Abstract

One of the challenges in database security is timely detection of an insider attack. This gets more challenging in the case of sophisticated or expert insiders. Behavioral-based techniques have shown promising results in detecting insider attacks. Most of the behavioral-based techniques consider a query in isolation in order to model an insider's normative behavior, thus only detecting malicious behavior that is limited to a single query. A recently proposed approach considers sequences of queries to model an insider's normative behavior by using n-grams that capture short-term correlations in an application [1]. However, behavioral-based approaches, including the n-gram approach, are vulnerable to mimicry attacks whereby a sophisticated inside attacker can craft a sequence of statements to mimic normal behavior as a set of legitimate transactions. Thus, a mechanism to detect this type of mimicry attack is desirable. In this paper, we first demonstrate an example mimicry attack on an n-gram based approach and then propose a behavioral-based technique that facilitates its detection. The proposed technique complements existing behavioral-based approaches, including the n-gram approach, and it can be deployed independently. Experiments are presented whereby a query-analytics model is used to construct normative behavior from query logs of a synthetic banking application system. Initial results indicate that the proposed model to construct normative behavior is effective in detecting insider attacks conforming to a demonstrated mimicry attack.
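The n-gram idea and the limitation the abstract names can be seen in a small added example, which is not code from the paper: a normative profile is the set of statement n-grams seen in training sessions, and a session is scored by the n-grams it contains that the profile lacks. The statement labels, the sample sessions and the choice of n = 3 are assumptions constructed for illustration.

```python
# Constructed sample data: each query is abstracted to a statement label
# (an assumption; the paper's own query abstraction is not given here).
SC, SA, UA, IT = ("SELECT_customer", "SELECT_account",
                  "UPDATE_account", "INSERT_transfer")

NORMAL_SESSIONS = [
    [SC, SA, UA, UA, IT],              # look up customer, one transfer
    [SC, SA, SA],                      # look up customer, two balance checks
    [SA, UA, UA, IT, SA, UA, UA, IT],  # two transfers back to back
]


def ngrams(seq, n):
    """All contiguous n-grams of a statement sequence, in order."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def build_profile(sessions, n):
    """Normative profile: the set of n-grams seen in training sessions."""
    return {g for s in sessions for g in ngrams(s, n)}


def mismatches(session, profile, n):
    """n-grams of a session that never occurred in the profile."""
    return [g for g in ngrams(session, n) if g not in profile]


N = 3
PROFILE = build_profile(NORMAL_SESSIONS, N)

# An update with no preceding account lookup: the short-term order is
# wrong, so the session contains a trigram the profile has never seen.
OUT_OF_ORDER = [SC, UA, IT]

# A session whose every trigram is in the profile. The model only sees
# windows of N statements, so the unusually long run of transfers is
# invisible to it and the session scores zero mismatches.
ALL_IN_PROFILE = [SC, SA] + [UA, UA, IT, SA] * 5

if __name__ == "__main__":
    for name, s in (("out_of_order", OUT_OF_ORDER),
                    ("all_in_profile", ALL_IN_PROFILE)):
        print(name, len(mismatches(s, PROFILE, N)), "unseen n-grams")
```

A zero-mismatch score therefore shows only that each short window looks familiar, which is why the abstract argues for a complementary model alongside the n-gram profile.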
