More Web Proxy on the site http://driver.im/

Article

Learning Fingerprints for a Database Intrusion Detection System

Authors:

Pei Yuen WongAuthors Info & Claims

ESORICS '02: Proceedings of the 7th European Symposium on Research in Computer Security

Pages 264 - 280

Published: 14 October 2002 Publication History

Abstract

There is a growing security concern on the increasing number of databases that are accessible through the Internet. Such databases may contain sensitive information like credit card numbers and personal medical histories. Many e-service providers are reported to be leaking customers' information through their websites. The hackers exploited poorly coded programs that interface with backend databases using SQL injection techniques. We developed an architectural framework, DIDAFIT (Detecting Intrusions in DAtabases through FIngerprinting Transactions) [1], that can efficiently detect illegitimate database accesses. The system works by matching SQL statements against a known set of legitimate database transaction fingerprints. In this paper, we explore the various issues that arise in the collation, representation and summarization of this potentially huge set of legitimate transaction fingerprints. We describe an algorithm that summarizes the raw transactional SQL queries into compact regular expressions. This representation can be used to match against incoming database transactions efficiently. A set of heuristics is used during the summarization process to ensure that the level of false negatives remains low. This algorithm also takes into consideration incomplete logs and heuristically identifies "high risk" transactions.

References

[1]

Low, W. L., Lee, S. Y., Teoh, P.: DIDAFIT: Detecting Intrusions in Databases Through Fingerprinting Transactions. In: Proceedings of the 4th International Conference on Enterprise Information Systems (ICEIS). (2002).

[2]

Atanasov, M.: The truth about internet fraud. In: Ziff Davis Smart Business, Available at URL http://techupdate.zdnet.com/techupdate/stories/main/ 0,14179,2688776-11,00.html (2001).

[3]

Hatcher, T.: Survey: Costs of computer security breaches soar. In: CNN.com, Available at URL http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/ (2001).

[4]

Poulsen, K.: Guesswork PlaguesWeb Hole Reporting. In: SecurityFocus, Available at URL http://online.securityfocus.com/news/346 (2002).

[5]

Internet Security Systems: RealSecure Intrusion Detection Solution, Available at URL http://www.iss.net (2001).

[6]

NFR Security: NFR network intrusion detection, Available at URL http://www.nfr.com/products/NID/ (2001).

[7]

Enterasys Networks, Inc.: The Dragon IDS, Available at URL http://www.enterasys.com/ids/dragonids.html (2001).

[8]

Cisco Systems, Inc.: Cisco Intrusion Detection, Available at URL http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ (2001).

[9]

Symantec Corporation: Enterprise Solutions, Available at URL http://enterprisesecurity.symantec.com/ (2001).

[10]

Roesch, M.: Snort: Lighweight intrusion detection for networks. In: Proceedings of the 13th Conference on Systems Administration (LISA-99), USENIX Association (1999) 229-238.

[11]

Andrews, C.: SQL injection FAQ, Available at URL http://www.sqlsecurity.com (2001).

[12]

Anley, C.: Advanced SQL Injection In SQL Server Applications, Next Generation Security Software Ltd, Available at URL http://www.nextgenss.com/papers/ advanced_sql_injection.pdf (2002).

[13]

Anley, C.: (more) Advanced SQL Injection, Next Generation Security Software Ltd, Available at URL http://www.nextgenss.com/papers/ more_advanced_sql_injection.pdf (2002).

[14]

Oracle: Oracle, 2001, Available at URL http://www.oracle.com (2001).

[15]

Chung, C.Y., Gertz, M., Levitt, K.: Misuse detection in database systems through user profiling. In: Web Proceedings of the 2nd International Workshop on the Recent Advances in Intrusion Detection (RAID). (1999).

[16]

Quinlan, J. R.: Induction of decision trees. In Shavlik, J.W., Dietterich, T.G., eds.: Readings in Machine Learning. Morgan Kaufmann (1990) Originally published in Machine Learning 1:81-106, 1986.

[17]

Hovy, E., Lin, C.Y.: Automated Text Summarization in SUMMARIST. In: Proceedings of ACL/EACL Workshop on Intelligent Scalable Text Summarization. (1997) Madrid, Spain.

[18]

Boguraev, B., Bellamy, R.: Dynamic Presentation of Phrasally-Based Document Abstractions. In: Proceedings of Thirty-second Annual Hawaii International Conference on System Sciences (HICSS). (1998).

Cited By

Khan MFoley SO'Sullivan BVerma RSubramaniam DSung AVerma R(2019)Computing the Identification Capability of SQL Queries for Privacy ComparisonProceedings of the ACM International Workshop on Security and Privacy Analytics10.1145/3309182.3309188(47-52)Online publication date: 13-Mar-2019
https://dl.acm.org/doi/10.1145/3309182.3309188
Warszawski TBailis PChirkova RYang JSuciu D(2017)ACIDRainProceedings of the 2017 ACM International Conference on Management of Data10.1145/3035918.3064037(5-20)Online publication date: 9-May-2017
https://dl.acm.org/doi/10.1145/3035918.3064037
Fadolalkarim DSallam ABertino EBertino ESandhu RPretschner A(2016)PANDDEProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857710(267-276)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857710
Show More Cited By

Recommendations

On database intrusion detection: A Query analytics-based model of normative behavior to detect insider attacks
ICCNS '17: Proceedings of the 2017 7th International Conference on Communication and Network Security

One of the challenges in database security is timely detection of an insider attack. This gets more challenging in the case of sophisticated / expert insiders. Behavioral-based techniques have shown promising results in detecting insider attacks. Most ...
The influence of database structure representation on database system learning and use

Successful use of a computerized database by end users requires both an understanding of the structure of the database and knowledge of the available query language. Previous research has focused almost exclusively on query languages with little concern ...
Integrated intrusion detection in databases
LADC'07: Proceedings of the Third Latin-American conference on Dependable Computing

Database management systems (DBMS), which are the ultimate layer in preventing malicious data access or corruption, implement several security mechanisms to protect data. However these mechanisms cannot always stop malicious users from accessing the ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Guide Proceedings

ESORICS '02: Proceedings of the 7th European Symposium on Research in Computer Security

October 2002

284 pages

ISBN:3540443452

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 14 October 2002

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

32
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Khan MFoley SO'Sullivan BVerma RSubramaniam DSung AVerma R(2019)Computing the Identification Capability of SQL Queries for Privacy ComparisonProceedings of the ACM International Workshop on Security and Privacy Analytics10.1145/3309182.3309188(47-52)Online publication date: 13-Mar-2019
https://dl.acm.org/doi/10.1145/3309182.3309188
Warszawski TBailis PChirkova RYang JSuciu D(2017)ACIDRainProceedings of the 2017 ACM International Conference on Management of Data10.1145/3035918.3064037(5-20)Online publication date: 9-May-2017
https://dl.acm.org/doi/10.1145/3035918.3064037
Fadolalkarim DSallam ABertino EBertino ESandhu RPretschner A(2016)PANDDEProceedings of the Sixth ACM Conference on Data and Application Security and Privacy10.1145/2857705.2857710(267-276)Online publication date: 9-Mar-2016
https://dl.acm.org/doi/10.1145/2857705.2857710
Ronao CCho S(2016)Anomalous query access detection in RBAC-administered databases with random forest and PCAInformation Sciences: an International Journal10.1016/j.ins.2016.06.038369:C(238-250)Online publication date: 10-Nov-2016
https://dl.acm.org/doi/10.1016/j.ins.2016.06.038
Hussain SSallam ABertino EPark JSquicciarini A(2015)DetAnomProceedings of the 5th ACM Conference on Data and Application Security and Privacy10.1145/2699026.2699111(25-35)Online publication date: 2-Mar-2015
https://dl.acm.org/doi/10.1145/2699026.2699111
Ronao CCho S(2015)Mining SQL Queries to Detect Anomalous Database Access using Random Forest and PCAProceedings of the 28th International Conference on Current Approaches in Applied Artificial Intelligence - Volume 910110.1007/978-3-319-19066-2_15(151-160)Online publication date: 10-Jun-2015
https://dl.acm.org/doi/10.1007/978-3-319-19066-2_15
Santos RBernardino JVieira M(2014)Approaches and Challenges in Database Intrusion DetectionACM SIGMOD Record10.1145/2694428.269443543:3(36-47)Online publication date: 4-Dec-2014
https://dl.acm.org/doi/10.1145/2694428.2694435
Anand VThatcher RDooling CMcLaughlin KWilliams B(2014)Intrusion DetectionProceedings of the 42nd annual ACM SIGUCCS conference on User services10.1145/2661172.2661186(69-73)Online publication date: 2-Nov-2014
https://dl.acm.org/doi/10.1145/2661172.2661186
Shebaro BSallam AKamra ABertino EGuerrini GPaton N(2013)PostgreSQL anomalous query detectorProceedings of the 16th International Conference on Extending Database Technology10.1145/2452376.2452469(741-744)Online publication date: 18-Mar-2013
https://dl.acm.org/doi/10.1145/2452376.2452469
Li XYan WXue YBertino ESandhu R(2012)SENTINELProceedings of the second ACM conference on Data and Application Security and Privacy10.1145/2133601.2133605(25-36)Online publication date: 7-Feb-2012
https://dl.acm.org/doi/10.1145/2133601.2133605
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents