Insider Threat on Databases: Modeling and Mitigation Techniques
Insider threat is one of the most prevalent problems for organizations, including the military, intelligence communities, and business enterprises. One of the crucial reasons why it is very difficult to deal with data leakage and insider attacks is the trust placed in legitimate actors (i.e., employees). When an employee misuses their legitimate access rights, gains unauthorized access to a resource, steals someone else's access credentials, or even unintentionally gets their own access credentials stolen, they become an insider threat. Unauthorized account openings and money transfers, identity theft, and credit fraud are just a few well-known examples of this attack type.

Most database security monitoring systems depend on rule-based analysis and take action against attack types such as SQL injection. Nowadays, database security research is focused on outsourced database integrity and encrypted databases. These fields usually focus on preventive measures. Detecting such attacks is a complementary feature to the preventive measures.

In this dissertation, primarily, the detection of insider threats to database management systems is addressed. First, a threat model that addresses the most common insider attacks on databases is created. This model is built considering the most common existing attack types, defense models, and their complexities. Then a framework for modeling the normal behavior of users on database systems, for detecting anomalous behavior while accounting for temporal behavior drift, is presented. This framework extracts data access probability distributions from user-issued queries and measures the statistical distance between them to identify the drift. It also utilizes deep learning to identify perpetrators in case of an attack. Finally, the usage areas of ontologies are investigated in order to reduce the false positive rate when the system detects an anomaly.

The experiments are conducted by utilizing two large real-world datasets: query data collected from a national bank, and query logs from a smartphone-based testbed. The smartphone query logs are well annotated and are used to validate the methodologies we created. The bank data, on the other hand, is heavily anonymized, and there is no user information associated with the SQL queries. Hence, the bank data is used to test the feasibility of using the methods presented in this dissertation in real time.

The specific tasks addressed in this dissertation are building a threat model for insider threats against relational databases, analyzing the existing attack and defense models in terms of complexity, creating a framework to construct normal behavior models of users on a database, providing a defense strategy against the modeled threat, and investigating the feasibility of ontologies to improve the accuracy and usability of insider threat detection systems.
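The drift-detection idea sketched above (a per-user data-access distribution extracted from issued queries, compared against a baseline with a statistical distance), as an added illustration that is not the dissertation's own code: the table-extraction regex, the choice of Jensen-Shannon divergence, the 0.3 threshold and the sample query logs are all assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed query logs for one user (assumed sample data, not from the dissertation).
BASELINE = [
    "SELECT name FROM customers WHERE id = 1",
    "SELECT amount FROM transactions WHERE cust_id = 1",
    "SELECT name FROM customers WHERE id = 2",
    "SELECT t.amount FROM transactions t JOIN customers c ON t.cust_id = c.id",
]
NORMAL_WINDOW = [
    "SELECT name FROM customers WHERE id = 3",
    "SELECT amount FROM transactions WHERE cust_id = 3",
    "UPDATE customers SET phone = '555-0100' WHERE id = 3",
]
DRIFTED_WINDOW = [
    "SELECT ssn FROM employees",
    "SELECT salary FROM payroll",
    "SELECT p.salary FROM payroll p JOIN employees e ON p.emp_id = e.id",
    "SELECT name FROM customers WHERE id = 4",
]
# Assumed feature: the tables a statement touches (a real system would use a SQL parser).
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def access_distribution(queries):
    """Probability distribution over table names referenced in a window of queries."""
    counts = Counter(t.lower() for q in queries for t in _TABLE_RE.findall(q))
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()} if total else {}


def js_divergence(p, q):
    """Jensen-Shannon divergence with log base 2, so the result lies in [0, 1]."""
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}

    def kl(a):  # KL(a || m); m[k] > 0 wherever a[k] > 0, so no division by zero
        return sum(v * math.log2(v / m[k]) for k, v in a.items() if v > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def detect_drift(baseline, window, threshold=0.3):
    """Compare a new window with the baseline profile; the threshold is an assumed tuning value."""
    d = js_divergence(access_distribution(baseline), access_distribution(window))
    return d, d >= threshold


if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("drifted", DRIFTED_WINDOW)):
        d, flagged = detect_drift(BASELINE, window)
        print(f"{label}: JS divergence={d:.3f} drift={flagged}")
```

A window that touches tables absent from the baseline (payroll, employees) drives the divergence toward 1, while a window with the usual mix of tables stays near 0; the threshold would be tuned per user against annotated logs such as the smartphone testbed data.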