Databases Reference
In-Depth Information
6 Related Work
Compared to the numerous research and development activities on intrusion
detection for host- and network-based systems, there has been little work
on misuse and anomaly detection for databases, and on security evaluation
approaches in particular. Only Castano et al. [12] give a detailed, though
idealized, description of the steps and approaches in database security
design. An extension of Entity-Relationship (ER) modeling concepts to
address security and authorization features has been proposed by Oh and
Navathe [46].
Chung et al. [13, 14] proposed a technique specifically designed for
detecting anomalies and misuse in database systems. In their approach,
typical user access patterns are discovered from audit data using
association rule mining. It is assumed that users typically access data
that is semantically related, an aspect that can easily be captured and
utilized based on relationships (e.g., foreign key dependencies) in the
underlying database schema. Distance measures are introduced to determine
whether an observed user data access is within the normal, previously
observed boundaries; if it is not, an alarm is raised indicating a
possible misuse. This approach has been extended in [15] to discover
security policies at different levels of granularity and access patterns.
In [25], the aspect of monitoring mission-critical data for integrity and
availability is discussed in detail. In particular, different audit
approaches are presented.
More recent work on anomaly detection is by Spalka and Lehnhardt [56] and
Kamra et al. [29]. Spalka and Lehnhardt introduce the concept of delta
relations, which are derived from attributes of relations and basically
represent data profiles, to detect anomalies in user operations on the
data. In particular, they provide a prototypical implementation of their
system using Microsoft SQL Server 2000. In the approach proposed by Kamra
et al., information about user queries to the database system is exploited
to build access profiles, which are then compared to new queries based on
some distance metrics to determine potential anomalies. That is, profiles
are built using the syntactic information from SQL queries rather than
from the data the SQL statements operate on. It is an interesting and
useful approach to detecting anomalous access patterns, and it would be
worthwhile to investigate how the access patterns can be used to re-design
underlying security mechanisms. Nabar et al. propose a similar approach to
query auditing in [40].
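
The query-syntax profiling idea described above can be sketched as follows. This is an added example, not code from the chapter or from Kamra et al., and it is a simplified stand-in for their method: the audit log is constructed, and the feature set, distance function, and threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed audit log of (user, SQL text) pairs; not from any real system.
TRAINING_LOG = [
    ("alice", "SELECT name, dept FROM employees WHERE id = 7"),
    ("alice", "SELECT name FROM employees WHERE dept = 'ops'"),
    ("alice", "SELECT dept, name FROM employees"),
]
THRESHOLD = 0.4  # assumed cut-off; a real deployment would tune this

def features(sql):
    """Reduce a query to syntactic features: command, tables, projected columns."""
    s = sql.strip().rstrip(";")
    if not s:
        return set()
    feats = {"cmd:" + s.split(None, 1)[0].upper()}
    # Naive regex extraction; literals containing keywords would confuse it.
    for t in re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", s, re.I):
        feats.add("table:" + t.lower())
    m = re.match(r"SELECT\s+(.*?)\s+FROM\b", s, re.I | re.S)
    if m:
        feats |= {"col:" + c.strip().lower() for c in m.group(1).split(",")}
    return feats

def build_profile(log, user):
    """Map each feature to the fraction of the user's queries containing it."""
    queries = [features(q) for u, q in log if u == user]
    counts = Counter(f for feats in queries for f in feats)
    return {f: c / len(queries) for f, c in counts.items()}

def distance(profile, sql):
    """0.0 = every feature is habitual for this user, 1.0 = nothing seen before."""
    feats = features(sql)
    if not feats:
        return 1.0
    return 1.0 - sum(profile.get(f, 0.0) for f in feats) / len(feats)

def is_anomalous(profile, sql, threshold=THRESHOLD):
    """Flag a query whose distance from the profile exceeds the threshold."""
    return distance(profile, sql) > threshold

if __name__ == "__main__":
    profile = build_profile(TRAINING_LOG, "alice")
    for q in ("SELECT name FROM employees WHERE id = 9",
              "SELECT ssn, salary FROM payroll",
              "DELETE FROM employees"):
        print(f"{distance(profile, q):.2f} {is_anomalous(profile, q)} {q}")
```

Because only the query text is inspected, a query with a habitual shape that returns unusual rows scores as normal, which is the trade-off against data-centric profiles such as delta relations.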
Most of the approaches to user and data profiling make extensive use of
data mining techniques (see, e.g., [57]) tailored to audit data collected
at different components of the computing system infrastructure. The edited
book by Barbara and Jajodia [8] gives an excellent overview of different
data mining techniques with a specific focus on intrusion and anomaly
detection, although primarily for the network and operating system layer
and not for databases. Further data analysis techniques in the context of
data and user profiling have already been discussed in Section 3.3.