DETECTION AND ANALYSIS OF DATABASE TAMPERING

By:Shweta Naik(01FM15ECS036)

Introduction The enterprise collects a large amount of

valuable data, likes customers, suppliers, competitions, etc.

According to the information in the databases, the enterprise managers can make a significant strategy of the company for further development.

Therefore, considering the information of the databases as the important assets for enterprises, database authentication becomes a hot research issue in recent years.

Introduction: Database Forensics is a branch of digital

forensic science relating to the forensic study of databases and their related metadata.

For the forensic examination of a data-base, it is necessary to know who, when and how modified or tampered the data

Timestamp of various action carried out on the Database

Type of transactions made How made the transaction made

Oracle Physical Storage Structures User data: Datafiles, redo log files, and archived redo

log Control files, maintain the state of the database objects Text-based alert and trace files contain logging

information for both routine events and error conditions Data files Redo log files Control Files Archived Log Files Alert and Trace Log Files Backup Files

Vulnerabilities in Oracle Firstly, they can exploit the trust already

given to them in the case of an inside attacker or in a social engineering attack

Secondly, an attacker can exploit a weakness in the configuration of the server Default Usernames and Passwords Reflections on default passwords

Third and last, exploit a vulnerability in the software.Buffer Overflow Vulnerabilities Format String Vulnerabilities PL/SQL Injection Trigger Abuse

Detection Methods checksum-based approach relational hash tree strong one-way hash functions audit log validate digital notarization service

Sources for Evidences

Redo Logs :The entry has a header and one or more “change vectors” for a given event.

Data Blocks :Each row in the block has a three byte header.

The first byte is a marker and contains a set of flags to indicate the row’s state

The second byte of the row header is used to determine lock status

the third byte indicates the total amount of data in the row.

Sources for Evidences

The audit trail Live Response :recovering and safely storing

volatile data for later analysis, in other words, all the information that will disappear when the machine is dis-connected from the network and switched off.

Views: For performance purposes V$SQL fixed view contains a list of recently executed

SQL queries V$DB_OBJECT_CACHE contains details about objects

in the library cache. Oracle Recycle Bin : System Change Number

Steps to Collect the Evidence

Steps to Collect the Evidence1) Setup the evidence collection server pipe output over the network using netcat or

cryptcat mapping a drive if the system is running on

Windows and then using file redirection 2) get basic in-formation 3) Collect the Oracle files of Interest The Oracle specific log, trace and control files

can be located in various places know where each instance of Oracle is

installed this can be extracted from the ORACLE_HOME environment vari-able if set.

4) Get the previously executed SQL

Steps to Collect the Evidence5) Getting a list of users and roles

SQL > SELECT USER#, NAME, ASTATUS, PASS WORD, CTIME, PTIME, LTIME FROM SYS.USER$ WHERE TYPE# = 1;

6) Getting a list of dropped tables SQL > SELECT U.NAME, R.ORIGINAL_NAME, R.OBJ#, R.DROPTIME, R.DROPSCN FROM SYS.RECYCLEBIN$ R, SYS.USER$ U WHERE R.OWNER# = U.USER#;

7) Getting information about PL/SQL objects The source of PL/SQL objects should be retrieved and

analyzed. Much of the source is encrypted or “wrapped” to use the

Oracle term. The incident responder should obtain an “unwrapper” to examine the clear text as an at-tacker can modify a PL/SQL object and re-encrypt it to hide their attack.

8) Finishing up SQL > SPOOL OFF ;SQL > QUIT

Disconnected from Oracle Database

Fragile Database Watermarking for Malicious Tamper Detection UsingSupport Vector Regression

 "Watermarking" is the process of hiding digital information in a carrier signal; the hidden information should, but does not need to, contain a relation to the carrier signal. Digital watermarks may be used to verify the authenticity or integrity of the carrier signal or to show the identity of its owners.

 A watermarking system is usually divided into three distinct steps, embedding, attack, and detection.

Continued…

Exploits trained support vector regression (SVR) predicting function to distribute the digital watermark over the particular numeric attributes to achieve embedding and detecting watermark by the same SVR predicting function.

If the absolute value of the difference between predicted value and attribute value is more than the designed fixed value, then the database content will be tampered with.

uses SVR to learn the data correlations of the protected database and embed the watermark bits.

This basically has 3 stagesTraining PhaseEmbedding PhaseTamper Detection Phase

The structure of the ith tuple in the protected table T is ti(P, Ci, A1, A2, …, An)

P is the primary key attribute Ci is the tolerable numeric attribute A1, A2, …, An are other n numeric attributes in the

table. The numeric attribute against slight distortion is

chosen to be objective dataset and the remainder attributes are used to be feature datasets.

Continued…

Training Phase: select training tuples from the original table randomly The numeric attribute against slight distortion is chosen

to be objective dataset and the remainder attributes are used to be feature datasets and will be trained for SVR.

the predicting function is obtained by SVREmbedding Phase: During watermark embedding, predict each numeric

attribute Ci of the table T by the trained SVR predicting function f.

Let the predicted value i C of the embedded attribute of the tuple ti be obtained by computing i C = f(ti).

Continued…

Continued…

Tamper Detection Phase: This phase detects which records in the table are

modified by malicious tamper. During detection, use the trained SVR predicting

function f(D) to generate the predicted value of each tuple

Then compare the corresponding watermark bit to the original watermark bit whether they are the same or not.

If the watermark bit comparison is the same, then the tuple has not been modified; otherwise the tuple has been modified.

Continued…Experimental Results:Database: “Iris Plant Database”

References:

[1] Digital Evidence for Database Tamper Detection, Journal of Information Security, 2012, 3, 113-121

[2] Fragile Database Watermarking for Malicious Tamper Detection Using Support Vector Regression

[3] Tutorial on Support Vector Regression , Alex J.GMD, Bernhard Scholkopf

[4] Database Tampering and Detection of Data Fraud by Using the Forensic Scrutiny Technique

THANK YOU!