A safeguard to database intrusions

“This paper describes how the fingerprints for database transactions can be represented and presents an algorithm to learn and summarize SQL statements into fingerprints.”

Learning Fingerprints for a Database Intrusion Detection System, by Sin Yeung Lee, Wai Lup Low, and Pei Yuen Wong. October 14-16, LNCS 2502, p. 264ff.

Prepared by Yuman Huang

Upload: grace-hall

Post on 18-Dec-2015


Basic concepts

Database intrusion refers to “the act of individuals who use the database without authorisation, and those who are authorised, but abuse their privileges”.[1]

DIDAFIT detects database intrusions by matching incoming transactions with fingerprints of the signature database at the application level.

The authors claim that the paper is the only work using SQL transaction fingerprints or signatures to detect database intrusions.


Architecture for DIDAFIT

Building up an accurate signature database is an essential part of the architecture. Accurate means “free from error”, i.e. it properly classifies SQL statements as “legitimate” or “illegitimate”.


Comments

Criticism

It only works on a relational DB, and is based on SQL injection in a SQL Server environment.

The security of the signature/fingerprint database has not been considered in this paper.

Appreciation

It is a way of protecting important database assets, for instance our credit card numbers, at the application level.

The database administrator (DBA) plays an important role in the learning process.


The role of a DBA

Optional: To specify a trace log and a set of attributes with implicit meaning as inputs to the algorithm.

To determine whether an attribute value contains implicit meaning for operations and data sensitivity.

An attribute with “implicit meaning” is one whose valid values are restricted to a small list of pre-determined values, and whose values also carry implications for operations and data sensitivity.

Required: To confirm the legitimacy of a produced fingerprint before it is included in the signature database.


How DBA may affect the accuracy

If the DBA does not have enough knowledge or experience to play his/her role, not only are business rules overruled because of oversummarised fingerprints, but illegitimate fingerprints are also included in the signature database.

The accuracy of the signature database is ruined. DIDAFIT is no longer a safeguard against database intrusions, but a barrier to database performance.
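A minimal sketch of fingerprint learning and matching as summarised on the two slides above, added here as an illustration; it is not the DIDAFIT algorithm from the paper and not code from this presentation. It assumes a fingerprint is the statement with each literal replaced by `?`, except literals compared against attributes the DBA marked as having implicit meaning; the function names, the `approve` callback standing in for DBA confirmation, and all statements are constructed.

```python
import re

# Optional "<attribute> <op>" prefix, then a literal (quoted string or number).
_LITERAL = re.compile(
    r"(?:(\b[A-Za-z_][\w.]*)\s*(<>|<=|>=|=|<|>)\s*)?"
    r"('(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)")

def fingerprint(sql, implicit_attrs=()):
    """Summarise a statement: every literal becomes '?', except literals
    compared against an attribute marked as having implicit meaning."""
    keep = {a.lower() for a in implicit_attrs}

    def summarise(m):
        attr, op, literal = m.groups()
        if attr is None:                      # literal not tied to an attribute
            return "?"
        column = attr.lower().split(".")[-1]  # drop any table qualifier
        return f"{attr} {op} {literal if column in keep else '?'}"

    # Substitute literals, then collapse runs of whitespace.
    return " ".join(_LITERAL.sub(summarise, sql).split())

def learn(trace_log, implicit_attrs=(), approve=lambda fp: True):
    """Build the signature set; `approve` stands in for DBA confirmation."""
    candidates = {fingerprint(s, implicit_attrs) for s in trace_log}
    return {fp for fp in candidates if approve(fp)}

def is_legitimate(sql, signatures, implicit_attrs=()):
    return fingerprint(sql, implicit_attrs) in signatures

# Constructed trace log from a hypothetical application.
TRACE = [
    "SELECT name, balance FROM accounts WHERE owner_id = 1001 AND status = 'ACTIVE'",
    "SELECT name, balance FROM accounts WHERE owner_id = 2042 AND status = 'ACTIVE'",
    "UPDATE orders SET qty = 3 WHERE order_id = 77",
]
IMPLICIT = {"status"}  # assumed: small fixed value list with business meaning
# Constructed incoming statements: a business-rule violation and a tautology.
CLOSED = "SELECT name, balance FROM accounts WHERE owner_id = 7 AND status = 'CLOSED'"
TAUTOLOGY = ("SELECT name, balance FROM accounts "
             "WHERE owner_id = 1001 OR 1=1 AND status = 'ACTIVE'")

if __name__ == "__main__":
    strict = learn(TRACE, IMPLICIT)
    loose = learn(TRACE)  # oversummarised: 'status' is generalised to '?'
    for name, stmt in (("closed", CLOSED), ("tautology", TAUTOLOGY)):
        print(name, is_legitimate(stmt, strict, IMPLICIT), is_legitimate(stmt, loose))
```

With `status` kept in the fingerprint, the query on closed accounts is rejected; in the oversummarised signature set it is accepted, which is the loss of a business rule described above.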


Questions

Can we use an expert system to support the learning process instead of relying on the DBA?

Is it possible to apply the principles of DIDAFIT on an object-oriented DB or a native XML DB?