Abstract
The majority of today's web-based applications rely on back-end databases to process and store business information. Because they hold valuable business information, these systems are highly interesting to attackers, and special care needs to be taken to protect them from malicious access. In this paper, we propose RBAC+, an extension of the NIST RBAC (Role-Based Access Control) standard with the notions of application, application profile and sub-application session. These notions distinguish the end users that execute the same application, provide each of them with only the roles they need, and continuously monitor them throughout a whole session. The model is based on business application logic rather than primitive reads and writes, which improves the ability to detect malicious transactions. Hence, attacks carried out through malicious transactions can be detected and canceled in time, before they succeed.
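As an added illustration of the abstract's concepts (editor's toy model, not code from the paper), the following Python sketch shows a sub-application session that activates only the roles listed in an application profile and checks each transaction against business-level operations rather than raw reads and writes; the application profile, operation names and statement shapes are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed application profile (assumption, not from the paper): for each
# application, the roles it needs and the business operations each role may run.
APP_PROFILES = {
    "webshop": {
        "customer": {"view_catalog", "place_order"},
        "clerk": {"view_catalog", "place_order", "refund_order"},
    }
}

# Constructed mapping from business operation to the statement shape it issues.
# Monitoring compares transactions at this level, not as isolated reads/writes.
OPERATIONS = {
    "view_catalog": ["SELECT FROM products"],
    "place_order": ["SELECT FROM products", "INSERT INTO orders"],
    "refund_order": ["SELECT FROM orders", "UPDATE orders"],
}


@dataclass
class SubAppSession:
    """One end user's session inside an application session."""
    application: str
    user: str
    active_roles: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def activate(self, requested_roles):
        # Only roles present in the application's profile can be activated,
        # so a user cannot pull in roles the application never needs.
        profile = APP_PROFILES[self.application]
        self.active_roles = {r for r in requested_roles if r in profile}
        return self.active_roles

    def allowed_ops(self):
        profile = APP_PROFILES[self.application]
        return set().union(*(profile[r] for r in self.active_roles))

    def execute(self, op, statements):
        # Commit only if the operation is permitted for the active roles AND
        # the issued statements match that operation's expected shape;
        # anything else is canceled before it takes effect and logged.
        expected = OPERATIONS.get(op)
        if op not in self.allowed_ops() or list(statements) != expected:
            self.log.append(("CANCELED", self.user, op))
            return False
        self.log.append(("COMMITTED", self.user, op))
        return True
```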
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Bouchahda-Ben Tekaya, A., Le Thanh, N., Bouhoula, A., Labbene-Ayachi, F. (2010). An Access Control Model for Web Databases. In: Foresti, S., Jajodia, S. (eds) Data and Applications Security and Privacy XXIV. DBSec 2010. Lecture Notes in Computer Science, vol 6166. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13739-6_19
DOI: https://doi.org/10.1007/978-3-642-13739-6_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13738-9
Online ISBN: 978-3-642-13739-6