Detection of Temporal Data Ex-filtration Threats to Relational Databases

According to recent reports, the most common insider threats to systems are unauthorized access to or use of corporate information and exposure of sensitive data. While anomaly detection techniques have proved to be effective in the detection of early signs of data theft, these techniques are not able to detect sophisticated data misuse scenarios in which malicious insiders seek to aggregate knowledge by executing and combining the results of several queries. We thus need techniques that are able to track users' actions across time to detect correlated ones that collectively flag anomalies. In this paper, we propose such techniques for the detection of anomalous accesses to relational databases. Our approach is to monitor users' queries, sequences of queries and sessions of database connection to detect queries that retrieve amounts of data larger than the normal. Our evaluation of the proposed techniques indicates that they are very effective in the detection of anomalies.