The VLDB Journal

, Volume 17, Issue 5, pp 1063–1077 | Cite as

Detecting anomalous access patterns in relational databases

  • Ashish Kamra
  • Evimaria Terzi
  • Elisa Bertino
Regular Paper


A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user population. In the second scenario, we assume that there are no roles associated with users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.


Anomaly detection Intrusion detection User profiles DBMS RBAC 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In Proceedings of the 28th International Conference on Very Large Data Bases (VLDB), pp.143–154. Morgan-Kaufmann, New York (2002)Google Scholar
  2. 2.
    Anton, A., Bertino, E., Li, N., Yu, T.: A roadmap for comprehensive online privacy policies. In: CERIAS Technical Report (2004)Google Scholar
  3. 3.
    Axelsson, S.: Intrusion detection systems: a survey and taxonomy. Technical Report 99–15, Chalmers Univ., (2000)Google Scholar
  4. 4.
    Bertino, E., Kamra, A., Terzi, E.: Intrusion detection in rbac-administered databases. In: Proceedings of the Applied Computer Security Applications Conference (ACSAC) (2005)Google Scholar
  5. 5.
    Bertino, E., Leggieri, T., Terzi, E.: Securing dbms: characterizing and detecting query floods. In: Proceedings of the International Security Conference (ISC) (2004)Google Scholar
  6. 6.
    Chung, C., Gertz, M., Levitt, K.: Demids: a misuse detection system for database systems. In: Integrity and Internal Control in Information Systems: Strategic Views on the Need for Control. IFIP TC11 WG11.5 Third Working Conference (2000)Google Scholar
  7. 7.
    Cooper G.F. (1990). The computational complexity of probabilistic inference using bayesian belief networks. Artif. Intell. 42(2–3): 393–405 zbMATHCrossRefGoogle Scholar
  8. 8.
    Domingos P. and Pazzani M.J. (1997). On the optimality of the simple bayesian classifier under zero-one loss. Mach. Learn. 29(2–3): 103–130 zbMATHCrossRefGoogle Scholar
  9. 9.
    Friedman N., Geiger D. and Goldszmidt M. (1997). Bayesian network classifiers. Mach. Learn. 29(2–3): 131–163 zbMATHCrossRefGoogle Scholar
  10. 10.
    Hilden J. (1984). Statistical diagnosis based on conditional independence does not require it. Comput. Biol. Med. 14(4): 429–435 CrossRefGoogle Scholar
  11. 11.
    Hochbaum D.S. and Shmoys DB. (1985). A best possible approximation algorithm for the k-center problem. Math. Oper. Res. 10: 180–184 zbMATHMathSciNetCrossRefGoogle Scholar
  12. 12.
    Hoglund, K.H.A., Sorvari, A.: A computer host-based user anomaly detection using the self-organizing map. In: Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks (IJCNN) (2000)Google Scholar
  13. 13.
    Hu, Y., Panda, B.: Identification of malicious transactions in database systems. In: Proceedings of the International Database Engineering and Applications Symposium (IDEAS) (2003)Google Scholar
  14. 14.
    Iglewicz B. and Hoaglin D.C. (1993). How to Detect and Handle Outliers. ASQC Quality Press, Milwaukee, Wisconsin Google Scholar
  15. 15.
    Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2003)Google Scholar
  16. 16.
    Lane T. and Brodley CE. (1999). Temporal sequence learning and data reduction for anomaly detection. ACM Trans. Inf. Syst. Secur. (TISSEC) 2(3): 295–331 CrossRefGoogle Scholar
  17. 17.
    Langley, P., Iba, W., Thompson, K.: An analysis of bayesian classifiers. In: National Conference on Artificial Intelligence pp.223–228 (1992)Google Scholar
  18. 18.
    Lee, S.Y., Low, W.L., Wong, P.Y. Learning fingerprints for a database intrusion detection system. In: ESORICS ’02: Proceedings of the 7th European Symposium on Research in Computer Security London. pp. 264–280, Springer-Heidelburg (2002)Google Scholar
  19. 19.
    Lee, V., Stankovic, J., Son, S.: Intrusion detection in real-time databases via time signatures. In: Proceedings of the IEEE Real-Time Technology and Applications Symposium (RTAS) (2000)Google Scholar
  20. 20.
    Liu, P.: Architectures for intrusion tolerant database systems. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC) (2002)Google Scholar
  21. 21.
    Lunt, T., Tamaru, A., Gilham, F., Jagannathan, R., Neumann, P., Javitz, H., Valdes, A., Garvey, T.: A real-time intrusion detection expert system (ides)—final technical report. Technical Report, Computer Science Laboratory, SRI International (1992)Google Scholar
  22. 22.
    Mitchell TM. (1997). Machine Learning. McGraw-Hill, Newyork zbMATHGoogle Scholar
  23. 23.
    Sandhu, R., Ferraiolo, D., Kuhn, R.: The nist model for role based access control: Towards a unified standard. In: Proceedings of the 5th ACM Workshop on Role Based Access Control (2000)Google Scholar
  24. 24.
    Spalka, A., Lehnhardt, J.: A comprehensive approach to anomaly detection in relational databases. In: DBSec, pp. 207–221 (2005)Google Scholar
  25. 25.
    Talpade, R., Kim, G., Khurana, S.: Nomad: traffic-based network monitoring framework for anomaly detection. In: Proceedings of the 4th IEEE Symposium on Computers and Communications (ISCC) (1998)Google Scholar
  26. 26.
    Valeur, F., Mutz, D., Vigna, G.: A learning-based approach to the detection of sql attacks. In: Proceedings of the International Conference on detection of intrusions and malware, and vulnerability assessment (DIMVA) (2003)Google Scholar
  27. 27.
    Wenhui, S., Tan, T.: A novel intrusion detection system model for securing web-based database systems. In: Proceedings of the 25th Annual International Computer Software and Applications Conference (COMPSAC) (2001)Google Scholar
  28. 28.
    Yao, Q., An, A., Huang, X. Finding and analyzing database user sessions. In: Proceedings of the 10th International Conference on Database Systems for Advanced Applications (DASFAA) (2005)Google Scholar

Copyright information

© Springer-Verlag 2007

Authors and Affiliations

  1. 1.Purdue University and CERIASWest LafayetteUSA
  2. 2.University of Helsinki and HIITHelsinkiFinland

Personalised recommendations