Journal of Network and Systems Management, Volume 13, Issue 3, pp 269–291

Design and Analysis of Techniques for Detection of Malicious Activities in Database Systems

  • Yi Hu
  • Brajendra Panda


Existing host-based intrusion detection systems use the operating system log or the application log to detect misuse or anomalous activities. These methods are not sufficient for detecting intrusions in database systems. In this paper, we describe a method for detecting malicious activities in a database management system by using data dependency relationships. Typically, before a data item is updated in the database, some other data items are read or written, and after the update, other data items may also be written. The data items read or written in the course of updating a data item constitute the read set, prewrite set, and postwrite set for that data item. The proposed method identifies malicious transactions by comparing these sets with the data items read or written in user transactions. We provide mechanisms for finding data dependency relationships among transactions and use Petri-Nets to model normal data update patterns at the user task level. Using this method, we ascertain more hidden anomalies in the database log. Our simulation on synthetic data reveals that the proposed model achieves desirable performance when both transaction-level and user task-level intrusion detection methods are employed.
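The transaction-level part of the abstract (deriving a read set, prewrite set and postwrite set for each updated data item, then comparing them against what a user transaction actually touches) can be illustrated with a small detector. The code below is an added example, not code from the paper or its authors: the training log is constructed, the profile is built by intersecting the sets observed across training transactions (an assumption about how invariants are learned; the paper's own learning mechanism and its Petri-Net task-level model are not reproduced here), and the operation format `("R", item)` / `("W", item)` is an assumption.

```python
from collections import namedtuple

# Constructed training log of benign transactions (not from the paper).
# Each transaction is an ordered list of ("R", item) reads and ("W", item) writes.
TRAINING_LOG = [
    [("R", "balance"), ("R", "limit"), ("W", "balance"), ("W", "audit")],
    [("R", "balance"), ("R", "limit"), ("W", "balance"), ("W", "audit")],
    [("R", "stock"), ("W", "stock"), ("W", "ledger")],
    [("R", "stock"), ("R", "price"), ("W", "stock"), ("W", "ledger")],
]

DepSets = namedtuple("DepSets", "reads prewrites postwrites")


def dependency_sets(transaction):
    """For every write of item d in a transaction yield (d, DepSets):
    reads      = items read before d was written
    prewrites  = items written before d was written
    postwrites = items written after d was written
    """
    for i, (op, item) in enumerate(transaction):
        if op != "W":
            continue
        before, after = transaction[:i], transaction[i + 1:]
        yield item, DepSets(
            reads=frozenset(x for o, x in before if o == "R"),
            prewrites=frozenset(x for o, x in before if o == "W"),
            postwrites=frozenset(x for o, x in after if o == "W"),
        )


def learn_profile(log):
    """Build the normal-behaviour profile: per data item, keep only the
    dependencies that held in every training transaction that wrote it
    (set intersection), so the profile contains invariants, not coincidences."""
    profile = {}
    for tx in log:
        for item, deps in dependency_sets(tx):
            if item in profile:
                p = profile[item]
                profile[item] = DepSets(p.reads & deps.reads,
                                        p.prewrites & deps.prewrites,
                                        p.postwrites & deps.postwrites)
            else:
                profile[item] = deps
    return profile


def check_transaction(profile, tx):
    """Return a list of (item, kind, missing_items) violations.
    A write of d is suspicious when the transaction skips reads or writes
    that always accompanied updates of d in the training data, or when d
    was never updated during training at all."""
    violations = []
    for item, deps in dependency_sets(tx):
        if item not in profile:
            violations.append((item, "unknown_item", frozenset()))
            continue
        expected = profile[item]
        for kind, exp, got in (("read", expected.reads, deps.reads),
                               ("prewrite", expected.prewrites, deps.prewrites),
                               ("postwrite", expected.postwrites, deps.postwrites)):
            missing = exp - got
            if missing:
                violations.append((item, kind, missing))
    return violations


def is_malicious(profile, tx):
    """Transaction-level verdict: any violated dependency flags the transaction."""
    return bool(check_transaction(profile, tx))


PROFILE = learn_profile(TRAINING_LOG)

if __name__ == "__main__":
    # A direct write of balance without reading balance/limit or writing audit
    # is exactly the kind of pattern this comparison surfaces.
    suspect = [("W", "balance")]
    for v in check_transaction(PROFILE, suspect):
        print("violation:", v)
```

Intersecting across training transactions means optional activity (the extra read of `price` in one stock update) never becomes a requirement, while activity that always occurred (writing `audit` after `balance`) does. A more complete detector would also record the task-level ordering of transactions, which the paper models with Petri-Nets.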


Keywords: malicious transactions, intrusion detection, anomaly detection, data dependency





Copyright information

© Springer Science + Business Media, Inc. 2005

Authors and Affiliations

  1. Computer Science and Computer Engineering Department, University of Arkansas, Fayetteville
