DEMIDS: A Misuse Detection System for Database Systems

Despite the necessity of protecting information stored in database systems (DBS), existing security models are insu cient to prevent misuse, especially insider abuse by legitimate users. Further, concepts for misuse detection in DBS have not been adequately addressed by existing research in misuse detection. Even though there are available means to guard the information stored in a database system against misuse, they are seldom used by security o cers because security policies of the organization are either imprecise or not known at all. This paper presents a misuse detection system called DEMIDS which is tailored to relational database systems. DEMIDS uses audit logs to derive pro les that describe typical behavior of users working with the DBS. The pro les computed can be used to detect misuse behavior, in particular insider abuse. Furthermore, the pro les can serve as a valuable tool for security reengineering of an organization by helping the security o cers to de ne/re ne security policies and to verify existing security policies, if there are any. Essential to the presented approach is that the access patterns of users typically form some working scopes which comprise sets of attributes that are usually referenced together with some values in queries. DEMIDS considers domain knowledge about the data structures and semantics encoded in a given database schema through the notion of distance measure. Distance measures are used to guide the search for frequent itemsets describing the working scopes of users. In DEMIDS such frequent itemsets are computed e ciently from audit logs using the data management and query processing features of the database management system.