Multilayered database intrusion detection system for detecting malicious behaviors in big data transaction

Nowadays, information plays a significant role in enterprise organizations, and sensitive, vital data must be organized and stored within the database. Traditional mechanisms such as encryption, access control, and authentication cannot provide a high level of confidence on their own. An Intrusion Detection System for the database (DB-IDS) is therefore a necessity, because enterprises awash in data often struggle to answer basic questions about detecting or preventing every facet of the threats they face. In this paper, we propose a novel type of intrusion detection system for detecting attacks at both the database transaction level and the inter-transaction level (user task level) under high-rate transaction processing. For simplicity, our model is divided into two parts: the detection method at the transaction level and the detection method at the inter-transaction level (detection with a learning method, concurrently at both levels). Detection at the transaction level is based on describing the expected (normal) transactions within the database applications. Detection at the inter-transaction level focuses on anomaly detection and uses data mining to find dependency and sequence rules (capturing the effect of spatial and temporal heterogeneity). The system thus gains the advantages of a hybrid method, combining specification-based detection and anomaly detection, to minimize both false positive and false negative errors. Simulation and implementation experiments at the Mobile Telecommunication Company of Iran (MCI) confirmed the accuracy of our models. The experimental results demonstrate a true positive detection rate higher than 0.8 and a false positive detection rate lower than 0.1 when appropriate ranges are chosen for the support and confidence thresholds. The experimental evaluation results show the high accuracy and effectiveness of the proposed system.
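As an added illustration of the two-level scheme the abstract describes (example code written for this page, not the paper's implementation and not MCI data), the block below pairs a specification-based check of each transaction with inter-transaction sequence rules mined from user sessions under support and confidence thresholds. The transaction names, operation lists, training sessions and threshold values are all constructed and hypothetical.

```python
"""Two-level database IDS sketch: a per-transaction specification check plus
mined inter-transaction sequence rules (support/confidence) over user sessions."""
from collections import defaultdict

# --- Transaction level (specification-based). Hypothetical application:
# each transaction name maps to the exact ordered operations it may issue,
# written as ACTION:table.
TRANSACTION_SPEC = {
    "login":    ["READ:subscriber"],
    "balance":  ["READ:account"],
    "transfer": ["READ:account", "WRITE:account", "WRITE:ledger"],
    "topup":    ["READ:subscriber", "WRITE:subscriber", "WRITE:ledger"],
    "logout":   [],
}


def check_transaction(name, ops, spec=TRANSACTION_SPEC):
    """Return None if the transaction is known and issues exactly the
    operations its specification allows, else a description of the deviation."""
    if name not in spec:
        return f"unknown transaction {name!r}"
    if list(ops) != spec[name]:
        return f"{name}: operations {list(ops)} deviate from spec {spec[name]}"
    return None


# --- Inter-transaction level (anomaly-based). Constructed training sessions:
# the transaction names one user issued, in order, during a normal task.
TRAINING_SESSIONS = [
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "topup", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "topup", "logout"],
    ["login", "balance", "topup", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "topup", "logout"],
]


def mine_sequence_rules(sessions, min_support, min_confidence):
    """Mine rules A -> B meaning "B immediately follows A" in a session.
    support(A->B) = fraction of sessions in which B directly follows A,
    support(A)    = fraction of sessions containing A,
    confidence    = support(A->B) / support(A).
    Returns {antecedent: {successor: (support, confidence)}}."""
    n = len(sessions)
    sessions_with = defaultdict(set)   # name -> indices of sessions containing it
    pair_sessions = defaultdict(set)   # (a, b) -> indices where b directly follows a
    for i, s in enumerate(sessions):
        for a in s:
            sessions_with[a].add(i)
        for a, b in zip(s, s[1:]):
            pair_sessions[(a, b)].add(i)
    rules = {}
    for (a, b), idx in pair_sessions.items():
        support = len(idx) / n
        confidence = len(idx) / len(sessions_with[a])
        if support >= min_support and confidence >= min_confidence:
            rules.setdefault(a, {})[b] = (round(support, 3), round(confidence, 3))
    return rules


def detect_session(session, rules, spec=TRANSACTION_SPEC):
    """Hybrid detection over one session given as (name, ops) tuples.
    Every transaction is checked against the specification, and every adjacent
    pair is checked against the learned successors of its antecedent.
    Returns the list of alerts; an empty list means the session looks normal."""
    alerts = []
    for name, ops in session:
        problem = check_transaction(name, ops, spec)
        if problem:
            alerts.append(f"transaction-level: {problem}")
    names = [name for name, _ in session]
    for a, b in zip(names, names[1:]):
        expected = rules.get(a)
        if expected is not None and b not in expected:
            alerts.append(f"inter-transaction: {a} -> {b} is not a learned successor "
                          f"(expected one of {sorted(expected)})")
    return alerts


# Constructed sessions for demonstration: one normal, one suspicious (the second
# transfer issues an extra WRITE, and transfers follow login and each other).
NORMAL_SESSION = [
    ("login", ["READ:subscriber"]), ("balance", ["READ:account"]),
    ("topup", ["READ:subscriber", "WRITE:subscriber", "WRITE:ledger"]), ("logout", []),
]
SUSPICIOUS_SESSION = [
    ("login", ["READ:subscriber"]),
    ("transfer", ["READ:account", "WRITE:account", "WRITE:ledger"]),
    ("transfer", ["READ:account", "WRITE:account", "WRITE:account", "WRITE:ledger"]),
    ("logout", []),
]

if __name__ == "__main__":
    rules = mine_sequence_rules(TRAINING_SESSIONS, min_support=0.3, min_confidence=0.3)
    for antecedent, successors in sorted(rules.items()):
        print(antecedent, "->", successors)
    print("normal:", detect_session(NORMAL_SESSION, rules))
    print("suspicious:", *detect_session(SUSPICIOUS_SESSION, rules), sep="\n  ")
```

The threshold trade-off the abstract refers to is visible directly: with `min_confidence=0.3` the rule `balance -> topup` (confidence 0.333 on these constructed sessions) is learned and the normal session raises no alert, while raising `min_confidence` to 0.5 discards that rule and the same legitimate session is flagged as a false positive. Tightening the specification in the same way lowers false negatives at the transaction level but demands that every legitimate transaction shape be enumerated.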
