Abstract
With the increasing complexity and dynamics of database systems, it becomes more and more difficult for administrative personnel to identify, specify and enforce security policies that govern against the misuse of data. Often security policies are not known, too imprecise or simply have been disabled because of changing requirements.
Recently several proposals have been made to use data mining techniques to discover profiles and anomalous user behavior from audit logs. These approaches, however, are often too fine-grained in that they compute too many rules to be useful for an administrator in implementing appropriate security enforcing mechanisms.
In this paper we present a novel approach to discover security policies from audit logs. The approach is based on using multiple concept hierarchies that specify properties of objects and data at different levels of abstraction and thus can embed useful domain knowledge. A profiler, attached to the information system’s auditing component, utilizes such concept hierarchies to compute profiles at different levels of granularity, guided by the administrator through the specification of an interestingness measure. The computed profiles can be translated into security policies and existing policies can be verified against the profiles.
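As an added illustration of the profiler described above (example code, not the chapter's own implementation): it generalizes constructed audit records along two assumed concept hierarchies (user and object), keeps the patterns whose relative support reaches an administrator-chosen threshold, which stands in here for the interestingness measure, and verifies an assumed existing policy against the resulting profile.

```python
from collections import Counter

# Concept hierarchies, constructed for this example: each entry maps a
# concept to its parent; "ANY" is the root shared by every hierarchy.
USER_HIER = {"alice": "clerk", "bob": "clerk", "carol": "manager",
             "clerk": "staff", "manager": "staff", "staff": "ANY"}
OBJECT_HIER = {"salary": "hr", "bonus": "hr", "orders": "sales",
               "hr": "db", "sales": "db", "db": "ANY"}

# Constructed audit records: (user, object, operation).
AUDIT_LOG = [
    ("alice", "orders", "SELECT"), ("bob", "orders", "SELECT"),
    ("alice", "orders", "UPDATE"), ("bob", "orders", "SELECT"),
    ("carol", "salary", "SELECT"), ("carol", "bonus", "SELECT"),
    ("carol", "salary", "UPDATE"), ("alice", "orders", "SELECT"),
    ("bob", "salary", "SELECT"),   # a clerk reading HR data: rare
    ("alice", "orders", "SELECT"),
]

def generalize(value, hierarchy, level):
    """Climb `level` steps up the hierarchy, stopping at the root."""
    for _ in range(level):
        if value == "ANY":
            break
        value = hierarchy[value]
    return value

def profile(log, user_level, object_level, min_support):
    """Generalize every record to the requested abstraction levels and keep
    the (user, object, op) patterns whose relative support reaches
    min_support (the interestingness measure assumed here)."""
    counts = Counter(
        (generalize(u, USER_HIER, user_level),
         generalize(o, OBJECT_HIER, object_level), op)
        for u, o, op in log)
    total = len(log)
    return {k: n / total for k, n in counts.items() if n / total >= min_support}

def check_policy(prof, policy):
    """Verify an existing policy (a set of permitted generalized patterns)
    against a profile: return observed patterns the policy does not permit."""
    return {k: s for k, s in prof.items() if k not in policy}
```

Raising `user_level` and `object_level` merges the clerk and manager patterns into a single coarse `staff`/`db` profile, which is the granularity trade-off the abstract refers to.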
© 2002 Kluwer Academic Publishers
Chung, C.Y., Gertz, M., Levitt, K. (2002). Discovery of Multi-Level Security Policies. In: Thuraisingham, B., van de Riet, R., Dittrich, K.R., Tari, Z. (eds) Data and Application Security. IFIP International Federation for Information Processing, vol 73. Springer, Boston, MA. https://doi.org/10.1007/0-306-47008-X_16
DOI: https://doi.org/10.1007/0-306-47008-X_16
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7514-2
Online ISBN: 978-0-306-47008-0