Research article, DOI: 10.1145/2857705.2857710

PANDDE: Provenance-based ANomaly Detection of Data Exfiltration

Published: 09 March 2016

Abstract

Preventing data exfiltration by insiders is a challenging process, since insiders are users who have access permissions to the data. Existing mechanisms focus on tracking users' activities while they are connected to the database, and are unable to detect anomalous actions that the users perform on the data once they have gained access to it. Being able to detect anomalous actions on the data is critical, as these actions are often a sign of attempts to misuse data. In this paper, we propose an approach to detect anomalous actions executed on data returned to users from a database. The approach has been implemented as part of the Provenance-based ANomaly Detection of Data Exfiltration (PANDDE) tool. PANDDE leverages data provenance information captured at the operating system level. Such information is then used to create profiles of users' actions on the data once it has been retrieved from the database. The profiles indicate actions that are consistent with the tasks of the users. Actions recorded in the profiles include data printing, emailing, and storage. Profiles are then used at run-time to detect anomalous actions.
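The profile-then-detect idea described in the abstract, as an added illustration that is not PANDDE's code or data format: constructed provenance events (user, task, OS-observed action on a file derived from a query result, destination) are first used to build per-user, per-task profiles of allowed action/destination classes, and later events are flagged when they fall outside the profile. The event tuple layout, the task names and the destination-generalisation rules are assumptions made for this example.

```python
from collections import defaultdict

# Constructed training events (not PANDDE's format): one per action the OS
# observed on data a user had retrieved from the database for a given task.
TRAINING_EVENTS = [
    # (user, task, action, destination)
    ("alice", "billing", "print", "printer://finance-floor2"),
    ("alice", "billing", "store", "/srv/finance/reports/q1.xlsx"),
    ("alice", "billing", "email", "alice.mgr@corp.example"),
    ("bob",   "support", "store", "/home/bob/tickets/2041.csv"),
    ("bob",   "support", "email", "ticket-desk@corp.example"),
]

def target_class(action, target):
    """Generalise a concrete destination to the class the profile keys on."""
    if action == "email":
        return target.rsplit("@", 1)[-1]          # recipient domain
    if action == "store":
        parts = target.strip("/").split("/")
        return "/" + "/".join(parts[:2])          # top-level location, e.g. /srv/finance
    return target                                 # printers are kept verbatim

def build_profiles(events):
    """Map (user, task) -> set of (action, destination class) seen in training."""
    profiles = defaultdict(set)
    for user, task, action, target in events:
        profiles[(user, task)].add((action, target_class(action, target)))
    return profiles

def detect(profiles, event):
    """Return None if the action matches the user's task profile, else an alert."""
    user, task, action, target = event
    key = (user, task)
    if key not in profiles:
        return f"{user}: no profile for task '{task}'"
    observed = (action, target_class(action, target))
    if observed not in profiles[key]:
        return f"{user}: {action} to {target} is outside the '{task}' profile"
    return None

def scan(profiles, events):
    """Run detection over a batch of run-time events and collect the alerts."""
    return [alert for alert in (detect(profiles, e) for e in events) if alert]

if __name__ == "__main__":
    runtime = [
        ("alice", "billing", "store", "/srv/finance/reports/q2.xlsx"),  # consistent
        ("alice", "billing", "store", "/media/usb/dump.xlsx"),          # new location
        ("bob",   "support", "email", "bob@personal-mail.example"),     # new domain
    ]
    for alert in scan(build_profiles(TRAINING_EVENTS), runtime):
        print(alert)
```

Generalising the destination (mail domain, top-level storage location) rather than matching exact paths keeps a second report in the same directory from raising an alert while still catching removable media or an unfamiliar mail domain.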


Cited By

  • (2024) A benchmark suite and performance analysis of user-space provenance collectors. Proceedings of the 2nd ACM Conference on Reproducibility and Replicability, pages 85-95. DOI: 10.1145/3641525.3663627. Online publication date: 18 June 2024.
  • (2019) A-PANDDE. Computers and Security, 84(C):276-287. DOI: 10.1016/j.cose.2019.03.021. Online publication date: 1 July 2019.


Published In

CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, March 2016, 340 pages. ISBN: 9781450339353. DOI: 10.1145/2857705.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: anomaly detection; insider attacks; operating system; provenance collection; security and reliability


Acceptance Rates: CODASPY '16 paper acceptance rate 22 of 115 submissions (19%); overall acceptance rate 149 of 789 submissions (19%).
