Anomaly behavior detection of database user based on discrete-time Markov chain
Cite this article: BI Meng, WANG An-di, XU Jian, ZHOU Fu-cai. Anomaly behavior detection of database user based on discrete-time Markov chain[J]. Journal of Shenyang University of Technology, 2018, 40(1): 70-76.
Authors: BI Meng, WANG An-di, XU Jian, ZHOU Fu-cai
Affiliation: 1. Software College, Northeastern University, Shenyang 110169, China; 2. School of Management, Shenyang University of Technology, Shenyang 110870, China; 3. State Key Laboratory of Information Security, Institute of Information Engineering of Chinese Academy of Sciences, Beijing 100093, China
Funding: National Natural Science Foundation of China (61602102, 61402095); Liaoning Province Science and Technology Research Program (2013217004); Fundamental Research Funds for the Central Universities (N151704002); Shenyang Science and Technology Program (F14-231-1-08)

Abstract: To address the problem of internal attacks in database systems, an anomaly detection method based on user behavior was introduced into internal attack detection for database systems. The discrete-time Markov chain (DTMC) was applied to database system anomaly detection, and a DTMC-based anomaly detection system for user behavior was established. The SQL statements submitted by users were taken as the user behavior features and analyzed. The behavior features of normal users and of the behavior to be detected were each extracted with DTMC and then compared. If the degree of deviation between the two exceeded the threshold, the detected behavior was judged to be anomalous. The feasibility and effectiveness of the proposed system were tested experimentally. The results show that the proposed system can describe user behavior well and can effectively detect internal attacks on the database system.

Keywords: network security; database security; user behavior; internal attack; anomaly detection; intrusion detection; SQL statement; discrete-time Markov chain (DTMC)
This article has been indexed by CNKI and other databases.