2 Insider Misuse and Anomaly Detection
An overarching theme in computer security, which has been studied for more than 20 years and also motivates the need for security re-engineering concepts and techniques for databases, is intrusion detection [1, 20, 34, 38, 44]. In general, an intrusion is considered an activity that violates the security policy of a system. Intrusion detection systems (IDSs) are based on the assumption that the behavior of an intruder differs from that of an authorized user and that the corresponding unauthorized activities can be detected and reacted upon. One typically distinguishes among host-based IDSs, network-based IDSs and application-based IDSs. All these systems are based on the analysis of audit data, which are collected by some audit procedure and describe events of interest at different levels of granularity, an aspect we will elaborate on in Section 3.1. A host-based IDS uses audit data produced by operating system calls on a local host, such as process executions, resource consumption, and file accesses. Network-based IDSs, on the other hand, are placed in a network and monitor all network traffic. They analyze packets for particular signatures and try to detect and prevent inappropriate network usage. Application-based IDSs can be considered a special class of host-based IDSs. They collect and analyze audit data specific to a particular application, application component or function realized on one or more hosts [23, 54].

One could argue that a database management system (DBMS) is a particular type of such application. However, as we will discuss in the following sections, traditional application-based IDS techniques are not sufficient to realize an effective intrusion detection system for a DBMS. For this, it is important to understand the methodologies IDSs employ for the detection of security policy violations. These methods are discussed next.
2.1 Misuse Detection
Misuse detection is one of two classes of intrusion detection approaches. Misuse detection is based on signatures that describe the characteristics of known system attacks and vulnerabilities. The signatures are typically derived from security policies. Mechanisms implementing a misuse detection approach monitor the system, network, or application for any activities that match the specified signatures, e.g., a specific sequence of system calls or a particular type of packet traffic between two hosts.

Although misuse detection approaches work very well for known attacks and misuse patterns, they fail to deal with new attacks and security threats. Misuse detection approaches therefore need to continuously update their signatures of security threats and vulnerabilities in order to effectively prevent intrusions.
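To make the signature-matching idea concrete, the following added example (it is not from the book chapter) implements a small host-based misuse detector: each signature is an ordered sequence of system-call steps, optionally constrained by an argument, that must occur for one process within a bounded time window. The audit events, signatures, host name, process ids and the 203.0.113.5 address are all constructed sample data. The third process shows the limitation described above: it performs the same kind of activity through different system calls (openat and sendto instead of open and connect), so the existing signature does not fire.

```python
"""Signature-based (misuse) detection over a constructed audit trail.

Added illustration, not code from the chapter. Signatures are ordered
system-call sequences; a signature matches when all of its steps occur
for one process, in order, within `window` seconds of the first step.
"""
from collections import defaultdict

# Constructed audit events: (timestamp_s, host, pid, syscall, argument).
AUDIT_EVENTS = [
    (1, "hostA", 101, "open", "/etc/passwd"),
    (2, "hostA", 101, "read", "/etc/passwd"),
    (3, "hostA", 101, "close", "/etc/passwd"),
    # pid 202: reads a sensitive file, then opens a network connection.
    (4, "hostA", 202, "open", "/etc/shadow"),
    (5, "hostA", 202, "read", "/etc/shadow"),
    (6, "hostA", 202, "socket", "AF_INET"),
    (7, "hostA", 202, "connect", "203.0.113.5:4444"),
    # pid 303: same behaviour via different syscalls (openat/sendto);
    # the signature below does not cover this variant.
    (8, "hostA", 303, "openat", "/etc/shadow"),
    (9, "hostA", 303, "read", "/etc/shadow"),
    (10, "hostA", 303, "sendto", "203.0.113.5:4444"),
]

# Constructed signature library: name -> ordered (syscall, argument) steps.
# An argument of None means "any argument".
SIGNATURES = {
    "sensitive-file-to-network": [("open", "/etc/shadow"), ("read", None), ("connect", None)],
    "chmod-then-shell": [("chmod", None), ("execve", "/bin/sh")],
}


def step_matches(step, event):
    """True if one signature step matches one audit event."""
    syscall, arg = step
    return event[3] == syscall and (arg is None or event[4] == arg)


def match_sequence(events, steps, window):
    """Return the timestamps of the matched steps, or None.

    Tries every event that could start the signature, then walks forward
    greedily; the match is abandoned once `window` seconds have elapsed
    since the first matched step.
    """
    for start, first in enumerate(events):
        if not step_matches(steps[0], first):
            continue
        matched = [first[0]]
        idx = 1
        for later in events[start + 1:]:
            if idx == len(steps) or later[0] - matched[0] > window:
                break
            if step_matches(steps[idx], later):
                matched.append(later[0])
                idx += 1
        if idx == len(steps):
            return matched
    return None


def detect(events, signatures, window=5):
    """Return alerts as (signature_name, host, pid, matched_timestamps)."""
    per_process = defaultdict(list)
    for ev in events:
        per_process[(ev[1], ev[2])].append(ev)
    alerts = []
    for (host, pid), evs in per_process.items():
        evs.sort(key=lambda e: e[0])  # audit order by timestamp
        for name, steps in signatures.items():
            hit = match_sequence(evs, steps, window)
            if hit is not None:
                alerts.append((name, host, pid, hit))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_EVENTS, SIGNATURES):
        print("ALERT", alert)
```

Running the block reports a single alert for pid 202; pid 303 goes unreported even though it reads the same file and sends it to the same address, which is exactly why a signature library needs continuous updating and why the anomaly-based approach discussed next is usually combined with it.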
2.2 Anomaly Detection
Most of the approaches to intrusion detection typically combine misuse detection with anomaly detection. Anomaly detection approaches are the most