One of the challenges in database security is the timely detection of an insider attack. This becomes harder in the case of sophisticated or expert insiders. Behavioral-based techniques have shown promising results in detecting insider attacks. Most behavioral-based techniques consider a query in isolation in order to model an insider's normative behavior, and thus only detect malicious behavior that is confined to a single query. A recently proposed approach considers sequences of queries to model an insider's normative behavior by using n-grams that capture short-term correlations in an application [1]. However, behavioral-based approaches, including the n-gram approach, are vulnerable to mimicry attacks, whereby a sophisticated inside attacker crafts a sequence of statements that mimics normal behavior as a set of legitimate transactions. Thus, a mechanism to detect this type of mimicry attack is desirable. In this paper, we first demonstrate an example mimicry attack on an n-gram based approach and then propose a behavioral-based technique that facilitates its detection. The proposed technique complements existing behavioral-based approaches, including the n-gram approach, and can also be deployed independently. Experiments are presented whereby a query-analytics model is used to construct normative behavior from the query logs of a synthetic banking application system. Initial results indicate that the proposed model for constructing normative behavior is effective in detecting insider attacks that conform to the demonstrated mimicry attack.
[1] Varun Chandola et al. Ettu: Analyzing Query Intents in Corporate Databases. WWW, 2016.
[2] Giovanni Vigna et al. Intrusion detection: a brief history and overview. 2002.
[3] Elisa Bertino et al. Data and syntax centric anomaly detection for relational databases. WIREs Data Mining Knowl. Discov., 2016.
[4] Stephanie Forrest et al. A sense of self for Unix processes. Proceedings 1996 IEEE Symposium on Security and Privacy, 1996.
[5] Simon N. Foley et al. Runtime Detection of Zero-Day Vulnerability Exploits in Contemporary Software Systems. DBSec, 2016.
[6] Simon N. Foley et al. Detecting Anomalous Behavior in DBMS Logs. CRiSIS, 2016.
[7] Jerry den Hartog et al. A white-box anomaly-based framework for database leakage detection. J. Inf. Secur. Appl., 2017.
[8] Simon N. Foley et al. A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems. CRiSIS, 2017.
[9] Hung Q. Ngo et al. A Data-Centric Approach to Insider Attack Detection in Database Systems. RAID, 2010.
[10] Xin Jin et al. Database Intrusion Detection Using Role Profiling with Role Hierarchy. Secure Data Management, 2009.
[11] Elisa Bertino et al. DetAnom: Detecting Anomalous Database Transactions by Insiders. CODASPY, 2015.