Two-stage database intrusion detection by combining multiple evidence and belief update

Information Systems Frontiers

Abstract

Insider threats have gained prominence and pose the most challenging threats to a database system. In this paper, we propose a new approach for detecting intrusive attacks in databases by fusing information sources and using belief update. In database intrusion detection, intra-transactional features alone are not sufficient for detecting attackers within the organization, as they are potentially familiar with the day-to-day work. Thus, the proposed system uses inter-transactional as well as intra-transactional features for intrusion detection. Moreover, we consider three different sensitivity levels of table attributes in order to track malicious modification of highly sensitive attributes more carefully. We have analyzed the performance of the proposed database intrusion detection system using stochastic models. Our system performs significantly better than two intrusion detection systems recently proposed in the literature.

Acknowledgements

This work is partially supported by a research grant from the Department of Information Technology, Ministry of Communication and Information Technology, Government of India, under Grant No. 12(34)/04-IRSD dated 07/12/2004.

Author information

Corresponding author

Correspondence to Suvasini Panigrahi.

About this article

Cite this article

Panigrahi, S., Sural, S. & Majumdar, A.K. Two-stage database intrusion detection by combining multiple evidence and belief update. Inf Syst Front 15, 35–53 (2013). https://doi.org/10.1007/s10796-010-9252-2

  • DOI: https://doi.org/10.1007/s10796-010-9252-2
