Clay Brockman
ITK 478
Fall 2007
Why Monitoring Database Application Behavior is the Best Database Intrusion Detection Method
Introduction
Why intrusion detection?
Comparing two types:
Monitoring Database Application Behavior
Using Time Signatures
Security
“Security is an integrative concept that includes the following properties: confidentiality …, authenticity …, integrity …, and availability” (Vieira and Madeira, 2005, p. 350)
Explanation of these properties
Intrusions
Occur in one of the following ways:
“intentional unauthorized attempts to access or destroy private data” (Vieira and Madeira, 2005, p. 351)
“malicious actions executed by authorized users to cause loss or corruption of critical data” (Vieira and Madeira, 2005, p. 351)
“external interferences aimed to cause undue delays in accessing or using data, or even denial of service” (Vieira and Madeira, 2005, p. 351)
Criteria
False Positive: the detection system reports an intrusion but the action is really a legitimate request (Afonso, et al., 2006, p. 37)
Accounts for 17% of recorded events (Afonso, et al., 2006, p. 37)
False Negative: the system will allow a malicious request to pass, identifying it as a legitimate request (Afonso, et al., 2006, p. 37)
Accounts for about 12% of recorded events (Afonso, et al., 2006, p. 37)
Monitoring Database Application Behavior
Developed by José Fonseca, Marco Vieira, and Henrique Madeira
This method “adds concurrent intrusion detection to DBMS using a comprehensive set of behavior abstractions representing database activity” (Fonseca, et al., 2006, p. 383).
Messages checked at 3 different levels:
Command Level
Transaction Level
Session Level
Monitoring Database Application Behavior (cont.)
Command Level: “checks if the structure of each executed command belongs to the set of command structures previously learned” (Fonseca, et al., 2006, p. 383)
Transaction Level: “checks if the command is in the right place inside the transaction profile (a transaction is a unit formed by a set of SQL commands always executed in the same sequence)” (Fonseca, et al., 2006, p. 383)
Session Level: “checks if the transaction fits in a known transaction sequence. It represents the sequence of operations that the user executes in a session” (Fonseca, et al., 2006, p. 383)
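The three-level check described on the two slides above, as an added example that is not code from the presentation or from Fonseca, Vieira and Madeira. The literal-abstraction rule in command_structure, the class and function names, and the sample SQL transactions are assumptions made for the illustration.

```python
import re
# Added example, not the authors' code: a three-level behaviour profile in
# the style Fonseca, Vieira and Madeira describe (values are abstracted away).
def command_structure(sql):
    """Replace literals with '?' and normalise case/whitespace."""
    s = re.sub(r"'[^']*'", "?", sql)        # string literals
    s = re.sub(r"\b\d+(\.\d+)?\b", "?", s)  # numeric literals
    return re.sub(r"\s+", " ", s).strip().upper()

class BehaviorProfile:
    def __init__(self):
        self.commands = set()      # command level: learned structures
        self.transactions = set()  # transaction level: ordered structures
        self.sessions = set()      # session level: ordered transactions

    def learn(self, session):
        """session = list of transactions, each a list of SQL commands."""
        tx_profiles = []
        for tx in session:
            structs = tuple(command_structure(c) for c in tx)
            self.commands.update(structs)
            self.transactions.add(structs)
            tx_profiles.append(structs)
        self.sessions.add(tuple(tx_profiles))

    def check(self, session):
        """Return (level, detail) alarms, each transaction reported at the
        lowest level where it deviates; an empty list means legitimate."""
        alarms, tx_profiles = [], []
        for tx in session:
            structs = tuple(command_structure(c) for c in tx)
            unknown = [s for s in structs if s not in self.commands]
            if unknown:                              # command level
                alarms.append(("command", unknown[0]))
            elif structs not in self.transactions:   # transaction level
                alarms.append(("transaction", structs))
            else:
                tx_profiles.append(structs)
        if not alarms and tuple(tx_profiles) not in self.sessions:
            alarms.append(("session", tuple(tx_profiles)))  # session level
        return alarms

# Constructed training data: a login transaction followed by an order.
LOGIN = ["SELECT id FROM users WHERE name='alice' AND pw='s3cret'"]
ORDER = ["INSERT INTO orders VALUES (17, 'book')",
         "UPDATE stock SET qty = qty - 1 WHERE item = 'book'"]
def build_demo_profile():
    profile = BehaviorProfile()
    profile.learn([LOGIN, ORDER])
    return profile
```

A session with different literal values passes every level; an altered WHERE clause fails at the command level, reordered commands fail at the transaction level, and an order placed without the preceding login fails at the session level.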
Monitoring Database Application Behavior (cont.)
Results:
1 normal request was found to be malicious, resulting in 1 false positive
100% accuracy on requests with slight changes
Randomly ordered SQL commands resulted in 4.2% false negatives
All 50 manual injections were caught
Time Signatures
Expects requests to come in at certain times
Based on a real-time database
Examples:
Stock Market
Power Grid
Air Traffic Control
Time Signatures (cont.)
Two different types of intrusions
User transactions: “the characteristics of an intruding transaction are identical to a user transaction except for the data object access pattern” (Lee, et al., 2000, p. 128)
Sensor transactions: read a sensor periodically to check for updated information (Lee, et al., 2000, p. 127-128)
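A time signature for periodic sensor transactions, as an added example that is not code from the presentation or from Lee et al. The median-gap learning rule, the 20% jitter tolerance, the early/late classification and the sensor trace are all constructed for the illustration.

```python
from statistics import median
# Added example, not Lee et al.'s code: a learned time signature for one
# sensor transaction; the trace, period and tolerance rule are constructed.
class TimeSignature:
    def __init__(self, period, tolerance):
        self.period = period        # expected gap between sensor updates
        self.tolerance = tolerance  # allowed jitter around each slot

    @classmethod
    def learn(cls, timestamps, tolerance_fraction=0.2):
        """Derive the period from the median gap in a normal trace."""
        gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
        period = median(gaps)
        return cls(period, period * tolerance_fraction)

    def check(self, timestamps):
        """Return (timestamp, kind) for updates off the signature: 'early'
        is an extra update between slots, 'late' follows a missed slot."""
        alarms = []
        expected = timestamps[0]    # first update anchors the schedule
        for t in timestamps[1:]:
            slot = expected + self.period
            if abs(t - slot) <= self.tolerance:
                expected = slot     # on schedule; track the slot, not t
            elif t < slot:
                alarms.append((t, "early"))  # schedule unchanged
            else:
                alarms.append((t, "late"))
                expected = t        # resynchronise after a gap
        return alarms

def learn_signatures(trace):
    """trace: (sensor_id, timestamp) events from normal operation,
    grouped per sensor so each sensor gets its own signature."""
    per_sensor = {}
    for sid, t in trace:
        per_sensor.setdefault(sid, []).append(t)
    return {sid: TimeSignature.learn(ts) for sid, ts in per_sensor.items()}

# Constructed normal trace: sensor 'a' updates every 5 s, 'b' every 2 s.
NORMAL_TRACE = [("a", 0), ("b", 0), ("b", 2), ("b", 4), ("a", 5),
                ("b", 6), ("b", 8), ("a", 10), ("b", 10), ("a", 15)]
```

An update that arrives between two expected slots is the kind of unexpected sensor transaction the time signature is meant to catch, while a small jitter around the slot is accepted so legitimate updates are not reported as false positives.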
Time Signatures (cont.)
Results:
False positive rate was as low as 0.36% (Lee, et al., 2000, p. 129)
False negative rate was as high as 5.5% (Lee, et al., 2000, p. 129)
Conclusion
Both methods had very low false positive rates
Monitoring Database Application Behavior was better on false negative rates by 1.5%