A Bayesian model for anomaly detection in SQL databases for security systems

Abstract

We focus on automatic anomaly detection in SQL databases for security systems.

Many logs of database systems, here the Townhall database, contain detailed information about users, such as the SQL queries they issue and the responses of the database.

A database is treated as a list of log instances, where each log instance is a Cartesian product of feature values with an attached anomaly score. All log instances with an anomaly score in the top percentile are identified as anomalous. Our contribution is several-fold. We define a model for anomaly detection in SQL databases that learns the structure of Bayesian networks from data. Our method for automatic feature extraction generates the maximal spanning tree to detect the strongest similarities between features. Novel anomaly scores based on the joint probability distribution of the database features and on the log-likelihood of the maximal spanning tree detect both point and contextual anomalies. Multiple anomaly scores are combined within a robust anomaly analysis algorithm. We validate our method on the Townhall database, showing the performance of our anomaly detection algorithm.
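As an added illustration of the pipeline the abstract describes (not the paper's code or data), the following Python fits a Chow-Liu tree, the maximal spanning tree over pairwise mutual information of log features, scores every record by its empirical joint probability plus its log-likelihood under the tree, and flags the top percentile. The feature names, the log records and the choice to combine the two scores by summing are constructed assumptions; the one DELETE record is a rare verb appearing in a context (app user, many rows) the tree has never seen together.

```python
import math
from collections import Counter
from itertools import combinations

FEATURES = ("user", "verb", "table", "rows")
# Constructed audit log (not the Townhall data): db user, SQL verb, table, rows-affected bucket.
LOGS = ([("app", "SELECT", "permits", "few")] * 5
        + [("app", "SELECT", "residents", "few")] * 3
        + [("app", "UPDATE", "permits", "few")] * 2
        + [("batch", "SELECT", "permits", "many")] * 2
        + [("batch", "SELECT", "residents", "many")] * 3
        + [("app", "DELETE", "residents", "many")])     # the contextual anomaly

def mutual_information(logs, i, j):
    """Empirical I(X_i; X_j) in nats, from value counts in the log."""
    n, ci, cj = len(logs), Counter(r[i] for r in logs), Counter(r[j] for r in logs)
    cij = Counter((r[i], r[j]) for r in logs)
    return sum(c / n * math.log(n * c / (ci[a] * cj[b])) for (a, b), c in cij.items())

def maximal_spanning_tree(logs):
    """Kruskal over pairwise MI (Chow-Liu): the k-1 strongest feature dependencies as (i, j) edges."""
    k = len(FEATURES)
    comp, tree = list(range(k)), []
    weighted = sorted((mutual_information(logs, i, j), i, j) for i, j in combinations(range(k), 2))
    for _, i, j in reversed(weighted):              # strongest dependency first
        if comp[i] != comp[j]:                      # skip an edge that would close a cycle
            tree.append((i, j))
            comp = [comp[i] if c == comp[j] else c for c in comp]
    return tree

def tree_log_likelihood(logs, tree, rec):
    """log P_T(rec) = sum_v log P(x_v) + sum_(u,v) in tree log [P(x_u, x_v) / (P(x_u) P(x_v))]."""
    n = len(logs)
    marg = [sum(r[v] == rec[v] for r in logs) / n for v in range(len(FEATURES))]
    ll = sum(math.log(m) for m in marg)
    for u, v in tree:
        pair = sum(r[u] == rec[u] and r[v] == rec[v] for r in logs) / n
        ll += math.log(pair / (marg[u] * marg[v]))
    return ll

def anomaly_scores(logs):
    """Point score -log P(rec) from the empirical joint plus contextual score -log P_T(rec) from the tree; higher is more anomalous."""
    tree, joint = maximal_spanning_tree(logs), Counter(logs)
    return [-math.log(joint[r] / len(logs)) - tree_log_likelihood(logs, tree, r) for r in logs]

def flag_top_percentile(logs, fraction=0.05):
    """Indices of the records whose combined score lies in the top `fraction` of all records."""
    scores = anomaly_scores(logs)
    k = max(1, math.ceil(fraction * len(logs)))
    return sorted(range(len(logs)), key=lambda i: -scores[i])[:k]
```

On this log the tree links user-rows, verb-table and verb-rows, and the DELETE record is the only one flagged: its tree likelihood is 1/96 even though each of its values on its own is not unique to it.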
