Title :
Detection of intrusive activity in databases by combining multiple evidences and belief update
Author :
Panigrahi, Suvasini ; Sural, Shamik ; Majumdar, A.K.
Author_Institution :
Sch. of Inf. Technol., Indian Inst. of Technol., Kharagpur
fDate :
March 30 2009-April 2 2009
Abstract :
In this paper, we propose an innovative approach for database intrusion detection which combines evidences from current as well as past behavior of users. It consists of four components, namely, rule-based component, belief combination component, security sensitive history database component and Bayesian learning component. The rule-based component consists of a set of well-defined rules which give independent evidences about a transaction's behavior. An extension of Dempster-Shafer's theory is used to combine multiple such evidences and an initial belief is computed. First level inferences are made about the transaction depending on this initial belief. Once the transaction is found to be suspicious, belief is updated according to its similarity with malicious or genuine transaction history using Bayesian learning. Experimental evaluation shows that the proposed intrusion detection system can effectively detect intrusive attacks in databases without raising too many false alarms.
Keywords :
belief networks; database management systems; inference mechanisms; knowledge based systems; security of data; Bayesian learning component; Dempster-Shafer theory; belief combination component; database intrusion detection; first level inference; rule-based component; security sensitive history database component; Bayesian methods; Computer crime; Computer security; Data security; Database systems; History; Information security; Intrusion detection; Power system security; Transaction databases; Bayesian learning; Database security; Dempster-Shafer theory; Intrusion detection; Suspicion score;
Conference_Title :
Computational Intelligence in Cyber Security, 2009. CICS '09. IEEE Symposium on
Conference_Location :
Nashville, TN
Print_ISBN :
978-1-4244-2769-7
DOI :
10.1109/CICYBS.2009.4925094