
A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2017)

Part of the book series: Lecture Notes in Computer Science, volume 10694

Abstract

Timely detection of insider attacks is a prominent challenge in database security. Research on anomaly-based database intrusion detection systems has received significant attention because of its potential to detect zero-day insider attacks. Such approaches differ mainly in how they construct the normative behavior of an (insider) role or user. In this paper, a different perspective on the construction of normative behavior is presented, whereby normative behavior is captured from the perspective of the DBMS itself. Using techniques from Statistical Process Control, a model of DBMS-oriented normal behavior is described that can be used to detect frequency-based anomalies in database access. The approach is evaluated using a synthetic dataset, and we also demonstrate that this DBMS-oriented profile can be transformed into the more traditional role-oriented profiles.
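As an added illustration (not code from the paper, whose exact SPC model is not on this page), the following Python builds Shewhart-style mean plus or minus three sigma control limits over per-window query-signature counts from a constructed baseline, then checks one observed window under a DBMS-oriented view that ignores who issued each query and a role-oriented view that keeps the role. The three-sigma limits, the query-signature keys, the roles and all sample counts are assumptions of this example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: per-window counts of (role, query signature) pairs,
# standing in for a DBMS audit log sliced into ten equal time windows.
BASELINE = {
    ("clerk", "SELECT customers"): [20, 22, 19, 21, 20, 23, 18, 21, 20, 21],
    ("clerk", "UPDATE orders"):    [3, 2, 4, 3, 3, 2, 3, 4, 3, 3],
    ("admin", "SELECT customers"): [1, 0, 1, 1, 0, 1, 1, 0, 1, 1],
}
# Constructed observation window: a clerk account suddenly issues 60 SELECTs.
OBSERVED = {("clerk", "SELECT customers"): 60, ("clerk", "UPDATE orders"): 3,
            ("admin", "SELECT customers"): 1}

def dbms_view(role, sig): return sig           # who issued the query is ignored
def role_view(role, sig): return (role, sig)   # one profile per role

def window_counts(counts_by_pair, view):
    """Aggregate the (role, signature) series into one Counter per window."""
    n = len(next(iter(counts_by_pair.values())))
    per_window = [Counter() for _ in range(n)]
    for (role, sig), series in counts_by_pair.items():
        for w, c in enumerate(series):
            per_window[w][view(role, sig)] += c
    return per_window

def control_limits(samples, k=3.0):
    """Shewhart-style limits mean +/- k*sigma over the baseline windows (assumed)."""
    mu, sigma = mean(samples), pstdev(samples)
    return max(0.0, mu - k * sigma), mu + k * sigma

def build_profile(counts_by_pair, view, k=3.0):
    # Map every key seen in the baseline to its (lower, upper) control limits.
    per_window = window_counts(counts_by_pair, view)
    keys = set().union(*per_window)
    return {key: control_limits([w[key] for w in per_window], k) for key in keys}

def detect(observed, view, profile):
    """Return (key, count, reason) for each out-of-control or unseen key."""
    window = Counter()
    for (role, sig), c in observed.items():
        window[view(role, sig)] += c
    alerts = []
    for key, c in window.items():
        if key not in profile:
            alerts.append((key, c, "never seen in baseline"))
        elif not profile[key][0] <= c <= profile[key][1]:
            lo, hi = profile[key]
            alerts.append((key, c, f"outside [{lo:.1f}, {hi:.1f}]"))
    return alerts
```

A baseline that already contains the insider's activity widens the limits, so it should come from a period believed clean; a signature absent from the baseline is reported separately because frequency limits say nothing about it.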




Acknowledgments

This work was supported by Science Foundation Ireland under grant SFI/12/RC/2289.

Author information

Corresponding author: Muhammad Imran Khan.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Khan, M.I., O’Sullivan, B., Foley, S.N. (2018). A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems. In: Cuppens, N., Cuppens, F., Lanet, JL., Legay, A., Garcia-Alfaro, J. (eds) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science, vol 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_2


  • DOI: https://doi.org/10.1007/978-3-319-76687-4_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76686-7

  • Online ISBN: 978-3-319-76687-4
