Design and Analysis of Techniques for Detection of Malicious Activities in Database Systems

Published in: Journal of Network and Systems Management

Abstract

Existing host-based Intrusion Detection Systems use the operating system log or the application log to detect misuse or anomalous activity. These methods are not sufficient for detecting intrusions in database systems. In this paper, we describe a method for detecting malicious activities in a database management system by using data dependency relationships. Typically, before a data item is updated in the database, some other data items are read or written, and after the update, other data items may also be written. The data items read or written in the course of updating a data item constitute the read set, prewrite set, and postwrite set for that data item. The proposed method identifies malicious transactions by comparing these sets with the data items actually read or written in user transactions. We provide mechanisms for finding data dependency relationships among transactions and use Petri-Nets to model normal data update patterns at the user task level. Using this method, we uncover more hidden anomalies in the database log. Our simulation on synthetic data shows that the proposed model achieves desirable performance when both transaction-level and user-task-level intrusion detection methods are employed.
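The following is an added example (not code from the paper or its authors) that illustrates the transaction-level part of the idea: it learns per-item read, prewrite and postwrite sets from a constructed log of normal transactions and flags updates whose surrounding reads and writes do not match. The transaction format, the use of set intersection as the learning rule, and the "missing item" comparison are assumptions made for illustration, not the paper's own dependency-mining rules.

```python
"""Simplified data-dependency check for database transactions (added example)."""

# A transaction is a list of (op, item) with op in {"r", "w"}, in execution order.
# Constructed sample log of normal transactions: updating "balance" is always
# preceded by reading "account" and "rate" and followed by writing "audit".
NORMAL_LOG = [
    [("r", "account"), ("r", "rate"), ("w", "balance"), ("w", "audit")],
    [("r", "account"), ("r", "rate"), ("r", "limit"), ("w", "balance"), ("w", "audit")],
    [("r", "stock"), ("w", "stock"), ("w", "order")],
]

def dependency_sets(txn, idx):
    """Read, prewrite and postwrite sets for the write at position idx of txn."""
    reads = {it for op, it in txn[:idx] if op == "r"}
    prewrite = {it for op, it in txn[:idx] if op == "w"}
    postwrite = {it for op, it in txn[idx + 1:] if op == "w"}
    return reads, prewrite, postwrite

def learn_profiles(log):
    """Per item, keep the read/prewrite/postwrite items shared by every normal
    update of that item (assumption: intersection across the training log)."""
    profiles = {}
    for txn in log:
        for idx, (op, item) in enumerate(txn):
            if op != "w":
                continue
            observed = dependency_sets(txn, idx)
            if item not in profiles:
                profiles[item] = [set(s) for s in observed]
            else:
                for learned, seen in zip(profiles[item], observed):
                    learned &= seen  # in-place intersection of the stored set
    return profiles

def check_transaction(txn, profiles):
    """Return a list of (item, reason) violations; an empty list means the
    transaction's updates are consistent with the learned dependency sets."""
    violations = []
    for idx, (op, item) in enumerate(txn):
        if op != "w":
            continue
        if item not in profiles:
            violations.append((item, "no update profile for item"))
            continue
        observed = dependency_sets(txn, idx)
        for name, learned, seen in zip(("read", "prewrite", "postwrite"),
                                       profiles[item], observed):
            missing = learned - seen
            if missing:
                violations.append((item, f"{name} set missing {sorted(missing)}"))
    return violations
```

A transaction that writes "balance" without first reading "account" and "rate", or without the trailing "audit" write, is reported with the exact set it failed to satisfy.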



Corresponding author: Brajendra Panda.

Additional information

Yi Hu is a PhD candidate in the Computer Science and Computer Engineering Department at the University of Arkansas. His research interests are in database intrusion detection, database damage assessment, data mining, and trust management. Previously, he received BS and MS degrees in Computer Science from Southwest Jiaotong University and the University of Arkansas, respectively.

Brajendra Panda received his MS degree in mathematics from Utkal University, India, in 1985 and his PhD degree in computer science from North Dakota State University in 1994. He is currently an associate professor in the Computer Science and Computer Engineering Department at the University of Arkansas. His research interests include database systems, computer security, digital forensics, and information assurance. He has published over 60 research papers in these areas.

Cite this article

Hu, Y., Panda, B. Design and Analysis of Techniques for Detection of Malicious Activities in Database Systems. J Netw Syst Manage 13, 269–291 (2005). https://doi.org/10.1007/s10922-005-6264-1
