popular and effective ones, as they are based on the normal behavior of a
subject, e.g., a user, system component, or application. In anomaly detection,
information about repetitive and usual behavior is collected and suitably represented
as statistical models of normal behavior, e.g., in the form of profiles.
Current user or system activities are then compared to such profiles. If the
activities significantly deviate from the profile, the activities are considered
intrusive [8, 32, 34, 38, 44]. Deviations from the normal behavior indicate potential
violations of a security policy or an intrusion and thus might trigger
respective responses.
The advantage of anomaly detection over misuse detection is that previously
unseen attacks and activities have a better chance of being detected.
Clearly, the effectiveness of an anomaly-based IDS depends on how well normal
behavior is modeled and how tight thresholds are set to indicate a deviation
from the normal behavior, aiming to reduce false positives (activities that are
not normal but do not violate a security policy) and avoiding false negatives
(suspicious activities that are considered normal).
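As an added illustration (not part of the original text), the following Python sketch builds per-user profiles of normal database activity from a constructed audit log and scores new activity against them; the audit records, the users alice/bob/mallory, and the scoring rule are all assumptions chosen to show how the threshold setting trades false positives against false negatives.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit records (user, table, rows_returned); not from any real system.
TRAINING = [
    ("alice", "orders", 12), ("alice", "orders", 15), ("alice", "customers", 9),
    ("alice", "orders", 11), ("alice", "customers", 10), ("alice", "orders", 14),
    ("bob", "payroll", 3), ("bob", "payroll", 4), ("bob", "payroll", 2),
    ("bob", "payroll", 5), ("bob", "payroll", 3), ("bob", "payroll", 4),
]

def build_profiles(records):
    """Per-user profile of normal behavior: tables usually touched and the
    mean / standard deviation of rows returned per query."""
    by_user = defaultdict(list)
    for user, table, rows in records:
        by_user[user].append((table, rows))
    profiles = {}
    for user, acts in by_user.items():
        sizes = [rows for _, rows in acts]
        profiles[user] = {
            "tables": Counter(table for table, _ in acts),
            "mean": mean(sizes),
            "stdev": pstdev(sizes) or 1.0,  # constant profiles: avoid division by zero
        }
    return profiles

def score(profiles, user, table, rows):
    """Deviation score: z-score of the result size, plus a fixed penalty (assumed
    value 3.0) for touching a table never seen in the profile. Unknown users
    score infinitely high, since there is no normal behavior to compare with."""
    p = profiles.get(user)
    if p is None:
        return float("inf")
    z = abs(rows - p["mean"]) / p["stdev"]
    return z + (3.0 if table not in p["tables"] else 0.0)

def is_intrusive(profiles, user, table, rows, threshold=3.0):
    return score(profiles, user, table, rows) > threshold

def evaluate(profiles, labelled, threshold):
    """Count false positives and false negatives of a threshold on labelled
    activity (user, table, rows, is_attack)."""
    fp = sum(1 for u, t, r, attack in labelled
             if not attack and is_intrusive(profiles, u, t, r, threshold))
    fn = sum(1 for u, t, r, attack in labelled
             if attack and not is_intrusive(profiles, u, t, r, threshold))
    return fp, fn
```

Running `evaluate` over a small labelled set at thresholds 2.0, 3.0 and 4.0 shows the effect the text describes: a tight threshold flags benign but slightly unusual activity, a loose one lets a query on an unseen table pass.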
It is obviously desirable to adopt the techniques suggested for misuse-based
and anomaly-based detection, which have almost exclusively been realized in
the context of host-based and network-based IDSs, for database management
systems and their surrounding infrastructure, that is, applications and the
network. A major problem facing the development of a database intrusion
detection system, however, is insider misuse, an aspect we discuss in more
detail next, since it drives most of the security re-engineering approach we
present in this paper.
2.3 Insider Misuse
The notion of intrusion intuitively refers to subjects that gain access to a system
to which they have no legitimate access otherwise. Such intrusions occur
by exploiting system vulnerabilities or by simply cracking or stealing accounts
of legitimate users. Once the subject has access to a system, the subject then
is considered a legitimate user by the system and has all the privileges and
rights associated with that user; the intruder is now considered an insider.
Thus, one objective of a security re-engineering approach to database systems
can be framed as “effectively detecting and preventing insider misuse”.
As several recent reports clearly indicate, traditional intrusion detection
techniques and systems are not sufficient in dealing with insider misuse
[5, 6, 26, 43, 48]. In particular, the CSI/FBI reports state that “The threat
from inside the organization is far greater than the threat from outside the
organization” and “Inside jobs occur about as often as external attacks” [26, 48].
Clearly, the problem of insider misuse is aggravated in the context of database
systems that manage large collections of sensitive and often mission-critical
data. There are many sources for potential insider misuse, ranging from the
frequently mentioned “disgruntled employee” who maliciously tampers with