Protection of Database Security Via Collaborative Inference Detection

1
Protection of Database Security via Collaborative

Inference Detection

A project Report
Submitted to Jawaharlal Nehru Technological University
In Partial fulfillment of the requirements for the award of the degree of

BACHELOR OF TECHNOLOGY
IN
COMPUTER SCIENCE AND ENGINEERING

Submitted by
ABHILASH V. (06231A502) K. BHARATH(06231A0538)
M.PAVAN KUMAR (06231A510) Ch. SUNIL (06231A514)

Under the esteemed guidance of
Mr. R.SRIKANTH B.Tech (M.Tech)

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
NIMRA COLLEGE OF ENGINEERING AND TECHNOLOGY
NIMRA NAGAR, JUPUDI, IBRAHIMPATNAM- 521 456.
2009-2010
2

DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

CERTIFICATE

I certify that this is a bonafied report of project on the Protection of
Database Security via Collaborative Inference Detection done by
K.BHARATH (06231A0538), Ch.SUNIL(06231A0514), K.ANIL
KUMAR(06231A0504),V.ABHILASH(06231A0502),M.PAVAN
KUMAR(06231A0510) of IV/IV B.Tech class in Computer Science and
Engineering Department for the award of degree for Bachelor of Technology
of Jawaharlal Nehru Technological University during the year 2009-2010.

Mr.R.SRIKANTH Mr. SYED GULAM GOUSE
B.Tech(M.Tech) M.Tech (CSE)
HEAD OF THE DEPARTMENT

3

DECLARATION

We declare that the project work submitted by us for award of Degree of
Bachelor of Technology from Nimra College of Engineering and
Technology, Jupudi, Ibrahimpatnam affiliated to Jawaharlal Nehru
Technology University, Kakinada, is original and it has not been submitted to
this or any other university for any degree, diploma or other similar title.

Project Associates:

K.BHARATH (06231A0538)

Signature: ______________

V.ABHILASH (06231A0502)

Signature: ______________

Ch. SUNIL (06231A0514)

Signature: ______________

M.PAVAN KUMAR

Signature: ______________

4

Protection of Database Security via Collaborative Inference Detection

ABSTRACT

Malicious users can exploit the correlation among data to infer sensitive information from
a series of seemingly innocuous data accesses. Thus, we develop an inference violation detection
system to protect sensitive data content. Based on data dependency, database schema and
semantic knowledge. We constructed a semantic inference model (SIM) that represents the
possible inference channels from any attribute to the pre-assigned sensitive attributes.

The SIM is then instantiated to a semantic inference graph (SIG) for query-time inference
violation detection. For a single user case, when a user poses a query, the detection system will
examine his/her past query log and calculate the probability of inferring sensitive information.
The query request will be denied if the inference probability exceeds the pre specified threshold.
For multi-user cases, the users may share their query answers to increase the inference
probability.

Therefore, we develop a model to evaluate collaborative inference based on the query
sequences of collaborators and their task-sensitive collaboration levels. Experimental studies
reveal that information authoritativeness, communication fidelity and honesty in collaboration
are three key factors that affect the level of achievable collaboration. An example is given to
illustrate the use of the proposed technique to prevent multiple collaborative users from deriving
sensitive information via inference.

5

INDEX

1. INTRODUCTION
1.1 Problem Identification- Existing System.
1.2 Proposed System

2. SYSTEM ANALYSIS
2.1 System Requirement
2.2 Implementation Plan
2.3 Modules

3. SYSTEM DESIGN
3.1 Models
3.2 Architecture
3.3 Menu Design
3.4 Database Design

4. DEVELOPMENT OF SYSTEM AND TESTING
4.1 System Development
4.2 UML

6

5. SOFTWARE REQUIREMENTS
5.1 HTML
5.2 Java
5.3 Java script
5.4 J2EE
5.5 SQL SERVER 2005
5.6 Net Beans

6. CODING

7. TESTING

8. SCREEN SHOTS

9. CONCLUSION

10.BIBLIOGRAPHY

7

APPENDIX
List of Figures
3.1 System Architecture
4.1 System Development
4.2 Use Case Diagram
4.3 Sequence Diagram
4.4 Activity Diagram
5.1 The two J2ME configurations
5.2 Profiles
8.1 Starting page
8.2 New Registration
8.3 Registered
8.4 Forgot password
8.5 Password retrieval
8.6 Main page
8.7 URL and password given
8.8 Result
8.9 Wrong password
8.10 After wrong password
8.11 Logout and login again
8.12 URL stored in database
8.13 Change search password
8.14 Database
List of Tables
3.2 DataBase Design

8

1. INTRODUCTION

Access control mechanisms are commonly used to protect users from the
acknowledgment of sensitive information in data sources. However, such techniques are
insufficient because malicious users may access a series of innocuous information and then
employ inference techniques to derive sensitive data by using that information. To address this
inference problem, we develop an inference detection system that resides at the central directory
site. Because inference channels can be used to provide a scalable and systematic sound
inference, we construct a semantic inference model (SIM) that represents all the possible
inference channels from any attribute in the system to the set of pre-assigned sensitive attributes.

The SIM can be constructed by linking all the related attributes, which can be derived via
attribute dependency from data dependency, database schema, and semantic related knowledge.
Based on the SIM, the violation detection system keeps track of a users query history. When a
new query is posed, all the channels where sensitive information can be inferred will be
identified. If the probability of inferring sensitive information exceeds a pre-specified threshold,
then the current query request will be denied.

This inference detection approach is based on the assumption that users are isolated and
do not share information with one another. This assumption, however, may not be the case in a
real-life situation. Most users usually work as a team, and each member can access the
information independently. Afterward, the members may merge their knowledge together and
jointly infer the sensitive information. Generalizing from a single-user collaborative system to a
multi-user collaborative system greatly increases the complexity of the inference detection
system.
This motivates us to extend our research from a single user case to a multiple-user case,
where users may collaborate with each other to jointly infer sensitive data. We have conducted a
set of experiments by using our inference violation detector as a testbed to understand the
characteristics in collaboration and the effect on collaborative inference. From the experiments,
we learn that for a given specific task, the amount of information that flows from one user to
another depends on the closeness of their relationships and the knowledge related to the task.
9

Thus, collaborative inference for a specific task can be derived by tracking the query history of
all the users together with their collaboration levels (CLs).

1.1 Problem Identification:
Existing System:

Multiple collaborative users from deriving sensitive information via inference.

Experimental studies reveal that information authoritativeness, communication fidelity, and
honesty in collaboration are three key factors that affect the level of achievable collaboration

Disadvantages:
Users may access a series of innocuous information.
Single-user environment its detection level is very low.

1.2 Proposed System:

We develop a model for evaluating collaborative inference based on the query sequences of
collaborators and their task-sensitive collaboration levels.

A mechanism that propagates update to the user history files to ensure that no query is
rejected based on the outdated information.

To reduce the time in examining the entire history login computation inference.

Advantages:
Inference channels can be used to provide a scalable and systematic sound inference
System keeps track of a users query history
Multi-user environment inference detection level is very high

10

1. SYSTEM ANALYSIS

2.1 System Requirements:

Hardware Requirements:

Hard disk 40GB
RAM 265MB or more
Processor Speed 2.60GHz
Processor Pentium IV Processor or more

Software Requirements:

JDK1.5
Net Beans IDE 5.0
SQL 2005

2.2 Implementation Plan:
To develop Protection of Database Security we are going to assign users request by using
Collaborative Inference Detection method. In Collaboration inference Detection is used to
estimate users authoritativeness and honesty.
To design the project by using advance java web application concepts like Servlets, JSP
and Sql server.

2.3 Modules:
Membership Login
Add new Members
Searching RSS Reader
Process Monitoring

11

Module Description:

Membership Login:
User gives the required username and password and then logins. If the login name and
password in correct then he goes to the next form else he is asked to give the correct
username and password.

Add new Members:
The Registration module new user can register the details.

Searching RSS Reader:
After login, user Enter into the RSS Reader searching page, user can view any RSS Xml
files in any web sites. We process the user query, using searching password by providing
password as key which is key feature in our application. If the user searching password and
requesting rss url both are true, processes the users request by using channels. This channel
gets the information from the external database. So, user can view that particular rss file data.
Also we stored the users query in history for future references.

Process Monitoring:
This module deals, whether user requesting query within the limit. We predict threshold
limit by using searching password. If user searching password is mismatch, then the system
considered as user requesting query threshold value more then normal threshold level. So
user connection will be terminated.

12

3. SYSTEM DESIGN

3.1 Models:
Inference detection system using the following models used to estimate authoritativeness
and honesty

Knowledge Acquisition model:
The Knowledge Acquisition module extracts data dependency knowledge, data scheme
knowledge and domain semantic knowledge. Based on the database schema and the data
sources, we can extract data dependency between attributes within the same entity and
among entities. Domain semantic knowledge can be derived by semantic links with specific
constraints and rules. A semantic inference model can be constructed based on the acquired
knowledge.

Semantic Inference Model:
The Semantic Inference Model (SIM) is a data model that combines data schema,
dependency and semantic knowledge. The model links related attributes and entities as well
as semantic knowledge needed for data inference. Therefore SIM represents all the possible
relationships among the attributes of the data sources. A Semantic Inference Graph (SIG) can
be constructed by instantiating the entities and attributes in the SIM. For a given query, the
SIG provides inference channels for inferring sensitive information.

Violation Detection model:
Based on the inference channels derived from the SIG, the Violation Detection module
combines the new query request with the request log, and it checks to see if the current
request exceeds the pre-specified threshold of information leakage. If there is collaboration
according to social relation analysis, the Violation Detection module will decide whether to
answer the current query based on the acquired knowledge among the malicious group
members and their social relation to the current user.

13

3.2 System Architecture:

Fig 3.1

14

3.3 Database Design:

Fig 3.2

15

4. SYSTEM DEVELOPMENT

4.1 System Development:

Fig 4.1

Searchin
g
process
Login
Proces
s
User
Request process
DB
Genuine user
Query requisition
Query
history
User Request Analysis
Genuine user,
Requesting
information

Request
Invalid user requesting
query
Disconnected connection re-login
Main
DB
16

A threat to database security is the misuses of these databases by the authorized users,
for example selling the personal information to outsiders. Various access control
mechanisms have been proposed for protecting individual information in statistical
database systems.
These mechanisms are specifically designed for statistical databases, making them not
applicable to general purpose database systems. In multilevel secure database systems,
a type of attacks called inference is identified. An inference occurs when a user uses
legitimate data to infer information without directly accessing it. Existing approaches to
inference detection focus on analyzing functional dependencies in the database schema.
However, it is possible to exploit data level functional dependencies to achieve
inferences.
For example, although in general the job title does not functionally determine salary
(different vice-presidents may earn different salaries), the dependency may hold for lower
rank jobs.
This research investigates the detection of attempts to access personal information
relational database systems.
We identify five types of inferences: unique characteristic, logical implication,
complementary, overlapping, and functional dependency.
Algorithms for these inferences are developed. These inferences are detected by auditing
both user queries and their return tables.

In general the inference problem is an NP-complete problem (for example, determining
the equivalence between two logical expressions).
We have no attempt to completely detect all possible types of inferences. The detection
system essentially makes the inference attacks more
difficult. This might result in having the user to issue more queries, which then could be
detected by anomaly detection techniques.

NP is the set of decision problems solvable in polynomial time by a non-deterministic
Turing machine.
Anomaly Detection refers to detecting patterns in a given data set that do not conform to
an established normal behavior

Existing work on inference detection for database systems mainly employ functional
dependencies in the database schema to detect inferences.

It has been noticed that analyzing the data stored in the database may help to detect
more inferences.

In this paper, we describe our effort in developing a data level inference detection system.
We have identified five inference rules that a user can use to perform inferences. They are
`subsume', `unique characteristic', `overlapping ', `complementary', and `functional dependency'
inference rules.
17

The existence of these inference rules confirms the inadequacy of detecting inferences
using just functional dependencies. The rules can be applied any number of times and in any
order.

These inference rules are sound. They are not necessarily complete, although we have
no example that demonstrates incompleteness. We employ a rule based approach so that future
inference rules can be incorporated into the detection system.

We have developed a prototype of the inference detection system using Perl on a Sun
SPARC 20 workstation. The preliminary results show that on average it takes seconds to process
a query for a database with thousands of records.

Thus, our approach to inference detection is best performed off-line, and would be most
useful to detect subtle inference attacks.

4.2 Unified Modeling Language Diagrams:
The unified modeling language allows the software engineer to express an analysis model using
the modeling notation that is governed by a set of syntactic semantic and pragmatic rules.
A UML system is represented using five different views that describe the system from
distinctly different perspective. Each view is defined by a set of diagram, which is as follows.
User Model View
i. This view represents the system from the users perspective.
ii. The analysis representation describes a usage scenario from the end-users perspective.
Structural model view
In this model the data and functionality are arrived from inside the system.
This model view models the static structures.
Behavioral Model View
It represents the dynamic of behavioral as parts of the system, depicting the interactions of
collection between various structural elements described in the user model and structural model view.
Implementation Model View
In this the structural and behavioral as parts of the system are represented as they are to be
built.
18

Environmental Model View
In this the structural and behavioral aspects of the environment in which the system is to be
implemented are represented.
UML is specifically constructed through two different domains they are
UML Analysis modeling, which focuses on the user model and structural model views of the
system.
UML design modeling, which focuses on the behavioral modeling, implementation modeling and
environmental model views.

19

Use Case Diagram:-

Fig 4.2

Sequence Diagram:-

Fig 4.3
20

Activity Diagram:

Fig 4.4

Requesting
info from db

Checking
request
Retrieve the
information
User

Valid user

Logout
Invalid search
21

5. SOFTWARE REQUIREMENTS

5.1 HTML (Hyper text markup language)

What an HTML Document Is?

HTML documents are plain-text (also known as ASCII) files that can be created using
any text editor (e.g., Emacs or vi on UNIX machines; SimpleText on a Macintosh; Notepad on a
Windows machine). You can also use word-processing software if you remember to save your
document as "text only with line breaks".

HTML Editors:

Some WYSIWYG editors are also available (e.g., Claris Home Page or Adobe PageMill,
both for Windows and Macintosh). You may wish to try one of them after you learn some of the
basics of HTML tagging. WYSIWYG is an acronym for "what you see is what you get"; it
means that you design your HTML document visually, as if you were using a word processor,
instead of writing the markup tags in a plain-text file and imagining what the resulting page will
look like.

It is useful to know enough HTML to code a document before you determine the
usefulness of a WYSIWYG editor, in case you want to add HTML features that your editor
doesn't support.

22

Getting Your Files on a Server:

If you have access to a Web server at school or work, contact your webmaster (the
individual who maintains the server) to see how you can get your files on the Web. If you do not
have access to a server at work or school, check to see if your community operates a FreeNet, a
community-based network that provides free access to the Internet.

Lacking a FreeNet, you may need to contact a local Internet provider that will post your
files on a server for a fee. (Check your local newspaper for advertisements or with your Chamber
of Commerce for the names of companies.)

Tags Explained:

An element is a fundamental component of the structure of a text document. Some
examples of elements are heads, tables, paragraphs, and lists. Think of it this way: you use
HTML tags to mark the elements of a file for your browser. Elements can contain plain text,
other elements, or both.

To denote the various elements in an HTML document, you use tags. HTML tags consist
of a left angle bracket (<), a tag name, and a right angle bracket (>). Tags are usually paired (e.g.,
<H1> and </H1>) to start and end the tag instruction. The end tag looks just like the start tag
except a slash (/) precedes the text within the brackets. HTML tags are listed below.

Some elements may include an attribute, which is additional information that is included
inside the start tag. For example, you can specify the alignment of images (top, middle, or
bottom) by including the appropriate attribute with the image source HTML code. Tags that have
optional attributes are noted below.

23

NOTE: HTML is not case sensitive.
<Title> is equivalent to <TITLE> or <Title>.
There are a few exceptions noted in Escape Sequences below.

Not all tags are supported by all World Wide Web browsers. If a browser does not support a tag,
it will simply ignore it. Any text placed between a pair of unknown tags will still be displayed,
however.

The Minimal HTML Document:

Every HTML document should contain certain standard HTML tags. Each document
consists of head and body text.

The head contains the title, and the body contains the actual text that is made up of
paragraphs, lists, and other elements. Browsers expect specific information because they are
programmed according to HTML and SGML specifications.

5.2 Java:
Java is an object-oriented multithread programming languages .It is designed to be small,
simple and portable across different platforms as well as operating systems.

FEATURES OF JAVA

Platform Independence
The Write-Once-Run-Anywhere ideal has not been achieved (tuning for different
platforms usually required), but closer than with other languages.

24

Object Oriented
Object oriented throughout - no coding outside of class definitions, including main().
An extensive class library available in the core language packages.

Compiler/Interpreter Combo
Code is compiled to byte codes that are interpreted by a Java virtual machines (JVM).
This provides portability to any machine for which a virtual machine has been written.
The two steps of compilation and interpretation allow for extensive code checking and improved
security.
Robust
Exception handling built-in, strong type checking (that is, all data must be declared an
explicit type), local variables must be initialized.

Several features of C & C++ eliminated:
No memory pointers
No preprocessor
Array index limit checking

Automatic Memory Management
Automatic garbage collection - memory management handled by JVM.

25

Security
No memory pointers
Programs run inside the virtual machine sandbox.
Array index limit checking
Code pathologies reduced by
Byte code verifier - checks classes after loading
Class loader - confines objects to unique namespaces. Prevents loading a hacked
"java.lang.SecurityManager" class, for example.
Security manager - determines what resources a class can access such as reading and writing to
the local disk.

Dynamic Binding
The linking of data and methods to where they are located is done at run-time.
New classes can be loaded while a program is running. Linking is done on the fly.
Even if libraries are recompiled, there is no need to recompile code that uses classes in those
libraries.

This differs from C++, which uses static binding. This can result in fragile classes for cases
where linked code is changed and memory pointers then point to the wrong addresses.

26

Good Performance
Interpretation of byte codes slowed performance in early versions, but advanced
virtual machines with adaptive and just-in-time compilation and other techniques now typically
provide performance up to 50% to 100% the speed of C++ programs.

Threading
Lightweight processes, called threads, can easily be spun off to perform multiprocessing.
Can take advantage of multiprocessors where available
Great for multimedia displays.
Built-in Networking
Java was designed with networking in mind and comes with many classes to develop
sophisticated Internet communications.
IMP applications are called IMlets, but in reality they are MIDlets. They subclass MIDlet, and
follow the same packaging, deployment, security and life-cycle as MIDlets.

Connected Device Configuration:

CDC is a smaller subset of Java SE, containing almost all the libraries that are not GUI
related.

Foundation Profile:

A headless version of Java SE.

Personal Basis Profile:

Extends the Foundation Profile to include lightweight GUI support in the form of an
AWT subset.

27

Personal Profile:

This extension of Personal Basis Profile includes a more comprehensive AWT subset
and adds applet support.

Java application
KVM +
CLDC APIs
Native APIs
Native OS
Device

Connected, Limited Device Connected Device
Configuration (CLDC) Configuration (CDC)

Fig 5.1 The two J2ME configurations.

Fig 5.2 Profiles.

Java application
Classic VM +
CDC APIs
Native
APIs
Native OS
Device
Java application
Profile
Configuration
Native OS
Device
28

5.3 JavaScript:

Java script is an easy-to-use programming language that can be embedded in the header
of your web pages.

It can enhance the dynamics and interactive features of your page by allowing you to
perform calculations, check forms, write interactive games, add special effects, customise
graphics selections, and create security passwords and more.

What's the difference between JavaScript and Java?

Java is a compiled programming language, similar to C. It is powerful enough to write
major applications and insert them in a web page as a special object called an "applet." Java has
been generating a lot of excitement because of its unique ability to run the same program on
IBM, Mac, and UNIX computers. Java is not considered an easy-to-use language for non-
programmers.

Java script is much simpler to use than Java. With Java script, if you want check a form
for errors, just type an if-then statement at the top of the page. No compiling, no applets, just a
simple sequence.

Object-oriented programming consists of Objects, Methods and Properties. An object
is basically a black box which stores some information.

It may have a way for you to read that information and a way for you to write to, or
change, that information. It may also have other less obvious ways of interacting with the
information.

Some of the information in the object may actually be directly accessible; other
information may require you to use a method to access it - perhaps because the way the
information is stored internally is of no use to you, or because only certain things can be written
29

into that information space and the object needs to check that you're not going outside those
limits.

The directly accessible bits of information in the object are its properties. The difference
between data accessed via properties and data accessed via methods is that with properties, you
see exactly what you're doing to the object; with methods, unless you created the object yourself,
you just see the effects of what you're doing.

A few examples your web page document is an object. Any table, form, button, image, or
link on your page is also an object. Each object has certain properties (information about the
object). For example, the background color of your document is written document.bgcolor.

You would change the color of your page to red by writing the line:
document.bgcolor="red"
The contents (or value) of a textbox named "password" in a form named "entryform" is
document.entryform.password.value.

Methods:

Most objects have a certain collection of things that they can do. Different objects can do
different things, just as a door can open and close, while a light can turn on and off. A new
document is opened with the method document.open()

You can write "Hello World" into a document by typing document.write("Hello World")
. open() and write() are both methods of the object: document.

30

Events:

Events are how we trigger our functions to run. The easiest example is a button, whose
definition includes the words onClick="run_my_function()". The onClick event, as its name
implies, will run the function when the user clicks on the button. Other events include
OnMouseOver, OnMouseOut, OnFocus, OnBlur, OnLoad, and OnUnload.

JavaScript and HTML:

JavaScript is inserted in the <HEAD> area of HTML documents, between <SCRIPT> and
</SCRIPT> tags.

This is the standard open and close to the JavaScript section of your page:

<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript">
< !-- Beginning of JavaScript -
(all of your JavaScript functions)
// - End of JavaScript - -->
</SCRIPT>
</HEAD>

Remember to tell the browser your script language: <SCRIPT LANGUAGE="JavaScript">
The  tags are used to hide comments in HTML from the browser. Old browsers will
not understand the <SCRIPT> tags, so you need to include the comment tags to keep your
JavaScript from showing up on the Browser (e.g. Netscape 1.0).

Hiding scripts within comment tags:
31

Only Netscape Navigator versions 2.0 and later recognize JavaScript. To ensure that
other browsers ignore JavaScript code, place the entire script within HTML comment tags, and
precede the ending comment tag with a double-slash (//) that indicates a JavaScript single-line
comment:
<SCRIPT>

</SCRIPT>

The Form is a JavaScript user's best friend. Forms can be used to input text, to display
results, and to trigger JavaScript functions. The form in our example used 2 objects, a text box,
and a button.

All forms start with the tag <FORM> and end with </FORM>.

The text box should include a NAME and a TYPE. The NAME will be used when we
need to tell the function which box has the text we want. TYPE is how the browser knows to
create a text box, button, or check box. For example:

<INPUT NAME="text1" TYPE=Text>

The button is how we tell JavaScript to run a particular function. The button should
include a NAME, TYPE, VALUE, and ONCLICK command.

The NAME could be used to refer to the button in JavaScript, but is usually not
important.

The VALUE is the label which will appear inside the button. The ONCLICK is followed
by the name of a function, and the name of the text box containing the data.
32

For example:

<INPUT NAME="submit" TYPE=Button VALUE="Show Me"
onClick="MsgBox(form.text1.value)">
<BODY>
<FORM>
<INPUT NAME="text1" TYPE=Text>
<INPUT NAME="submit" TYPE=Button VALUE="Show Me"
onClick="MsgBox(form.text1.value)">
</FORM></BODY></HTML>

5.4 J2EE (Java 2 Enterprise Edition):

Today, more and more developers want to write distributed transactional applications for
the enterprise and leverage the speed, security, and reliability of server-side technology.
If you are already working in this area, you know that in today's fast-moving and
demanding world of e-commerce and information technology, enterprise applications have to be
designed, built, and produced for less money, with greater speed, and with fewer resources than
ever before.
To reduce costs and fast-track enterprise application design and development, the Java

2 Platform, Enterprise Edition (J2EE ) technology provides a component-based approach to the
design, development, assembly, and deployment of enterprise applications. The J2EE platform
offers a multi tiered distributed application model, the ability to reuse components, integrated
Extensible Markup Language (XML)-based data interchange, a unified security model, and
flexible transaction control.
Not only can you deliver innovative customer solutions to market faster than ever, but
your platform-independent J2EE component-based solutions are not tied to the products and
application programming interfaces (APIs) of any one vendor. Vendors and customers enjoy the
33

freedom to choose the products and components that best meet their business and technological
requirements.

Distributed Multi tiered Applications:

The J2EE platform uses a multi tiered distributed application model. Application
logic is divided into components according to function, and the various application
components that make up a J2EE application are installed on different machines depending
on the tier in the multi tiered J2EE environment to which the application component belongs

J2EE Components:
Client-tier components run on the client machine.
Web-tier components run on the J2EE server.
Business-tier components run on the J2EE server.
Enterprise information system (EIS)-tier software runs on the EIS server.
J2EE multi tiered applications are generally considered to be three-tiered
applications because they are distributed over three different locations: client machines,
the J2EE server machine, and the database or legacy machines at the back end.
Three-tiered applications that run in this way extend the standard two-tiered client and
server model by placing a multithreaded application server between the client application and
back-end storage.

J2EE applications are made up of components. A J2EE component is a self-contained
functional software unit that is assembled into a J2EE application with its related classes and
files and that communicates with other components. The J2EE specification defines the
following J2EE components:
34

Application clients and applets are components that run on the Client.
Java Servlet and Java Server Pages (JSP ) technology Components are Web
components that run on the server.
Enterprise JavaBeans (EJB ) components (enterprise beans) are business components
that run on the server.
J2EE components are written in the Java programming language and are compiled in
the same way as any program in the language. The difference between J2EE components and
"standard" Java classes is that J2EE components are assembled into a J2EE application, verified
to be well formed and in compliance with the J2EE specification, and deployed to production,
where they are run and managed by the J2EE server.
Web Clients:
A Web client consists of two parts: dynamic Web pages containing various types of
markup language (HTML, XML, and so on), which are generated by Web components running
in the Web tier, and a Web browser, which renders the pages received from the server.
A Web client is sometimes called a thin client. Thin clients usually do not do things like
query databases, execute complex business rules, or connect to legacy applications. When you
use a thin client, heavyweight operations like these are off-loaded to enterprise beans executing
on the J2EE server where they can leverage the security, speed, services, and reliability of J2EE
server-side technologies.
Applets :
Web components are the preferred API for creating a Web client program because no
plug-ins or security policy files are needed on the client systems.
Also, Web components enable cleaner and more modular application design because
they provide a way to separate applications programming from Web page design. Personnel
involved in Web page design thus do not need to understand Java programming language syntax
to do their jobs.
35

Application Clients:
A J2EE application client runs on a client machine and provides a way for users to handle
tasks that require a richer user interface than can be provided by a markup language. It typically
has a graphical user interface (GUI) created from Swing or Abstract Window Toolkit (AWT)
APIs, but a command-line interface is certainly possible.
Application clients directly access enterprise beans running in the business tier. However,
if application requirements warrant it, a J2EE application client can open an HTTP connection to
establish communication with a servlet running in the Web tier.
JavaBeans Component Architecture:
The server and client tiers might also include components based on the JavaBeans
component architecture (JavaBeans component) to manage the data flow between an application
client or applet and components running on the J2EE server or between server components and a
database.
JavaBeans components are not considered J2EE components by the J2EE specification.
JavaBeans components have instance variables and get and set methods for accessing the
data in the instance variables. JavaBeans components used in this way are typically simple in
design and implementation, but should conform to the naming and design conventions outlined
in the JavaBeans component architecture.
J2EE Server Communications :
The client communicates with the business tier running on the J2EE server either directly
or, as in the case of a client running in a browser, by going through JSP pages or servlets running
in the Web tier.
J2EE application uses a thin browser-based client or thick application client. In deciding
which one to use, should be aware of the trade-offs between keeping functionality on the client
and close to the user (thick client) and off-loading as much functionality as possible to the server
(thin client).
36

The more functionality you off-load to the server, the easier it is to distribute, deploy,
and manage the application; however, keeping more functionality on the client can make for a
better perceived user experience.
5.5 SQL Server 2005:
Microsoft SQL Server 2000 features include:
Internet Integration:
The SQL Server 2000 database engine includes integrated XML support. It also has
the scalability, availability, and security features required to operate as the data storage
component of the largest Web sites.
The SQL Server 2000 programming model is integrated with the Windows DNA
architecture for developing Web applications, and SQL Server 2000 supports features such as
English Query and the Microsoft Search Service to incorporate user-friendly queries and
powerful search capabilities in Web applications.
Scalability and Availability:
The same database engine can be used across platforms ranging from laptop
computers running Microsoft Windows 98 through large, multiprocessor servers running
Microsoft Windows 2000 Data Center Edition.
SQL Server 2000 Enterprise Edition supports features such as federated servers,
indexed views, and large memory support that allow it to scale to the performance levels
required by the largest Web sites.
Enterprise-Level Database Features:
The SQL Server 2000 relational database engine supports the features required to
support demanding data processing environments. The database engine protects data integrity
while minimizing the overhead of managing thousands of users concurrently modifying the
database. SQL Server 2000 distributed queries allow you to reference data from multiple sources
37

as if it were a part of a SQL Server 2000 database, while at the same time, the distributed
transaction support protects the integrity of any updates of the distributed data.
Replication allows you to also maintain multiple copies of data, while ensuring that the separate
copies remain synchronized. You can replicate a set of data to multiple, mobile, disconnected
users, have them work autonomously, and then merge their modifications back to the publisher.
Ease of installation, deployment, and use:
SQL Server 2000 includes a set of administrative and development tools that
improve upon the process of installing, deploying, managing, and using SQL Server across
several sites. SQL Server 2000 also supports a standards-based programming model integrated
with the Windows DNA, making the use of SQL Server databases and data warehouses a
seamless part of building powerful and scalable systems.
These features allow you to rapidly deliver SQL Server applications that customers
can implement with a minimum of installation and administrative overhead.
Data warehousing:
SQL Server 2000 includes tools for extracting and analyzing summary data for online
analytical processing. SQL Server also includes tools for visually designing databases and
analyzing data using English-based questions.
5.6 NetBeans:
An Integrated Development Environment (IDE) is a necessity for enterprise
developers who want to have all their productivity tools under one umbrella.
An IDE enables the developer to move from one phase of application development to
the next without having to worry about manual management of source code or tool interfaces.
With so many IDEs available on the market today, it has become a time-consuming task to
decide on and choose one.
38

Ideally, you should be looking for an IDE that maximizes your productivity: easy to use, fun to
work with, enables you to get the work done, and has out-of-the-box support for open standards
and technologies.
The NetBeans IDE, which is sponsored by Sun Microsystems, is a free and open
source IDE that enables you to develop J2EE 1.4 applications and web services, mobile/wireless
applications and services, and J2SE desktop applications.
Using the NetBeans IDE, developers get their work done in a fun development
environment that enables them to concentrate on the business logic of their applications. It
provides productivity tools, and supports refactoring and integrated debugging, that simplify the
work of Java technology developers.
The NetBeans IDE allows developers to:
Create J2EE applications, automatically add EJB modules and web modules, and
deploy the applications
Create EJBs from existing source, from scratch, or from an existing database
Automatically generate EJB business methods, database calls, and calls to EJBs
Create a web module for deployment to the freely available Application Server PE 8
or Tomcat
Add multiple source folders to an EJB module or web module, and create unit tests as
part of the project
Edit deployment descriptors in a graphical editor that is automatically synchronized
with the underlying XML
Create, register, and test web services
Import your existing J2EE projects
Validate your applications with the J2EE Verifier
Visually configure your EJBs, web Services and web components

39

6. CODING

Index page:

<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<%--
The taglib directive below imports the JSTL library. If you uncomment it,
you must also add the JSTL library to the project. The Add Library... action
on Libraries node in Projects view can be used to add the JSTL 1.1 library.
--%>
<%--
<%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%>
--%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Member Login</title>
<link ref="StyleSheet" href="StyleSheet/Login.css" type="text/css">
<style>
.login
{
position: Absolute;
padding : 30px 318px 204px 3px;
color : red;
background-color: #ffffff;
top: 300px;
left: 600px;
}
#inner
{

}
</style>

</head>
<body bgcolor="#636363">
<form method="post" action="Login">
<h1 style="position:absolute;top:100px;left:130px;color:#F5F5F5"></h1>
<div class="login">
40

<img src="Image/leftcornt.gif"
style="position:Absolute;top:0px;left:0px;"/><img src="Image/rightcornt.gif" style="position:
Absolute; top:0px;left:280px;"/>
<span style=" position: Absolute;top:10px;left:100px;font:bold 14pt/10pt Times
New Roman;color:#636363;">Member Login</span>
<div style="position:Absolute;padding : 0px 269px 163px
50px;top:40px;left:1px;background-color:#C0C0C0;">
<p style="position:Absolute;top:20px;left:30px;font : bold 12pt/14pt Times
New Roman;color:#000000;">User Name :</p>
<input type="text" name="username"
style="position:absolute;top:20px;left:145px;"/>
New Roman;color:#000000;">Password    :</p>
<input type="password" name="password"
<input type="submit" id="loginbutton" value="Login"
style="position:Absolute;top:90px;left:145px;"/>
<input type="button" id="resetbutton" value="Reset"
<a href="ForgetPassword.jsp"
style="position:Absolute;top:120px;left:30px;">Forget Password</a>
<a href="New_Registration.jsp"
style="position:Absolute;top:120px;left:160px;">New Registration</a>

</div>

</div>
<%
if(request.getAttribute("error")!=null)
{%>
<span style="position:Absolute;top:275px;left:650px;font:bold 12pt/14pt Times
New Roman;color:#FFFAF0"><%=request.getAttribute("error")%></span>
<%}
%>
<form>
</body>
</html>

41

Main page:

<html>

<title>Online RSS Reader</title>

<head>

<script src="Script/Sub_Unsub.js" type="text/javascript"></script>

<style>

.Tree_Channel a
{
color: #696969;
text-decoration: none;
}

.Tree_Channel a:hover
{
color: #000080;
}

.Tree_Channel img
{
border: 0px;
}

.home A:visited
{
color: #000000
}

.MF A
{
color: #696969;
text-decoration: none;
}

.MF img
{
border: 0px;
}

.MF a:hover
42

{
color: #000080;
}

</style>

</head>

<%
String usname = (String)session.getAttribute("uname");
session.setMaxInactiveInterval(-1);
//out.println(usname);
%>

<p style="position:absolute;font : bold 12pt/14pt Times New Roman;top:
8px;left:650px;">

<%
String name = (String)session.getAttribute("MemberName");
out.println(name);
session.setMaxInactiveInterval(-1);
%>

</p>

<body>

<form id="main">


<div style="position:absolute;top:10px;left:800px;cursor:hand;" onclick="logout()">

<img src="Image/img03.gif" style="height:20px;width:100px;"/>

<span style="position:absolute;top:0px;left:23px;font-weight:bold">Log Out</span>

</div>



<div class="home" id="home"
style="position:absolute;top:35px;left:5px;width:980px;height:100px; background-
color:#87CEFA;overflow:auto">

43

<span style="position:absolute;top:30px;left:70px;font-weight:bold">Check Feed URL
:</span>

<input id="url" type="text" size="75" style="position:absolute;top:30px;left:230px;"/>

<span style="position:absolute;top:70px;left:70px;font-weight:bold">Search Password
:</span>

<input id="searchPass" name="searchPass" type="text" size="75"

<input type="button" onclick="checkXML('<%=usname%>')" size="14" value="Add
URL" style="position:absolute;top:45px;left:750px;"/>

<p style="position:absolute;top:105px;left:100px;font-weight:bold"></p>



</a>

</div>

<div id="Rss_Title" style="position:absolute;top:150px;left:2px;padding:0px 0px 0px
0px;background-color:#FFFFFF;" >

</div>

<div style="position:absolute;top:10px;left:50px;cursor:hand;"
onclick="Search_His('<%=usname%>')">


<span style="position:absolute;top:0px;left:23px;font-weight:bold">

Search History</span>

</div>

<div style="position:absolute;top:10px;left:250px;cursor:hand;"
onclick="setting('<%=usname%>')">
44

<span style="position:absolute;top:0px;left:28px;font-weight:bold">Setting</span>
</div>
</form>
</body>
</html>

45

Login Page:

<%--
--%>
<%--
--%>


<html>

<head>


<title>Member Login</title>

<link ref="StyleSheet" href="StyleSheet/Login.css" type="text/css">
<style>

.login
{
position: Absolute;
46

color : red;
background-color: #ffffff;
top: 300px;
left: 600px;
}

#inner
{

}

</style>

</head>

<body bgcolor="#636363">
<form method="post" action="Login">

<h1 style="position:absolute;top:100px;left:130px;color:#F5F5F5"></h1>

<div class="login">

<img src="Image/leftcornt.gif"
style="position:Absolute;top:0px;left:0px;"/><img src="Image/rightcornt.gif" style="position:
Absolute; top:0px;left:280px;"/>

<span style=" position: Absolute;top:10px;left:100px;font:bold 14pt/10pt Times
New Roman;color:#636363;">Member Login</span>

<div style="position:Absolute;padding : 0px 269px 163px
50px;top:40px;left:1px;background-color:#C0C0C0;">
47

New Roman;color:#000000;">User Name :</p>

<input type="text" name="username"

New Roman;color:#000000;">Password    :</p>

<input type="password" name="password"

<input type="submit" id="loginbutton" value="Login"

<input type="button" id="resetbutton" value="Reset"

<a href="ForgetPassword.jsp"
style="position:Absolute;top:120px;left:30px;">Forget Password</a>

<a href="New_Registration.jsp"
style="position:Absolute;top:120px;left:160px;">New Registration</a>

</div>

</div>
<%
if(request.getAttribute("error")!=null)
48

{%>
<span style="position:Absolute;top:275px;left:650px;font:bold 12pt/14pt Times
New Roman;color:#FFFAF0"><%=request.getAttribute("error")%></span>

<%}
%>
<form>
</body>
</html>
49

Registration Page:

<%--
--%>
<%--
--%>


<html>

<head>


<title>New Registration</title>

<style>
#ng_head
{

}

#newreg
50

{
position: Absolute;
background-color: #CD853F;
top: 50px;
left: 270px;
}

#inner
{
position: Absolute;
background-color: #DEB887;
left:3px;
}

#ng_head
{
position: Absolute;
top: 5px;
left: 10px;
color : #FAEBD7;
font : bold 12pt/14pt Times New Roman;
}

</style>

<script src="Script/Registration.js" type="text/javascript"></script>

</head>

51

<body bgcolor="#D2B48C">

<form method="post" action="NewRegistration">
<div id="newreg">

<p id="ng_head">New Registration:</p>
<div id="inner">

<p style="position: Absolute;top: 20px;left: 80px;color : #000000;font : bold
12pt/14pt Times New
Roman;">First Name         &
nbsp;   :</p>

<input type="text" name="firstname" id="firstname" style="position:
Absolute;top: 20px;left: 250px;">

12pt/14pt Times New
Roman;">Last Name         &n
bsp;   :</p>

<input type="text" name="lastname" id="lastname" style="position:

12pt/14pt Times New
Roman;">User Name         &
nbsp;   :</p>

<input type="text" name="username" id="username" style="position:
52

12pt/14pt Times New
Roman;">Password          &n
bsp;     :</p>

<input type="password" name="password" id="password" size="22"
style="position: Absolute;top: 110px;left: 250px;">

12pt/14pt Times New Roman;">Confirm Password :</p>

<input type="password" name="confirmp" id="confirmp" size="22"

12pt/14pt Times New Roman;">Searching Password :</p>

<input type="password" name="search_pass" id="search_pass" size="22"

<input type="button" id="newregbutton" onclick="checkReg()" value="Register"

<input type="button" id="resetbutton" value="Reset" style="position:
<a href="index.jsp" id="log" style="position: Absolute;top: -25px;left:
290px;">Home Page</a>

</div>
</div>
<%--
53

This example uses JSTL, uncomment the taglib directive above.
To test, display the page like this: index.jsp?sayHello=true&name=Murphy
--%>

<%--
<c:if test="${param.sayHello}">



Hello ${param.name}!
</c:if>
--%>
</form>

</body>
</html>

54

7. TESTING

Introduction:

After finishing the development of any computer based system the next complicated time
consuming process is system testing. During the time of testing only the development company
can know that, how far the user requirements have been met out, and so on.
Following are the some of the testing methods applied to this effective project:
Source Code Testing:

This examines the logic of the system. If we are getting the output that is required by the
user, then we can say that the logic is perfect.

Specification Testing:

We can set with, what program should do and how it should perform under various
condition. This testing is a comparative study of evolution of system performance and system
requirements.

Module Level Testing:

In this the error will be found at each individual module, it encourages the programmer to
find and rectify the errors without affecting the other modules.

Unit Testing:

Unit testing focuses on verifying the effort on the smallest unit of software-module. The
local data structure is examined to ensure that the date stored temporarily maintains its integrity
55

during all steps in the algorithms execution. Boundary conditions are tested to ensure that the
module operates properly at boundaries established to limit or restrict processing.

Integration Testing:

Data can be tested across an interface. One module can have an inadvertent, adverse
effect on the other. Integration testing is a systematic technique for constructing a program
structure while conducting tests to uncover errors associated with interring.

Validating Testing:
It begins after the integration testing is successfully assembled. Validation succeeds when
the software functions in a manner that can be reasonably accepted by the client. In this the
majority of the validation is done during the data entry operation where there is a maximum
possibility of entering wrong data. Other validation will be performed in all process where
correct details and data should be entered to get the required results.

Recovery Testing:

Recovery Testing is a system that forces the software to fail in variety of ways and
verifies that the recovery is properly performed. If recovery is automatic, re-initialization, and
data recovery are each evaluated for correctness.

Security Testing:

Security testing attempts to verify that protection mechanism built into system will in fact
protect it from improper penetration. The tester may attempt to acquire password through
external clerical means, may attack the system with custom software design to break down any
defenses to others, and may purposely cause errors.
56

Performance Testing:

Performance Testing is used to test runtime performance of software within the context
of an integrated system. Performance test are often coupled with stress testing and require both
software instrumentation.

Blackbox Testing:

Black- box testing focuses on functional requirement of software. It enables to derive ets
of input conditions that will fully exercise all functional requirements for a program. Black box
testing attempts to find error in the following category:
Incorrect or missing function
Interface errors
Errors in data structures or external database access and performance errors.

Output Testing:

After performing the validation testing, the next step is output testing of the proposed
system since no system would be termed as useful until it does produce the required output in the
specified format. Output format is considered in two ways, the screen format and the printer
format.

User Accepting Testing:

User Acceptance Testing is the key factor for the success of any system. The system
under consideration is tested for user acceptance by constantly keeping in touch with prospective
system users at the time of developing and making changes whenever required.

57

8. SCREEN SHOTS

Output:
Run Index Page type username and password

Fig 8.1

58

New Registration:

Fig 8.2

59

Registered:

Fig 8.3

60

Forget password:

Fig 8.4

61

Password retrieved:

Fig 8.5

62

Main Page:

Fig 8.6

Give URL
http://www.rediff.com/rss/iycurss.xml
http://www.cricinfo.com/rss/livescores.xml
http://www.rediff.com/rss/newsrss.xml
And search password

63

URL and Password given:

Fig 8.7

64

If the URL already exist it get it from server otherwise stored the URL in DB and get from
web server first time only:

Fig 8.8

65

If you are entering wrong password:

Fig 8.9

66

After wrong password:

Fig 8.10

67

Then logout and login again:

Fig 8.11

68

If your visited URLs stored in DB:

Fig 8.12

69

You can change search password
in setting:

Fig 8.13
70

DataBase:

71

Fig 8.14

72

9. CONCLUSION

We present a technique that prevents users from inferring sensitive information
from a series of seemingly innocuous queries. Compared to the deterministic inference
approach in previous works, we include nondeterministic relations into inference channels
for query-time inference detection. Specifically, we extract possible inference channels from
probabilistic data dependency, the database schema, and the semantic knowledge, and we
construct a SIM. The SIM links represent the possible inference channels from any attribute
to the set of pre-assigned sensitive attributes.

The parameters of attributes in SIM can be computed in polynomial time in
terms of the rows and columns of the relational table. The SIM is then instantiated by
specific instances and reduced to a SIG for inference violation detection at query time. To
reduce the computation complexity for inference, the SIG can be mapped into a Bayesian
network so that available Bayesian network tools can be used for evaluating the inference
probability along the inference channels. When a user poses a query, the detection system
will examine his/her past query log and calculate the probability of inferring sensitive
information from answering the posed query. The query request will be denied if it can infer
sensitive information, with probability exceeding the pre-specified threshold. In the multiple-
user inference environment, the users can share their query answers to collaboratively infer
sensitive information.

Collaborative inference is related to the CL and the inference channels of the
user-posed queries. For inference violation detection, we developed a collaborative inference
model that combines the collaborators query log sequences into inference channels to derive
the collaborative inference of sensitive information.

A sensitivity analysis of attributes in the Bayesian network can be used for
studying the sensitivity of the inference channels. Our study reveals that the nodes closer to
the security node have stronger inference effects on the security node. Thus, a sensitivity
73

analysis of these close nodes can assist domain experts to specify the threshold of the
security node to ensure its robustness.

User profiles and questionnaire data provide a good starting point for learning CLs
among collaborative users. However, gathering such information is complicated by the fact
that the information may be incomplete and incorrect. In addition, the accuracy of such
information is task specific and user-community sensitive.

We have constructed a testbed on the inference violation detection system to study
the CL for collaborative users. Our preliminary study reveals that information provider
authoritativeness, communication fidelity, and honesty in collaboration play key roles in the
CL. Further research and experiments in generating training sets to estimate and validate the
CL are needed.

Future Enhancement:

Collaborative Inference Detection method is used to provide a user with the
authority to perform his task based on which the system decided the trustworthiness of the kind
user.

In future we may confine the security level of trustworthiness, which may help
in to dig into the deeper information on the various levels provided to individual based on their
action or query.

74

10. BIBLIOGRAPHY

References:
K. Aberer and Z. Despotovic, Managing Trust in a Peer-2-Peer Information System, Proc.
10th ACM Intl Conf. Information and Knowledge Management (CIKM 01), Oct. 2001.

M. Chavira, D. Allen, and A. Darwiche, Exploiting Evidence in Probabilistic Inference, Proc.
21st Conf. Uncertainty in Artificial Intelligence (UAI 05), pp. 112-119, 2005.

Y. Chen and W.W. Chu, Database Security Protection via Inference Detection, Proc. Third
IEEE Intl Conf. Intelligence and Security Informatics (ISI 06), 2006.

M. Chavira and A. Darwiche, Compiling Bayesian Networks with Local Structure, Proc.
19th Intl Joint Conf. Artificial Intelligence (IJCAI 05), pp. 1306-1312, 2005.

F. Cornelli, E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, Choosing
Reputable Servents in a P2P Network, Proc. 11th Intl World Wide Web Conf. (WWW 02),
May 2002.

A. Darwiche, Recursive Conditioning, Artificial Intelligence, vol. 126, nos. 1-2, pp. 5-41,
2001.

WebSites:

java.sun.com

www.java2s.com

www.roseindia.net

Protection of Database Security Via Collaborative Inference Detection

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Protection of Database Security Via Collaborative Inference Detection

Uploaded by

Copyright:

Available Formats

1

Protection of Database Security via Collaborative

You might also like