Why Monitoring Database Application Behavior is the Best

Clay Brockman
ITK 478
Fall 2007
- Why intrusion detection?
- Comparing two types:
  - Monitoring Database Application Behavior
  - Using Time Signatures
- “Security is an integrative concept that includes the following properties: confidentiality …, authenticity …, integrity …, and availability” (Vieira and Madeira, 2005, p. 350)
- Explanation of these properties
- Intrusions occur in one of the following ways:
  - “intentional unauthorized attempts to access or destroy private data” (Vieira and Madeira, 2005, p. 351)
  - “malicious actions executed by authorized users to cause loss or corruption of critical data” (Vieira and Madeira, 2005, p. 351)
  - “external interferences aimed to cause undue delays in accessing or using data, or even denial of service” (Vieira and Madeira, 2005, p. 351)
- False positive
  - the detection system reports an intrusion, but the action is really a legitimate request (Afonso et al., 2006, p. 37)
  - accounts for 17% of recorded events (Afonso et al., 2006, p. 37)
- False negative
  - the system allows a malicious request to pass, identifying it as a legitimate request (Afonso et al., 2006, p. 37)
  - accounts for about 12% of recorded events (Afonso et al., 2006, p. 37)
Monitoring Database Application Behavior
- Developed by José Fonseca, Marco Vieira, and Henrique Madeira
- This method “adds concurrent intrusion detection to DBMS using a comprehensive set of behavior abstractions representing database activity” (Fonseca et al., 2006, p. 383).
- Messages are checked at three different levels:
  - Command level
  - Transaction level
  - Session level
- Command level
  - “checks if the structure of each executed command belongs to the set of command structures previously learned” (Fonseca et al., 2006, p. 383)
- Transaction level
  - “checks if the command is in the right place inside the transaction profile (a transaction is a unit formed by a set of SQL commands always executed in the same sequence)” (Fonseca et al., 2006, p. 383)
- Session level
  - “checks if the transaction fits in a known transaction sequence. It represents the sequence of operations that the user executes in a session” (Fonseca et al., 2006, p. 383)
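The three checks above can be prototyped as a small profile learner. The Python below is an added example written for this page; it is not code from Fonseca et al. The literal-stripping abstraction in `command_structure`, the prefix-matching rule used for the transaction and session checks, the `BehaviourMonitor` class and the sample SQL sessions for a toy shopping application are all assumptions of this example, constructed here to exercise the four cases the slides care about: a request with only literal changes, an injected command, commands in the wrong order inside a transaction, and a transaction executed out of sequence in the session.

```python
import re


def command_structure(sql):
    """Abstract an SQL command to its structure: string and numeric literals
    become '?', whitespace is collapsed and case is folded.  A real monitor
    would use an SQL parser; these regexes are a deliberate simplification."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)      # 'string literals'
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)     # integer and decimal literals
    return re.sub(r"\s+", " ", s).strip().lower()


class BehaviourMonitor:
    """Learns profiles from attack-free traffic and checks new sessions at
    command, transaction and session level (our own reading of the method)."""

    def __init__(self):
        self.commands = set()      # command level: known command structures
        self.transactions = set()  # transaction level: known command sequences
        self.sessions = set()      # session level: known transaction sequences

    def learn_session(self, session):
        """session: list of transactions; each transaction: list of SQL strings."""
        profiles = []
        for tx in session:
            profile = tuple(command_structure(c) for c in tx)
            self.commands.update(profile)
            self.transactions.add(profile)
            profiles.append(profile)
        self.sessions.add(tuple(profiles))

    def check_session(self, session):
        """Return (level, tx_index, cmd_index, detail) tuples for every
        deviation, reporting each problem at the lowest level that sees it."""
        alerts, profiles, session_ok = [], [], True
        for t, tx in enumerate(session):
            profile = tuple(command_structure(c) for c in tx)
            tx_ok = True
            for i, struct in enumerate(profile):
                if struct not in self.commands:
                    alerts.append(("command", t, i, struct))
                    tx_ok = False
                elif tx_ok and not any(p[:i + 1] == profile[:i + 1]
                                       for p in self.transactions):
                    # every command so far is known, but this one is out of place
                    alerts.append(("transaction", t, i, struct))
                    tx_ok = False
            if tx_ok and profile not in self.transactions:
                # a prefix of a known transaction that stopped before its end
                alerts.append(("transaction", t, len(profile), "ended early"))
                tx_ok = False
            profiles.append(profile)
            if session_ok and tx_ok and not any(
                    s[:t + 1] == tuple(profiles) for s in self.sessions):
                alerts.append(("session", t, None, "transaction out of sequence"))
                session_ok = False
            session_ok = session_ok and tx_ok
        return alerts


# Constructed sample traffic for a toy shopping application (not from the paper).
def _session(user, product, total):
    return [
        [f"SELECT id, price FROM products WHERE id = {product}",
         f"INSERT INTO cart (user_id, product_id) VALUES ({user}, {product})"],
        [f"SELECT product_id FROM cart WHERE user_id = {user}",
         f"INSERT INTO orders (user_id, total) VALUES ({user}, {total})",
         f"DELETE FROM cart WHERE user_id = {user}"],
    ]


CLEAN_SESSION = _session(7, 42, 19.99)
VARIANT_SESSION = _session(3, 8, 4.5)            # same structure, new literals
INJECTED_SESSION = _session(3, 8, 4.5)
INJECTED_SESSION[0][0] += " OR 1=1"              # tautology appended to a literal
REORDERED_SESSION = [CLEAN_SESSION[0],           # DELETE before INSERT
                     [CLEAN_SESSION[1][0], CLEAN_SESSION[1][2], CLEAN_SESSION[1][1]]]
TRUNCATED_SESSION = [CLEAN_SESSION[0], CLEAN_SESSION[1][:2]]   # cart never cleared
OUT_OF_SEQUENCE_SESSION = [CLEAN_SESSION[1]]                   # checkout without a cart


def demo_behaviour():
    """Learn from one clean session, then check the five constructed sessions."""
    monitor = BehaviourMonitor()
    monitor.learn_session(CLEAN_SESSION)
    return {name: monitor.check_session(s) for name, s in [
        ("variant", VARIANT_SESSION), ("injected", INJECTED_SESSION),
        ("reordered", REORDERED_SESSION), ("truncated", TRUNCATED_SESSION),
        ("out_of_sequence", OUT_OF_SEQUENCE_SESSION)]}
```

Run `demo_behaviour()` and the variant session produces no alerts, the injected statement is caught at command level because `OR ?=?` is not part of any learned structure, the reordered transaction is caught at transaction level even though every command in it is known, and the lone checkout is caught at session level. The learned sets must come from traffic known to be attack-free; anything learned during an attack becomes part of the profile and turns into a false negative later, which is the usual caveat for this kind of anomaly detector.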
- Results:
  - 1 normal request was flagged as malicious, giving 1 false positive
  - 100% accuracy on requests with slight changes
  - Randomly ordered SQL commands resulted in 4.2% false negatives
  - All 50 manual injections were caught
Using Time Signatures
- Developed by Lee et al. (2000)
- Expects requests to come in at certain times
- Based on a real-time database
- Examples:
  - Stock market
  - Power grid
  - Air traffic control
- Two different types of intrusions:
  - User transactions: “the characteristics of an intruding transaction are identical to a user transaction except for the data object access pattern” (Lee et al., 2000, p. 128)
  - Sensor transactions: read a sensor periodically to check for updated information (Lee et al., 2000, pp. 127-128)
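As the slides describe it, the time-signature approach expects each sensor transaction to update its data object on a fixed period, so a write that arrives when the object is not yet due does not fit the signature. The Python below is an added example, not Lee et al.'s implementation: it learns a per-object update period from a clean trace and flags updates that arrive earlier or later than that period allows. The `TimeSignatureMonitor` class, the fixed tolerance band and the constructed timestamp traces are assumptions of this example; the user-transaction case on the slide, which differs by access pattern rather than timing, is not covered here.

```python
from statistics import mean


class TimeSignatureMonitor:
    """Learns the update period of each temporal data object from clean traffic
    and flags updates that do not fit it (our reading of "time signature")."""

    def __init__(self, tolerance=0.2):
        self.tolerance = tolerance   # allowed jitter as a fraction of the period
        self.period = {}             # object name -> learned update period

    def learn(self, obj, update_times):
        """update_times: sorted timestamps of an object's legitimate sensor updates."""
        gaps = [b - a for a, b in zip(update_times, update_times[1:])]
        self.period[obj] = mean(gaps)

    def check(self, obj, update_times):
        """Return (timestamp, verdict) for each update outside the signature."""
        if obj not in self.period:
            return [(update_times[0], "no time signature learned")]
        period = self.period[obj]
        low, high = period * (1 - self.tolerance), period * (1 + self.tolerance)
        alerts = []
        last = update_times[0]
        for t in update_times[1:]:
            gap = t - last
            if gap < low:
                # A write before the object is due is the intrusion signal the
                # slide describes.  It is not accepted as the new reference
                # point, so the genuine sensor's next write still looks on time.
                alerts.append((t, "early update"))
                continue
            if gap > high:
                alerts.append((t, "late update"))   # missed or delayed sensor
            last = t
        return alerts


# Constructed traces (not from the paper): a sensor that writes every 10 s.
CLEAN_TRACE = list(range(0, 101, 10))
# Two suspect writes: t=123, only 3 s after the 120 update, and t=165 after a 25 s gap.
ATTACK_TRACE = [100, 110, 120, 123, 130, 140, 165]


def demo_time_signature():
    """Learn the 'pressure' object's period, then check a clean and an attack trace."""
    monitor = TimeSignatureMonitor(tolerance=0.2)
    monitor.learn("pressure", CLEAN_TRACE)
    return {"clean": monitor.check("pressure", CLEAN_TRACE),
            "attack": monitor.check("pressure", ATTACK_TRACE),
            "unknown": monitor.check("altitude", ATTACK_TRACE)}
```

Running `demo_time_signature()` flags the write at 123 as early and the one at 165 as late while the clean trace passes untouched. In a real deployment the tolerance should be derived from the jitter observed in the training trace rather than a fixed 20%, and the two verdicts deserve different handling: an early write is the masquerading-sensor case, whereas a late write is at least as likely to be a sensor or network fault as an intrusion, which is one place the false-positive and false-negative trade-off on the next slide comes from.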
- Results:
  - False positive rate was as low as 0.36% (Lee et al., 2000, p. 129)
  - False negative rate was as high as 5.5% (Lee et al., 2000, p. 129)
- Both methods had very low false positive rates
- Monitoring Database Application Behavior was better on false negative rate by 1.3 percentage points (4.2% versus 5.5%)