Web Tap: Detecting covert web traffic
In Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004
Cited by 26 (2 self)
As network security is a growing concern, system administrators lock down their networks by closing inbound ports and only allowing outbound communication over selected protocols such as HTTP. Hackers, in turn, are forced to find ways to communicate with compromised workstations by tunneling through web requests. While several tools attempt to analyze inbound traffic for denial-of-service and other attacks on web servers, Web Tap’s focus is on detecting attempts to send significant amounts of information out via HTTP tunnels to rogue Web servers from within an otherwise firewalled network. A related goal of Web Tap is to help detect spyware programs, which often send out personal data to servers using HTTP transactions and may open up security holes in the network. Based on the analysis of HTTP traffic over a training period, we designed filters to help detect anomalies in outbound HTTP traffic using metrics such as request regularity, bandwidth usage, interrequest delay time, and transaction size. Subsequently, Web Tap was evaluated on several available HTTP covert tunneling programs as well as a test backdoor program, which creates a remote shell from outside the network to a protected machine using only outbound HTTP transactions. Web Tap’s filters detected all the tunneling programs tested after modest use. Web Tap also analyzed the activity of approximately thirty faculty and students who agreed to use it as a proxy server over a 40 day period. It successfully detected a significant number of spyware and adware programs. This paper presents the design of Web Tap, results from its evaluation, as well as potential limits to Web Tap’s capabilities.
Database Intrusion Detection using Weighted Sequence Mining
Cited by 5 (0 self)
Data mining is widely used to identify interesting, potentially useful and understandable patterns from a large data repository. With many organizations focusing on web-based on-line transactions, the threat of security violations has also increased. Since a database stores valuable information of an application, its security has started getting attention. An intrusion detection system (IDS) is used to detect potential violations in database security. In every database, some of the attributes are considered more sensitive to malicious modifications compared to others. We propose an algorithm for finding dependencies among important data items in a relational database management system. Any transaction that does not follow these dependency rules is identified as malicious. We show that this algorithm can detect modification of sensitive attributes quite accurately. We also suggest an extension to the Entity-Relationship (E-R) model to syntactically capture the sensitivity levels of the attributes.
Detection of Intrusive Activity in Databases by Combining Multiple Evidences and Belief Update
In this paper, we propose an innovative approach for database intrusion detection which combines evidences from current as well as past behavior of users. It consists of four components, namely, rule-based component, belief combination component, security sensitive history database component and Bayesian learning component. The rule-based component consists of a set of well-defined rules which give independent evidences about a transaction’s behavior. An extension of Dempster-Shafer’s theory is used to combine multiple such evidences and an initial belief is computed. First level inferences are made about the transaction depending on this initial belief. Once the transaction is found to be suspicious, belief is updated according to its similarity with malicious or genuine transaction history using Bayesian learning. Experimental evaluation shows that the proposed intrusion detection system can effectively detect intrusive attacks in databases without raising too many false alarms.
Index Terms: Database security, Dempster-Shafer theory, Bayesian learning, Intrusion detection, Suspicion score