
Simulating User Activity for Assessing Effect of Sampling on DB Activity Monitoring Anomaly Detection

Chapter in the book series Lecture Notes in Computer Science (LNISA, volume 11550)

Abstract

Monitoring database activity is useful for identifying and preventing data breaches. Such database activity monitoring (DAM) systems use anomaly detection algorithms to alert security officers to possible infractions. However, the sheer number of transactions makes it impossible to track each transaction. Instead, solutions use manually crafted policies to decide which transactions to monitor and log. Creating a smart data-driven policy for monitoring transactions requires moving beyond manual policies. In this paper, we describe a novel simulation method for user activity. We introduce events of change in the user transaction profile and assess the impact of sampling on the anomaly detection algorithm. We found that looking for anomalies in a fixed subset of the data using a static policy misses most of these events since low-risk users are ignored. A Bayesian sampling policy identified 67% of the anomalies while sampling only 10% of the data, compared to a baseline of using all of the data.
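The abstract's three-way comparison (a manual policy that always logs a fixed high-risk subset, a Bayesian sampling policy, and logging all of the data) can be reproduced in miniature. The block below is an added example written for this page; it is not the paper's code, its released simulator, or its detector, and every modelling choice in it is an assumption: each user's activity per step is a single transaction-volume number around a fixed baseline, a "change event" triples that baseline for the rest of the run, anomalies are per-user z-scores over a Welford running profile, a static 1..10 risk score stands in for the paper's risk model, and Thompson sampling on Beta beliefs stands in for the paper's Bayesian policy, whose actual form the abstract does not give. A budget of 4 of 40 users matches the abstract's 10% sampling rate.

```python
"""Toy DAM sampling simulation (added example; not the paper's code or data).
Constructed assumptions, none from the paper: each user's activity per step is
one volume number around a fixed baseline; a 'change event' triples it for the
rest of the run; the detector is a per-user z-score over a Welford profile;
'Bayesian sampling' is approximated by Thompson sampling on Beta beliefs seeded
from a static 1..10 risk score. A budget of 4 of 40 users is the abstract's 10%."""
import math
import random


class Profile:
    """Per-user running mean/variance (Welford) of logged transaction volume."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def is_anomalous(self, x, z_thresh=6.0, min_obs=10):
        if self.n < min_obs:
            return False  # baseline not mature enough to judge
        return abs(x - self.mean) > z_thresh * max(math.sqrt(self.m2 / (self.n - 1)), 1e-9)


class World:
    """Constructed transaction log: a volume for every user at every step."""
    def __init__(self, n_users=40, steps=300, n_events=12, budget=4, seed=7):
        rng = random.Random(seed)
        self.n_users, self.steps, self.budget = n_users, steps, budget
        self.baseline = [rng.uniform(50.0, 500.0) for _ in range(n_users)]
        self.risk = [rng.randint(1, 10) for _ in range(n_users)]  # static risk score
        # One change event on a top-risk user, the rest on users a static policy never
        # logs; all at step 40 or later so every baseline is mature by then.
        top = self.top_risk_users()
        others = [u for u in range(n_users) if u not in top]
        changed = [rng.choice(top)] + rng.sample(others, n_events - 1)
        self.events = {u: rng.randint(40, 150) for u in changed}
        self.volumes = [[rng.gauss(self.baseline[u] * (3.0 if t >= self.events.get(u, steps) else 1.0),
                                   0.1 * self.baseline[u]) for u in range(n_users)] for t in range(steps)]

    def top_risk_users(self):
        """The fixed subset a manual 'log the riskiest users' policy monitors."""
        return sorted(range(self.n_users), key=lambda u: -self.risk[u])[:self.budget]


class StaticPolicy:
    """Manually crafted policy: always log the same highest-risk subset."""
    def __init__(self, world):
        self.subset = world.top_risk_users()

    def choose(self, budget):
        return self.subset[:budget]

    def observe(self, user, alerted):
        pass  # learns nothing from what it logs


class ThompsonPolicy:
    """Bayesian stand-in: Beta belief per user that a logged transaction is anomalous
    (prior worth four observations, mean rising with risk); log the top posterior draws."""
    def __init__(self, world, seed=11):
        self.rng = random.Random(seed)
        self.a = [1.0 + r / 5.0 for r in world.risk]
        self.b = [3.0 - r / 5.0 for r in world.risk]

    def choose(self, budget):
        draws = [self.rng.betavariate(a, b) for a, b in zip(self.a, self.b)]
        return sorted(range(len(draws)), key=lambda u: -draws[u])[:budget]

    def observe(self, user, alerted):
        if alerted:
            self.a[user] += 1.0  # evidence this user misbehaves
        else:
            self.b[user] += 1.0  # quiet observation: belief decays, others get a turn


def run(world, policy=None, warmup=20):
    """Replay the log and return recall of change events. policy=None logs everything
    (the 'all data' baseline); else full logging for `warmup` steps, then `budget`/step."""
    profiles = [Profile() for _ in range(world.n_users)]
    detected = set()
    for step in range(world.steps):
        budgeted = policy is not None and step >= warmup
        logged = policy.choose(world.budget) if budgeted else range(world.n_users)
        for u in logged:
            x = world.volumes[step][u]
            alert = profiles[u].is_anomalous(x)
            if alert:
                if step >= world.events.get(u, world.steps):
                    detected.add(u)
                profiles[u] = Profile()  # alert triaged; relearn this user's baseline
            profiles[u].update(x)
            if budgeted:
                policy.observe(u, alert)
    return len(detected) / len(world.events)


def compare(seed=7):
    """Recall of the 12 change events under each policy, same constructed log for all."""
    world = World(seed=seed)
    return {"all data": run(world),
            "static 10%": run(world, StaticPolicy(world)),
            "thompson 10%": run(world, ThompsonPolicy(world))}
```

`compare()` returns each policy's recall on the same constructed log. Because every user's baseline is learned during the full-logging warm-up, any post-event sample of a changed user raises an alert, so a policy's recall is simply the share of changed users it visits after their change: the static subset can catch only the one event placed inside it, whereas the belief-updating policy keeps exploring quiet users and so still reaches low-risk ones under the same 10% budget.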



Corresponding author: Hagit Grushka-Cohen.

Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Grushka-Cohen, H., Biller, O., Sofer, O., Rokach, L., Shapira, B. (2019). Simulating User Activity for Assessing Effect of Sampling on DB Activity Monitoring Anomaly Detection. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science, vol 11550. Springer, Cham. https://doi.org/10.1007/978-3-030-17277-0_5


  • DOI: https://doi.org/10.1007/978-3-030-17277-0_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17276-3

  • Online ISBN: 978-3-030-17277-0

  • eBook Packages: Computer Science (R0)
