School of Computing
Department of Computer Science
CS5322: Database Security
[Announcements] [Instructor] [Course Objectives] [Lecture Schedule] [Reference Texts and Materials] [Assignment] [Project] [Assessment]
Database
Security
1.
Overview
·
Elisa Bertino, Ravi S.
Sandhu: Database
Security-Concepts, Approaches, and Challenges. IEEE Trans. Dependable Sec. Comput. 2(1): 2-19 (2005)
·
Discretionary
Access Control
a. Patricia P.
Griffiths and Bradford W. Wade. An Authorization
Mechanism for a Relational Database System. ACM Trans. Database Syst. 1, 3 (Sep.
1976), Pages 242 - 255.
b. R.Fagin. On an Authorization Mechanism. ACM Trans. Database Syst.
3, 3 (Sep. 1978), Pages 310-319.
·
Mandatory
Access Control
a. S. Jajodia,
R. S. Sandhu. Toward a Multilevel Secure Relational Data Model. Proc 1991 ACM Int'l. Conf. on Management of Data (SIGMOD), 50-59.
b. S. Jajodia, R. S. Sandhu, and B. T. Blaustein. Solutions to the Polyinstantiation Problem. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995.
c. (Additional reading) Bell, David Elliott. Looking Back at the Bell-LaPadula Model. Proceedings of the 21st Annual Computer Security Applications Conference. Tucson, Arizona, USA. pp. 337–351. December 2005.
·
Role-based
Access Control
a. R.S.
Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-Based
Access Control Models. IEEE Computer, 29(2):38--47, February 1996.
b. S. Osborn, R. Sandhu
and Q. Munawer. Configuring
Role-Based Access Control to Enforce Mandatory and Discretionary Access Control
Policies. ACM Trans. Information and Systems Security. 3, 2 (May 2000),
Pages 85-106.
c. (Additional
reading) ANSI
Standard on Role-Based Access Control
d. (Additional
reading) N. Li, J. Byun, and E. Bertino:
A
Critique of the ANSI Standard on Role Based Access Control, IEEE Security
& Privacy.
e. (Additional
reading) N. Li, Z. Bizri, and M.V.Tripunitara: On
Mutually-Exclusive Roles and Separation of Duty. Conference version
appeared in CCS'2004.
·
Oracle
Virtual Private Database (White
Paper)
5.
Database-as-a-Service
Model
·
Encryption
Methods
a. H. Hacigumus,
B. R. Iyer, C. Li, S. Mehrotra: Executing
SQL over encrypted data in the database-service-provider model. 2002
International Conference on Management of Data (SIGMOD'2002), 216-227
b. H. Hacigumus,
B. R. Iyer, C. Li, S. Mehrotra: Efficient
Execution of Aggregation Queries over Encrypted Relational Databases.
DASFAA04, 125-136
c. L. Bouganim, Y. Guo: Database
Encryption. Encyclopedia of Cryptography and Security (2nd Ed.) 2011:
307-312
d. Transparent_Data_Encryption
1. Oracle TDE (White Paper)
·
Query
authentication (Answer Assurance)
a. P.
T. Devanbu, M. Gertz, C. U.
Martel, S. G. Stubblebine: Authentic Data Publication Over
the Internet. Journal of Computer Security 11(3):
291-314 (2003)
b. H.H.
Pang, A. Jain, K. Ramamritham,
K.L. Tan: Verifying
Completeness of Relational Query Results in Data Publishing. 2005 International Conference on Management
of Data (SIGMOD'2005), Baltimore, Maryland, June 2005, pp. 407-418.
c. (Additional
reading) W. Cheng, H. Pang, K.L. Tan: Authenticating
Multi-Dimensional Query Results in Data Publishing. Proceedings
of the 20th Annual IFIP WG 11.3 Working Conference on Data and Applications
Security (DBSec'2006), pp. 60-73, 2006.
d. (Additional
reading) H. Pang, K.L. Tan: Authenticating
Query Results in Edge Computing. Proceedings of the 20th
International Conference on Data Engineering, Boston, MA, March/April 2004, pp.
560-571.
6.
Data
Privacy
·
k-anonymity
a. L. Sweeney: k-anonymity:
a model for protecting privacy. Int. Journal on Uncertainty, Fuzziness and
Knowledge-based Systems, 10 (5):557-570, 2002.
b. L. Sweeney: Achieving
k-anonymity privacy protection using generalization and suppression. Int.
Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5):571-588,
2002.
c. K. LeFevre, D.J. DeWitt, R. Ramakrishnan. Mondrian
Multidimensional K-Anonymity. In Proc. of ICDE, 2006.
d. (Additional Reading) K. LeFevre,
D.J. DeWitt, R. Ramakrishnan:
Incognito:
Efficient Full-Domain K-Anonymity. In Proc. of SIGMOD, 49-60, 2005.
·
l-diversity
a. X. Xiao, Y. Tao: Anatomy:
Simple and Effective Privacy Preservation. In Proc. of VLDB, 139-150, 2006.
b. (Additional Reading) A. Machanavajjhala, J. Gehrke, D.
Kifer, M. Venkitasubramaniam: l-Diversity:
Privacy Beyond k-Anonymity. In Proc. of ICDE, 2006.
·
t-closeness
a. (Additional Reading) Ni. Li, T. Li, S.
Venkatasubramanian: t-Closeness:
Privacy Beyond k-Anonymity and l-Diversity. ICDE 2007: 106-115.
·
Differential
privacy
a. C. Dwork: Differential
Privacy. ICALP 2006: 1-12.
7.
Privacy
in Location Based Services
·
M. Mokbel, C-Y. Chow, W.G. Aref: The New Casper:
Query Processing for Location Services without Compromising Privacy. In
Proc of VLDB 2006.
·
Man
Lung Yiu, Christian S. Jensen, Xuegang
Huang, Hua Lu: SpaceTwist: Managing the Trade-Offs Among Location Privacy,
Query Performance, and Query Accuracy in Mobile Services. In Proc of ICDE
2008.
·
G.
Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.L. Tan: Private
Queries in Location Based Services: Anonymizers are
not Necessary. 2008
International Conference on Management of Data (SIGMOD'2008), Vancouver,
Canada, June
2008, pp. 121-132.
8.
Secure
Indexing, Search and Deletion in Compliance Storage
·
Q. Zhu, W. W. Hsu: Fossilized
Index: The Linchpin of Trustworthy Non-Alterable Electronic Records.
SIGMOD’2006, 395-406, 2006.
·
S. Mitra,
W. W. Hsu, M. Winslett: Trustworthy
Keyword Search for Regulatory-Compliant Record Retention.VLDB’2006,
1001-1012, 2006
·
S.Mitra, M. Winslett: Secure Deletion
from Inverted Indexes on Compliance Storage. Proceedings of the 2006 ACM
Workshop On Storage Security And Survivability, StorageSS
2006, Alexandria, VA, USA, October 30, 2006, pp. 67-72.
·
(Additional Reading) S.Mitra, N. Borisov, M. Winslett: Deleting
index entries from compliance storage. EDBT’2008, 109-120.
9.
Insider
Threat (Anomaly detection and response)
·
A. Kamra, E. Terzi,
E. Bertino: Detecting
anomalous access patterns in relational databases. VLDB J. 17(5): 1063-1077 (2008)
·
A. Kamra, E. Bertino:
Design
and Implementation of an Intrusion Response System for Relational Databases.
IEEE TKDE 23(6): 875-888 (June 2011)
·
A. Kamra, E. Bertino:
Privilege States
Based Access Control for Fine-Grained Intrusion Response. RAID 2010: 402-421
·
(Additional Reading) S. Mathew, M. Petropoulos, H.Q. Ngo, S. Upadhyaya: A
Data-Centric Approach to Insider Attack Detection in Database Systems. RAID
2010: 382-401.
10.
Steganographic
File Systems
·
H. Pang, K.L. Tan, X.
Zhou: Steganographic Schemes for File System and B-Tree. IEEE
Trans. Knowl. Data Eng. 16(6): 701-713 (2004)
·
X. Zhou, H. Pang, K.L.
Tan: Hiding
Data Accesses in Steganographic File System. ICDE
2004: 572-583
11.
Query
Auditing
·
Krishnaram Kenthapadi, Nina Mishra, Kobbi Nissim:
Simulatable auditing. PODS 2005: 118-127
·
Shubha U. Nabar, Bhaskara
Marthi, Krishnaram Kenthapadi, Nina Mishra, Rajeev Motwani: Towards
Robustness in Query Auditing. VLDB 2006: 151-162
·
Rajeev Motwani, Shubha U. Nabar, Dilys Thomas: Auditing SQL
Queries. ICDE 2008: 287-296
·
(Additional Reading) Shubha U. Nabar, Krishnaram Kenthapadi, Nina Mishra, Rajeev Motwani: A Survey
of Query Auditing Techniques for Data Privacy. Privacy-Preserving Data Mining
2008: 415-431
·
Rajeev Motwani, Shubha U. Nabar, Dilys Thomas: Auditing a
Batch of SQL Queries. ICDE Workshops 2007: 186-191
12.
SQL Injection
Attack
·
Oracle
SQL injection attack tutorial
Information Security
1.
Information Security on
Wikipedia
2.
Cryptography
·
Stallings,
W. Cryptography
and Network Security, Fourth Edition. Upper Saddle River, NJ: Prentice Hall
2006.
a. Student and
Instructor Resource Site
·
NIST
Computer Security Resource Center: Cryptographic
Toolkit
3.
Entity
Authentication
·
R.
Morris and K. Thompson: Password
Security: A Case History
·
NIST FIPS 112 PASSWORD USAGE
(and guidelines)
·
NIST FIPS PUB 113 COMPUTER
DATA AUTHENTICATION
·
NIST FIPS 196
Entity Authentication Using Public Key Cryptography
4.
Integrity
Protection
5.
Design
Principles for Security
a.
J. H. Saltzer and M. D. Schroeder: The Protection of
Information in Computer Systems. (also appear in 4th
ACM Symposium on Operating System Principles, October 1973; and Communications
of the ACM, 17:7, July 1974).
b.
S.
Barnum and M. Gegick: Economy
of Mechanism. 2005.
Textbooks (References)
Security
· Charles P. Pfleeger and Shari L. Pfleeger: Security in Computing, 4th Edition, Prentice Hall, 2006.
· William Stallings: Cryptography and Network Security, 4th Edition, Prentice Hall, 2006.
· David C. Knox: Effective Oracle Database 10g Security by Design, McGraw-Hill, 2004.
Databases
· Raghu Ramakrishnan and Johannes Gehrke: Database Management Systems 3rd Edition, McGraw-Hill, 2002.
· Hector Garcia-Molina, Jeffrey D. Ullman, and Jennifer Widom: Database Systems -- The Complete Book. Prentice Hall, 2001.
· A. Silberschatz, H. Korth, S. Sudarshan: Database System Concepts, 4th Edition 2002