TY - GEN
T1 - DetAnom
T2 - 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015
AU - Hussain, Syed Rafiul
AU - Sallam, Asmaa
AU - Bertino, Elisa
N1 - Publisher Copyright:
Copyright © 2015 ACM.
PY - 2015/3/2
Y1 - 2015/3/2
N2 - Database Management Systems (DBMSs) provide access control mechanisms that allow database administrators (DBAs) to grant application programs access privileges to databases. However, securing the database alone is not enough, as attackers aiming at stealing data can take advantage of vulnerabilities in the privileged applications and cause those applications to issue malicious database queries. Therefore, even though the access control mechanism can prevent application programs from accessing data to which the programs are not authorized, it is unable to prevent misuse of the data to which application programs are authorized for access. Hence, we need a mechanism able to detect malicious behavior resulting from previously authorized applications. In this paper, we design and implement an anomaly detection mechanism, DetAnom, that creates a profile of the application program which succinctly represents the application's normal behavior in terms of its interaction (i.e., submission of SQL queries) with the database. For each query, the profile keeps a signature and also the corresponding constraints that the application program must satisfy to submit that query. Later, in the detection phase, whenever the application issues a query, the corresponding signature and constraints are checked against the current context of the application. If there is a mismatch, the query is marked as anomalous. The main advantage of our anomaly detection mechanism is that we need neither any previous knowledge of application vulnerabilities nor any example of possible attacks to build the application profiles. As a result, our DetAnom mechanism is able to protect the data from attacks tailored to database applications, such as code modification attacks and SQL injections, and from other data-centric attacks as well. We have implemented our mechanism with a software testing technique called concolic testing and the PostgreSQL DBMS. Experimental results show that our profiling technique is close to accurate and requires an acceptable amount of time, and that the detection mechanism incurs low run-time overhead.
AB - Database Management Systems (DBMSs) provide access control mechanisms that allow database administrators (DBAs) to grant application programs access privileges to databases. However, securing the database alone is not enough, as attackers aiming at stealing data can take advantage of vulnerabilities in the privileged applications and cause those applications to issue malicious database queries. Therefore, even though the access control mechanism can prevent application programs from accessing data to which the programs are not authorized, it is unable to prevent misuse of the data to which application programs are authorized for access. Hence, we need a mechanism able to detect malicious behavior resulting from previously authorized applications. In this paper, we design and implement an anomaly detection mechanism, DetAnom, that creates a profile of the application program which succinctly represents the application's normal behavior in terms of its interaction (i.e., submission of SQL queries) with the database. For each query, the profile keeps a signature and also the corresponding constraints that the application program must satisfy to submit that query. Later, in the detection phase, whenever the application issues a query, the corresponding signature and constraints are checked against the current context of the application. If there is a mismatch, the query is marked as anomalous. The main advantage of our anomaly detection mechanism is that we need neither any previous knowledge of application vulnerabilities nor any example of possible attacks to build the application profiles. As a result, our DetAnom mechanism is able to protect the data from attacks tailored to database applications, such as code modification attacks and SQL injections, and from other data-centric attacks as well. We have implemented our mechanism with a software testing technique called concolic testing and the PostgreSQL DBMS. Experimental results show that our profiling technique is close to accurate and requires an acceptable amount of time, and that the detection mechanism incurs low run-time overhead.
UR - http://www.scopus.com/inward/record.url?scp=84928168636&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84928168636&partnerID=8YFLogxK
U2 - 10.1145/2699026.2699111
DO - 10.1145/2699026.2699111
M3 - Conference contribution
AN - SCOPUS:84928168636
T3 - CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
SP - 25
EP - 35
BT - CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery
Y2 - 2 March 2015 through 4 March 2015
ER -