Customized Intrusion Detection Based on a Database Audit Log

The Internet enables world-wide communication for all areas of human activity. To deal with the massive data involved, companies deploy database products such as Oracle® Database, MySQL, Microsoft® SQL Server, and IBM® DB2. Databases are continuously under attack by intruders who probe for valuable customer and corporate information. Commercial databases have auditing support that facilitates after-the-fact review and analysis of data access. However, audit data collected has vendor-specific structure and content. Tools are needed to optimize response to security incidents and to proactively mine audit logs for vulnerabilities. This paper1 demonstrates some databaseindependent techniques aimed toward automating the management of a site’s audit information.