DetAnom: Detecting anomalous database transactions by insiders

Syed Rafiul Hussain, Asmaa Sallam, Elisa Bertino

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

32 Scopus citations


Database Management Systems (DBMSs) provide access control mechanisms that allow database administrators (DBAs) to grant application programs access privileges to databases. However, securing the database alone is not enough, as attackers aiming at stealing data can take advantage of vulnerabilities in the privileged applications and make applications issue malicious database queries. Therefore, even though the access control mechanism can prevent application programs from accessing the data to which the programs are not authorized, it is unable to prevent misuse of the data to which application programs are authorized for access. Hence, we need a mechanism able to detect malicious behavior resulting from previously authorized applications. In this paper, we design and implement an anomaly detection mechanism, DetAnom, that creates a profile of the application program which can succinctly represent the application's normal behavior in terms of its interaction (i.e., submission of SQL queries) with the database. For each query, the profile keeps a signature and also the corresponding constraints that the application program must satisfy to submit that query. Later, in the detection phase, whenever the application issues a query, the corresponding signature and constraints are checked against the current context of the application. If there is a mismatch, the query is marked as anomalous. The main advantage of our anomaly detection mechanism is that we need neither any previous knowledge of application vulnerabilities nor any example of possible attacks to build the application profiles. As a result, our DetAnom mechanism is able to protect the data from attacks tailored to database applications, such as code modification attacks and SQL injections, and from other data-centric attacks as well. We have implemented our mechanism with a software testing technique called concolic testing and the PostgreSQL DBMS. Experimental results show that our profiling technique is close to accurate and requires an acceptable amount of time, and that the detection mechanism incurs low run-time overhead.

Original language: English (US)
Title of host publication: CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery
Number of pages: 11
ISBN (Electronic): 9781450331913
State: Published - Mar 2 2015
Event: 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015 - San Antonio, United States
Duration: Mar 2 2015 → Mar 4 2015

Publication series

Name: CODASPY 2015 - Proceedings of the 5th ACM Conference on Data and Application Security and Privacy


Other: 5th ACM Conference on Data and Application Security and Privacy, CODASPY 2015
Country/Territory: United States
City: San Antonio

All Science Journal Classification (ASJC) codes

  • Information Systems
  • Software
  • Computer Science Applications

