A System for Profiling and Monitoring Database Access Patterns by Application Programs for Anomaly Detection


Abstract:

Database Management Systems (DBMSs) provide access control mechanisms that allow database administrators (DBAs) to grant application programs access privileges to databases. Though such mechanisms are powerful, in practice a finer-grained access control mechanism tailored to the semantics of the data stored in the DBMS is required as a first-class defense mechanism against smart attackers. Hence, custom-written applications that access databases implement an additional layer of access control. Therefore, securing a database alone is not enough for such applications, as attackers aiming at stealing data can take advantage of vulnerabilities in the privileged applications and make these applications issue malicious database queries. An access control mechanism can only prevent application programs from accessing data for which the programs are not authorized; it cannot prevent misuse of the data that application programs are authorized to access. Hence, we need a mechanism able to detect malicious behavior resulting from previously authorized applications. In this paper, we present the architecture of an anomaly detection mechanism, DetAnom, that aims to solve this problem. Our approach is based on the analysis and profiling of the application in order to create a succinct representation of its interaction with the database. Such a profile keeps a signature for every submitted query and also the corresponding constraints that the application program must satisfy to submit the query. Later, in the detection phase, whenever the application issues a query, a module captures the query before it reaches the database and verifies the corresponding signature and constraints against the current context of the application. If there is a mismatch, the query is marked as anomalous.
The main advantage of our anomaly detection mechanism is that, in order to build the application profiles, we need neither any previous knowledge of application vulnerabilities nor an...
Published in: IEEE Transactions on Software Engineering (Volume: 43, Issue: 5, 01 May 2017)
Page(s): 415 - 431
Date of Publication: 05 August 2016


1 Introduction

Data stored in databases is often critical to the organization's operations and also sensitive, for example with respect to privacy. Therefore, securing data stored in a database is a critical requirement. Data must be protected not only from external attackers, but also from users within the organizations [1]. A wide range of institutions, from government agencies (e.g., military, judiciary, etc.) to commercial enterprises, are witnessing attacks by insiders at an alarming rate. The most important objective of these insiders is to either exfiltrate sensitive data (e.g., military plans, trade secrets, intellectual property, etc.) or maliciously modify the data for deception purposes or for attack preparation [2], [3], [4].
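
The profile-then-verify flow described in the abstract can be sketched as follows. This is an added example, not code from the paper or from DetAnom: the signature form (a literal-free query skeleton), the constraints modelled as predicates over the application's inputs, and the payroll queries are all assumptions made for illustration.

```python
import re
from typing import Callable, Dict, List

Context = Dict[str, object]             # application inputs at submission time
Constraint = Callable[[Context], bool]  # condition the program must satisfy

def signature(sql: str) -> str:
    """Literal-independent skeleton of a query (assumed signature form)."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # numeric literals
    return re.sub(r"\s+", " ", s).strip().rstrip(";").lower()

class Profile:
    def __init__(self) -> None:
        self._entries: Dict[str, List[Constraint]] = {}

    def learn(self, sql: str, constraint: Constraint) -> None:
        """Profiling phase: record a query the program can issue and the
        condition on its inputs under which it issues that query."""
        self._entries.setdefault(signature(sql), []).append(constraint)

    def check(self, sql: str, ctx: Context) -> str:
        """Detection phase: called on each query before it reaches the DBMS."""
        constraints = self._entries.get(signature(sql))
        if constraints is None:
            return "anomalous: unknown signature"
        if not any(c(ctx) for c in constraints):
            return "anomalous: constraint not satisfied"
        return "ok"

def build_sample_profile() -> Profile:
    # Constructed profile for a hypothetical payroll application.
    p = Profile()
    p.learn("SELECT name FROM employees WHERE id = 1", lambda c: True)
    p.learn("SELECT salary FROM employees WHERE id = 1",
            lambda c: c.get("role") == "manager")
    return p

if __name__ == "__main__":
    profile = build_sample_profile()
    samples = [  # constructed (query, application context) pairs
        ("SELECT salary FROM employees WHERE id = 42", {"role": "manager"}),
        ("SELECT salary FROM employees WHERE id = 42", {"role": "clerk"}),
        ("SELECT name, salary FROM employees", {"role": "manager"}),
    ]
    for sql, ctx in samples:
        print(f"{profile.check(sql, ctx):38} {sql}")
```

The second sample shows the case access control alone does not cover: the query is one the application is authorized to issue, but not in the context in which it was submitted.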
