A Data-Centric Approach to Insider Attack Detection in Database Systems

The insider threat against database management systems is a dangerous security problem. Authorized users may abuse legitimate privileges to masquerade as other users or to maliciously harvest data. We propose a new direction to address this problem. We model users' access patterns by profiling the data points that users access, in contrast to analyzing the query expressions in prior approaches. Our data-centric approach is based on the key observation that query syntax alone is a poor discriminator of user intent, which is much better rendered by what is accessed. We present a feature-extraction method to model users' access patterns. Statistical learning algorithms are trained and tested using data from a real Graduate Admission database. Experimental results indicate that the technique is effective and accurate, and that it is a promising complement to existing database security solutions. Practical performance issues are also addressed.
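
The following is an added illustration of the abstract's central claim, not code from the paper or its authors. It builds a constructed six-row admissions table in an in-memory SQLite database and contrasts two views of a query: a syntax-centric one (the set of tokens in the SQL text) and a data-centric one (per-column summary statistics of the rows the query actually returns). The feature set (row count; min, max, mean and standard deviation for numeric columns; distinct count and mean length for text columns) is a simplified stand-in for the kind of result-set summary the abstract describes, and the detector (a standardized distance to the centroid of a user's past result-set feature vectors, flagged above twice the largest distance seen in that history) is an assumed toy model rather than the paper's classifiers. The sample data, the clerk's query history and the harvesting query are all constructed here.

```python
import math
import sqlite3
import statistics

# Constructed toy admissions table (not the paper's Graduate Admission database).
APPLICANTS = [
    (1, "Ana", 3.9, 335, "admit"),
    (2, "Bo", 3.7, 320, "admit"),
    (3, "Cy", 3.5, 310, "waitlist"),
    (4, "Di", 3.2, 300, "reject"),
    (5, "Ed", 2.9, 290, "reject"),
    (6, "Fu", 3.6, 325, "admit"),
]


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE applicants(id INTEGER, name TEXT, gpa REAL, gre INTEGER, decision TEXT)")
    con.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?, ?)", APPLICANTS)
    return con


def syntax_features(sql):
    """Syntax-centric view: the set of tokens in the query text."""
    for ch in ",()":
        sql = sql.replace(ch, " ")
    return set(sql.lower().split())


def result_features(con, sql):
    """Data-centric view: per-column summary statistics of the rows the query
    actually returns (numeric columns: min/max/mean/std; other columns:
    distinct count and mean length). Independent of how the query was written."""
    cur = con.execute(sql)
    names = [d[0] for d in cur.description]
    rows = cur.fetchall()
    feats = {"rows": len(rows)}
    for i, name in enumerate(names):
        col = sorted(r[i] for r in rows if r[i] is not None)
        if not col:  # empty result set: only the row count is recorded
            continue
        if all(isinstance(v, (int, float)) for v in col):
            feats[name + ".min"] = min(col)
            feats[name + ".max"] = max(col)
            feats[name + ".mean"] = round(statistics.fmean(col), 4)
            feats[name + ".std"] = round(statistics.pstdev(col), 4)
        else:
            feats[name + ".distinct"] = len(set(col))
            feats[name + ".avglen"] = round(statistics.fmean(len(str(v)) for v in col), 4)
    return feats


def build_profile(history):
    """Per-user profile: centroid and per-dimension spread of past normal
    result-set feature vectors (assumed toy model, not the paper's classifiers)."""
    keys = sorted({k for f in history for k in f})
    cols = [[float(f.get(k, 0.0)) for f in history] for k in keys]
    centroid = [statistics.fmean(c) for c in cols]
    scale = [statistics.pstdev(c) or 1.0 for c in cols]  # floor of 1.0 where history has no spread
    return keys, centroid, scale


def anomaly_score(feats, profile):
    """Standardized Euclidean distance from the profile centroid. Columns the
    user never touched before are ignored here; a deployment should treat
    them as a signal in their own right."""
    keys, centroid, scale = profile
    return math.sqrt(sum(((float(feats.get(k, 0.0)) - c) / s) ** 2
                         for k, c, s in zip(keys, centroid, scale)))


def demo():
    con = open_db()
    # 1. Two syntactically different queries that access exactly the same data.
    q_a = "SELECT * FROM applicants WHERE gpa >= 3.5"
    q_b = "SELECT * FROM applicants WHERE id IN (SELECT id FROM applicants WHERE NOT gpa < 3.5)"
    same_data = result_features(con, q_a) == result_features(con, q_b)
    same_syntax = syntax_features(q_a) == syntax_features(q_b)

    # 2. A clerk whose normal work is single-applicant lookups (constructed history).
    history_sql = [
        "SELECT name, gpa, gre FROM applicants WHERE id = 1",
        "SELECT name, gpa, gre FROM applicants WHERE id = 2",
        "SELECT name, gpa, gre FROM applicants WHERE id = 3",
        "SELECT name, gpa, gre FROM applicants WHERE gpa > 3.8",
    ]
    history = [result_features(con, q) for q in history_sql]
    prof = build_profile(history)
    threshold = 2.0 * max(anomaly_score(f, prof) for f in history)  # assumed decision rule

    normal = "SELECT name, gpa, gre FROM applicants WHERE id = 6"
    # Same shape as the last history query, but the literal turns it into a bulk harvest.
    harvest = "SELECT name, gpa, gre FROM applicants WHERE gpa > 2.0"
    return {
        "same_data": same_data,
        "same_syntax": same_syntax,
        "normal_score": anomaly_score(result_features(con, normal), prof),
        "harvest_score": anomaly_score(result_features(con, harvest), prof),
        "threshold": threshold,
        "syntax_diff": syntax_features(harvest) ^ syntax_features(history_sql[-1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things stand out when this runs: the two differently written queries produce identical result-set features while their token sets differ, and the harvesting query differs from a normal history query by a single literal yet its result-set features sit far outside the clerk's profile. A syntax-only detector would have to reason about the predicate's selectivity to catch the latter; the data-centric view sees it directly in the row count and column distributions.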
