Managing malicious transactions in mobile database systems
Abstract
Database security is one of the most important issues for any organization,
especially for financial institutions such as banks. Protecting a database from external
threats is relatively easy, and a number of effective security schemes are available to
organizations. Unfortunately, this is not so in the case of threats from insiders. Existing
security schemes for such threats are variations of the external schemes and are not
able to provide the desired level of security. As a result, authorized users (insiders) still
manage to misuse their privileges to fulfil their malicious intent. It is a fact that
most external security breaches succeed mainly with the help of insiders. An example
of an insider attack is the Enron scandal of 2001, which led to the bankruptcy of Enron
Corporation. The firm was widely regarded as one of the most innovative, fastest-growing
and best-managed businesses in the United States. When Enron filed for
bankruptcy its share price fell from US$90 to $1, causing a loss of nearly $11 billion to its stakeholders. Financial officers and executives misled outside investors,
auditors and Enron's board of directors about the corporation's net income and liabilities.
These insiders kept reported income and reported cash flow up, asset values inflated and
liabilities off the books to meet Wall Street expectations. Enron's $63.4 billion in assets
made it the largest corporate bankruptcy in American history at that time.

Existing security policies are inadequate to prevent attacks from insiders.
Current database protection mechanisms do not fully prevent the occurrence of such
malicious transactions; they require human intervention in some form or other to
detect them. In a database, a transaction can affect the execution of
subsequent transactions, thereby spreading the damage and making attack
recovery more complex. The problem of malicious attacks becomes more pronounced
when dealing with mobile database systems.

This thesis proposes a solution to mitigate insider attacks by identifying such
malicious transactions. It develops a formal framework for characterizing mobile
transactions by identifying essential components such as the order of data access, the order of
operations and the user profile.
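As an added illustration of the kind of characterization the abstract names (not the thesis's own framework): a transaction is reduced to its ordered sequence of (operation, data item) pairs and compared against a user profile, so that the same data touched in an unseen order, an operation the user may not issue, or a data item outside the profile is each reported as a deviation. The profile contents, the user name and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# One step of a transaction: (operation, data item), e.g. ("read", "account_balance").
Step = Tuple[str, str]


@dataclass
class UserProfile:
    """Hypothetical user profile: operations the user may issue and the
    ordered access sequences observed in that user's normal transactions."""
    user: str
    allowed_ops: frozenset
    known_sequences: List[Tuple[Step, ...]] = field(default_factory=list)


def characterize(steps: List[Step]) -> Tuple[Step, ...]:
    """Order-preserving signature: the sequence of (operation, item) pairs."""
    return tuple(steps)


def check_transaction(profile: UserProfile, steps: List[Step]) -> List[str]:
    """Return the reasons a transaction deviates from the profile (empty if none)."""
    reasons = []
    sig = characterize(steps)
    bad_ops = sorted({op for op, _ in sig if op not in profile.allowed_ops})
    if bad_ops:
        reasons.append(f"operation(s) not permitted for {profile.user}: {bad_ops}")
    if sig not in profile.known_sequences:
        # Distinguish "new data item" from "known items, unseen order of access".
        known_items = {item for seq in profile.known_sequences for _, item in seq}
        new_items = sorted({item for _, item in sig if item not in known_items})
        if new_items:
            reasons.append(f"access to item(s) outside profile: {new_items}")
        else:
            reasons.append("known items accessed in an unseen order")
    return reasons


# Constructed profile for a teller whose normal transaction reads a balance, then writes the ledger.
TELLER = UserProfile(
    user="teller01",
    allowed_ops=frozenset({"read", "write"}),
    known_sequences=[(("read", "account_balance"), ("write", "ledger"))],
)

NORMAL = [("read", "account_balance"), ("write", "ledger")]
REORDERED = [("write", "ledger"), ("read", "account_balance")]   # same items, wrong order
ESCALATED = [("read", "account_balance"), ("delete", "audit_log")]  # forbidden op, new item

if __name__ == "__main__":
    for name, tx in [("normal", NORMAL), ("reordered", REORDERED), ("escalated", ESCALATED)]:
        print(name, check_transaction(TELLER, tx) or "ok")
```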
Table of Contents
Introduction -- Mobile database system -- Research problem -- Solution and scheme -- Simulation and results -- Future work -- Conclusion
Degree
M.S.