Database Intrusion Detection Using Role Profiling

Insider threats cause the majority of computer system security problems and are also among the most challenging research topics in database security. An anomaly-based intrusion detection system (IDS), which can profile inside users’ normal behaviors and detect anomalies when a user’s behaviors deviate from his/her profiles, is effective to protect computer systems against insider threats since the IDS can profile each insider and then monitor them continuously. Although many IDSes have been developed at the network or host level since 1980s, there are still very few IDSes specifically tailored to database systems. We initially build our anomaly-based database IDS using two different profiling methods: one is to build profiles for each individual user (user profiling) and the other is to mine profiles for roles (role profiling). Detailed comparative evaluations between role profiling and user profiling are conducted, and we also analyze the reasons why role profiling is more effective and efficient than user profiling. Another contribution of this thesis is that we introduce role hierarchy into database IDS and remarkably reduce the false positive rate without increasing the false negative rate

A Review of Security Mechanisms for Detection of Malicious Transactions in Database

Insider attacks formed the biggest threaten against database management systems. There are many mechanisms have been developed to detect and prevent the insider attacks called Detection of Malicious Activities in Database Systems DEMIDS. The DEMIDS consider as one of the last defenses mechanism of the database security system. There are many mechanisms that have been developed to detect and prevent the misuse activities like delete, and update data on the database systems. These mechanisms utilize auditing and profiling methods to detect and prevent the malicious activities. However these mechanisms still have problems to detect the misuse activities such as limit to detect the malicious data on authorized commands. This study will address these problems by propose a mechanism that utilizes dependency relationship among items to detect and prevent the malicious data by calculate a number of relations among data items. If the number of relations among items is not allowed any modification or deletion then the mechanism will detect activity as malicious activity. The evaluation parameters such as detect, false positive and false negative rate use to evaluate the accuracy of proposed mechanism

An Access Control Model for Web Databases

International audienceThe majority of today's web-based applications are based on back-end databases to process and store business information. Containing valuable business information, these systems are highly interesting to attackers and special care needs to be taken to prevent them from malicious accesses. In this paper, we propose (RBAC + ), an extension of the NIST RBAC (Role-Based Access Control) standard with the notions of application, application profile and sub-application session to distinguish end users that execute the same application, providing them by only the needed roles and continuously monitoring them throughout a whole session. It is based on business application logic rather than primitive reads and writes to enhance the ability of detecting malicious transactions. Hence, attacks caused by malicious transactions can be detected and canceled timely before they succeed

Monitoring DBMS activity to detect insider threat using query selectivity

The objective of the research presented in this thesis is to evaluate the importance of query selectivity for monitoring DBMS activity and detect insider threat. We propose query selectivity as an additional component to an existing anomaly detection system (ADS). We first look at the advantages of working with this particular ADS. This is followed by a discussion about some existing limitations in the anomaly detection system (ADS) and how it affects its overall performance. We look at what query selectivity is and how it can help improve upon the existing limitations of the ADS. The system is then implemented using Java on top of the existing query parser used by the AD mechanism which in itself is written in Java. Towards the end, we look at how our version of the anomaly detection mechanism using query selectivity fares against a Relational database management system (RDBMS) query optimizer. With high accuracy results that closely match the results produced by the underlying query optimizer, we provide some proof of concept (PoC) for adding query selectivity to the existing AD mechanism. We conclude that a tool to analyze SQL and evaluate query selectivity is required to make the anomaly detection mechanism more maintainable and self-sustained