Detection of intrusive activity in databases by combining multiple evidences and belief update

In this paper, we propose an innovative approach for database intrusion detection that combines evidence from the current as well as the past behavior of users. It consists of four components: a rule-based component, a belief combination component, a security-sensitive history database component and a Bayesian learning component. The rule-based component consists of a set of well-defined rules, each of which gives independent evidence about a transaction's behavior. An extension of Dempster-Shafer theory is used to combine these multiple evidences and compute an initial belief. First-level inferences about the transaction are made from this initial belief. Once a transaction is found to be suspicious, the belief is updated according to its similarity with the malicious or genuine transaction history using Bayesian learning. Experimental evaluation shows that the proposed intrusion detection system can effectively detect intrusive attacks in databases without raising too many false alarms.
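The two-stage pipeline the abstract describes, as an added worked example that is not code from the paper: three hypothetical rules each emit a mass function over the frame {M, G} (malicious / genuine), the masses are fused with the classical Dempster rule of combination (the paper's own extension of the rule is not reproduced), the fused Bel({M}) is thresholded into malicious / genuine / suspicious, and a suspicious transaction has its belief updated with a Laplace-smoothed naive-Bayes likelihood estimated from a constructed labelled history. The rule weights, the thresholds, the feature set and the history records are all assumptions made for illustration.

```python
"""Added example: Dempster-Shafer fusion of rule evidences followed by a
Bayesian belief update against a transaction history. Rules, thresholds and
history are constructed for illustration; they are not the paper's values."""
from itertools import product
from typing import Any, Callable, Dict, FrozenSet, List, Tuple

# Frame of discernment for one transaction: malicious (M) or genuine (G).
M = frozenset({"M"})
G = frozenset({"G"})
THETA = frozenset({"M", "G"})   # ignorance: the evidence cannot tell

Mass = Dict[FrozenSet[str], float]
Txn = Dict[str, Any]

LOW, HIGH = 0.2, 0.8            # assumed thresholds on the fused Bel({M})
POST_DECISION = 0.5             # assumed cut-off on the Bayesian posterior


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule of combination: multiply the masses of every pair of
    focal elements, keep non-empty intersections and renormalise by the
    conflict mass K (pairs whose intersection is empty)."""
    out: Mass = {}
    conflict = 0.0
    for a, b in product(m1, m2):
        w = m1[a] * m2[b]
        if a & b:
            out[a & b] = out.get(a & b, 0.0) + w
        else:
            conflict += w
    if conflict >= 1.0:
        raise ValueError("total conflict: evidences cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in out.items()}


# Hypothetical rules. Each returns a basic probability assignment; the
# unassigned remainder goes to THETA so one weak rule never decides alone.
def rule_off_hours(txn: Txn) -> Mass:
    if not 8 <= txn["hour"] < 18:
        return {M: 0.5, THETA: 0.5}
    return {G: 0.3, THETA: 0.7}


def rule_volume(txn: Txn) -> Mass:
    if txn["rows"] > 1000:
        return {M: 0.6, THETA: 0.4}
    return {G: 0.4, THETA: 0.6}


def rule_sensitive(txn: Txn) -> Mass:
    if txn["sensitive"]:
        return {M: 0.4, THETA: 0.6}
    return {G: 0.5, THETA: 0.5}


RULES: List[Callable[[Txn], Mass]] = [rule_off_hours, rule_volume, rule_sensitive]


def initial_belief(txn: Txn) -> float:
    """Fuse all rule evidences; on a two-element frame Bel({M}) = m({M})."""
    m: Mass = {THETA: 1.0}            # vacuous belief before any evidence
    for rule in RULES:
        m = combine(m, rule(txn))
    return m.get(M, 0.0)


def features(txn: Txn) -> Dict[str, bool]:
    """Boolean view of a transaction used to compare it with the history."""
    return {"off_hours": not 8 <= txn["hour"] < 18,
            "high_volume": txn["rows"] > 1000,
            "sensitive": bool(txn["sensitive"])}


# Constructed labelled history (stands in for the paper's history database).
HISTORY: List[Tuple[Dict[str, bool], str]] = [
    ({"off_hours": True, "high_volume": True, "sensitive": True}, "M"),
    ({"off_hours": True, "high_volume": False, "sensitive": True}, "M"),
    ({"off_hours": True, "high_volume": True, "sensitive": False}, "M"),
    ({"off_hours": False, "high_volume": True, "sensitive": True}, "M"),
    ({"off_hours": False, "high_volume": False, "sensitive": False}, "G"),
    ({"off_hours": False, "high_volume": False, "sensitive": True}, "G"),
    ({"off_hours": False, "high_volume": True, "sensitive": False}, "G"),
    ({"off_hours": True, "high_volume": False, "sensitive": False}, "G"),
    ({"off_hours": False, "high_volume": False, "sensitive": False}, "G"),
    ({"off_hours": False, "high_volume": False, "sensitive": True}, "G"),
]


def bayesian_update(prior_m: float, txn: Txn, history=HISTORY) -> float:
    """Posterior P(M | features): naive-Bayes likelihood estimated from the
    history with Laplace smoothing, and the fused DS belief as the prior."""
    f = features(txn)
    like: Dict[str, float] = {}
    for label in ("M", "G"):
        recs = [h for h, lab in history if lab == label]
        p = 1.0
        for name, val in f.items():
            hits = sum(1 for h in recs if h[name] == val)
            p *= (hits + 1) / (len(recs) + 2)
        like[label] = p
    num = like["M"] * prior_m
    return num / (num + like["G"] * (1.0 - prior_m))


def classify(txn: Txn, history=HISTORY) -> Dict[str, Any]:
    """Stage 1 decides clear cases from rules alone; only suspicious
    transactions (LOW <= Bel({M}) < HIGH) reach the history-based update."""
    bel = initial_belief(txn)
    if bel >= HIGH:
        return {"label": "malicious", "belief": bel, "stage": "rules"}
    if bel < LOW:
        return {"label": "genuine", "belief": bel, "stage": "rules"}
    post = bayesian_update(bel, txn, history)
    label = "malicious" if post >= POST_DECISION else "genuine"
    return {"label": label, "belief": post, "stage": "history"}


if __name__ == "__main__":
    for t in ({"hour": 2, "rows": 5000, "sensitive": True},
              {"hour": 10, "rows": 50, "sensitive": False},
              {"hour": 3, "rows": 50, "sensitive": False}):
        print(t, "->", classify(t))
```

The third sample transaction shows why the second stage matters: an off-hours access on its own pushes Bel({M}) to about 0.23, which the rules alone cannot resolve, while the history shows that low-volume, non-sensitive off-hours access is characteristic of genuine users, so the posterior drops to about 0.16 and no alarm is raised.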
