Clay Brockman ITK 478 Fall 2007 Why Monitoring Database Application Behavior is the Best Database Intrusion Detection Method


Page 1: Title
Clay Brockman, ITK 478, Fall 2007
Why Monitoring Database Application Behavior is the Best Database Intrusion Detection Method

Page 2: Introduction
Why intrusion detection?
Comparing two types:
- Monitoring Database Application Behavior
- Using Time Signatures

Page 3: Security
“Security is an integrative concept that includes the following properties: confidentiality …, authenticity …, integrity …, and availability” (Vieira and Madeira, 2005, p. 350)
Explanation of these properties

Page 4: Intrusions
Intrusions occur in one of the following ways:
- “intentional unauthorized attempts to access or destroy private data” (Vieira and Madeira, 2005, p. 351)
- “malicious actions executed by authorized users to cause loss or corruption of critical data” (Vieira and Madeira, 2005, p. 351)
- “external interferences aimed to cause undue delays in accessing or using data, or even denial of service” (Vieira and Madeira, 2005, p. 351)

Page 5: Criteria
False positive: the detection system reports an intrusion, but the action is really a legitimate request (Afonso, et al., 2006, p. 37); false positives accounted for 17% of the events recorded by Afonso, et al. (2006, p. 37)
False negative: the system lets a malicious request pass, identifying it as a legitimate request (Afonso, et al., 2006, p. 37); false negatives accounted for about 12% of the events recorded by Afonso, et al. (2006, p. 37)
These two rates are the criteria on which the two methods are compared below.

Page 6: Monitoring Database Application Behavior
Developed by José Fonseca, Marco Vieira, and Henrique Madeira
This method “adds concurrent intrusion detection to DBMS using a comprehensive set of behavior abstractions representing database activity” (Fonseca, et al., 2006, p. 383).
Messages checked at 3 different levels:
- Command Level
- Transaction Level
- Session Level

Page 7: Monitoring Database Application Behavior (cont.)
Command Level: “checks if the structure of each executed command belongs to the set of command structures previously learned” (Fonseca, et al., 2006, p. 383)
Transaction Level: “checks if the command is in the right place inside the transaction profile (a transaction is a unit formed by a set of SQL commands always executed in the same sequence)” (Fonseca, et al., 2006, p. 383)
Session Level: “checks if the transaction fits in a known transaction sequence. It represents the sequence of operations that the user executes in a session” (Fonseca, et al., 2006, p. 383)
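How the three checks fit together can be seen in a small model of the learning and detection phases. This is an added example written for this page, not the detector of Fonseca, Vieira and Madeira; it assumes that a command's structure is its text with literals replaced by placeholders (the paper's behaviour abstractions are richer than this), that a transaction profile is an exact sequence of such structures, and that a session profile is a sequence of transaction profiles. The banking SQL, the training sessions and the test sessions are all constructed for the example.

```python
"""Three-level behaviour profile (command, transaction, session).

Added illustration for this page, not the authors' implementation.  Assumed
abstractions: a command's structure is its text with literals replaced by '?';
a transaction profile is an exact sequence of structures; a session profile is
a sequence of transaction profiles.  All SQL below is constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

_STRING = re.compile(r"'(?:[^']|'')*'")     # SQL string literal; '' escapes a quote
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")  # integer or decimal literal


def command_structure(sql: str) -> str:
    """Reduce a command to its structure: literals -> '?', whitespace collapsed,
    trailing ';' dropped, case folded.  Strings are replaced first so that
    digits inside them are not mistaken for numeric literals."""
    s = _NUMBER.sub("?", _STRING.sub("?", sql))
    s = re.sub(r"\s+", " ", s).strip().rstrip(";").strip()
    return s.upper()


class BehaviorProfile:
    def __init__(self) -> None:
        self.commands: Set[str] = set()                     # command level
        self.transactions: Dict[Tuple[str, ...], str] = {}  # transaction level
        self.sessions: Set[Tuple[str, ...]] = set()         # session level

    def learn(self, sessions: List[List[List[str]]]) -> None:
        """Learning phase: record every structure, transaction and session seen."""
        for session in sessions:
            names = []
            for tx in session:
                seq = tuple(command_structure(c) for c in tx)
                self.commands.update(seq)
                names.append(self.transactions.setdefault(seq, f"T{len(self.transactions) + 1}"))
            self.sessions.add(tuple(names))

    @staticmethod
    def _is_prefix(seq: Tuple[str, ...], known: Iterable[Tuple[str, ...]]) -> bool:
        return any(k[:len(seq)] == seq for k in known)

    def detect(self, session: List[List[str]]) -> Optional[Tuple[str, int, Optional[int], str]]:
        """Detection phase: return (level, tx index, cmd index, detail) for the
        first anomaly, or None if the session fits the profile.  Checks run as
        each command arrives, as a concurrent detector would, and stop at the
        first hit."""
        names: List[str] = []
        for t, tx in enumerate(session):
            seq: Tuple[str, ...] = ()
            for c, cmd in enumerate(tx):
                s = command_structure(cmd)
                seq += (s,)
                if s not in self.commands:                       # structure never learned (e.g. injection)
                    return ("command", t, c, s)
                if not self._is_prefix(seq, self.transactions):  # known command in the wrong place
                    return ("transaction", t, c, s)
            name = self.transactions.get(seq)
            if name is None:                                     # commit before any profile completed
                return ("transaction", t, None, "incomplete transaction")
            names.append(name)
            if not self._is_prefix(tuple(names), self.sessions):  # transaction sequence never learned
                return ("session", t, None, " -> ".join(names))
        return None


# Constructed sample data: a small banking application.
def _transfer(src: int, dst: int, amount: int, order=(0, 1, 2, 3)) -> List[str]:
    cmds = [f"SELECT balance FROM accounts WHERE id = {src}",
            f"UPDATE accounts SET balance = balance - {amount} WHERE id = {src}",
            f"UPDATE accounts SET balance = balance + {amount} WHERE id = {dst}",
            f"INSERT INTO ledger (src, dst, amount) VALUES ({src}, {dst}, {amount})"]
    return [cmds[i] for i in order]

def _login(user: str) -> List[str]:
    return [f"SELECT id, pw_hash FROM users WHERE name = '{user}'"]

def _statement(acct: int) -> List[str]:
    return [f"SELECT * FROM ledger WHERE src = {acct} OR dst = {acct} ORDER BY ts DESC LIMIT 20"]

TRAINING = [[_login("alice"), _transfer(17, 42, 250), _statement(17)],
            [_login("carol"), _statement(8)],
            [_login("alice"), _transfer(17, 9, 5), _transfer(17, 9, 5)]]
PROFILE = BehaviorProfile()
PROFILE.learn(TRAINING)

# Constructed test sessions.
NORMAL = [_login("bob"), _transfer(5, 9, 10), _statement(5)]
INJECTED = [_login("bob' OR '1'='1")]                                   # tautology injected into the literal
REORDERED = [_login("bob"), _transfer(5, 9, 10, order=(0, 3, 1, 2))]  # ledger row before the updates
TRUNCATED = [_login("bob"), _transfer(5, 9, 10, order=(0, 1))]        # debit committed without the credit
UNKNOWN_SEQUENCE = [_login("bob"), _statement(5), _transfer(5, 9, 10)]  # statement before transfer: never learned

if __name__ == "__main__":
    for label, s in [("normal", NORMAL), ("injected", INJECTED), ("reordered", REORDERED),
                     ("truncated", TRUNCATED), ("unknown sequence", UNKNOWN_SEQUENCE)]:
        print(f"{label}: {PROFILE.detect(s)}")
```

The injected login trips the command level because the literal substitution leaves an extra `OR ?=?` in the structure; the reordered transfer trips the transaction level even though every command in it is known; the statement-before-transfer session trips the session level even though every transaction in it is known. The same mechanism explains the results on the next slide: a legitimate command whose structure was never seen in the learning phase is reported as an intrusion, and a randomly reordered sequence that happens to coincide with a learned profile passes.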

Page 8: Monitoring Database Application Behavior (cont.)
Results:
- 1 normal request was found to be malicious, resulting in 1 false positive
- 100% accuracy on requests with slight changes
- Randomly ordered SQL commands resulted in 4.2% false negatives
- All 50 manual injections were caught

Page 9: Time Signatures
Expects requests to come in at certain times
Based on a real-time database. Examples:
- Stock Market
- Power Grid
- Air Traffic Control

Page 10: Time Signatures (cont.)
Two different types of intrusions
User transactions: “the characteristics of an intruding transaction are identical to a user transaction except for the data object access pattern” (Lee, et al., 2000, p. 128)
Sensor transactions: read a sensor periodically to check for updated information (Lee, et al., 2000, p. 127-128)
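The sensor-transaction case of slides 9 and 10 can be illustrated with a time-signature check. This is an added example written for this page, not Lee et al.'s detector: it assumes each sensor writes its object at a fixed period, learned from a training trace as the mean inter-arrival gap with the largest deviation seen in training as the tolerance. The sensor names, timestamps (integer milliseconds) and the event stream are constructed for the example.

```python
"""Time-signature check for periodic sensor transactions.

Added illustration for this page, not the detector of Lee et al.  Assumption:
each sensor writes at a fixed period, learnt from a training trace as the mean
inter-arrival gap, with the largest deviation seen in training as tolerance.
Timestamps are integer milliseconds; all traces below are constructed.
"""
from typing import Dict, List, Tuple

Signature = Tuple[float, float]  # (period_ms, tolerance_ms)


def learn_signatures(training: Dict[str, List[int]]) -> Dict[str, Signature]:
    """Learning phase: one (period, tolerance) pair per sensor from its update timestamps."""
    sigs: Dict[str, Signature] = {}
    for sensor, ts in training.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if not gaps:
            raise ValueError(f"{sensor}: need at least two updates to learn a period")
        period = sum(gaps) / len(gaps)
        sigs[sensor] = (period, max(abs(g - period) for g in gaps))
    return sigs


def check_stream(sigs: Dict[str, Signature],
                 events: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Detection phase over (timestamp, sensor) updates in arrival order.

    Returns (timestamp, sensor, reason) alerts.  An update that arrives before
    the signature allows cannot be the periodic sensor, so it is flagged and
    does not advance the sensor's clock; a late one is flagged because an
    update was apparently lost, but is accepted as the new reference.  A
    write against a sensor with no signature is flagged outright."""
    last: Dict[str, int] = {}
    alerts: List[Tuple[int, str, str]] = []
    for t, sensor in events:
        if sensor not in sigs:
            alerts.append((t, sensor, "unknown-sensor"))
            continue
        period, tol = sigs[sensor]
        if sensor in last:
            gap = t - last[sensor]
            if gap < period - tol:
                alerts.append((t, sensor, "early"))
                continue
            if gap > period + tol:
                alerts.append((t, sensor, "late"))
        last[sensor] = t
    return alerts


# Constructed training trace: a 5 s voltage sensor and a 1 s current sensor,
# both with a little jitter.
TRAINING = {
    "bus_7_voltage": [0, 5100, 10000, 15100, 20000],
    "line_3_current": [0, 1020, 2000, 2980, 4000],
}
SIGNATURES = learn_signatures(TRAINING)  # bus_7: (5000.0, 100.0); line_3: (1000.0, 20.0)

# Constructed live stream.
EVENTS = [
    (25000, "bus_7_voltage"),
    (25000, "line_3_current"),
    (26000, "line_3_current"),
    (26990, "line_3_current"),   # 10 ms early, within tolerance
    (30000, "bus_7_voltage"),
    (31200, "bus_7_voltage"),    # 1.2 s after the last one: not the sensor
    (35000, "bus_7_voltage"),    # 5 s after the last accepted update: fine
    (36000, "bus_9_voltage"),    # no signature for this sensor
    (45100, "bus_7_voltage"),    # 10.1 s gap: one update missed
]
ALERTS = check_stream(SIGNATURES, EVENTS)

if __name__ == "__main__":
    for t, sensor, reason in ALERTS:
        print(f"t={t} ms {sensor}: {reason}")
```

The early write is the security-relevant case: a transaction that updates a sensor's object outside the slot the sensor's period allows cannot be the sensor, so it is reported without looking at its contents. Late updates point at availability rather than intrusion, which is why the check accepts them as the new reference while still reporting them. The tolerance is learned from the training trace, so a training run that is too short or too clean produces a tight tolerance and a higher false positive rate; the 0.36% false positive figure on the next slide is the outcome of Lee et al.'s own tuning, not a property of the method in general.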

Page 11: Time Signatures (cont.)
Results:
- False positive rate was as low as 0.36% (Lee, et al., 2000, p. 129)
- False negative rate was as high as 5.5% (Lee, et al., 2000, p. 129)

Page 12: Conclusion
Both methods had very low false positive rates (a single false positive in the Fonseca, et al. experiments; as low as 0.36% for time signatures).
Monitoring Database Application Behavior was better on false negative rates: 4.2% against 5.5% for time signatures, a difference of 1.3 percentage points.
The two sets of figures come from separate experiments on different workloads (a DBMS with learned application profiles versus a real-time database with periodic sensor transactions), so the comparison is indicative rather than a head-to-head measurement.