2016 International Conference on Global Trends in Signal Processing, Information Computing and Communication

A Framework for Database Intrusion Detection System

Drashti Nandasana
IT Department, Sardar Vallabhbhai Patel Institute of Technology, Vasad, Gujarat.
garadharia@gmail.com

Mr. Virendra Barot
IT Department, Sardar Vallabhbhai Patel Institute of Technology, Vasad, Gujarat.
virendrabarot.it@svitvasad.ac.in

Abstract - A database management system alone is not enough against new high-tech attacks, so a Database Intrusion Detection System is required as an additional security layer. Over the last few years, many database intrusion detection systems have been developed using anomaly-based methods such as mining data dependencies among data items, access patterns, etc. In this paper we use a signature-based approach defined on a role hierarchy. Roles classify the users and make management easy. We work on valid transaction sequences, which are stored in a profile table. This approach also takes care of privilege-right checking at the attribute level.

Keywords – Database Intrusion Detection System (DIDS); Transaction Profile; Pattern Matching Algorithm

I. INTRODUCTION

Information plays a very serious role in any organization. Sensitive and private information is often stored within a database. Authentication, authorization, auditing, encryption and access control are traditional mechanisms, but they do not provide a higher level of confidence. The information era places a new responsibility on organizations to manage data whose size grows with time. This new responsibility needs new technology which works alongside the existing system.

Attacks on a database are divided into two categories: insider attacks and outsider attacks. Insider attacks are performed by legitimate users who try to misuse their rights, for example by breaking privilege levels. An outsider attack is performed by a person who does not have the right to access the secure application but somehow gains access and is able to modify information. Such attackers also sell private information to a company's competitors or to anyone who pays enough for it. According to the 2015 US Cybercrime "Rising risks, reduced readiness" survey [1], "Almost one-third (32%) say insider crimes are costlier or damaging than incidents perpetrated by outsiders", which indicates that insiders do more serious damage because of their familiarity with the system. According to the Computer Crime and Security Survey 2010 [2], "Insider abuse of internet access or email was experienced by 25%.", which is one-fourth of all attacks. This statistic illustrates the importance of data security.

Intrusion detection techniques can be divided into two approaches: the signature-based approach and the anomaly-based approach. A signature-based approach stores existing attack patterns; each new transaction is first matched against the stored attack patterns, and if the match succeeds the transaction is declared malicious. No mining technique is used in the signature-based method. An anomaly-based approach stores normal behavior, and if a new transaction request diverges from it by more than a specified threshold value it is called an attack. Anomaly-based intrusion detection systems represent normal behavior in the form of clusters, association rules, etc., and likewise use mining techniques to detect intrusions.

Network and OS intrusion detection systems are not enough for database security; therefore, we need an intrusion detection system at the database.

978-1-5090-0467-6/16/$31.00 ©2016 IEEE 74

II. RELATED WORK

Till now some research work has been done on database IDSs. Existing IDSs protect the data from intruders; for example, SQL injection attacks, where unchecked input is sent to a back-end database for execution, cannot be detected by traditional security mechanisms. The profile can be kept at different levels of granularity; for instance, we can take a table or a table attribute as the object in the learning stage. As per E. Bertino's paper [3], there are three strategies (coarse triplet, medium triplet and fine triplet), each categorized by a different amount of recorded information. As an IDS performs finer-granularity checking it reduces false alarms and increases true positives, but the disadvantage is that it consumes more time and storage. In [3] they also introduced an RBAC (Role Based Access Control) dataset. In the case of a large organization the data needs huge storage capacity, so maintaining it is not feasible. RBAC is useful because different roles carry different permissions to access data. An RBAC setup reduces false alarms [5] compared with user-specific profiles. As per J. Fonseca [4], they introduced a sniffer tool in the LAN through a switch with a port-mirroring configuration so that they can listen to all port traffic. This tool learns from the real database, but the limitation is that this architecture does not support the execution of ad-hoc queries, which are created to obtain information as the need arises.

Based on the analysis in [10], database intrusion detection systems are classified into seven analysis techniques:
1) Temporal Analysis
2) Dependency and Relation Analysis
3) Sequence Alignment Analysis
4) Integrated Dependency with Sequence Alignment Analysis
5) Statistical Analysis
6) Information-Theoretic Analysis
7) Command Template Analysis

Temporal analysis works on fields which are updated periodically, like monthly events, festival notifications, etc. If such a periodic task is not completed on time, then there might have been an attack. Temporal analysis is a very basic intrusion detection technique. Based on the working pattern of a user there are some dependencies among dataset objects. This useful information is stored in a file which is matched against every new transaction; if no proper match is found, the transaction is declared malicious. This analysis is known as Dependency and Relation analysis. To perform some task, we have to follow some predefined steps, known as sequence steps. If a user tries to skip any step or leaves a step incomplete, it might be an attack; this analysis is known as Sequence Alignment analysis. The fourth technique merges the concepts of the second and third analyses. In Statistical analysis different data-mining techniques are used. In Information-Theoretic analysis, entropy and information gain ratio features are used. Real-time learning builds the profile in the form of a template which is used in the detection stage; this is known as the Command Template analysis method.

As per YiRu [6], data dependency can be defined at multiple levels and in multiple dimensions. In that paper the problem is the manual setting of the threshold value. As the dataset size and its attributes are likely to change, we cannot fix the threshold value throughout the system life. Manual observation is also a very tedious task. User transaction patterns can be stored in the form of user transaction signatures which represent user behaviour. In [7] the pre-processing of the raw log file, the learning stage and the detection procedures are controlled by a program, which reduces human effort and increases the speed of learning. The limitation of this process is that if any valid transaction is missed in profile generation, then that transaction generates a false alarm. Likewise, if any malicious transaction enters the learning stage and is loaded as authorized access, then it creates a false negative. As a result, we can say that detailed checking requires a great amount of effort. Many researchers have used data mining techniques for database intrusion detection systems. In [8] Yinzhao used clustering for dataset representation; here a database attack is determined when the edit distance value exceeds a user-defined threshold value. U. P. Rao [9] made a new profile representation in which a general profile is built using a binary vector representation. The advantage of using binary vectors is that they allow checking of subset access allowance and also increase detection speed. But in that paper they use a generalized profile, which means every user has the same access rights, and this cannot be implemented in real time. They used the following synthetic dataset audit log file (TABLE I) for learning rules. U. P. Rao [13] used data dependency rules as a classifier for anomaly detection; here, if a transaction disobeys a rule with 100% confidence, there is a higher chance of an attack.

III. PROPOSED APPROACH

Our approach deals with the known role-based access control (RBAC) database model. In RBAC, user behavior is generalized at the role level. Each role is unique and has a precedence level, so we can say we have worked with a role hierarchy. To implement this model, we have two basic requisites. First, divide users based on their access rights (like designation, post, etc.). Even when there is no role information present in the database, a role mining algorithm such as [11,12] can be used to assign artificial roles. The second requisite is that any change in existing role rights must be handled manually and updated in the profile, which would be performed by the database administrator. After having these prerequisites, we are ready to apply the IDS framework.

A. Proposed Architecture

The following architecture (Fig. 1) gives basic knowledge about how the Database Intrusion Detection System works. The architecture is divided into two functions: learning the profile and detecting intrusions.

Fig. 1. System architecture of proposed approach

The Offline Log History file decides how precise and complete our profile is, so this file must be non-intrusive. This file looks like TABLE I. In the learning stage this file is the input, and at the end the output is two profile tables: the Sequence Profile Table and the Privilege Profile Table.

The Sequence profile contains the sequence of tables accessed along with the operation. All SQL commands are divided based on their effect on the database: the SQL SELECT command performs a read operation and makes no change to the database, while SQL UPDATE, DELETE and INSERT all perform write operations, meaning they modify the content of the database. The binary representation uses 0 for read and 1 for write. TABLE II depicts the Sequence Profile; its third column shows the Table Access Pattern, which holds the transaction sequence. For example, here Role-ID 1 allows two ways to perform a transaction. The first valid transaction sequence is a read operation on tblOrderMst and then two write operations on tblOrderMst and tblShipperMst consecutively. TABLE III depicts the Privilege Profile, in which for each role we have two rows, one for read and one for write. This means that with eight roles we have sixteen rows in total. In the third column, a 1 at a binary position in the Attribute Sequence represents that the attribute is in the privilege set.

In our experiment, the database schema has four tables and each table contains two attributes. In TABLE III the first row's attribute access pattern shows 11000000, which means Role 1 can read from the first table only; the rest are 0, which means Role 1 cannot read from the other tables. When a new user event is given to the DIDS, it first checks for a valid sequence in the Sequence profile. If the event sequence matches in the role's own or a lower role's profile, it moves to the next step, in which we check that the attributes accessed are a subset of the role's attribute privilege rights. In our proposed work we consider a role-hierarchy-based profile, meaning a boss can perform an event which is a valid sequence for their employee. We allow the following features:
a. Relaxation on the order matching of consecutive SELECT commands, which means consecutive read operations may change their sequence.
b. Attribute-level, role-based read/write privilege sets.
c. Event sequences composed of table object and operation type.
Here the execution time is lower and the result more precise due to the profile design.

B. Transaction Profile Generation Algorithm

As discussed earlier, the architecture is divided into two steps. The first step is profile learning. The learning algorithm's steps 1 to 6 collect valid transactions for the same role, and step 8 checks the session id value: if it has changed, the last transaction set is over. Steps 11 to 17 check for read operations and the attribute-level privilege rights stored in the RAttrAcc variable. Here consecutive read operations are merged and stored in the sequence profile. Step 23 moves the cursor to the next role's log records. Step 24 adds the last sequence profile for the individual role. Steps 25 and 26 add the role-based read and write attribute access rights to the privilege profile.

Learning Algorithm
Input: LOG Table(UserID,RID,SessionID,SeqID,Cmdtype,tbAcc,AttrAcc)
tbAcc - table name used in the transaction, AttrAcc - accessed attribute name list
Output: Sequence-Profile(RID,TotalCmd,TAP), Privilege-Profile(RID,RW,AttrAcc)
TAP - Table Access Pattern, TotalCmd - total commands in that transaction set, RID - Role ID, RAttrAcc - attribute access rights for read operations, WAttrAcc - attribute access rights for write operations
Algorithm:
1. fetch log file sorted on userID, sessionID, SeqID (if log file is empty then validate)
2. loop1 till all transaction sets in log file accessed
3. RID = transaction set's RoleID
4. reset variables
5. fetch all records with RoleID = RID
6. sessionID = first row's sessionID value
7. loop2 till transactions from same role RID
8. if sessionID value changes (means new transaction set)
9. insert value(RID,TotalCmd,TAP) in Sequence profile table
10. end if
11. if transaction is read type
12. tblist, Attrlist fetched from dv
13. find table number from table name; if same transaction pattern is not repeating (means 2-0 again 2-0)
14. then update in TAP, and if last operation is read then merge with ',' (like 3,2-0|)
15. TotalCmd incremented by 1
16. attribute list updated and loaded in RAttrAcc
17. end if
18. else if transaction is write type
19. then update TAP
20. attribute list updated and loaded in WAttrAcc
21. end else
22. end loop2
23. increment in loop1 by number of transactions accessed within loop2
24. insert value(RID,TotalCmd,TAP) in Sequence profile table
25. insert value(RID,"0",RAttrAcc) in Privilege profile table
26. insert value(RID,"1",WAttrAcc) in Privilege profile table
27. end loop1

C. Intrusion Detection Algorithm

The framework's second step is anomaly detection. The detection algorithm uses the valid user transaction profiles as the reference for checking malicious activity. In steps 1 to 7 it collects the profiles, in which consecutive read operations are written comma-separated, so in step 12 it collects that table list in tbArr and allows the array to be in any order, since consecutive reads do not have to agree with the table access order. In step 21 it checks whether the attributes requested belong to the role's privilege set or not. In step 23 the response 0/1 is updated in the test file. Profiles are fetched for the equal and higher role categories. In loop2 it checks the number of operations in the transaction; if they match the online transaction it then checks table and access-type similarity.

Detection Algorithm
Input: online(UserID,RID,SessionID,SeqID,Cmdtype,tbAcc,AttrAcc)
Output: response in test file
Algorithm:
1. n = number of rows present in test dataset
2. if n is zero
3. then display "Empty test dataset" message
4. else
5. loop1 till all rows of test table processed
6. dvSeq = fetch sequence profile where Role ID >= test txn's Role ID
7. dvPri = fetch attribute privilege read-set/write-set for test txn's Role ID
8. loop2 till all profile table rows visited where number of operations is the same
9. split TAP attribute so that two separate string arrays are generated, divided into
10. tb (table number) and rw (access type - read or write)
11. if operation type is same and that is read
12. then check if TB (table number) contains ',', meaning more than one table had
13. consecutive read operations; then split TB and store in string array tbArr
14. loop3 till following rows' tables are from tbArr and have read operation
15. then ok
16. end loop3
17. increment profile current row by length of tbArr (transaction-set size)
18. else if operation type is same and that is write
19. then check table sequence matches
20. else not ok
21. check that attributes accessed are a subset of the respective read-set or write-set
22. end loop2
23. if all match then insert response(1) in test dataset
24. otherwise response zero is updated
25. end loop1
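The following is an added worked implementation of the learning algorithm (Section III-B) and the detection algorithm (Section III-C); it is example code written for this page, not the authors' implementation. It takes the TABLE I audit log as input and makes these assumptions, which the page does not state: RID equals UserID (TABLE I prints no role column); tables are numbered as TABLE II implies (tblOrderMst = 1, tblProductMst = 2, tblCustomerMst = 3, tblShipperMst = 4); AttrAcc bits follow that schema order, with the unnamed second attribute of tblShipperMst as a placeholder. The learned Sequence profile reproduces TABLE II; the Privilege profile bit positions depend on the assumed attribute order and so may not match the printed TABLE III bit for bit. A constructed extra session (not in TABLE I) exercises the merged consecutive-read pattern ("1,4-0|") and the order relaxation of feature a.

```python
"""Profile learning (Sec. III-B) and detection (Sec. III-C) of the role-hierarchy DIDS.
Added example; not the paper's own implementation."""
from collections import defaultdict

# Assumed schema, numbered as TABLE II implies (tblOrderMst = 1 ... tblShipperMst = 4).
# The page does not name the second attribute of tblShipperMst; "ShipperAttr2" is a placeholder.
SCHEMA = [
    ("tblOrderMst", ["OrderID", "OrderDate"]),
    ("tblProductMst", ["ProductID", "ProductName"]),
    ("tblCustomerMst", ["CompanyName", "CustomerName"]),
    ("tblShipperMst", ["ShipperID", "ShipperAttr2"]),
]
TABLE_NO = {name: i + 1 for i, (name, _) in enumerate(SCHEMA)}
ATTR_BIT = {x: i for i, x in enumerate(a for _, attrs in SCHEMA for a in attrs)}
NBITS = len(ATTR_BIT)  # 8 attributes -> 8-bit AttrAcc vectors

# TABLE I audit log as (UserID, RID, SessionID, SeqID, Cmdtype, tbAcc, AttrAcc).
# TABLE I prints no RoleID column; the assumption here is RID = UserID.
AUDIT_LOG = [
    (1, 1, 10, 1, "Select", "tblOrderMst", ["OrderID", "OrderDate"]),
    (1, 1, 10, 2, "Update", "tblOrderMst", ["OrderDate"]),
    (1, 1, 10, 3, "Update", "tblShipperMst", ["ShipperID"]),
    (1, 1, 11, 1, "Select", "tblOrderMst", ["OrderDate"]),
    (2, 2, 15, 1, "Select", "tblProductMst", ["ProductID"]),
    (2, 2, 15, 2, "Update", "tblProductMst", ["ProductName"]),
    (2, 2, 20, 1, "Select", "tblCustomerMst", ["CompanyName"]),
    (2, 2, 20, 2, "Update", "tblCustomerMst", ["CustomerName"]),
]
# Constructed extra session (not in TABLE I): two consecutive reads, merged as "1,4-0|".
EXTRA_LOG = [
    (1, 1, 12, 1, "Select", "tblOrderMst", ["OrderID"]),
    (1, 1, 12, 2, "Select", "tblShipperMst", ["ShipperID"]),
    (1, 1, 12, 3, "Update", "tblOrderMst", ["OrderDate"]),
]


def rw(cmd):
    """Binary operation type: 0 = read (SELECT), 1 = write (UPDATE, DELETE, INSERT)."""
    return 0 if cmd.lower() == "select" else 1


def attr_vector(attrs):
    """AttrAcc bit string: a 1 at the position of every attribute in the privilege set."""
    bits = {ATTR_BIT[a] for a in attrs}
    return "".join("1" if i in bits else "0" for i in range(NBITS))


def learn_profiles(log):
    """Learning algorithm: returns the Sequence profile rows (RID, TotalCmd, TAP) and the
    Privilege profile {RID: {0: read AttrAcc, 1: write AttrAcc}}."""
    sessions = defaultdict(list)  # one transaction set per (UserID, RID, SessionID)
    for row in sorted(log, key=lambda r: (r[0], r[2], r[3])):  # step 1: sort by user, session, seq
        sessions[row[:3]].append(row)
    seq_profile, read_attrs, write_attrs = [], defaultdict(set), defaultdict(set)
    for (_, rid, _), rows in sessions.items():
        groups, total = [], 0  # groups: [(table numbers, rw)], consecutive reads merged
        for _, _, _, _, cmd, table, attrs in rows:
            op, tno = rw(cmd), TABLE_NO[table]
            if op == 0 and groups and groups[-1][1] == 0:
                if tno in groups[-1][0]:  # step 13: "2-0 again 2-0" is not repeated
                    continue
                groups[-1][0].append(tno)  # step 14: merge consecutive reads with ','
            else:
                groups.append(([tno], op))
            total += 1  # step 15
            (read_attrs if op == 0 else write_attrs)[rid].update(attrs)  # steps 16 / 20
        tap = "".join(",".join(map(str, tbs)) + f"-{op}|" for tbs, op in groups)
        if (rid, total, tap) not in seq_profile:  # steps 9 / 24
            seq_profile.append((rid, total, tap))
    priv = {rid: {0: attr_vector(read_attrs[rid]), 1: attr_vector(write_attrs[rid])}
            for rid in sorted(set(read_attrs) | set(write_attrs))}  # steps 25 / 26
    return seq_profile, priv


def parse_tap(tap):
    """'1,4-0|1-1|' -> [([1, 4], 0), ([1], 1)] (detection steps 9-10)."""
    return [([int(t) for t in tbs.split(",")], int(op))
            for tbs, op in (part.split("-") for part in tap.rstrip("|").split("|"))]


def sequence_matches(groups, txn):
    """txn: [(table number, rw)]. Writes must match in order; a run of consecutive reads
    may arrive in any order (feature a, detection steps 11-19)."""
    i = 0
    for tbs, op in groups:
        chunk = txn[i:i + len(tbs)]
        if len(chunk) != len(tbs) or any(o != op for _, o in chunk):
            return False
        seen = [t for t, _ in chunk]
        if not (sorted(seen) == sorted(tbs) if op == 0 else seen == tbs):
            return False
        i += len(tbs)
    return i == len(txn)


def detect(txn_rows, seq_profile, priv):
    """Detection algorithm for one online transaction set [(RID, Cmdtype, tbAcc, AttrAcc)].
    Returns 1 (valid) or 0 (malicious)."""
    rid = txn_rows[0][0]
    txn = [(TABLE_NO[t], rw(c)) for _, c, t, _ in txn_rows]
    # steps 6 / 8: profiles of this role or lower roles (Role ID >= RID) with the same length
    candidates = [parse_tap(tap) for prid, total, tap in seq_profile
                  if prid >= rid and total == len(txn)]
    if not any(sequence_matches(g, txn) for g in candidates):
        return 0
    # steps 7 / 21: attributes must be a subset of this role's own read-set or write-set
    for _, cmd, _, attrs in txn_rows:
        allowed = priv.get(rid, {}).get(rw(cmd), "0" * NBITS)
        if any(allowed[ATTR_BIT[a]] != "1" for a in attrs):
            return 0
    return 1


if __name__ == "__main__":
    seq, priv = learn_profiles(AUDIT_LOG)
    for row in seq:
        print(row)  # the four rows of TABLE II
    print(priv)
```

Two design points follow the paper's hierarchy rule: the sequence match may use the profile of the role itself or of any lower role (higher Role ID), while the attribute check always uses the transaction's own role, so a role that mimics another role's sequence is still rejected when it touches attributes outside its own read-set or write-set.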

TABLE I
AUDIT LOG

User ID   Session ID   Seq No   Command type   Target object    Attribute Access Information
1         10           1        Select         tblOrderMst      OrderID, OrderDate
1         10           2        Update         tblOrderMst      OrderDate
1         10           3        Update         tblShipperMst    ShipperID,
1         11           1        Select         tblOrderMst      OrderDate
2         15           1        Select         tblProductMst    ProductID
2         15           2        Update         tblProductMst    ProductName
2         20           1        Select         tblCustomerMst   CompanyName
2         20           2        Update         tblCustomerMst   CustomerName

TABLE II
SEQUENCE PROFILE

Role ID   Total Command   Table Access pattern
1         3               1-0|1-1|4-1|
1         1               1-0|
2         2               2-0|2-1|
2         2               3-0|3-1|

TABLE III
PRIVILEGE PROFILE

Role ID   RW   AttrAcc
1         0    11000000
1         1    01000000
2         0    00100100
2         1    00010100

IV. EXPERIMENTAL RESULTS

The experiment was performed on a synthetic dataset with two database schemas: D1 contains 4 tables (8 attributes) and D2 contains 5 tables (10 attributes). Different training record sizes are taken for the experiment, but the ratio of read and write operations in the audit log file remains the same. From Fig. 2 and Fig. 4 it is clear that the proposed algorithm requires less time. The storage space of the profile is in powers of 2. When 200 training records are used, the existing profile occupies 24 KB while the proposed total profile size is 16 KB (8 KB for the Privilege profile and 8 KB for the Sequence profile); here the behavior is divided into two phases, which gives a better solution for the repetition of attribute privilege rights. Fig. 3 shows the profile storage size comparison.

[Fig. 2. Learning process time consumption comparison. Line chart; x-axis: No of Training Log Record (50, 200, 350, 700, 1300, 1900, 2500); y-axis: Execution Average Time (ms), 0 to 1200; series: Existing Learning Execution Avg time (D1 Dataschema), Existing Learning Execution Avg time (D2 Dataschema), Proposed Learning Execution Avg time (D1 Dataschema), Proposed Learning Execution Avg time (D2 Dataschema).]

[Fig. 4. Detection process time consumption comparison. Line chart; x-axis: No of Online Log Records (200, 400, 600, 800, 1000, 1500); y-axis: Execution Time (ms), 0 to 1000; series: Existing Detection Avg time with D1 Schema, Proposed Detection Avg time with D1 Schema, Existing Detection Avg time with D2 Schema, Proposed Detection Avg time with D2 Schema.]

[Fig. 3. Profile Storage with different Learning Records size. Bar chart; x-axis: No of Learning Records (500, 1000, 1500, 2000, 2500, 3000); y-axis: Storage size (KB), 0 to 120; series: Existing Profile, ProSequence, ProPrivilege.]

V. CONCLUSION

In this paper we proposed a novel approach to detect database intrusion, which is based on a role hierarchy. We made changes to the existing DIDS approach [9] to decrease storage space and execution time. We designed the profile tables in a way that makes the detection process fast and requires less maintenance.

ACKNOWLEDGMENT

This research work is made possible due to persistent work and my guide's constant support. I would like to thank my friends and family for their encouragement.

REFERENCES

[1] US Cybercrime, “Rising risks, reduced readiness Survey”, US State of Cybercrime, 2014.
[2] R. Richardson, “Computer crime and security survey”, Computer Security Institute, 2010/11.
[3] E. Bertino, E. Terzi, A. Kamra and A. Vakali, “Intrusion Detection in RBAC-administered Databases”, in Proceedings of the 21st Annual Computer Security Applications Conference, pp. 170-182, 2005.
[4] J. Fonseca, M. Vieira and H. Madeira, “Integrated Intrusion Detection in Databases”, in Proceedings of Dependable Computing, Vol. 4746, pp. 198-211, 2007.
[5] Udai Rao, G. J. Sahani, Dhiren R. Patel, “Machine Learning Proposed Approach for Detecting Database Intrusions in RBAC Enabled Databases”, IEEE, 2010.
[6] YiRu Campan, James Walden, Irina Vorobyeva, Justin Shelton, “An Effective Log Mining Approach for Database Intrusion Detection”, IEEE, 2010.
[7] Yagnik Rathod, Prof. M. B. Chaudhari, Prof. G. B. Jethava, “Database Intrusion Detection by Transaction Signature”, IEEE, 2012.
[8] Yinzhao Li, Dongxu Yang, Jiadong Ren, Changzhen Hu, “An Approach for Database Intrusion Detection Based on the Event Sequence Clustering”, IEEE, 2009.
[9] Udai Rao, Nikhil Singh, Akash R. Amin, Kushal Sahu, “Enhancing Detection Rate in Database Intrusion Detection System”, Science and Information Conference, pp. 556-564, Aug 2014.
[10] Ricardo Jorge Santos, Jorge Bernardino, Marco Vieira, “Approaches and Challenges in Database Intrusion Detection”, SIGMOD Record, Vol. 43, September 2014.
[11] M. Kuhlmann, D. Shohat and G. Schimpf, “Role mining - revealing business roles for security administration using data mining technology”, in Proceedings of the eighth ACM Symposium on Access Control Models and Technologies, pp. 179-186, ACM, 2003.
[12] J. Vaidya, V. Atluri and Q. Guo, “The role mining problem: finding a minimal descriptive set of roles”, in SACMAT, pp. 175-184, ACM, 2007.
[13] Udai Rao, Nikhil Singh, “Detection of Privilege Abuse in RBAC Administered Database”, Springer, Intelligent Systems in Science and Information, Vol. 591, pp. 57-76, Feb 2015.
