL command has been executed, clear the SQL command buffer.
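The following Python program is an added example, not the authors' system, of an engine that follows the steps above, with an in-memory sqlite3 database standing in for the database server. It assumes a constructed encryption dictionary mapping (table, column) to key labels, an assumed control-command syntax (ENGINE ON / ENGINE OFF), and handles only parameterised INSERT ... VALUES and simple SELECT ... [WHERE column = ?] statements; anything else is forwarded unchanged, as step 1) prescribes. Because the Python standard library has no block cipher, a small HMAC-SHA256 Feistel network stands in for the cipher; a real deployment would use a vetted library. The encryption is deterministic on purpose so that equality lookups on encrypted columns still work, which means equal plaintexts produce equal ciphertexts. Decryption of query results, which the module description above assigns to the processing module, is performed after step 6.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed encryption dictionary: (table, column) -> key label. In the article's
# architecture the dictionary management program maintains this; here it is static.
ENCRYPTION_DICTIONARY = {("employees", "salary"): "salary-key-v1",
                         ("employees", "ssn"): "ssn-key-v1"}
KEYS = {"salary-key-v1": b"\x11" * 32, "ssn-key-v1": b"\x22" * 32}  # assumed; use a key store

def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # HMAC-SHA256 in counter mode so the round output covers a half of any length.
    out, ctr = b"", 0
    while len(out) < len(half):
        out += hmac.new(key, bytes([rnd, ctr]) + half, hashlib.sha256).digest()
        ctr += 1
    return out[: len(half)]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Balanced Feistel network standing in for a real block cipher (stdlib has none).
    # Deterministic on purpose so equality predicates on ciphertext columns still work.
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in rounds:
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_function(key, rnd, right)))
    return right + left  # final swap: the same walk with the rounds reversed decrypts

def encrypt_value(key: bytes, plaintext: str) -> str:
    data = plaintext.encode("utf-8") + b"\x80"  # 0x80 marker, then zero pad to even length
    if len(data) % 2:
        data += b"\x00"
    return _feistel(key, data, (1, 2, 3, 4)).hex()

def decrypt_value(key: bytes, ciphertext_hex: str) -> str:
    data = _feistel(key, bytes.fromhex(ciphertext_hex), (4, 3, 2, 1))
    return data[: data.rindex(b"\x80")].decode("utf-8")

INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*;?\s*$", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(\w+)\s*=\s*\?)?\s*;?\s*$", re.I)

class EncryptionEngine:
    """Outer-layer engine between the application and the server (sqlite3 stands in)."""

    def __init__(self, conn, dictionary=ENCRYPTION_DICTIONARY, keys=KEYS):
        self.conn, self.dictionary, self.keys, self.enabled = conn, dictionary, keys, True

    def _key_for(self, table, column):
        label = self.dictionary.get((table.lower(), column.lower()))
        return self.keys[label] if label else None

    def _convert(self, table, columns, values, encrypt):
        # Encrypt or decrypt only the values whose column appears in the dictionary.
        out = []
        for column, value in zip(columns, values):
            key = self._key_for(table, column)
            if key is None or value is None:
                out.append(value)
            else:
                out.append(encrypt_value(key, str(value)) if encrypt else decrypt_value(key, value))
        return tuple(out)

    def _forward(self, sql, params):
        # Step 6: hand the (possibly rewritten) command to the database server.
        rows = self.conn.execute(sql, params).fetchall()
        self.conn.commit()
        return rows

    def execute(self, sql, params=()):
        command = sql.strip().upper()
        if command in ("ENGINE ON", "ENGINE OFF"):      # step 2: internal control command
            self.enabled = command == "ENGINE ON"
            return []
        if not self.enabled:                             # step 3: engine disabled
            return self._forward(sql, params)
        insert, select = INSERT_RE.match(sql), SELECT_RE.match(sql)  # step 1: syntax analysis
        if insert:                                       # steps 4-5: rewrite per dictionary
            columns = [c.strip() for c in insert.group(2).split(",")]
            return self._forward(sql, self._convert(insert.group(1), columns, params, True))
        if select:
            columns = [c.strip() for c in select.group(1).split(",")]
            table, where_col = select.group(2), select.group(3)
            if where_col:  # equality predicate: the search value must be encrypted the same way
                params = self._convert(table, [where_col], params[:1], True) + tuple(params[1:])
            rows = self._forward(sql, params)
            return [self._convert(table, columns, row, False) for row in rows]  # decrypt results
        return self._forward(sql, params)                # unrecognised statement: pass through

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary TEXT, ssn TEXT)")
    engine = EncryptionEngine(conn)
    engine.execute("INSERT INTO employees (name, salary, ssn) VALUES (?, ?, ?)", ("alice", 5200, "123-45-6789"))
    engine.execute("INSERT INTO employees (name, salary, ssn) VALUES (?, ?, ?)", ("bob", 4100, "987-65-4321"))
    via_engine = engine.execute("SELECT name, salary FROM employees WHERE ssn = ?", ("123-45-6789",))
    on_server = conn.execute("SELECT name, salary, ssn FROM employees WHERE name = 'alice'").fetchall()
    engine.execute("ENGINE OFF")
    engine_off = engine.execute("SELECT salary FROM employees WHERE name = ?", ("bob",))
    return {"via_engine": via_engine, "on_server": on_server, "engine_off": engine_off}
```

Running demo() shows the application receiving plaintext while the server only ever stores and compares ciphertext for salary and ssn, and shows that with the engine switched off the same query returns the stored ciphertext. Two limitations match the article's remark that outer-layer encryption is functionally limited: range predicates, ORDER BY and aggregates over encrypted columns no longer work, because the server sees only ciphertext; and a statement the engine cannot parse is forwarded as-is, so an unrecognised INSERT into an encrypted table would store plaintext. A production engine should refuse, rather than forward, statements it cannot analyse that touch tables listed in the dictionary.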
The preceding description illustrates how the encryption function can be implemented at the outer layer of the DBMS.
5. Conclusion
This article has reviewed anti-intrusion technology for database systems, proposed a three-layer security framework for the database system, and described the technical means at each layer. Taking the implementation of encryption at the outer layer of the DBMS as an example, it has shown in detail how security technology at the database management system level can be applied.
The three layers of the database system security framework complement one another, each with its own defensive focus and technical means. A good security system must consider all of these technologies together to ensure data security.
References:
[1] Huang Jin. Research and implementation of an intrusion detection system based on firewall log information. Master's thesis, Shanghai Jiao Tong University, Shanghai, 2001.
[2] Cao Wei. CDIF: a collaborative intrusion detection framework. Master's thesis, Shanghai Jiao Tong University, Shanghai, 1999.
[3] Liu Chun. A collaborative intrusion detection and response framework. Master's thesis, Shanghai Jiao Tong University, Shanghai, 1999.
[4] Gu Hengjun, Liu Mengren. Research on computer encryption technology and its application. Master's thesis, Naval Engineering University, Wuhan, 2001.