DetAnom: Detecting anomalous database transactions by insiders

Syed Rafiul Hussain, Asmaa Sallam, Elisa Bertino

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    26 Scopus citations

    Abstract

    DatabaseManagement Systems (DBMSs) provide access con- trol mechanisms that allow database administrators (DBA) to grant application programs access privileges to databases. However, securing the database alone is not enough, as at- tackers aiming at stealing data can take advantage of vul- nerabilities in the privileged applications and make applica- tions to issue malicious database queries. Therefore, even though the access control mechanism can prevent applica- tion programs from accessing the data to which the pro- grams are not authorized, it is unable to prevent misuse of the data to which application programs are authorized for access. Hence, we need a mechanism able to detect mali- cious behavior resulting from previously authorized applica- tions. In this paper, we design and implement an anomaly detection mechanism, DetAnom, that creates a profile of the application program which can succinctly represent the ap- plication's normal behavior in terms of its interaction (i.e., submission of SQL queries) with the database. For each query, the profile keeps a signature and also the correspond- ing constraints that the application program must satisfy to submit that query. Later in the detection phase, whenever the application issues a query, the corresponding signature and constraints are checked against the current context of the application. If there is a mismatch, the query is marked as anomalous. The main advantage of our anomaly detection mechanism is that we need neither any previous knowledge of application vulnerabilities nor any example of possible at- tacks to build the application profiles. As a result, our De- tAnom mechanism is able to protect the data from attacks tailored to database applications such as code modification attacks, SQL injections, and also from other data-centric attacks as well. We have implemented our mechanism with a software testing technique called concolic testing and the PostgreSQL DBMS. Experimental results show that our pro-filing technique is close to accurate, and requires acceptable amount of time, and that the detection mechanism incurs low run-time overhead.

    Original languageEnglish (US)
    Title of host publicationCODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
    PublisherAssociation for Computing Machinery, Inc
    Pages25-35
    Number of pages11
    ISBN (Electronic)9781450331913
    DOIs
    StatePublished - Mar 2 2015
    Event5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015 - San Antonio, United States
    Duration: Mar 2 2015Mar 4 2015

    Publication series

    NameCODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy

    Other

    Other5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015
    CountryUnited States
    CitySan Antonio
    Period3/2/153/4/15

    All Science Journal Classification (ASJC) codes

    • Information Systems
    • Software
    • Computer Science Applications

    Fingerprint Dive into the research topics of 'DetAnom: Detecting anomalous database transactions by insiders'. Together they form a unique fingerprint.

    Cite this