Abstract
The security of computers and their networks is of crucial concern in the world today. One mechanism for safeguarding information stored in database systems is an Intrusion Detection System (IDS). The purpose of intrusion detection in database systems is to detect malicious transactions that corrupt data. Recently, researchers have been working on using data mining techniques to detect such malicious transactions in database systems. Their approach concentrates on mining data dependencies among data items; transactions that do not comply with these data dependencies are identified as malicious. The algorithms these approaches use for designing their data dependency miner have limitations. For instance, they need to experimentally determine appropriate settings for minimum support and related constraints, which does not necessarily lead to strong data dependencies. In this paper we propose a new data mining algorithm, called Optimal Data Access Dependency Rule Mining (ODADRM), for designing the data dependency miner of our database IDS. ODADRM is an extension of the k-optimal rule discovery algorithm, adapted to the database intrusion detection domain. ODADRM avoids many limitations of previous data dependency miner algorithms. As a result, our approach is able to track normal transactions and detect malicious ones more effectively than existing approaches.
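As an added illustration of the dependency-mining idea the abstract describes (example code written here, not the paper's ODADRM algorithm or its implementation): a constructed log of normal transactions is mined for rules of the form "write(target) is preceded by read(source)", the k best rules are kept by confidence and support instead of by a hand-tuned minimum-support threshold, and a transaction that writes an item without the expected prior reads is flagged as non-compliant. Item names (`bal`, `lim`, `log`) and the rule-ranking measure are assumptions of this example.

```python
from collections import Counter

# Constructed sample log: each transaction is a list of (op, item) pairs in
# execution order; "r" = read, "w" = write. Not data from the paper.
NORMAL_LOG = [
    [("r", "bal"), ("r", "lim"), ("w", "bal"), ("w", "log")],
    [("r", "bal"), ("r", "lim"), ("w", "bal")],
    [("r", "bal"), ("w", "log")],
    [("r", "bal"), ("r", "lim"), ("w", "bal"), ("w", "log")],
    [("r", "lim"), ("r", "bal"), ("w", "bal")],
]

def read_before_write_pairs(tx):
    """Return the set of (target, source) pairs where item `target` is
    written after item `source` was read earlier in the same transaction."""
    seen_reads, pairs = set(), set()
    for op, item in tx:
        if op == "r":
            seen_reads.add(item)
        elif op == "w":
            pairs.update((item, src) for src in seen_reads)
    return pairs

def mine_rules(transactions, k):
    """Rank candidate rules 'write(target) is preceded by read(source)' by
    confidence, then support, and keep the k best. A fixed minimum-support
    cut-off would instead have to be tuned by experiment: here min_sup=3
    keeps three rules but min_sup=4 silently drops a rule of confidence 1.0."""
    pair_count, write_count = Counter(), Counter()
    for tx in transactions:
        write_count.update({item for op, item in tx if op == "w"})
        pair_count.update(read_before_write_pairs(tx))
    scored = [(sup / write_count[t], sup, t, s)
              for (t, s), sup in pair_count.items()]
    scored.sort(key=lambda r: (-r[0], -r[1], r[2], r[3]))
    return [(t, s, conf) for conf, sup, t, s in scored[:k]]

def violations(tx, rules):
    """Rules a transaction breaks: it writes `target` without reading
    `source` first. A non-empty list marks the transaction non-compliant."""
    pairs = read_before_write_pairs(tx)
    written = {item for op, item in tx if op == "w"}
    return [(t, s) for t, s, _ in rules if t in written and (t, s) not in pairs]

def is_malicious(tx, rules):
    return bool(violations(tx, rules))

if __name__ == "__main__":
    rules = mine_rules(NORMAL_LOG, 3)
    print(rules)
    print(violations([("w", "bal"), ("w", "log")], rules))
```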
Sohrabi, M., Javidi, M.M. & Hashemi, S. Detecting intrusion transactions in database systems:a novel approach. J Intell Inf Syst 42, 619–644 (2014). https://doi.org/10.1007/s10844-013-0286-z