A hybrid approach for database intrusion detection at transaction and inter-transaction levels

Document Type: ORIGINAL RESEARCH PAPER

Abstract

Information plays an important role in organizations, and sensitive information is often stored in databases. Traditional mechanisms such as encryption, access control, and authentication cannot provide a high level of confidence. Therefore, intrusion detection systems are necessary for databases. In this paper, we propose an intrusion detection system for detecting attacks at both the database transaction level and the inter-transaction level (user task level). At the transaction level, we propose a detection method based on describing the expected transactions within the database applications. At the inter-transaction level, we propose a detection method that is based on anomaly detection and uses data mining to find dependency and sequence rules. The main advantage of this system over previous database intrusion detection systems is that it can detect malicious behavior at both the transaction and inter-transaction levels. It also gains the advantages of a hybrid method, combining specification-based detection and anomaly detection, to minimize both false positive and false negative alarms. Several experiments were conducted to evaluate the accuracy of the proposed system. The results demonstrate that the true positive rate (recall metric) is higher than 80% and the false positive rate is lower than 10% across different data sets when appropriate ranges are chosen for the support and confidence thresholds. The experimental evaluation shows the high accuracy and effectiveness of the proposed system.
