Abstract
Timely detection of insider attacks is one of the main challenges in database security. Research on anomaly-based database intrusion detection systems has received significant attention because of its potential to detect zero-day insider attacks. Such approaches differ mainly in how they construct the normative behavior of an (insider) role or user. In this paper, a different perspective on the construction of normative behavior is presented: normative behavior is captured instead from the perspective of the DBMS itself. Using techniques from Statistical Process Control, a model of DBMS-oriented normal behavior is described that can be used to detect frequency-based anomalies in database access. The approach is evaluated on a synthetic dataset, and we also demonstrate that this DBMS-oriented profile can be transformed into the more traditional role-oriented profiles.
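As an added illustration of the idea in the abstract (this is not the paper's own code or its exact model), the following Python builds a simple Statistical Process Control chart over per-window counts of one database operation as seen by the DBMS, flags windows whose frequency falls outside the control limits, and shows how a pooled DBMS-oriented count profile relates to per-role profiles. The c-chart with Poisson-style limits, the 10-minute windows, the role names and all counts and events are constructed assumptions chosen for the example.

```python
"""Frequency-based anomaly detection with an SPC c-chart over DBMS operation
counts, plus the DBMS-wide vs. per-role view of the same counts.
Added example; the chart type, window size and all data are assumptions."""
from collections import defaultdict
from math import sqrt

# Constructed baseline: number of "SELECT patients" statements the DBMS saw in
# each 10-minute window during a period assumed to be free of attacks.
BASELINE_COUNTS = [12, 15, 11, 14, 13, 16, 12, 14, 13, 15, 12, 14]


def c_chart_limits(counts, k=3.0):
    """Center line and control limits of a c-chart (counts per unit).

    For Poisson-distributed counts the standard deviation is sqrt(mean), so
    the limits are mean +/- k*sqrt(mean); the lower limit is floored at 0.
    Returns (center, lower_limit, upper_limit).
    """
    if not counts:
        raise ValueError("baseline must contain at least one window")
    mean = sum(counts) / len(counts)
    sigma = sqrt(mean)
    return mean, max(0.0, mean - k * sigma), mean + k * sigma


def flag_windows(observed, limits):
    """Return [(window_index, count)] for windows outside the control limits.

    A count above the upper limit suggests bulk access (e.g. exfiltration);
    a count below the lower limit is also out of control and worth review.
    """
    _center, lower, upper = limits
    return [(i, c) for i, c in enumerate(observed) if c < lower or c > upper]


# Constructed event log: (window, role, operation) as the DBMS observes them.
EVENTS = [
    (0, "nurse", "SELECT patients"), (0, "nurse", "SELECT patients"),
    (0, "doctor", "SELECT patients"), (0, "doctor", "UPDATE patients"),
    (1, "nurse", "SELECT patients"), (1, "doctor", "SELECT patients"),
    (1, "doctor", "SELECT patients"), (1, "billing", "SELECT invoices"),
]
N_WINDOWS = 2


def dbms_profile(events, n_windows):
    """DBMS-oriented profile: per-operation counts per window, all roles pooled."""
    prof = defaultdict(lambda: [0] * n_windows)
    for window, _role, op in events:
        prof[op][window] += 1
    return dict(prof)


def role_profiles(events, n_windows):
    """Role-oriented profiles: the same counts partitioned by role."""
    prof = defaultdict(lambda: defaultdict(lambda: [0] * n_windows))
    for window, role, op in events:
        prof[role][op][window] += 1
    return {role: dict(ops) for role, ops in prof.items()}


def merge_roles(role_prof, n_windows):
    """Pool per-role profiles back into the DBMS-oriented profile.

    Summing the role profiles must reproduce dbms_profile(); this is the
    consistency check between the two views of the same log.
    """
    pooled = defaultdict(lambda: [0] * n_windows)
    for ops in role_prof.values():
        for op, counts in ops.items():
            for window, count in enumerate(counts):
                pooled[op][window] += count
    return dict(pooled)


if __name__ == "__main__":
    limits = c_chart_limits(BASELINE_COUNTS)
    print("center=%.2f lower=%.2f upper=%.2f" % limits)
    # Constructed monitoring period: window 2 shows a burst, window 4 a lull.
    observed = [13, 14, 40, 12, 1]
    print("out-of-control windows:", flag_windows(observed, limits))
    print("DBMS profile:", dbms_profile(EVENTS, N_WINDOWS))
    print("role profiles:", role_profiles(EVENTS, N_WINDOWS))
```

The control limits come only from the baseline period, so the baseline must be chosen from logs believed to be clean; an insider already active during training would be absorbed into "normal". Real deployments would also keep one chart per operation (or per table) rather than a single global count, since a burst on a sensitive table can hide inside an unremarkable total.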
Acknowledgments
This work was supported by Science Foundation Ireland under grant SFI/12/RC/2289.
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Khan, M.I., O’Sullivan, B., Foley, S.N. (2018). A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems. In: Cuppens, N., Cuppens, F., Lanet, J.-L., Legay, A., Garcia-Alfaro, J. (eds.) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science, vol. 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_2
DOI: https://doi.org/10.1007/978-3-319-76687-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76686-7
Online ISBN: 978-3-319-76687-4