2. Introduction
• Database: an asset of an organization.
• CSW survey: 26% of attacks are caused by insiders [1].
• Of all attacks, 16% are due to theft of sensitive data.
• 15% are due to exposure of confidential data.
• Organizations worry about misuse of data.
4. Motivation
• An insider may misuse crucial information of a firm.
• Limiting access to data is not the solution.
• Need to mitigate misuse of information by insiders.
5. Related Work
• Two approaches to detect misuse of data:
1) Syntax centric
2) Data centric
• Syntax centric: data requests are analyzed to detect misuse.
• Data centric: the actual data accessed is analyzed to detect misuse.
6. Related Work cont’d
• “Detecting Anomalous Access Patterns in Relational Databases” [2]
Syntax-centric approach.
Captures all SQL statements submitted by the user.
Extracts features from the captured SQL statements.
Uses the extracted features to detect anomalies.
7. Related Work cont’d
• “A Risk Management Approach to RBAC,” Risk and Decision Analysis [3]
Syntax-centric approach.
Designed a risk management model for distributed DB systems.
Measures the risk a user poses of misusing data.
8. Related Work cont’d
• “Data-Centric Approach to Insider Attack Detection in Database Systems” [4]
Data-centric approach.
An S-vector is created for every access to the DB.
S-vector: statistical information extracted from the result set.
The S-vector is analyzed to detect insider misuse.
9. Related Work cont’d
• “Insider Threat Prediction Evaluating the Probability of IT Misuse” [5]
Preventive approach.
Insider prediction tool.
Uses the Evaluated Potential Threat (EPT) measure to predict insider threat.
10. Related Work Evaluation
• Some related work in this area analyzes the requests users submit to the DB to detect misuse.
• Another way is to analyze the result set accessed by the user.
• Some calculate the risk of misuse posed by a particular user in the organization.
11. Proposal
(A) Measure (M-score) how much damage is possible if the requested data is given to the user and is misused in a particular context.
(B) Utilize the M-score to mitigate misuse of data by insiders.
• Our proposed work is limited to relational DBs.
12. Proposal cont’d: M-score
• Assign M-score:
1) Presentation dependent (tabular, structured, text)
2) Domain specific
• Dimensions of misuseability:
1) Number of entities
2) Anonymity level
3) Number of properties
4) Values of properties
13. Proposal cont’d
M-score based Dynamic Access Control (MDAC) system
• Purpose: to regulate insider access to sensitive data.
• Data-centric approach.
• Each insider is given a threshold M-score.
• The M-score of the result set is calculated.
• Access is granted if the user’s threshold is greater than or equal to the result-set score.
14. MDAC system cont’d
MDAC works in two modes:
1) Binary mode
2) Subset disclosure mode
Binary mode: complete access to the data or no access.
Subset disclosure mode: complete access or a subset of the actual result set.
16. System Design
• General Architecture
[Fig 1: General Architecture of MDAC. Components: Insider (I), User Interface, MDAC (Calculate M-score of Ri, Decision Block), Database.]
Qi – Query submitted by user
Ri – Result set for Qi
URi – Updated result set for Qi
17. System Design
• Flowchart
[Fig 2: Flowchart]
1) User logs in to the system.
2) User submits query to DB.
3) Result set (RS) for the query is evaluated.
4) M-score of RS is calculated.
5) Decision: M-score > threshold M-score of user?
NO: display result set to user.
YES: check mode. Binary: “Access denied”. Subset Disclosure: remove most sensitive data, then display subset of RS.
6) User logs out.
18. Algorithm: M-score evaluation
Input: RS (result set for query q) table.
1) Calculate Raw Record Score (RRS) for each record in the RS table
2) Calculate Record Distinguishing Factor (RFD)
3) Calculate Final Record Score (FSD)
4) Calculate M-score of the table
Output: M-score of the table
19. MDAC algorithm
• Input: M-score of RS table and threshold M-score value of the user
    if (M-score of RS table > Threshold) then
    {
        if (Mode : Binary) then
        {
            Display message "Access denied"
        }
        else
        {
            Remove most sensitive data till M-score of RS table <= Threshold
            Show subset of RS (i.e. appropriate RS)
        }
    }
    else
    {
        Show result set to the user
    }
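The M-score evaluation steps and the MDAC decision above, as an added Python example that is not the presenters' code. The slides name the scoring steps without giving formulas, so the formulas used here (raw score capped at 1, divided by the number of source records sharing the same quasi-identifiers, worst record scaled by r**(1/x)), the weights, the column names and the sample table are all assumptions.

```python
from collections import Counter

# Constructed, domain-specific inputs (assumptions; the slides give no weights or columns).
SENSITIVITY = {"diagnosis": {"flu": 0.1, "diabetes": 0.4, "hiv": 1.0},
               "salary": {"low": 0.1, "high": 0.3}}
QUASI_IDS = ("zip", "age")
SOURCE = [  # constructed source table
    {"id": 1, "zip": "411001", "age": 30, "diagnosis": "flu", "salary": "low"},
    {"id": 2, "zip": "411001", "age": 30, "diagnosis": "diabetes", "salary": "high"},
    {"id": 3, "zip": "411002", "age": 45, "diagnosis": "hiv", "salary": "low"},
    {"id": 4, "zip": "411003", "age": 52, "diagnosis": "flu", "salary": "high"},
    {"id": 5, "zip": "411003", "age": 52, "diagnosis": "flu", "salary": "low"},
]

def record_score(rec, source):
    """Steps 1-3 for one record: raw score (capped at 1) / distinguishing factor."""
    raw = min(1.0, sum(w.get(rec[c], 0.0) for c, w in SENSITIVITY.items()))
    key = tuple(rec[q] for q in QUASI_IDS)
    same = Counter(tuple(r[q] for q in QUASI_IDS) for r in source)[key]
    return raw / max(1, same)  # more look-alike records means a less identifying one

def m_score(rs, source, x=2):
    """Step 4: worst record score scaled by result-set size (assumed r**(1/x))."""
    if not rs:
        return 0.0
    return len(rs) ** (1.0 / x) * max(record_score(r, source) for r in rs)

def mdac(rs, source, threshold, mode="binary"):
    """Apply the MDAC decision; returns (decision, rows shown to the user)."""
    if m_score(rs, source) <= threshold:
        return "granted", list(rs)
    if mode == "binary":
        return "denied", []
    shown = sorted(rs, key=lambda r: record_score(r, source))  # least sensitive first
    while shown and m_score(shown, source) > threshold:
        shown.pop()  # remove the most sensitive remaining record
    return "subset", shown

if __name__ == "__main__":
    for mode in ("binary", "subset"):
        decision, rows = mdac(SOURCE, SOURCE, threshold=0.5, mode=mode)
        print(mode, decision, [r["id"] for r in rows])
```

With a threshold of 0.5, the full table is denied in binary mode, while subset disclosure withholds the two most sensitive records and releases the rest.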
23. Expected Results
• When the M-score of a result set is evaluated before exposing it to the user, we can estimate the extent of damage to the firm if the data is misused.
• We can take appropriate steps to mitigate insider misuse.
24. Conclusion
We proposed a new concept that focuses on the degree of damage to the firm if particular information is misused in a particular context by a particular insider; this measure can be used to mitigate the misuse of information.
25. Future Work
• The score function in the proposed system is strongly domain dependent.
• Upgrade the score function to mitigate domain dependency.
• Develop more applications of M-score to mitigate data misuse.
26. References
[1] 2010 Cyber Security Watch Survey, http://www.cert.org/archive/pdf/ecrimesummary10.pdf, 2012.
[2] A. Kamra, E. Terzi, and E. Bertino, “Detecting Anomalous Access Patterns in Relational Databases,” Int’l J. Very Large Databases, vol. 17, no. 5, pp. 1063-1077, 2008.
[3] E. Celikel et al., “A Risk Management Approach to RBAC,” Risk and Decision Analysis, vol. 1, no. 2, pp. 21-33, 2009.
[4] S. Mathew, M. Petropoulos, H.Q. Ngo, and S. Upadhyaya, “Data-Centric Approach to Insider Attack Detection in Database Systems,” Proc. 13th Conf. Recent Advances in Intrusion Detection, 2010.
[5] G.B. Magklaras and S.M. Furnell, “Insider Threat Prediction Tool: Evaluating the Probability of IT Misuse,” Computers and Security, vol. 21, no. 1, pp. 62-73, 2002.