Result-Based Detection of Insider Threats to Relational Databases

Abstract

Insiders misuse of resources is a real threat to organizations. According to recent security reports, data has been the most vulnerable to attacks by insiders, especially data located in databases and corporate file servers. Although anomaly detection is an effective technique for flagging early signs of insider attacks, modern techniques for the detection of anomalies in database access are not able to detect several sophisticated data misuse scenarios such as attempts to track data updates and the aggregation of data by an insider that exceeds his/her need to perform job functions. In such scenarios, if the insider does not have prior knowledge of the distribution of the target data, many of his/her queries may extract no data or small amounts of data. Therefore, monitoring the total size of data retrieved by each user and comparing it to normal levels will either result in low anomaly detection accuracy or long time to anomaly detection. In this paper, we propose anomaly detection techniques designed to detect data aggregation and attempts to track data updates. Our techniques infer the normal rates of tables references and tuples retrievals from past database access logs. User queries are then analyzed to detect queries that lead to exceeding the normal data access rates. We evaluated the proposed techniques on the query logs of a real database. The results of the evaluation indicate that when the system configuration parameters are adequately selected and sufficient data is available for training, our techniques have low false alarm generation rate and high anomaly detection accuracy.