1. CSCE 824 Secure (and Distributed) Database Management Systems FarkasCSCE 824 1

2. Course Aim Advanced understanding of DBMS concepts Advanced understanding of DBMS concepts –From relation to un- and semi- structured data models –New type of applications –Security needs FarkasCSCE 824 2

3. Reference Materials Recommended: Recommended: –T. Ozsu and P. Valduriez, Principles of Distributed Database Systems, Springer; 3rd Edition. edition (March 2, 2011), ISBN-10: 1441988335 –M. Gertz, S. Jajodia, Handbook of database security: applications and trend, Springer 2008 –Online materials FarkasCSCE 824 3

4. Conference Proceedings and Journals Proceedings of Secure Data Management Workshop, links: 2012 http://www.hitech-projects.com/sdm- workshop/sdm12.html, 2011 http://www.hitech- projects.com/sdm-workshop/sdm11.html Proceedings of Secure Data Management Workshop, links: 2012 http://www.hitech-projects.com/sdm- workshop/sdm12.html, 2011 http://www.hitech- projects.com/sdm-workshop/sdm11.htmlhttp://www.hitech-projects.com/sdm- workshop/sdm12.htmlhttp://www.hitech- projects.com/sdm-workshop/sdm11.htmlhttp://www.hitech-projects.com/sdm- workshop/sdm12.htmlhttp://www.hitech- projects.com/sdm-workshop/sdm11.html Proceedings of IFIP WG 11.3 Data and Application Security and Privacy, links: 2012 http://conferences.telecom-bretagne.eu/dbsec2012/, 2011 http://www.egr.vcu.edu/dbsec2011/ Proceedings of IFIP WG 11.3 Data and Application Security and Privacy, links: 2012 http://conferences.telecom-bretagne.eu/dbsec2012/, 2011 http://www.egr.vcu.edu/dbsec2011/ http://conferences.telecom-bretagne.eu/dbsec2012/http://www.egr.vcu.edu/dbsec2011/ http://conferences.telecom-bretagne.eu/dbsec2012/http://www.egr.vcu.edu/dbsec2011/ Proceedings of International Conference of Very Large Databases (VLDB), links: 2012 http://www.vldb2012.org/, 2011 http://www.vldb.org/2011/ Proceedings of International Conference of Very Large Databases (VLDB), links: 2012 http://www.vldb2012.org/, 2011 http://www.vldb.org/2011/ http://www.vldb2012.org/ http://www.vldb.org/2011/ http://www.vldb2012.org/ http://www.vldb.org/2011/ FarkasCSCE 824 4

5. Journals and Books IEEE Transactions on Knowledge and Data Engineering (TKDE) IEEE Transactions on Knowledge and Data Engineering (TKDE) ACM Transactions on Information and System Security (TISSEC) ACM Transactions on Information and System Security (TISSEC) M. Gertz, S. Jajodia, Handbook of database security: applications and trend, Springer 2008 M. Gertz, S. Jajodia, Handbook of database security: applications and trend, Springer 2008 FarkasCSCE 824 5

6. Challenge Research project : there will be one group research project. Students must present the related work and their results to the class in the last lectures of the semester. Research project : there will be one group research project. Students must present the related work and their results to the class in the last lectures of the semester. Homework assignments. There will be several homework exercises and reading for the lectures. Homework assignments. There will be several homework exercises and reading for the lectures. Tests : there will be two tests covering the course materials. Both tests are open book, in-class tests. Tests : there will be two tests covering the course materials. Both tests are open book, in-class tests. FarkasCSCE 824 6

7. Grading Research project: 35%, Test 1 : 20%, Test 2: 25%, Homework assignment: 20% Research project: 35%, Test 1 : 20%, Test 2: 25%, Homework assignment: 20% 90 < A; 87 < B+ <= 90; 80 < B <= 87; 76 < C+<=80; 90 < A; 87 < B+ <= 90; 80 < B <= 87; 76 < C+<=80; 65 < C <= 76; 60 < D+ <= 65; 50 <D <= 60 65 < C <= 76; 60 < D+ <= 65; 50 <D <= 60 FarkasCSCE 824 7

8. Topics Covered Weeks 1-5: Distributed and Non- traditional Databases Weeks 1-5: Distributed and Non- traditional Databases Weeks 6-11: Database Security Weeks 6-11: Database Security Weeks 12-15: Student Presentations Weeks 12-15: Student Presentations FarkasCSCE 824 8

9. Students’ Introduction Students’ Introduction Name Major Interest in class FarkasCSCE 824 9

10. CSCE 727 - Farkas 10 Information Assurance Studies

11. IA Specialization Graduate level Graduate level Core Requirement (3 Hours) Core Requirement (3 Hours) – CSCE 522: Information Security Principles (3 credits) – meets CNSS 4011 standard Additional Requirements: Additional Requirements: –Elective IA course (3 credit) –2 nd elective course (3 credits) or 500-level or above CSCE course with IA project component 11

12. 12 CNSS Certifications Old criteria: National Training Standard for Information Systems Security Professionals, CNSSI No. 4011 National Training Standard for System Administrators in Information Systems Security, CNSSI No. 4013 National Training Standard for Information Systems Security Officers, CNSSI No. 4014 New criteria: Knowledge Units

13. 13 IA&S Courses Offered since 2000 12 new courses – 4 undergraduate and graduate – 8 graduate students only Approved by USC Accredited by the Committee on National Security Systems (CNSS)

14. 14 IA&S Certificate Program http://www.cse.sc.edu/isl/education/iaands http://www.cse.sc.edu/isl/education/iaands (modifications are approved, starting Fall 2016)

15. 15 12 hours of graduate study with B average – 6 hours core courses – 6 hours of elective courses Graduation requirements

16. 16 Core Courses CSCE 522 – Information Systems Security Principles – offered every Fall semester -- APOGEE CSCE 715– Network Security – offered every Fall semester

17. 17 Elective Courses CSCE 517 – Computer Crime and Forensics CSCE 557 – Introduction to Cryptography CSCE 548 – Secure Software Construction CSCE 716 – Design for Reliability CSCE 717 – Comp. Systems Performance CSCE 727 – Information Warfare CSCE 813 – Internet Security CSCE 814 – Distributed Systems Security CSCE 824 – Secure Databases

18. 18 Center for Information Assurance Engineering (CIAE) http://www.cse.sc.edu/isl http://www.cse.sc.edu/isl http://www.cse.sc.edu/isl Information about: Information about: –Research –Education –Publications –People –Useful links

19. Questions? FarkasCSCE 824 19

20. FarkasCSCE 824 20 Database Management System (DBMS) Collection of Collection of –interrelated data and –set of programs to access the data Convenient and efficient processing of data Convenient and efficient processing of data Database Application Software Database Application Software

21. FarkasCSCE 824 21 Evolution of Database Systems Early days: customized applications built on top of file systems Early days: customized applications built on top of file systems Drawbacks of using file systems to store data: Drawbacks of using file systems to store data: –Data redundancy and inconsistency –Difficulty in accessing data –Atomicity of updates –Concurrency control –Security –Data isolation — multiple files and formats –Integrity problems

22. FarkasCSCE 824 22 Abstraction View level: different perspectives View level: different perspectives –Application programs hide irrelevant data Logical level: data models Logical level: data models –Logical representation of data –Different approaches: hierarchical, network, object oriented, semi-structured, etc. – Data independence principle Physical level: how data is stored Physical level: how data is stored

23. FarkasCSCE 824 23 Data Models A collection of tools for describing A collection of tools for describing –Data –Relationships among data items –Semantics of stored data –Database constraints

24. FarkasCSCE 824 24 Database Management Systems Smaller and smaller systems Smaller and smaller systems –Past: large and expensive DBMS –Present: DBMS in most personal computers More and more data stored – BIG DATA More and more data stored – BIG DATA –Past: few MB –Present: terabyte (10 12 bytes), petabyte (10 15 bytes) Functionality: from physical to view level Functionality: from physical to view level Optimization Optimization

25. FarkasCSCE 824 25 Data Definition Language (DDL) Defines the database schema and constraints Defines the database schema and constraints DDL compiler  DDL compiler  data dictionary Metadata – data about data Metadata – data about data

26. FarkasCSCE 824 26 Data Manipulation Language (DML) Accessing and manipulating the data Accessing and manipulating the data Query Languages Query Languages –Procedural – user specifies what data is required and how to get those data –Nonprocedural – user specifies what data is required without specifying how to get those data

27. Current Demands Efficient data processing of large data sets Efficient data processing of large data sets Long running transactions Long running transactions Real-time demand Real-time demand Usability for specific applications Usability for specific applications … FarkasCSCE 824 27

28. Data Security

29. FarkasCSCE 824 29 Security Objectives Confidentiality: prevent/detect/deter improper disclosure of information Confidentiality: prevent/detect/deter improper disclosure of information Integrity: prevent/detect/deter improper modification of information Integrity: prevent/detect/deter improper modification of information Availability: prevent/detect/deter improper denial of access to services Availability: prevent/detect/deter improper denial of access to services

30. FarkasCSCE 824 30 Security Threats Poor design Poor design Insufficient quality control Insufficient quality control Accidents Accidents Attacks Attacks

31. FarkasCSCE 824 31 Achieving Security Policy Policy –What to protect? Mechanism Mechanism –How to protect? Assurance Assurance –How good is the protection?

32. FarkasCSCE 824 32 Database Security Security Policy Security Policy Access control models Access control models Inference control Inference control Integrity protection Integrity protection Privacy problems Privacy problems Fault tolerance and recovery Fault tolerance and recovery Auditing and intrusion detection Auditing and intrusion detection TOOLS TOOLS

33. FarkasCSCE 824 33 Next Class Relational data model