
Research On Behavior-based Anomaly Detection

Posted on: 2008-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: P G Zhou
GTID: 2178360272468163
Subject: Computer software and theory
Abstract/Summary:
With the integration of database and network technology, more and more government, business, and financial departments connect their databases to the internet, and databases face an escalating attack environment. Traditional database security technology is no longer fit for this situation. To enhance database security, this thesis studies database intrusion detection technology, including the architecture of a database intrusion detection system, the definition of the behavior rule and its generation algorithm, and rule-based database intrusion detection.

The thesis proposes an architecture for the database intrusion detection system consisting of four modules (SQL Server profiler, data parser, rule generation, and intrusion detection) and two warehouses (the audit warehouse and the rule warehouse). The system runs in two phases: in the learning phase it generates the normal behavior rules, and in the working phase it detects intrusion activity.

Regarding the behavior rule, on the basis that the behavior semantics of a database application are stable and extractable, the thesis defines the behavior rule, establishing a relation between the behavior rule and the database application's behavior semantics. It proposes a way to partition behavior rules in the audit data and gives an algorithm for rule generation. Furthermore, it compresses the behavior rules by deleting redundant rules, which speeds up the intrusion detection phase because the normal behavior rules are reduced to a fairly small number.

Regarding the design and implementation of intrusion detection, the thesis incorporates behavior rule generation into intrusion detection, based on the definition of the behavior rule. It specifies misuse detection and anomaly detection as the two parts of the intrusion detection phase. It also implements static and dynamic intrusion detection. Static intrusion detection analyzes historical audit data to find intrusion activity; dynamic intrusion detection analyzes online audit data to find intrusion activity, using an incremental audit data parsing technique, and achieves a certain real-time capability at the cost of a slight reduction in performance.
Keywords/Search Tags: intrusion detection, behavior rule, behavior semantic