Slide 1
Enhancing Detection Rate in Database Intrusion Detection System
: : 93
False positive
False negative
log file : .Offline audit log file : Feature selector : (queries) .
Online audit log, feature selector, profile, transaction, detection engine, DBMS.
Figure 1: Architecture of Proposed Database IDS (labels in the figure: User, raw query, Feature Selector, Requested Features, Online Audit Trail, Audit Log, Profile Creator, Profiles, Consult, Detection Engine, Valid Transaction, Commit Transaction, Invalid Transaction, Alarm, DBMS)
U_name  Ses_id  Trans_id  Seq_no  Cmd_type  Target_obj
sales   1       47        17      select    Order
sales   1       47        18      select    Product
ware    1       35        23      update    Stock
ware    1       13        25      select    Ware
sales   913 (Ses_id/Trans_id/Seq_no run together in source)  insert  Order
sales   121236 (Ses_id/Trans_id/Seq_no run together in source)  update  Stock
ware    1       13        26      select    Product
ware    1       13        27      select    Stock
sales   1       47        21      update    Stock
ware    1       35        21      select    Ware
sales   1       47        23      update    Stock
Ware    1       35        22      select    stock
sales   1       47        20      insert    Order_line
sales   1       47        22      insert    Order_line
sales   1       47        19      insert    product
Authorized Transactions Profile
Transaction # 5 [ware]: 21 select[ware], 22 select[stock], 23 update[stock]
Transaction # 3 [ware]: 25 select[ware], 26 select[product], 27 select[stock]
Authorized Transactions Profile
Transaction # 7 [sales]: 17 select[order], 18 select[product], 19 insert[order], 20 insert[order-line], 21 update[stock], 22 insert[order-line], 23 update[stock]
U_name  Ses_id  Trans_id  Seq_no  Cmd_type  Target_obj
sales   1       47        17      select    Order
sales   1       47        18      select    Product
sales   1       47        19      insert    order
sales   1       47        20      insert    Order_line
sales   1       47        21      update    product
sales   1       47        22      insert    Order_line
sales   1       47        23      update    Stock
Transaction Profile for Executable Transaction
Transaction # 7 [sales]: 17 select[order], 18 select[product], 19 insert[order], 20 insert[order-line], 21 update[product], 22 insert[order-line], 23 update[product]
Authorized Transactions Profile
Transaction # 7 [sales]: 17 select[order], 18 select[product], 19 insert[order], 20 insert[order-line], 21 update[stock], 22 insert[order-line], 23 update[stock]
Transaction Profile for Executable Transaction
Transaction # 7 [sales]: 17 select[order], 18 select[product], 19 insert[order], 20 insert[order-line], 21 update[product], 22 insert[order-line], 23 update[product]
sql IP query ... .
false negative, false positive
1DB 1 1 16
TABLE I. OFFLINE AUDIT-LOG TABLE
Username  Session id  Seq. no.  Command type  Target object  Attribute information
DB1       7           19        Select        Product        Price, Name
DB1       7           23        update        Customer       Balance, Payment_cnt, Data
DB1       7           22        update        Stock          Quantity, Order_cnt
DB1       7           18        Select        Order          C_id, Entry_d, Carrier_id
DB1       7           20        Insert        Order          D_id, W_id, C_id, Entry_d, Carrier_id
DB1       7           21        Insert        Order_line     D_id, W_id, Number, I_id
Fig. 1. Transaction profile for offline audit log data
1 :1DB 2 2 .
TABLE II. OFFLINE AUDIT-LOG TABLE
Username  Session id  Seq. no.  Command type  Target object  Attribute information
DB1       14          44        Select        Order          C_id, Entry_d, Carrier_id
DB1       14          49        update        Customer       Balance, Payment_cnt, Data
DB1       14          48        update        Stock          Quantity, Order_cnt
DB1       14          45        Select        Product        Price, Name
DB1       14          46        Insert        Order          D_id, W_id, C_id, Entry_d, Carrier_id
DB1       14          47        Insert        Order_line     D_id, W_id, Number, I_id
Fig. 2. Transaction profile for offline audit log data
: select . . select
21DB 3 3 .
TABLE III. OFFLINE AUDIT-LOG TABLE
Username  Session id  Seq. no.  Command type  Target object  Attribute information
DB1       21          33        Select        Product        Price
DB1       21          37        update        Customer       Balance, Payment_cnt, Data
DB1       21          36        update        Stock          Quantity, Order_cnt
DB1       21          32        Select        Order          Entry_d
DB1       21          34        Insert        Order          D_id, W_id, C_id, Entry_d, Carrier_id
DB1       21          35        Insert        Order_line     D_id, W_id, Number, I_id
Fig. 3. Transaction profile for offline audit log data
: select . .
false positive . :
Altered sequence of consecutive select commands
Attribute subset access pattern
select . .
. ... .
.
Fig. 4. System architecture of proposed approach (labels in the figure: Offline Log History, Online Audit Log, DBMS, Transaction Profile Generator, < UserID, SessionID, ReadSet, WriteSet >, Transaction Profile Generation, Offline Transaction Profiles, Feature Extractor, Current Session, Online Detection Engine, Valid Transaction, Commit, Invalid Transaction, Raise Alarm)
Username . SessionID: identification of the session established when the user connects to the database.
< UserID, SessionID, Read Sets, Write Sets >
Read sets : (Read, TB_Acc[], Attr_Acc[][])
Write sets : (Write, TB_Acc[], Attr_Acc[][])
Read/write flag: read = 0, write = 1. TB_Acc[] ( ). Attr_Acc[][]: N × N ( ).
Attr_Acc[i][j] = 1 when attribute j of table i is accessed.
Altered sequence of consecutive select commands
Attribute subset access pattern
Altered sequence of consecutive select commands: select ... select ... select ... commit ... detection engine.
Attribute subset access pattern: at commit, AND . commit
TABLE IV. VALID PROFILE
UserID  SessionID  Read/Write  TB-Acc[ ]  Attr-Acc[ ][ ]  (continued: Read/Write  TB-Acc[ ]  Attr-Acc[ ][ ] ...)
(cell values as extracted, not separable: 17311 ... 1 ... 0)
TABLE V. PROFILE OF NEW TRANSACTION
UserID  SessionID  Read/Write  TB-Acc[ ]  Attr-Acc[ ][ ]  (continued: Read/Write  TB-Acc[ ]  Attr-Acc[ ][ ] ...)
(cell values as extracted, not separable: 17131 ... 1 ... 0)
(10101100) AND (10000100) = 10000100   (same as the new transaction's pattern)
(10101100) AND (10101011) = 10101000   (differs from 10101011)
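The two commit-time checks described on the preceding slides, worked through in code. This is an added example, not code from the slides or the authors' system: profiles are built from audit-log rows as < UserID, SessionID, ReadSet, WriteSet > with one Attr_Acc bitmap per table, the attribute subset access pattern is tested with bitwise AND exactly as in the arithmetic above, and a run of consecutive select commands is compared as an unordered group so that reordering them does not raise an alarm. The skeleton representation, all function names, and the rows marked "constructed" (including the attribute Credit_limit) are assumptions of this example; the other rows are taken from Tables I and III.

```python
"""Transaction-profile checks for a database IDS (added example, not the slides' code)."""
from dataclasses import dataclass, field
from itertools import groupby

# Attribute bit positions per table, from the attribute columns of Tables I-III.
# "Credit_limit" is a constructed attribute used only for the negative test.
SCHEMA = {
    "Product": ["Price", "Name"],
    "Order": ["C_id", "Entry_d", "Carrier_id", "D_id", "W_id"],
    "Order_line": ["D_id", "W_id", "Number", "I_id"],
    "Stock": ["Quantity", "Order_cnt"],
    "Customer": ["Balance", "Payment_cnt", "Data", "Credit_limit"],
}


def attr_bits(table, attrs):
    """Attr_Acc row for one table: bit j is set when attribute j is accessed."""
    mask = 0
    for a in attrs:
        mask |= 1 << SCHEMA[table].index(a)
    return mask


def subset_ok(profile_bits, new_bits):
    """Attribute subset access pattern, as on the slide:
    10101100 AND 10000100 = 10000100 (equals the new pattern -> valid),
    10101100 AND 10101011 = 10101000 (differs -> invalid)."""
    return (profile_bits & new_bits) == new_bits


@dataclass
class Profile:
    user: str
    session: int
    read_set: dict = field(default_factory=dict)   # table -> Attr_Acc bits read
    write_set: dict = field(default_factory=dict)  # table -> Attr_Acc bits written
    skeleton: tuple = ()  # command order; consecutive selects collapsed to a frozenset


def build_profile(user, session, rows):
    """rows: (seq_no, cmd_type, target_obj, [attributes]) from one audit-log session."""
    p = Profile(user, session)
    ordered = sorted(rows, key=lambda r: r[0])
    for _, cmd, table, attrs in ordered:
        target = p.read_set if cmd.lower() == "select" else p.write_set
        target[table] = target.get(table, 0) | attr_bits(table, attrs)
    skel = []
    for is_select, grp in groupby(ordered, key=lambda r: r[1].lower() == "select"):
        if is_select:
            skel.append(frozenset(r[2] for r in grp))  # reordered selects compare equal
        else:
            skel.extend((r[1].lower(), r[2]) for r in grp)  # writes keep their order
    p.skeleton = tuple(skel)
    return p


def check_transaction(profile, session, rows):
    """Detection-engine decision at commit: (valid, reason)."""
    new = build_profile(profile.user, session, rows)
    if new.skeleton != profile.skeleton:
        return False, "altered command sequence"
    for kind, prof_set, new_set in (("read", profile.read_set, new.read_set),
                                    ("write", profile.write_set, new.write_set)):
        for table, bits in new_set.items():
            if not subset_ok(prof_set.get(table, 0), bits):
                return False, f"{kind} of {table} outside profile"
    return True, "valid"


# Rows of Table I (user DB1, session 7), used as the offline audit log.
TABLE_I = [
    (19, "Select", "Product", ["Price", "Name"]),
    (23, "update", "Customer", ["Balance", "Payment_cnt", "Data"]),
    (22, "update", "Stock", ["Quantity", "Order_cnt"]),
    (18, "Select", "Order", ["C_id", "Entry_d", "Carrier_id"]),
    (20, "Insert", "Order", ["D_id", "W_id", "C_id", "Entry_d", "Carrier_id"]),
    (21, "Insert", "Order_line", ["D_id", "W_id", "Number", "I_id"]),
]
# Rows of Table III (session 21): same commands, attribute subsets -> must be accepted.
TABLE_III = [
    (33, "Select", "Product", ["Price"]),
    (37, "update", "Customer", ["Balance", "Payment_cnt", "Data"]),
    (36, "update", "Stock", ["Quantity", "Order_cnt"]),
    (32, "Select", "Order", ["Entry_d"]),
    (34, "Insert", "Order", ["D_id", "W_id", "C_id", "Entry_d", "Carrier_id"]),
    (35, "Insert", "Order_line", ["D_id", "W_id", "Number", "I_id"]),
]
# Constructed: the two selects swapped -> must be accepted.
REORDERED_SELECTS = [(18, "Select", "Product", ["Price", "Name"]),
                     (19, "Select", "Order", ["C_id", "Entry_d", "Carrier_id"])] + TABLE_I[1:3] + TABLE_I[4:]
# Constructed: an attribute outside the profile's write set -> alarm.
EXTRA_ATTR = TABLE_I[:1] + [(23, "update", "Customer", ["Balance", "Credit_limit"])] + TABLE_I[2:]
# Constructed: the Stock update moved ahead of the inserts -> alarm.
WRITE_REORDERED = TABLE_I[:2] + [(20,) + TABLE_I[2][1:], TABLE_I[3], (22,) + TABLE_I[4][1:], TABLE_I[5]]
```

Build the profile with `build_profile("DB1", 7, TABLE_I)` and pass each later session to `check_transaction`: Table III and the reordered selects come back valid, while the extra attribute fails the AND test on Customer and the moved write fails the skeleton comparison. Rows are sorted by Seq. no. before grouping, so the physical order of the audit-log table does not matter.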
Fig. 5. No. of Transactions vs. False Positive Rate
Fig. 6. No. of Transactions vs. False Negative Rate
Fig. 7. No. of Transactions vs. Recall