The Research And Implementation Of Database Intrusion Detection System GKD-DBIDS

Posted on: 2007-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: Z F Kuang
GTID: 2178360215970269
Subject: Computer Science and Technology

Abstract/Summary:
Databases are now the foundation of data processing and management in the information society, and the security of information systems is of the utmost importance. At present, the primary database security techniques, such as user authentication, access control and encryption, cannot meet the needs of information security. Intrusion detection can detect an attacker's intention and actions before serious consequences occur, and can take appropriate measures to protect the information system. An intrusion detection system based on analysis of the database audit log is therefore very necessary. In the future, database intrusion detection systems will play a very important role in information security and warfare.

First, this paper discusses database security standards and gives a comprehensive account of the Oracle database's security mechanisms. It analyses the existing weaknesses of those mechanisms, which include the security of the database host machine and the limitations of user authentication, access control and audit trails. Four kinds of external attack on Oracle are also enumerated: inference attack, interpolation attack, denial of service attack and illegal login attack.

Next, this paper gives a comprehensive analysis of intrusion detection techniques, including their definition, function and categories.

Two database anomaly detection techniques are studied in depth: one based on cluster analysis and association rule mining, and the other based on a hidden Markov model. The first takes full advantage of the benefits of both cluster analysis and association rule mining. It reduces the time of association rule mining, increases the number of association rules, and increases detection accuracy. The design of the system architecture, statistical preprocessing of audit data, subject and object quantization, subject and object clustering, Boolean preprocessing, association rule mining and the anomaly detection algorithm are presented.

The second method, based on a hidden Markov model, is simpler than the first, with lower time complexity, smaller storage requirements, a simpler detection algorithm and higher detection accuracy. The related issues include how to apply a hidden Markov model to database anomaly detection. As the observation sequence becomes longer, the value of P{O/λ} becomes smaller, which makes anomalous sequences difficult to recognize, so the concept of a sliding window is introduced. In the algorithm, the operation sequence of a database user is first divided into short operation sequences, and P{X/λ} is then computed for each short sequence against the normal model. If its output probability exceeds a given threshold, the short operation sequence is recognized as "anomalous". If the ratio of the number of anomalous operation sequences to the number of all sequences exceeds another given threshold, the observation sequence is considered an intrusion. The computation of the output probability of observed symbols and the algorithm for computing P{O/λ} are also discussed.

Based on these two database anomaly detection methods, a prototype database intrusion detection system, GKD-DBIDS, is implemented with VC++ 6.0 and Oracle 10g on Windows 2003 Server. The system architecture, database design, key data structures and multithreading technology are presented. The prototype can perform detection both online and offline.

Finally, GKD-DBIDS is tested and evaluated through attack testing and performance testing. The attack tests cover the inference attack, interpolation attack, denial of service attack and illegal login attack. The performance tests compare cluster-analysis-based association rule mining, association rule mining, and the hidden Markov model based anomaly detection method.
Keywords/Search Tags: database security, intrusion detection, data mining, association rule, hidden Markov model
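
The sliding-window procedure described in the abstract, written out as an added example (not code from the thesis or from GKD-DBIDS). The model parameters, sessions, window width and both thresholds are constructed, and scoring each window as -ln P{X/λ}, so that a score above the threshold marks a window the normal model finds unlikely, is an assumption of this example.

```python
import math

# Constructed "normal behaviour" model lambda = (PI, A, B); all values are
# illustrative, not from the thesis. Hidden states: 0 = reading, 1 = writing.
OPS = {"SELECT": 0, "INSERT": 1, "UPDATE": 2, "DELETE": 3}
PI = [0.8, 0.2]
A = [[0.9, 0.1], [0.3, 0.7]]
B = [[0.94, 0.03, 0.02, 0.01],
     [0.30, 0.40, 0.28, 0.02]]

def window_prob(window):
    """Forward algorithm: P{X/lambda} for one short operation sequence."""
    obs = [OPS[op] for op in window]
    alpha = [PI[i] * B[i][obs[0]] for i in range(len(PI))]
    for o in obs[1:]:
        alpha = [sum(alpha[i] * A[i][j] for i in range(len(PI))) * B[j][o]
                 for j in range(len(PI))]
    return sum(alpha)

def sliding_windows(seq, width):
    """Split a user's operation sequence into overlapping short sequences."""
    if len(seq) < width:
        return [seq] if seq else []
    return [seq[i:i + width] for i in range(len(seq) - width + 1)]

def detect(seq, width=4, score_threshold=8.0, ratio_threshold=0.3):
    """Return (anomalous_ratio, is_intrusion) for one audit-log session.

    Assumption: each window is scored as -ln P{X/lambda}; a score above
    score_threshold marks the window as anomalous.
    """
    wins = sliding_windows(seq, width)
    if not wins:
        return 0.0, False
    anomalous = sum(1 for w in wins
                    if -math.log(max(window_prob(w), 1e-300)) > score_threshold)
    ratio = anomalous / len(wins)
    return ratio, ratio > ratio_threshold

# Constructed sessions: routine work vs. a burst of deletions.
NORMAL = ["SELECT"] * 6 + ["INSERT", "UPDATE"] + ["SELECT"] * 4
SUSPECT = ["SELECT"] * 6 + ["DELETE"] * 4 + ["SELECT"] * 2
```

Windowing keeps each P{X/λ} at a comparable scale regardless of session length, which is why the second threshold is applied to the fraction of flagged windows rather than to the probability of the whole sequence.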