Description:

Database Assurance: Anomaly Detection for Relational Databases

This talk, titled "Database Assurance: Anomaly Detection for Relational Databases", was given by Dr. Peter Mork in the CERIAS Security Seminar.

Abstract:

Behind countless complex applications lurk trusty relational databases that are responsible for managing the data that fuel these applications. For example, relational databases are used to support electronic medical health record systems, timecard reporting systems, and transportation systems. Ideally, the relational database system has been sufficiently hardened to prevent exfiltration or modification of data. Unfortunately, adversaries often have insider access to the networks and machines on which the database is running and can easily circumvent such security measures. Therefore, in this research project, we create profiles of known, legitimate behavior so that we can flag any anomalous behavior as potentially illegitimate.

In this presentation, because SQL injection remains the #1 attack vector, I will first illustrate how SQL injection attacks can exfiltrate data from a database system. I will then discuss various locations within the database engine where one might monitor activity, highlighting the benefits of placing a monitor between the query optimizer and query execution engine. Next, I will describe how we use cross-feature analysis to generate profiles of legitimate behavior and how these profiles are used at run-time to identify anomalous activity. Then, I will present experimental results both in terms of performance overhead and precision/recall. I will conclude with a discussion of when our techniques are most applicable and how a clever adversary might nevertheless elude our monitor.

Speaker Bio:

Dr. Peter Mork is a Senior Technology Advisor and Principal Database Research at The MITRE Corporation. At MITRE his research revolves around data management topics including metadata management, data discovery, privacy and security. He also advises the Department of Health and Human Services on strategies for sharing data, particularly in the presence of privacy constraints.
He received his PhD in 2005 from the University of Washington on the topic of Peer Architectures for Knowledge Sharing.