0 évaluation0% ont trouvé ce document utile (0 vote)
72 vues74 pages
Malicious users can exploit the correlation among data to infer sensitive information
from a series of seemingly innocuous data accesses. Thus, we develop an inference violation
detection system to protect sensitive data content. Based on data dependency, database schema
and semantic knowledge. We constructed a semantic inference model (SIM) that represents the
possible inference channels from any attribute to the pre-assigned sensitive attributes.
Titre original
Protection of Database Security via Collaborative Inference Detection
Malicious users can exploit the correlation among data to infer sensitive information
from a series of seemingly innocuous data accesses. Thus, we develop an inference violation
detection system to protect sensitive data content. Based on data dependency, database schema
and semantic knowledge. We constructed a semantic inference model (SIM) that represents the
possible inference channels from any attribute to the pre-assigned sensitive attributes.
Malicious users can exploit the correlation among data to infer sensitive information
from a series of seemingly innocuous data accesses. Thus, we develop an inference violation
detection system to protect sensitive data content. Based on data dependency, database schema
and semantic knowledge. We constructed a semantic inference model (SIM) that represents the
possible inference channels from any attribute to the pre-assigned sensitive attributes.
A project Report Submitted to Jawaharlal Nehru Technological University In Partial fulfillment of the requirements for the award of the degree of
BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE AND ENGINEERING
Submitted by ABHILASH V. (06231A502) K. BHARATH(06231A0538) M.PAVAN KUMAR (06231A510) Ch. SUNIL (06231A514)
Under the esteemed guidance of Mr. R.SRIKANTH B.Tech (M.Tech)
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING NIMRA COLLEGE OF ENGINEERING AND TECHNOLOGY NIMRA NAGAR, JUPUDI, IBRAHIMPATNAM- 521 456. 2009-2010 2
DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
CERTIFICATE
I certify that this is a bonafied report of project on the Protection of Database Security via Collaborative Inference Detection done by K.BHARATH (06231A0538), Ch.SUNIL(06231A0514), K.ANIL KUMAR(06231A0504),V.ABHILASH(06231A0502),M.PAVAN KUMAR(06231A0510) of IV/IV B.Tech class in Computer Science and Engineering Department for the award of degree for Bachelor of Technology of Jawaharlal Nehru Technological University during the year 2009-2010.
Mr.R.SRIKANTH Mr. SYED GULAM GOUSE B.Tech(M.Tech) M.Tech (CSE) HEAD OF THE DEPARTMENT
3
DECLARATION
We declare that the project work submitted by us for award of Degree of Bachelor of Technology from Nimra College of Engineering and Technology, Jupudi, Ibrahimpatnam affiliated to Jawaharlal Nehru Technology University, Kakinada, is original and it has not been submitted to this or any other university for any degree, diploma or other similar title.
Project Associates:
K.BHARATH (06231A0538)
Signature: ______________
V.ABHILASH (06231A0502)
Signature: ______________
Ch. SUNIL (06231A0514)
Signature: ______________
M.PAVAN KUMAR
Signature: ______________
4
Protection of Database Security via Collaborative Inference Detection
ABSTRACT
Malicious users can exploit the correlation among data to infer sensitive information from a series of seemingly innocuous data accesses. Thus, we develop an inference violation detection system to protect sensitive data content. Based on data dependency, database schema and semantic knowledge. We constructed a semantic inference model (SIM) that represents the possible inference channels from any attribute to the pre-assigned sensitive attributes.
The SIM is then instantiated to a semantic inference graph (SIG) for query-time inference violation detection. For a single user case, when a user poses a query, the detection system will examine his/her past query log and calculate the probability of inferring sensitive information. The query request will be denied if the inference probability exceeds the pre specified threshold. For multi-user cases, the users may share their query answers to increase the inference probability.
Therefore, we develop a model to evaluate collaborative inference based on the query sequences of collaborators and their task-sensitive collaboration levels. Experimental studies reveal that information authoritativeness, communication fidelity and honesty in collaboration are three key factors that affect the level of achievable collaboration. An example is given to illustrate the use of the proposed technique to prevent multiple collaborative users from deriving sensitive information via inference.
5
INDEX
1. INTRODUCTION 1.1 Problem Identification- Existing System. 1.2 Proposed System
2. SYSTEM ANALYSIS 2.1 System Requirement 2.2 Implementation Plan 2.3 Modules
3. SYSTEM DESIGN 3.1 Models 3.2 Architecture 3.3 Menu Design 3.4 Database Design
4. DEVELOPMENT OF SYSTEM AND TESTING 4.1 System Development 4.2 UML
6
5. SOFTWARE REQUIREMENTS 5.1 HTML 5.2 Java 5.3 Java script 5.4 J2EE 5.5 SQL SERVER 2005 5.6 Net Beans
6. CODING
7. TESTING
8. SCREEN SHOTS
9. CONCLUSION
10.BIBLIOGRAPHY
7
APPENDIX List of Figures 3.1 System Architecture 4.1 System Development 4.2 Use Case Diagram 4.3 Sequence Diagram 4.4 Activity Diagram 5.1 The two J2ME configurations 5.2 Profiles 8.1 Starting page 8.2 New Registration 8.3 Registered 8.4 Forgot password 8.5 Password retrieval 8.6 Main page 8.7 URL and password given 8.8 Result 8.9 Wrong password 8.10 After wrong password 8.11 Logout and login again 8.12 URL stored in database 8.13 Change search password 8.14 Database List of Tables 3.2 DataBase Design
8
1. INTRODUCTION
Access control mechanisms are commonly used to protect users from the acknowledgment of sensitive information in data sources. However, such techniques are insufficient because malicious users may access a series of innocuous information and then employ inference techniques to derive sensitive data by using that information. To address this inference problem, we develop an inference detection system that resides at the central directory site. Because inference channels can be used to provide a scalable and systematic sound inference, we construct a semantic inference model (SIM) that represents all the possible inference channels from any attribute in the system to the set of pre-assigned sensitive attributes.
The SIM can be constructed by linking all the related attributes, which can be derived via attribute dependency from data dependency, database schema, and semantic related knowledge. Based on the SIM, the violation detection system keeps track of a users query history. When a new query is posed, all the channels where sensitive information can be inferred will be identified. If the probability of inferring sensitive information exceeds a pre-specified threshold, then the current query request will be denied.
This inference detection approach is based on the assumption that users are isolated and do not share information with one another. This assumption, however, may not be the case in a real-life situation. Most users usually work as a team, and each member can access the information independently. Afterward, the members may merge their knowledge together and jointly infer the sensitive information. Generalizing from a single-user collaborative system to a multi-user collaborative system greatly increases the complexity of the inference detection system. This motivates us to extend our research from a single user case to a multiple-user case, where users may collaborate with each other to jointly infer sensitive data. We have conducted a set of experiments by using our inference violation detector as a testbed to understand the characteristics in collaboration and the effect on collaborative inference. From the experiments, we learn that for a given specific task, the amount of information that flows from one user to another depends on the closeness of their relationships and the knowledge related to the task. 9
Thus, collaborative inference for a specific task can be derived by tracking the query history of all the users together with their collaboration levels (CLs).
1.1 Problem Identification: Existing System:
Multiple collaborative users from deriving sensitive information via inference.
Experimental studies reveal that information authoritativeness, communication fidelity, and honesty in collaboration are three key factors that affect the level of achievable collaboration
Disadvantages: Users may access a series of innocuous information. Single-user environment its detection level is very low.
1.2 Proposed System:
We develop a model for evaluating collaborative inference based on the query sequences of collaborators and their task-sensitive collaboration levels.
A mechanism that propagates update to the user history files to ensure that no query is rejected based on the outdated information.
To reduce the time in examining the entire history login computation inference.
Advantages: Inference channels can be used to provide a scalable and systematic sound inference System keeps track of a users query history Multi-user environment inference detection level is very high
10
1. SYSTEM ANALYSIS
2.1 System Requirements:
Hardware Requirements:
Hard disk 40GB RAM 265MB or more Processor Speed 2.60GHz Processor Pentium IV Processor or more
Software Requirements:
JDK1.5 Net Beans IDE 5.0 SQL 2005
2.2 Implementation Plan: To develop Protection of Database Security we are going to assign users request by using Collaborative Inference Detection method. In Collaboration inference Detection is used to estimate users authoritativeness and honesty. To design the project by using advance java web application concepts like Servlets, JSP and Sql server.
2.3 Modules: Membership Login Add new Members Searching RSS Reader Process Monitoring
11
Module Description:
Membership Login: User gives the required username and password and then logins. If the login name and password in correct then he goes to the next form else he is asked to give the correct username and password.
Add new Members: The Registration module new user can register the details.
Searching RSS Reader: After login, user Enter into the RSS Reader searching page, user can view any RSS Xml files in any web sites. We process the user query, using searching password by providing password as key which is key feature in our application. If the user searching password and requesting rss url both are true, processes the users request by using channels. This channel gets the information from the external database. So, user can view that particular rss file data. Also we stored the users query in history for future references.
Process Monitoring: This module deals, whether user requesting query within the limit. We predict threshold limit by using searching password. If user searching password is mismatch, then the system considered as user requesting query threshold value more then normal threshold level. So user connection will be terminated.
12
3. SYSTEM DESIGN
3.1 Models: Inference detection system using the following models used to estimate authoritativeness and honesty
Knowledge Acquisition model: The Knowledge Acquisition module extracts data dependency knowledge, data scheme knowledge and domain semantic knowledge. Based on the database schema and the data sources, we can extract data dependency between attributes within the same entity and among entities. Domain semantic knowledge can be derived by semantic links with specific constraints and rules. A semantic inference model can be constructed based on the acquired knowledge.
Semantic Inference Model: The Semantic Inference Model (SIM) is a data model that combines data schema, dependency and semantic knowledge. The model links related attributes and entities as well as semantic knowledge needed for data inference. Therefore SIM represents all the possible relationships among the attributes of the data sources. A Semantic Inference Graph (SIG) can be constructed by instantiating the entities and attributes in the SIM. For a given query, the SIG provides inference channels for inferring sensitive information.
Violation Detection model: Based on the inference channels derived from the SIG, the Violation Detection module combines the new query request with the request log, and it checks to see if the current request exceeds the pre-specified threshold of information leakage. If there is collaboration according to social relation analysis, the Violation Detection module will decide whether to answer the current query based on the acquired knowledge among the malicious group members and their social relation to the current user.
13
3.2 System Architecture:
Fig 3.1
14
3.3 Database Design:
Fig 3.2
15
4. SYSTEM DEVELOPMENT
4.1 System Development:
Fig 4.1
Searchin g process Login Proces s User Request process DB Genuine user Query requisition Query history User Request Analysis Genuine user, Requesting information
Request Invalid user requesting query Disconnected connection re-login Main DB 16
A threat to database security is the misuses of these databases by the authorized users, for example selling the personal information to outsiders. Various access control mechanisms have been proposed for protecting individual information in statistical database systems. These mechanisms are specifically designed for statistical databases, making them not applicable to general purpose database systems. In multilevel secure database systems, a type of attacks called inference is identified. An inference occurs when a user uses legitimate data to infer information without directly accessing it. Existing approaches to inference detection focus on analyzing functional dependencies in the database schema. However, it is possible to exploit data level functional dependencies to achieve inferences. For example, although in general the job title does not functionally determine salary (different vice-presidents may earn different salaries), the dependency may hold for lower rank jobs. This research investigates the detection of attempts to access personal information relational database systems. We identify five types of inferences: unique characteristic, logical implication, complementary, overlapping, and functional dependency. Algorithms for these inferences are developed. These inferences are detected by auditing both user queries and their return tables.
In general the inference problem is an NP-complete problem (for example, determining the equivalence between two logical expressions). We have no attempt to completely detect all possible types of inferences. The detection system essentially makes the inference attacks more difficult. This might result in having the user to issue more queries, which then could be detected by anomaly detection techniques.
NP is the set of decision problems solvable in polynomial time by a non-deterministic Turing machine. Anomaly Detection refers to detecting patterns in a given data set that do not conform to an established normal behavior
Existing work on inference detection for database systems mainly employ functional dependencies in the database schema to detect inferences.
It has been noticed that analyzing the data stored in the database may help to detect more inferences.
In this paper, we describe our effort in developing a data level inference detection system. We have identified five inference rules that a user can use to perform inferences. They are `subsume', `unique characteristic', `overlapping ', `complementary', and `functional dependency' inference rules. 17
The existence of these inference rules confirms the inadequacy of detecting inferences using just functional dependencies. The rules can be applied any number of times and in any order.
These inference rules are sound. They are not necessarily complete, although we have no example that demonstrates incompleteness. We employ a rule based approach so that future inference rules can be incorporated into the detection system.
We have developed a prototype of the inference detection system using Perl on a Sun SPARC 20 workstation. The preliminary results show that on average it takes seconds to process a query for a database with thousands of records.
Thus, our approach to inference detection is best performed off-line, and would be most useful to detect subtle inference attacks.
4.2 Unified Modeling Language Diagrams: The unified modeling language allows the software engineer to express an analysis model using the modeling notation that is governed by a set of syntactic semantic and pragmatic rules. A UML system is represented using five different views that describe the system from distinctly different perspective. Each view is defined by a set of diagram, which is as follows. User Model View i. This view represents the system from the users perspective. ii. The analysis representation describes a usage scenario from the end-users perspective. Structural model view In this model the data and functionality are arrived from inside the system. This model view models the static structures. Behavioral Model View It represents the dynamic of behavioral as parts of the system, depicting the interactions of collection between various structural elements described in the user model and structural model view. Implementation Model View In this the structural and behavioral as parts of the system are represented as they are to be built. 18
Environmental Model View In this the structural and behavioral aspects of the environment in which the system is to be implemented are represented. UML is specifically constructed through two different domains they are UML Analysis modeling, which focuses on the user model and structural model views of the system. UML design modeling, which focuses on the behavioral modeling, implementation modeling and environmental model views.
19
Use Case Diagram:-
Fig 4.2
Sequence Diagram:-
Fig 4.3 20
Activity Diagram:
Fig 4.4
Requesting info from db
Checking request Retrieve the information User
Valid user
Logout Invalid search 21
5. SOFTWARE REQUIREMENTS
5.1 HTML (Hyper text markup language)
What an HTML Document Is?
HTML documents are plain-text (also known as ASCII) files that can be created using any text editor (e.g., Emacs or vi on UNIX machines; SimpleText on a Macintosh; Notepad on a Windows machine). You can also use word-processing software if you remember to save your document as "text only with line breaks".
HTML Editors:
Some WYSIWYG editors are also available (e.g., Claris Home Page or Adobe PageMill, both for Windows and Macintosh). You may wish to try one of them after you learn some of the basics of HTML tagging. WYSIWYG is an acronym for "what you see is what you get"; it means that you design your HTML document visually, as if you were using a word processor, instead of writing the markup tags in a plain-text file and imagining what the resulting page will look like.
It is useful to know enough HTML to code a document before you determine the usefulness of a WYSIWYG editor, in case you want to add HTML features that your editor doesn't support.
22
Getting Your Files on a Server:
If you have access to a Web server at school or work, contact your webmaster (the individual who maintains the server) to see how you can get your files on the Web. If you do not have access to a server at work or school, check to see if your community operates a FreeNet, a community-based network that provides free access to the Internet.
Lacking a FreeNet, you may need to contact a local Internet provider that will post your files on a server for a fee. (Check your local newspaper for advertisements or with your Chamber of Commerce for the names of companies.)
Tags Explained:
An element is a fundamental component of the structure of a text document. Some examples of elements are heads, tables, paragraphs, and lists. Think of it this way: you use HTML tags to mark the elements of a file for your browser. Elements can contain plain text, other elements, or both.
To denote the various elements in an HTML document, you use tags. HTML tags consist of a left angle bracket (<), a tag name, and a right angle bracket (>). Tags are usually paired (e.g., <H1> and </H1>) to start and end the tag instruction. The end tag looks just like the start tag except a slash (/) precedes the text within the brackets. HTML tags are listed below.
Some elements may include an attribute, which is additional information that is included inside the start tag. For example, you can specify the alignment of images (top, middle, or bottom) by including the appropriate attribute with the image source HTML code. Tags that have optional attributes are noted below.
23
NOTE: HTML is not case sensitive. <Title> is equivalent to <TITLE> or <Title>. There are a few exceptions noted in Escape Sequences below.
Not all tags are supported by all World Wide Web browsers. If a browser does not support a tag, it will simply ignore it. Any text placed between a pair of unknown tags will still be displayed, however.
The Minimal HTML Document:
Every HTML document should contain certain standard HTML tags. Each document consists of head and body text.
The head contains the title, and the body contains the actual text that is made up of paragraphs, lists, and other elements. Browsers expect specific information because they are programmed according to HTML and SGML specifications.
5.2 Java: Java is an object-oriented multithread programming languages .It is designed to be small, simple and portable across different platforms as well as operating systems.
FEATURES OF JAVA
Platform Independence The Write-Once-Run-Anywhere ideal has not been achieved (tuning for different platforms usually required), but closer than with other languages.
24
Object Oriented Object oriented throughout - no coding outside of class definitions, including main(). An extensive class library available in the core language packages.
Compiler/Interpreter Combo Code is compiled to byte codes that are interpreted by a Java virtual machines (JVM). This provides portability to any machine for which a virtual machine has been written. The two steps of compilation and interpretation allow for extensive code checking and improved security. Robust Exception handling built-in, strong type checking (that is, all data must be declared an explicit type), local variables must be initialized.
Several features of C & C++ eliminated: No memory pointers No preprocessor Array index limit checking
Security No memory pointers Programs run inside the virtual machine sandbox. Array index limit checking Code pathologies reduced by Byte code verifier - checks classes after loading Class loader - confines objects to unique namespaces. Prevents loading a hacked "java.lang.SecurityManager" class, for example. Security manager - determines what resources a class can access such as reading and writing to the local disk.
Dynamic Binding The linking of data and methods to where they are located is done at run-time. New classes can be loaded while a program is running. Linking is done on the fly. Even if libraries are recompiled, there is no need to recompile code that uses classes in those libraries.
This differs from C++, which uses static binding. This can result in fragile classes for cases where linked code is changed and memory pointers then point to the wrong addresses.
26
Good Performance Interpretation of byte codes slowed performance in early versions, but advanced virtual machines with adaptive and just-in-time compilation and other techniques now typically provide performance up to 50% to 100% the speed of C++ programs.
Threading Lightweight processes, called threads, can easily be spun off to perform multiprocessing. Can take advantage of multiprocessors where available Great for multimedia displays. Built-in Networking Java was designed with networking in mind and comes with many classes to develop sophisticated Internet communications. IMP applications are called IMlets, but in reality they are MIDlets. They subclass MIDlet, and follow the same packaging, deployment, security and life-cycle as MIDlets.
Connected Device Configuration:
CDC is a smaller subset of Java SE, containing almost all the libraries that are not GUI related.
Foundation Profile:
A headless version of Java SE.
Personal Basis Profile:
Extends the Foundation Profile to include lightweight GUI support in the form of an AWT subset.
27
Personal Profile:
This extension of Personal Basis Profile includes a more comprehensive AWT subset and adds applet support.
Java application Classic VM + CDC APIs Native APIs Native OS Device Java application Profile Configuration Native OS Device 28
5.3 JavaScript:
Java script is an easy-to-use programming language that can be embedded in the header of your web pages.
It can enhance the dynamics and interactive features of your page by allowing you to perform calculations, check forms, write interactive games, add special effects, customise graphics selections, and create security passwords and more.
What's the difference between JavaScript and Java?
Java is a compiled programming language, similar to C. It is powerful enough to write major applications and insert them in a web page as a special object called an "applet." Java has been generating a lot of excitement because of its unique ability to run the same program on IBM, Mac, and UNIX computers. Java is not considered an easy-to-use language for non- programmers.
Java script is much simpler to use than Java. With Java script, if you want check a form for errors, just type an if-then statement at the top of the page. No compiling, no applets, just a simple sequence.
Object-oriented programming consists of Objects, Methods and Properties. An object is basically a black box which stores some information.
It may have a way for you to read that information and a way for you to write to, or change, that information. It may also have other less obvious ways of interacting with the information.
Some of the information in the object may actually be directly accessible; other information may require you to use a method to access it - perhaps because the way the information is stored internally is of no use to you, or because only certain things can be written 29
into that information space and the object needs to check that you're not going outside those limits.
The directly accessible bits of information in the object are its properties. The difference between data accessed via properties and data accessed via methods is that with properties, you see exactly what you're doing to the object; with methods, unless you created the object yourself, you just see the effects of what you're doing.
A few examples your web page document is an object. Any table, form, button, image, or link on your page is also an object. Each object has certain properties (information about the object). For example, the background color of your document is written document.bgcolor.
You would change the color of your page to red by writing the line: document.bgcolor="red" The contents (or value) of a textbox named "password" in a form named "entryform" is document.entryform.password.value.
Methods:
Most objects have a certain collection of things that they can do. Different objects can do different things, just as a door can open and close, while a light can turn on and off. A new document is opened with the method document.open()
You can write "Hello World" into a document by typing document.write("Hello World") . open() and write() are both methods of the object: document.
30
Events:
Events are how we trigger our functions to run. The easiest example is a button, whose definition includes the words onClick="run_my_function()". The onClick event, as its name implies, will run the function when the user clicks on the button. Other events include OnMouseOver, OnMouseOut, OnFocus, OnBlur, OnLoad, and OnUnload.
JavaScript and HTML:
JavaScript is inserted in the <HEAD> area of HTML documents, between <SCRIPT> and </SCRIPT> tags.
This is the standard open and close to the JavaScript section of your page:
<HTML> <HEAD> <SCRIPT LANGUAGE="JavaScript"> < !-- Beginning of JavaScript - (all of your JavaScript functions) // - End of JavaScript - --> </SCRIPT> </HEAD>
Remember to tell the browser your script language: <SCRIPT LANGUAGE="JavaScript"> The <!-- and --> tags are used to hide comments in HTML from the browser. Old browsers will not understand the <SCRIPT> tags, so you need to include the comment tags to keep your JavaScript from showing up on the Browser (e.g. Netscape 1.0).
Hiding scripts within comment tags: 31
Only Netscape Navigator versions 2.0 and later recognize JavaScript. To ensure that other browsers ignore JavaScript code, place the entire script within HTML comment tags, and precede the ending comment tag with a double-slash (//) that indicates a JavaScript single-line comment: <SCRIPT> <!-- Begin to hide script contents from old browsers. JavaScript statements... // End the hiding here. --> </SCRIPT>
The Form is a JavaScript user's best friend. Forms can be used to input text, to display results, and to trigger JavaScript functions. The form in our example used 2 objects, a text box, and a button.
All forms start with the tag <FORM> and end with </FORM>.
The text box should include a NAME and a TYPE. The NAME will be used when we need to tell the function which box has the text we want. TYPE is how the browser knows to create a text box, button, or check box. For example:
<INPUT NAME="text1" TYPE=Text>
The button is how we tell JavaScript to run a particular function. The button should include a NAME, TYPE, VALUE, and ONCLICK command.
The NAME could be used to refer to the button in JavaScript, but is usually not important.
The VALUE is the label which will appear inside the button. The ONCLICK is followed by the name of a function, and the name of the text box containing the data. 32
For example:
<INPUT NAME="submit" TYPE=Button VALUE="Show Me" onClick="MsgBox(form.text1.value)"> <BODY> <FORM> <INPUT NAME="text1" TYPE=Text> <INPUT NAME="submit" TYPE=Button VALUE="Show Me" onClick="MsgBox(form.text1.value)"> </FORM></BODY></HTML>
5.4 J2EE (Java 2 Enterprise Edition):
Today, more and more developers want to write distributed transactional applications for the enterprise and leverage the speed, security, and reliability of server-side technology. If you are already working in this area, you know that in today's fast-moving and demanding world of e-commerce and information technology, enterprise applications have to be designed, built, and produced for less money, with greater speed, and with fewer resources than ever before. To reduce costs and fast-track enterprise application design and development, the Java
2 Platform, Enterprise Edition (J2EE ) technology provides a component-based approach to the design, development, assembly, and deployment of enterprise applications. The J2EE platform offers a multi tiered distributed application model, the ability to reuse components, integrated Extensible Markup Language (XML)-based data interchange, a unified security model, and flexible transaction control. Not only can you deliver innovative customer solutions to market faster than ever, but your platform-independent J2EE component-based solutions are not tied to the products and application programming interfaces (APIs) of any one vendor. Vendors and customers enjoy the 33
freedom to choose the products and components that best meet their business and technological requirements.
Distributed Multi tiered Applications:
The J2EE platform uses a multi tiered distributed application model. Application logic is divided into components according to function, and the various application components that make up a J2EE application are installed on different machines depending on the tier in the multi tiered J2EE environment to which the application component belongs
J2EE Components: Client-tier components run on the client machine. Web-tier components run on the J2EE server. Business-tier components run on the J2EE server. Enterprise information system (EIS)-tier software runs on the EIS server. J2EE multi tiered applications are generally considered to be three-tiered applications because they are distributed over three different locations: client machines, the J2EE server machine, and the database or legacy machines at the back end. Three-tiered applications that run in this way extend the standard two-tiered client and server model by placing a multithreaded application server between the client application and back-end storage.
J2EE applications are made up of components. A J2EE component is a self-contained functional software unit that is assembled into a J2EE application with its related classes and files and that communicates with other components. The J2EE specification defines the following J2EE components: 34
Application clients and applets are components that run on the Client. Java Servlet and Java Server Pages (JSP ) technology Components are Web components that run on the server. Enterprise JavaBeans (EJB ) components (enterprise beans) are business components that run on the server. J2EE components are written in the Java programming language and are compiled in the same way as any program in the language. The difference between J2EE components and "standard" Java classes is that J2EE components are assembled into a J2EE application, verified to be well formed and in compliance with the J2EE specification, and deployed to production, where they are run and managed by the J2EE server. Web Clients: A Web client consists of two parts: dynamic Web pages containing various types of markup language (HTML, XML, and so on), which are generated by Web components running in the Web tier, and a Web browser, which renders the pages received from the server. A Web client is sometimes called a thin client. Thin clients usually do not do things like query databases, execute complex business rules, or connect to legacy applications. When you use a thin client, heavyweight operations like these are off-loaded to enterprise beans executing on the J2EE server where they can leverage the security, speed, services, and reliability of J2EE server-side technologies. Applets : Web components are the preferred API for creating a Web client program because no plug-ins or security policy files are needed on the client systems. Also, Web components enable cleaner and more modular application design because they provide a way to separate applications programming from Web page design. Personnel involved in Web page design thus do not need to understand Java programming language syntax to do their jobs. 35
Application Clients: A J2EE application client runs on a client machine and provides a way for users to handle tasks that require a richer user interface than can be provided by a markup language. It typically has a graphical user interface (GUI) created from Swing or Abstract Window Toolkit (AWT) APIs, but a command-line interface is certainly possible. Application clients directly access enterprise beans running in the business tier. However, if application requirements warrant it, a J2EE application client can open an HTTP connection to establish communication with a servlet running in the Web tier. JavaBeans Component Architecture: The server and client tiers might also include components based on the JavaBeans component architecture (JavaBeans component) to manage the data flow between an application client or applet and components running on the J2EE server or between server components and a database. JavaBeans components are not considered J2EE components by the J2EE specification. JavaBeans components have instance variables and get and set methods for accessing the data in the instance variables. JavaBeans components used in this way are typically simple in design and implementation, but should conform to the naming and design conventions outlined in the JavaBeans component architecture. J2EE Server Communications : The client communicates with the business tier running on the J2EE server either directly or, as in the case of a client running in a browser, by going through JSP pages or servlets running in the Web tier. J2EE application uses a thin browser-based client or thick application client. In deciding which one to use, should be aware of the trade-offs between keeping functionality on the client and close to the user (thick client) and off-loading as much functionality as possible to the server (thin client). 36
The more functionality you off-load to the server, the easier it is to distribute, deploy, and manage the application; however, keeping more functionality on the client can make for a better perceived user experience. 5.5 SQL Server 2005: Microsoft SQL Server 2000 features include: Internet Integration: The SQL Server 2000 database engine includes integrated XML support. It also has the scalability, availability, and security features required to operate as the data storage component of the largest Web sites. The SQL Server 2000 programming model is integrated with the Windows DNA architecture for developing Web applications, and SQL Server 2000 supports features such as English Query and the Microsoft Search Service to incorporate user-friendly queries and powerful search capabilities in Web applications. Scalability and Availability: The same database engine can be used across platforms ranging from laptop computers running Microsoft Windows 98 through large, multiprocessor servers running Microsoft Windows 2000 Data Center Edition. SQL Server 2000 Enterprise Edition supports features such as federated servers, indexed views, and large memory support that allow it to scale to the performance levels required by the largest Web sites. Enterprise-Level Database Features: The SQL Server 2000 relational database engine supports the features required to support demanding data processing environments. The database engine protects data integrity while minimizing the overhead of managing thousands of users concurrently modifying the database. SQL Server 2000 distributed queries allow you to reference data from multiple sources 37
as if it were a part of a SQL Server 2000 database, while at the same time, the distributed transaction support protects the integrity of any updates of the distributed data. Replication allows you to also maintain multiple copies of data, while ensuring that the separate copies remain synchronized. You can replicate a set of data to multiple, mobile, disconnected users, have them work autonomously, and then merge their modifications back to the publisher. Ease of installation, deployment, and use: SQL Server 2000 includes a set of administrative and development tools that improve upon the process of installing, deploying, managing, and using SQL Server across several sites. SQL Server 2000 also supports a standards-based programming model integrated with the Windows DNA, making the use of SQL Server databases and data warehouses a seamless part of building powerful and scalable systems. These features allow you to rapidly deliver SQL Server applications that customers can implement with a minimum of installation and administrative overhead. Data warehousing: SQL Server 2000 includes tools for extracting and analyzing summary data for online analytical processing. SQL Server also includes tools for visually designing databases and analyzing data using English-based questions. 5.6 NetBeans: An Integrated Development Environment (IDE) is a necessity for enterprise developers who want to have all their productivity tools under one umbrella. An IDE enables the developer to move from one phase of application development to the next without having to worry about manual management of source code or tool interfaces. With so many IDEs available on the market today, it has become a time-consuming task to decide on and choose one. 38
Ideally, you should be looking for an IDE that maximizes your productivity: easy to use, fun to work with, enables you to get the work done, and has out-of-the-box support for open standards and technologies. The NetBeans IDE, which is sponsored by Sun Microsystems, is a free and open source IDE that enables you to develop J2EE 1.4 applications and web services, mobile/wireless applications and services, and J2SE desktop applications. Using the NetBeans IDE, developers get their work done in a fun development environment that enables them to concentrate on the business logic of their applications. It provides productivity tools, and supports refactoring and integrated debugging, that simplify the work of Java technology developers. The NetBeans IDE allows developers to: Create J2EE applications, automatically add EJB modules and web modules, and deploy the applications Create EJBs from existing source, from scratch, or from an existing database Automatically generate EJB business methods, database calls, and calls to EJBs Create a web module for deployment to the freely available Application Server PE 8 or Tomcat Add multiple source folders to an EJB module or web module, and create unit tests as part of the project Edit deployment descriptors in a graphical editor that is automatically synchronized with the underlying XML Create, register, and test web services Import your existing J2EE projects Validate your applications with the J2EE Verifier Visually configure your EJBs, web Services and web components
39
6. CODING
Index page:
<%@page contentType="text/html"%> <%@page pageEncoding="UTF-8"%> <%-- The taglib directive below imports the JSTL library. If you uncomment it, you must also add the JSTL library to the project. The Add Library... action on Libraries node in Projects view can be used to add the JSTL 1.1 library. --%> <%-- <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> --%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%@page contentType="text/html"%> <%@page pageEncoding="UTF-8"%> <%-- The taglib directive below imports the JSTL library. If you uncomment it, you must also add the JSTL library to the project. The Add Library... action on Libraries node in Projects view can be used to add the JSTL 1.1 library. --%> <%-- <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> --%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<%-- The taglib directive below imports the JSTL library. If you uncomment it, you must also add the JSTL library to the project. The Add Library... action on Libraries node in Projects view can be used to add the JSTL 1.1 library. --%> <%-- <%@taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c"%> --%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
This example uses JSTL, uncomment the taglib directive above. To test, display the page like this: index.jsp?sayHello=true&name=Murphy --%>
<%-- <c:if test="${param.sayHello}">
<!-- Let's welcome the user ${param.name} -->
Hello ${param.name}! </c:if> --%> </form>
</body> </html>
54
7. TESTING
Introduction:
After finishing the development of any computer based system the next complicated time consuming process is system testing. During the time of testing only the development company can know that, how far the user requirements have been met out, and so on. Following are the some of the testing methods applied to this effective project: Source Code Testing:
This examines the logic of the system. If we are getting the output that is required by the user, then we can say that the logic is perfect.
Specification Testing:
We can set with, what program should do and how it should perform under various condition. This testing is a comparative study of evolution of system performance and system requirements.
Module Level Testing:
In this the error will be found at each individual module, it encourages the programmer to find and rectify the errors without affecting the other modules.
Unit Testing:
Unit testing focuses on verifying the effort on the smallest unit of software-module. The local data structure is examined to ensure that the date stored temporarily maintains its integrity 55
during all steps in the algorithms execution. Boundary conditions are tested to ensure that the module operates properly at boundaries established to limit or restrict processing.
Integration Testing:
Data can be tested across an interface. One module can have an inadvertent, adverse effect on the other. Integration testing is a systematic technique for constructing a program structure while conducting tests to uncover errors associated with interring.
Validating Testing: It begins after the integration testing is successfully assembled. Validation succeeds when the software functions in a manner that can be reasonably accepted by the client. In this the majority of the validation is done during the data entry operation where there is a maximum possibility of entering wrong data. Other validation will be performed in all process where correct details and data should be entered to get the required results.
Recovery Testing:
Recovery Testing is a system that forces the software to fail in variety of ways and verifies that the recovery is properly performed. If recovery is automatic, re-initialization, and data recovery are each evaluated for correctness.
Security Testing:
Security testing attempts to verify that protection mechanism built into system will in fact protect it from improper penetration. The tester may attempt to acquire password through external clerical means, may attack the system with custom software design to break down any defenses to others, and may purposely cause errors. 56
Performance Testing:
Performance Testing is used to test runtime performance of software within the context of an integrated system. Performance test are often coupled with stress testing and require both software instrumentation.
Blackbox Testing:
Black- box testing focuses on functional requirement of software. It enables to derive ets of input conditions that will fully exercise all functional requirements for a program. Black box testing attempts to find error in the following category: Incorrect or missing function Interface errors Errors in data structures or external database access and performance errors.
Output Testing:
After performing the validation testing, the next step is output testing of the proposed system since no system would be termed as useful until it does produce the required output in the specified format. Output format is considered in two ways, the screen format and the printer format.
User Accepting Testing:
User Acceptance Testing is the key factor for the success of any system. The system under consideration is tested for user acceptance by constantly keeping in touch with prospective system users at the time of developing and making changes whenever required.
57
8. SCREEN SHOTS
Output: Run Index Page type username and password
Fig 8.1
58
New Registration:
Fig 8.2
59
Registered:
Fig 8.3
60
Forget password:
Fig 8.4
61
Password retrieved:
Fig 8.5
62
Main Page:
Fig 8.6
Give URL http://www.rediff.com/rss/iycurss.xml http://www.cricinfo.com/rss/livescores.xml http://www.rediff.com/rss/newsrss.xml And search password
63
URL and Password given:
Fig 8.7
64
If the URL already exist it get it from server otherwise stored the URL in DB and get from web server first time only:
Fig 8.8
65
If you are entering wrong password:
Fig 8.9
66
After wrong password:
Fig 8.10
67
Then logout and login again:
Fig 8.11
68
If your visited URLs stored in DB:
Fig 8.12
69
You can change search password in setting:
Fig 8.13 70
DataBase:
71
Fig 8.14
72
9. CONCLUSION
We present a technique that prevents users from inferring sensitive information from a series of seemingly innocuous queries. Compared to the deterministic inference approach in previous works, we include nondeterministic relations into inference channels for query-time inference detection. Specifically, we extract possible inference channels from probabilistic data dependency, the database schema, and the semantic knowledge, and we construct a SIM. The SIM links represent the possible inference channels from any attribute to the set of pre-assigned sensitive attributes.
The parameters of attributes in SIM can be computed in polynomial time in terms of the rows and columns of the relational table. The SIM is then instantiated by specific instances and reduced to a SIG for inference violation detection at query time. To reduce the computation complexity for inference, the SIG can be mapped into a Bayesian network so that available Bayesian network tools can be used for evaluating the inference probability along the inference channels. When a user poses a query, the detection system will examine his/her past query log and calculate the probability of inferring sensitive information from answering the posed query. The query request will be denied if it can infer sensitive information, with probability exceeding the pre-specified threshold. In the multiple- user inference environment, the users can share their query answers to collaboratively infer sensitive information.
Collaborative inference is related to the CL and the inference channels of the user-posed queries. For inference violation detection, we developed a collaborative inference model that combines the collaborators query log sequences into inference channels to derive the collaborative inference of sensitive information.
A sensitivity analysis of attributes in the Bayesian network can be used for studying the sensitivity of the inference channels. Our study reveals that the nodes closer to the security node have stronger inference effects on the security node. Thus, a sensitivity 73
analysis of these close nodes can assist domain experts to specify the threshold of the security node to ensure its robustness.
User profiles and questionnaire data provide a good starting point for learning CLs among collaborative users. However, gathering such information is complicated by the fact that the information may be incomplete and incorrect. In addition, the accuracy of such information is task specific and user-community sensitive.
We have constructed a testbed on the inference violation detection system to study the CL for collaborative users. Our preliminary study reveals that information provider authoritativeness, communication fidelity, and honesty in collaboration play key roles in the CL. Further research and experiments in generating training sets to estimate and validate the CL are needed.
Future Enhancement:
Collaborative Inference Detection method is used to provide a user with the authority to perform his task based on which the system decided the trustworthiness of the kind user.
In future we may confine the security level of trustworthiness, which may help in to dig into the deeper information on the various levels provided to individual based on their action or query.
74
10. BIBLIOGRAPHY
References: K. Aberer and Z. Despotovic, Managing Trust in a Peer-2-Peer Information System, Proc. 10th ACM Intl Conf. Information and Knowledge Management (CIKM 01), Oct. 2001.
M. Chavira, D. Allen, and A. Darwiche, Exploiting Evidence in Probabilistic Inference, Proc. 21st Conf. Uncertainty in Artificial Intelligence (UAI 05), pp. 112-119, 2005.
Y. Chen and W.W. Chu, Database Security Protection via Inference Detection, Proc. Third IEEE Intl Conf. Intelligence and Security Informatics (ISI 06), 2006.
M. Chavira and A. Darwiche, Compiling Bayesian Networks with Local Structure, Proc. 19th Intl Joint Conf. Artificial Intelligence (IJCAI 05), pp. 1306-1312, 2005.
F. Cornelli, E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, Choosing Reputable Servents in a P2P Network, Proc. 11th Intl World Wide Web Conf. (WWW 02), May 2002.
A. Darwiche, Recursive Conditioning, Artificial Intelligence, vol. 126, nos. 1-2, pp. 5-41, 2001.