Anomaly Detection in Database Systems
Objective
The objective of this project is to develop an original
approach to effectively and efficiently detect misuse by
legitimate users in database systems through anomaly detection.
Motivation
Despite the fact that internal users can cause more damage to
a system than external attackers, and that the primary threat
comes from employees rather than from hackers external to the
system, most existing anomaly detection approaches are built
for intrusion detection systems rather than for misuse
detection systems. Even less attention, if any, is paid to
detecting misuse in a database management system. In addition,
most of these approaches are applied at the file system and
program execution level. They are not particularly designed
for database systems, which have a finer level of granularity,
i.e. the attribute and record level as opposed to the file
level. With the well-defined structure and semantics of its
data, a database system is an excellent domain for developing
practical anomaly detection mechanisms.
Our Approach
Although the techniques in existing anomaly detection systems
can be borrowed to detect anomalies in a database management
system, they generally capture only the context aspect of user
behaviour, such as categorising CPU usage. Regrettably, they do
not take into account the structural aspect of database
systems. Therefore, examining the structure of the system is a
promising direction for better characterising normal user
behaviour in database systems.
The approach that we are investigating to detect anomalous
behaviour is:
(1) define a structural model to capture the structural
aspect of the database systems
(2) select the relevant features to characterise user
behaviour with respect to the structural model
(3) define normal user behaviour by cluster analysis based on
the structural model and the features
(4) detect abnormal user behaviour by classification
techniques based on the clusters defined in step (3)
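The four steps above carried through end to end on constructed data, as an added example in Python that is not part of the original project summary. The schema (the structural model), the audit-log entries, the feature layout, the choice of plain k-means with two clusters, and the slack margin of 0.5 are all assumptions made for illustration; a real deployment would derive the model from the catalogue of the monitored database and tune the thresholds per user or role. The point it shows is that attribute-level coverage of each table, a feature a file-level monitor cannot see, separates a routine single-row lookup from a bulk read of a sensitive table.

```python
"""Toy run of the four steps: structural model -> features ->
clustering of normal behaviour -> classification of new statements.
Schema, log entries and thresholds are constructed for illustration."""
import math
import re

# Step 1: structural model. Hypothetical schema (an assumption, not a real system).
SCHEMA = {
    "customers": ["id", "name", "email", "ssn"],
    "orders": ["id", "customer_id", "amount", "status"],
    "products": ["id", "name", "price"],
}
TABLES = sorted(SCHEMA)
STATEMENT_TYPES = ["SELECT", "INSERT", "UPDATE", "DELETE"]

# Constructed audit-log sample of normal clerk activity: (user, SQL, rows touched).
TRAINING_LOG = [
    ("clerk1", "SELECT id, status FROM orders WHERE id = 10", 1),
    ("clerk2", "UPDATE orders SET status = 'shipped' WHERE id = 10", 1),
    ("clerk1", "SELECT id, amount FROM orders WHERE id = 11", 1),
    ("clerk2", "SELECT id, status FROM orders WHERE id IN (12, 13)", 2),
    ("clerk1", "UPDATE orders SET status = 'shipped' WHERE id = 12", 1),
    ("clerk2", "SELECT id, status FROM orders WHERE id = 13", 1),
    ("clerk1", "UPDATE orders SET status = 'cancelled' WHERE id = 14", 1),
]


def extract_features(sql, rows_touched):
    """Step 2: map one statement to a vector defined over the structural model.

    Layout: one-hot statement type, then per table the fraction of its
    attributes referenced (1.0 for SELECT *), then WHERE present, then
    log10(rows touched + 1).  The per-table attribute coverage is the
    structural feature that file-level monitoring cannot observe.
    """
    tokens = {t.lower() for t in re.findall(r"[A-Za-z_]\w*", sql)}
    stmt = sql.split()[0].upper()
    vec = [1.0 if stmt == s else 0.0 for s in STATEMENT_TYPES]
    for table in TABLES:
        if table not in tokens:
            vec.append(0.0)
        elif "*" in sql:  # crude: treats any '*' as a wildcard projection
            vec.append(1.0)
        else:
            attrs = SCHEMA[table]
            vec.append(sum(a in tokens for a in attrs) / len(attrs))
    vec.append(1.0 if "where" in tokens else 0.0)
    vec.append(math.log10(rows_touched + 1))
    return vec


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(point, centroids):
    return min(range(len(centroids)), key=lambda i: euclid(point, centroids[i]))


def kmeans(points, k, iters=50):
    """Step 3: plain k-means, seeded deterministically with the first k points."""
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest(p, centroids)].append(p)
        new = [[sum(c) / len(g) for c in zip(*g)] if g else centroids[i]
               for i, g in enumerate(groups)]
        if new == centroids:
            break
        centroids = new
    return centroids


def train(log, k=2):
    """Cluster normal behaviour; each cluster's radius is its farthest member."""
    points = [extract_features(sql, rows) for _user, sql, rows in log]
    centroids = kmeans(points, k)
    radii = [0.0] * k
    for p in points:
        i = nearest(p, centroids)
        radii[i] = max(radii[i], euclid(p, centroids[i]))
    return centroids, radii


def classify(model, sql, rows_touched, slack=0.5):
    """Step 4: flag a statement that falls outside the nearest cluster's
    radius plus a slack margin (0.5 is an arbitrary choice for this toy)."""
    centroids, radii = model
    p = extract_features(sql, rows_touched)
    i = nearest(p, centroids)
    return "anomaly" if euclid(p, centroids[i]) > radii[i] + slack else "normal"


if __name__ == "__main__":
    model = train(TRAINING_LOG)
    for sql, rows in [
        ("SELECT id, status FROM orders WHERE id = 42", 1),
        ("SELECT * FROM customers", 5000),       # bulk read of a sensitive table
        ("DELETE FROM orders WHERE id = 7", 1),  # statement type never seen
    ]:
        print(f"{classify(model, sql, rows):8s} {sql}")
```

With the training log above, k-means settles on one cluster of single-row SELECTs on orders and one of single-row UPDATEs; the routine lookup lands inside the first cluster, while the full-table read of customers (new table, full attribute coverage including ssn, no WHERE, thousands of rows) and the DELETE (a statement type absent from the normal profile) both fall well outside every cluster.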
Current Stage And Future Direction
We are currently developing a preliminary structural model for
relational database systems and possibly extending the model
to capture other database systems. We are also looking into
promising data mining techniques that can extract useful
information about database systems. In addition, we plan to
run experiments to select the best features, clustering and
classification techniques for database systems in the business
domain.
Contact: Raymond Yip
yip@cs.ucdavis.edu