Access control and integrity constraints are well known approaches to ensure data integrity in commercial database systems. However, due to operational mistakes, malicious intent of insiders or vulnerabilities exploited by outsiders, data stored in a database can still be compromised. When the database is under an attack, rolling back and re-executing the damaged transactions are the most used mechanisms during system recovery. This kind of mechanism either stops (or greatly restricts) the database service during repair, which causes unacceptable availability loss or denialof-service for mission critical applications, or may cause serious damage spreading during on-the-fly recovery where many clean data items are accidentally corrupted by legitimate new transactions. To resolve this dilemma, we devise a novel mechanism, called database firewall in this paper. This firewall is designed to protect good data from being corrupted due to damage spreading. Pattern mining and Bayesian net...