Techniques and Systems for Anomaly Detection in Database Systems

Techniques for detecting anomalies in accesses to database systems have been widely investigated. Existing techniques operate in two main phases. The first is a training phase, during which profiles of the database subjects are created from historical data representing past user actions. New actions are then checked against these profiles to detect deviations from the expected normal behavior. Such deviations are considered indicators of possible attacks and may thus require further analysis. The existing techniques have considered different categories of features to describe user actions and have followed different methodologies and algorithms to build access profiles and track user behavior. In this chapter, we review the prominent techniques and systems for anomaly detection in database systems. We discuss the attacks they help detect as well as their limitations and possible extensions. We also give directions for potential future research.
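
The two-phase approach described above, as an added illustration that is not part of the chapter or of any system it surveys: a syntax-centric profile (command, tables accessed, columns touched) is learned per role from a constructed training log, and new statements are checked against it. The role names, queries and feature choice are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed training log of (role, query) pairs standing in for the historical
# data of the training phase; not taken from any real system or from the chapter.
TRAINING_LOG = [
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 42"),
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 7"),
    ("clerk", "UPDATE accounts SET balance = 10 WHERE id = 7"),
    ("analyst", "SELECT region, SUM(amount) FROM sales GROUP BY region"),
]

def extract_features(sql):
    """Syntax-centric (command, tables, columns) features; shallow regex parsing only."""
    sql = " ".join(sql.split())
    cmd = sql.split(" ", 1)[0].upper()
    tables = frozenset(t.lower() for t in re.findall(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+(\w+)", sql, re.I))
    if cmd == "SELECT":    # projected columns
        m = re.match(r"SELECT\s+(.*?)\s+FROM\b", sql, re.I)
    elif cmd == "UPDATE":  # assigned columns
        m = re.search(r"\bSET\s+(.*?)(?:\s+WHERE\b|$)", sql, re.I)
    else:                  # other commands carry no column-level feature here
        m = None
    columns = frozenset(c.split("=")[0].strip().lower() for c in (m.group(1) if m else "").split(",") if c.strip())
    return cmd, tables, columns

def build_profiles(log):
    """Training phase: per role, the commands, table sets and per-(command, tables) columns seen."""
    profiles = defaultdict(lambda: {"commands": set(), "tables": set(), "columns": defaultdict(set)})
    for role, sql in log:
        cmd, tables, columns = extract_features(sql)
        profiles[role]["commands"].add(cmd)
        profiles[role]["tables"].add(tables)
        profiles[role]["columns"][(cmd, tables)] |= columns
    return dict(profiles)

def check(profiles, role, sql):
    """Detection phase: reasons a statement deviates from the role's profile ([] = expected)."""
    if role not in profiles:
        return [f"no profile for role {role}"]
    cmd, tables, columns = extract_features(sql)
    p, reasons = profiles[role], []
    if cmd not in p["commands"]:
        reasons.append(f"command {cmd} never issued by {role}")
    new = sorted(columns - p["columns"].get((cmd, tables), set()))
    if tables not in p["tables"]:
        reasons.append(f"tables {sorted(tables)} never accessed by {role}")
    elif new:
        reasons.append(f"columns {new} never used by {role} in {cmd} on {sorted(tables)}")
    return reasons
```

A bulk read such as `SELECT * FROM accounts` by a clerk is flagged on the column feature even though the table is one the role normally uses, which is the kind of deviation a data-exfiltration profile is meant to surface.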
