A Semantic Approach to Frequency Based Anomaly Detection of Insider Access in Database Management Systems

  • Muhammad Imran KhanEmail author
  • Barry O’Sullivan
  • Simon N. Foley
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10694)


Timely detection of an insider attack is prevalent among challenges in database security. Research on anomaly-based database intrusion detection systems has received significant attention because of its potential to detect zero-day insider attacks. Such approaches differ mainly in their construction of normative behavior of (insider) role/user. In this paper, a different perspective on the construction of normative behavior is presented, whereby normative behavior is captured instead from the perspective of the DBMS itself. Using techniques from Statistical Process Control, a model of DBMS-oriented normal behavior is described that can be used to detect frequency based anomalies in database access. The approach is evaluated using a synthetic dataset and we also demonstrate this DBMS-oriented profile can be transformed into the more traditional role-oriented profiles.


Anomaly detection Database intrusion detection Insider threats Cybersecurity 



This work was supported by Science Foundation Ireland under grant SFI/12/RC/2289.


  1. 1.
    2015 cost of cyber crime: global. Technical report, Ponemon Institute (2015)Google Scholar
  2. 2.
    Grand Theft Data. Data exfiltration study: actors, tactics, and detection. Technical report, Intel Security and McAfee (2015)Google Scholar
  3. 3.
    Insider threat report: insider threat security statistics, vormetric. Technical report, Vormetric (2015)Google Scholar
  4. 4.
    2016 data breach investigations report. Technical report, Verizon (2016)Google Scholar
  5. 5.
    Carr, J.: Breach of britney spears patient data reported, SC magazine for IT security professionals (2008).
  6. 6.
    Costante, E., den Hartog, J., Petkovic, M., Etalle, S., Pechenizkiy, M.: A white-box anomaly-based framework for database leakage detection. J. Inf. Secur. Appl. 32, 27–46 (2017). Google Scholar
  7. 7.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings 1996 IEEE Symposium on Security and Privacy, pp. 120–128, May 1996Google Scholar
  8. 8.
    Hussain, S.R., Sallam, A.M., Bertino, E.: Detanom: detecting anomalous database transactions by insiders. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015, pp. 25–35. ACM, New York (2015).
  9. 9.
    Kamra, A., Bertino, E., Nehme, R.: Responding to anomalous database requests. In: Jonker, W., Petković, M. (eds.) SDM 2008. LNCS, vol. 5159, pp. 50–66. Springer, Heidelberg (2008). CrossRefGoogle Scholar
  10. 10.
    Kemmerer, R.A., Vigna, G.: Intrusion detection: a brief history and overview. Computer 35(4), 27–30 (2002)CrossRefGoogle Scholar
  11. 11.
    Khan, M.I., Foley, S.N.: Detecting anomalous behavior in DBMS logs. In: Cuppens, F., Cuppens, N., Lanet, J.-L., Legay, A. (eds.) CRiSIS 2016. LNCS, vol. 10158, pp. 147–152. Springer, Cham (2017). CrossRefGoogle Scholar
  12. 12.
    Lee, S.Y., Low, W.L., Wong, P.Y.: Learning fingerprints for a database intrusion detection system. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 264–279. Springer, Heidelberg (2002). CrossRefGoogle Scholar
  13. 13.
    Mathew, S., Petropoulos, M., Ngo, H.Q., Upadhyaya, S.: A data-centric approach to insider attack detection in database systems. In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 382–401. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  14. 14.
    Oakland, J.S.: Statistical Process Control, 6th edn. Routledge, London (2011)Google Scholar
  15. 15.
    Pieczul, O., Foley, S.N.: Runtime detection of zero-day vulnerability exploits in contemporary software systems. In: Ranise, S., Swarup, V. (eds.) DBSec 2016. LNCS, vol. 9766, pp. 347–363. Springer, Cham (2016). CrossRefGoogle Scholar
  16. 16.
    Report C: 27 suspended for Clooney file peek (2007).
  17. 17.
    Sallam, A., Fadolalkarim, D., Bertino, E., Xiao, Q.: Data and syntax centric anomaly detection for relational databases. Wiley Interdisc. Rev. Data Mining Knowl. Discov. 6(6), 231–239 (2016). CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Muhammad Imran Khan
    • 1
    Email author
  • Barry O’Sullivan
    • 1
  • Simon N. Foley
    • 2
  1. 1.Insight Centre for Data Analytics, Department of Computer ScienceUniversity College CorkCorkIreland
  2. 2.IMT Atlantique, LabSTICCUniversité Bretagne LoireRennesFrance

Personalised recommendations