Identification of malicious transactions in database systems

Existing host-based intrusion detection systems (IDSs) use the operating system log or the application log to detect misuse or anomaly activities. These methods are not sufficient for detecting intrusion in database systems. In this paper, we describe a method for database intrusion detection by using data dependency relationships. Typically before a data item is updated in the database some other data items are read or written. And after the update other data items may also be written. These data items read or written in the course of updating one data item construct the read set, pre-write set, and the post-write set for this data item. The proposed method identifies malicious transactions by comparing these sets with data items read or written in user transactions. We have provided mechanisms for finding data dependency relationships among transactions and use Petri nets to model normal data update patterns at user task level. Using this method we ascertain more hidden anomalies in the database log.