Monitoring DBMS activity to detect insider threat using query selectivity
The objective of the research presented in this thesis is to evaluate the importance of query selectivity for monitoring DBMS activity and detecting insider threats. We propose query selectivity as an additional component to an existing anomaly detection system (ADS). We first look at the advantages of working with this particular ADS. This is followed by a discussion of some existing limitations in the anomaly detection system (ADS) and how they affect its overall performance. We look at what query selectivity is and how it can help improve upon the existing limitations of the ADS. The system is then implemented in Java on top of the existing query parser used by the AD mechanism, which is itself written in Java. Towards the end, we look at how our version of the anomaly detection mechanism using query selectivity fares against a relational database management system (RDBMS) query optimizer. With high-accuracy results that closely match the results produced by the underlying query optimizer, we provide a proof of concept (PoC) for adding query selectivity to the existing AD mechanism. We conclude that a tool to analyze SQL and evaluate query selectivity is required to make the anomaly detection mechanism more maintainable and self-sustained.
Database Intrusion Detection Using Role Profiling
Insider threats cause the majority of computer system security problems and are also among the most challenging research topics in database security. An anomaly-based intrusion detection system (IDS), which can profile inside users' normal behaviors and detect anomalies when a user's behaviors deviate from his/her profiles, is effective in protecting computer systems against insider threats, since the IDS can profile each insider and then monitor them continuously. Although many IDSes have been developed at the network or host level since the 1980s, there are still very few IDSes specifically tailored to database systems. We initially build our anomaly-based database IDS using two different profiling methods: one is to build profiles for each individual user (user profiling) and the other is to mine profiles for roles (role profiling). Detailed comparative evaluations between role profiling and user profiling are conducted, and we also analyze the reasons why role profiling is more effective and efficient than user profiling. Another contribution of this thesis is that we introduce role hierarchy into database IDS and remarkably reduce the false positive rate without increasing the false negative rate.
On the detection of privacy and security anomalies
Data analytics over generated personal data has the potential to derive meaningful insights to enable clarity of trends and predictions, for instance, disease outbreak prediction, as well as allowing data-driven decision making for contemporary organisations. Predominantly, the collected personal data is managed, stored, and accessed using a Database Management System (DBMS) by insiders, i.e. employees of an organisation. One of the data security and privacy concerns is insider threats, where legitimate users of the system abuse the access privileges they hold. Insider threats come in two flavours: one is an insider threat to data security (security attacks), and the other is an insider threat to data privacy (privacy attacks). The insider threat to data security means that an insider steals or leaks sensitive personal information. The insider threat to data privacy is when the insider maliciously accesses information, resulting in the violation of an individual's privacy, for instance, browsing through customers' bank account balances or attempting to narrow down and re-identify the individual who has the highest salary. Much past work has been done on detecting security attacks by insiders using behavioural-based anomaly detection approaches. This dissertation looks at to what extent these kinds of techniques can be used to detect privacy attacks by insiders. The dissertation proposes approaches for modelling insider querying behaviour by considering sequence- and frequency-based correlations in order to identify anomalous correlations between SQL queries in the querying behaviour of a malicious insider. A behavioural-based anomaly detection using an n-gram-based approach is proposed that considers sequences of SQL queries to model querying behaviour. The results demonstrate the effectiveness of detecting malicious insiders' accesses to the DBMS as anomalies, based on query correlations. This dissertation looks at the modelling of normative behaviour from a DBMS perspective and proposes a record/DBMS-oriented approach by considering frequency-based correlations to detect potentially malicious insiders' accesses as anomalies. Additionally, the dissertation investigates modelling of malicious insider SQL querying behaviour as rare behaviour by considering sequence- and frequency-based correlations using (frequent and rare) item-set mining.

This dissertation proposes the notion of 'Privacy-Anomaly Detection' and considers the question of whether behavioural-based anomaly detection approaches can have a privacy semantic interpretation and whether the detected anomalies can be related to the conventional (formal) definitions of privacy semantics such as k-anonymity and the discrimination rate privacy metric. The dissertation considers privacy attacks (violations of a formal privacy definition) based on a sequence of SQL queries (query correlations). It is shown that interactive querying settings are vulnerable to privacy attacks based on query correlation. Whether these types of privacy attacks can potentially manifest themselves as anomalies, specifically as privacy-anomalies, is investigated. One result is that privacy attacks (violations of a formal privacy definition) can be detected as privacy-anomalies by applying behavioural-based anomaly detection using n-grams over the logs of interactive querying mechanisms.
Database Intrusion Detection: Defending Against the Insider Threat
Not only are databases an integral and critical part of many information systems, they are critical information assets to many business enterprises. However, the network and host intrusion detection systems most enterprises use to detect attacks against their information systems cannot detect transaction-level attacks against databases. Transaction-level attacks often come from authorized users in the form of inference, query flood, or other anomalous query attacks. Insider attacks are not only growing in frequency, but remain significantly more damaging to businesses than external attacks. This paper proposes a database intrusion detection model to detect and respond to transaction-level attacks from authorized database users.
Raccoon: Automated Verification of Guarded Race Conditions in Web Applications
Web applications are distributed, asynchronous applications that can span multiple concurrent processes. They are intended to be used by a large number of users at the same time. As concurrent applications, web applications have to account for race conditions that may occur when database access happens concurrently. Unlike vulnerability classes such as XSS or SQL injection, DBMS-based race condition flaws have received little attention even though their impact is potentially severe. In this paper, we present Raccoon, an automated approach to detect and verify race condition vulnerabilities in web applications. Raccoon identifies potential race conditions through interleaving execution of user traces while tightly monitoring the resulting database activity. Based on our methodology we create a proof-of-concept implementation. We test four different web applications and ten use cases and discover six race conditions with security implications. Raccoon requires neither security expertise nor knowledge about implementation or database layout, while only reporting vulnerabilities for which the tool was able to successfully replicate a practical attack. Thus, Raccoon complements previous approaches that did not verify detected possible vulnerabilities.