DEMIDS: A Misuse Detection System for Database Systems

Abstract

Despite the necessity of protecting information stored in database systems (DBS), existing security models are insufficient to prevent misuse, especially insider abuse by legitimate users. Further, concepts for misuse detection in DBS have not been adequately addressed by existing research in misuse detection. Even though there are available means to guard the information stored in a database system against misuse, they are seldom used by security officers because security policies of the organization are either imprecise or not known at all.This paper presents a misuse detection system called DEMIDS which is tailored to relational database systems. DEMIDS uses audit logs to derive profiles that describe typical behavior of users working with the DBS. The profiles computed can be used to detect misuse behavior, in particular insider abuse. Furthermore, the profiles can serve as a valuable tool for security re-engineering of an organization by helping the security officers to define/refine security policies and to verify existing security policies, if there are any.Essential to the presented approach is that the access patterns of users typically form some working scopes which comprise sets of attributes that are usually referenced together with some values in queries. DEMIDS considers domain knowledge about the data structures and semantics encoded in a given database schema through the notion of distance measure. Distance measures are used to guide the search for frequent itemsets describing the working scopes of users. In DEMIDS such frequent itemsets are computed efficiently from audit logs using the data management and query processing features of the database management system.KeywordsDistance MeasureAssociation RuleDatabase SystemSecurity PolicyFrequent ItemsetsThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.