Detecting anomalous access patterns in relational databases

  • Regular Paper
  • The VLDB Journal

Abstract

A considerable effort has recently been devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, few ID mechanisms have been proposed that are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining the SQL queries stored in database audit log files. The result of the mining process is used to form profiles that model normal database access behavior and identify intruders. We consider two different scenarios. In the first, we assume that the database has a Role Based Access Control (RBAC) model in place. Under an RBAC system, permissions are associated with roles, each grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals who, while holding a specific role, behave differently than expected. An important advantage of an ID technique specifically tailored to RBAC databases is that it can help protect against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with a large user population. In the second scenario, we assume that there are no roles associated with the users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.
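The RBAC scenario described above, as an added example that is not code from the paper: each audit-log query is reduced to a coarse feature set (command, tables touched, projection width), one naive Bayes profile is trained per role from role-labelled records, and a query run under role R is flagged as a role intrusion when the profiles say some other role is the more likely author. The audit records are constructed for the example; the feature triple, the naive Bayes classifier and the names `RoleProfiles`, `build_profiles` and `scan` are this example's assumptions, not necessarily the paper's representation or method.

```python
import math
import re
from collections import Counter, defaultdict

# Minimal SQL reader, sufficient for the constructed audit records below.
_CMD_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
_TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
_PROJ_RE = re.compile(r"^\s*SELECT\s+(.*?)\s+FROM\b", re.I | re.S)


def features(sql):
    """Reduce a statement to symbolic features: command, tables, projection width.

    This coarse triple is the example's own assumption about what to extract
    from an audit record; the projection width is capped at 5 to keep it symbolic.
    """
    m = _CMD_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement: %r" % sql)
    feats = {"cmd=" + m.group(1).upper()}
    for table in _TABLE_RE.findall(sql):
        feats.add("table=" + table.lower())
    p = _PROJ_RE.match(sql)
    if p:
        proj = p.group(1).strip()
        feats.add("ncols=" + ("all" if proj == "*" else str(min(len(proj.split(",")), 5))))
    return feats


class RoleProfiles:
    """One Bernoulli naive Bayes profile per role, with Laplace smoothing."""

    def __init__(self):
        self.role_count = Counter()             # role -> number of training queries
        self.feat_count = defaultdict(Counter)  # role -> feature -> queries containing it
        self.vocab = set()                      # every feature seen in training

    def train(self, log):
        for role, sql in log:
            self.role_count[role] += 1
            for f in features(sql):
                self.feat_count[role][f] += 1
                self.vocab.add(f)

    def log_posteriors(self, sql):
        """Unnormalised log P(role | query); features never seen in training are ignored."""
        feats = features(sql)
        total = sum(self.role_count.values())
        scores = {}
        for role, n in self.role_count.items():
            lp = math.log(n / total)
            for f in self.vocab:
                p = (self.feat_count[role][f] + 1) / (n + 2)   # smoothed P(f | role)
                lp += math.log(p if f in feats else 1.0 - p)
            scores[role] = lp
        return scores

    def predict(self, sql):
        scores = self.log_posteriors(sql)
        return max(scores, key=scores.get)

    def is_role_intruder(self, claimed_role, sql):
        """A query is anomalous when its most likely role is not the role it ran under."""
        return self.predict(sql) != claimed_role


# Constructed, role-labelled audit records standing in for a real audit log.
TRAINING_LOG = [
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 17"),
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 42"),
    ("clerk", "UPDATE accounts SET balance = 100 WHERE id = 17"),
    ("clerk", "INSERT INTO transactions VALUES (1, 17, 25.00)"),
    ("analyst", "SELECT * FROM transactions"),
    ("analyst", "SELECT * FROM transactions JOIN accounts ON accounts.id = transactions.acct"),
    ("analyst", "SELECT acct, amount FROM transactions WHERE amount > 1000"),
    ("analyst", "SELECT * FROM audit_log"),
]

# Constructed queries to scan: two fit the claimed role, two do not.
TEST_LOG = [
    ("clerk", "SELECT name, balance FROM accounts WHERE id = 99"),
    ("clerk", "SELECT * FROM audit_log"),
    ("analyst", "SELECT * FROM transactions"),
    ("analyst", "UPDATE accounts SET balance = 0 WHERE id = 17"),
]


def build_profiles(log=TRAINING_LOG):
    profiles = RoleProfiles()
    profiles.train(log)
    return profiles


def scan(profiles, log):
    """Return (claimed_role, sql, predicted_role) for every flagged record."""
    return [(role, sql, profiles.predict(sql))
            for role, sql in log if profiles.is_role_intruder(role, sql)]


if __name__ == "__main__":
    for alert in scan(build_profiles(), TEST_LOG):
        print("role intruder: %s ran %r (looks like %s)" % alert)
```

Two caveats a deployment has to address: the training log must be known-clean, since any insider activity already in it is learned as normal, and a detector of this kind only sees deviations at the granularity of its features, so an insider who stays within the tables and statement shapes typical of their role is not flagged.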

Corresponding author

Correspondence to Ashish Kamra.

Additional information

This material is based upon work supported by the National Science Foundation under Grant No. 0430274 and the sponsors of CERIAS.

Cite this article

Kamra, A., Terzi, E. & Bertino, E. Detecting anomalous access patterns in relational databases. The VLDB Journal 17, 1063–1077 (2008). https://doi.org/10.1007/s00778-007-0051-4
