**4.2 Execution of security audit**

#### **4.2.1 Process of security audit**

The security audit process can be divided into two parts, the collection of information and the security audit itself; the structure is shown in Fig. 3.

Fig. 3. Architecture of Security Audit System. Modules shown in the figure: Acquisition module, Filter module, Reorganization module, Sending module, Setting module (Address settings, Capture settings), Process protection module, Database module, Query module, Analysis module, Display module, Audit report.

The information gathering side runs on the system server and transmits the collected information to the security audit terminal through a dedicated secure channel; the security audit client runs separately on a stand-alone computer. To protect the audit side, the computer that runs the security audit module is not connected to the server's LAN. To keep the audit module and the information collection module in communication, a dual-channel design is used: the user can configure any two ways of communicating, and the system switches automatically to the other one when the channel in use stops working.

The information collection module collects the data that needs to be audited, including network packets, process information, port information, file access information, registry modification information, and a variety of server logs such as WWW logs and security logs. For convenient later processing, all data is stored in the database of the audit module.

The main contents of the audit are as follows.

- Main server host application platform software: mainly the audit of the running state of the important application platform processes, Web Server, Mail Server, Lotus, middleware systems, health status (response time), etc.

- Main database operation audit: mainly the audit of the running conditions of the database processes, of violating access that operates the database directly while bypassing the application software, of database configuration changes, of data backup and other maintenance and management operations, of access to and changes of important data, and of data integrity.

- Main application system audit: mainly the audit of the office automation system, document flow and operation, webpage integrity, interrelated service systems, etc. For the related business systems this covers the normal operation of the business system, important operations such as creating or stopping users, authorisation changes, data submission, processing, access and publishing operations, business processes, etc.

- Main regional network client: mainly the audit of virus infections, file sharing over the network, copying or printing of files, unauthorised connection to the Internet through a modem, and installation and operation of abnormal non-business software.
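As an added example (my code, not the chapter's), the following Python sketch shows the collection-side behaviour described above: records of the kinds listed are gathered, given a sequence number and an HMAC so that the audit side can detect lost or altered records, and sent over a primary channel with automatic switch-over to the secondary channel when the primary fails. The channel classes, the shared key, the record layout and the sample records are all assumptions constructed for the example; a real deployment would put e.g. a TLS socket or a serial link behind each channel.

```python
import hashlib
import hmac
import json
from typing import Callable, List

# Key shared by the collection side and the audit side (assumption: provisioned out of band).
SHARED_KEY = b"example-collector-key"


class ChannelDown(Exception):
    """Raised by a channel that cannot deliver a message."""


class Channel:
    """One transport towards the audit terminal. `deliver` takes the serialised
    message and raises ChannelDown on link failure (assumed interface)."""

    def __init__(self, name: str, deliver: Callable[[bytes], None]):
        self.name = name
        self.deliver = deliver

    def send(self, payload: bytes) -> None:
        self.deliver(payload)


class Collector:
    """Collection side: numbers and authenticates each record, sends it over the
    active channel, and fails over to the other channel when sending fails."""

    def __init__(self, primary: Channel, secondary: Channel):
        self.channels = [primary, secondary]
        self.active = 0      # index of the channel currently in use
        self.seq = 0         # monotonically increasing record number

    def _wrap(self, record: dict) -> bytes:
        self.seq += 1
        body = json.dumps({"seq": self.seq, **record}, sort_keys=True).encode()
        tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        return json.dumps({"body": body.decode(), "mac": tag}).encode()

    def send(self, record: dict) -> str:
        """Send one record; returns the name of the channel that carried it."""
        payload = self._wrap(record)
        for _ in range(len(self.channels)):
            channel = self.channels[self.active]
            try:
                channel.send(payload)
                return channel.name
            except ChannelDown:
                # switch to the other channel and retry the same payload
                self.active = (self.active + 1) % len(self.channels)
        raise ChannelDown("all channels down")


def verify_stream(messages: List[bytes]) -> dict:
    """Audit side: reject records with a bad MAC and count sequence gaps,
    so both tampering in transit and lost records become visible."""
    expected, accepted, bad_mac, gaps = 1, 0, 0, 0
    for raw in messages:
        msg = json.loads(raw)
        body = msg["body"].encode()
        calc = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calc, msg["mac"]):
            bad_mac += 1
            continue
        seq = json.loads(body)["seq"]
        if seq != expected:
            gaps += 1
        expected = seq + 1
        accepted += 1
    return {"accepted": accepted, "bad_mac": bad_mac, "gaps": gaps}


def demo() -> dict:
    """Send constructed records, killing the primary channel part-way through,
    and return what the audit side observed plus the channel used per record."""
    received: List[bytes] = []
    state = {"primary_up": True}

    def primary_deliver(payload: bytes) -> None:
        if not state["primary_up"]:
            raise ChannelDown("primary link lost")
        received.append(payload)

    collector = Collector(Channel("primary", primary_deliver),
                          Channel("secondary", received.append))

    # Constructed sample records of the kinds listed in the text.
    records = [
        {"kind": "process", "host": "srv1", "pid": 4120, "image": "httpd"},
        {"kind": "port", "host": "srv1", "port": 3306, "state": "LISTEN"},
        {"kind": "file", "host": "srv1", "path": "/etc/shadow", "op": "read"},
        {"kind": "registry", "host": "srv1", "op": "set",
         "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
        {"kind": "wwwlog", "host": "srv1", "line": '10.0.0.7 - - "GET /admin HTTP/1.1" 403'},
    ]
    used = []
    for i, record in enumerate(records):
        if i == 2:
            state["primary_up"] = False      # simulate loss of the primary channel
        used.append(collector.send(record))

    result = verify_stream(received)
    result["channels_used"] = used
    return result
```

The sequence number matters as much as the MAC: an attacker on the server side who can suppress records but not forge them still leaves a visible gap on the isolated audit host, which is the point of keeping that host off the server LAN.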

#### **4.2.2 Key technologies of network security audit system**

1. Analysis of Data Source of Network Security Audit System

For a security audit system, the selection of input data is the key problem to be solved. The data sources of a security audit can be divided into three categories: host-based, network-based and other channels. In order to select appropriate data sources, each class of data source is analysed in turn below.

a. Data Source Based on the Host

Host-based data sources for a network security audit include operating system audit records, system logs, application system logs and target-based information.

b. Data Source Based on the Network

Network data is the most common source of information in current network security audit systems and commercial intrusion detection systems. The basic principle is that, while data streams are being transmitted over the network, a special data acquisition technique collects the transmitted data to serve as the data source of the security audit system.

c. Other Data Source

Data sources from other security products mainly refers to the log files produced by security products such as firewalls and authentication systems that operate independently within the target system. These data sources should also be taken into account by the security audit system.

Data sources from network devices, e.g. a network management system, use the information provided by SNMP (Simple Network Management Protocol). Out-of-band data sources are information supplied manually, which is artificial and non-systematic, e.g. manual records of what happened in the system environment, including hardware error information, system configuration information, system crashes and other kinds of natural hazard events. Out-of-band data sources may play an important role in later analysis.

In general, using the live logs of the network and its security devices as audit data sources improves the performance of the security audit system.
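What "selecting data sources" means in practice is that records from the three classes above arrive in three different formats and must be brought into one schema before the audit engine can correlate them. The following added example (mine, not the chapter's) parses three constructed records, one per class (a host authentication log line, a flow record from the network capture side, and a firewall log line from an independent security product), into a common event and groups them by peer address. The line formats, field names and the year supplied for syslog timestamps are assumptions.

```python
import re
from datetime import datetime
from typing import Optional

# Host-based: a Linux auth-log line in the usual syslog/sshd layout (constructed).
HOST_LINE = "Mar  3 08:15:02 srv1 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2"
# Network-based: one flow summary written by the capture side (constructed; format assumed).
NET_LINE = "2024-03-03T08:15:03Z 203.0.113.9:51022 -> 10.0.0.5:22 TCP bytes=984"
# Other channel: an iptables-style firewall log line (constructed).
FW_LINE = "Mar  3 08:15:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=3306"

HOST_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
NET_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) bytes=(?P<bytes>\d+)$")
FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<action>\w+) (?P<kv>.*)$")


def _syslog_ts(text: str, year: int = 2024) -> str:
    """Syslog timestamps carry no year, so the caller supplies it (assumption: 2024)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S").isoformat() + "Z"


def normalize(line: str) -> Optional[dict]:
    """Map one raw record to the common event schema; None if the line is not recognised."""
    m = HOST_RE.match(line)
    if m:
        ev = {"source_class": "host", "time": _syslog_ts(m["ts"]), "sensor": m["host"],
              "action": m["prog"], "outcome": None, "actor": None, "src": None,
              "dst": m["host"], "dport": None}
        f = SSH_FAIL_RE.search(m["msg"])
        if f:   # only the sshd failure message is decoded here; other messages keep prog as action
            ev.update(action="auth.login", outcome="failure", actor=f["user"], src=f["src"])
        return ev
    m = NET_RE.match(line)
    if m:
        return {"source_class": "network", "time": m["ts"], "sensor": "capture",
                "action": f"flow.{m['proto'].lower()}", "outcome": None, "actor": None,
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = FW_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        return {"source_class": "other", "time": _syslog_ts(m["ts"]), "sensor": m["host"],
                "action": "firewall." + m["action"].lower(),
                "outcome": "blocked" if m["action"] == "DROP" else "allowed",
                "actor": None, "src": kv.get("SRC"), "dst": kv.get("DST"),
                "dport": int(kv["DPT"]) if "DPT" in kv else None}
    return None


def events_by_source(lines) -> dict:
    """Group normalised events by source address, so that evidence from all three
    source classes about the same peer is seen together by the audit step."""
    out: dict = {}
    for line in lines:
        ev = normalize(line)
        if ev and ev["src"]:
            out.setdefault(ev["src"], []).append(ev)
    return out
```

Run over the three constructed lines, the grouping puts a failed root login, the corresponding flow and a blocked attempt on the database port under the same peer address, which is exactly the cross-source picture a single data source could not give.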


Web and Database Security 15


2. Functions of Network Security Audit System

a. Data Collection Function

Data collection captures packets at the data link layer. It filters out the packets that do not need auditing and saves selectively according to the defined policies and the analysis requirements of the system. The acquired data and the generated data files provide the data source for the network security audit system; this is the key link of the system and the basis of data analysis and processing. Because the system only audits access between the external network and users' computers, it is not necessary to collect or store internal network data.

b. Log Data Management Capabilities

Log data grows continuously and becomes very large; even a small network produces over 3 GB of network logs per day. An integrated mechanism for backup, recovery and processing should be built to manage network security logs, rather than simply deleting them.

c. Feature of Automatical Analysis and Statistical Reports Generation

The network generates a large amount of log information every day, and it is difficult for administrators to handle such a huge workload. Visualised analysis and automatically generated statistical reports need to be provided so that administrators can effectively find the various network anomalies and security events.

d. Data Analysis and Processing Functions

The system audits access to external networks, auditing the user's computer and the content of its network behaviour by processing and analysing the data collected and preserved. The core is protocol analysis. Web content auditing includes web audit, mail audit, FTP audit, user logs, etc. These functions play a decisive role in the audit results.

e. Function of Real-time Network Status Monitoring

The real-time monitoring function mainly includes analysis, identification, judgement and recording of the typical protocols in network traffic; intrusion detection for Telnet, HTTP, e-mail, FTP, Internet chat, file sharing, etc.; flow monitoring; and identification of and alarming on unusual flows.

f. Network Service Control Function

The network service control function controls which hosts and services a user may access on the network, supporting user authorisation, white-listed hosts and user access rules.

3. Network Security Audit System Architecture

The network security audit system mainly consists of three modules.

a. Data Collection Module

The data collection module acquires the network packets of users' operations by monitoring and kernel-level filtering, relying on the port-mirroring feature of switches and on user-defined strategies. The key to realising this module is to acquire accurate and complete packets: the exactness and completeness of the audit results are determined by the integrity of the data this module acquires.

b. Packet Processing Module

Protocol analysis is a key step in packet processing. The main job of the packet processing module is to capture the data packets and determine from their header information which protocol they belong to, e.g. TELNET, FTP or another. According to the format, transmission mode and message content of that protocol, it restructures and restores the user's operation, and finally submits the restored user data to the audit module.

c. Data Audit Module

According to the format defined by the rules, the obtained user information, e.g. TELNET and FTP commands, SQL statements, manipulated objects and operating keywords, is matched against the user-defined strategy in the rule base. Responses are made according to the matching results, and the audited data is recorded in audit logs. The rule base is generated from the access strategy deployed by the authorised administrator. Authorised administrators formulate or modify the strategy and issue it to the rule base. While using the audit system, administrators gather experience and continually add new strategies according to the issues that arise, making the rule base richer and richer.

#### **4.2.3 Security audit approach**

1. Methods Based on Rule Base

The rule-base based security audit method works as follows. Administrators extract the features of attack behaviours, express them in a script language and push them into the rule base. When the security audit executes, network attack behaviours are detected by comparison and matching operations, e.g. keywords, regular expressions or fuzzy approximation degree, between the rule base and the network data. But such rules only fit certain specific types of attack or attack software, and the rule base fails when a new attack or an upgraded version of the software appears.
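The following added example (my code, not the chapter's) illustrates both the packet processing module described under 4.2.2 and the rule-base method above: constructed TCP segments are classified by destination port into TELNET, FTP or a MySQL-style database session, the user's command text is restored from the payloads (including commands split across segments and telnet option negotiation that must be stripped), and each restored command is matched against a small rule base of keywords and regular expressions. The ports, the rule contents, the sample payloads and the alert/log responses are assumptions; in a deployment the rules come from the administrator's policy. The MySQL packet layout (3-byte little-endian length, 1-byte sequence id, COM_QUERY = 0x03) and the telnet IAC encoding are the real wire formats.

```python
import re
import struct
from typing import Dict, List, Tuple

# Protocol from destination port (assumption: services on their standard ports).
PORT_PROTO = {23: "telnet", 21: "ftp", 3306: "mysql"}

# Rule base: (rule name, protocol, compiled pattern, response). Constructed for the
# example; in practice the administrator's policy is compiled into this table.
RULES = [
    ("ftp.delete", "ftp", re.compile(r"^(?:DELE|RMD)\s", re.I), "alert"),
    ("shell.read_passwd", "telnet", re.compile(r"\b(?:cat|less|more)\s+/etc/(?:passwd|shadow)\b"), "alert"),
    ("shell.destructive", "telnet", re.compile(r"\brm\s+-rf\b"), "alert"),
    ("sql.union_injection", "mysql", re.compile(r"\bunion\b.*\bselect\b", re.I), "alert"),
    ("sql.schema_change", "mysql", re.compile(r"^\s*(?:drop|alter)\s+table\b", re.I), "alert"),
    ("sql.any_select", "mysql", re.compile(r"^\s*select\b", re.I), "log"),
]

IAC = 0xFF
_TELNET_3BYTE = {0xFB, 0xFC, 0xFD, 0xFE}   # IAC WILL/WONT/DO/DONT <option> are three bytes


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation so only what the user typed remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            i += 3 if data[i + 1] in _TELNET_3BYTE else 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def mysql_queries(data: bytes) -> Tuple[List[str], bytes]:
    """Parse complete MySQL packets and return the COM_QUERY texts plus any
    trailing partial packet that must wait for the next segment."""
    queries, pos = [], 0
    while pos + 4 <= len(data):
        length = struct.unpack("<I", data[pos:pos + 3] + b"\x00")[0]
        if pos + 4 + length > len(data):
            break                                   # rest of this packet not captured yet
        payload = data[pos + 4:pos + 4 + length]
        if payload[:1] == b"\x03":                  # 0x03 = COM_QUERY
            queries.append(payload[1:].decode("utf-8", "replace"))
        pos += 4 + length
    return queries, data[pos:]


class PacketProcessor:
    """Reassembles per-session command text and yields completed commands."""

    def __init__(self) -> None:
        self.buffers: Dict[tuple, bytes] = {}

    def feed(self, src: str, dst: str, dport: int, payload: bytes) -> List[Tuple[str, str]]:
        proto = PORT_PROTO.get(dport)
        if proto is None:
            return []                               # not an audited protocol
        key = (src, dst, dport)
        buf = self.buffers.get(key, b"") + payload
        if proto == "mysql":
            queries, buf = mysql_queries(buf)
            done = [(proto, q) for q in queries]
        else:                                       # line-oriented text protocols
            if proto == "telnet":
                buf = strip_telnet_iac(buf)
            *lines, buf = buf.split(b"\r\n")        # last piece may be an incomplete line
            done = [(proto, ln.decode("utf-8", "replace")) for ln in lines if ln]
        self.buffers[key] = buf
        return done


def audit(commands: List[Tuple[str, str]]) -> List[dict]:
    """Rule-base matching: every restored command against every rule for its protocol."""
    log = []
    for proto, cmd in commands:
        for name, rproto, pattern, response in RULES:
            if rproto == proto and pattern.search(cmd):
                log.append({"proto": proto, "cmd": cmd, "rule": name, "response": response})
    return log


def demo() -> List[dict]:
    """Feed constructed segments, including commands split across segments."""
    query = b"\x03SELECT name FROM users WHERE id=1 UNION SELECT user,authentication_string FROM mysql.user"
    packet = struct.pack("<I", len(query))[:3] + b"\x00" + query
    segments = [  # (src, dst, dport, payload); all constructed
        ("10.0.0.7", "10.0.0.5", 23, b"\xff\xfd\x01\xff\xfb\x18cat /etc/"),   # IAC DO ECHO, IAC WILL TTYPE, partial command
        ("10.0.0.7", "10.0.0.5", 23, b"passwd\r\nls\r\n"),
        ("10.0.0.7", "10.0.0.5", 21, b"USER alice\r\nDELE report.doc\r\n"),
        ("10.0.0.7", "10.0.0.5", 3306, packet[:20]),                         # first part of the MySQL packet
        ("10.0.0.7", "10.0.0.5", 3306, packet[20:]),
        ("10.0.0.7", "10.0.0.5", 8080, b"GET / HTTP/1.0\r\n\r\n"),            # port not in the audited set
    ]
    processor = PacketProcessor()
    commands = []
    for src, dst, dport, payload in segments:
        commands.extend(processor.feed(src, dst, dport, payload))
    return audit(commands)
```

Note the two failure modes the text warns about: a command whose text is split across segments or wrapped in negotiation bytes is only caught because the session is reassembled first, and a service moved off its standard port (here, anything on 8080) is simply never inspected by a port-keyed classifier.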

2. Mathematical Statistics Based Method

The mathematical statistics method first creates a statistical description of the object, e.g. the mean or variance of network traffic. The value of this characteristic quantity under normal circumstances is then calculated and compared with the actual network packets; if the actual value differs greatly from the regular value, an attack is deemed to have occurred. However, the biggest problem of the statistical method is how to set the thresholds, i.e. the cut-off point between normal and abnormal values, which often depends on the administrator's experience and is therefore inevitably prone to false alarms and misses.

3. New Method Based on Network Security Audit System : Learning Data Mining

The biggest drawback of the above two methods is that the known intrusion patterns are inevitably hand-coded and cannot be applied to unknown intrusion patterns. So attention has turned to data mining methods, which have learning ability. Data mining is the process of analysing mass data completely, including data preparation, data preprocessing, establishment of the mining model, and model evaluation and interpretation. It is an iterative process and obtains a better model by continuously adjusting methods and parameters. The main idea in a network security audit system is to find *normal* network communication patterns from *normal* network communication data and then to detect web attack behaviours by relevance analysis against the regular attack rule base.
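An added example (mine, not the chapter's) contrasting the statistical method and the learned-normal-pattern idea on constructed data: the statistical part keeps the mean and standard deviation of per-minute connection counts from a normal period and flags a minute whose count exceeds the mean by more than k standard deviations; the mining part extracts the set of (user, command) pairs that occur at least twice in normal data and flags pairs never seen before, so that a single odd event in the training data does not become part of the profile. The traffic figures, the events, the support threshold and the values of k are all assumptions; k is precisely the administrator-chosen cut-off the text warns about, and the example shows the verdict changing with it.

```python
import math
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# --- 1. Statistical method: baseline mean/variance of a traffic measure ---------

def baseline(values: Iterable[int]) -> Tuple[float, float]:
    """Mean and standard deviation of the characteristic quantity under normal conditions."""
    vals = list(values)
    mean = sum(vals) / len(vals)
    var = sum((v - mean) ** 2 for v in vals) / len(vals)
    return mean, math.sqrt(var)


def statistical_alerts(normal: List[int], observed: List[int], k: float) -> List[int]:
    """Indices of observed minutes whose count exceeds mean + k * stddev of the baseline."""
    mean, sd = baseline(normal)
    return [i for i, v in enumerate(observed) if v > mean + k * sd]


# --- 2. Learned normal patterns: mine (user, command) pairs from normal data ------

def mine_normal_patterns(events: Iterable[Tuple[str, str]], min_support: int = 2) -> Set[Tuple[str, str]]:
    """Keep only pairs seen at least `min_support` times, so one-off oddities in the
    'normal' training data are not learned as normal (assumed support threshold)."""
    counts = Counter(events)
    return {pair for pair, n in counts.items() if n >= min_support}


def pattern_alerts(profile: Set[Tuple[str, str]], events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Events that do not match any learned normal pattern."""
    return [e for e in events if e not in profile]


def demo() -> Dict[str, object]:
    # Constructed connections-per-minute from a quiet period (training) and an observed slice.
    normal_minutes = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46]
    observed = [41, 44, 60, 43, 120, 42]          # minute 2 is a mild bump, minute 4 a spike

    # Constructed normal (user, command) events from application and database logs.
    normal_events = [
        ("alice", "SELECT"), ("alice", "SELECT"), ("alice", "UPDATE"), ("alice", "UPDATE"),
        ("bob", "SELECT"), ("bob", "SELECT"), ("bob", "SELECT"),
        ("backup", "mysqldump"), ("backup", "mysqldump"),
        ("alice", "DROP TABLE"),                   # single odd event in the training data
    ]
    new_events = [("bob", "SELECT"), ("bob", "DROP TABLE"), ("alice", "DROP TABLE"), ("backup", "mysqldump")]

    profile = mine_normal_patterns(normal_events)
    return {
        "alerts_k2": statistical_alerts(normal_minutes, observed, k=2.0),
        "alerts_k8": statistical_alerts(normal_minutes, observed, k=8.0),
        "alerts_k30": statistical_alerts(normal_minutes, observed, k=30.0),
        "profile": profile,
        "pattern_alerts": pattern_alerts(profile, new_events),
    }
```

With the baseline at roughly 41.4 connections per minute and a standard deviation of about 2.7, k = 2 flags both the bump and the spike, k = 8 flags only the spike, and k = 30 flags nothing, which is the threshold problem in one line of output. The mined profile, by contrast, flags the two DROP TABLE events without any per-case rule and without any threshold beyond the support count, and the pair that appeared once in the training data is correctly not treated as normal.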

Firstly, the system collects data from the collection points and puts it into the database after processing. Intrusion events are detected by the execution engine of the security audit reading in the rule base. Intrusions are recorded in the intrusion event database, while regular network access data is recorded in the regular network database, from which regular access patterns can be abstracted by data mining. The latest rule base is derived from the old rule base, the intrusion events and the regular access patterns. This procedure is repeated, self-learning constantly, until a stable rule base is reached. Data mining extracts the regular access patterns semi-automatically from the mass of normal data, which reduces the involvement of human perception and experience and so reduces the possibility of false alarms.

#### **4.2.4 How to do security audit**

1. Establish an Audit System

An audit system that leads to an excellent audit should be developed to ensure that auditors do their work on a regular basis. In the audit system, auditors should clearly know what the audit objects are. The main focus is the protection of the enterprise's information, e.g. the servers, backbone switches, routers and security devices.

2. Focus on Fostering Security Auditors

Security auditing involves a great many products and wide-ranging content. The basic audit information comes from operating systems, network systems, security devices, application systems, etc. Security auditors not only need to understand operating systems but should also be familiar with network protocols, databases and virus infection mechanisms. Moreover, an auditor should understand the basic situation of the application systems and master the working principles of servers, switches and security devices, and in particular have a deep understanding of the various security policies of the information systems. In this way, during audit processing, the ability to analyse massive amounts of information can be developed and the ability to observe and think can be cultivated.

However, most enterprise information system security audit work has only just begun, without any in-house professionals. Although a security audit can be conducted by a professional security company or by buying excellent audit software, this is still harmful in terms of safety and long-term development. The audit process involves a great deal of important enterprise information, especially the system's security weaknesses. Serious threats arise when criminals appear or when the staff are poorly able to analyse the weak links. From the above analysis, security audit work should be accomplished by professionals within the enterprise.

From the angles of the security audit requirements on auditors and the situation of enterprise internal personnel, the enterprise should lay emphasis on fostering information system administrators, network administrators and security staff, especially security audit personnel. Because all security policies, security systems and security measures are developed by human beings, personnel of high quality and ability are required to develop management standards for the enterprise information system and to ensure enterprise information security.

3. Reasonable Structure of the Security Audit System

The premise of improving the security audit is to build a security audit system in line with business needs. In building a security audit system, the following issues should be considered:

a. The depth and scope of the audit. The audit depth and scope determine the complexity of the audit system, and are also the basis for selecting audit products.

b. Problems of data sources. The operation of an audit system is based on data from the system at all levels, and how to obtain the data sources of the audit system is the most critical issue.

c. Relationship with the original systems. To ensure that the original system keeps operating normally while the audit is realised, the least modification and the minimum impact on system performance make the audit perfect.

d. Preventing the audit function from being bypassed. If the audit system is easily bypassed, it will lead to serious problems.

e. Effective utilisation of audit data. In establishing an audit system, the lack of deep utilisation of audit data will lead to a weak audit system.


Network security has accompanied computers since their inception, and especially with today's popular networks the security problem is emphasised by sectors and industries at all levels, particularly in the area of intranet security. Network security is a huge and complex dynamic system. Hardware equipment provides basic security for the network, but a system that keeps improving can find a kind of dynamic equilibrium only with the help of a network security audit system that audits the established system in real time, evaluates it effectively and discovers potential safety hazards in time. These problems will become hot spots for future security research in building a solid and reliable network security audit system.

Computer network security auditing is a very complex and extensive research subject; as an indispensable part of an integrated security framework, it complements firewall systems and intrusion detection systems. It involves a wide range of knowledge. As the complexity of computer operating systems and network communication technology increases, the complexity of network security auditing increases too. How to improve the performance of the various technologies in a network security audit system, and how to build a strong network security audit system, need further continuous exploration and research.

#### **5. Conclusion**

Web and database technologies are evolving rapidly; for example, Web 3.0 and graph databases (Angles, 2008) are attracting more and more attention. Related security issues will appear at the same time, but the fundamental security rules will remain the same. In this chapter we have briefly overviewed advanced web and database security, security design principles, and security audit rules and methods. Due to the limited chapter length and the variety of programming languages, most of the content in each section consists of general guidelines and rules. When deploying practical information systems, we need to map those rules onto real implementations. Information systems can be made more secure if we know and apply those technologies.

#### **6. Acknowledgment**

This work is partially supported by Zhejiang Provincial Youth Natural Science Foundation (Q12F020022) and Zhejiang Educational Foundation.

#### **7. References**

**2**

**Cyber Security**

Barry Lunt, Dale Rowe and Joseph Ekstrom
*Brigham Young University*
*USA*

#### **1. Introduction**

Prior to HTML, browsers, and the WWW, computer interconnections were localized and limited. Since the early 1990s, web technologies have made it easy for everyone to access and post content on the Internet. Before long, there were thousands, then hundreds of thousands, and soon tens of millions of computers, all connected together via the Internet. As noted by Robert Metcalfe, and as later codified in what became known as "Metcalfe's Law", the value of a network goes up as the square of the number of users. Regardless of whether we accept his exact quantification of the value, there is no question that a few interconnected computers are more valuable than the same computers not being interconnected, and that many (or all) computers being interconnected has much more value than only a portion of them.

This is the situation today: essentially all desktop, notebook, netbook and tablet computers are interconnected via the Internet, and the same is true for the majority of cell phones. Additionally, even a significant portion of embedded computers are being connected via the Internet, as well as most industrial control and monitoring computers. Suffice it to say that, if the trend continues, and the evidence is very strong that it will, most computers, mobile devices, and even embedded systems either are or soon will be connected via the Internet. While this has dramatic advantages for a free and open society, there has always been an element of society that would attempt to take advantage of this openness in ways that are damaging to other computers, users, the data, or to society as a whole. The need to protect our computers, users, data, and society from this type of abuse is the field of information assurance and security.

#### **2. Guarding our information**

Most businesses today would recognize the need to follow the most economical path to maximum profit. Frequently an organization's profit margins form the primary indicators as to their success. Even government agencies must admit to being somewhat cost-driven. With the recent economic downturn and increased competition to stay one foot ahead, businesses may be tempted to consider security as an afterthought, rather than an integral part of their business models and practices. In this chapter we will look at some of the devastating implications of this error and why every genre of organization must place security at the forefront of business planning and practice.