Clay Brockman
ITK 478
Fall 2007
Why Monitoring Database Application Behavior is the Best Database
Intrusion Detection Method
Introduction
Why intrusion detection?
Comparing two types:
Monitoring Database Application Behavior
Using Time Signatures
Security
“Security is an integrative concept that includes the following properties: confidentiality …, authenticity …, integrity …, and availability” (Vieira and Madeira, 2005, p. 350)
Explanation of these properties
Intrusions
Occur in one of the following ways:
“intentional unauthorized attempts to access or destroy private data” (Vieira and Madeira, 2005, p. 351)
“malicious actions executed by authorized users to cause loss or corruption of critical data” (Vieira and Madeira, 2005, p. 351)
“external interferences aimed to cause undue delays in accessing or using data, or even denial of service” (Vieira and Madeira, 2005, p. 351)
Criteria
False Positive: the detection system reports an intrusion, but the action is really a legitimate request (Afonso, et al., 2006, p. 37); accounts for 17% of recorded events (Afonso, et al., 2006, p. 37)
False Negative: the system allows a malicious request to pass, identifying it as a legitimate request (Afonso, et al., 2006, p. 37); accounts for about 12% of recorded events (Afonso, et al., 2006, p. 37)
Monitoring Database Application Behavior
Developed by José Fonseca, Marco Vieira, and Henrique Madeira
This method “adds concurrent intrusion detection to DBMS using a comprehensive set of behavior abstractions representing database activity” (Fonseca, et al., 2006, p. 383).
Messages checked at 3 different levels:
Command Level
Transaction Level
Session Level
Monitoring Database Application Behavior (cont.)
Command Level: “checks if the structure of each executed command belongs to the set of command structures previously learned” (Fonseca, et al., 2006, p. 383)
Transaction Level: “checks if the command is in the right place inside the transaction profile (a transaction is a unit formed by a set of SQL commands always executed in the same sequence)” (Fonseca, et al., 2006, p. 383)
Session Level: “checks if the transaction fits in a known transaction sequence. It represents the sequence of operations that the user executes in a session” (Fonseca, et al., 2006, p. 383)
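The three levels can be seen working in a small learned-profile detector. The code below is an added example written for this page; it is not code from Fonseca et al.'s paper or tool. The training sessions are constructed, and the way a command's structure is abstracted (literals replaced by `?`), the representation of a session as transaction-to-transaction transitions, and the choice to report only the first failing level for each transaction are assumptions of this example, not details taken from the paper.

```python
import re

START = "<session start>"

# Constructed training trace (an assumption for this example, not data from Fonseca et al.).
# Each session is a list of transactions; each transaction is the ordered list of SQL
# commands the application issued inside it.
TRAINING_SESSIONS = [
    [
        ["SELECT id, balance FROM accounts WHERE id = 42",
         "UPDATE accounts SET balance = 900 WHERE id = 42",
         "INSERT INTO audit_log (account_id, delta) VALUES (42, -100)"],
        ["SELECT id, balance FROM accounts WHERE id = 42"],
    ],
    [
        ["SELECT id, balance FROM accounts WHERE id = 7",
         "UPDATE accounts SET balance = 150 WHERE id = 7",
         "INSERT INTO audit_log (account_id, delta) VALUES (7, 50)"],
        ["SELECT id, balance FROM accounts WHERE id = 7"],
    ],
]


def command_structure(sql):
    """Abstract one SQL command to its structure: string and numeric literals become '?',
    whitespace and case are normalised. Commands that differ only in data then share one
    learned structure, while an injected "OR 1=1" yields a structure that was never learned."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)              # 'string' literals
    s = re.sub(r"(?<![\w.])-?\d+(?:\.\d+)?\b", "?", s)   # numeric literals
    return " ".join(s.split()).upper()


def transaction_profile(commands):
    """A transaction profile is the ordered tuple of its command structures."""
    return tuple(command_structure(c) for c in commands)


def learn_profile(sessions):
    """Learning phase: collect the known command structures, the known transaction profiles
    and the transaction-to-transaction transitions observed inside clean sessions."""
    profile = {"commands": set(), "transactions": set(), "transitions": set()}
    for session in sessions:
        prev = START
        for commands in session:
            tx = transaction_profile(commands)
            profile["commands"].update(tx)
            profile["transactions"].add(tx)
            profile["transitions"].add((prev, tx))
            prev = tx
    return profile


def check_session(profile, session):
    """Detection phase. Each transaction is checked at the command level, then the
    transaction level, then the session level; the first failing level is reported as
    (level, transaction_index, detail). A rejected transaction does not advance the
    session state, so one bad transaction does not cascade into session-level alerts."""
    alerts = []
    prev = START
    for index, commands in enumerate(session):
        tx = transaction_profile(commands)
        unknown = [s for s in tx if s not in profile["commands"]]
        if unknown:
            alerts.append(("command", index, unknown[0]))
        elif tx not in profile["transactions"]:
            alerts.append(("transaction", index, "command out of place in transaction profile"))
        elif (prev, tx) not in profile["transitions"]:
            alerts.append(("session", index, "transaction does not fit a learned sequence"))
        else:
            prev = tx
    return alerts


if __name__ == "__main__":
    learned = learn_profile(TRAINING_SESSIONS)
    injected = [["SELECT id, balance FROM accounts WHERE id = 42 OR 1=1"]]
    for alert in check_session(learned, injected):
        print(alert)
```

A tautology appended to the `WHERE` clause is caught at the command level because its structure was never learned; the same three commands issued in a different order are caught at the transaction level; a known transaction issued where the application never issues it is caught at the session level. The weak point, visible in the code, is the learning phase: anything present in the training sessions becomes "normal", so the trace must be known clean.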
Monitoring Database Application Behavior (cont.)
Results:
1 normal request was found to be malicious, resulting in 1 false positive
100% accuracy on requests with slight changes
Randomly ordered SQL commands resulted in 4.2% false negatives
All 50 manual injections were caught
Time Signatures
Expects requests to come in at certain times
Based on a real-time database
Examples: Stock Market, Power Grid, Air Traffic Control
Time Signatures (cont.)
Two different types of intrusions:
User transactions: “the characteristics of an intruding transaction are identical to a user transaction except for the data object access pattern” (Lee, et al., 2000, p. 128)
Sensor transactions: read a sensor periodically to check for updated information (Lee, et al., 2000, p. 127-128)
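The timing idea behind sensor transactions can be shown with a small detector that learns how often each data object is normally updated and flags updates that break that rhythm. This is an added example written for this page, not code or data from Lee et al.; the constructed update trace, the use of the median inter-arrival gap as the period, the 20% tolerance window, and the rule that a rejected update does not reset the object's clock are all assumptions of this example.

```python
import statistics

# Constructed training trace (an assumption for this example, not data from Lee et al.):
# (timestamp in seconds, data object) for every update made by a periodic sensor
# transaction while the system was known to be clean.
TRAINING_UPDATES = [
    (0.0, "turbine_temp"), (5.0, "turbine_temp"), (10.1, "turbine_temp"), (14.9, "turbine_temp"),
    (0.0, "grid_freq"), (2.0, "grid_freq"), (4.0, "grid_freq"), (6.0, "grid_freq"),
]


def learn_time_signatures(updates, tolerance=0.2):
    """Learn one time signature per data object: its update period (median gap between
    consecutive updates) and the accepted window around it. The tolerance is a design
    choice of this example, not a parameter from the paper."""
    times_by_object = {}
    for ts, obj in sorted(updates):
        times_by_object.setdefault(obj, []).append(ts)
    signatures = {}
    for obj, times in times_by_object.items():
        if len(times) < 2:          # one observation gives no period to learn from
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = statistics.median(gaps)
        signatures[obj] = (period * (1 - tolerance), period * (1 + tolerance))
    return signatures


def check_updates(signatures, updates):
    """Flag updates that do not match the learned signature: an object no sensor is known
    to write, an update arriving too early (a second writer racing the real sensor), or
    one arriving too late (the sensor missed its deadline or was delayed). An early
    update is rejected and does not reset the object's clock, so a single forged update
    does not make the next genuine one look early as well; a late update is flagged but
    still accepted as the new reference point."""
    alerts = []
    last_accepted = {}
    for ts, obj in sorted(updates):
        if obj not in signatures:
            alerts.append((ts, obj, "no time signature: object is never updated by a sensor"))
            continue
        low, high = signatures[obj]
        if obj in last_accepted:
            gap = ts - last_accepted[obj]
            if gap < low:
                alerts.append((ts, obj, f"early update: {gap:.2f}s after last, expected >= {low:.2f}s"))
                continue
            if gap > high:
                alerts.append((ts, obj, f"late update: {gap:.2f}s after last, expected <= {high:.2f}s"))
        last_accepted[obj] = ts
    return alerts


if __name__ == "__main__":
    learned = learn_time_signatures(TRAINING_UPDATES)
    live = TRAINING_UPDATES + [(7.5, "turbine_temp"), (3.0, "breaker_state")]
    for alert in check_updates(learned, live):
        print(alert)
```

The two alert kinds map onto the two concerns of a real-time database: an early or unexpected writer is the access-pattern anomaly the intrusion detector is after, while a late or missing update is primarily an availability signal. The tolerance window is the false-positive lever: too tight and legitimate jitter in sensor delivery is reported, too loose and a forged update slipped in between two genuine ones passes.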
Time Signatures (cont.)
Results:
False positive rate was as low as 0.36% (Lee, et al., 2000, p. 129)
False negative rate was as high as 5.5% (Lee, et al., 2000, p. 129)
Conclusion
Both methods had very low false positive rates
Monitoring Database Application Behavior was better on false negative rates by 1.3 percentage points (4.2% vs. 5.5%)
The two figures come from separate experiments on different workloads, and the 5.5% is the worst case reported by Lee et al., so the comparison is indicative rather than direct