  • DocumentCode
    174209
  • Title
    An adaptive anomaly-based intrusion prevention system for databases
  • Author
    Emrick, Eric S. ; Yi Hu
  • Author_Institution
    Dept. of Comput. Sci., Northern Kentucky Univ., Highland Heights, KY, USA
  • fYear
    2014
  • fDate
    5-8 Oct. 2014
  • Firstpage
    3382
  • Lastpage
    3389
  • Abstract
    Conventional database security can employ a wide range of access controls including database roles, fine-grained object access and virtual private databases. Access controls are used to protect against malicious attacks and to ensure that established database privileges are not misused. Intrusion detection systems can augment these controls by alerting the intrusion response team after an attack has occurred. While intrusion detection can assist forensic analysis, a passive response to detection can permit the inflicted damage to go undetected for a long period of time, allowing the damage to potentially propagate. In contrast, we propose an adaptive anomaly-based intrusion prevention system to secure the database from attacks. The approach requires the database to learn the activities considered normal using training data taken from production. The model adapts to stringent variations of the training data while in operation, reducing the potential for normal activities to be misclassified as malicious.
  • Keywords
    authorisation; data protection; database management systems; digital forensics; access controls; adaptive anomaly-based intrusion prevention system; database privileges; database roles; database security; fine-grained object access; forensic analysis; inflicted damage; intrusion detection systems; intrusion response team; malicious attacks protection; virtual private databases; Databases; Intrusion detection; Production; Semantics; Syntactics; Training data; Database; Database Security; Intrusion Prevention Systems; Security Algorithms;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems, Man and Cybernetics (SMC), 2014 IEEE International Conference on
  • Conference_Location
    San Diego, CA
  • Type
    conf
  • DOI
    10.1109/SMC.2014.6974450
  • Filename
    6974450