Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accelerating Multilevel Secure Database Queries using P-Tree Technology Imad Rahal and Dr. William Perrizo Computer Science Department North Dakota State.

Published byWilla Stafford Modified over 8 years ago

Similar presentations

Presentation on theme: "Accelerating Multilevel Secure Database Queries using P-Tree Technology Imad Rahal and Dr. William Perrizo Computer Science Department North Dakota State."— Presentation transcript:

1 Accelerating Multilevel Secure Database Queries using P-Tree Technology Imad Rahal and Dr. William Perrizo Computer Science Department North Dakota State University

2 Outline Introduction 1- What are MLS/DBSs ? 2- The Mandatory Access Control (MAC) Policy Attempts The Sea View model (Secure data model) and PRISM model [6] PRISM is based on Sea View but eliminates spurious tuples during recovery Deficiencies of Seaview/PRISM (mainly speed) Query Acceleration using P-trees Replace the Recovery data structure of PRISM Advantages: time efficiency

3 What are MLS/DBSs DBSs that implement secure access control policies to protect their data Each user or process is called a subject Each data item (column value or tuple) is a called an object The security hardware & software are stored in a TCB (Trusted Computing Base) (sometime referred to as Reference Monitor or Security Kernel)

4 R(A 1,C 1, A 2, C 2 ….,A n, C n,TC) is a multi-level relation or view A i ’s are fields C i ’s are their respective sensitivity levels (form a lattice) We use the convention that A 1,C 1 is the apparent key The apparent key does not have uniqueness but will be a key if all security fields are combined together. A 1,C 1,C 2,……,C n is the primary key TC is the classification level of the tuple Notice that TC = highest C i for all i C 1 = lowest C i for all i

5 The Mandatory Access Control (MAC) policy Each subject has a clearance level Each object has a sensitivity level Bell-Lapadula restrictions: Simple Security Policy for READs (read down, i.e., subject can read at his level or down) *-Policy for WRITEs (write up, i.e., his level or up) X (a subject) dominates Y (an object) means X’s classification level must be equal to or exceed Y’s classification level

6 A simple example of DoD classification levels are (in descending order): 1- Top Secret(TC) 2- Secret (S) 3- Confidential (C) 4- Unclassified (U)

7 Attempts Seaview Model(Secure Data View) Sponsored by RADC Joint effort by SRI, Gemini and Oracle Objective: Build an A1 (very secure) MLS/DBMS PRISM Model improves on Seaview by eliminating spurious tuples during recovery automatically using a bit vector approach to mask surious tuples Some other Models LDV(Lock Data View) ASD(Advanced Secure DBMS)

8 SEA View Model Multilevel relations exist at logical level only(views of Single-level relations which are stored and managed by TCB) Decomposition algorithm creates single level relations from a multilevel relation. Recovery Algorithm creates an output multi- level relation from a set of physically stored single level relations.

9 Decomposition algorithm Let A 1 =key and A i = any attribute Let x denote classifications of A 1 Let y denote classifications of A i For every x, create R A 1,x (A 1 ) or just R A 1,x i.e., for the key, we vertically partition by attribute and horizontally partition by security level. For every y, create R A i,x,y (A 1,A i ) x  y or just R A i,x,y I.e., for non-keys vertical partitioning by attribute and key and horizontal partitioning by attribute and key classification level.

10 C 900 C450 CFD7 C C U C TC 1000 C 750 U 750 C speed 480 C 450 U 350 U range NT5 U MT1 U Name*Missiles MT1 NT5 Name R name,u FD7 Name R name,c 450NT5 350 Range MT1 Name R range,u,u 450 Range FD7 Name R range,c,c 900 Speed FD7 Name R speed,c,c 750 Speed NT5 Name R speed,u,u 480 Range NT5 Name R range,u,c 1000NT5 750 Speed MT1 Name R speed,u,c

11 Resulting decomposed single level relations are: MT1 NT5 Name R name,u FD7 Name R name,c 450NT5 350 Range MT1 Name R range,u,u 450 Range FD7 Name R range,c,c 900 Speed FD7 Name R speed,c,c 750 Speed NT5 Name R speed,u,u 480 Range NT5 Name R range,u,c 1000NT5 750 Speed MT1 Name R speed,u,c

12 Deficiencies of the SEA View /PRISM Models The deficiencies of the SEA View Model (in its recovery algorithm) Creation of spurious tuples (due to polyinstantiation) Space cost of temporary tables Time cost of unions Time cost of joins PRISM solves the spurious tuple problem, but still suffers from time cost problems

13 Recovery acceleration using P-trees Based on the Sea View / PRISM Model Uses its Decomposition algorithm New Recovery algorithm using the P- tree technology (given a query, creates an output multi-level relation from the single level relations). Main contribution is in addressing the space and time cost problems.

14

15

16

17 Recovery Algorithm 1. For every relation RAi,x,y (single level relations containing all entries from the multilevel relation having keys at classification level x and Ai attribute values at classification level y), excluding base relations (those containing the key only), create a P-tree, PAi,x,y, denoting the presence or absence of the keys at level x. The recovery algorithm is very analogous to the PRISM solution, but addresses time costs (and to some extent space costs – the space savings due to P-tree compression are the main reason for the time savings). Next we introduce P-trees.

18 bSQ Format Split each numeric attribute into separate bit files (one for each bit position). Reasons of using bSQ format Different bits contribute to the value differently. bSQ format facilitates the representation of a precision hierarchy (from 1 bit precision, upwards). bSQ format facilitates the creation of an efficient data structure, the P-tree, P-tree algebra and T- cube.

19 The “tabular” formats (inverted list) BSQ and bSQ are “tabular” formats BSQ consist of a separate table for each feature attribute bSQ consist of a separate table for each bit One can view it this way: Data set is initially 1 relation or table, R(K 1,..,K k, A 1,…, A n ) K 1,..,K k are structure attributes and A i are feature attributes. Structure attributes of a 2-D image are X,Y coordinates of the pixels (rows). Structure attribute of a relation is a 1-D structure consisting of the key In BSQ we separate each feature into a separate file (similar to the Decomposition Storage Model (DSM), Copeland et al, SIGMOD85, 268-279.) bSQ, separate each bit of each feature into a separate file (with a consistent structural order assumed) (similar to the Bit Transpose File (BTF) model, Wong et al, VLDB85, pp 448-457.)

20 Peano Count Tree (P-tree) A basic P-tree is a representation of a bSQ file in a recursive, segmentized (quadrant- by-quadrant in images) arrangement. The basic P-trees provide a compressed, lossless, easily-manipulated representation of the original data.

21 An example Ptree for one bSQ file of an image Peano or Z-ordering Pure (Pure-1/Pure-0) quadrant Root Count  Level  Fan-out  QID (Quadrant ID) 1 1 1 1 1 1 0 0 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 0 1 1 1 1 0 1 1 1 1 1 1 1 55 1681516 30414434 11100010110 1 55 0 4 444 158 11 10 300 10 1 11 3 0 1 111111111111111111100100111100101111111111111111111111111111111111100100111100101111111111111111 64-tuple bSQ file 64-pixel bSQ raster image file

22 55 1681516 30414434 11100010110 1 An example of Ptree Peano or Z-ordering Pure (Pure-1/Pure-0) quadrant Root Count  Level  Fan-out  QID (Quadrant ID) 1 1 1 1 1 1 0 0 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 0 1 1 1 1 0 1 1 1 1 1 1 1 0123 111 ( 7, 1 ) ( 111, 001 ) 10.10.11 2 3 2. 2. 3 001

23 P-tree variation – PM-tree Peano Mask tree (PM-tree) uses mask instead of count. 1 denotes pure-1, 0 denotes pure-0 and m denotes mixed. It provides an efficient way for ANDing. Predicate Tree (1 iff predicate is true for quadrant E.g., Pure1-Tree (predicate: quad is all 1’s Most compact form (all are lossless) 1 1 1 1 1 1 0 0 1 1 1 1 1 0 0 0 1 1 1 1 1 1 0 0 1 1 1 1 1 1 1 0 1 1 1 1 0 1 1 1 1 1 1 1 m 1mm1 m01m11m1 11100010110 1 0 1001 00101101 11100010110 1

24 Ptree Algebra And Or Complement Other (XOR, etc) Ptree: 55 ____________/ / \ \___________ / ___ / \___ \ / / \ \ 16 ____8__ _15__ 16 / / | \ / | \ \ 3 0 4 1 4 4 3 4 //|\ //|\ //|\ 1110 0010 1101 Complement: 9 ____________/ / \ \___________ / ___ / \___ \ / / \ \ 0 ____8__ __1__ 0 / / | \ / | \ \ 1 4 0 3 0 0 1 0 //|\ //|\ //|\ 0001 1101 0010

25 Ptree ANDing Operation PM-tree1: m ______/ / \ \______ / / \ \ 1 m m 1 / / \ \ / / \ \ m 0 1 m 1 1 m 1 //|\ //|\ //|\ 1110 0010 1101 PM-tree2: m ______/ / \ \______ / / \ \ 1 0 m 0 / / \ \ 1 1 1 m //|\ 0100 Result: m ________ / / \ \___ / ____ / \ \ / / \ \ 1 0 m 0 / | \ \ 1 1 m m //|\ //|\ 1101 0100 0 100 101 102 12 132 20 21 220 221 223 23 3 & 0 20 21 22 231  RESULT 0 0  0 20 20  20 21 21  21 220 221 223 22  220 221 223 23 231  231 Depth-first Pure 1 path code

26 Basic, Value and Tuple Ptrees Value Ptrees (predicate: quad is purely target value in target attribute) e.g., P 1, 5 = P 1, 101 = P 11 AND P 12 ’ AND P 13 Tuple Ptrees (predicate: quad is purely target tuple) e.g., P (1, 2, 3) = P (001, 010, 111) = P 1, 001 AND P 2, 010 AND P 3, 111 AND Basic Ptrees (a Pure1-Trees predicate-tree for target bit of target attribute) e.g., P 11, P 12, …, P 18, P 21, …, P 28, …, P 71, …, P 78 Target Attribute Target Value Target Attribute Target Bit Position Cube Ptrees (predicate: quad is purely in target cube (product of intervals) e.g., P ([13],, [0.2]) = (P 1,1 OR P 1,2 OR P 1,3 ) AND (P 3,0 OR P 3,1 OR P 3,2 ) AND/OR

27 Using Ptrees for MLS data (key=structure attribute)

28 2.Create the output P-trees, P out,x, at every level x (contains all keys with classification x that will appear in the output table) as follows: Read all relations having an attribute participating in the selection criteria of the query Get all entries from those relations satisfying the selection criteria at each level x Create P out,x at level x where a 1 value is given to those keys succeeding from the above or 0 otherwise.

29 If we have the following query: “Select name, dev- by, length from R where range  35”

30 3.Create the polyinstantiated P-trees, P poly,x,y, for all x, y combination such that x<y (contains all polyinstantiated keys at level x by subjects at level y). For all attributes Ai requested in the output of the query (name, devby and Length) except for the key (devby and Length) create the following temporary p-trees: Temp Ai,x,y = AND{P Ai,x,y | where x<=y} To get P poly,x,y, OR all Temp Ai,x,y : P poly,x,y = OR{Temp Ai,x,y | for all Ai}

31

32 4.Create the polyinstantiated output P- trees Ppoly,out,x,y as the ANDing of Ppoly,x,y and Pout,x (where x<y).

33

34 5.Create Output table as follows : Having a number of columns equal to the number of fields, Ai, requested in the output of the query e.g. Select name, devby and length (3 columns) Scan Pout,x for 1-bit entries. If a 1 bit appears in position n (consider leaf level nodes) do the following for all Ai attributes requested in the output: If Ai is the key then get the nth record from Rkey,x and store it under Ai column in output table. This entry has classification x.

35 Else, go to the nth entry in PAi,x,z where z = x initially. If a 1 bit is found in position n then get the value of the nth entry from RAi,x,z and store it under Ai column in output table. This entry has classification z. Else (if 1 bit is not found in position n of PAi,x,z then) increment z to the next higher level and repeat this step. Scan Ppoly,out,x,y for 1 bit entries. If a 1 bit appears in position n do the following for all Ai attributes requested in the output: If Ai is the key then get the nth record from Rkey,x and store it under Ai column in output table. This entry has classification x.

36 Else, go to the nth entry in PAi,x,z where z = y initially. If a 1 bit is found in position n then get the value of the nth entry from RAi,x,z and store it under Ai column in output table. This entry has classification z. Else (if 1 bit is not found in position n of PAi,x,z then) decrement z to the next lower level and repeat this step as needed.

37

38 Time improvements to the recovery process using P-trees 0 2 4 6 8 10 12 10050090013001700 Number of records (in thousands) PRISM P-Tree

39 Advantages Acceleration results from operating on p-trees and restricting I/O to only those fields that are involved in the output of the query Space efficiency due to p-tree compression Correct output results (no spurious tuples in the output table)

Download ppt "Accelerating Multilevel Secure Database Queries using P-Tree Technology Imad Rahal and Dr. William Perrizo Computer Science Department North Dakota State."

Similar presentations

CpSc 3220 File and Database Processing Lecture 17 Indexed Files.

CpSc 3220 File and Database Processing Lecture 17 Indexed Files.
Relational Algebra, Join and QBE Yong Choi School of Business CSUB, Bakersfield.

Relational Algebra, Join and QBE Yong Choi School of Business CSUB, Bakersfield.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Concepts of Database Management Sixth Edition

Concepts of Database Management Sixth Edition
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
1 Introduction to Database Systems CSE 444 Lectures 19: Data Storage and Indexes November 14, 2007.

1 Introduction to Database Systems CSE 444 Lectures 19: Data Storage and Indexes November 14, 2007.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Physical Database Monitoring and Tuning the Operational System.

Physical Database Monitoring and Tuning the Operational System.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
1 Indexing Structures for Files. 2 Basic Concepts  Indexing mechanisms used to speed up access to desired data without having to scan entire.

1 Indexing Structures for Files. 2 Basic Concepts  Indexing mechanisms used to speed up access to desired data without having to scan entire.
PARTITIONING “ A de-normalization practice in which relations are split instead of merger ”

PARTITIONING “ A de-normalization practice in which relations are split instead of merger ”
View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.

View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.
Chapter 61 Chapter 6 Index Structures for Files. Chapter 62 Indexes Indexes are additional auxiliary access structures with typically provide either faster.

Chapter 61 Chapter 6 Index Structures for Files. Chapter 62 Indexes Indexes are additional auxiliary access structures with typically provide either faster.
1 Efficient packet classification using TCAMs Authors: Derek Pao, Yiu Keung Li and Peng Zhou Publisher: Computer Networks 2006 Present: Chen-Yu Lin Date:

1 Efficient packet classification using TCAMs Authors: Derek Pao, Yiu Keung Li and Peng Zhou Publisher: Computer Networks 2006 Present: Chen-Yu Lin Date:
Artificial Neural Network Applications on Remotely Sensed Imagery Kaushik Das, Qin Ding, William Perrizo North Dakota State University

Artificial Neural Network Applications on Remotely Sensed Imagery Kaushik Das, Qin Ding, William Perrizo North Dakota State University
Performance Improvement for Bayesian Classification on Spatial Data with P-Trees Amal S. Perera Masum H. Serazi William Perrizo Dept. of Computer Science.

Performance Improvement for Bayesian Classification on Spatial Data with P-Trees Amal S. Perera Masum H. Serazi William Perrizo Dept. of Computer Science.
AN OPTIMIZED APPROACH FOR kNN TEXT CATEGORIZATION USING P-TREES Imad Rahal and William Perrizo Computer Science Department North Dakota State University.

AN OPTIMIZED APPROACH FOR kNN TEXT CATEGORIZATION USING P-TREES Imad Rahal and William Perrizo Computer Science Department North Dakota State University.
CSC271 Database Systems Lecture # 30.

CSC271 Database Systems Lecture # 30.
1 © Prentice Hall, 2002 Physical Database Design Dr. Bijoy Bordoloi.

1 © Prentice Hall, 2002 Physical Database Design Dr. Bijoy Bordoloi.
Polyinstantiation Problem

Polyinstantiation Problem

Similar presentations

Ads by Google