An Anomaly Detection System for the Protection of Relational Database Systems against Data Leakage by Application Programs

Application programs are a possible source of attacks on databases, as attackers might exploit vulnerabilities in a privileged database application. They can perform code injection or code-reuse attacks in order to steal sensitive data. However, as such attacks very often result in changes in the program's behavior, program monitoring techniques represent an effective defense for detecting on-going attacks. One such technique is monitoring the library/system calls that the application program issues while running. In this paper, we propose AD-PROM, an Anomaly Detection system that aims at protecting relational database systems against malicious/compromised application PROgraMs that aim at stealing data. AD-PROM tracks the calls executed by application programs on data extracted from a database. The system operates in two phases. The first phase statically and dynamically analyzes the behavior of the application in order to build profiles representing the application's normal behavior: AD-PROM analyzes the control and data flow of the application program (static analysis), and builds a hidden Markov model trained on the program's execution traces (dynamic analysis). During the second phase, the program's execution is monitored in order to detect anomalies that may represent data leakage attempts. We have implemented AD-PROM and carried out experiments to assess its performance. The results show that our system is highly accurate in detecting changes in application programs' behavior and has very low false positive rates.
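As an added illustration of the dynamic-analysis half of the approach (this is not code from the paper or from the AD-PROM implementation), the following Python builds a discrete hidden Markov model from constructed call traces of a hypothetical report-generating program, then scores a new trace by its length-normalised log-likelihood and flags it as anomalous when the score falls a fixed margin below the worst score observed during profiling. The call alphabet, the two-state model size, the smoothing pseudo-count and the margin are assumptions chosen for the example; the suspect trace is constructed so that the fetched rows leave through calls the profile never saw.

```python
import math
import random

UNK = "<unk>"  # bucket for any call name never seen while profiling

# Constructed sample traces (not from the paper) of library calls issued by a
# hypothetical report program after it reads rows from a database.
NORMAL_TRACES = [
    ["connect", "query", "fetch", "fetch", "write_file", "close"],
    ["connect", "query", "fetch", "write_file", "close"],
    ["connect", "query", "fetch", "fetch", "fetch", "write_file", "close"],
    ["connect", "query", "fetch", "fetch", "write_file", "close"],
]
# Constructed trace in which the fetched rows leave over a socket instead.
SUSPECT_TRACE = ["connect", "query", "fetch", "fetch", "socket", "send", "send", "close"]


def normalize(row):
    total = sum(row)
    return [x / total for x in row]


class DiscreteHMM:
    """Hidden Markov model over a finite alphabet of call names."""

    def __init__(self, n_states, symbols, seed=0):
        rng = random.Random(seed)  # fixed seed keeps the example reproducible
        self.n = n_states
        self.symbols = list(symbols) + [UNK]
        self.idx = {s: i for i, s in enumerate(self.symbols)}
        m = len(self.symbols)
        self.pi = normalize([rng.random() + 0.5 for _ in range(n_states)])
        self.A = [normalize([rng.random() + 0.5 for _ in range(n_states)]) for _ in range(n_states)]
        self.B = [normalize([rng.random() + 0.5 for _ in range(m)]) for _ in range(n_states)]

    def encode(self, trace):
        return [self.idx.get(s, self.idx[UNK]) for s in trace]

    def forward(self, obs):
        # Scaled forward pass: alphas[t] sums to 1 and scales[t] is the
        # normaliser, so log P(obs) = sum(log scales) without underflow.
        n, alphas, scales = self.n, [], []
        a = [self.pi[i] * self.B[i][obs[0]] for i in range(n)]
        for t, o in enumerate(obs):
            if t > 0:
                a = [sum(alphas[-1][j] * self.A[j][i] for j in range(n)) * self.B[i][o] for i in range(n)]
            c = sum(a)
            alphas.append([x / c for x in a])
            scales.append(c)
        return alphas, scales

    def backward(self, obs, scales):
        n, T = self.n, len(obs)
        betas = [[0.0] * n for _ in range(T)]
        betas[T - 1] = [1.0 / scales[T - 1]] * n
        for t in range(T - 2, -1, -1):
            for i in range(n):
                betas[t][i] = sum(self.A[i][j] * self.B[j][obs[t + 1]] * betas[t + 1][j]
                                  for j in range(n)) / scales[t]
        return betas

    def log_likelihood(self, trace):
        _, scales = self.forward(self.encode(trace))
        return sum(math.log(c) for c in scales)

    def train(self, traces, iterations=30, smoothing=1e-4):
        # Baum-Welch re-estimation. The pseudo-count keeps every transition and
        # emission (UNK included) strictly positive, so a never-seen call lowers
        # the likelihood sharply instead of driving it to zero.
        n, m = self.n, len(self.symbols)
        encoded = [self.encode(t) for t in traces]
        for _ in range(iterations):
            pi_acc = [smoothing] * n
            A_acc = [[smoothing] * n for _ in range(n)]
            B_acc = [[smoothing] * m for _ in range(n)]
            for obs in encoded:
                alphas, scales = self.forward(obs)
                betas = self.backward(obs, scales)
                for t, o in enumerate(obs):
                    g = normalize([alphas[t][i] * betas[t][i] for i in range(n)])  # state posteriors
                    for i in range(n):
                        B_acc[i][o] += g[i]
                        if t == 0:
                            pi_acc[i] += g[i]
                    if t + 1 < len(obs):
                        xi = [[alphas[t][i] * self.A[i][j] * self.B[j][obs[t + 1]] * betas[t + 1][j]
                               for j in range(n)] for i in range(n)]
                        z = sum(map(sum, xi))
                        for i in range(n):
                            for j in range(n):
                                A_acc[i][j] += xi[i][j] / z
            self.pi = normalize(pi_acc)
            self.A = [normalize(r) for r in A_acc]
            self.B = [normalize(r) for r in B_acc]


class TraceAnomalyDetector:
    """Profiles normal traces with an HMM; flags a trace whose per-call
    log-likelihood falls more than `margin` below the worst profiling score."""

    def __init__(self, normal_traces, n_states=2, margin=1.0):
        vocab = sorted({c for t in normal_traces for c in t})
        self.hmm = DiscreteHMM(n_states, vocab)
        self.hmm.train(normal_traces)
        self.threshold = min(self.score(t) for t in normal_traces) - margin

    def score(self, trace):
        return self.hmm.log_likelihood(trace) / len(trace)  # length-normalised

    def is_anomalous(self, trace):
        return self.score(trace) < self.threshold


def build_detector():
    return TraceAnomalyDetector(NORMAL_TRACES)


if __name__ == "__main__":
    det = build_detector()
    for trace in NORMAL_TRACES + [SUSPECT_TRACE]:
        verdict = "ANOMALY" if det.is_anomalous(trace) else "normal "
        print(f"{det.score(trace):7.3f} {verdict} {' '.join(trace)}")
```

Length-normalising the log-likelihood keeps long but ordinary runs from scoring worse than short ones; the smoothing pseudo-count is what lets the model react to a call it never saw during profiling, which is exactly the kind of behavioral change a leakage attempt tends to introduce.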
