Goal

• derive profiles for roles and users in a RDBMS
• detect misuse by matching audit records against security policy and profiles

• audit data of which attributes are accessed by the ‘select’ SQLs
• Example

• user accesses attribute symptom from entity treat in the first ‘select’ SQL
• user accesses attributes symptom and diagnosis from entity treat from second ‘select’ SQL

• Association rules:
• X1 ... Xn => Y1 ... Yn, sup, conf
• When X1 .... Xn are accessed, Y1...Yn are also accessed.
• Support = number of audit records such that X1=...=Xn=Y1=...=Yn=1
• Confidence = probability that LHS implies RHS

• Example:

• Frequent itemset:
• {I1 ... In}, sup
• I1 ... In are usually accessed together with support sup.
• Example: {treat$symptom, patient$allergy, drug$drugID}, sup=20

• Distance measure: user defines the similarity between variables
• Automatically generate clusters based on the distance measure
• Example:
• ERDistance(E1$A1, E2$A2)

• Freq(E1$A1)

• FreqSim(E1$A1, E2$A2)

• Distance(E1$A1, E2$A2)

• Thus, attributes that are accessed with similar frequency in a session and are closer in the E-R diagram would be formed in the same cluster.

Problems

• Association rules do not consider the distance between attributes, but are very fast and scale well because they can be implemented by SQL.
• Clustering algorithms do not scale well and computationally expensive, but distance measure can be adjusted in a flexible manner.
• How to extend association rule and frequent itemsets with distance measure?
• X1 ... Xn => Y1 ... Yn, sup, conf, dist
• {I1 ... In}, sup, dist
• How to combine frequent itemsets with clustering? Use SQL to implement clustering?

• Association rules
• derive association rules from audit records (R’)
• match R’ against the rules in the profiles /policy for the corresponding user and role (R)
• define mismatch score by
• # of mismatch rules between R and R’
• # of new rules in R’
• # of missing rules in R
• support, confidence, distance of the rules can be used to adjust the weight of mismatch for each rule
• Frequent itemsets / clusters
• derive frequent itemsets / clusters (F’) from audit records
• match F’ against those in the profiles (F)
• define mismatch score by
• # of missing items
• # of new items
• support and dist of F and F’ can be used to adjust the weight of mismatch

1. Questions/Comments
1. KL: One of the problems Steven Templeton ran into was defining sessions. It used to be one log in and log out constituted a session; now people never log out.
2. KL: Consider looking at other clustering algorithms (AutoClass)
3. KL: Todd Heberlein looked at a distance measure in terms of directories - so many hops from the work directory constituted inappropriate use.
4. KL: First profiles are generated independently, then combined. One rule may subsume another
5. Object hierarchy - Attributes à Entity à Views à Schemes
6. Suggested Reading
1. Machine Learning - Russel Norvik AI - induction, Decision Tree, Clustering (AutoClass)
2. Justin Doak's thesis
3. Ides
4. Haystack
7. Missing from proposed work
1. Strong concepts - new analysis method, language, etc.
1. Consider developing an algebra for combining association rules
2. Consider detecting the kind of misuse
3. Ultimately, what problem are you solving?
4. What will you do with the distance measure?
2. Not taking advantage of the structure of the database.
3. Not sure what will/won't work
4. Data generation
5. Conditional probabilities (clerk use vs. researcher use)
6. Tie in with Intel project
1. Intel interested in configuration
2. Think of possible applications for Intel - they may be able to help add to application
3. IBM funding? Misuse detection, Freud management system
8. Karl and Michael Gertz to visit Christina at Intel in August, possibly.
9. Christina's quals rescheduled to May 19^th.