Database intrusion detection using role and user behavior based risk assessment

Abstract Present-day organizations continue to expose their critical information infrastructures over the Internet for facilitating accessibility; substantially raising concerns about the security of data from both outsiders and insiders. In this paper, we propose a novel approach for detecting intrusive attacks on databases by assessing the risk for incoming transaction based upon the conflation of multiple behavior-based components for the user. In a database intrusion detection system for a role-based access (RBAC) environment, it is not sufficient to focus on role-based features as every user within the same role has a degree of uniqueness. Moreover, traditional database intrusion detection systems classify the incoming transactions into two classes (Malicious or Non-malicious), taking the same action for all transactions that are labeled as malicious irrespective of the damage it can cause to the system. Our approach, Role and User Behavior-based Risk Assessment (RUBRA) uses both role-behavior and user-behavior based features for detecting an intrusive attack. Further, we also quantify the risk associated with the incoming transaction, streamlining the countermeasure process. Experiments on stochastic datasets show promising results on both detection and labeling of malicious transactions.