The Research Of Application Signature-based Database Intrusion Detection

Along with the rapid development and pervasive application of the computer network, many institutions and enterprises link their database with the network to achieve information sharing. However, when people enjoy the convenience brought along, the database on line is suffering from more and more attack. So database security has become an important research area of information security.Nowadays, Most large scale DBMSs(Database Management System) such as Oracle and SQL SERVER all have its own security mechanisms, however, existing security mechanisms can't solve all problems. for example, if a user who has the account of administrator can completely control the DBMS. Although all large scale DBMSs have the ability of auditing, it is very hard to find the possible invasion from the large amount of statistics by hand because of its large data volume.In this paper we firstly introduced the develop process of intrusion detection system and described its functions, model, classification and common used techniques for intrusion detection. we also pointed out the problems of existing intrusion detection system, including the perspective of intrusion detection system. Secondly, we introduce the problems existing in database security and database audit system, and proposed a new type online database audit system, which collects operation information from clients using the way of monitoring the network transaction by pass, without any changes of network architecture, any affects to normal transactions. By this way we can get unified format audit data, which is easy to query and statistics. Secondly we analyzed the difference between misuse-based and anomaly-based intrusion detection, and bring forward the way of describing application signatures by combining regular expression with its context. Based on this description, we proposed a new model of application signature-based database intrusion detection based on data mining. The model has two forms-online and offline one. We can get real-time audit data and discovery intrusion actions quickly using the combination of above audit subsystem and detection subsystem. Also we give the result of experiments.