The job of attack recovery is two-fold: damage
assessment and repair. In particular, the job of the Damage
Assessor is to locate each affected good transaction, i.e., the
damage spreading traces; and the job of the Damage
Repairer is to recover the database from the damage caused
to the objects updated along the traces. Specifically, when
an affected transaction T is located, the Damage Repairer
builds a specific cleaning transaction to clean each object
updated by T (and not cleaned yet). Cleaning an object is
simply done by restoring the value of the object to its latest
undamaged version.
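As an added illustration (not code from the paper), the two jobs described above, run on a constructed read/write history: the assessor follows the damage spreading traces in commit order, and the repairer restores every object updated along a trace to its latest undamaged version.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    """One committed transaction; tid is its position in commit order."""
    tid: int
    reads: frozenset   # objects read
    writes: dict       # object -> value written

# Constructed sample history in commit order (illustration only).
HISTORY = [
    Txn(1, frozenset(),      {"A": 100, "B": 50}),
    Txn(2, frozenset({"A"}), {"C": 100}),   # read A before the attack: stays good
    Txn(3, frozenset(),      {"A": 999}),   # malicious: corrupts A
    Txn(4, frozenset({"A"}), {"B": 1049}),  # read corrupted A: affected
    Txn(5, frozenset({"C"}), {"D": 200}),   # read clean C: unaffected
    Txn(6, frozenset({"B"}), {"D": 1249}),  # read damaged B: affected
]

def assess_damage(history, malicious):
    """Damage Assessor: a transaction is tainted if it is malicious or reads
    an object updated earlier by a tainted transaction; its own writes then
    extend the damage spreading trace. Commit order matters: a read of the
    object *before* the malicious write does not taint the reader."""
    damaged_objs, tainted = set(), set()
    for t in history:
        if t.tid in malicious or (t.reads & damaged_objs):
            tainted.add(t.tid)
            damaged_objs.update(t.writes)
    return tainted

def repair(history, tainted):
    """Damage Repairer: for each object updated by a tainted transaction, the
    value of its latest undamaged version (last write by a non-tainted
    transaction), or None if no undamaged version exists in the history."""
    latest_clean, damaged = {}, set()
    for t in history:
        if t.tid in tainted:
            damaged.update(t.writes)
        else:
            latest_clean.update(t.writes)
    return {obj: latest_clean.get(obj) for obj in damaged}

def recover(history, malicious):
    """Replay the history to the current (damaged) state, then apply the
    cleaning values produced by assessment followed by repair."""
    state = {}
    for t in history:
        state.update(t.writes)
    state.update(repair(history, assess_damage(history, malicious)))
    return state
```

Note that D is restored to 200 even though transaction 5 wrote it cleanly, because the later tainted transaction 6 overwrote it; the clean write is simply its latest undamaged version.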
Temporarily stopping the database will certainly make
the attack recovery job simpler, since the damage will no
longer spread and the repair can be done backwards after
the assessment is done; that is, we can repair the database
by simply undoing the malicious and affected
transactions in the reverse order of their commit order. An
even simpler approach is to roll back the database (state) to
a checkpoint taken before the attack [22], though all
(legitimate) work done after the checkpointing time will be
lost. However, since many critical database servers need to
be 24*7 available, and temporarily shutting the database
down can be the real goal of the attacker, on-the-fly attack
recovery which never stops the database is necessary in
many cases.