A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems
Timely detection of insider attacks is a prevalent challenge in database security. Anomaly-based database intrusion detection systems have received significant research attention because of their potential to detect zero-day insider attacks. Such approaches differ mainly in how they construct the normative behavior of an (insider) role or user. In this paper, a different perspective on the construction of normative behavior is presented, whereby normative behavior is captured instead from the perspective of the DBMS itself. Using techniques from Statistical Process Control, a model of DBMS-oriented normal behavior is described that can be used to detect frequency-based anomalies in database access. The approach is evaluated using a synthetic dataset, and we also demonstrate that this DBMS-oriented profile can be transformed into the more traditional role-oriented profiles.
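The abstract describes the idea of a DBMS-oriented profile checked with Statistical Process Control, but not the arithmetic behind it. The following is an added example, not code from the paper or its authors: it builds a Shewhart-style control chart (mean plus or minus three sample standard deviations) over per-window access counts for each table, aggregated over all users, flags a window whose count falls outside those limits, and then re-slices the flagged table's events by role to help attribute the spike. The baseline counts, the current-window events, the table-level granularity and the three-sigma limits are all assumptions constructed for the illustration; how the paper itself derives role-oriented profiles from the DBMS-oriented one is not shown here.

```python
from collections import Counter
from statistics import mean, stdev

# Constructed baseline (not data from the paper): number of accesses to each
# table in ten equal-length observation windows, aggregated over all users.
# This is the DBMS-oriented view: the profile belongs to the table, not to a
# role or user.
BASELINE_COUNTS = {
    "patients": [12, 14, 13, 11, 15, 13, 12, 14, 13, 13],
    "invoices": [5, 6, 5, 4, 5, 6, 5, 5, 4, 5],
}

# Constructed current window: one (role, table) pair per access event.
# 28 of the 40 hits on "patients" come from a single role; that is the
# frequency spike the chart should catch.
CURRENT_WINDOW = (
    [("nurse", "patients")] * 28
    + [("clerk", "patients")] * 12
    + [("clerk", "invoices")] * 6
)


def control_limits(samples, k=3.0):
    """Shewhart-style limits (lcl, centre, ucl) from in-control baseline counts.

    centre is the baseline mean; the limits sit k sample standard deviations
    either side of it (k=3 is the conventional choice).  A constant baseline
    has zero spread, so any deviation from it is then out of control.
    """
    if len(samples) < 2:
        raise ValueError("need at least two baseline windows")
    centre = mean(samples)
    spread = stdev(samples)
    # Counts cannot be negative, so clamp the lower limit at zero.
    return (max(0.0, centre - k * spread), centre, centre + k * spread)


def build_profile(baseline, k=3.0):
    """Map each table to its control limits."""
    return {table: control_limits(counts, k) for table, counts in baseline.items()}


def window_counts(events):
    """Per-table access counts for one window (the DBMS-oriented statistic)."""
    return Counter(table for _role, table in events)


def detect(profile, events):
    """Classify each table's count in the window against its control limits.

    Returns {table: (count, status)} with status one of
    'above', 'below', 'normal' or 'unprofiled' (table absent from baseline).
    """
    result = {}
    for table, count in window_counts(events).items():
        if table not in profile:
            result[table] = (count, "unprofiled")
            continue
        lcl, _centre, ucl = profile[table]
        if count > ucl:
            status = "above"
        elif count < lcl:
            status = "below"
        else:
            status = "normal"
        result[table] = (count, status)
    return result


def role_breakdown(events, table):
    """Split one table's accesses by role, to attribute a flagged window.

    This re-slices the same events into a role-oriented view for triage;
    it is an assumption of this example, not the paper's transformation.
    """
    return Counter(role for role, t in events if t == table)


if __name__ == "__main__":
    profile = build_profile(BASELINE_COUNTS)
    for table, (count, status) in detect(profile, CURRENT_WINDOW).items():
        lcl, centre, ucl = profile[table]
        print(f"{table}: {count} accesses, limits [{lcl:.1f}, {ucl:.1f}] -> {status}")
        if status != "normal":
            print("  by role:", dict(role_breakdown(CURRENT_WINDOW, table)))
```

With the constructed baseline the "patients" table has a centre of 13 and an upper limit of about 16.5, so the 40 accesses in the current window are flagged while the 6 accesses to "invoices" stay inside its limits. Tables that never appeared in the baseline are reported as unprofiled rather than silently treated as normal, since a first access to a previously untouched table is itself worth a look.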
Keywords: Anomaly detection, Database intrusion detection, Insider threats, Cybersecurity
This work was supported by Science Foundation Ireland under grant SFI/12/RC/2289.