Data-intensive applications exhibit increasing reliance on efficient and scalable Database Management Systems (DBMSs). Examples of these applications are abound in the domain of banking, manufacturing, health care, and enterprise applications . Since data is the most valuable asset in organizations, it is crucial to design attack-resilient DBMSs to protect the confidentiality, integrity, and availability of the data in the presence of Cyber attacks [2, 3]. Although research in database security has made significant progress in protecting from Cyber attacks, applications and infrastructures are still exposed to a large number of vulnerabilities. Even a single intrusion can cause catastrophic cascading effects due to data dependency and application interoperability. Therefore, a holistic approach for designing an intrusion management mechanism that includes intrusion detection, response, and recovery is needed [4, 5].
An Intrusion Detection System (IDS) is integrated with the DBMS to prevent Cyber attacks. The objective of an IDS is to monitor and detect illegal access and malicious actions that take place in the database. However, an IDS is not designed to repair the damages caused by successful attacks. IDS is often integrated with intrusion response and recovery mechanisms to alleviate the damage caused by the malicious attacks . Several efforts have been directed towards developing dynamic damage tracking approach to perform on-the-fly damage repair, for example intrusion-tolerant database systems [6, 5]. However, such systems have limitations in the ability to maintain high availability under severe intrusion attacks. One of the limitations for these systems is the prolonged recovery time due inter-transaction dependency.
Motivating Example: Fig. 1 gives an example scenario for a Banking system with three benign users (B,C, and D), and a malevolent user (A). User A executes a malicious transaction that updates accounts and with incorrect amounts of money as illustrated in Fig. 1. Then, Users B and C withdraw from accounts and , respectively. IDS detects the malicious transaction executed by User A and triggers an alert to the database security administrator that temporarily blocks the incoming transactions and starts the recovery procedure. Meanwhile, User D attempts to access account . However, this request is denied until the damage is recovered. When the recovery transaction is finished, the accounts of Users A and B are compensated, i.e., withdraws money from account and credits account .
In the above example, the recovery time depends on the number of dependent transactions that are executed before the IDS detects the malicious transaction. Consequently, the availability of the DBMS is impaired when the recovery procedure takes a long duration. Therefore, it is important to contain the damage once malicious transactions are detected. Containment of the damage can be achieved by tracking the inter-transaction dependencies and devising a fast confinement strategy to contain the damage.
In this paper, we propose a new real-time response and recovery architecture, termed Partition-based Intrusion Management System (PIMS), for DBMSs. We assume that existing IDS, e.g., [4, 7], can be integrated with PIMS. PIMS is based on an adaptive access and admission control mechanism that responds to intrusions by selectively blocking segments of data that have been affected by the intrusion. The access control mechanism provides a fine-grained control policy to allow graceful degradation of database services in order to maintain a desired level of availability while the system is undergoing through impending attacks. The unique feature of PIMS is the deployment of a data partitioning technique to confine the damage and improve the availability of the system.
The contribution of this paper is summarized as follows. First, we propose the concept of Intrusion Boundary (IB) that defines the extent of the damage over the set of transactional workload. We formulate the IB demarcation as an optimization problem as a Mixed Integer Non-Linear Programming model (MINLP). The output of the optimization problem is a balanced IB assignment of transactions to partitions with minimum overlapping. We prove that the IB demarcation problem is NP-hard. Accordingly, we introduce two heuristics to provide a polynomial time solution. Finally, we introduce response and recovery mechanisms that use the proposed IB assignment to improve the intrusion response and recovery in terms of availability and response time.
The rest of the paper is organized as follows. Section 2 presents relevant background. Section 3 presents the definition and formulation of the IB demarcation problem, its hardness proof, and present two new heuristics. Section 4 describes the design and implementation of PIMS. The performance evaluation and the experimental results of PIMS are presented in Section 5. The related work is presented in Section 6. Finally, Section 7 concludes the paper.
In this section, we present the database and transaction model and explain the threat model. In addition, we present an overview of the state-of-the-art malicious transaction recovery mechanisms in DBMSs.
2.1 Database and Transaction Model
A database is a set of tuples denoted by , where refers to a tuple. A transaction is a partially ordered set of operations, with a partial ordering relation . The read and write (update) operations on a tuple, say , of are denoted by and , respectively. The set of tuples that are read and updated by a transaction are denoted by and , respectively. Formally, is defined as follows :
if then either or
if and only if , and
for any operation , where is either or (whichever in )
where and denote the abort and commit operations of , respectively. In essence, Condition (1) defines the types of operations in . Condition (2) requires that the order of execution of Read and Write operations on a data item is specified by . Condition (3) says that either commits or aborts, while Condition (4) specifies that commit (or abort) must follow all other operations.
For a set of transactions , a complete history over is a partial order with the ordering relation , where and . In other words, the execution history represented by involves all transactions in and matches all operation orderings that are specified within each transaction. Two transactions and in are dependent if (i) is directly followed by , i.e., , and (ii) . The dependency between and is read ” depends on ”. In general, depends on if (i) , and (ii) .
The dependencies among in the history is modeled using the transaction Precedence Graph (PG) . PG is a directed graph , where is a set of nodes; each node representing a committed transaction in , and is a set of edges; each edge representing a dependency between two transactions. In other words, an edge between two transactions and exists if depends on . Fig. 2(a) illustrates a History over . ’s corresponding PG is in Fig. 2(b). depends on because updates that is later read by . Similarly, depends on and depends on .
2.2 Threat Model
In this paper, our focus is on the data corruption caused by transaction-level attacks in the DBMS. These attacks can be manifested either through masquerade access or by exploiting application vulnerabilities, e.g., SQL injection, Cross Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) . A transaction, say , is malicious if it tampers the database by updating one or more tuples with incorrect data. In this context, a malicious transaction corrupts the data due to either an attack or through a user fault. A transaction, say , is affected if directly (or indirectly) depends on a malicious or an affected transaction, i.e., (or such that ). All malicious and affected transactions are invalid transactions. The execution of an invalid transaction takes the DBMS into an invalid state. For example, assume that Transaction in Fig. 2(b) is malicious. Then, both and are affected transactions. We assume that a malicious transaction does not depend on other transactions, i.e., a malicious transaction cannot be an affected transaction. Furthermore, we assume that we can undo the effects of committed transactions.
Throughout the rest of the paper, we deal with integrity attacks in which either an authorized or non-authorized user intentionally tampers with the data by injecting wrong values into some tuples. This attack can temporarily impair the availability of the DBMS during the recovery period. We rely on the existence of an IDS to detect the malicious transactions . Note that the IDS alarm is received after the malicious transactions commit. We assume that the presence of an access control policy is sufficient to prevent any confidentiality attacks. Moreover, we assume that there are security countermeasures to prevent other availability attacks, e.g., Denial-of-Service (DoS) .
2.3 Recovery from Malicious Transactions
Handling the recovery of malicious transactions requires undoing the committed malicious and affected transactions. There are two common approaches to undo committed transactions: rollback and compensation. The rollback approach is to roll back all the operations performed by the committed transaction to a point that is free of damage . On the other hand, the compensation approach seeks to selectively undo committed transactions without rolling back the state of the DBMS into a previous state .
PIMS is relevant to the work in [6, 5], in which a real-time approach tracks the inter-transaction dependency, marks the affected transactions, and repairs the damage. The recovery is perfromed in two stages: damage assessment and damage repair. In the damage assessment stage, the complete and correct set of affected transactions is identified. This stage is challenging because the assessment is conducted on-the-fly while the system is processed other concurrent transactions. Due to transaction dependency, the damage might spread. Therefore, the damage assessment is terminated whenever there are no more transactions that cause spread of the damage. Once the damage assessment stage is completed, all the identified affected transaction are repaired by rolling them back without affecting the other transactions in the system. PIMS’s recovery approach is different than [6, 5] in a sense that PIMS aggressively terminates the damage spread by stopping the execution of the concurrent transactions momentarily during the damage assessment process. Moreover, PIMS adopts data partitioning scheme that provides a proactive damage confinement mechanism by designating a group of tuples to prevent the spread of the damage into the entire database.
3 Intrusion Boundary Demarcation using Data Partitioning
In this section, we present a data-level model to represent intra-transaction and inter-transaction dependencies. Accordingly, we define the IB demarcation problem, and formulate it as MINLP optimization problem. Finally, we prove the problem’s hardness and present two efficient heuristics to solve the IB demarcation problem.
3.1 The IB Demarcation Problem
The objective of the IB demarcation problem is to partition the tuples into partitions, i.e., IBs, with minimum overlap. The advantage of the IB demarcation is to confine the damage into a single IB, and thus increases the data availability in the presence of attacks. Notice that, the overlap among partitions depends on the inter-transaction dependency. For workloads with independent transactions, the demarcation results in non-overlapping IBs. On the other hand, for workloads with high inter-transaction dependencies the IB demarcation results in overlapping IBs. The IB demarcation is defined as follows.
(Intrusion Boundary Demarcation Problem (IBDP)) Given the set of transactions over a set of tuples, IBDP is to assign the transactions into IBs such that the overlap among the IBs is minimized and the sizes of the IBs are almost equal.
3.1.1 Problem Formulation
The demarcation of IBs is controlled by the dependencies among the tuples that are accessed by multiple transactions. We formulate IBDP as a dual-objective MINLP. The first objective function focuses on damage containment that minimizes the overlap among IBs. In order to define this objective function, we define the set of Boundary Tuples (BT) as follows.
(Boundary tuple) A tuple, say , termed a boundary tuples if is assigned to two or more IBs. The set of boundary tuples in the IB assignment is denoted by . Observe that BT .
It is sufficient to minimize the number of boundary tuples in order to minimize the overlap among IBs. Thus, the objective function can be defined as follows.
where B is the boundary tuples vector that indicates if a tuple is boundary, i.e.,=1 if the tuple is a boundary tuple, and 0, otherwise (notice that = n). The intuition behind minimizing the number of boundary tuples is to limit the damage propagation across IBs. However, Equation 1 is oblivious to the number of IBs that share a boundary tuple. This number is termed the degree of sharing. A boundary tuple that is shared between 2 IBs has less risk of damage propagation as compared to a boundary tuple that is shared among multiple IBs. The degree of sharing is incorporated in Equation 1 in the following way.
where is the IB assignment matrix for the tuples, i.e., = 1 if the tuple is assigned to the IB, and 0, otherwise. The sum is the number of IBs to which the tuple is assigned, whereas the sum is the size of the IB.
The second objective function focuses on the overall availability. The goal of this objective function is to prevent skewed IB assignment by balancing the sizes of the IBs. Formally, the objective of balancing the sizes of IBs is defined as follows.
Let be the IB assignment matrix for the transactions, i.e., if the transaction is assigned to the IB, and 0, otherwise. Similarly, Let be a binary matrix representing the association of tuples to the transactions, i.e., if the tuples is accessed by the transaction, and 0, otherwise. Although a transaction might span multiple IBs, each transaction must be fully contained within a single IB. The intuition is that by containing a transaction within an IB, the damage is confined in that IB if the transaction is detected as malicious. Accordingly, IBDP is formulated as MINLP using objective functions and as follows.
The outputs of the optimization problem are the IB assignment matrix of the tuples , the IBs assignment matrix of the transactions , and the set of boundary tuples . Constraints (4) and (5) collectively check if a tuple is assigned to multiple IBs. Accordingly, the constraints set if the tuple is boundary, and 0, otherwise. Full containment of a transaction within a single IB is checked by constraints (6) and (7). In particular, a transaction is assigned to the IB only if all the tuples access by are assigned to the IB. Constraint (8) forces the size of each IB to be at least one tuples, while constraint (9) forces , , and to be binary matrices.
IBDP is NP-hard.
3.2 Heuristics for IB Demarcation
We introduce two efficient greedy-based heuristics to solve IBDP. All algorithms take the set of transaction and the number of IBs as input. The output is a transaction-to-IB assignment. The algorithms start with an empty IB assignment and iteratively assign transactions to IBs based on greedy decisions that optimize the objective functions. The first heuristic is Best-Fit Assignment (BFA) that reduces the number of boundary tuples produced by the IB assignment. The intuition of the assignment is that BFA assigns the transaction to the IB that shares the largest number of shared tuples. The second heuristic is Balanced Assignment (BA) that assigns transactions such that the sizes of all IBs are almost equal. This is achieved by assigning, at each iteration, the transaction to the IB that is the smallest in size. Detailed discussion about each algorithm is presented in the following sections.
3.3 Best-Fit Assignment (BFA)
BFA is listed in Algorithm 1. The algorithm starts with the empty IB assignment set and empty assigned transactions set (Line 1). Then, the transactions are sorted based on the number of internal tuples in descending order (Line 2). The sorted transaction set is stored in Set . Then, the algorithm initially assigns the first transactions to the empty IBs (Lines 3-9). As a result, the overlap among the IBs is minimized. This is correct because the first transactions in have the least number of shared tuples. For the remaining transactions in , each transaction is assigned to the IB that shares the largest number of shared tuples with (Lines 10-19). In particular, the set of assigned transactions that overlap with is stored in (Line 11). Then, the IBs of each transaction in is stored in (Line 12). contains the set of all IBs that share tuples with . If the set is not empty, is assigned to the IB that has the largest number of shared tuples with (Line 14-16). Otherwise, is assigned to the smallest IB in .
The complexity of BFA is .
BFA sorts the set of transactions based on the number of internal tuples in each transaction (Line 3). Sorting Set has a runtime complexity of . The loop in Lines 3-9 assigns a single transaction to each empty IB. Thus, the loop has a runtime complexity of . Then, BFA assigns transactions to the best-fit IB (Lines 10-19). The runtime complexity of finding the set and is (Lines 11 and 12). Finding , the IB that has the largest number of tuples shared with , and assigning in Lines 13-18 has a runtime complexity of . The runtime complexity for assigning all the transactions is . The overall complexity of BFA is , i.e., approximately . ∎
4 The Architecture of PIMS
In this section, we introduce the architecture of PIMS. The proposed architecture for PIMS is given in Fig. 3. PIMS is composed of five components: the IBDP solver, the transactions log, the Admission Controller (AC), the Response Subsystem (RES), and the Recovery Subsystem (REC). In addition, PIMS maintains a Corrupted Tuples Table (CTT) to track the status of the damage caused by the malicious transactions. The IBDP solver generates the IB assignment as discussed in the previous section. The transactions log stores information about the read/write operations of transactions. The log is essential for the recovery procedure to construct compensating transactions. The functionality of AC includes parsing the transactions, regulating the admission of transactions to DBMS, and maintaining the IB assignment table. AC determines whether to block or allow incoming transactions depending on the status of the damage and the assigned IB. When a committed transaction is identified as malicious, RES extracts the commit and detection times of the malicious transaction, approximates the set of corrupted tuples immediately, and stores it in CTT. Although the approximated set can include uncorrupted tuples, the objective is to reduce the risk of executing benign transactions that might propagate the damage unwillingly. Then, REC analyzes the inter-transaction dependency in transactions log and identifies the correct and complete set of affected transactions. The correct set of affected transactions means that no transactions are falsely identified as affected, while the complete set means that the set contains every affected transactions caused by the attack. We refer to this set as the set of Affected Transactions (AT). When AT is identified, the benign tuples are removed from CTT, and consequently can be accessed by the requesting transactions immediately. On the other hand, the corrupted tuples are blocked and will be recovered by the compensating transactions. The recovered tuples are removed from CTT gradually in order to increase the system availability. In the following sections, we present detailed information about the functionality of each component.
4.1 Transactions Log
In order to obtain accurate information about the extent of the damage caused by the malicious transaction, the read/write operations of all transactions need to be logged. However, conventional undo/redo logs and DBMS triggers only record write operations. To address this issue, we have implemented a read/write log that records the transaction ID, the tuple ID, the before-image (the previous value), the after-image (the current value), and the time-stamp for each read and update operation. The transactions log is implemented in the DBMS kernel to reduce the overhead of logging. The transactions log is maintained as a table in the DBMS for efficient retrieval by PIMS. The transactions log is used by AC to check if a transaction reads from corrupted tuples, and by RES to identify AT.
4.2 The Admission Controller (AC)
AC has three subcomponents: the Parser, the IB Manager (IBM), and the Transaction Mediator (TM). The parser extracts the read/write set from transactions. IBM maintains in the IB table information about the IBs including the set of boundary tuples and the transaction-to-IB assignment. The functionality of IBM is to manage the access to the boundary tuples. In essence, the updated boundary tuples are locked by IBM until IDS reports the status of the updating transaction. If the transaction is identified as malicious, then the locked boundary tuples are added to CTT. Otherwise, the locked boundary tuples are released. One problem is that IDS only triggers an alarm when a malicious transaction is detected. We assume that IDS has a detection delay of . The boundary tuples are locked for a sufficient time after which the updating transaction can never be detected as malicious. We set PIMS to wait for 1.5 ms before releasing the boundary tuples. The objective of locking the boundary tuples after update is to assure that the damage does not propagate to other IBs. We refer to the process of locking the boundary tuples as delayed access mechanism.
TM checks if the transaction’s read/write set contains any tuple that exists in CTT or BT. If a tuple in the read set exists in CTT, the transaction is suspended. On the other hand, if a tuple in the write set exists in CTT, then the transaction is executed, and the tuples are removed from CTT and are excluded from subsequent undo and redo operations. AC is signaled on two events: 1) the corrupted tuples are recovered, or 2) the recovery procedure is completed. When signaled, TM executes the suspended transaction if its read tuples are all recovered. Otherwise, the transaction remains suspended until a new signal is received from RES or REC. If the transaction’s read/write set contains a tuple that exists in BT, then the transaction is suspended until the tuples are released by IBM.
Before executing the transaction, AC acquires the locks associated with the assigned IB(s). The lock is to ensure that no concurrent recovery procedure is running on the IB(s). The lock is released by AC when the transaction is executed successfully. The overall procedure for admission control is listed in Algorithm 2. Notice that multiple instances of the admission controller can be executed using multiple threads to increase transaction concurrency. We rely on the available Concurrency APIs to queue the incoming transactions when TM threads are busy waiting for signals.
4.3 The Response Subsystem (RES)
RES is activated when a transaction is detected as malicious by IDS. The objective of RES is to prevent subsequent benign transactions from reading corrupted tuples that are updated by , and thus control the spread of the damage. RES collects the time information about from IDS and the transactions log, i.e., the commit timestamp and the detection timestamp . Moreover, RES extracts , the set of IBs that are spanned by , from the IB table. Consequently, RES adds all tuples in that have been updated between and to CTT. Notice that the tuples that are updated between and but not assigned to are not added to CTT. Thus, PIMS provides more accurate damage confinement as compared to ITDB, which blocks all tuples on temporal basis only. Nevertheless, CTT might contain uncorrupted tuples updated by benign transactions that are independent from . Once enough information about the inter-transaction dependencies between and subsequent transactions is gathered, PIMS removes the uncorrupted tuples from CTT as explained in the next section. The procedure of RES is summarized in Algorithm 3.
4.4 The Recovery Subsystem (REC)
REC is the core component of PIMS that identifies AT and executes compensating transactions for the corrupted tuples. The compensating transactions perform two operations: undo and redo. The undo operation unwinds the effect of the malicious transaction and each transaction in AT. By performing the undo operation, the state of the DBMS returns to the state just before the malicious transaction is executed. However, the update operations performed by the subsequent benign transactions are lost. The redo operation preserves the lost updates by re-executing each transaction in AT. Notice that the malicious transaction is not re-executed because its updates are undesirable.
The overall algorithm for REC is listed in Algorithm 4. REC is activated once the response procedure is finished. Thus, the response and recovery transactions are executed serially. Serializing the response and recovery procedures is essential since the recovery mechanism uses CTT that is updated by the response subsystem. REC temporarily blocks new transactions to prevent new transactions from reading the corrupted tuples while REC identifies AT. This is achieved by acquiring locks on . Incoming transactions are blocked by AC. Notice that the active transactions are not preempted. When all active transactions are committed, the Dependency Analyzer scans the transactions log starting from through the current timestamp in order to find AT. The write set of each transaction in AT is extracted and is added to CTT. The Damage Assessment subsystem removes the uncorrupted tuples that have been initially added by RES from CTT.
At this point, CTT contains the correct and complete set of the corrupted tuples caused by . The Compensation Manager (CM) executes a sequence of compensating transactions that gradually repair the damage. Damage repair is performed in two phases. In Phase 1, CM executes compensating transactions that unwind the effect of the malicious and affected transactions. CM uses the transactions log table to find the correct version of the corrupted tuples. In particular, CM updates the corrupted tuples with the values of the most recent versions before the execution of the malicious transaction. The compensating transactions are executed in the order at which the malicious and affected transactions are committed. At the end of this phase, Damage Cleansing (DC) removes the recovered tuples from CTT and signals AC to resume any blocked transactions.
In the second phase, CM executes compensating transactions that re-execute each transaction in AT in the same order at which they are committed. The information required to re-execute the transactions, e.g., old balance, is maintained in the transactions log. Once an affected transaction is re-executed successfully, DC removes the set of recovered tuples from CTT and signals AC.
4.5 Managing Multiple Malicious Transactions
The advantage of partitioning the tuples into IBs is to execute concurrent response and recovery procedures on different IBs. The reason is that all transactions in AT are guaranteed to be contained in . As a result, concurrent recovery procedures do not perform conflicting operations while recovering the corrupted tuples. Multiple instances of response and recovery procedures are executed using multiple threads. In the case when multiple malicious transactions are detected within the same IB, the recovery procedures need to be coordinated to avoid out-of-order execution of the recovery operations. The strategy is to execute the recovery procedures for the malicious transactions in the same order in which they are detected.
5 Performance Evaluation
In this section, performance evaluation of the proposed PIMS framework is presented. First, we discuss the synthetic workload used for the performance evaluation. Then, we evaluate the performance of the proposed IB demarcation heuristics. Finally, we conduct extensive system evaluation of PIMS using synthesized workloads, and present the performance results.
5.1 Synthetic Transactional Workload
Several benchmarks have been developed to evaluate the performance of OLTP systems, e.g., TPC-C , SmallBank , and YCSB . However, no benchmark has been developed to evaluate the performance of intrusion management systems in OLTP. In order to evaluate the performance of PIMS, we have developed a malicious transaction workload benchmark that generates long chains of dependent transactions. These long chains of dependent transactions amplify the potential damage that can be caused by the malicious transactions. In essence, executing dependent transactions shortly after malicious transactions induce the spread of damage. Thus, the proposed benchmark allows the assessment of the capability of the intrusion management systems to confine and recover the damage without degrading the performance of the DBMS.
The proposed benchmark simulates a banking money-transfer application. In essence, the benchmark consists of a single data table, Checking, that has two attributes: id and balance. The benchmark has three types of money transfer transactions: distribute, collect, and many-to-many transfer. A distribute transaction transfers money from a single account to other accounts; A collect transaction transfers money from accounts to a single account; A many-to-many transactions transfers money from accounts to another accounts. The benchmark is implemented on an OLTP-benchmark testbed for relational databases .
We now explain the process of generating a workload of
transactions. We use four parameters to characterize the workload: 1) the inter-transaction dependency probability threshold, 2) the maximum number of dependent transactions , 3) the amount of transferred money , and 4) the maximum transaction size . First, the inter-transaction dependency is modeled using PG. PG is constructed using the Erdös-Renyi model , in which an edge has probability of existence. The degree of inter-transaction dependency is controlled by grouping transactions into small groups. Within each group, a pair of transactions are dependent if is greater than . Semantically, each group models money transfer transactions within a city, state, or country. In order to avoid fully connected graphs within the group of transactions, the number of allowed dependent transactions is limited to . In other words, a transaction can be dependent to no more than
transactions. Once a PG is created, tuples are assigned to the transactions as follows. The size of each transactions is determined using a uniform distribution with a range of [2,]. The transaction type is randomly selected from distribute, collect, or many-to-many. Each transaction shares a single tuple with the set of its dependent transactions. The value of is chosen from a uniform distribution with range of [0.01,0.1]. Accordingly, the query is generated. Each transaction contains a single query. We generate 4 workloads with different sizes, mainly, 5000, 10000, 15000, and 20000 transactions. For each workload, we vary the value of to be 0.25, 0.5, and 0.75.
5.2 Evaluation of the IB Demarcation Heuristics
In this section, we evaluate the performance of the proposed heuristics using a synthetic transactional workload. We compare the performance of the proposed heuristics with two assignment techniques: Random Assignment (RA) and Skewed Assignment (SA). In RA, transactions are assigned to the IBs randomly. In SA, transaction are randomly assigned to the IBs following an 80-20 rule, i.e., 80% of the transactions are assigned to 20% of the IBs. SA is used to emphasize the importance of the size balancing objective (Equation 3). We use two metrics to evaluate the performance of the heuristics: the total number of boundary tuples (Equation 2), and the assignment fairness index. The fairness index is used to assess the performance in terms of size balancing among IBs. The fairness index is an adaptation of the Jain’s fairness index  in the following way.
where is the number of transactions assigned to the i IB.
In the first experiment, we vary the number of IBs, k, using a workload of 5000 transactions, and . The number of boundary tuples increases as increases (refer to Fig. 4(a)). The reason is that as increases, the number of contained transactions in each IB is reduced. As a result, the overlap among IBs increases and thus increases the total number of boundary tuples. We observe that BFA produces a less number of boundary tuples compared to BA and RA. The reason is that BFA performs a greedy decision to reduce the number of boundary tuples when assigning a transaction to IBs. Moreover, BA performs better than RA because BA attempts to balance the sizes of the IBs. Notice that SA produces less boundary tuples than BFA for 10, but more boundary tuples when k10. The reason is that, when the number of IBs is small, e.g., for k=5 and k=10, 80% of the transactions are assigned only to 1 IB and 2 IBs, respectively. Thus, most of the inter-transaction dependencies are contained in at most 2 IBs. BFA and BA produce fair assignment as in Fig. 4(b). SA performs the worst by design, while RA performs better when the number of transactions is large and the number of IBs is small because the random assignment tends to be fair.
In the next experiment, we vary the number of transactions and the value of while generating the IB assignment with . We observe that increasing the number of transactions increases the number of boundary tuples as in Fig. 5(a). The reason is that increasing the number of transactions increases the number of shared tuples among transactions. Notice that the set of boundary tuples is a subset of the shared tuples. Similarly, increasing the value of increases the number of boundary tuples as in Fig. 5(b). The reason is that as the value of increases, the number of dependent transactions increases. As a result, the number of shared tuples increases.
5.3 PIMS Performance Evaluation
The experiments are conducted on a Dell Power Edge R420 server with 6-core Intel E5-2620v3 CPU, 120 GB of RAM, and Ubuntu Server 16.0 LTS OS. We use PostgreSQL 9.5. PIMS is implemented using Java and is connected to PostgreSQL using JDBC. We use 8 workers (threads) for the admission controller and an unlimited pool of threads for the response and recovery procedures. Before each experiment, the Checking table is populated with 100,000 tuples of unique IDs and initial balance of $10,000. We use a B-tree index on the Checking table to improve the query execution time. We assume that the transactions are submitted according to a Poisson distribution with an arrival rate of. Furthermore, malicious transactions are injected into the workload using a uniform distribution over time. The number of malicious transactions is based on the attack intensity that is a percentage of the total number of transactions.
We evaluate the performance of PIMS using four metrics: 1) the number of affected transactions, 2) the number of blocked transactions, 3) the average recovery time, and 4) the average response time. The number of blocked transactions indicates the performance of PIMS in terms of availability, while the number of affected transactions indicates the cost of damage. The average response time is computed based on the response times of all committed transactions. We compare the performance of PIMS using the proposed heuristics, i.e., BFA and BA, with RA and SA. We refer to PIMS with k1 as ”PIMS_k”. We often use PIMS_k_BFA, PIMS_k_BA, PIMS_k_RA, and PIMS_k_SA to differentiate between the assignment techniques as needed. The performance of PIMS is compared against PIMS_1 (denoted by One IB) and ITDB . We use a workload of 5000 transactions to conduct the experiments, unless stated otherwise. In each experiment, we run PIMS with values of 5, 10, 15, and 20. We do not notice any improvement in the performance beyond 20 IBs.
5.3.1 Read Log Overhead
In this experiment, we study the overhead of logging the transaction read/write operations. Figs. 6(a) and 6(b) give the throughput and response time with logging (PIMS) and without logging (no logging) for various values of . Notice that the throughput in both cases match the transaction arrival rate. However, logging read/write operations adds 30% overhead to the response time. This overhead is inevitable because PIMS relies on the transactions log to identify AT, and generate the compensating transactions.
5.3.2 Effect of Attack Intensity
In this experiment, we compare the performance of PIMS and OneIB with ITDB as the attack intensity increases. We use and to plot the results using BFA and BA assignments. Refer to Fig. 7. We observe that the extent of the damage increases as the attack intensity increases. In particular, the number of affected transactions increases as the number of malicious transactions increases. This is intuitive because increasing the number of malicious transactions increases the number of affected transactions with the same inter-transaction dependency. However, the average time to recover the damage remains constant as in Fig. 7(c). Observe that the number of affected transactions and the average recovery time for PIMS_10_BFA and PIMS_10_BA are less than OneIB and ITDB. The reason is that PIMS employs the delayed access mechanism that takes a proactive approach to block the incoming transactions that can potentially spread the damage. However, the disadvantage of the delayed access mechanism is the increase in the number of blocked transactions and average response time as in Fig. 7(b) and 7(d). PIMS_BFA has less response time as compared to PIMS_BA because BFA generates lower number of boundary tuples. Notice that the delayed access mechanism is not active in the case of OneIB and ITDB because there are no boundary tuples, and thus the response time is lower than PIMS.
Notice that, in general, increasing the number of affected transactions increases the number of compensating transactions to be performed. Consequently, the average recovery time increases. Similarly, increasing the number of blocked transactions increases the average response time. Even though OneIB and ITDB almost have the same number of affected transactions with the same attack intensity, OneIB encounters less recovery time as compared to ITDB. The reason is that ITDB needs multiple passes on the transactions logs to find AT , while OneIB needs a single pass because it temporarily blocks transactions. However, the overhead of blocking incoming transactions is an increase in the number of blocked transactions and response time in OneIB as compared to ITDB.
We note that the proposed response and recovery methodology, i.e., PIMS, reduces the number of affected transactions by at least 33% as compared to ITDB. Consequently, the average recovery time is reduced by 50%, i.e., 150 in PIMS_10_BFA as compared to 300 in ITDB with 750 malicious transactions. The downside is that PIMS incurs a larger number of blocked transactions due to blocking the transactions that request to read boundary tuples. The increase in the response time is around 60% as compared to ITDB. Nevertheless, the average response time for PIMS does not exceed 50 when the attack intensity is 15%. Fig. 8 gives the throughput of PIMS and OneIB as the attack intensity increases for and . We note that PIMS and OneIB match the transaction arrival rate , and thus does not incur any overhead on the throughput.
5.3.3 The Effect of The Number of IBs
In this experiment, we evaluate the performance of PIMS with various values of , i.e., 1, 5, 10, 15, and 20. We compare the results of PIMS_BFA and PIMS_BA with oneIB. Moreover, we study the performance of PIMS_RA and PIMS_SA to demonstrate the effectiveness of the proposed heuristics. Fig. 9 gives the performance of PIMS with , , and , i.e., 500 malicious transactions. From Fig. 9, increasing improves the performance of PIMS. In particular, the number of affected transactions is reduced by at least 5%, 18%, 26%, and 48% using SA, BFA, BA, and RA, respectively. Consequently, the average recovery time decreases as increases. However, PIMS incurs at least 20%, 37%, 50%, and 63% of response time overhead in SA, BFA, BA, and RA, respectively, as Fig. 9(d) illustrates. The reason is due to the increase in the number of boundary tuples. We note that the increase in the response time overhead is marginal as the value of increases beyond 10.
Although PIMS_BFA has the least reduction in recovery time as compared to PIMS_BA and PIMS_RA, PIMS_BFA has the minimum response time overhead. We note that PIMS_SA has less response time than PIMS_BFA when because the number of boundary tuples generated by SA is less than BFA as explained in Section 5.2. However, the response time of PIMS_SA increases dramatically for k10 as the assignment skewness is higher. On the other hand, PIMS_RA outperforms PIMS_BFA and PIMS_BA in terms of reducing the number of affected transactions, and thus the recovery time. PIMS_RA incurs the highest overhead in response time. In conclusion, we note that PIMS_BFA and PIMS_BA produce a balanced performance in terms of recovery and response time as compared to PIMS_RA and PIMS_SA over a wide range of values.
In the next experiment, we study the effect of the delayed access mechanism on the performance of PIMS. We compare the performance of PIMS_BFA, PIMS_BA, PIMS_RA, and PIMS_SA with delay and without delay. From Fig. 10(a), the number of affected transactions is larger when the delayed access mechanism is off. The reason is that the damage propagates across the IBs. However, the shortcoming of the delayed access mechanism is the increase in the response time overhead as in Fig. 10(d). The reason is the increase in the number of blocked transactions due to blocking boundary tuples. The overhead is more noticeable in the case of PIMS_RA as compared to PIMS_BFA. In conclusion, the delayed access mechanism allows to contain the damage and reduce the recovery time in the case of PIMS_BFA and PIMS_BA. Moreover, PIMS with delayed access mechanism maintains a reasonable response time overhead, and thus improves the overall availability.
6 Related Work
Security measures in DBMSs includes the protection of data confidentiality, integrity, and availability [22, 3]. A broad span of research addresses the protection of data confidentiality in DBMSs including authorization, e.g., , access control, e.g., , encryption, e.g., , and inference and disclosure control, e.g., . The integrity risk data in DBMSs is jointly prevented by using access control mechanisms and semantic integrity constraints to verify the correctness of the database state after updates. The availability of data is protected by providing fault-tolerance , replication , and intrusion detection techniques .
In the case of successful intrusion attacks, the effects of the committed transactions are undesirable. The methodology of undoing a committed transaction can be generally handled by one of two approaches: rollback or compensation. The rollback approach is achieved by rolling back all desirable and undesirable activities to a point that is free from damage . On the other hand, compensation approach unwinds the effect of selective committed transactions by executing special compensating transactions. The compensation operations are either action-oriented or effect-oriented . In this paper, we follow an effect-oriented compensation approach to recover from the damage caused by the malicious and affected transactions.
Several solutions have been proposed for intrusion recovery in database-backed applications. A generic intrusion-tolerant architecture for web-servers uses redundancy and diversification principles proposed in . In , WARP is proposed to recover from intrusions in web-applications by rolling back the database and replaying subsequent legitimate actions to correct the state of the DBMS. In 
, an intrusion recovery tool for database-backed applications running in Platform-as-a-Service clouds is proposed. The tool uses machine learning techniques to associate the application requests to the DBMS statements, and then uses existing recovery algorithms to recover from the damage in the DBMS. PIMS is designed as a middle-layer between the DBMS and the application that performs automatic intrusion response and recovery in the DBMS independently from the running applications.
Previous work in intrusion recovery in DBMSs can be broadly classified into two categories: transaction-level and data-level approaches. In the transaction-level approach, the general direction is to selectively rollback or compensate for the damaged tuples. In, a suite of recovery algorithms is proposed to unwind the effect of malicious transactions for offline and online recovery. In [6, 21], the authors present ITDB and DTQR, respectively, that implement the recovery algorithms in  on top of a Commercial-Off-The-Shelf DBMS. In , a damage assessment and repair system, termed Phoenix, is introduced. The core component in Phoenix is the inter-transaction dependency tracking that maintains such persistent dependency information at run-time. On the other hand, data-dependency approach provides a flexible recovery at the object-level. In , a damage assessment technique using data dependency analysis is proposed to obtain precise information about the set of corrupted data. PIMS uses a hybrid approach between data-level dependency and transaction-level approach to track the damage. In particular, the damage assessment is performed at the data-level, while the response and recovery procedures are performed at the transaction-level. Moreover, PIMS addresses the problem of prolonged online recovery procedure in .
Date partitioning schemes are used to improve the availability and scalability of the DBMS. In , a workload-aware approach for partitioning the data is proposed. The partitioning approach models the data objects as a graph that is then partitioned into balanced partitions such that the number of distributed transactions is minimized. In , a scalable workload-aware data placement that uses hyper-graph compression techniques to deal with large-scale datasets is proposed. Online partitioning techniques adaptively partition data based on emerging hotspots, workload skews, and load spikes. In , a methodology for using automatic data partitioning that prefers partitions with independent transactions is proposed. In , E-store is proposed that provides an elastic planning and reconfiguration system to mitigate the challenges paired with workload skews. None of the above partitioning scheme considers the security aspects of DBMS. The IB demarcation scheme partitions the workload with the objective to improve the availability by confining the damage caused by intrusion attacks.
In this paper, the problem of response and recovery of successful intrusion attacks on a DBMS is addressed. We propose PIMS, a data partitioning-based intrusion management system for DBMSs, that can endure intense malicious intrusion attacks. A new fine-grained dependency model that captures the intra-transaction and inter-transaction dependencies is introduced. We introduce a data partitioning scheme, termed IBs, with the objective to limit the extent of the damage into partitions. We formulate the IB demarcation problem as a cost-driven optimization problem and prove that IBDP is NP-hard, and propose efficient heuristic solutions. We present the architecture of PIMS and conduct various experiments to evaluate its performance. We show that although PIMS incurs response time overhead, the reduction in the number of affected transactions and the recovery time is up to 48% and 52%, respectively.
This work is supported by Northrop Grumman.
-  CL Philip Chen and Chun-Yang Zhang. Data-intensive applications, challenges, techniques and technologies: A survey on big data. Information Sciences, 275:314–347, 2014.
-  Gary Stoneburner, Alice Y Goguen, and Alexis Feringa. Risk management guide for information technology systems. NIST Report, 2002.
-  Elisa Bertino and Ravi Sandhu. Database security-concepts, approaches, and challenges. IEEE Trans. on Dep. and Sec. Comp., 2(1):2–19, 2005.
-  Ashish Kamra and Elisa Bertino. Design and implementation of an intrusion response system for relational databases. IEEE Trans. on Knowl. and Data Eng., 23(6):875–888, 2011.
-  Paul Ammann, Sushil Jajodia, and Peng Liu. Recovery from malicious transactions. IEEE Trans. on Knowl. and Data Eng., 14(5):1167–1185, 2002.
-  Peng Liu, Jiwu Jing, Pramote Luenam, Ying Wang, Lunquan Li, and Supawadee Ingsriswang. The design and implementation of a self-healing database system. Journal of Intelligent Information Systems, 23(3):247–269, 2004.
-  Bilal Shebaro, Asmaa Sallam, Ashish Kamra, and Elisa Bertino. Postgresql anomalous query detector. In Proc. of the 16th EDBT, pages 741–744. ACM, 2013.
-  Philip A Bernstein, Vassos Hadzilacos, and Nathan Goodman. Concurrency control and recovery in database systems. 1987.
-  Satish M Srinivasan and Raghvinder S Sangwan. Web app security: A comparison and categorization of testing frameworks. IEEE Software, 34(1):99–102, 2017.
-  C Mohan, Hamid Pirahesh, and Raymond Lorie. Efficient and flexible methods for transient versioning of records to avoid locking by read-only transactions, volume 21. ACM, 1992.
-  Henry F Korth, Eliezer Levy, and Abraham Silberschatz. A formal approach to recovery by compensating transactions. University of Texas at Austin, Department of Computer Sciences, 1990.
-  Brajendra Panda and Kazi Asharful Haque. Extended data dependency approach: a robust way of rebuilding database. In Proc. of the 2002 ACM symp. on Applied comp., pages 446–452. ACM, 2002.
-  Kristy Browder and M Davidson. The virtual private database in oracle9ir2. Oracle Tech. White Paper, Oracle Corporation, 500, 2002.
-  Art Rask, Don Rubin, and Bill Neumann. Implementing row-and cell-level security in classified databases using sql server 2005. MS SQL Server Technical Center, 2005.
-  Transaction Performance Coundeling. Tpc-c benchmark (revision 5.9.0). June 2007.
-  Mohammad Alomari, Michael Cahill, Alan Fekete, and Uwe Rohm. The cost of serializability on platforms that use snapshot isolation. In 2008 IEEE 24th ICDE, pages 576–585. IEEE, 2008.
-  Brian F Cooper, Adam Silberstein, Erwin Tam, Raghu Ramakrishnan, and Russell Sears. Benchmarking cloud serving systems with ycsb. In Proc. of the 1st ACM symposium on Cloud computing, pages 143–154. ACM, 2010.
-  Djellel Eddine Difallah, Andrew Pavlo, Carlo Curino, and Philippe Cudre-Mauroux. Oltp-bench: An extensible testbed for benchmarking relational databases. Proc. of the VLDB Endowment, 7(4):277–288, 2013.
-  Paul Erdos and Alfréd Rényi. On the evolution of random graphs. Publ. Math. Inst. Hung. Acad. Sci, 5(1):17–60, 1960.
-  Raj Jain, Arjan Durresi, and Gojko Babic. Throughput fairness index: An explanation. Technical report, Dep. of CIS, The Ohio State University, 1999.
-  Kun Bai and Peng Liu. A data damage tracking quarantine and recovery (dtqr) scheme for mission-critical database systems. In Proc. of the 12th EDBT, pages 720–731. ACM, 2009.
-  G Stonebumer NIST, A Goguen, and A Fringa. Risk management guide for information technology systems. Recommendations of the National Institute of Standards and Technology, 2002.
-  Surajit Chaudhuri, Tanmoy Dutta, and S Sudarshan. Fine grained authorization through predicated grants. In 2007 IEEE 24th ICDE, pages 1174–1183. IEEE, 2007.
-  Ravi Sandhu, Edward Coyne, Hal Feinstein, and Charles Youman. Role-based access control models. Computer, 29(2):38–47, 1996.
-  Muhammad I Sarfraz, Mohamed Nabeel, Jianneng Cao, and Elisa Bertino. Dbmask: fine-grained access control on encrypted relational databases. In Proc. of the 5th ACM Conference on Data and Application Security and Privacy, pages 1–11. ACM, 2015.
-  Yu Chen and Wesley W Chu. Protection of database security via collaborative inference detection. In Intelligence and Security Informatics, pages 275–303. Springer, 2008.
-  I. Gashi, P. Popov, and L. Strigini. Fault tolerance via diversity for off-the-shelf products: A study with sql database servers. IEEE Trans. on Dep. and Sec. Comp., 4(4):280–294, Oct 2007.
-  Marta Patiño-Martinez, Ricardo Jiménez-Peris, Bettina Kemme, and Gustavo Alonso. Middle-r: Consistent database replication at the middleware level. ACM Trans on Comp. Sys. (TOCS), 23(4):375–423, 2005.
-  Aleksandar Milenkoski, Marco Vieira, Samuel Kounev, Alberto Avritzer, and Bryan D Payne. Evaluating computer intrusion detection systems: A survey of common practices. ACM Computing Surveys (CSUR), 48(1):12, 2015.
-  Ayda Saidane, Vincent Nicomette, and Yves Deswarte. The design of a generic intrusion-tolerant architecture for web servers. IEEE Trans. on Dep. and Sec. Comp., 6(1):45–58, 2009.
-  Ramesh Chandra, Taesoo Kim, Meelap Shah, Neha Narula, and Nickolai Zeldovich. Intrusion recovery for database-backed web applications. In Proc. of the Twenty-Third ACM Symposium on Operating Systems Principles, pages 101–114. ACM, 2011.
-  David R Matos Miguel L Pardal and Miguel Correia. Rectify: Black-box intrusion recovery in paas clouds. In Proc. of the 18th International Middleware Conference. ACM, 2017.
-  Tzi-cker Chiueh and Shweta Bajpai. Accurate and efficient inter-transaction dependency tracking. In 2008 IEEE 24th ICDE, pages 1209–1218. IEEE, 2008.
-  Carlo Curino, Evan Jones, Yang Zhang, and Sam Madden. Schism: a workload-driven approach to database replication and partitioning. Proc. of the VLDB Endowment, 3(1-2):48–57, 2010.
-  Abdul Quamar, K Ashwin Kumar, and Amol Deshpande. Sword: scalable workload-aware data placement for transactional workloads. In Proc. of the 16th International Conference on Extending Database Technology, pages 430–441. ACM, 2013.
-  Alexandru Turcu, Roberto Palmieri, Binoy Ravindran, and Sachin Hirve. Automated data partitioning for highly scalable and strongly consistent transactions. IEEE Trans. on Par. and Dist. Sys., 27(1):106–118, 2016.
-  Rebecca Taft, Essam Mansour, Marco Serafini, Jennie Duggan, Aaron J Elmore, Ashraf Aboulnaga, Andrew Pavlo, and Michael Stonebraker. E-store: Fine-grained elastic partitioning for distributed transaction processing systems. Proc. of the VLDB Endowment, 8(3):245–256, 2014.