Anomaly Detection in Database Systems

Objective

The objective of this project is to develop an original approach to effectively and efficiently detect misuse by legitimate users in database systems through anomaly detection.

Motivation

Despite the fact that internal users can cause more damage to a system than external attackers, and that the primary threat comes from employees rather than hackers external to the system, most of the existing anomaly detection approaches are built for intrusion detection systems rather than for misuse detection systems. Even less attention, if any, is paid to detecting misuse in a database management system. In addition, most of these approaches are applied at the file system and program execution level. They are not particularly designed for database systems, which have a finer level of granularity, i.e. at the attribute and record level as opposed to the file level. With well-defined structures and semantics of the data, a database system is an excellent domain for developing practical anomaly detection mechanisms.

Our Approach

Although the techniques in the existing anomaly detection systems can be borrowed to detect anomalies in a database management system, they generally only capture the context aspect of user behaviour, such as categorising CPU usage. Regrettably, they do not take into account the rich structural aspect of database systems. Therefore, examining the structure of the system is a promising direction to better characterise normal user behaviour in database systems.

The approach that we are investigating to detect anomalous behaviour is:

  1. define a structural model to capture the structural aspect of the database systems
  2. select the relevant features to characterise user behaviour with respect to the structural model
  3. define normal user behaviour by cluster analysis based on the structural model and the features
  4. detect abnormal user behaviour by classification techniques based on the clusters defined in step (3)
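The four steps above carried through on a toy scale, as an added example that is not the project's own code: constructed query-log lines stand in for an audit trail, a regex extracts the relations and attributes each statement touches (the structural model), each statement becomes an attribute- and record-level feature vector, one cluster per user summarises normal behaviour, and a new statement is flagged when it falls outside the claimed user's cluster or closer to another user's. The log format, the feature set and the tolerance constants are assumptions.

```python
import math
import re
from collections import defaultdict
# Constructed query log: (user, statement, rows touched). Not real data.
SAMPLE_LOG = [
    ("alice", "SELECT name, balance FROM accounts WHERE id = 7", 1),
    ("alice", "SELECT name FROM accounts WHERE id = 9", 1),
    ("alice", "UPDATE accounts SET balance = 10 WHERE id = 7", 1),
    ("bob", "SELECT sku, qty FROM inventory WHERE qty < 5", 12),
    ("bob", "SELECT sku FROM inventory", 40),
]
MIN_RADIUS, SLACK = 0.5, 1.5  # assumed tolerance for sparse profiles

def structure(sql):
    """Step 1: structural model of one statement (kind, relations, attributes)."""
    kind = sql.split(None, 1)[0].upper()
    tables = {t.lower() for t in re.findall(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+(\w+)", sql, re.I)}
    attrs = set()
    if kind == "SELECT":
        cols = re.search(r"SELECT\s+(.+?)\s+FROM\b", sql, re.I | re.S).group(1)
        attrs = {c.strip().lower() for c in cols.split(",")}
    elif kind == "UPDATE":
        body = re.search(r"\bSET\s+(.+?)(?:\s+WHERE\b|$)", sql, re.I | re.S).group(1)
        attrs = {a.lower() for a in re.findall(r"(\w+)\s*=", body)}
    return {"kind": kind, "tables": tables, "attrs": attrs}

def features(sql, rows):
    """Step 2: attribute- and record-level features rather than file-level ones."""
    s = structure(sql)
    return [len(s["tables"]), len(s["attrs"]), math.log1p(rows), float(s["kind"] != "SELECT")]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def build_profiles(log):
    """Step 3: one cluster per user: a centroid plus the radius of its training points."""
    by_user = defaultdict(list)
    for user, sql, rows in log:
        by_user[user].append(features(sql, rows))
    profiles = {}
    for user, vecs in by_user.items():
        centroid = [sum(col) / len(vecs) for col in zip(*vecs)]
        profiles[user] = (centroid, max(dist(v, centroid) for v in vecs))
    return profiles

def classify(profiles, user, sql, rows):
    """Step 4: nearest-centroid check; returns (anomalous, distance, nearest user)."""
    v = features(sql, rows)
    centroid, radius = profiles[user]
    d = dist(v, centroid)
    nearest = min(profiles, key=lambda u: dist(v, profiles[u][0]))
    return d > max(radius, MIN_RADIUS) * SLACK or nearest != user, round(d, 3), nearest
```

A single write by a user whose profile holds only reads, or a read that touches far more attributes and rows than usual, lands outside the cluster even though each statement on its own is syntactically ordinary.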

Current Stage And Future Direction

We are currently in the stage of developing a preliminary structural model for relational database systems, and possibly extending the model to capture other database systems. We are also looking into promising data mining techniques that can extract useful information about the database systems. In addition, we plan to run experiments to select the best features, clustering and classification techniques for database systems in the business domain.

Contact: Raymond Yip

yip@cs.ucdavis.edu