Abstract
There is growing security concern over the increasing number of databases that are accessible through the Internet. Such databases may contain sensitive information like credit card numbers and personal medical histories. Many e-service providers are reported to be leaking customers’ information through their websites. The attackers used SQL injection techniques to exploit poorly coded programs that interface with backend databases. We developed an architectural framework, DIDAFIT (Detecting Intrusions in DAtabases through FIngerprinting Transactions) [1], that can efficiently detect illegitimate database accesses. The system works by matching SQL statements against a known set of legitimate database transaction fingerprints. In this paper, we explore the various issues that arise in the collation, representation and summarization of this potentially huge set of legitimate transaction fingerprints. We describe an algorithm that summarizes the raw transactional SQL queries into compact regular expressions. This representation can be used to match incoming database transactions efficiently. A set of heuristics is used during the summarization process to ensure that the level of false negatives remains low. The algorithm also takes incomplete logs into consideration and heuristically identifies “high risk” transactions.
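The matching idea described in the abstract, as an added illustration that is not the paper's algorithm or DIDAFIT code: it only generalizes string and numeric literals in logged statements into regular expressions and applies none of the paper's heuristics for incomplete logs or high-risk transactions. The table names, log lines and function names are constructed for this sketch.

```python
import re

# A literal in a logged statement: a quoted string (with '' escapes) or a number.
LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
STRING_PAT = r"'(?:[^']|'')*'"
NUMBER_PAT = r"\d+(?:\.\d+)?"

def normalize(sql):
    """Collapse whitespace runs so logged and incoming statements compare alike."""
    return " ".join(sql.split())

def fingerprint(sql):
    """Turn one logged statement into regex source: fixed text kept, literals generalized."""
    sql = normalize(sql)
    parts, pos = [], 0
    for m in LITERAL.finditer(sql):
        parts.append(re.escape(sql[pos:m.start()]))   # statement skeleton, verbatim
        parts.append(STRING_PAT if m.group().startswith("'") else NUMBER_PAT)
        pos = m.end()
    parts.append(re.escape(sql[pos:]))
    return "".join(parts)

def learn(log):
    """Summarize a log of legitimate statements into a deduplicated fingerprint set."""
    return [re.compile(p) for p in sorted({fingerprint(q) for q in log})]

def is_legitimate(sql, fingerprints):
    """A statement passes only if some fingerprint matches it in full."""
    sql = normalize(sql)
    return any(fp.fullmatch(sql) for fp in fingerprints)

# Constructed sample log of statements issued by a hypothetical application.
LOG = [
    "SELECT name FROM users WHERE id = 17",
    "SELECT name FROM users WHERE id = 204",
    "SELECT * FROM orders WHERE cust = 'alice' AND status = 'open'",
    "SELECT * FROM orders WHERE cust = 'bob'   AND status = 'shipped'",
]
FINGERPRINTS = learn(LOG)   # four log lines summarize to two fingerprints

if __name__ == "__main__":
    for q in ["SELECT name FROM users WHERE id = 9",
              "SELECT name FROM users WHERE id = 9 OR 1 = 1"]:
        print("allow" if is_legitimate(q, FINGERPRINTS) else "ALERT", q)
```

A statement whose structure differs from every learned skeleton, such as one with an extra predicate appended, matches no fingerprint and is flagged.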
References
Low, W.L., Lee, S.Y., Teoh, P.: DIDAFIT: Detecting Intrusions in Databases Through Fingerprinting Transactions. In: Proceedings of the 4th International Conference on Enterprise Information Systems (ICEIS). (2002)
Atanasov, M.: The truth about internet fraud. In: Ziff Davis Smart Business, Available at URL http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2688776-11,00.html (2001)
Hatcher, T.: Survey: Costs of computer security breaches soar. In: CNN.com, Available at URL http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/ (2001)
Poulsen, K.: Guesswork Plagues Web Hole Reporting. In: SecurityFocus, Available at URL http://online.securityfocus.com/news/346 (2002)
Internet Security Systems: RealSecure Intrusion Detection Solution, Available at URL http://www.iss.net (2001)
NFR Security: NFR network intrusion detection, Available at URL http://www.nfr.com/products/NID/ (2001)
Enterasys Networks, Inc.: The Dragon IDS, Available at URL http://www.enterasys.com/ids/dragonids.html (2001)
Cisco Systems, Inc.: Cisco Intrusion Detection, Available at URL http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/ (2001)
Symantec Corporation: Enterprise Solutions, Available at URL http://enterprisesecurity.symantec.com/ (2001)
Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proceedings of the 13th Conference on Systems Administration (LISA-99), USENIX Association (1999) 229–238
Andrews, C.: SQL injection FAQ, Available at URL http://www.sqlsecurity.com (2001)
Anley, C.: Advanced SQL Injection In SQL Server Applications, Next Generation Security Software Ltd, Available at URL http://www.nextgenss.com/papers/advancedsqlinjection.pdf (2002)
Anley, C.: (more) Advanced SQL Injection, Next Generation Security Software Ltd, Available at URL http://www.nextgenss.com/papers/moreadvancedsqlinjection.pdf (2002)
Oracle: Oracle, 2001, Available at URL http://www.oracle.com (2001)
Chung, C. Y., Gertz, M., Levitt, K.: Misuse detection in database systems through user profiling. In: Web Proceedings of the 2nd International Workshop on the Recent Advances in Intrusion Detection (RAID). (1999)
Quinlan, J. R.: Induction of decision trees. In Shavlik, J.W., Dietterich, T. G., eds.: Readings in Machine Learning. Morgan Kaufmann (1990) Originally published in Machine Learning 1:81-106, 1986.
Hovy, E., Lin, C. Y.: Automated Text Summarization in SUMMARIST. In: Proceedings of ACL/EACL Workshop on Intelligent Scalable Text Summarization. (1997) Madrid, Spain.
Boguraev, B., Bellamy, R.: Dynamic Presentation of Phrasally-Based Document Abstractions. In: Proceedings of Thirty-second Annual Hawaii International Conference on System Sciences (HICSS). (1998)
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Lee, S.Y., Low, W.L., Wong, P.Y. (2002). Learning Fingerprints for a Database Intrusion Detection System. In: Gollmann, D., Karjoth, G., Waidner, M. (eds) Computer Security — ESORICS 2002. ESORICS 2002. Lecture Notes in Computer Science, vol 2502. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45853-0_16
DOI: https://doi.org/10.1007/3-540-45853-0_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44345-2
Online ISBN: 978-3-540-45853-1
eBook Packages: Springer Book Archive