Database Intrusion Detection Using Role Profiling

Insider threats cause the majority of computer system security problems and are also among the most challenging research topics in database security. An anomaly-based intrusion detection system (IDS), which can profile inside users’ normal behaviors and detect anomalies when a user’s behaviors deviate from his/her profiles, is effective to protect computer systems against insider threats since the IDS can profile each insider and then monitor them continuously. Although many IDSes have been developed at the network or host level since 1980s, there are still very few IDSes specifically tailored to database systems. We initially build our anomaly-based database IDS using two different profiling methods: one is to build profiles for each individual user (user profiling) and the other is to mine profiles for roles (role profiling). Detailed comparative evaluations between role profiling and user profiling are conducted, and we also analyze the reasons why role profiling is more effective and efficient than user profiling. Another contribution of this thesis is that we introduce role hierarchy into database IDS and remarkably reduce the false positive rate without increasing the false negative rate

AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

This report considers the application of Articial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, that covers inter alia rule based systems, model-based systems, case based reasoning, pattern matching, clustering and feature extraction, articial neural networks, genetic algorithms, arti cial immune systems, agent based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, that is at the heart of many misuse detection and localisation systems. The notion of being able to infer misuse by the correlation of individual temporally distributed events within a multiple data stream environment is explored, and a range of techniques, covering model based approaches, `programmed' AI and machine learning paradigms. It is found that, in general, correlation is best achieved via rule based approaches, but that these suffer from a number of drawbacks, such as the difculty of developing and maintaining an appropriate knowledge base, and the lack of ability to generalise from known misuses to new unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and use this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to issuing false negatives. The other attempts to `learn' the features of event patterns that constitute normal behaviour, and, by observing patterns that do not match expected behaviour, detect when a misuse has occurred. This approach is prone to issuing false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise. Contemporary approaches are seen to favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems, these mechanisms even work together to update each other to increase detection rates and lower false positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule or state based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems such that learning, generalisation and adaptation are more readily facilitated

A Fuzzy approach for detecting anomalous behaviour in e-mail traffic

This paper investigates the use of fuzzy inference for detection of abnormal changes in email traffic communication behaviour. Several communication behaviour measures and metrics are defined for extracting information on the traffic communication behaviour of email users. The information from these behaviour measures is then combined using a hierarchy of fuzzy inference systems, to provide an abnormality rating for overall changes in communication behaviour of suspect email accounts. The use of fuzzy inference is then demonstrated with a case study investigating the email traffic behaviour of a person’s email accounts from the Enron email corpus

A GENERIC ARCHITECTURE FOR INSIDER MISUSE MONITORING IN IT SYSTEMS

Intrusion Detection Systems (IDS) have been widely deployed within many organisations' IT nenvorks to delect network penetration attacks by outsiders and privilege escalation attacks by insiders. However, traditional IDS are ineffective for detecting o f abuse o f legitimate privileges by authorised users within the organisation i.e. the detection of misfeasance. In essence insider IT abuse does not violate system level controls, yet violates acceptable usage policy, business controls, or code of conduct defined by the organisation. However, the acceptable usage policy can vary from one organisation to another, and the acceptability o f user activities can also change depending upon the user(s), application, machine, data, and other contextual conditions associated with the entities involved. The fact that the perpetrators are authorised users and that the insider misuse activities do not violate system level controls makes detection of insider abuse more complicated than detection o f attacks by outsiders. The overall aim o f the research is to determine novel methods by which monitoring and detection may be improved to enable successful detection of insider IT abuse. The discussion begins with a comprehensive investigation o f insider IT misuse, encompassing the breadth and scale of the problem. Consideration is then given to the sufficiency of existing safeguards, with the conclusion that they provide an inadequate basis for detecting many o f the problems. This finding is used as the justification for considering research into alternative approaches. The realisation of the research objective includes the development of a taxonomy for identification o f various levels within the system from which the relevant data associated with each type of misuse can be collected, and formulation of a checklist for identification of applications that requires misfeasor monitoring. Based upon this foundation a novel architecture for monitoring o f insider IT misuse, has been designed. The design offers new analysis procedures to be added, while providing methods to include relevant contextual parameters from dispersed systems for analysis and reference. The proposed system differs from existing IDS in the way that it focuses on detecting contextual misuse of authorised privileges and legitimate operations, rather than detecting exploitation o f network protocols and system level \ailnerabilities. The main concepts of the new architecture were validated through a proof-of-concept prototype system. A number o f case scenarios were used to demonstrate the validity of analysis procedures developed and how the contextual data from dispersed databases can be used for analysis of various types of insider activities. This helped prove that the existing detection technologies can be adopted for detection o f insider IT misuse, and that the research has thus provided valuable contribution to the domain

Data security in European healthcare information systems

This thesis considers the current requirements for data security in European healthcare systems and establishments. Information technology is being increasingly used in all areas of healthcare operation, from administration to direct care delivery, with a resulting dependence upon it by healthcare staff. Systems routinely store and communicate a wide variety of potentially sensitive data, much of which may also be critical to patient safety. There is consequently a significant requirement for protection in many cases. The thesis presents an assessment of healthcare security requirements at the European level, with a critical examination of how the issue has been addressed to date in operational systems. It is recognised that many systems were originally implemented without security needs being properly addressed, with a consequence that protection is often weak and inconsistent between establishments. The overall aim of the research has been to determine appropriate means by which security may be added or enhanced in these cases. The realisation of this objective has included the development of a common baseline standard for security in healthcare systems and environments. The underlying guidelines in this approach cover all of the principal protection issues, from physical and environmental measures to logical system access controls. Further to this, the work has encompassed the development of a new protection methodology by which establishments may determine their additional security requirements (by classifying aspects of their systems, environments and data). Both the guidelines and the methodology represent work submitted to the Commission of European Communities SEISMED (Secure Environment for Information Systems in MEDicine) project, with which the research programme was closely linked. The thesis also establishes that healthcare systems can present significant targets for both internal and external abuse, highlighting a requirement for improved logical controls. However, it is also shown that the issues of easy integration and convenience are of paramount importance if security is to be accepted and viable in practice. Unfortunately, many traditional methods do not offer these advantages, necessitating the need for a different approach. To this end, the conceptual design for a new intrusion monitoring system was developed, combining the key aspects of authentication and auditing into an advanced framework for real-time user supervision. A principal feature of the approach is the use of behaviour profiles, against which user activities may be continuously compared to determine potential system intrusions and anomalous events. The effectiveness of real-time monitoring was evaluated in an experimental study of keystroke analysis -a behavioural biometric technique that allows an assessment of user identity from their typing style. This technique was found to have significant potential for discriminating between impostors and legitimate users and was subsequently incorporated into a fully functional security system, which demonstrated further aspects of the conceptual design and showed how transparent supervision could be realised in practice. The thesis also examines how the intrusion monitoring concept may be integrated into a wider security architecture, allowing more comprehensive protection within both the local healthcare establishment and between remote domains.Commission of European Communities SEISMED proje