Temporal sequence learning and data reduction for anomaly detection
ACM Transactions on Information and System Security (TISSEC)
DEMIDS: a misuse detection system for database systems
Integrity and internal control information systems
A Novel Intrusion Detection System Model for Securing Web-based Database Systems
COMPSAC '01 Proceedings of the 25th International Computer Software and Applications Conference on Invigorating Software Development
Architectures for Intrusion Tolerant Database Systems
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Intrusion Detection in Real-Time Database Systems via Time Signatures
RTAS '00 Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium (RTAS 2000)
A Computer Host-Based User Anomaly Detection System Using the Self-Organizing Map
IJCNN '00 Proceedings of the IEEE-INNS-ENNS International Joint Conference on Neural Networks (IJCNN'00)-Volume 5 - Volume 5
NOMAD: Traffic-based Network Monitoring Framework for Anomaly Detection
ISCC '99 Proceedings of the The Fourth IEEE Symposium on Computers and Communications
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
Proceedings of the 13th international conference on Architectural support for programming languages and operating systems
Detecting anomalous access patterns in relational databases
The VLDB Journal — The International Journal on Very Large Data Bases
SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack
HICSS '09 Proceedings of the 42nd Hawaii International Conference on System Sciences
Privilege states based access control for fine-grained intrusion response
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Design and Implementation of an Intrusion Response System for Relational Databases
IEEE Transactions on Knowledge and Data Engineering
A learning-based approach to the detection of SQL attacks
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
| Hi-index | 0.00 |
Data represent an extremely important asset for any organization. Confidential data such as military secrets or intellectual property must never be disclosed outside the organization. Therefore, one of the most severe threats in the case of cyber-insider attacks is the loss of confidential data due to exfiltration. A malicious insider who has the proper credentials to access the organization databases may, over time, send data outside the organization network through a variety of channels, such as email, crafted HTTP requests that encapsulate data, etc. Existing security tools for detection of cyber-attacks focus on protecting the boundary between the organization and the outside world. Numerous network-level intrusion detection systems (IDS) exist, which monitor the traffic pattern and attempt to infer anomalous behavior. While such tools may be effective in protecting against external attacks, they are less suitable when the data exfiltration is performed by an insider who has the proper credentials and authorization to access resources within the organization. In this paper, we argue that DBMS-layer detection and prevention systems are the best alternative to defend against data exfiltration because: (1) DBMS access is performed through a standard, unique language (SQL) with well-understood semantics; (2) monitoring the potential disclosure of confidential data is more effective if done as close as possible to the data source; and (3) the DBMS layer already has in place a thorough mechanism for enforcing access control based on subject credentials. By analyzing the pattern of interaction between subjects and the DBMS, it is possible to detect anomalous activity that is indicative of early signs of exfiltration. In the paper, we outline a taxonomy of cyber-insider dimensions of activities that are indicative of data exfiltration, and we discuss a high-level architecture and mechanisms for early detection of exfiltration by insiders. We also outline a virtualization-based mechanism that prevents insiders from exfiltrating data, even in the case when they manage to gain control over the network. The protection mechanism relies on explicit authorization of data transfers that cross the organizational boundary.