2016
DOI: 10.1002/widm.1195

Data and syntax centric anomaly detection for relational databases

Abstract: Recent studies show that insider attacks that aim at exfiltrating data are very common and that these attacks are performed according to specific patterns. Protecting against such threats requires complementing existing security techniques, such as access control and encryption, with tools able to detect anomalies in data accesses. In this paper, we present a technique specifically tailored for detecting anomalous database accesses. Our technique extracts users’ access patterns based on both the syntax of the …

Cited by 21 publications
(8 citation statements)
References 29 publications
“…Such a tailored IDS for DBMS is known as Database Intrusion Detection System (DIDS). The literature has shown that intrusion detection systems tailored to databases are effective in the detection of these malicious queries made by an insider [39,57,65,14]. The following sections of this paper review DIDS research and propose a taxonomy of IDS in the context of DBMS.…”
Section: Anomaly Detection In Systems
Citation type: mentioning
confidence: 99%
“…These features can be syntax-centric, context-centric, and data-centric, which is sometimes referred to as result-centric in the literature [39,65,57].…”
Section: Feature Classification
Citation type: mentioning
confidence: 99%
“…Abstraction is a tuple representation of an SQL query and consists of query features like relation name, attribute names, the amount of returned data, and any statistics on the returned data. One can categorize query features into syntax-centric, data (result)-centric and context-centric features (Mathew et al, 2010; Sallam et al, 2016). For our work, we originally considered a naïve abstraction where only the SQL command type (i.e., INSERT, SELECT, UPDATE) is selected to represent the original SQL query.…”
Section: Sql Query Abstraction
Citation type: mentioning
confidence: 99%
“…It is necessary to consider the audit logs of SQL queries at some level of abstraction, for example, in their use for anomaly-based intrusion detection systems to detect insider threats to an organization's DBMS (Lee et al, 2002; Low et al, 2002; Hussain et al, 2015; Kul et al, 2016; Sallam et al, 2016), where an insider is an employee of an organization with legitimate access privileges (Uno et al, 2004; Koh and Rountree, 2005). The use of abstraction, in practice, is considered since audit logs typically encompass a large number of queries.…”
Section: Pride—the Privacy Score Model
Citation type: mentioning
confidence: 99%