Detecting intrusive transactions in databases using partially-ordered sequential rule mining and fractional-distance based anomaly detection

Illegitimate access to databases may compromise their integrity and confidentiality, resulting in legal and financial ramifications for organisations. We propose a database intrusion detection system (DIDS) called fractional distance based anomaly detection with partially-ordered dependency analysis (FADPDA) to identify malicious transactions issued to databases. To weed out such transactions, our DIDS combines data dependency analysis using security sensitive partially-ordered sequential rules (POSRs) with fractional distance based anomaly detection. Unlike most prior work, FADPDA can seamlessly run on both RBAC administered and non-RBAC databases. Detailed experiments on two databases- a TPC-C benchmark and a synthetic database, revealed that POSRs effectively and efficiently represent data dependencies. Furthermore, combining data dependency analysis and anomaly detection reduces our system's reliance on hyper-parameters such as support and confidence thresholds, and enhances its intrusion detection capabilities. We also show that our approach FADPDA outperforms major existing DIDS in terms of precision and recall values.