Insiders are legitimate users of a system; however, they pose a threat because of their granted access privileges. Anomaly-based intrusion detection approaches have been shown to be effective in the detection of insiders' malicious behavior. Database management systems (DBMS) are the core of any contemporary organization enabling them to store and manage their data. Yet insiders may misuse their privileges to access stored data via a DBMS with malicious intentions. In this chapter, a taxonomy of anomalous DBMS access detection systems is presented. Secondly, an anomaly-based mechanism that detects insider attacks within a DBMS framework is proposed whereby a model of normative behavior of insiders n-grams are used to capture normal query patterns in a log of SQL queries generated from a synthetic banking application system. It is demonstrated that n-grams do capture the short-term correlations inherent in the application. This chapter also outlines challenges pertaining to the design of more effective anomaly-based intrusion detection systems to detect insider attacks.
TopIntroduction
Database Management Systems (DBMS) are at the heart of contemporary organizations. Contemporary organizations deploy DBMS to store and manage access to their application data. There exist traditional security controls including role-based access and authentication that control privileges to stored data. However, there is still the concern of insider threats within the DBMS framework whereby legitimate users of the system misuse their access privileges to access stored data with malicious intentions. For example, there are number of reported incidents (Carr, 2008; Report, 2007) where hospital staff, without cause, looked up the medical records of celebrity patients. It has been reported in a recent survey that 89% of respondent organizations are vulnerable to insider attacks (Insider Threat Report, Insider Threat Security Statistics, Vormetric, 2015). Another survey reports that malicious insiders are the cause of the costliest cybercrimes (2015 Cost of Cyber Crime: Global, 2015).
In order to detect insider attacks, intrusion detection systems can be deployed. An intrusion detection system can be further classified into either anomaly detection systems or misuse detection systems (Kemmerer & Vigna, 2002). Misuse detection systems look for well-known attack patterns that are a priori defined. Thus, misuse detection systems can detect previously known or existing attacks. In contrast to misuse detection systems, anomaly detection systems (Forrest, Hofmeyr, & Somayaji, 2008; Forrest, Hofmeyr, Somayaji, & Longstaff, 1996; Laszka, Abbas, Sastry, Vorobeychik, & Koutsoukos, 2016; Pieczul & Foley, 2013) look for deviations from normal behavior. Anomaly detection systems have the potential to detect previously unknown, or zero-day, attacks (Jamrozik, von Styp-Rekowsky, & Zeller, 2016; Pieczul & Foley, 2016). We are interested in considering the challenge of detecting anomalous DBMS queries made by insiders; while the insider may hold the correct access permission to make the query. This article provides two contributions on this challenge. Firstly, a taxonomy for understanding DBMS anomaly detection systems is proposed. Secondly, an n-gram model for DBMS anomaly detection, that extends (Khan & Foley, 2016), is developed and evaluated.
Anomaly-based intrusion detection techniques have been shown to be effective in detecting insider attacks (Sallam et al., 2015). The basic building block of an anomaly detection technique is how it models normative behavior. Existing anomaly-based intrusion-detection technique considers a query in isolation in order to construct a model of normative behavior. We consider sequences of SQL queries made to a DBMS (Khan & Foley, 2016) whereby n-grams are used to capture normal query patterns.
The book chapter is organized as follows. Section 2 provides an introduction to the problem of insider threat. A taxonomy for anomalous DBMS-access detection systems is developed in Section 3. This provides a context for understanding the different approaches to defining and detecting anomalous activity that might arise from insider threat. Our focus is on learning normal behavior from DBMS logs and then checking subsequent accesses against these normal behavior profiles. The book chapter consider how techniques from the taxonomy can help in achieving this. Section 4 describes our approach, and its evaluation using a simulated banking-style application is described in Section 5. Arising from this work, insights are provided on the challenges for future research on this topic in Section 6. Conclusions are presented in Section 7.