Database intrusion detection using role and user behavior based risk assessment

https://doi.org/10.1016/j.jisa.2020.102654

Highlights

  • A robust algorithm for DIDS which assesses risk associated with incoming transaction and selects the response from a suite of countermeasures.

  • A novel framework for creating user profiles based upon fingerprinting legitimate transactions for a user.

  • A novel method for agglomeration of different behavioral checks, i.e., combining the results of the user, role and temporal analysis into one.

Abstract

Present-day organizations continue to expose their critical information infrastructures over the Internet to facilitate accessibility, substantially raising concerns about the security of data from both outsiders and insiders. In this paper, we propose a novel approach for detecting intrusive attacks on databases by assessing the risk of an incoming transaction based upon the conflation of multiple behavior-based components for the user. In a database intrusion detection system for a role-based access control (RBAC) environment, it is not sufficient to focus on role-based features, as every user within the same role has a degree of uniqueness. Moreover, traditional database intrusion detection systems classify incoming transactions into two classes (malicious or non-malicious), taking the same action for all transactions labeled as malicious irrespective of the damage each can cause to the system. Our approach, Role and User Behavior-based Risk Assessment (RUBRA), uses both role-behavior and user-behavior based features for detecting an intrusive attack. Further, we also quantify the risk associated with the incoming transaction, streamlining the countermeasure process. Experiments on stochastic datasets show promising results on both detection and labeling of malicious transactions.

Introduction

Databases are an indispensable part of the working of organizations in the present era. The meteoric rise in adoption of database management systems as the primary structure for handling information can be ascribed to increasing data volumes. It has been estimated that the volume of business data worldwide, across all companies, doubles every 1.2 years [1]. With highly sensitive data and an increased online presence, concerns regarding database security are at an all-time high. As more systems are brought online to improve accessibility, the susceptibility to malicious attacks also increases. Along with substantial financial losses, estimated to be about $1.3 million [2], malicious attacks are also responsible for the degradation of the organization's public image and customer relationships.

The conventional security measures for protecting databases consist of features including, but not limited to, data encryption, auditing, authorization, enforcing a separation of duties (SoD) policy, and fine-grained user-level access. The approaches mentioned above prove efficacious in their respective use cases but fail to alleviate malicious insider attacks. A malicious insider can be an employee, contractor or business partner who has or had access to an organization's information infrastructure and purposefully exceeds or misuses that access in a manner which compromises the confidentiality, integrity or availability of the organization's data [3], [4], [5].

The fundamental challenge in identifying and mitigating internal threats arises from the fact that the intruders are authorized users of the system, having the relevant access rights and familiarity with the parts of the database schema and the security mechanisms that are in place. Therefore, insider threats can persist for long periods without being detected and cause considerable damage to database systems. Given the dynamic nature of the problem, we reckon that capturing user behavior is necessary for designing an effective intrusion detection system (IDS). Our work is not the first to employ user interactions and temporal patterns as features for building an IDS; similar approaches have been employed in the past [6], [7], [8]. The novelty of our approach lies in the attributes that are used to build a user profile and in the conflation of multiple behavioral patterns to arrive at a conclusion. The advantages of this approach are two-fold: firstly, a considerable increase in the types of attacks that are captured; secondly, an overall improvement in performance over traditional IDS.

Existing intrusion detection systems can be broadly categorized on the basis of the features used to create the system, i.e., they employ either a data-centric approach [8], [9] or a syntax-centric approach [10], [11]. In this paper, we adopt a syntax-centric approach, and our notion of behavior is based upon fingerprinting features from the SQL queries sent to the database by the user. Behavioral features such as locational (the geographical coordinates of database access), biological (such as typing speed) and query correlation are currently not in the scope of our work and will be considered in the future.

One of the widely followed approaches for alleviating misuse of assigned roles in an organization is RBAC [12], which regulates user access via permissions. In an RBAC model, the behavior of a user can be evaluated at two levels. The first is the role level, which captures how closely the current user transaction adheres to those of users with the same role, i.e., how closely the current user's actions resemble those of others holding that role. Typical approaches at this level use pattern mining to find consistent patterns in the previously stored legitimate transactions of all users with the same role [10], [13]. The queries in the incoming transaction are then evaluated against the set of previously mined patterns and a conformance score is generated; this score is then used to label the incoming transaction as malicious or non-malicious based on a chosen threshold. In our discussion we refer to this score as the role-based similarity score (RBSS). While this approach is widely used, it also results in a number of false positives because the user's individual behavior is not accounted for. Hence, at the second level, we capture the user's unique behavior. The features at this level include the count of sensitive elements accessed in the query and the access frequency of each table. As at the role level, queries in the incoming transaction are evaluated against the stored attributes and a conformance score is assigned. Apart from features based upon the SQL queries, the timestamp is employed to capture the temporal dimension of behavior: the legitimate temporal access pattern. The timestamp of the incoming transaction is assigned a score based upon its proximity to the user's standard time of access. Finally, the weighted average of the scores assigned at each level is computed, denoting the perceived probability of the transaction being malicious.

Existing database intrusion detection systems give a binary judgment regarding the transaction, i.e., the transaction is either malicious or non-malicious. While such an approach safeguards the database against threats adequately, it leads to degradation of user experience and unnecessary system overhead [14]. Since each incoming transaction, if executed, will have a different impact on the system, an IDS should also be capable of issuing different countermeasures based on the severity of the situation. To widen the spectrum of countermeasures we introduce the concept of risk. The risk associated with a given transaction is a measure of the perceived damage to the system if the transaction were executed.

The range of risk values is then divided into bins and an appropriate countermeasure is assigned to each bin. In a real-world scenario, countermeasures are assigned based upon the opinion of the DBA and the SME. For each incoming transaction, a different action is taken based upon its perceived risk, streamlining the response process. To the best of our knowledge, this is the first attempt to integrate risk into host-based intrusion detection for databases.
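The two-level scoring described above (role-based similarity, user-level conformance, temporal proximity, their weighted average) and the binning of risk into countermeasures can be made concrete with a small scorer. The following is an added illustration written for this page, not code from the paper or its authors. The frequent-signature mining used as the role-level check, the exact user-level features, the linear temporal decay, the weights, the impact estimate, the bin edges, the countermeasure labels and all audit data are assumptions made for the example, and the audit transactions are constructed.

```python
"""Toy RUBRA-style scorer (added example, not the paper's code). All feature
definitions, weights, thresholds, bin edges and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed schema metadata: attribute -> sensitivity level (low/medium/high).
SENSITIVITY = {
    "customer.name": "medium", "customer.city": "low",
    "customer.balance": "high", "customer.ssn": "high",
    "orders.id": "low", "orders.amount": "medium", "warehouse.stock": "low",
}
SENS_WEIGHT = {"low": 1, "medium": 2, "high": 4}   # assumed impact weights
MIN_SUPPORT = 0.5     # fraction of the role's transactions a pattern must occur in
HOUR_WINDOW = 6.0     # temporal score decays linearly to 0 over this many hours
W_ROLE, W_USER, W_TIME = 0.4, 0.4, 0.2             # weights for the conflation
BINS = [(0.1, "allow"), (0.3, "allow and log for DBA review"),
        (0.5, "hold transaction and alert DBA"),
        (1.01, "block transaction and suspend session")]   # assumed bins


@dataclass(frozen=True)
class Query:
    op: str
    table: str
    columns: tuple

    def signature(self):  # canonical form used for role-level pattern matching
        return (self.op, self.table, tuple(sorted(self.columns)))

    def sensitive_count(self):  # "sensitive element" = attribute rated high
        return sum(1 for c in self.columns if SENSITIVITY[f"{self.table}.{c}"] == "high")


def q(op, table, *cols):
    return Query(op, table, tuple(cols))


def build_role_profile(transactions):
    """Frequent exact signatures and frequent (op, table) pairs for a role."""
    n = len(transactions)
    sig_counts = Counter(s for tx in transactions for s in {x.signature() for x in tx})
    pair_counts = Counter(p for tx in transactions for p in {(x.op, x.table) for x in tx})
    return ({s for s, c in sig_counts.items() if c / n >= MIN_SUPPORT},
            {p for p, c in pair_counts.items() if c / n >= MIN_SUPPORT})


def build_user_profile(history):
    """history: list of (hour_of_day, transaction) legitimately committed by the user."""
    queries = [x for _, tx in history for x in tx]
    table_freq = {t: c / len(queries) for t, c in Counter(x.table for x in queries).items()}
    counts = [x.sensitive_count() for x in queries]
    return {"table_freq": table_freq,
            "sensitive_limit": mean(counts) + 2 * pstdev(counts),
            "typical_hour": mean([h for h, _ in history])}


def role_score(tx, role_profile):
    """RBSS: 1 for a frequent signature, 0.5 for a frequent (op, table) pair, else 0."""
    sigs, pairs = role_profile
    return mean(1.0 if x.signature() in sigs else 0.5 if (x.op, x.table) in pairs else 0.0
                for x in tx)


def user_score(tx, profile):
    """User-level conformance: table access frequency x sensitive-count conformance."""
    per_query = []
    for x in tx:
        freq = profile["table_freq"].get(x.table, 0.0)
        c = x.sensitive_count()
        sens = 1.0 if c <= profile["sensitive_limit"] else profile["sensitive_limit"] / c
        per_query.append(freq * sens)
    return mean(per_query)


def temporal_score(hour, profile):
    """Proximity of the access hour to the user's typical hour (circular distance)."""
    d = abs(hour - profile["typical_hour"])
    d = min(d, 24 - d)
    return max(0.0, 1.0 - d / HOUR_WINDOW)


def impact(tx):
    """Assumed impact estimate: mean sensitivity weight of touched attributes / max weight."""
    weights = [SENS_WEIGHT[SENSITIVITY[f"{x.table}.{c}"]] for x in tx for c in x.columns]
    return mean(weights) / max(SENS_WEIGHT.values())


def assess(tx, hour, role_profile, user_profile):
    """Return (p_malicious, risk, countermeasure) for an incoming transaction."""
    rbss, ubss, ts = role_score(tx, role_profile), user_score(tx, user_profile), temporal_score(hour, user_profile)
    p_mal = W_ROLE * (1 - rbss) + W_USER * (1 - ubss) + W_TIME * (1 - ts)
    risk = p_mal * impact(tx)
    return p_mal, risk, next(label for upper, label in BINS if risk < upper)


# Constructed audit data for the "teller" role and for user alice (a teller).
ROLE_HISTORY = [
    [q("SELECT", "customer", "name", "balance"), q("UPDATE", "customer", "balance")],
    [q("SELECT", "customer", "name", "balance"), q("INSERT", "orders", "id", "amount")],
    [q("SELECT", "customer", "name", "city"), q("UPDATE", "customer", "balance")],
    [q("SELECT", "customer", "name", "balance"), q("UPDATE", "customer", "balance")],
]
ALICE_HISTORY = [
    (9.5, [q("SELECT", "customer", "name", "balance"), q("UPDATE", "customer", "balance")]),
    (10.0, [q("SELECT", "customer", "name", "balance")]),
    (11.0, [q("SELECT", "customer", "name", "city"), q("UPDATE", "customer", "balance")]),
]
TELLER = build_role_profile(ROLE_HISTORY)
ALICE = build_user_profile(ALICE_HISTORY)
ROUTINE = [q("SELECT", "customer", "name", "balance"), q("UPDATE", "customer", "balance")]
ODD = [q("SELECT", "customer", "ssn", "balance", "name"), q("SELECT", "warehouse", "stock")]

if __name__ == "__main__":
    for name, tx, hour in (("routine", ROUTINE, 10.5), ("odd", ODD, 3.0)):
        p, r, action = assess(tx, hour, TELLER, ALICE)
        print(f"{name}: p_malicious={p:.3f} risk={r:.3f} -> {action}")
```

The routine transaction matches the role's frequent patterns, touches only the table alice normally uses, and arrives near her usual hour, so its risk lands in the lowest bin. The odd transaction reads more high-sensitivity attributes than her profile tolerates, touches a table she has never accessed, and arrives at 3 AM; each level lowers its conformance, the weighted average rises, and multiplying by the impact of the attributes read pushes it into the blocking bin. Real pattern mining over a log (as in the cited work) and DBA-chosen bins would replace the toy profile builders and the constant table here.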

The major contributions of this work are as follows:

  • It presents a novel approach for creating a user profile based upon fingerprinting legitimate transactions committed by the user.

  • It presents a novel method for agglomeration of different behavioral checks, i.e., combining the results of the user, role and temporal analysis into one unified parameter.

  • It proposes a robust database intrusion detection system which assesses the risk associated with an incoming transaction and selects the response from a spectrum of countermeasures.

The rest of the paper is composed as follows. An overview of the related work is given in Section 2. Section 3 describes the proposed approach. Experimental results and comparison with existing approaches are given in Section 4. Lastly, we state the conclusion in Section 5.


Related work

Over the past few decades, the research in the field of database intrusion detection has been accelerating, with a large number of works iteratively developing and improving upon the approaches of their precedents. The existing IDS can be broadly categorized into two classes: signature-based [6], [15] and anomaly-based detection [10], [16], [17]. A signature-based IDS looks for attack signatures or specific patterns that usually indicate malicious or suspicious intent. It is essential for the

Role and user behavior based intrusion detection system

We propose a binate approach towards quantitatively identifying the risk associated with an incoming transaction and suggesting a countermeasure based on its severity. The algorithm assumes that an RBAC policy is implemented in the organization's database. The model learns the behavior of the user at both the individual level and the role level; these, along with the features extracted from the incoming transaction, are used to obtain the associated risk value and the relevant action based on its severity.

Results and discussion

For evaluating the efficacy of the proposed approach, we conducted several experiments on synthetically generated transactions aimed at a conventional banking database which conforms to the TPC-C schema (Transaction Processing Performance Council 2002) [51]. In the schema, we have segregated the attributes into three levels based upon their sensitivity, i.e., low, medium, and high, with the quantitative ratio being 4:2:1. In this section, we first describe our transaction generation

Conclusion and future work

Facilitating the access of sensitive organizational data to users over the Internet makes it necessary to employ relevant security measures for the safety of data. In this paper, we propose a novel intrusion detection system for RBAC administered databases that utilizes the behavior of users at both role level and individual level to identify the incoming malicious transactions. At the role level, transactional patterns mined from database logs are employed, while at the user level, profile of

CRediT authorship contribution statement

Indu Singh: Conceptualization, Supervision, Methodology, Writing, Validation, Review & editing. Narendra Kumar: Supervision, Review & editing. Srinivasa K.G.: Conceptualization, Supervision, Methodology, Validation, Review & editing. Tript Sharma: Dataset preparation, Implementation, Methodology, Software, Validation, Writing. Vaibhav Kumar: Dataset preparation, Implementation, Methodology, Software, Validation, Writing. Siddharth Singhal: Dataset preparation, Implementation, Methodology,

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.


References (51)

  • Cherdantseva Y. et al. A review of cyber security risk assessment methods for SCADA systems. Comput Secur (2016)

  • Smith T.F. et al. Identification of common molecular subsequences. J Mol Biol (1981)

  • Needleman S.B. et al. A general method applicable to the search for similarities in the amino acid sequence of two proteins. J Mol Biol (1970)

  • Software Engineering Institute A.J. Analytic approaches to detect insider threats (2015)

  • Cappelli D.M. et al. The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes (Theft, Sabotage, Fraud) (2012)

  • Bertino E. et al. Database security-concepts, approaches, and challenges. IEEE Trans Dependable Secure Comput (2005)

  • Lee V.C. et al. Intrusion detection in real-time database systems via time signatures

  • Panigrahi S. et al. Two-stage database intrusion detection by combining multiple evidence and belief update. Inf Syst Front (2013)

  • Sun Y. et al. A data-driven evaluation for insider threats. Data Sci Eng (2016)

  • Mathew S. et al. A data-centric approach to insider attack detection in database systems

  • Hu Y. et al. A data mining approach for database intrusion detection

  • Srivastava A. et al. Database intrusion detection using weighted sequence mining. J Comput (2006)

  • Sandhu R.S. et al. Role-based access control models. Computer (1996)

  • Bertino E. et al. Intrusion detection in RBAC-administered databases

  • Kanoun W. et al. Advanced reaction using risk assessment in intrusion detection systems


    Indu Singh is an Assistant Professor in the Computer Science Engineering Department at Delhi Technological University, Delhi. Singh received her B.Tech in Computer Science & Engineering and an M.Tech degree in Information Security from Ambedkar Institute of Advanced Communication Technologies & Research, Guru Gobind Singh Indraprastha University, Govt. of NCT Delhi in 2012. She is currently pursuing her Ph.D in Computer Science and Engineering, specializing in Data Mining and Information Security at the CSE Department, Delhi Technological University. Her research interests include Database Systems, Data Mining, Information Security, Machine Learning, Fuzzy Systems and Swarm Intelligence. She has published papers in international conferences and journals of IEEE, Elsevier, Springer and ACM. She also received the IEEE Best Paper Award at ICACCI-2016. Singh has also served as a reviewer for several IEEE and Springer conferences in India and abroad.

    Prof. Narendra Kumar obtained his B.Sc. Engineering and M.Sc. Engineering from Aligarh Muslim University, Aligarh, in 1984 and 1987 respectively. He completed his Ph.D. degree at the University of Roorkee, Roorkee, India in 1995. Presently he is Professor, Department of Electrical Engineering, Delhi Technological University, Delhi, India. He has published more than 250 research papers in reputed journals and conference proceedings. He was awarded the Pandit Madan Mohan Malviya Memorial Prize in 1995 and 2018, and the K.F. Antia Memorial Medal in 2001. His areas of interest are Power System Operation & Control, Flexible AC Transmission Systems, AGC, and Voltage Stability.

    Dr. Srinivasa K.G. is currently working as a Professor at NITTTR, Chandigarh. He received his Ph.D. in Computer Science and Engineering from Bangalore University in 2007. He is the recipient of the All India Council for Technical Education Career Award for Young Teachers, the Indian Society of Technical Education ISGITS National Award for Best Research Work Done by Young Teachers, the Institution of Engineers (India) IEI Young Engineer Award in Computer Engineering, the Rajarambapu Patil National Award for Promising Engineering Teacher from ISTE (2012), and the IMS Singapore Visiting Scientist Fellowship Award. He has published more than 150 research papers in international conferences and journals. He has visited many universities abroad as a visiting researcher; the University of Oklahoma, USA, Iowa State University, USA, Hong Kong University, Korea University, the National University of Singapore and the University of British Columbia, Canada are a few of his prominent visits. He has authored eight textbooks in the areas of Internet of Things, Data Analytics, Soft Computing, Social Network Analysis, High Performance Computing and R Programming with international publishers such as Springer, TMH, Oxford, Cengage, and IGI Global. He has edited research monographs in the areas of Cyber Physical Systems, Fog Computing and Energy Aware Computing with CRC Press and IGI Global. He was awarded a BOYSCAST Fellowship by DST, Govt. of India, for a post-doctoral fellowship at the University of Melbourne, Australia, conducting collaborative research with the Clouds Laboratory in the area of Cloud Computing. He is the principal investigator for many projects funded by AICTE, UGC, DRDO, and DST. He is a senior member of IEEE and ACM. His research areas include Data Mining, Machine Learning, IoT, Cloud Computing and Digital Pedagogy. His recent research areas include Innovative Teaching Practices in Engineering Education, pedagogy, outcomes-based education, and teaching philosophy.

    Tript Sharma is a final year undergraduate pursuing Mechanical Engineering from Delhi Technological University, Delhi, India. His research interests include Machine Learning, Data Mining, Deep Learning, and Artificial Intelligence in Healthcare and Robotics. Earlier, he had been a research intern at the Defence Research and Development Organisation (DRDO), India and the Central Drug Research Institute, India.

    Vaibhav Kumar is a final year undergraduate pursuing a bachelor’s degree in Computer Science Engineering at Delhi Technological University, Delhi, India. His research interests include Information Security, Deep learning, Fairness in Machine Learning, and Natural Language Processing. He has also worked as a research associate at IIT-Kanpur.

    Siddharth Singhal is a final year undergraduate pursuing a bachelor’s degree in Computer Science Engineering at Delhi Technological University, Delhi, India. His research interests include Deep Learning, Machine Learning, Data Mining, Information Security. He interned at Tower Research Capital as a Core Engineering intern.
