Abstract
Monitoring database activity is useful for identifying and preventing data breaches. Database activity monitoring (DAM) systems use anomaly detection algorithms to alert security officers to possible infractions. However, the sheer number of transactions makes it impossible to track every transaction, so deployed solutions rely on manually crafted policies to decide which transactions to monitor and log. Creating a smart, data-driven policy for monitoring transactions requires moving beyond such manual policies. In this paper, we describe a novel simulation method for user activity. We introduce events of change in the user transaction profile and assess the impact of sampling on the anomaly detection algorithm. We found that looking for anomalies in a fixed subset of the data using a static policy misses most of these events, since low-risk users are ignored. A Bayesian sampling policy identified 67% of the anomalies while sampling only 10% of the data, compared to a baseline that uses all of the data.
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Grushka-Cohen, H., Biller, O., Sofer, O., Rokach, L., Shapira, B. (2019). Simulating User Activity for Assessing Effect of Sampling on DB Activity Monitoring Anomaly Detection. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science(), vol 11550. Springer, Cham. https://doi.org/10.1007/978-3-030-17277-0_5
DOI: https://doi.org/10.1007/978-3-030-17277-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17276-3
Online ISBN: 978-3-030-17277-0
eBook Packages: Computer Science, Computer Science (R0)