
A-PANDDE: Advanced Provenance-based ANomaly Detection of Data Exfiltration

Published: 01 July 2019

Abstract

Insider threats are a serious problem that can be more damaging than attacks by outsiders, because insiders are users who have legitimate access to the data. A database management system (DBMS) access control mechanism cannot prevent misuse of data that a user is authorized to access. Many mechanisms have been proposed to detect insiders’ attempts to misuse or steal data at the database level and the application level. However, these mechanisms cannot detect attempts to exfiltrate the data once a user has stored it in files on their own machine. Hence, a mechanism is needed that detects suspicious insider activity at the operating system level. As an initial step in this direction, we propose an anomaly detection system that monitors insiders’ actions on data outside the database. More precisely, our system tracks file system access operations (e.g., read, write, and open to print) on data piped from the database into files. Our approach captures syntactic features of the SQL queries that users submit to the DBMS to retrieve data (e.g., SELECT commands) by recording the object identifiers of the tables accessed. The system also collects data features, such as the tables’ selectivities, to profile the amount of data being accessed by the user, and it tracks the frequencies of users’ actions on files that contain data from the database. The collected information is used to build profiles of users’ activities, and these profiles are later used to classify users’ actions as normal or abnormal. Experimental results show that our technique is close to accurate and that the detection mechanism incurs low overhead.
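The profile-and-score idea the abstract describes, as an added illustration rather than the paper's own code (which is not on this page): per-user profiles are built from constructed provenance records of table object identifiers, query selectivities and file operations, and a new record is scored against them. The user names, OIDs, selectivity values and the 3-standard-deviation threshold are all assumptions made for the example.

```python
"""Toy per-user profiling of provenance records (constructed data, not the
paper's): a record is (user, table_oids, selectivity, file_op), where
selectivity is the fraction of a table's rows the SELECT returned and
file_op is the file-system action taken on the exported data."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed training records; OIDs 16384/16390 are made-up table ids.
TRAINING = [
    ("alice", (16384,), 0.02, "read"),
    ("alice", (16384,), 0.03, "read"),
    ("alice", (16384, 16390), 0.05, "write"),
    ("alice", (16384,), 0.01, "read"),
    ("bob", (16390,), 0.10, "write"),
    ("bob", (16390,), 0.12, "write"),
]


def build_profiles(records):
    """Per user: frequency of each (table OID, file op) pair, and the
    list of selectivities seen, i.e. how much data the user usually pulls."""
    profiles = defaultdict(lambda: {"pairs": Counter(), "sel": []})
    for user, oids, sel, op in records:
        prof = profiles[user]
        for oid in oids:
            prof["pairs"][(oid, op)] += 1
        prof["sel"].append(sel)
    return profiles


def score(profiles, record, z_limit=3.0):
    """Return the reasons a record deviates from its user's profile
    (an empty list means the action looks normal)."""
    user, oids, sel, op = record
    prof = profiles.get(user)
    if prof is None:
        return ["unknown user"]
    reasons = []
    # Syntactic/behavioural check: has this user ever done this file
    # operation on data from this table before?
    for oid in oids:
        if prof["pairs"][(oid, op)] == 0:
            reasons.append(f"never seen {op} on table oid {oid}")
    # Volume check: selectivity far above the user's usual band suggests
    # a much larger pull of data than the profile justifies.
    mu = mean(prof["sel"])
    sigma = max(pstdev(prof["sel"]), 0.01)  # floor for near-constant users
    z = (sel - mu) / sigma
    if z > z_limit:
        reasons.append(f"selectivity {sel} is {z:.1f} sd above profile mean")
    return reasons
```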


Cited By

  • Data Provenance in Security and Privacy, ACM Computing Surveys 55(14s), 1–35, 22 Apr 2023. doi:10.1145/3593294
  • Implementing Data Exfiltration Defense in Situ: A Survey of Countermeasures and Human Involvement, ACM Computing Surveys 55(14s), 1–37, 25 Jan 2023. doi:10.1145/3582077
  • A Fine-Grained Approach for Anomaly Detection in File System Accesses With Enhanced Temporal User Profiles, IEEE Transactions on Dependable and Secure Computing 18(6), 2535–2550, 1 Nov 2021. doi:10.1109/TDSC.2019.2954507


Published In

Computers and Security, Volume 84, Issue C, Jul 2019, 403 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom


Author Tags

  1. Operating system
  2. Security and reliability
  3. Insider attacks
  4. Anomaly detection
  5. Provenance collection

Qualifiers

  • Research-article
