With the increasing complexity and dynamics of database systems, it becomes more and more difficult for administrative personnel to identify, specify and enforce security policies that guard against the misuse of data. Often, security policies are unknown, too imprecise, or have simply been disabled because of changing requirements.
Recently, several proposals have been made to use data mining techniques to discover profiles and anomalous user behavior from audit logs. These approaches, however, are often too fine-grained: they compute too many rules to be useful to an administrator who has to implement appropriate security enforcing mechanisms.
In this paper we present a novel approach to discover security policies from audit logs. The approach is based on using multiple concept hierarchies that specify properties of objects and data at different levels of abstraction and thus can embed useful domain knowledge. A profiler, attached to the information system’s auditing component, utilizes such concept hierarchies to compute profiles at different levels of granularity, guided by the administrator through the specification of an interestingness measure. The computed profiles can be translated into security policies and existing policies can be verified against the profiles.
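The following is an added illustration of the idea described above, not code from the paper: audit records are generalised along per-attribute concept hierarchies, profiles are computed at a chosen abstraction level with plain support as the interestingness measure, and an existing policy is checked against the log. The audit records, the hierarchies and the policy are all constructed for the example.

```python
from collections import Counter

# Constructed sample audit records: (user, table, operation). Not taken from the paper.
AUDIT_LOG = [
    ("alice", "salary", "select"), ("alice", "salary", "select"),
    ("alice", "payroll", "select"), ("bob", "payroll", "select"),
    ("bob", "salary", "update"), ("carol", "orders", "insert"),
    ("carol", "orders", "insert"), ("carol", "customers", "select"),
    ("dave", "orders", "select"), ("dave", "salary", "select"),
]

# Assumed concept hierarchies, one per attribute: child -> parent (roots have no entry).
HIERARCHIES = {
    "user": {"alice": "hr_staff", "bob": "hr_staff", "carol": "sales_staff",
             "dave": "sales_staff", "hr_staff": "employee", "sales_staff": "employee"},
    "table": {"salary": "hr_data", "payroll": "hr_data", "orders": "sales_data",
              "customers": "sales_data", "hr_data": "any_table", "sales_data": "any_table"},
    "op": {"select": "read", "insert": "write", "update": "write",
           "read": "any_op", "write": "any_op"},
}
ATTRS = ("user", "table", "op")

def generalize(value, hierarchy, level):
    """Climb `level` steps up the concept hierarchy, stopping at the root."""
    for _ in range(level):
        if value not in hierarchy:
            break
        value = hierarchy[value]
    return value

def abstract_record(record, levels):
    """Generalise each attribute of one audit record to its chosen level."""
    return tuple(generalize(v, HIERARCHIES[a], levels[a]) for a, v in zip(ATTRS, record))

def profile(log, levels, min_support):
    """Profile at one granularity: generalised patterns whose relative frequency
    reaches min_support (support is the interestingness measure used here)."""
    counts = Counter(abstract_record(rec, levels) for rec in log)
    n = len(log)
    return {pat: c / n for pat, c in counts.items() if c / n >= min_support}

def violations(log, policy, levels):
    """Audit records whose generalised form is not covered by a policy
    given as a set of allowed generalised patterns."""
    return [rec for rec in log if abstract_record(rec, levels) not in policy]

# Constructed policy at the middle abstraction level: staff touch only their own data.
LEVEL1 = {"user": 1, "table": 1, "op": 1}
POLICY = {("hr_staff", "hr_data", "read"), ("hr_staff", "hr_data", "write"),
          ("sales_staff", "sales_data", "read"), ("sales_staff", "sales_data", "write")}
```

At level 0 every record is its own rule, while one step up the hierarchies the same log collapses to a handful of patterns and the single record not covered by the policy stands out.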