Abstract
Anomaly detection systems assume that a certain deviation from the regular behaviour of a system can be an indicator of a security violation. They have long proved their usefulness for networks and operating systems, but are much less prominent in the field of databases. Relational databases operate on attributes within relations, i.e., on data with a very uniform structure, which makes them a prime target for anomaly detection systems. This work presents such a system for the database extension and for the user interaction with a DBMS; it also proposes a misuse detection system for the database scheme. In a comprehensive investigation we compare two approaches to dealing with the database extension, one based on reference values and one based on Δ-relations, and show that standard statistical functions already yield good detection results. We then apply our methods to the user interaction, which is split into user input and DBMS behaviour. All methods have been implemented in a semi-automatic anomaly detection tool for MS SQL Server 2000.
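As an added illustration (not code from the paper or its tool), the following sketches one way the two approaches named above could be realised over a relation's extension with standard statistics: reference values summarise each snapshot directly, while Δ-relations summarise the change between consecutive snapshots. The snapshot data, the choice of reference values (count, mean, max) and the z-score threshold are assumptions made here for illustration; the paper's own definitions are not on this page.

```python
from statistics import mean, pstdev

# Constructed daily snapshots of a relation's extension (tuple id -> salary).
# Days 0..4 are the training window; day 5 is under test: most tuples were
# deleted and one value was inflated, which a content-level attack might do.
SNAPSHOTS = [
    {1: 3000, 2: 3100, 3: 2900, 4: 3050},
    {1: 3000, 2: 3100, 3: 2900, 4: 3050, 5: 3020},
    {1: 3000, 2: 3150, 3: 2900, 4: 3050, 5: 3020},
    {1: 3000, 2: 3150, 3: 2900, 4: 3050, 5: 3020, 6: 2980},
    {1: 3000, 2: 3150, 3: 2950, 4: 3050, 5: 3020, 6: 2980},
    {1: 3000, 2: 9900, 5: 3020},
]

def reference_values(snapshot):
    """Reference-value approach: describe one extension by summary statistics."""
    vals = list(snapshot.values())
    return {"count": len(vals), "mean": mean(vals), "max": max(vals)}

def delta_relation(old, new):
    """Delta-relation approach: count inserted, deleted and updated tuples."""
    inserted = [k for k in new if k not in old]
    deleted = [k for k in old if k not in new]
    updated = [k for k in new if k in old and old[k] != new[k]]
    return {"inserted": len(inserted), "deleted": len(deleted), "updated": len(updated)}

def zscore(value, history):
    """Distance of a measure from its training history, in standard deviations."""
    sd = pstdev(history)
    if sd == 0:  # constant history: any change at all is maximally surprising
        return 0.0 if value == mean(history) else float("inf")
    return abs(value - mean(history)) / sd

def anomalies(snapshots, threshold=2.0):
    """Return the measures of the last snapshot that deviate from the training window."""
    train, test = snapshots[:-1], snapshots[-1]
    flags = {}
    ref_hist = [reference_values(s) for s in train]
    for m, v in reference_values(test).items():
        z = zscore(v, [r[m] for r in ref_hist])
        if z > threshold:
            flags["ref:" + m] = z
    delta_hist = [delta_relation(a, b) for a, b in zip(train, train[1:])]
    for m, v in delta_relation(train[-1], test).items():
        z = zscore(v, [d[m] for d in delta_hist])
        if z > threshold:
            flags["delta:" + m] = z
    return flags

if __name__ == "__main__":
    for name, z in anomalies(SNAPSHOTS).items():
        print(f"{name}: z={z:.2f}")
```

Note that the two views complement each other: the reference values flag the changed count, mean and maximum, while only the Δ-relation exposes that three tuples were deleted in a single step.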
© 2005 IFIP International Federation for Information Processing
About this paper
Cite this paper
Spalka, A., Lehnhardt, J. (2005). A Comprehensive Approach to Anomaly Detection in Relational Databases. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_16
DOI: https://doi.org/10.1007/11535706_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28138-2
Online ISBN: 978-3-540-31937-5
eBook Packages: Computer Science (R0)