6 research outputs found

    An anomaly analysis framework for database systems

    Anomaly detection systems are usually employed to monitor database activities in order to detect security incidents. These systems raise an alert when anomalous activities are detected. The raised alerts have to be analyzed to timely respond to the security incidents. Their analysis, however, is time-consuming and costly. This problem increases with the large number of alerts often raised by anomaly detection systems. To timely and effectively handle security incidents, alerts should be accompanied by information which allows the understanding of incidents and their context (e.g., root causes, attack type) and their prioritization (e.g., criticality level). Unfortunately, the current state of affairs regarding the information about alerts provided by existing anomaly detection systems is not very satisfactory. This work presents an anomaly analysis framework that facilitates the analysis of alerts raised by an anomaly detection system monitoring a database system. The framework provides an approach to assess the criticality of alerts with respect to the disclosure of sensitive information and a feature-based classification of alerts according to their associated type of attack. The framework has been deployed as a web-based alert audit tool that provides alert classification and risk-based ranking capabilities, significantly easing the analysis of alerts. We validate the classification and ranking approaches using synthetic data generated through an existing healthcare management system. Keywords: Anomaly detection; Data leakage; Risk assessment; Database attack classification; Alert visualizatio

    SAFAX: an extensible authorization service for cloud environments

    Cloud storage services have become increasingly popular in recent years. Users are often registered to multiple cloud storage services that suit different needs. However, the ad hoc manner in which data sharing between users is implemented leads to issues for these users. For instance, users are required to define different access control policies for each cloud service that they use and are responsible for synchronizing their policies across different cloud providers. Users do not have access to a uniform and expressive method to deal with authorization. Current authorization solutions cannot be applied as-is, since they cannot cope with challenges specific to cloud environments. In this paper, we analyze the challenges of data sharing in multi-cloud environments and propose SAFAX, an XACML-based authorization service designed to address these challenges. SAFAX’s architecture allows users to deploy their access control policies in a standard format, in a single location, and augment policy evaluation with information from user-selectable external trust services. We describe the architecture of SAFAX, a prototype implementation based on this architecture, illustrate the extensibility through external trust services and discuss the benefits of using SAFAX from both the user’s and cloud provider’s perspectives.

    An authorization service for collaborative situation awareness

    In international military coalitions, situation awareness is achieved by gathering critical intel from different authorities. Authorities want to retain control over their data, as they are sensitive by nature, and, thus, usually employ their own authorization solutions to regulate access to them. In this paper, we highlight that harmonizing authorization solutions at the coalition level raises many challenges. We demonstrate how we address authorization challenges in the context of a scenario defined by military experts using a prototype implementation of SAFAX, an XACML-based architectural framework tailored to the development of authorization services for distributed systems.

    The Prokaryotic Transposable Element Tn5
