Data and syntax centric anomaly detection for relational databases

Recent studies show that insider attacks that aim at exfiltrating data are very common and that these attacks are performed according to specific patterns. Protecting against such threats requires complementing existing security techniques, such as access control and encryption, with tools able to detect anomalies in data accesses. In this paper, we present a technique specifically tailored for detecting anomalous database accesses. Our technique extracts users' access patterns based on both the syntax of the input queries and the amount of data in their output results. Our technique is based on mining SQL queries in database audit logs in order to form profiles of the normal users' access patterns. New queries are checked upon these profiles, and deviations from these profiles are considered anomalous and thus indicative of possible attempts to exfiltrate or misuse the data. Our technique works under two application scenarios. The first is when the database has role-based access control (RBAC) in place. Under an RBAC system, users belong to roles and privileges are associated with roles rather than individual users. For this scenario, we form profiles of roles which make our approach usable for database management systems (DBMSs) that have a large user population; in this scenario, we apply the naive Bayesian classifier which shows accurate results in practice. We also employ multilabeling classification to enhance accuracy when the access patterns are common to multiple roles. The second application scenario is when the DBMS does not apply RBAC. In this scenario, we apply the COBWEB clustering method. Experimental results indicate that our techniques are very effective. (C) 2016 John Wiley & Sons, Ltd