Techniques and Systems for Anomaly Detection in Database Systems

Part of the Lecture Notes in Computer Science book series (LNISA, volume 11550)

Abstract

Techniques for detecting anomalies in accesses to database systems have been widely investigated. Existing techniques operate in two main phases. The first phase is a training phase during which profiles of the database subjects are created from historical data representing past users' actions. New actions are then checked against these profiles to detect deviations from the expected normal behavior. Such deviations are considered indicators of possible attacks and may thus require further analysis. The existing techniques have considered different categories of features to describe users' actions and have followed different methodologies and algorithms to build access profiles and track users' behaviors. In this chapter, we review the prominent techniques and systems for anomaly detection in database systems. We discuss the attacks they help detect as well as their limitations and possible extensions. We also give directions on potential future research.
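The two-phase scheme the abstract describes, as an added example that is not code from the chapter: a training phase builds one profile per user from a constructed audit log of SQL statements, using syntax-centric features (the command keyword and the tables it touches), and a detection phase reports the features of a new action that the user's profile never saw. The log lines, user names and the feature choice are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed training log (user, SQL statement): stands in for the historical
# audit records of the training phase; not data from the chapter.
TRAINING_LOG = [
    ("alice", "SELECT id, total FROM orders WHERE id = 7"),
    ("alice", "SELECT name FROM customers c JOIN orders o ON c.id = o.cust_id"),
    ("alice", "UPDATE orders SET total = 10 WHERE id = 7"),
    ("bob", "SELECT * FROM products"),
    ("bob", "INSERT INTO products VALUES (1, 'x')"),
]

# Identifier following a table-introducing keyword. A deliberate simplification:
# a real profiler would walk the parse tree instead of pattern-matching text.
TABLE_KW = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def extract_features(sql):
    """Syntax-centric features of one action: {(COMMAND, table), ...}."""
    command = sql.strip().split()[0].upper()
    tables = {t.lower() for t in TABLE_KW.findall(sql)}
    return {(command, t) for t in tables}


def train(log):
    """Training phase: per-user profile = union of feature sets seen in the log."""
    profiles = defaultdict(set)
    for user, sql in log:
        profiles[user] |= extract_features(sql)
    return profiles


def check(profiles, user, sql):
    """Detection phase: features of this action absent from the user's profile.

    An empty set means the action matches past behavior; a non-empty set is the
    deviation an analyst would review (unknown user -> every feature deviates).
    """
    return extract_features(sql) - profiles.get(user, set())


if __name__ == "__main__":
    p = train(TRAINING_LOG)
    print(check(p, "alice", "SELECT total FROM orders"))   # set(): normal
    print(check(p, "alice", "SELECT * FROM salaries"))     # table never accessed
    print(check(p, "bob", "DELETE FROM products"))         # new command on known table
```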


Corresponding author

Correspondence to Elisa Bertino.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Sallam, A., Bertino, E. (2019). Techniques and Systems for Anomaly Detection in Database Systems. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science, vol 11550. Springer, Cham. https://doi.org/10.1007/978-3-030-17277-0_7

  • DOI: https://doi.org/10.1007/978-3-030-17277-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17276-3

  • Online ISBN: 978-3-030-17277-0
