Detection of Temporal Insider Threats to Relational Databases

Title: Detection of Temporal Insider Threats to Relational Databases
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Sallam, A., Bertino, E.
Conference Name: 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC)
ISBN Number: 978-1-5386-2565-1
Keywords: access anomalies, anomaly detection, composability, Data analysis, data analytics, Data Analytics for Security, data misuse, Data security, feature extraction, Human Behavior, insider threats, legitimate data access, Metrics, Periodicity, pubcrawl, query features, query processing, real-time anomaly detection, Real-time Systems, relational database security, relational databases, resilience, Resiliency, security, security of data, Temporal Attacks, temporal insider threat detection, time series, Training

Abstract: The mitigation of insider threats against databases is a challenging problem, as insiders often have legitimate access privileges to sensitive data. Conventional security mechanisms, such as authentication and access control, may therefore be insufficient to protect databases against insider threats and need to be complemented with techniques that support real-time detection of access anomalies. Existing real-time anomaly detection techniques consider anomalies in the references to database entities and in the amounts of data accessed; however, they are unable to track access frequencies. According to recent security reports, an increase in the access frequency of an insider is an indicator of potential data misuse and may be the result of malicious intent to steal or corrupt the data. In this paper, we propose techniques for tracking users' access frequencies and for detecting anomalous frequency-related activities in real time. We present detailed algorithms for constructing accurate profiles that describe the access patterns of database users and for matching subsequent accesses by these users against those profiles. Our methods report and log mismatches as anomalies that may need further investigation. We evaluated our techniques on the OLTP-Benchmark. The results of the evaluation indicate that our techniques are very effective in the detection of anomalies.

Citation Key: sallam_detection_2017