
Research On A Database Intrusion Detection Method Based On Log Mining

Posted on: 2017-03-02
Degree: Master
Type: Thesis
Country: China
Candidate: W S Gu
Full Text: PDF
GTID: 2308330482495702
Subject: Software engineering

Abstract/Summary:
Information systems are becoming more and more open. People's information is stored, directly or implicitly, on the Internet. If that information is leaked or stolen, lawbreakers can use it to obtain a person's telephone number, address and job, to which they can then send advertisements and service offers. Worse, lawbreakers can obtain credit card account numbers and passwords by technical means and steal money with them. Information security is therefore very important. People and organizations spend a great deal of money and equipment securing their hosts and servers, yet most of these devices cannot protect the database in which the information is actually stored. This paper proposes a novel method, MRDID (Database Intrusion Detection based on Maximal Rules), for detecting anomalous transactions in a database system. Anomalous transactions differ from the usual operations and may compromise information security. Maximal rules are of two kinds: frequent maximal data item rules and frequent maximal domain rules. MRDID mines the hidden maximal rules between data items and between domains from database logs at these two granularities. Mining the maximal rules takes two steps: data preprocessing and rule mining. Compared with existing methods for simplifying database logs, which reduce SQL statements to only two basic operations (read and write), MRDID simplifies them to three: read, write and delete. The new simplification can therefore process the DELETE statements in database logs, which the existing methods cannot, so more statements are covered. Converting the database log into a uniform format also makes it easy to mine maximal rules from it.

The maximal rules mined from the set of normal database transactions are taken as the model of normal behaviour; we consider the maximal rules to capture the largest and most complete normal transaction set. A transaction that does not comply with the maximal rules is treated as anomalous. The anomalous transactions may include malicious transactions as well as some normal transactions that happen not to comply with the maximal rules. Experiments demonstrate that MRDID can detect anomalous transactions effectively, with a high true positive rate and a low false positive rate.
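As an added illustration, not code from the thesis, the following Python sketch follows the pipeline the abstract describes: it simplifies logged SQL statements into read/write/delete operations on data items (column granularity) or domains (table granularity), mines maximal frequent itemsets from a constructed normal-transaction log as the maximal rules, and flags a transaction as anomalous when no maximal rule covers its items. The regular expressions, the "covered by a rule" compliance test and the sample log are assumptions of this example, since the abstract gives no such details.

```python
import re
from collections import Counter
from itertools import combinations

OPS = {"SELECT": "R", "INSERT": "W", "UPDATE": "W", "DELETE": "D"}  # SQL verb -> R/W/D class

def simplify(stmt):
    """Log preprocessing: reduce one SQL statement to (op, table, [columns]). Regexes are assumed."""
    verb = stmt.split()[0].upper()
    if verb == "SELECT":
        cols, table = re.match(r"SELECT\s+(.+?)\s+FROM\s+(\w+)", stmt, re.I).groups()
    elif verb == "UPDATE":
        table, sets = re.match(r"UPDATE\s+(\w+)\s+SET\s+(.+?)(?:\s+WHERE|$)", stmt, re.I).groups()
        cols = ",".join(a.split("=")[0] for a in sets.split(","))
    elif verb == "INSERT":
        table, cols = re.match(r"INSERT\s+INTO\s+(\w+)\s*\((.+?)\)", stmt, re.I).groups()
    else:  # DELETE removes whole rows, so it is itemized at table level only
        table, cols = re.match(r"DELETE\s+FROM\s+(\w+)", stmt, re.I).group(1), "*"
    return OPS[verb], table, [c.strip() for c in cols.split(",")]

def itemize(txn, granularity):
    """Itemset of a transaction at 'item' (op:table.column) or 'domain' (op:table) granularity."""
    items = set()
    for stmt in txn:
        op, table, cols = simplify(stmt)
        if granularity == "domain":
            items.add(f"{op}:{table}")
        else:
            items.update(f"{op}:{table}.{c}" for c in cols)
    return frozenset(items)

def maximal_rules(txns, granularity, min_support):
    """Frequent itemsets over the normal log that have no frequent proper superset (maximal rules)."""
    count = Counter()
    for t in txns:
        items = sorted(itemize(t, granularity))
        for k in range(1, len(items) + 1):
            for sub in combinations(items, k):  # exhaustive enumeration; fine for short transactions
                count[frozenset(sub)] += 1
    frequent = {s for s, c in count.items() if c >= min_support}
    return {s for s in frequent if not any(s < f for f in frequent)}

def is_anomalous(txn, rules, granularity):
    """Assumed compliance test: a transaction complies when some maximal rule covers all its items."""
    items = itemize(txn, granularity)
    return not any(items <= rule for rule in rules)

# Constructed normal-transaction log (each transaction is a list of SQL statements).
NORMAL_LOG = 4 * [["SELECT balance FROM accounts WHERE id=1", "UPDATE accounts SET balance=90 WHERE id=1",
                   "INSERT INTO ledger (acct, amount) VALUES (1, -10)"]] + 3 * [["SELECT name, email FROM users WHERE id=2"]]
```

Mining `NORMAL_LOG` at item granularity with `min_support=3` yields two maximal rules (the transfer pattern and the user lookup), so a lone `DELETE FROM ledger` is flagged while a narrower `SELECT name FROM users` is not.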
Keywords/Search Tags: maximal rules, data mining, intrusion detection, database log, MRDID