Simulating User Activity for Assessing Effect of Sampling on DB Activity Monitoring Anomaly Detection

Part of the Lecture Notes in Computer Science book series (LNISA, volume 11550)


Monitoring database activity is useful for identifying and preventing data breaches. Such database activity monitoring (DAM) systems use anomaly detection algorithms to alert security officers to possible infractions. However, the sheer number of transactions makes it impossible to track each transaction. Instead, solutions use manually crafted policies to decide which transactions to monitor and log. Creating a smart data-driven policy for monitoring transactions requires moving beyond manual policies. In this paper, we describe a novel simulation method for user activity. We introduce events of change in the user transaction profile and assess the impact of sampling on the anomaly detection algorithm. We found that looking for anomalies in a fixed subset of the data using a static policy misses most of these events since low-risk users are ignored. A Bayesian sampling policy identified 67% of the anomalies while sampling only 10% of the data, compared to a baseline of using all of the data.

Author information

Corresponding author: Correspondence to Hagit Grushka-Cohen.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Grushka-Cohen, H., Biller, O., Sofer, O., Rokach, L., Shapira, B. (2019). Simulating User Activity for Assessing Effect of Sampling on DB Activity Monitoring Anomaly Detection. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science, vol 11550. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17276-3

  • Online ISBN: 978-3-030-17277-0

  • eBook Packages: Computer Science (R0)