Journal of Intelligent Information Systems

, Volume 42, Issue 3, pp 619–644 | Cite as

Detecting intrusion transactions in database systems:a novel approach

  • Mina Sohrabi
  • Mohammad M. Javidi
  • Sattar Hashemi


The security of computers and their networks is of crucial concern in the world today. One mechanism to safeguard information stored in database systems is an Intrusion Detection System (IDS). The purpose of intrusion detection in database systems is to detect malicious transactions that corrupt data. Recently researchers are working on using data mining techniques for detecting such malicious transactions in database systems. Their approach concentrates on mining data dependencies among data items. However, the transactions not compliant with these data dependencies are identified as malicious transactions. Algorithms that these approaches use for designing their data dependency miner have limitations. For instance, they need to experimentally determine appropriate settings for minimum support and related constraints, which does not necessarily lead to strong data dependencies. In this paper we propose a new data mining algorithm, called the Optimal Data Access Dependency Rule Mining (ODADRM), for designing a data dependency miner for our database IDS. ODADRM is an extension of k-optimal rule discovery algorithm, which has been improved to be suitable in database intrusion detection domain. ODADRM avoids many limitations of previous data dependency miner algorithms. As a result, our approach is able to track normal transactions and detect malicious ones more effectively than existing approaches.


Intrusion detection Malicious transactions Data mining Data dependency K-optimal rule discovery 


  1. Agrawal, R., & Srikant, R. (1994). Fast algorithms for mining association rules. In Proceedings of the 20th international conference on very large databases (pp. 487–499). Santiago.Google Scholar
  2. Agrawal, R., & Srikant, R. (1995). Mining sequential patterns. In Proceedings of the 1995 international conference data engineering (pp. 3-14). Taipei.Google Scholar
  3. Agrawal, R., Imielinski, T., Swami, A. (1993). Mining association rules between sets of items in large databases. In Proceedings of the ACM SIGMOD conference on management of data (pp. 207–216). Washington.Google Scholar
  4. Barbara, D., Goel, R., Jajodia, S. (2002). Mining malicious data corruption with Hidden Markov Models. In Proceedings of the 16th annual IFIP WG 11.3 working conference on data and application security. Cambridge.Google Scholar
  5. Barbara, D., Couto, J., Jajodia, S., Popyack, L., Wu, N. (2001). ADAM: detecting intrusions by data mining. In Proceedings of the IEEE workshop on information assurance and security. New York: IEEE Press.Google Scholar
  6. Bayardo, R.J. (1998). Efficiently mining long patterns from databases. In Proceedings of the 1998 ACM-SIGMOD international conference on management of data (pp. 85–93).Google Scholar
  7. Bayardo, R.J., & Agrawal, R. (1999). Mining the most interesting rules. In Proceedings of the fifth ACM SIGKDD international conference on knowledge discovery and data mining (pp. 145–154).Google Scholar
  8. Bertino, E., Kamra, A., Terzi, E., Vakali, A. (2005). Intrusion detection in RBAC-administered databases. In Proceedings of 21st annual computer security applications conference (pp. 170–182).Google Scholar
  9. Bon, S., & Negmat, M. (2006). Extracting forensic explanation from intrusion alerts. In International conference on data mining (pp. 283–289). Las Vegas: CSREA Press.Google Scholar
  10. Casewell, B., & Beale, J. (2004). SNORT 2.1 Intrusion detection, 2nd edn. Massachusetts: Syngress.Google Scholar
  11. Chung, C.Y., Gertz, M., Levitt, K. (2000). Demids: a misuse detection system for database systems. Integrity and internal control information systems: strategic views on the need for control (pp. 159–178). Norwell: Kluwer.CrossRefGoogle Scholar
  12. Cohen, E., Datar, M., Fujiwara, S., Gionis, A., Indyk, R., Motwani, P., Ullman, J., Yang, C. (2000). Finding interesting associations without support pruning. In Proceedings of international conference on data engineering.Google Scholar
  13. Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P., Srivava, J., Kumar, V., Dokas, P. (2004). The MINDS – Minnesota intrusion detection system. In Next generation data mining. Boston: MIT Press.Google Scholar
  14. Eskin, E., Arnold, A., Prerau, M., Portnoy, L., Stolfo, S. (2002). A geometric framework for unsupervised anomaly detection: detecting intrusions in unlabeled data. Applications of data mining in computer security. Dordrecht: Kluwer.Google Scholar
  15. Fan, W., Miller, M., Stolfo, S., Lee, W., Chan, P. (2001). Using artificial anomalies to detect unknown and known network intrusions. In Proceedings of the 1st IEEE international conference on data mining. New York: IEEE Press.Google Scholar
  16. Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A. (1996). A Sense of self for unix processes. In Proceedings of the 1996 IEEE symposium on security and privacy, IEEE computer society press (pp. 120–128).Google Scholar
  17. Frank, J. (1994). Artificial intelligence and intrusion detection: current and future directions. In Proceedings of the 17th national computer security conference.Google Scholar
  18. Hashemi, S., Yang, Y., Zabihzadeh, D., Kangavari, M. (2008). Detecting intrusion transactions in databases using data item dependencies and anomaly analysis. Expert Systems, 25(5), 460–473.CrossRefGoogle Scholar
  19. Hashler, M. (2011). A comparison of commonly used interest measures for association rules. .
  20. Heady, R., Luger, G., Maccabe, A., Servilla, M. (1990). The architecture of a network level intrusion detection system. Technical Report. University of New Mexico: Computer Science Department.Google Scholar
  21. Hu, Y., & Panda, B. (2004). A data mining approach for database intrusion detection. In Proceedings of the ACM symposium on applied computing (pp. 711–716).Google Scholar
  22. Hu, Y., & Panda, B. (2010). Mining inter-transaction data dependencies for database intrusion detection. In Proceedings of innovations and advances in computer sciences and engineering. Springer.Google Scholar
  23. Hwang, K., Cai, M., Chen, Y., Qin, M. (2007). Hybrid intrusion detection with weighted signature generation over anomalous Internet episodes. IEEE Transactions on Dependency and Secure Computing, 4(1), 41–55.CrossRefGoogle Scholar
  24. Javidi, M.M., Sohrabi, M., Kuchaki Rafsanjani, M. (2010). Intrusion detection in database systems. In Proceedings of FGCN 2010, Part II, CCIS, 120 (pp. 93–101).Google Scholar
  25. Javidi, M.M., Kuchaki Rafsanjani, M., Hashemi, S., Sohrabi, M. (2012). An overview of anomaly based database intrusion detection systems. Indian Journal of Science and Technology 5(10), 3550–3559.Google Scholar
  26. Javitz, H.S., & Valdes, A. (1991). The SRI IDES statistical anomaly detector. In Proceedings of the IEEE symposium on security and privacy.Google Scholar
  27. Karjoth, G. (2003). Access control with IBM tivoli access manager.ACM Transactions on Information and Systems Security (TISSEC), 6(2), 232–257.CrossRefGoogle Scholar
  28. Killourhy, K.S., & Maxion, R.A. (2002). Undermining an anomaly-based intrusion detection system using common exploits. In Proceedings of the international symposium on recent advances in intrusion detection (RAID ’02) (pp. 54–73). Berlin: Springer.Google Scholar
  29. Lee, V.C., Stankovic, J., Son, S.H. (2000). Intrusion detection in real-time database systems via time signatures. In Proceedings of the sixth IEEE real time technology and applications symposium (RTAS’00) (pp. 124–133). New York: IEEE Press.Google Scholar
  30. Lee, W., Stolfo, S.J., Mok, K. (2000). Adaptive intrusion detection: a data mining approach. Artificial Intelligence Review, 14(6), 533–567.CrossRefMATHGoogle Scholar
  31. Noel, S., Wijesekera, D., Youman, C. (2002). Modern intrusion detection, data mining, and degrees of attack guilt. In Applications of data mining in computer security. Dordrecht: Kluwer.Google Scholar
  32. Paxson, V. (1998). Bro: a system for detecting network intrusions in real time. In Proceedings of the 7 \(^{th}\) USENIX security symposium. Berkeley: USENIX Association.Google Scholar
  33. Piatetsky-Shapiro, G. (1991). Discovery, analysis, and presentation of strong rules. In G., Piatetsky-Shapiro, & J., Frawley (Eds.), Knowledge discovery in databases AAAI (pp. 229–248). Cambridge: MIT Press.Google Scholar
  34. Qin, M., & Hwang, K. (2004). Frequent episode rules for Internet traffic analysis and anomaly detection. In Proceedings of the IEEE conference on network computing and applications (NAC ’04). New York: IEEE Press.Google Scholar
  35. Roesch, M. (1999). SNORT – lightweight intrusion detection for networks. In Proceedings of the USENIX 13th systems administration conference (LISA ’99) (pp. 229–238). Berkeley: USENIX Association.Google Scholar
  36. Sandhu, R., Ferraiolo, D., Kuhn, R. (2000). The NIST model for role based access control: towards a unified standard. In Proceedings of the 5th ACM workshop on role based access control.Google Scholar
  37. Srivastava, A., Sural, S., Majumdar, A.K. (2006). Database intrusion detection using weighted sequence mining. Journal of Computers, 1(4), 8–17.CrossRefGoogle Scholar
  38. Todorovski, L., Flach, P., Lavrac, N. (2000). Predictive performance of weighted relative accuracy. In D. A., Zighed, J., Komorowski, J., Zytkow (Eds.), Proceedings of the fourth European conference on principles of data mining and knowledge discovery (PKDD2000) (pp. 255–264). Springer-Verlag.CrossRefGoogle Scholar
  39. Webb, G.I. (1995). OPUS: an efficient admissible algorithm for unordered search. Journal of Artificial Intelligence Research, 3, 431–465.MATHGoogle Scholar
  40. Webb, G.I. (2000). Efficient search for association rules. In The Sixth ACM SIGKDD international conference on knowledge discovery and data mining (pp. 99–107). Boston: The Association for computing machinery.CrossRefGoogle Scholar
  41. Webb, G.I., & Zhang, S. (2005). K-Optimal rule discovery. Data Mining and Knowledge Discovery, 10(1), 39–79.CrossRefMathSciNetGoogle Scholar
  42. White, G.B., Fisch, E.A., Pooch, U.W. (1996). Cooperating security managers: a peer-based intrusion detection system. IEEE Network, 10(1), 20–23.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Mina Sohrabi
    • 1
  • Mohammad M. Javidi
    • 2
  • Sattar Hashemi
    • 3
  1. 1.Department of Computer Science, Young Researchers SocietyShahid Bahonar University of KermanKermanIran
  2. 2.Department of Computer ScienceShahid Bahonar University of KermanKermanIran
  3. 3.Computer Science and Engineering Department, Electrical and Computer Engineering SchoolShiraz UniversityShirazIran

Personalised recommendations