A Cloud and In-Memory Based Two-Tier Architecture of a Database Protection System from Insider Attacks

As a response of emerging insider attacks targeting on database, we are proposing architecture of database protection system from insider attacks. Existing pattern matching approach to detect insider attacks cannot provide perfect solution because of false positive and true negative ratios. Accordingly, we still need reasoning by a human at the last decision to declare that the insider is malicious or not using analysis on history of transaction logs performed by the insider. To construct a system with the consideration above, the system needs to satisfy following requirements: (1) effective monitoring and analysis on large amount of log data (2) scalable system depending on increase or decrease of the log data, and (3) prompt analysis even though the amount of the log data is large enough. We propose a two-tier, distributed, cloud, and in-memory computing based architecture. The proposed architecture brings several benefits such as managing a large amount of log data, distributing analysis workload over multiple nodes, being scalable on big log data, and supporting real-time analysis of big log data.