A-PANDDE: Advanced Provenance-based ANomaly Detection of Data Exfiltration

Abstract

Insider threats are a serious problem that could be more damaging than outsiders’ attacks. The reason is that insiders are users who have legitimate access to the data. A database management system (DBMS) access control mechanism is unable to prevent misuse of the data to which the user is authorized to access. Many mechanisms were proposed to detect insiders’ attempts to misuse or steal data at the database level and application level. However, these mechanisms are unable to detect users’ attempts to exfiltrate the data if they store the data into files on their machines. Hence, we need a mechanism that is able to detect suspicious activities resulting from the insiders at the operating system level. As an initial step in this direction, we propose an anomaly detection system that monitors insiders’ actions on data outside the database. To be more precise, our system tracks file system access operations (e.g., read, write, and open to print) on data piped from the database to files. Our approach captures syntactic features of SQL queries that users submit to the DBMS to retrieve data from the database (e.g., select commands). It does that by recording the tables’ object identifiers. Also, the system collects some data features like the tables’ selectivities to profile the amount of data that is being accessed by the user. Furthermore, the system tracks frequencies of users’ actions on files that contain data from the database. The collected information is then used to build profiles of users’ activities. Such profiles are later used to indicate normal and abnormal users’ actions. Experimental results show that our technique is close to accurate, and the detection mechanism incurs low overhead.