
An Approach For Database Intrusion Detection Based On The Event Sequence Clustering

Posted on: 2011-01-10
Degree: Master
Type: Thesis
Country: China
Candidate: D X Yang
Full Text: PDF
GTID: 2178360302994843
Subject: Computer software and theory
Abstract/Summary:
Database intrusion detection technology is an important part of database security. Existing intrusion detection systems, which use pattern matching, achieve both good detection efficiency and high accuracy on known attacks; however, their efficiency and accuracy are limited on unknown attacks. To improve intrusion detection performance on unknown attacks, this thesis focuses on two problems: designing an anomaly detection approach based on clustering event sequences, and improving the misuse detection algorithm.

Firstly, we analyze the existing database intrusion detection technology. Existing systems generally have high execution speed but low efficiency. To overcome these shortcomings, a database intrusion detection model based on clustering event sequences is proposed. In this model, the anomaly detection component, which is designed around clustering of event sequences, reduces the false alarm rate, while the parallel execution of misuse detection and anomaly detection greatly improves system efficiency.

Secondly, the misuse detection algorithm is improved according to the dynamically increasing character of the audit data. It keeps the advantages of traditional misuse detection and also establishes a parallel operation mechanism for intrusion detection: if an intrusion is found, the anomaly detection is terminated immediately, which improves system resource utilization. In addition, the dynamic sliding window used in the improved algorithm reduces the time needed to match a new intrusion against the misuse rule base, thus improving detection efficiency.

Thirdly, three operations on event sequences, insert, delete and move, are re-defined for the anomaly detection procedure, and the edit distance is improved using these operations. On this basis, a sequence-of-events clustering algorithm, abbreviated SOEC, is proposed. SOEC calculates the similarity between two sequences using the edit distance. By clustering sequences of SQL statements, the similarity arising from differences between event sequences can be captured. In addition, SOEC promptly improves and updates the base of the user's normal behavior rules, thus reducing the system's false positive and false negative rates.
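The following is an added worked example, not code from the thesis, illustrating the idea the abstract describes: an edit distance over event sequences with only insert, delete and move operations, used to cluster a user's normal SQL-statement sequences and to flag a new sequence whose distance to every cluster exceeds a threshold. Because the thesis's own definition of "move" is not on this page, the example assumes a move is a swap of two adjacent events; the threshold value, the single-linkage cluster distance, the normalisation by combined length, and all event sequences are constructed for the example.

```python
"""Event-sequence clustering for database anomaly detection (added example)."""
from typing import List, Tuple

Event = str
Sequence = List[Event]


def edit_distance(a: Sequence, b: Sequence,
                  w_ins: float = 1.0, w_del: float = 1.0, w_move: float = 1.0) -> float:
    """Edit distance between two event sequences using only insert, delete and move.

    'move' is ASSUMED here to be a swap of two adjacent events (the thesis's own
    definition is not on the page).  There is no substitution operation, so
    replacing one event costs a delete plus an insert.
    """
    n, m = len(a), len(b)
    d = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        d[i][0] = i * w_del            # delete every event of a
    for j in range(1, m + 1):
        d[0][j] = j * w_ins            # insert every event of b
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            best = min(d[i - 1][j] + w_del,     # delete a[i-1]
                       d[i][j - 1] + w_ins)     # insert b[j-1]
            if a[i - 1] == b[j - 1]:
                best = min(best, d[i - 1][j - 1])          # events match, no cost
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                best = min(best, d[i - 2][j - 2] + w_move)  # move: adjacent swap
            d[i][j] = best
    return d[n][m]


def normalized_distance(a: Sequence, b: Sequence) -> float:
    """Scale the distance into [0, 1]: 0 = identical, 1 = nothing in common."""
    if not a and not b:
        return 0.0
    return edit_distance(a, b) / (len(a) + len(b))


class SequenceProfile:
    """Clusters of one user's normal event sequences (single-linkage, thresholded)."""

    def __init__(self, threshold: float):
        self.threshold = threshold
        self.clusters: List[List[Sequence]] = []

    def nearest(self, seq: Sequence) -> Tuple[int, float]:
        """Index of the closest cluster and the distance to its closest member."""
        best_idx, best_dist = -1, float("inf")
        for idx, members in enumerate(self.clusters):
            dist = min(normalized_distance(seq, m) for m in members)
            if dist < best_dist:
                best_idx, best_dist = idx, dist
        return best_idx, best_dist

    def train(self, seq: Sequence) -> int:
        """Add a known-normal sequence; open a new cluster if none is close enough."""
        idx, dist = self.nearest(seq)
        if idx >= 0 and dist <= self.threshold:
            self.clusters[idx].append(seq)
            return idx
        self.clusters.append([seq])
        return len(self.clusters) - 1

    def check(self, seq: Sequence) -> Tuple[bool, float]:
        """Return (is_anomalous, distance).  A sequence judged normal is added to
        its cluster, so the profile keeps up with the user's evolving behaviour."""
        idx, dist = self.nearest(seq)
        if idx >= 0 and dist <= self.threshold:
            self.clusters[idx].append(seq)
            return False, dist
        return True, dist


# Constructed sample data: each event is "<verb>:<table>" abstracted from a SQL audit log.
S1 = ["LOGIN", "SELECT:users", "SELECT:orders", "UPDATE:orders", "COMMIT"]
S2 = ["LOGIN", "SELECT:orders", "SELECT:users", "UPDATE:orders", "COMMIT"]   # move
S3 = ["LOGIN", "SELECT:users", "UPDATE:orders", "COMMIT"]                    # delete
S4 = ["LOGIN", "SELECT:products", "SELECT:inventory", "COMMIT"]
S5 = ["LOGIN", "SELECT:products", "COMMIT"]
NORMAL = [S1, S2, S3, S4, S5]
UNUSUAL = ["LOGIN", "SELECT:salaries", "SELECT:salaries",
           "SELECT:salaries", "SELECT:salaries", "COMMIT"]


def build_profile(threshold: float = 0.3) -> SequenceProfile:
    profile = SequenceProfile(threshold)
    for seq in NORMAL:
        profile.train(seq)
    return profile


if __name__ == "__main__":
    p = build_profile()
    print("clusters:", len(p.clusters))
    print("unusual sequence:", p.check(UNUSUAL))
```

With the constructed data the five normal sequences fall into two clusters (an orders workflow and a products workflow); the repeated reads of an unfamiliar table are far from both, so `check` reports them as anomalous, while a sequence that differs from a cluster member by a single deleted event is accepted and absorbed into the profile.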
Keywords/Search Tags: intrusion detection, database security, event sequence, cluster, edit distance