Detecting anomalous access patterns in relational databases |
| |
Authors: | Ashish Kamra Evimaria Terzi Elisa Bertino |
| |
Affiliation: | (1) Purdue University and CERIAS, West Lafayette, IN, USA;(2) University of Helsinki and HIIT, Helsinki, Finland |
| |
Abstract: | A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high
assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID)
techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms
proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach
is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles
that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing
the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a
RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is
able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An
important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting
against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user
population. In the second scenario, we assume that there are no roles associated with users of the database. In this case,
we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal
user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to
identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database
traces shows that our methods work well in practical situations.
This material is based upon work supported by the National Science Foundation under Grant No. 0430274 and the sponsors of
CERIAS. |
| |
Keywords: | Anomaly detection Intrusion detection User profiles DBMS RBAC |
本文献已被 SpringerLink 等数据库收录! |
|