An architectural design for a hybrid intrusion detection system for database

Abstract

In today's business world, information is the most valuable asset of organizations and thus requires appropriate management and protection. Amongst all types of data repositories, database is said to play the role of the heart in the body of IT infrastructure. On the other hand, nowadays, a growing number of efforts have concentrated on handling the vast variety of security attacks. The characteristic of such handling method depends on when we want it to be occurred and how we intent to deal with attack attempts. Generally there are two ways to handle subversion attempts. One way is to equip our systems by security controls. However in reality this is not feasible due to many reasons. Hence, we are interested in detecting the security attacks. Amongst different types of intrusion detection systems (like network-based, host-based and application-based IDS), database intrusion detection systems which are considered as a type of application-based IDS has become a matter of increasing concern. In this paper we proposed the architecture for a hybrid database intrusion detection system (DB-IDS). This architecture consists of several component and sub-components. It encompasses Anomaly Detection and Misuse Detection subcomponents as Detector component. Anomaly detection component works based on the Profiles constructed by Profiler. Suspicious sequence of events which are considered as potential attacks would be detected by Misuse Detector. Data Collector components is responsible for capturing necessary data for profiling. Moreover, the Transformer component is in place to convert the raw log files into an understandable format for Profiler. Finally, Anomaly Detector and Misuse Detector components send alert to Responder component in case of detection any suspicious activity.