analysis of database tampering
TRANSCRIPT
DETECTION AND ANALYSIS OF DATABASE TAMPERING
By:Shweta Naik(01FM15ECS036)
Introduction The enterprise collects a large amount of
valuable data, likes customers, suppliers, competitions, etc.
According to the information in the databases, the enterprise managers can make a significant strategy of the company for further development.
Therefore, considering the information of the databases as the important assets for enterprises, database authentication becomes a hot research issue in recent years.
Introduction: Database Forensics is a branch of digital
forensic science relating to the forensic study of databases and their related metadata.
For the forensic examination of a data-base, it is necessary to know who, when and how modified or tampered the data
Timestamp of various action carried out on the Database
Type of transactions made How made the transaction made
Oracle Physical Storage Structures User data: Datafiles, redo log files, and archived redo
log Control files, maintain the state of the database objects Text-based alert and trace files contain logging
information for both routine events and error conditions Data files Redo log files Control Files Archived Log Files Alert and Trace Log Files Backup Files
Vulnerabilities in Oracle Firstly, they can exploit the trust already
given to them in the case of an inside attacker or in a social engineering attack
Secondly, an attacker can exploit a weakness in the configuration of the server Default Usernames and Passwords Reflections on default passwords
Third and last, exploit a vulnerability in the software.Buffer Overflow Vulnerabilities Format String Vulnerabilities PL/SQL Injection Trigger Abuse
Detection Methods checksum-based approach relational hash tree strong one-way hash functions audit log validate digital notarization service
Sources for Evidences
Redo Logs :The entry has a header and one or more “change vectors” for a given event.
Data Blocks :Each row in the block has a three byte header.
The first byte is a marker and contains a set of flags to indicate the row’s state
The second byte of the row header is used to determine lock status
the third byte indicates the total amount of data in the row.
Sources for Evidences
The audit trail Live Response :recovering and safely storing
volatile data for later analysis, in other words, all the information that will disappear when the machine is dis-connected from the network and switched off.
Views: For performance purposes V$SQL fixed view contains a list of recently executed
SQL queries V$DB_OBJECT_CACHE contains details about objects
in the library cache. Oracle Recycle Bin : System Change Number
Steps to Collect the Evidence
Steps to Collect the Evidence1) Setup the evidence collection server pipe output over the network using netcat or
cryptcat mapping a drive if the system is running on
Windows and then using file redirection 2) get basic in-formation 3) Collect the Oracle files of Interest The Oracle specific log, trace and control files
can be located in various places know where each instance of Oracle is
installed this can be extracted from the ORACLE_HOME environment vari-able if set.
4) Get the previously executed SQL
Steps to Collect the Evidence5) Getting a list of users and roles
SQL > SELECT USER#, NAME, ASTATUS, PASS WORD, CTIME, PTIME, LTIME FROM SYS.USER$ WHERE TYPE# = 1;
6) Getting a list of dropped tables SQL > SELECT U.NAME, R.ORIGINAL_NAME, R.OBJ#, R.DROPTIME, R.DROPSCN FROM SYS.RECYCLEBIN$ R, SYS.USER$ U WHERE R.OWNER# = U.USER#;
7) Getting information about PL/SQL objects The source of PL/SQL objects should be retrieved and
analyzed. Much of the source is encrypted or “wrapped” to use the
Oracle term. The incident responder should obtain an “unwrapper” to examine the clear text as an at-tacker can modify a PL/SQL object and re-encrypt it to hide their attack.
8) Finishing up SQL > SPOOL OFF ;SQL > QUIT
Disconnected from Oracle Database
Fragile Database Watermarking for Malicious Tamper Detection UsingSupport Vector Regression
"Watermarking" is the process of hiding digital information in a carrier signal; the hidden information should, but does not need to, contain a relation to the carrier signal. Digital watermarks may be used to verify the authenticity or integrity of the carrier signal or to show the identity of its owners.
A watermarking system is usually divided into three distinct steps, embedding, attack, and detection.
Continued…
Exploits trained support vector regression (SVR) predicting function to distribute the digital watermark over the particular numeric attributes to achieve embedding and detecting watermark by the same SVR predicting function.
If the absolute value of the difference between predicted value and attribute value is more than the designed fixed value, then the database content will be tampered with.
uses SVR to learn the data correlations of the protected database and embed the watermark bits.
This basically has 3 stagesTraining PhaseEmbedding PhaseTamper Detection Phase
The structure of the ith tuple in the protected table T is ti(P, Ci, A1, A2, …, An)
P is the primary key attribute Ci is the tolerable numeric attribute A1, A2, …, An are other n numeric attributes in the
table. The numeric attribute against slight distortion is
chosen to be objective dataset and the remainder attributes are used to be feature datasets.
Continued…
Training Phase: select training tuples from the original table randomly The numeric attribute against slight distortion is chosen
to be objective dataset and the remainder attributes are used to be feature datasets and will be trained for SVR.
the predicting function is obtained by SVREmbedding Phase: During watermark embedding, predict each numeric
attribute Ci of the table T by the trained SVR predicting function f.
Let the predicted value i C of the embedded attribute of the tuple ti be obtained by computing i C = f(ti).
Continued…
Continued…
Tamper Detection Phase: This phase detects which records in the table are
modified by malicious tamper. During detection, use the trained SVR predicting
function f(D) to generate the predicted value of each tuple
Then compare the corresponding watermark bit to the original watermark bit whether they are the same or not.
If the watermark bit comparison is the same, then the tuple has not been modified; otherwise the tuple has been modified.
Continued…Experimental Results:Database: “Iris Plant Database”
References:
[1] Digital Evidence for Database Tamper Detection, Journal of Information Security, 2012, 3, 113-121
[2] Fragile Database Watermarking for Malicious Tamper Detection Using Support Vector Regression
[3] Tutorial on Support Vector Regression , Alex J.GMD, Bernhard Scholkopf
[4] Database Tampering and Detection of Data Fraud by Using the Forensic Scrutiny Technique
THANK YOU!