research paper on mongodb

• Conferences

• Registration Information
• Student Grant Application
• Diversity Grant Application
• Grants for Black Computer Science Students
• Technical Sessions
• Sponsor Events
• Call for Papers
• Instructions for Presenters
• Sponsorship
• Past Symposia
• Symposium Organizers
• Conference Policies
• Code of Conduct

Fault-Tolerant Replication with Pull-Based Consensus in MongoDB

Siyuan Zhou, MongoDB Inc.; Shuai Mu, Stony Brook University

In this paper, we present the design and implementation of strongly consistent replication in MongoDB. MongoDB provides linearizability and tolerates any minority of failures through a novel consensus protocol that derives from Raft. A major difference between our protocol and vanilla Raft is that MongoDB deploys a unique pull-based data synchronization model: a replica pulls new data from another replica. This pull-based data synchronization in MongoDB can be initiated by any replica and can happen between any two replicas, as opposed to vanilla Raft, where new data can only be pushed from the primary to other replicas. This flexible data transmission topology enabled by the pull-based model is strongly desired by our users since it has an edge on performance and monetary cost. This paper describes how this consensus protocol works, how MongoDB integrates it with the rest of the replication system, and the extensions of the replication protocol that support our rich feature set. Our evaluation shows that MongoDB effectively achieved the design goals and can replicate data efficiently and reliably.

Siyuan Zhou, MongoDB Inc.

Shuai mu, stony brook university.

NSDI '21 Open Access Sponsored by NetApp

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Presentation Video 

A Review on Various Aspects of MongoDb Databases

Content maybe subject to  copyright     Report

7  citations

View 1 citation excerpt

Cites background from "A Review on Various Aspects of Mong..."

... MongoDB is able to store larger amount of data compared to SQL (Structured Query Language) databases [9]. ...

4  citations

2  citations

... Fitur yang juga merupakan bagian dari fungsi intinya adalah kemampuan untuk melakukan skala secara horizontal, (Chauhan, 2019). ...

1  citations

112  citations

35  citations

View 2 reference excerpts

"A Review on Various Aspects of Mong..." refers background in this paper

... { _id:ObjectId(7df78ad8902c) Title:’MongoDB Overview’ Description:’ MongoDB is no sql database Comments: [ { user:’user1’, Message:’my first comment’, dateCreated: new Date(2011,1,20,2,15), }, { user:’user2’, Message: ‘my second comments’ dateCreated: new Date (2011,1,25,7,45), } } • Sample Document - ...

... Comments: [ { user:’user1’, Message:’my first comment’, dateCreated: new Date(2011,1,20,2,15), }, { user:’user2’, Message: ‘my second comments’ dateCreated: new Date (2011,1,25,7,45), } } • Sample Document - Above example shows the document structure of a blog site, which is simply a comma separated key value pair. ...

19  citations

Related Papers (3)

Ask Copilot

Related papers

A Survey on Security Threats and Mitigation Strategies for NoSQL Databases

MongoDB as a Use Case

• Conference paper
• First Online: 09 December 2023
• Cite this conference paper

• Surabhi Dwivedi 10 ,
• R. Balaji 10 ,
• Praveen Ampatt 10 &
• S. D. Sudarsan 10  

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14424))

Included in the following conference series:

• International Conference on Information Systems Security

301 Accesses

With the advent of IoT devices, cloud computing, accessible mobile devices, social networking sites and other advancements in technology a huge amount of data is being generated. NoSQL databases were evolved to provide a better storage capability, scalability, improved performance for read and write operations for the enormous data generated by various systems which are continuously being read and written by large number of users. Initially it was believed to provide better security in comparison to the traditional relational database management system (RDBMS), but in due course of time NoSQL databases were also exposed to various security breaches and vulnerabilities. In this paper we studied in detail the various security vulnerabilities of MongoDB, along with the need to secure the interfaces being used to access MongoDB. We analyzed the prevention and mitigation strategies for the same. The study of this paper can be used as a best practice to secure NoSQL or MongoDB database. It suggests how to secure the queries and all the interfaces that are being used to access the database.

• NoSQL Injection
• Data Masking

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

• Available as PDF
• Read on any device
• Instant download
• Own it forever
• Available as EPUB and PDF
• Compact, lightweight edition
• Dispatched in 3 to 5 business days
• Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Brewer, E.A.: Towards robust distributed systems. In: PODC , vol. 7 (2000)

Google Scholar  

Db engines. https://db-engines.com/en/ranking . Accessed 02 Sept 2022

Okman, L., Gal-Oz, N., Gonen, Y., Gudes, E., Abramov, J.: Security Issues in NoSQL Databases. In: 10th International Conference on Trust, Security and Privacy in Computing and Communications, Changsha, China, 2011 (2011)

Sicari, S., Rizzardi, A., Coen-Porisini, A.: Security& privacy issues and challenges in NoSQL databases. Comput. Netw. Int. J. Comput. Telecommun. Netw. 206( C), 341 (2022)

Fahd, K., Venkatraman, S., Hammeed, F.K.: A comparative study of NOSQL system vulnerabilities with big data. Int. J. Managing Inf. Technol. (IJMIT), 11 (4), 1–19 (2019)

Ron, A., Shulman-Peleg, A., Puzanov, A.: Analysis and mitigation of NoSQL injections. IEEE Secur. Priv. 14 (2), 30–39 (2016)

Zdnet. https://www.zdnet.com/article/chinese-companies-have-leaked-over-590-million-resumes-via-open-databases/ . Accessed 02 July 2023

Bleeping computer. https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/ . Accessed 09 July 2023

Bleeping computer. https://www.bleepingcomputer.com/news/security/over-275-million-records-exposed-by-unsecured-mongodb-database/ . Accessed 09 July 2023

Cpomagazine. https://www.cpomagazine.com/cyber-security/toyota-connected-service-decade-long-data-leak-exposed-2-15-million-customers/ . Accessed 18 July 2023

Bleeping computer. https://www.bleepingcomputer.com/news/security/redis-mongodb-and-elastic-2022-s-top-exposed-databases/ . Accessed 18 July 2023

Imam, A.A., Basri, S., González-Aparicio, M.T., Balogun, A.O., Kumar, G.: NoInjection: preventing unsafe queries on NoSQL-document-model databases. In: 2nd International Conference on Computing and Information Technology (ICCIT) (2022)

Ron, A., Shulman-Peleg, A., Bronshtein, E: No SQL, No Injection? Examining NoSQL Security

Hou, B., Qian, K., Li, L., Shi, Y., Tao, L., Liu, J.: MongoDB NoSQL Injection Analysis and Detection. In: IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), 2016 (2016)

A survey on detection and prevention of SQL and NoSQL injection attack on server-side applications. Int. J. Comput. Appl. (0975 - 8887), 183 (2021)

Invicti. https://www.invicti.com/blog/web-security/what-is-nosql-injection/ . Accessed 07 Nov 2022

Spiegel, P.: NoSQL injection fun with objects and arrays (2022). https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf

Databases security issues - a short analysis on the emergent security problems generated by NoSQL databases. Economic Computation and Economic Cybernetics Studies and Research 53 (3) (2019)

Rodríguez, G.E., Torres, J.G., Flores, P., Benavides, D.E.: Cross-site scripting (XSS) attacks and mitigation: a survey. Comput. Netw. 166 , 106960 (2020)

OWASP. https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_SSL_TLS_Ciphers_Insufficient_Transport_Layer_Protection . Accessed 28 July 2023

Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_2

Chapter   Google Scholar  

Qualys. https://blog.qualys.com/product-tech/2013/03/19/rc4-in-tls-is-broken-now-what . Accessed 09 July 2023

Zugaj, W., Beichler, A.S.: Analysis of standard security features for selected NoSQL systems. Am. J. Inf. Sci. Technol. (2019)

Meow attack. https://www.bleepingcomputer.com/news/security/new-meow-attack-has-deleted-almost-4-000-unsecured-databases/ . Accessed 02 Oct 2023

Hackernoon. https://hackernoon.com/learnings-from-the-meow-bot-attack-on-our-mongodb-databases-y22q3zs8 . Accessed 12 Oct 2023

Techtarget. https://www.techtarget.com/searchsecurity/news/252486971/Meow-attacks-continue-thousands-of-databases-deleted . Accessed 9 Oct 2023

Osborn, S.L., Servos, D., Shermin, M.: Issues in access control and privacy for big data. In: Meyers, R.A. (eds.) Encyclopedia of Complexity and Systems Science, pp. 1–9. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-642-27737-5_752-1

MongoDB docs. https://www.mongodb.com/docs/drivers/go/current/fundamentals/auth/ . Accessed 22 June 2023

MongoDB manual. https://www.mongodb.com/docs/manual/ . Accessed 22 June 2023

Ajayi, O.O., Adebiyi, T.O.: Application of data masking in achieving information privacy. IOSR J. Eng. (IOSRJEN) 4 (2), 13–21 (2014)

Cuzzocrea, A., Shahriar, H.: Data masking techniques for NoSQL database security: a systematic review. In: 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, USA (2017)

Git hub Data masking. https://github.com/pkdone/mongo-data-masking . Accessed 06 July 2023

Mozilla docs. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS . Accessed 18 July 2023

Lavrenovs, A., Melón, F.J.R.: HTTP security headers analysis of top one million websites. In: 10th International Conference on Cyber Conflict (CyCon), Tallinn, Estonia (2018)

MongoDB manual. https://www.mongodb.com/docs/manual/core/security-transport-encryption/ . Accessed 04 July 2023

MongoDB manual, CSFLE. https://www.mongodb.com/docs/manual/core/csfle/ . Accessed 16 July 2023

CouchDB homepage. https://couchdb.apache.org/ . Accessed 19 June 2023

Download references

Author information

Authors and affiliations.

Centre for Development of Advanced Computing (C-DAC), 68-Electronic City, Bengaluru, 560100, India

Surabhi Dwivedi, R. Balaji, Praveen Ampatt & S. D. Sudarsan

You can also search for this author in PubMed   Google Scholar

Corresponding author

Correspondence to Surabhi Dwivedi .

Editor information

Editors and affiliations.

Griffith University, Gold Coast, QLD, Australia

Vallipuram Muthukkumarasamy

Centre for Development of Advanced Computing (C-DAC), Bangalore, India

Sithu D. Sudarsan

Indian Institute of Technology Bombay, Mumbai, India

Rudrapatna K. Shyamasundar

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper.

Dwivedi, S., Balaji, R., Ampatt, P., Sudarsan, S.D. (2023). A Survey on Security Threats and Mitigation Strategies for NoSQL Databases. In: Muthukkumarasamy, V., Sudarsan, S.D., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2023. Lecture Notes in Computer Science, vol 14424. Springer, Cham. https://doi.org/10.1007/978-3-031-49099-6_4

Download citation

DOI : https://doi.org/10.1007/978-3-031-49099-6_4

Published : 09 December 2023

Publisher Name : Springer, Cham

Print ISBN : 978-3-031-49098-9

Online ISBN : 978-3-031-49099-6

eBook Packages : Computer Science Computer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

• Publish with us

Policies and ethics

• Find a journal
• Track your research

A study of normalization and embedding in MongoDB

Ieee account.

• Change Username/Password
• Update Address

Purchase Details

• Payment Options
• Order History
• View Purchased Documents

Profile Information

• Communications Preferences
• Profession and Education
• Technical Interests
• US & Canada: +1 800 678 4333
• Worldwide: +1 732 981 0060
• Contact & Support
• About IEEE Xplore
• Accessibility
• Terms of Use
• Nondiscrimination Policy
• Privacy & Opting Out of Cookies

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity. © Copyright 2024 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.

Research Areas

Recent activities, research papers, cryptography research group, encrypted search algorithms, leakage cryptanalysis.

All known efficient ESAs achieve a tradeoff between performance and information leakage. The design of leakage attacks is therefore an important way to ascertain whether an ESA is exploitable in practice or not.

Leakage analysis and suppression

Leakage analysis frameworks allow us to formally study and understand the leakage of ESAs, and leakage suppression techniques allow us to remove leakage patterns.

Archita Agarwal

Archita’s research bridges the gap between encrypted search and distributed computing.

Zachary Espiritu

Zachary’ s research focuses on both cryptographic design and cryptanalysis of encrypted search algorithms.

Marilyn George

Marilyn’s research focuses on understanding the efficiency and security trade-offs of the real-world use of cryptography.

Seny Kamara

Seny has worked extensively on the design and cryptanalysis of encrypted search algorithms.

Tarik Moataz

Tarik’s research interests are in the area of cryptography and computer security with a focus on encrypted search.

Archita received her Ph.D. in computer science from Brown University in 2021. Before joining MongoDB, she was an assistant professor of Computer Science at Denison University, Ohio. Her work focuses on bridging the gaps between encrypted search and distributed computing. Specifically, she designs and analyzes end-to-end encrypted, distributed, and concurrent systems. She was the first to design encrypted distributed dictionaries and key-value stores, two primitives that underlie encrypted distributed databases. Her work also highlights the fundamental connections between cryptography and distributed/concurrent systems, such as how security, consistency, and efficiency interact with each other. Archita is also interested in augmenting her encrypted database designs with additional privacy-preserving features, such as differentially private analytical queries and GDPR-compliant access requests.

Archita Agarwal's Scholar profile

Zachary received his concurrent Sc.M and Sc.B. in computer science from Brown University in 2021. Prior to MongoDB, Zachary worked with the Cloud Security Group and Encrypted Systems Lab at Brown University at the intersection of cryptography, data structures and algorithms, and computer systems. Zachary's research has focused on both cryptographic design and cryptanalysis of encrypted search algorithms. Zachary created a framework for designing encrypted aggregate queries, deployed Arca, a programming library for rapidly prototyping cryptographic schemes, and designed and implemented a system for public policy analytics over encrypted data. He has also designed and implemented attacks against multi-dimensional encrypted databases.

Zachary Espiritu's Scholar profile

Marilyn received her Ph.D. in computer science from Brown University’s Encrypted Systems Lab in 2022. Her research focuses on understanding the efficiency and security trade-offs associated with the real-world use of cryptography, with an emphasis on encrypted search. Her work addresses the theoretical limits of encrypted search algorithms and introduces new techniques for their design. Marilyn’s work showed, for the first time, how to design dynamic leakage suppression techniques, resulting in efficient zero and almost-zero leakage encrypted search algorithms. Marilyn is also interested in the legal and social aspects of secure systems. In the past, she has designed a GDPR compliance tool for legacy databases as well as an encrypted database for public policy studies. She has also introduced a game theoretic framework to augment secure protocols with contracts for rational participants.

Marilyn George's Scholar profile

Seny manages the Cryptography Research Group. He has worked extensively on the design and cryptanalysis of encrypted search algorithms, which are efficient algorithms for searching on end-to-end encrypted data. His work first showed how to search on encrypted data in optimal time, how to formalize the security of searchable symmetric encryption (SSE), how to optimally search on dynamic encrypted data, and how to cryptanalyze property preserving encryption. He maintains interests in various aspects of theory and systems, including applied and theoretical cryptography, data structures and algorithms, and technology policy.

Seny is also an Associate Professor of Computer Science at Brown University where he leads the Encrypted Systems Lab. Before that, he was a research scientist at Microsoft Research. In 2017, he co-founded Aroki Systems and served as its Chief Scientist until its acquisition by MongoDB. He has been appointed to two National Academies of Sciences committees on encryption and surveillance and has provided testimony to the U.S. House of Representatives Financial Services Committee and to the Committee on Space, Science, and Technology. He has given keynotes at the IACR’s Annual International Cryptology Conference (CRYPTO), the ACM’s Symposium on Principles of Distributed Computing (PODC), and the ACM’s Conference on Advances in Financial Technologies (AFT). In 2022, Seny and his collaborators won the ACM Conference on Computer and Communications Security’s (CCS) Test-of-Time Award for their work on dynamic searchable symmetric encryption.

Seny Kamara's Scholar profile

Tarik is a researcher in the Cryptography Research Group at MongoDB. Prior to joining MongoDB, he was a co-founder and Chief Technology Officer at Aroki Systems (acquired by MongoDB) and before that, he was a visiting scientist and a postdoctoral researcher at Brown University in the Encrypted Systems Lab (ESL). His research is in the area of cryptography and computer security with a focus on encrypted search. He works primarily on the design and cryptanalysis of encrypted search algorithms that offer different efficiency, security, and expressiveness trade-offs. His work introduced the first worst-case sublinear Boolean searchable symmetric encryption scheme, the first structured encryption-based encrypted relational database, the notion of leakage suppression along with the first volume-hiding structured encryption schemes, and the first volumetric leakage attacks against exact keyword search.

Tarik served on the organizing committee of the first workshop on the Theory and Practice of Encrypted Search (TPES) as well as ICERM’s workshop on Encrypted Search. He has also served on the program committees of IACR’s Annual International Cryptology Conference (CRYPTO), IACR’s Annual International Conference on the Theory and Applications of Cryptology (Eurocrypt), and the ACM’s Conference on Computer and Communications Security (CCS).

Tarik Moataz's Scholar profile

International Conference on Very Large DataBases (VLDB)

Zach's paper on multi-dimensional encrypted range schemes will appear at VLDB 2023.

Privacy-Enhancing Technologies Symposium (PETS)

Zach's paper on attacks against multi-dimensional encrypted range schemes will appear at PETS 2023.

ACM Conference on Advances in Financial Technologies (AFT)

Seny delivered a keynote at the conference.

Workshop on the Theory and Practice of Encrypted Search (TPES)

Tarik gave a talk on practical encrypted databases.

We organized the first edition of the Workshop on the Theory and Practice of Encrypted Search.

ACM Symposium on Principles of Distributed Computing (PODC)

Seny delivered a keynote at the Symposium.

Design and Analysis of a Stateless Database Encryption Scheme

In this work, we design the first encrypted document database scheme. A key focus of our work is on designing a scheme that is practical not only in terms of asymptotic and concrete efficiency but also with respect to real-world constraints that emerge when trying to build and deploy real database systems at scale for commercial use. These constraints present new technical challenges that have not been considered in the research literature before.

An Overview of MongoDB’s Queryable Encryption

In this work, we give an overview of Queryable Encryption, its design goals, threat model, security properties and performance.

Bayesian Leakage Analysis: A Framework for Analyzing Leakage in Encrypted Search

This work proposes a theoretical framework with which leakage can be analyzed and better understood.

MAPLE: MArkov Process Leakage attacks on Encrypted Search

This work studies query equality leakage on dependent queries and presents two new attacks in this setting which can work either as known-distribution or known-sample attacks.

Injection-Secure Structured and Searchable Symmetric Encryption

We propose the first injection-secure multi-map encryption scheme and use it as a building block to design the first injection-secure searchable symmetric encryption (SSE) scheme.