Volume 19, Issue 4 (3-2023)   JSDP 2023, 19(4): 61-70
Mahmoudi-Nasr P. An Authorization Framework for Database Systems. JSDP 2023; 19 (4) : 5
URL: http://jsdp.rcisp.ac.ir/article-1-1167-en.html
University of Mazandaran
Abstract:
Today, data plays an essential role at every level of human life, from personal cell phones to medical, educational, military and government agencies. In these circumstances the rate of cyber-attacks is also increasing; according to official reports, data breaches exposed 4.1 billion records in the first half of 2019. An information system consists of several components, one of the most important of which is the database. Besides being a repository of data, a database acts as a common information bus between the components of the system, so any attack on the database may disrupt the operation of the other components. Database security is therefore shared across the whole information system. An attack may be carried out in various ways, such as data theft, data corruption and privacy breach, and, depending on the sensitivity of the stored data, a database attack can lead to significant human and financial losses, even at the national level. Among the different types of threats, the legitimate operator plays a key role in an information system, so the threat posed by that operator is one of the most dangerous to the security and integrity of a database system. This type of cyber-attack occurs when an insider operator abuses his/her legitimate permissions in order to access unauthorized data. This paper presents a new performance-based authorization framework that reduces the potential for insider threat in a database system. The proposed method ensures that only an authenticated operator performs authorized activities on database objects. In the proposed framework, an operator's permission to access a database table is determined by his/her performance value and the sensitivity level of the table. The operator's performance value is updated periodically, or whenever an abuse is detected, in order to protect access to the contents of the database and to preserve the consistency, integrity and overall quality of the data.
Simulation results on a real dataset from a hospital information system indicate that the proposed framework is effective at mitigating insider threats.
Article number: 5
Full-Text [PDF 636 kb]
Type of Study: Research | Subject: Paper
Received: 2020/08/13 | Accepted: 2021/12/11 | Published: 2023/03/20 | ePublished: 2023/03/20
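The abstract describes the decision rule only in outline: an operator's access to a table depends on an operator performance value and the table's sensitivity level, and the performance value is updated periodically or when an abuse is detected. The following is an added illustration of that paradigm written for this page; it is not the paper's code, and the concrete rules it uses (a 0..100 score, the per-sensitivity thresholds, a fixed penalty per detected abuse and a fixed recovery per review period, the ordering of checks after a conventional role grant) are assumptions chosen for illustration, since the paper's own formulas are not reproduced on this page.

```python
"""Performance-based table authorization, as an illustration of the
paradigm the abstract describes. This is an added example, not the paper's
code; the score range, per-sensitivity thresholds, abuse penalty and
periodic recovery amount are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Assumed: minimum operator performance (0..100) needed per sensitivity level.
REQUIRED_PERFORMANCE = {
    Sensitivity.PUBLIC: 0,
    Sensitivity.INTERNAL: 40,
    Sensitivity.CONFIDENTIAL: 70,
    Sensitivity.RESTRICTED: 90,
}


@dataclass
class Operator:
    name: str
    authenticated: bool
    role_grants: Set[str]        # tables the operator's role statically permits
    performance: int = 100       # assumed range 0..100, starts fully trusted


@dataclass
class Table:
    name: str
    sensitivity: Sensitivity


@dataclass
class AuthorizationFramework:
    tables: Dict[str, Table]
    abuse_penalty: int = 40      # assumed: score lost per detected abuse
    periodic_recovery: int = 10  # assumed: score regained per review period
    audit: List[Tuple[str, str, str, bool, str]] = field(default_factory=list)

    def authorize(self, op: Operator, table_name: str, action: str) -> Tuple[bool, str]:
        """Decide whether op may perform action on table_name.

        Checks run in order: authentication, table existence, static role
        grant, then the performance-versus-sensitivity comparison that the
        framework adds on top of ordinary role-based grants.
        """
        table = self.tables.get(table_name)
        if not op.authenticated:
            decision = (False, "operator not authenticated")
        elif table is None:
            decision = (False, "unknown table")
        elif table_name not in op.role_grants:
            decision = (False, "no role grant for table")
        else:
            required = REQUIRED_PERFORMANCE[table.sensitivity]
            if op.performance < required:
                decision = (False, f"performance {op.performance} below {required} "
                                   f"required for {table.sensitivity.name} table")
            else:
                decision = (True, "allowed")
        self.audit.append((op.name, action, table_name) + decision)
        return decision

    def report_abuse(self, op: Operator) -> int:
        """Event-driven update: a detected abuse lowers the operator's score."""
        op.performance = max(0, op.performance - self.abuse_penalty)
        return op.performance

    def periodic_update(self, op: Operator) -> int:
        """Periodic update: good behaviour over a review period restores score."""
        op.performance = min(100, op.performance + self.periodic_recovery)
        return op.performance


def run_scenario() -> Tuple[List[bool], int]:
    """Constructed hospital-style scenario; returns the decision sequence and
    the nurse's final performance score."""
    fw = AuthorizationFramework({
        "appointments": Table("appointments", Sensitivity.INTERNAL),
        "patient_records": Table("patient_records", Sensitivity.CONFIDENTIAL),
        "billing": Table("billing", Sensitivity.RESTRICTED),
    })
    nurse = Operator("nurse01", True, {"appointments", "patient_records"})
    visitor = Operator("kiosk", False, {"appointments"})

    results = [fw.authorize(nurse, "patient_records", "SELECT")[0]]    # 100 >= 70: allowed
    fw.report_abuse(nurse)                                               # score drops to 60
    results.append(fw.authorize(nurse, "patient_records", "SELECT")[0])  # 60 < 70: denied
    results.append(fw.authorize(nurse, "appointments", "SELECT")[0])     # 60 >= 40: allowed
    fw.periodic_update(nurse)                                            # score back to 70
    results.append(fw.authorize(nurse, "patient_records", "SELECT")[0])  # 70 >= 70: allowed
    results.append(fw.authorize(visitor, "appointments", "SELECT")[0])   # not authenticated
    results.append(fw.authorize(nurse, "billing", "SELECT")[0])          # no role grant
    return results, nurse.performance


if __name__ == "__main__":
    decisions, score = run_scenario()
    print(decisions, score)
```

The point the scenario makes is the one the abstract claims for the framework: a static role grant alone would let the nurse keep reading patient records after the abuse, whereas the performance check revokes access to the more sensitive table while leaving the less sensitive one usable, and the periodic update restores it only once the score climbs back over the threshold. Every decision is appended to an audit list so that a detection component could feed its findings back through report_abuse.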

Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

© 2015 All Rights Reserved | Signal and Data Processing