Abstract
Despite the necessity of protecting information stored in database systems (DBS), existing security models are insufficient to prevent misuse, especially insider abuse by legitimate users. Further, concepts for misuse detection in DBS have not been adequately addressed by existing research in misuse detection. Even though there are available means to guard the information stored in a database system against misuse, they are seldom used by security officers because security policies of the organization are either imprecise or not known at all.
This paper presents a misuse detection system called DEMIDS which is tailored to relational database systems. DEMIDS uses audit logs to derive profiles that describe typical behavior of users working with the DBS. The profiles computed can be used to detect misuse behavior, in particular insider abuse. Furthermore, the profiles can serve as a valuable tool for security re-engineering of an organization by helping the security officers to define/refine security policies and to verify existing security policies, if there are any.
Essential to the presented approach is that the access patterns of users typically form some working scopes which comprise sets of attributes that are usually referenced together with some values in queries. DEMIDS considers domain knowledge about the data structures and semantics encoded in a given database schema through the notion of distance measure. Distance measures are used to guide the search for frequent itemsets describing the working scopes of users. In DEMIDS such frequent itemsets are computed efficiently from audit logs using the data management and query processing features of the database management system.
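As an added illustration, not code from the paper, the Python sketch below builds one user's working-scope profile from constructed audit-log entries with an Apriori-style frequent-itemset search, lets an assumed schema distance (same table 0, foreign-key-linked tables 1, otherwise 2) prune candidates before they are counted, and scores a new query by how much of it falls outside the profile. The attribute names, the FK_LINKS table, the thresholds and the distance definition are assumptions for illustration, not the paper's own definitions.

```python
# Constructed sample: one audit-log entry per query, as (user, attributes referenced).
AUDIT_LOG = [
    ("alice", {"emp.id", "emp.name", "emp.dept"}),
    ("alice", {"emp.id", "emp.name", "emp.dept", "dept.name"}),
    ("alice", {"emp.id", "emp.name"}),
    ("alice", {"emp.id", "emp.dept", "dept.name"}),
    ("alice", {"emp.id", "emp.name", "emp.dept"}),
]
# Assumed schema knowledge: pairs of tables linked by a foreign key (emp.dept -> dept.id).
FK_LINKS = {frozenset({"emp", "dept"})}

def distance(a, b):
    """Assumed distance measure: 0 same table, 1 if tables are FK-linked, else 2."""
    ta, tb = a.split(".")[0], b.split(".")[0]
    if ta == tb:
        return 0
    return 1 if frozenset({ta, tb}) in FK_LINKS else 2

def frequent_itemsets(transactions, min_support, max_dist=1, max_size=3):
    """Apriori-style level-wise search over attribute sets. Candidates whose
    attributes lie further apart in the schema than max_dist are never counted."""
    n = len(transactions)
    if n == 0:
        return {}
    freq = {}
    level = [(a,) for a in sorted({a for t in transactions for a in t})]
    for _ in range(max_size):
        counts = {c: sum(1 for t in transactions if set(c) <= t) for c in level}
        kept = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        freq.update(kept)
        keys = sorted(kept)
        # join step: merge frequent k-itemsets that share their first k-1 attributes;
        # only the newly paired attributes need the distance check, earlier pairs passed it
        level = [keys[i] + (keys[j][-1],)
                 for i in range(len(keys)) for j in range(i + 1, len(keys))
                 if keys[i][:-1] == keys[j][:-1]
                 and distance(keys[i][-1], keys[j][-1]) <= max_dist]
    return freq

def working_scope(user, log, min_support=0.6):
    """Profile of a user: frequent attribute sets (with support) from that user's queries."""
    return frequent_itemsets([attrs for u, attrs in log if u == user], min_support)

def anomaly_score(query_attrs, profile):
    """Share of the referenced attributes that no frequent itemset of the profile covers."""
    covered = {a for itemset in profile for a in itemset}
    return sum(1 for a in query_attrs if a not in covered) / len(query_attrs)

if __name__ == "__main__":
    prof = working_scope("alice", AUDIT_LOG)
    for itemset, sup in sorted(prof.items(), key=lambda kv: (-len(kv[0]), kv[0])):
        print(f"{sup:.2f} {itemset}")
    print(anomaly_score({"emp.id", "emp.salary", "emp.ssn"}, prof))
```

A query touching attributes outside every frequent itemset of the profile scores close to 1, which is the signal a security officer would review against the stated policy.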
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35501-6_14
Copyright information
© 2000 IFIP International Federation for Information Processing
Cite this chapter
Chung, C.Y., Gertz, M., Levitt, K. (2000). DEMIDS: A Misuse Detection System for Database Systems. In: van Biene-Hershey, M.E., Strous, L. (eds) Integrity and Internal Control in Information Systems. IICIS 1999. IFIP — The International Federation for Information Processing, vol 37. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35501-6_12
DOI: https://doi.org/10.1007/978-0-387-35501-6_12
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-5531-2
Online ISBN: 978-0-387-35501-6