# Introduction

Information is one of the main assets of any organization and is essential to its continuity. Information security is therefore very important for protecting the confidentiality, integrity and availability of information. Many systems and tools are used to meet information security requirements and to protect information systems from possible incidents; access control systems, authentication systems, anti-virus software and firewalls are examples. According to [1], despite these different protection mechanisms, it is nearly impossible to have a completely secured system. Even sophisticated security systems may be under threat because of vulnerabilities or misconfiguration, which intruders may exploit to carry out their attacks. Detection of misuse activities in database systems is therefore considered the last defense layer of an organization's database security. The insider attack forms the biggest threat to database systems because the insider has authorized access to them.

# II. Background

There are many types of insider attack that abuse access rights to carry out malicious activities, for example by employees or through masquerading, with malicious activities such as updating and deleting approved records. A malicious activity is defined as a group of actions that attempts to harm the integrity or confidentiality of a database system [3]. DEMIDS is a mechanism designed to detect and prevent malicious activities such as malicious transactions on database systems [4]. There are many insider attacks that may hurt the confidentiality, integrity and availability of database systems. According to [5], database security attacks are classified into two types: outsider attacks and insider attacks.
An outsider attack can be defined as malicious actions that cause problems such as delays or bugs. Insider attacks are categorized into legitimate and illegitimate access. A user with legitimate access can abuse his privileges to carry out malicious actions, whereas illegitimate access tries to exploit the vulnerabilities of the system to do so. Many studies have been conducted to investigate insider attacks [6]. According to [2], insider attackers form a bigger threat to database security than outsider attackers, for two reasons: their knowledge of the systems and their granted privileges. [7] indicates that insider attacks can be extremely dangerous to database systems. Furthermore, insiders use their rights to carry out the malicious action. The malicious transaction is one of the insider attacks that harm the integrity and availability of the database [5]. There are many causes of malicious activities [5], such as bad configuration, an inexperienced database administrator (DBA), hidden flaws and weaknesses in the database implementation.

E Chitanlapudi Sai Charan

[8] stated that mechanisms based on auditing log files detect only malicious commands; if legitimate commands contain malicious data, it will not be detected. [8] proposed a mechanism to detect malicious activities in database management systems. The mechanism uses a data mining approach to determine the dependency among data items. The data dependency refers to the access relations among data items. These data dependencies are generated as a set of rules (pre-written, read, and post-written sets). Activities that do not follow any of the rules are therefore marked as malicious. This mechanism is limited to user transactions that conform to the read-write patterns assumed by [8].
Also, the system is not able to detect malicious behavior in individual read-write commands, the false alarm rate may be higher, the same sensitivity is given to every item, and there is no concept of attribute sensitivity [6], [3].

[9] addressed the problem of [8]. The approach adds more rules to some attributes so that they become more sensitive for detecting malicious modification. The limitations of this approach are the identification of suitable support and confidence values, that it is not suitable for role-based database access control, and that it does not support other manipulation commands such as insert and delete [11], [6].

[6] tries to address the problem of [8]. This approach detects malicious behavior based on RBAC (Role Based Access Control). The technique works as a control unit on the user role profile: if it discovers that a user is using a role different from the user's normal role, the mechanism raises a notification. The approach is suitable for databases that employ a role-based access control mechanism. The problem of [9] is also addressed in this approach. The limitation of this approach is its inability to detect transaction-level dependency, so some database attacks may go undetected [10].

[10] addressed the problem of [6] by extracting the correlation among the queries of a transaction. The proposed mechanism, called DIDS (Database Intrusion Detection System), generates the transaction profiles automatically. It has two phases: a learning phase and an intrusion detection phase. The learning phase generates the authorized transaction profiles automatically. The detection phase checks the behavior of executed transactions by comparing it with the authorized transaction profile. The limitation of this approach, which this study addresses, is that it is difficult to capture malicious data in authorized commands.
A further mechanism was developed to detect malicious transactions based on predefined profile transactions, called Database Malicious Transaction Detection (DBMTD). If an entered transaction does not match a predefined transaction in the profile, it is detected as a misuse or malicious transaction. The limitations of this approach are the limited set of transactions and the manual generation of the predefined profile transactions, which is time-consuming and difficult to achieve in real and complex database installations [13], [10]. The problem of [12] has been solved by [10], which generates the transaction profiles automatically. This approach uses a detection mechanism to detect the misuse activities. Its limitation is the inability to detect authorized malicious activities such as a delete or update on approved records, which this study addresses.

The previous studies try to solve the problems of malicious activities on relational database management systems. However, malicious data in authorized commands can still pass to the database. This study tries to address this kind of problem.

# a) Problem Statement

One of the database security problems is inside malicious activities. Among them are updating approved records with malicious data and deleting approved records. This study hypothesizes that the dependency relationship among items can be used to detect and prevent these malicious activities. To test this hypothesis, the following questions need to be answered:

i. How to represent the dependency relationship to detect and prevent malicious activities?

ii. How to use the dependency relationship to detect and prevent the malicious activities?

# III. Methodologies

This chapter discusses the methodology used to design and develop the detection and prevention mechanism for malicious activities that harm the integrity of the database.
Scientific research is research that relies on the application of the scientific method. The scientific method can be defined as a set of research principles and methods that helps researchers obtain valid results from their studies by providing clear guidelines for gathering, evaluating, and reporting information in the context of a research study [20].

# a) Research Framework

A methodology is required to guide the activities conducted by the project and to make sure that all project activities are well organized. To gather all the information related to the study, the researcher has to build a methodology or research framework that ensures all the tasks of the project are done clearly. Figure 1 shows the project research framework.

# Phase 1: Initial Planning Phase

The first step in achieving this project was the initial planning phase. First of all, the title of the project was discussed with the supervisor. The objective of the project development was reviewed and defined according to the problem statement. The scope of the project was also identified to draw the boundary for this project. After that, some research on the problem background of the project was done in order to decide on the methodology of the project.

Global Journal of Computer Science and Technology

# Phase 2: Literature Review

The literature review should give a theoretical base for the research and help to resolve the nature of the research. The purpose of the literature review is to show the reader what knowledge and ideas have been established on a topic by previous studies and how similar they are to this project topic. The literature review for this study therefore started with an overview of information security in general terms. It then focused on the components influencing information security, such as the insider attack and the malicious transaction.
The review then continues with the importance of the dependency relationship in relational database systems. Finally, the discussion goes through related work on how to detect and prevent misuse activities on relational database systems. It has two parts:

# i. Dependency Relationship

This part focuses on the dependency relationship concept, including the purpose of the dependency relationship and how the dependency relationship among items can be used to detect and prevent malicious activities.

# ii. Detection mechanisms

This part covers some of the mechanisms used to detect and prevent malicious activities, together with the methods they use, such as auditing log files, profiling, data mining, and the dependency relationship.

# Phase 3: Design the proposed mechanism

In this phase, the design of the mechanism is developed, including the specification of the mechanism components. The mechanism has three layers: the input layer, the detection and prevention layer, and the database layer, as follows:

# i. Input Layer

This layer is used to input data to the mechanism. The source of input data is a dataset constructed by this study. The dataset contains more than 20,000 records that include malicious and non-malicious records.

# ii. Detection Layer Based on Dependency Relationship

This is considered the most important layer in the mechanism. It receives the data from the input layer and checks whether it is malicious or not. It is a collection of objects: the dependency algorithm, the alerter and the events table. The components of this layer are:

# Dependency Algorithm

The dependency algorithm (DA) is a set of instructions used to calculate the total dependency relationship among data items and the data items related by it, in order to mine the malicious data among items. Chapter 4 will explain more about it.
# Alerter

During the process, malicious activities such as updating or deleting commands are detected by the mechanism. An alert then needs to be raised by the alerter to notify the DBA.

# Events Table

This table is used to store the misuse activity events when they happen.

# Database Layer

The database layer is the original database tables (schema), which store the clean data coming from the detection and prevention layer. The database layer includes the definition and transaction tables.

1. Definition Tables: These tables store the primary and fixed data of the system.
2. Transaction Tables: The tables that hold the transaction data, which changes continuously, for example salaries tables, check tables and so on.

# Phase 4: Develop the Proposed Mechanism

Three software products will be used to develop the proposed mechanism:

# i. PL/SQL Language

Procedural Language/Structured Query Language is the best language in which to develop the logic of the mechanism. It has good features such as flexibility, ease of use, control statements and so on. PL/SQL will be used to connect all components of the mechanism.

# ii. Oracle Database

The Oracle database will be used to create the target database schema, such as the tables, views, triggers, procedures and functions of the mechanism.

# iii. Oracle Developer2000

Oracle Developer is one of the Oracle Corporation products. Oracle Developer2000 will be used to build the interfaces of the mechanism (input layer).

# Evaluation of the Proposed Mechanism

This phase evaluates the mechanism to verify whether it meets the project objectives or not. To evaluate the mechanism, some steps should be executed: execute the proposed mechanism, establish the baseline, apply the evaluation measures and compare the results.

# i. Execute the Proposed Mechanism

Execute the proposed mechanism to get the results and compare them with the existing mechanism. The existing mechanism is DIDS (Database Intrusion Detection System) [10].

# ii. Baseline

The baseline of this project is DIDS (Database Intrusion Detection System) [10]. DIDS is one of the mechanisms used to detect and prevent malicious activities in a database.

# iii. Evaluation Parameters

The measures that will be used in this study to evaluate the accuracy of the proposed mechanism are the detection rate, the false negative rate and the false positive rate.

# Detection Rate

The detection rate refers to the percentage of detected malicious events: the number of detected intrusion events divided by the total number of malicious events, multiplied by 100%.

# False Positive Rate

The false positive rate refers to the probability that correct events are falsely detected as abnormal events: the number of events falsely detected as abnormal divided by the total number of events, multiplied by 100%.

# False Negative Rate

The false negative rate represents the abnormal or harmful activities that are wrongly classified by the detection mechanism as normal activities: the number of events falsely detected as normal divided by the total number of events, multiplied by 100%.

# Compare the Results

The results obtained will be compared with the results of the existing mechanism. This comparison sets the accuracy of the proposed mechanism against the accuracy of the existing mechanism.

# IV. Conclusion

# a) Entail Design of the mechanism

The initial results obtained from this study are the initial design of the mechanism and the flowchart of how the mechanism works. Figure 2 shows the architecture design of the mechanism and the relations among its components. Figure 3 shows the flow processes of the mechanism.

Figure 1: Research Framework

Figure 2: Dependency Relationship Mechanism

Global Journal of Computer Science and Technology, Volume XIV Issue VIII Version I, Year 2014. © 2014 Global Journals Inc. (US)

According to the proposed dependency algorithm, the relations among items, and the data items related by these relations, are calculated. For example, if the total number of relationships among items is greater than or equal to three, the attribute is heavily used and highly important. The mechanism then checks the data in the items: if data has already been written in more than one item, then this item is used in other places by other users, and the update or delete is prohibited and classified as malicious. On the other hand, if the total number of relations among items equals 2 (low importance) and the two data items have already been used, an update or delete command on only one data item without the other is determined to be a malicious command. However, an update or delete in parallel on these two data items is determined to be malicious but passes and is committed in the database.
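
An added Python example, not the paper's own PL/SQL code: it applies the TR/TD rule of this section to insert, update and delete commands, then scores a small constructed set of labelled commands with the detection, false positive and false negative rates defined in the evaluation phase. The schema, the sample data, the `touched` field, the logging of flagged-but-committed commands and the pass-through for cases the page leaves unspecified are assumptions.

```python
from collections import namedtuple

# Constructed schema (assumption): item -> items that depend on it.
DEPENDENCIES = {
    "employees.emp_id": ["salaries.emp_id", "checks.emp_id", "leave.emp_id"],
    "accounts.acc_no": ["checks.acc_no", "transfers.acc_no"],
    "depts.dept_id": ["employees.dept_id"],
}
# Constructed data: key values already written in each dependent item.
WRITTEN = {
    "salaries.emp_id": {101, 102}, "checks.emp_id": {101}, "leave.emp_id": {103},
    "checks.acc_no": {"A1"}, "transfers.acc_no": {"A1", "A2"},
    "employees.dept_id": {10},
}
BOTH = ("checks.acc_no", "transfers.acc_no")

# touched: dependent items changed in the same transaction (parallel activity).
Command = namedtuple("Command", "kind item value touched")
Decision = namedtuple("Decision", "malicious committed tr td")

class Detector:
    def __init__(self):
        self.events = []   # stands in for the events table
        self.alerts = []   # stands in for notifications sent to the DBA

    def check(self, cmd):
        if cmd.kind == "insert":                 # inserts go straight through
            return Decision(False, True, 0, 0)
        related = DEPENDENCIES.get(cmd.item, [])
        used = [i for i in related if cmd.value in WRITTEN.get(i, set())]
        tr, td = len(related), len(used)         # TR and TD
        if tr < 2 or td <= 1:
            # Assumption: the page states no rule for these cases, so allow.
            return Decision(False, True, tr, td)
        if tr == 2 and set(used) <= set(cmd.touched):  # parallel change
            decision = Decision(True, True, tr, td)    # flagged, still committed
        else:  # TR >= 3, or TR == 2 with one item changed: block and alert
            decision = Decision(True, False, tr, td)
            self.alerts.append(cmd)
        self.events.append((cmd, decision))      # assumption: log both cases
        return decision

def rates(labelled):
    """Return (detection, false-positive, false-negative) rates in percent."""
    det = Detector()
    flags = [(det.check(cmd).malicious, truth) for cmd, truth in labelled]
    total, bad = len(flags), sum(1 for _, t in flags if t)
    dr = 100.0 * sum(1 for f, t in flags if f and t) / bad        # / malicious
    fp = 100.0 * sum(1 for f, t in flags if f and not t) / total  # / all events
    fn = 100.0 * sum(1 for f, t in flags if not f and t) / total  # / all events
    return dr, fp, fn

# Constructed labelled events: (command, ground truth "is malicious").
SAMPLE = [
    (Command("insert", "employees.emp_id", 104, ()), False),
    (Command("delete", "employees.emp_id", 101, ()), True),    # TR=3, TD=2
    (Command("update", "accounts.acc_no", "A1", BOTH[:1]), True),
    (Command("update", "accounts.acc_no", "A1", BOTH), False),  # flagged anyway
    (Command("update", "employees.emp_id", 102, ()), True),    # TD=1: missed
    (Command("delete", "depts.dept_id", 10, ()), False),
    (Command("update", "accounts.acc_no", "A2", ()), False),
    (Command("delete", "employees.emp_id", 103, ()), False),
]
```

On the constructed sample the rule misses a malicious update to a record with TD = 1 and flags a legitimate parallel update, so the three rates have to be read together when comparing against a baseline.
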
## Figure 3: Mechanism Flow processes

The proposed dependency algorithm works as follows. When an authorized user sends a command to the database, the algorithm checks the command type. If it is an insert, the command moves directly to the database. If it is an update or delete, the algorithm first checks the total number of dependency relationships among items (TR) and then the total number of data items (TD) related by the dependency relation. If TR is greater than or equal to three relations, it checks the relevant data items; if data has already been written to more than one item, the mechanism detects the activity as malicious, prevents it, notifies the DBA and writes the event to the events table. If TR equals two relations, it checks TD; if data has been written in more than one item, it checks the activity on the two data items. A parallel activity is detected as malicious but can pass to the database, because the data may or may not be correct; an activity on only one data item is detected as malicious and prevented, the DBA is notified and the event is written to the events table. The algorithm in Figure 4 explains the proposed dependency algorithm among items.

# References

* A software implementation of a genetic algorithm based approach to network intrusion detection. RenHui G, MZulke Rnine. Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2005 and First ACIS International Workshop on Self-Assembling Wireless Networks (SNPD/SAWN 2005), Sixth International Conference on, 2005.
* Detection of Insiders Misuse in Database Systems. Nahla Shatnawi, Q A, Wail Mardini. Proceedings of the International Multi Conference of Engineers and Computer Science, Hong Kong, March 16-18, 2011.
* The architecture of a network level intrusion. Javidi, R Heady. 1990.
* Demids: A misuse detection system for database systems. C Y Chung, M Gertz, K Levitt. 14th IFIP WG11.3 Working Conference on Database and Application Security, 2000.
* Detection of Malicious Transactions in DBMS. A S Yushi, Reena Bansal. International Journal of Information Technology and Knowledge Management 2(2), July-December 2010.
* Intrusion detection in RBAC administered databases. E Bertino, E Terzi. Computer Security Applications Conference, 21st Annual, 2005.
* System architecture for SQL injection and insider misuse detection system for DBMS. A Asmawi, Z M Sidek. Information Technology, 2008 (IT Sim 2008), International Symposium on, 2008.
* Identification of malicious transactions in database systems. H Yi, B Panda. Database Engineering and Applications Symposium, 2003. Proceedings. Seventh International, 2003.
* Weighted intratransactional rule mining for database intrusion detection. A Srivastava, S Sural. Proceedings of the 10th Pacific-Asia Conference on Advances in Knowledge Discovery and Data Mining, Singapore, Springer-Verlag, 2006.
* Design and Implementation of Database Intrusion Detection System for Security in Database. U Rao, D R P. International Journal of Computer Applications 35(9), December 2011.
* Design and Implementation of Database Intrusion Detection System for Security in Database. U P R, D R Patel. Proceedings of the 2008 ACM Symposium on Applied Computing, Fortaleza, Ceara, Brazil, ACM. December 2011, 35.
* Detection of malicious transactions in DBMS. M Vieira, H Madeira. Dependable Computing, 2005. Proceedings. 11th Pacific Rim International Symposium on, 2005.
* Online detection of malicious data access using DBMS auditing. Jos Lab. 2008.