[ieee 2006 international conference on power system technology - chongqing, china...



2006 International Conference on Power System Technology

Distributed Database System Security Model of

Power Enterprise Based on Intrusion Tolerance

Technology

Gu-Ping Zheng and Lu-Feng Xu

Abstract--This paper presents an intrusion-tolerant distributed database system security model of power enterprise. While traditional secure distributed database systems depend on preventive measures and are limited in surviving malicious attacks, this model can detect intrusions, isolate attacks, assess and repair the damage caused by intrusions in a timely manner. In this way, the system can maintain the integrity and availability of data. As for confidential data, a (t, n) threshold secret share scheme is utilized to protect them from compromised servers in the presence of intrusions. In this way, the system can realize the confidentiality of data.

Index Terms--Distributed database systems; Intrusion detection; Intrusion tolerance; threshold secret share

I. INTRODUCTION

Nowadays, with the wide application of information and network technologies to power enterprises, information systems have inevitably become open, interconnected and standardized. Each department of a power enterprise needs to set up a relatively independent information system, communicate with the other departments, and share information. A distributed database system (DDBS) can achieve this goal, and it is also a necessary part of the digital power system (DPS) [1]. Some researchers have studied the possibility and necessity of applying DDBS in power enterprises [2], for example in supervisory control and data acquisition (SCADA) and management information systems (MIS).

Distributed databases are widely used in data-intensive applications, and at the same time the security of distributed databases is in strong demand. In power enterprises, more and more attention is paid to information security issues [3]. A DDBS can obtain its security properties through secure auditing, message tracing, collecting the access attributes of users, and utilizing firewalls and intrusion detection systems (IDS). But these preventive measures sometimes fail to defeat malicious attacks in the face of sophisticated attack methods and frequent attack events. Intrusion tolerance (IT) is a new approach to information security. Instead of trying to prevent every single intrusion, intrusions are allowed but tolerated: the system triggers tolerance mechanisms that prevent the intrusion from causing a system security failure and provide normal or gracefully degraded service to users.

Gu-Ping Zheng is with School of Computer Science and Technology, North China Electric Power University, Baoding, 071003, China (e-mail: zhengguping@126.com).

Lu-Feng Xu is with School of Computer Science and Technology, North China Electric Power University, Baoding, 071003, China (e-mail: fenlux@yahoo.com.cn).

In this paper, an intrusion-tolerant distributed database (ITDDB) security model is presented to provide distributed database applications with data integrity and availability in the face of attacks. Furthermore, a (t, n) threshold secret sharing scheme is adopted to realize the confidentiality of important data.

II. ITDDB MODEL

A distributed database is composed of databases stored in physically separated systems, interconnected by communication networks, and managed by a distributed database management system (DDBMS). While traditional database security techniques often fail to deal with malicious attacks or intrusions, an intrusion-tolerant database system can detect intrusions, isolate attacks, assess and repair the damage caused by attacks or intrusions, and keep confidential data safe.

The ITDDB model is designed for these goals and has four main subsystems:

(1) The Proxy Server subsystem, which receives and filters users' requests and communicates with other sites in the DDBS;

(2) The Intrusion Detection subsystem, which acts as the intrusion tolerance trigger for the whole system;

(3) The Assessment and Repair subsystem, which assesses and repairs the damage caused by attacks or intrusions in a timely manner;

(4) The Isolation subsystem, which isolates suspicious users (transactions) when the intrusion detection subsystem gives an alert.

The ITDDB model is designed based on two assumptions: (1) the IDS can identify malicious attacks or intrusions; (2) the DDBMS can provide a strict serial history. As shown in Fig. 1, we design an architecture for each site of the DDBS; in the following, we present the fundamental design and implementation of these four subsystems.

1-4244-0111-9/06/$20.00 ©2006 IEEE.


Fig. 1. The architecture of ITDDB.

A. Proxy Server Subsystem

Based on the technique of redundancy, this subsystem is composed of several proxy servers. One of them is elected as the main proxy server (MPS), which represents the public access point for the intrusion-tolerant services provided, and the others serve as assistant proxy servers (APS). The MPS receives and filters users' requests, then passes valid requests to the DDBMS; the DDBMS processes the request and returns the results to the MPS. The MPS also communicates with the MPSs at other sites in the DDBS and captures relevant information about transactions in order to cooperate with the Isolation subsystem and the Assessment and Repair subsystem.

As the entrance to the database, the Proxy Server subsystem plays an important role in the whole system and often becomes the target of attacks. A virtual IP address is utilized to enhance the safety of the proxy servers. A virtual address, which is made known to the clients, is assigned to the MPS, so the MPS serves as a dynamic virtual server for the end users. Inside the subsystem, each proxy server has a dynamic PRI. The MPS sends messages to the APSs periodically, and each APS must respond to the MPS immediately. If the MPS does not receive a reply from a certain APS for a fixed period of time, it sends out warning information showing that this APS has broken down. On the other hand, if the APSs have not received any message from the MPS for a fixed period of time, the APS with the highest PRI is chosen as the new MPS.
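The heartbeat and failover rule described above, as an added simulation that is not code from the paper: the class name, the 3-second timeout, the treatment of PRI as a numeric priority and the constructed timeline are all assumptions.

```python
# Added example, not the paper's code: MPS/APS heartbeat monitoring and
# highest-PRI failover of the Proxy Server subsystem on a constructed timeline.
# TIMEOUT, the class name and the PRI values are assumptions.

TIMEOUT = 3.0   # seconds of silence before a proxy is declared down (assumed)

class ProxyCluster:
    def __init__(self, pri, mps):
        self.pri = dict(pri)                   # proxy name -> dynamic PRI
        self.mps = mps                         # current holder of the virtual address
        self.last_seen = {p: 0.0 for p in pri} # last heartbeat time per proxy
        self.down = set()

    def heartbeat(self, sender, now):
        """The MPS sends its periodic message; each APS replies immediately."""
        self.last_seen[sender] = now
        self.down.discard(sender)

    def check(self, now):
        """MPS side: warn about every APS that stayed silent for TIMEOUT.
        APS side: if the MPS itself stayed silent, the live APS with the
        highest PRI takes over as MPS (and with it the virtual address)."""
        warnings = []
        for p in self.pri:
            if p != self.mps and p not in self.down and now - self.last_seen[p] > TIMEOUT:
                self.down.add(p)
                warnings.append(f"APS {p} down")
        if self.mps not in self.down and now - self.last_seen[self.mps] > TIMEOUT:
            warnings.append(f"MPS {self.mps} silent")
            self.down.add(self.mps)
            live = [p for p in self.pri if p not in self.down]
            if live:
                self.mps = max(live, key=self.pri.get)
                warnings.append(f"{self.mps} elected MPS")
        return warnings
```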

B. Intrusion Detection Subsystem

Intrusion detection is a key technique for building an ITDDB. Effective damage assessment and repair cannot be achieved without effective intrusion detection, since intrusion detection acts as the trigger of the intrusion tolerance mechanism and makes the system attack-aware. But current intrusion detection systems have some common shortcomings, such as lack of efficiency, a high number of false positives, and limited flexibility and response capability. Mobile agent based distributed intrusion detection (MADID) is presented for the DDBS to address some of the issues mentioned above [4]. Fig. 2 shows the architecture of MADID.

The components of MADID and their functions are as follows:

* Intrusion Detection Agent (IDA): IDA is a static agent on each site of the DDBS. By viewing system logs, application logs and network traffic, it can detect suspicious events and report them to the Intrusion Collection Agent.

* Mobile Agents (MA): MAs are a set of software entities which can move from one site to another, interact with each other and work autonomously toward a goal. There are various kinds of MAs, and each has its specific function.

* Rule-Base: The Rule-Base consists of all kinds of experience rules, and new rules can be added dynamically.

* Alerting Agent (AA): Based on the Rule-Base, AA can predict possible intrusion intentions and give alerts when an intrusion occurs.

* Mobile Agents Dispatcher (MAD): MAD can dispatch different MAs to destination sites according to the information provided by AA.

* Intrusion Collection Agent (ICA): ICA collects all kinds of suspicious events coming from the IDAs located on different sites.

* IDS console: The IDS console provides a user interface for administrators to accomplish various management functions, such as configuring system parameters and adding rules to the Rule-Base.

Fig. 2. The architecture of MADID.

The working process of Fig. 2 is as follows:

1) IDA detects suspicious events and reports the findings to ICA.

2) ICA collects all reports of suspicious events, and then transfers them to AA.

3) Based on the Rule-Base, AA predicts possible intrusion intentions and gives relevant information.

4) MAD dispatches specific types of MAs to specific sites to collect intrusion information. More MAs will be sent if needed, and the existing MAs can be modified for better detection capability.

5) MAs cooperate with IDAs, aggregate and correlate the information, and generate alerts. At the same time, the detection results are collected by ICA and then reported to AA. AA sends these alerts to the IDS console, where they can be used by the security administrator.

C. Assessment and Repair subsystem

It is almost impossible to prevent all attacks, and these attacks sometimes cause data damage, which means some data may be deleted, accessed beyond one's authority, or modified illegally. The Assessment and Repair subsystem locates the damage and repairs it in a timely manner; at the same time, the whole system can still offer normal or gracefully degraded service. One key challenge of attack recovery is called damage spreading [5]: in a distributed database, the results of one transaction can affect the execution of other transactions directly or indirectly. There are two kinds of popular damage assessment and repair techniques: data-oriented methods [6] and transaction-oriented methods [7]. By using a cleaning transaction to repair multiple data objects and backing out affected transactions, transaction-oriented methods are more efficient and practical in a distributed environment [8]; thus, they are adopted in this subsystem.

According to statistics about previous attacks, MADID raises two levels of alarms [4]: when the anomaly of a transaction is above the Level 1 anomaly threshold THm, the transaction is reported as malicious; when the anomaly is above the Level 2 anomaly threshold THs and below THm, the transaction is reported as suspicious. In this way, transactions are divided into three types: innocent transactions, malicious transactions and suspicious transactions. This subsystem assesses and repairs the damage caused by the malicious transactions and by the innocent transactions affected by the malicious transactions, directly or indirectly.

The Assessment and Repair subsystem is composed of two components: the tracing manager and the damage repairer. For each distributed transaction, the tracing manager of the site where the distributed transaction is initiated allocates a track record to keep relevant information about the transaction. When a transaction is identified as malicious, its track record is sent to the relevant tracing managers at other sites according to the information about the transaction. When all the relevant tracing managers have received the track record, they send an ACK to the sender and then scan their local logs to identify the subtransactions which are affected by the malicious transaction. The local repair manager collects the information provided by the local tracing manager, then builds a specific distributed cleaning transaction to repair the damage caused by the malicious transaction or by the affected subtransactions. The cleaning transaction cleans each object affected by the malicious transaction, directly or indirectly, by restoring the value of the object to its latest undamaged version.

The damage assessment and repair processes are on-the-fly, and during the process new transactions can be executed. This may bring a critical issue: if the damage spreads faster than it is repaired, the repair may never terminate. Reference [9] points out the standards of repair termination: (1) every malicious transaction is cleaned; (2) every identified damaged object is cleaned; (3) further (assessment) scans will not identify any new damage (if no new attack comes).
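The transaction-oriented assessment, cleaning transaction and termination check described in this section, as an added single-site illustration that is not the authors' implementation: the log record format, the serial history, the database state and the function names are constructed assumptions, and the strict serial history the model assumes is taken as given.

```python
# Added example, not the paper's code: single-site transaction-oriented damage
# assessment over a constructed strict serial history.  Each log record is
# (txn_id, objects_read, {object: (before_image, after_image)}), an assumed format.

LOG = [
    ("T1", {"a"},      {"b": (10, 11)}),   # will be reported malicious
    ("T2", {"b"},      {"c": (20, 31)}),   # reads T1's b: directly affected
    ("T3", {"x"},      {"d": (40, 41)}),   # independent, innocent
    ("T4", {"c", "x"}, {"e": (50, 81)}),   # reads T2's c: indirectly affected
    ("T5", {"d"},      {"f": (60, 61)}),   # depends only on innocent T3
    ("T6", {"x"},      {"c": (31, 99)}),   # innocent blind write: c is clean again
]

# Constructed database state after the whole history has committed.
DB = {"a": 1, "b": 11, "c": 99, "d": 41, "e": 81, "f": 61, "x": 7}

def assess(log, malicious):
    """One scan of the serial history.  Returns (affected_txns, cleaning), where
    cleaning maps each still-damaged object to its latest undamaged version.
    A transaction is affected if it is malicious or reads an object whose
    current version was written by an affected transaction (damage spreading)."""
    affected = []
    damaged = {}                       # object -> latest undamaged value
    for tid, reads, writes in log:
        tainted = tid in malicious or any(o in damaged for o in reads)
        if tainted:
            affected.append(tid)
            for obj, (before, _after) in writes.items():
                damaged.setdefault(obj, before)   # before-image of first damaged write
        else:
            for obj in writes:
                damaged.pop(obj, None)            # innocent overwrite supersedes damage
    return affected, damaged

def repair(db, cleaning):
    """Apply the cleaning transaction: restore every damaged object."""
    fixed = dict(db)
    fixed.update(cleaning)
    return fixed

def repair_terminated(log, malicious, cleaned_txns):
    """Termination standards from the text: with the cleaned transactions backed
    out, a further assessment scan must identify no new damage."""
    remaining = [rec for rec in log if rec[0] not in cleaned_txns]
    affected, damaged = assess(remaining, set(malicious) - set(cleaned_txns))
    return not affected and not damaged
```

The scan shows both directions of spreading: T4 is affected through T2 even though it never read T1's output, while T6's innocent overwrite means object c needs no cleaning.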

D. Isolation subsystem

The Isolation subsystem has two main components: the isolation manager and the virtual database. As mentioned above, transactions are divided into three types: innocent transactions, malicious transactions and suspicious transactions. For suspicious transactions, [5] proposes the idea of isolation in a centralized database, and we make some improvements for the distributed environment.

When a transaction Ts is reported as suspicious at one site, which means the transaction may be a malicious transaction, the MPS, working together with the isolation manager, redirects Ts to the virtual database. At the same time, the MPS sends messages to the MPSs at other sites, indicating that a transaction Ts at this site has been identified as suspicious. The following transactions submitted by the same user who submitted Ts are all viewed as suspicious, since a malicious user may submit a series of malicious transactions. Later on, if the user is proven malicious, the isolation manager discards the effects of the user; otherwise, the effects of the user are merged into the main database. In this way, the potential danger caused by a malicious user can be reduced and non-hostile users' work can be kept as much as possible.

One challenge to the Isolation subsystem is inconsistency. For example, an isolated transaction Ts updates an object and at the same time an innocent transaction T updates the same object. Later on, if the isolated transaction is proven innocent, Ts should be merged into the main database, and this may cause inconsistency between Ts and T. To solve the problem, firstly, innocent users are restricted to access only the main database, while isolated users can read the main database but their write operations are limited to the virtual database. The MPSs at the relevant sites should cooperate to avoid wrong read and write operations. Secondly, during a merge, some suspicious or innocent transactions may need to be backed out to solve the inconsistencies. A precedence-graph based approach can identify and resolve all the inconsistencies [10].

E. Safety storage of confidential data

The data stored in the DDBS can be divided into general data and confidential data according to their safety grades. General data can be stored entirely at one site. For confidential data, a (t, n) threshold secret share scheme is utilized to protect them from compromised servers in the presence of intrusions. Supposing there are n sites in the DDBS, we divide the confidential data into n shares and store them at the n sites respectively, so that each site holds its own share of the confidential data. In addition, the periodic-refreshing technique based on proactive secret sharing is adopted to enhance security. The share of the confidential data at each site is refreshed periodically, and the old share is destroyed in the new period. This makes the shares of the previous period useless for an attack in the present period. There is only one case in which the intruder can access and reconstruct the confidential data: the intruder succeeds in breaking through more than t sites in one period and obtaining their present shares. Through the threshold secret share scheme and the periodic-refreshing technique, the security of the confidential data can be greatly strengthened.
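The (t, n) threshold sharing and the proactive refresh described in this section, as an added worked example that is not code from the paper: the scheme used is Shamir's polynomial sharing over a prime field, the prime P and the site identifiers 1..n are constructed parameters, and the function names are assumptions.

```python
# Added example, not the paper's code: (t, n) Shamir threshold sharing of a
# confidential value across n sites, plus one proactive refresh round in which
# every site contributes a fresh zero-constant polynomial.  P is an assumed prime.
import secrets

P = 2**127 - 1   # prime field modulus (assumed); must exceed the secret

def _eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split(secret, t, n):
    """Random degree-(t-1) polynomial whose constant term is the secret;
    site i (1..n) receives the share (i, f(i)).  Any t shares reconstruct."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, _eval(coeffs, i)) for i in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0.  Correct only with at least t distinct
    shares that all belong to the same refresh period."""
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def refresh(shares, t):
    """Proactive refresh: each site picks a random degree-(t-1) polynomial with
    zero constant term and gives every peer its evaluation; each site adds what
    it receives to its own share.  The secret is unchanged, but old and new
    shares no longer combine, so old shares must be destroyed."""
    new = dict(shares)
    for _site in shares:
        zero_poly = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for x in new:
            new[x] = (new[x] + _eval(zero_poly, x)) % P
    return sorted(new.items())
```

Fewer than t shares, or t shares drawn from different periods, interpolate to a value unrelated to the secret, which is exactly the property the text relies on against an intruder who compromises sites across periods.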

III. CONCLUSION

In the DDBS of a power enterprise, a wide range of mission-critical applications need to provide continuous service despite active attacks or partial compromise. So it is urgent and significant to build an intrusion-tolerant DDBS, which can provide normal or gracefully degraded service in the face of intrusions. The model presented in this paper provides an architecture to detect intrusions, isolate attacks, and assess and repair the damage caused by intrusions. Furthermore, a (t, n) threshold secret share scheme is adopted to protect the confidential data. In this way, the system can keep the integrity, availability and confidentiality of data. The systematic structure that this paper describes only offers an outline of the design, and many concrete details need to be studied in the future.

V. BIOGRAPHIES

Gu-Ping Zheng was born in Baoding city of Hebei province in China, 1960. He graduated from Jinlin University of Technology. He is an associate professor and vice director of the School of Computer Science and Technology. He has worked at North China Electric Power University since June 1986. He graduated from North China Electric Power University in 1993 and obtained the master degree. His research fields are computer networks, information management and artificial intelligence.

Lu-Feng Xu was born in Nantong city of Jiangsu Province in China, 1978. He graduated from Nanjing University. He had engaged in maintenance of computer networks in an IT company. At present, he is studying at North China Electric Power University for a master degree. His research fields are computer networks and information security.

IV. REFERENCES

[1] Qiang Lu, "Digital power system: the power system technological trend in the new century," Electric Power, vol. 33, no. 5, pp. 15-18, May 2000.

[2] Qiong Liu, Su Lv and Lin Li, "Application and analysis of distributed database technology in electric enterprises," Computer Applications, vol. 21, no. 8, pp. 149-153, Aug. 2001.

[3] Yan Hu, Mingchui Dong and Yingduo Han, "Consideration of information security for electric power industry," Automation of Electric Power Systems, vol. 26, no. 7, pp. 1-4, Apr. 2002.

[4] K. Pradeep and Z. Mohammad, "DIDMA: A Distributed Intrusion Detection System Using Mobile Agents," in Proc. Sixth International Conf. on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2005 and First ACIS International Workshop on Self-Assembling Wireless Networks (SNPD/SAWN 2005), pp. 238-245.

[5] Peng Liu, "Architectures for intrusion tolerant database systems," in Proc. 18th Annual Computer Security Applications Conference, 2002, pp. 311-320.

[6] B. Panda and J. Giordano, "Reconstructing the database after electronic attacks," in Database Security XII: Status and Prospect, S. Jajodia, Ed. Kluwer Academic Publishers, 1999, pp. 143-156.

[7] P. Ammann, S. Jajodia and Peng Liu, "Recovery from malicious transactions," IEEE Trans. Knowledge and Data Engineering, vol. 14, no. 5, pp. 1167-1185, Sept.-Oct. 2002.

[8] Peng Liu and Xu Hao, "Efficient damage assessment and repair in resilient distributed database systems," in Proc. Fifteenth Annual Working Conference on Database and Application Security, 2001, pp. 75-89.

[9] Peng Liu, "Engineering a distributed intrusion tolerant database system using COTS components," in Proc. 2003 DARPA Information Survivability Conference and Exposition, vol. 2, pp. 284-289.

[10] S. Jajodia, Peng Liu and C. D. McCollum, "Application-level isolation to cope with malicious database users," in Proc. 14th Annual Computer Security Applications Conf., 1998, pp. 73-82.