TRADS: A Temporal and Role-Based Anomaly Detection System for Insider Threats to Relational Databases
摘要
Insider misuse of resources poses a serious threat to enterprises. Since insiders have legitimate access to the database, it becomes challenging to protect it from malicious insider operations. The existing techniques tried to solve the problem by considering the normal behavior of applications and roles in terms of data items accessed, size of the result set, and access frequencies. We found that the data access requirements of a role in an organization, change depending on the time slots in a day and also can change over a period of time. In this work, we propose an anomaly detection system, Temporal and Role-based Anomaly Detection System (TRADS), that considers the roles played by insiders, and temporal data access frequencies to figure out abnormalities. To overcome the limitation of role-level granularity in prior systems, TRADS also logs the UserId for each query, enabling anomaly detection at the user level and improving accountability during investigations. We designed and implemented TRADS to validate the correctness. Our experimental results show that our approach works correctly and can complement the existing techniques.