Computer Science Department
U C Davis
SECURITY LAB SEMINAR
May 5, 1999
1-2pm
1131 ENG II

User Profiling in Relational Database Systems
Presented by Christina Chung

Slide Presentation

Abbreviations: CC: Christina Chung, KL: Karl Levitt, MB: Matt Bishop, MG: Michael Gertz, RP: Raju Pandey, TA: Tuomas Aura, CW: Chris Wee

Questions

  1. KL: Help with integrity?
    1. CC: Monitoring of data
  2. CW: Query in data is small
    1. CC: Log actual data that is changed; log query itself - see what's changed
  3. MG: What is your definition of "complete" for profiles?
    1. CC: With respect to training set - compare test data from profile.
  4. MB: Static profiles or profiles over time?
    1. CC: It depends on the type of data you're interested in. I don't deal with temporal patterns yet.
  5. MB: Profile won't change over lifetime?
    1. CC: Yes, this is a feature to add on later.
  6. TA: Example of use for this database system?
    1. CC: Profiling for fixed known behavior. 
    2. CC: With applications, certain set of fixed queries. TA: Catch person who uses new things. CC: User behavior is not stable. TA: Trying to catch changes in behavior. CC: Intrusion and insider abuse. Match it against policy - compare profiles with policy. TA: It will detect any change in behavior. CC: Typical or expected behavior.
  7. MB: Profiler is a statistical aggregation of patterns of behavior. Policy is an aggregation of actions.
    1. MG: You have actions in a profile.
  8. RP: Way to arbitrarily add C programs. OS and programming languages are action based.
  9. CW: Types of security - what is the class of threats you're interested in?
    1. CC: Invasion of sensitive information. Insider threat
    2. CC: Data model and information of data is specified. Type of threat - information theft more interesting than DoS.
  10. What if the access affinity between A1 and A7 is high?
    1. CC: If they are referenced very often together, something is wrong with diagram. MG: Or user? User found some correlation. CC: Keys missing in ER diagram. MG: Compare attribute values for A1 and A7.
  11. RP: How are clusters different from working scopes? User-defined clusters.
    1. CC: Cluster - only consider the object, attribute and select queries.
  12. KL: Don't capture semantics of database?
    1. CC: Doesn't capture that.
  13. RP: What do I do with profilers?
    1. CC: Detect misuse by comparing profiles with policy. Specify in policy - discover profiles of user.
    2. RP: Example - make my profile as big as possible. Make my cluster to cover the entire schema.
    3. CC: Domain knowledge - security officer will set threshold amount for distance measure. Assumption that the training data is bad. Known patterns in training data - meaningful threshold to set.
  14. CW: Is it reasonable that one can obtain training data?
    1. CC: Trying to generate my own.
    2. TA: Working in office, accessing same databases.
    3. MG: Interactive process. Not necessarily clean - confidence level generated. Feedback corresponds to reality. Iterative process.
  15. MB: OS systems are just databases; parallel between anomaly detection. Take this and apply it to anomaly detection? Fundamentally different here?
    1. CC: Capability - SQL query to process large amounts of data. I do clustering in SQL. Data structure is different. OS has no data structure.
  16. RP: How effective is the data in small changes?
    1. CC: Crucial step - how we group audit sessions. Profiles for different window frames.
    2. MG: You can specify some kind of rules; specify how rules must behave; meta rules that you apply.
    3. RP: It seems to me that it is based on distance analysis. Distance is very inaccurate. Can be defeated by delta distances. CC: Deviation of behavior. Profile just discovers profile.
    4. RP: What will happen to this data? CC: Temporal patterns.
  17. TA: What kind of behavior do you detect with that? Do one query that's not allowed. Need change in behavior.
    1. CC: Low threshold - high false alarm. TA: Avoid being caught by doing secret queries. CC: User tradeoff.
    2. TA: Queries all the time; snoop people's salaries. MG: Layout of database - query out of working scope?
    3. MG: Really far away from working scope is more suspicious. Don't have a system where you have privileges established.
  18. MB: Can you use this on statistical bases? Can you bar people from seeing certain entries?
    1. MG: Possible.
    2. CC: Not talking about statistical databases - just relational databases.
    3. TA: Neural networks
    4. CC: Difficult to understand. Clusters more intuitive.
    5. CW: Looking at databases, written off application auditing project.
    6. TA: Once set up policies and profiles - not how people actually work.