Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICCCS - 2017 Conference Proceedings Database Security: Attacks, Threats and Control Methods Sakshi Gahlot Bhawna Verma Anurag Khandelwal Dayanand B.Tech Student B.Tech Student B.Tech Student Assistant Professor Dept. of CSE, Dept. of CSE Dept. of CSE Dept. of CSE HMRITM, INDIA HMRITM, INDIA HMRITM, INDIA HMRITM, INDIA Abstract:-Nowadays the speed at which data is generated is very high and rapid; so store and manage this enormous data, it is placed in the Database System. In this Database System the data is maintained and manipulated. Since this vast data is stored in the Database, this Database needs to be secured. Security involves protecting and shielding the data and the Database from unauthorized usage and malicious attacks. With the increase in the complicatedness of the Database the types of attacks increases and so security becomes a crucial issue. Through this paper, various techniques are presented which will make the Database more secure and strengthened. Keywords- DBMS, SQL, Privileges, Queries, Encryption, Cryptography, Steganography I. INTRODUCTION A database is a collection of information or data that is organized such that it can easily be accessed, managed, or updated. In context to computer science, databases are Fig. 1 Database Security Properties sometimes classified according to their organizational approaches and one of the most common approaches is the II. DATABASE ATTACKS relational database which is a tabular representation of data [1]. The data is defined such that it can be reorganized and The attacks can be categorised as follows: accessed in a number of different ways. In distributed 1. Direct attacks: When the attack is directly on the database, it can be circulated or replicated among different targeted data, it is called a direct attack. This attack points in a network. is successful when the database does not contain any Databases allow any authorized user to access, enter or protection mechanism. analyse the data quickly and easily. It is a collection of 2. Indirect attacks: These attacks do not directly attack queries, views and tables. The data which is stored in the the target but the information regarding the data can databases is usually organised to form the aspects that be collected using other objects. Combinations of support the processes that require information storage and different types of queries are used but are difficult to retrieval. The database management system (DBMS), is a track. computer software program that is designed as the means These are further classified as follows: of managing all the databases that are currently installed on i. Active attacks: In such attacks, the actual any system hard drive or network [2].The database contains database values are modified. These are more vital information of the system. So database security cannot problematic because they can mislead a user. be ignored. Protecting the confidential and sensitive data Spoofing, Splicing and Replay are the different which is stored in a database is what we call as database ways of performing such attacks. security [3]. It works on making database secure from any ii. Passive attacks: In such attacks the attacker only kind of unauthorized or illegal access or threat at any level. observes the data present in the database without making any modifications to any data. This can be done in the following three ways:- ● Static leakage- Attacker observes the snapshot of the database to acquire information about database plaintext values. ● Dynamic leakage- The attacker observes the changes made to the database over a period of time to acquire information about the plaintext values. Volume 5, Issue 10 Published by, www.ijert.org 1 Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICCCS - 2017 Conference Proceedings ● Linkage leakage- The attacker links the database IV. WEB SECURITY THREATS values to the position of index values. 1. Ajax Security: AJAX (Asynchronous JavaScript III. DATABASE THREATS and XML) technology is a mainstream technology of Web2.0 which facilitates the browser to provide Since database contains vital information therefore it users with more natural browsing experience. It also faces a lots of threats. The threats can be supports asynchronous communication. With categorized as follows: asynchronous communication, user is able to 1. Excessive privileges: If users are granted database submit, wait and refresh freely, update partial page privileges that exceed their use or requirements, dynamically. So it allows users to have a smooth then these privileges can be used to gain some experience similar in desktop applications [3]. confidential information. The solution to this However, it is lacking the ability to solve security problem (besides good hiring policies) is query- problems. level access control. Query-level access control Ajax Security (Server Side)- AJAX-based restricts privileges to minimum-required Web applications also use the same server- operations and data[4]. side security schemes which the regular 2. Privilege abuse: Users may abuse or misuse the Web applications do. You just need to access privileges for unauthorized purpose. The specify authentication, authorization, and solution is access control policies that apply not data protection requirements in your only to what data is accessible, but how data is web.xml file or in your program. But the accessed. By enforcing policies for time of day, AJAX-based Web applications are also location, and application client and volume of data vulnerable to the same security threats as retrieved, it is possible to identify users who are regular Web applications. abusing access privileges[4]. Ajax Security (Client Side)- The JavaScript 3. Unauthorized privilege elevation: Attackers may code is visible to the user as well as to any convert some low-level access privileges to high- hacker. Hacker can use this JavaScript code level access privileges. for extracting the server-side weaknesses. 4. Platform vulnerabilities: The platform or operating 2. Cross Site Scripting: Cross-site Scripting occurs system may be vulnerable to leakage and when dynamically generated web pages display corruption of data. input that is not properly authenticated [3]. These 5. SQL injection: SQL injection specifically targets a attacks occur when an attacker uses some web user to send unauthorized database queries which application to send some malicious code, which is makes the server to reveal the information (which generally in the form of a browser side script, to a it wouldn’t do normally). Using this user can also different end user. So the attacker can use this to access the entire database. send some malicious script to any user and the 6. Denial of service: This attack involves making the end user’s browser will have no way to know that resource unavailable for the purpose it was the script shouldn’t be trusted, and will therefore designed. This means that the access to data or the execute the script. Since, it thinks the script came application is denied to the user. from some trusted source that malicious script 7. Backup Exposure: The backup storage media can access any of the cookies or sessions, tokens, remains unprotected from any attacks. As a result or any other sensitive information which the there are several attacks on the database backup browser contains. disks and tapes. Fig. 2 Avenues of Attack Fig. 3 Cross Scripting Attack Volume 5, Issue 10 Published by, www.ijert.org 2 Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICCCS - 2017 Conference Proceedings V. CONTROL METHODS FOR DATABASE 2. Correlated data: when visible data is connected to THREATS invisible data semantically. Inference detection can be done through: Access control is responsible for the direct access to the i. Semantic inference model: represents all possible system with the control of rules which are accompanied by relations between attributes of data resources. some security policies. It is basically used to restrict the ii. Security violation detection and knowledge access of confidential information. In access control, the acquisition: it adds the new query request to the owner of the resource is eligible to give the rights to the request log and checks if the further request is other user of that resource based on his discretion[6]. allowed [8]. An access control system includes who can access the objects (data, programs), subjects (users, processes), 3. User identification/authentication through operations (read, write, run)[7]. The most important security requirement is that there must b authorized and authenticated users to access the database Access control can be classified as: or you must identify your users before they can access the 1. Discretionary access control: it is a means of resources. In authentication, server or the client needs to restricting access to objects based on identity of know the identity of the user or computer. It cannot control subjects or groups to which they belong. These are what the user is accessing but it controls who is accessing defined by user identification during the resources. Therefore the user identification is must for authentication ex- username, password. Its main the security concerns of the database. However, the aim to grant and revoke privileges to users. unauthorized user may take different approaches like 2. Mandatory access control: this security default password or bypassing authentication etc. user mechanism restricts the ability of owner of identification can be implemented by using the secure resource to deny or grant access to a file. Criteria socket layer (SSL) [9]. is defined by the administrator. It enforces multilevel security by categorizing both the users and the data into security classes and then the appropriate policy is implemented. FIG. 5 USER IDENTIFICATION 4. ACCOUNTABILITY AND AUDITING Fig.4 Access Control Auditing is the monitoring and recording of all the 1.