WO2006090354A1 - Detection of misuse of a database - Google Patents


Info

Publication number
WO2006090354A1
Authority
WO
WIPO (PCT)
Prior art keywords
transactions
groups
meta
processor
database
Application number
PCT/IL2005/000235
Other languages
French (fr)
Inventor
Yair Buchbaum
Original Assignee
Insight Solutions Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting

Definitions

  • the present invention relates to methods of detecting misuse of a database.
  • Databases are used to manage large quantities of information. Such information may include, for example, bank accounts, employee information and police records. While databases allow easy access and manipulation of their data, they increase the danger of unauthorized transactions (i.e., retrieval and/or manipulation) of the information.
  • the number of documents accessed by the user that do not match the profile is counted.
  • the gathered documents are clustered into clusters of similar content and if the number of documents not included in any cluster is relatively large, a warning is generated.
  • the '251 publication also suggests identifying transactions that a user performed while being on vacation.
  • the '251 publication states that an employee's time sheet, or even the time of the query, can provide triggers for a misuse notification alarm.
  • An aspect of some embodiments of the present invention relates to identifying suspicious database transactions by organizing the transactions in a hierarchy of groups of transactions and finding a small group of transactions that has a profile substantially different from a profile of an associated larger group of transactions, with characteristics similar to those of the small group.
  • the transactions of associated groups have at least one attribute common to their transactions.
  • the transactions of small groups are included in the large groups with which they are associated.
  • the large groups do not include all the transactions of the small groups, for example when a small group is new and it is desired to wait until the transactions of the small group are validated.
  • a small group of transactions having a profile substantially different from a profile of a larger group with which it is associated is flagged as suspicious.
  • the transactions of each user are included in a small group, and the transactions of users having similar attributes are included in the larger group.
  • small transaction groups include the transactions, of one or more users, that occur during relatively short time periods.
  • Large transaction groups include transactions occurring in groups of time periods that have similar time characteristics. Small groups may include transactions performed in a single day, work shift, hour, half hour or even quarter of an hour. Larger groups may be defined, for example, for larger time spans and/or for same hours in different work days and/or same days of the week in different weeks.
  • An aspect of some embodiments of the present invention relates to comparing one or more database transactions of a specific user to a group profile of transactions of a group of users with similar characteristics. A user whose one or more transactions do not match the group profile is optionally marked as being suspicious.
  • a user profile is generated for the transactions of the user and the user profile is compared to the group profile.
  • the user and group profiles summarize the data accessed by the transactions, the types of the transactions (e.g., read, modify, insert, delete), the times of the transactions, the complexity of the transactions and/or the numbers of the transactions.
  • the user groups with which a user shares similar characteristics may include, for example, users having similar job tasks, users located in same physical locations and/or users having same or similar levels in a hierarchy of an organization.
  • the groups are defined based on the profiles of the users in a test period. Users having similar profiles in the test period are grouped together into a single group.
  • An aspect of some embodiments of the present invention relates to identifying suspicious database transactions by generating, for one or more users, transaction profiles of short periods and comparing the profiles of the short periods to expected profiles of the short periods.
  • the short periods are shorter than 24 hours, shorter than a work shift or even shorter than an hour.
  • the short periods are shorter than 15 minutes.
  • the profiles and/or groupings are generated based on the user inputs initiating the database transactions, without relation to any data returned in response to the transactions and/or altered by the transactions, except that included in the commands of the transactions.
  • a method of monitoring database transactions comprising collecting information on database transactions, grouping the transactions into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, generating profiles of the transactions of each of the base groups and meta groups, comparing the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and generating a warning when compared profiles differ by more than a predetermined threshold value.
  • collecting the information on database transactions comprises collecting transaction commands directed to the database and/or collecting responses to transaction commands generated by the database.
  • each of the meta groups includes all the transactions in the base groups with which the meta-group is associated.
  • at least some of the meta groups include transactions not included in any of the base groups with which the meta group is associated.
  • the meta groups include transactions having at least one common attribute, and the common attribute is also common to all the transactions of the base groups associated with the meta group.
  • each of the base groups represents transactions performed in a predetermined interval.
  • At least some of the base groups represent transactions performed in a predetermined interval shorter than one hour.
  • at least some of the meta groups represent transactions performed in intervals spanning over a plurality of intervals of base groups.
  • at least some of the meta groups represent transactions performed in intervals of similar attributes.
  • at least some of the meta groups represent transactions performed on a specific day of the week or a specific day of the month.
  • each of the base groups represents transactions performed by a specific user and at least some of the meta groups represent transactions performed by a plurality of users having similar characteristics.
  • At least one meta group serves as a base group for one or more other meta groups.
  • generating profiles of the transactions of each of the base groups comprises defining value range bins for one or more parameters of the transactions and determining for each bin, the number of transactions with values within the bin.
  • generating profiles of the transactions of each of the base groups comprises determining for each bin, at least one statistical value beyond the number of transactions with values within the bin.
  • defining value range bins for one or more parameters of the transactions comprises defining bins for different portions of the database and/or for different sums involved in the transactions.
  • defining value range bins for one or more parameters of the transactions comprises defining bins for transactions of different complexity levels.
  • defining value range bins for one or more parameters of the transactions comprises defining bins for different types of transactions.
  • a method of detecting misuse of a database comprising constructing a profile of database transactions of a plurality of users, comparing one or more database transactions of a specific user to the profile of the plurality of users and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison.
  • constructing the profile comprises constructing the profile of database transactions based partially on transactions of the specific user.
  • constructing the profile comprises determining a percentage of transactions of each transaction type or complexity level.
  • constructing the profile comprises determining an average number of transactions performed in one or more periods.
  • the plurality of users have similar job tasks or similar hierarchy levels in an organization.
  • the plurality of users access the database from a same locality.
  • the plurality of users had similar transaction profiles in a learning period.
  • the plurality of users for which the profile is generated are selected by a human operator.
  • the plurality of users for which the profile is generated are selected automatically by a computer based on the transactions they performed.
  • constructing the profile comprises constructing based on database accesses in a learning period in which database accesses are considered legal.
  • comparing the one or more database transactions of the specific user to the profile of the plurality of users comprises generating a profile of a plurality of transactions of the specific user and comparing the profile of the specific user to the profile of the plurality of users.
  • a method of detecting misuse of a database comprising constructing an expected profile of database transactions of a specific user, for a specific period of not longer than two hours, comparing a profile of transactions of the specific user in the specific period to the constructed expected profile and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison.
  • constructing the expected profile comprises constructing partially based on transactions of the specific user during the specific period.
  • constructing the expected profile comprises determining an expected percentage of transactions of each transaction type or complexity level.
  • constructing the expected profile comprises constructing a profile of transactions in a period at least twice as long as the specific period, which includes the specific period.
  • constructing the expected profile comprises constructing a profile of transactions at least including transactions of an entire work day including the specific period.
  • constructing the expected profile comprises constructing a profile of transactions in a plurality of time periods occurring in a same regularity as the specific period in respective larger time periods.
  • constructing the expected profile comprises constructing a profile of transactions in a plurality of time periods selected automatically by a computer based on the transactions performed in the periods.
  • the specific period is not longer than 20 minutes.
  • a method of detecting misuse of a database comprising constructing an expected profile of database transactions of a specific user, in a first period not longer than two hours, constructing an expected profile of database transactions of the specific user, in a second period not longer than two hours, different from the first period, gathering information on transactions of the specific user, comparing gathered information on one or more database transactions of the specific user in the first period to the expected profile of the first period, comparing gathered information on one or more database transactions of the specific user in the second period to the expected profile of the second period and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in one or more of the comparisons.
  • the first period is not longer than 20 minutes.
  • a system for monitoring database transactions comprising an input interface for collecting information on database transactions, an output interface for providing warnings; and a processor adapted to group transactions received through the input interface into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, to generate profiles of the transactions of each of the base groups and meta groups, to compare the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and to generate a warning provided through the output interface when compared profiles differ by more than a predetermined threshold value.
  • Fig. 1 is a schematic illustration of a database system, in accordance with an exemplary embodiment of the invention.
  • Fig. 2 is a flowchart of acts performed by a security monitor, in accordance with an exemplary embodiment of the invention.
  • Fig. 1 is a schematic illustration of a database system 100, in accordance with an exemplary embodiment of the invention.
  • Database system 100 includes a database memory 102 which stores relational tables which form a database.
  • a database server 104 receives database transaction commands from one or more terminals 106, and performs the transactions on the database.
  • a security monitor 108 optionally collects the transaction commands directed to database server 104 and analyzes the transaction commands to identify suspicious transactions or groups of transactions.
  • a security station 110 optionally displays warnings to a system manager. Alternatively or additionally, the security station 110 is used to define security parameters, such as groupings of transactions and/or sensitivity thresholds, as discussed below.
  • each base group includes transactions of a relatively short time period (e.g., 15 minutes, an hour), for a specific user (such that each base group includes transactions of a single user).
  • a profile of the transactions of the base group is generated (204).
  • Larger meta-groups are defined (206) by identifying, for each meta-group, a plurality of base groups belonging to the meta-group. The transactions of each of the meta-groups have one or more common characteristics, as described below.
  • a profile of the transactions of the meta-group is determined (208).
  • the profile of each base group is compared (210) to the profiles of meta-groups including the base group. If (212) a discrepancy is identified between the profile of the base group and the profile of the meta-group, a warning is generated with regard to the base group.
  • a human system manager defines the time periods of the base groups.
  • all the groups relate to time periods of the same length.
  • the base groups include transactions in a period not longer than three hours, not longer than two hours or even not longer than a single hour.
  • a group is defined for every 15 minutes, 20 minutes, or for every half hour.
  • different base groups relate to different time periods. For example, during work hours base groups may relate to short periods of 10 minutes, while during non-work hours, base groups relate to periods of 2-4 hours. Similarly, different periods may be defined for base groups of transactions performed in different days of the week.
  • the time periods of the base groups are defined automatically, for example based on the number of transactions taking place at specific hours and/or on specific days.
  • the time periods of the base groups are optionally defined also according to the available processing resources for performing the method of Fig. 2.
  • the profile includes at least some of the following parameters:
  • the level of complexity of a transaction is optionally a function of the number of tables accessed by the transaction, the number of tables and/or fields accessed by the transaction and/or the number and/or types of conditions in the transaction command.
  • the level of complexity of a transaction is a function of the data resolution of the transaction, i.e., the level of grouping of data accessed by the transaction, such as whether the transaction relates to a single field, a row, a column or any other table grouping.
  • the level of complexity of a transaction is a function of the length of the transaction command.
  • the profile optionally includes the absolute number of transactions and/or the average number of transactions per hour (or any other time period).
  • the profile includes other statistical values, such as the standard deviation and the confidence interval (CI(1-α) [a,b]) for one or more values of α.
  • the sizes of the intervals are optionally determined based on the values of the parameter, using the T and/or Z tables known in the art, according to the size of the population.
  • the profile of each of the parameters includes one or more measures of the density of the values within the relevant time interval (e.g., whether they are distributed relatively evenly or are concentrated around one or more sub-intervals).
  • the parameters included in the profile are user adjustable.
  • the system manager may identify data-portions which should be referred to with more granularity than other portions of the database.
  • a bank account balance table may be given more attention than other tables of the database.
  • the profile relates to each column of important tables separately, while all the columns of less important tables are treated together as one unit.
  • some or all of the columns are parsed into sub-groups which are related to separately.
  • the parameters are organized according to their importance and the parameters actually used in the group profiles are selected according to a desired level of complexity.
  • the larger meta-groups are predefined at installation.
  • the meta-groups are defined based on information provided by a human system manager.
  • the meta-groups are automatically identified, by finding base groups having similar profiles, for example during a test period.
  • the base groups are included in a plurality of different meta-groups.
  • the base groups may each be included in a predetermined number of meta-groups, or the number of meta groups in which each base group is included may vary according to the specific base group.
  • the meta groups include one or more of: a) long term meta groups formed of a plurality of base groups of consecutive periods; b) similar-time meta groups formed of a plurality of base groups having periods expected to have similar transaction attributes; and c) multi-user meta groups formed of a plurality of base groups of users with similar attributes.
  • Long term meta groups may include, for example, meta-groups representing transactions of an entire day, work day, week, work week or work month. By comparing the profiles of the base groups to the profile of the long term meta-group, times at which a user behaved very differently, and therefore suspiciously, from other hours, may be determined. Finding only a single transaction during an entire work week that accesses a specific data portion is an example of a suspicious transaction that can be found by comparing base groups to their long term meta groups. In another example, work hours in which a user is extra active, under active, or otherwise performs a suspicious number of transactions, may be identified.
  • Similar-time meta groups may include, for example, all the base groups of a single user that relate to the same time of day for different days, to the same day in the week, to the same day of the month and/or to the same weather conditions.
  • days are classified according to their expected work load and similar time meta-groups relate to days with similar classifications.
  • the classifications may be predetermined or may be determined after the transactions are performed, based on external information (e.g., the stock market rose, high traffic conditions, a large number of workers on vacation) and/or based on an analysis of the transactions performed.
  • similar-time meta groups may be defined for rush hour, beginning or end of quarters or holidays.
  • Multi-user meta-groups may be defined, for example, for users of similar job definitions, of similar personal classification (e.g., age, gender, marital state), of similar operational environment (e.g., location of work place, terminal type, operating system) and/or of similar tenure.
  • meta-groups are defined also for groups of meta-groups, forming a hierarchy of groups.
  • the hierarchy may include three levels, four levels or even more than four levels.
  • the profiles of the high level meta groups may be compared to the profiles of groups of an adjacent lower level or may be compared to lower levels or even to the base groups of the lowest level.
  • Generating (208) the profiles of the meta-groups is optionally performed based on the profiles of the groups forming the meta groups.
  • the profiles of the meta-groups are generated based on the raw data.
  • the profiles of the meta-groups may be determined in parallel to, or even before, generation of the profiles of the base groups.
  • all the transactions of the meta-group are given the same weight in generating the profile. Alternatively, different transactions are given different weight, for example, according to the times of the transactions. In some embodiments of the invention, in meta-groups spanning over relatively long periods, old transactions are given less weight in generating the profile. Alternatively or additionally, recent transactions, which have not yet been screened for validity, are given less weight in generating the meta-group profile. In some embodiments of the invention, the profiles of at least some of the meta-groups are generated without using current transactions of base groups which are to be tested for validity. For example, the profiles of similar-time meta groups are optionally generated using the transactions of a test period (i.e., a learning group), in which all the transactions are assumed to be valid.
  • new base-groups are compared to the previously generated profile.
  • the previously generated profiles of the meta-groups are updated using the transactions of base groups for which no warnings were generated and/or for groups whose warnings were determined to be false warnings.

Generation of warnings

  • the system manager configures, for each profile parameter, a threshold which is used in determining whether a warning is generated.
  • at least some of the thresholds are predefined.
  • when a parameter of the profile has a difference in value greater than its respective threshold between a base group and a meta-group to which it belongs, a warning regarding the base group is generated.
  • the thresholds are adjusted dynamically according to feedback received from the system manager regarding warnings generated. Warnings that are marked by the system manager as false warnings optionally cause the threshold to be increased.
  • the thresholds are optionally based on the confidence intervals of the parameters and/or assumption checks and p-value significance levels.
  • the p-values are optionally selected according to the desired sensitivity of the system and may be, for example, p < .05, p < .01 or p < .001, depending on the desired sensitivity of the system.
  • Different thresholds are optionally defined for different parameters, according to the types of the parameters and the chances that they indicate a breach of authority.
  • each of the parameters of the profile is assigned a predetermined weight, which qualifies the extent to which the value of the parameter in the base group differs from the value of the parameter in the meta-group.
  • the sum of all the qualified differences optionally serves as a grading of the suspiciousness of the base group.
  • suspicion grades are assigned to the base group, for each meta-group related to the base group.
  • a total grade of the base group is optionally assigned according to a weighted sum of the grades for the different meta-groups, the weights being assigned according to the importance levels of the meta-groups.
  • when a warning is generated, or when a relatively high discrepancy is otherwise identified between a base group and one or more meta-groups to which it belongs, security monitor 108 performs more in-depth tests on the user to which the base group belongs. For example, each query of the base group may be analyzed separately against external security rules in search of additional suspicious information. Alternatively or additionally, the more in-depth tests may relate to the data portions of the database at a higher granularity and/or include a more in-depth analysis of other details.
  • Suspicious actions which may be identified by the monitoring method of the present invention may include, for example, acts in which a user accesses a data portion which the user has never (or nearly never) accessed, which the user does not usually access at the time of the suspicious action and/or which his peers nearly never access. These actions may occur when a user uses his access authorization to view data that the user should not view or to alter data that the user is not supposed to change.
  • Other suspicious actions which may be identified may be based on the fact that a user generally accesses data portions a predetermined number of times. Accessing a data portion only a single time may be indicative of an access performed for curiosity or mischievous reasons and not for performing a required task, which generally requires a sequence of a plurality of actions. Similarly, a large number of accesses to a single data portion may be indicative of an interest in the specific data by the user, beyond the regular tasks which the user is supposed to perform. In some embodiments of the invention, determining whether a data portion was accessed a normal number of times is performed by adding up the accesses of all the users, since a handling sequence may be carried out by a plurality of different workers.
  • warnings are generated when a data portion is accessed a low number of times, which indicates that the data portion was not handled properly.
  • a user that accesses the database at times when he usually does not access the database and/or at times when his peers are not accessing the database may arouse suspicion that the user is taking advantage of times at which people are not around to perform prohibited transactions.
  • when a user becomes over productive (i.e., performs a substantially larger number of transactions) or under productive relative to his usual behavior on the same day of week or day of month it may indicate that the user is performing prohibited transactions.
  • Changes in the pattern of usually performed transactions (the meta group) by a user during some time period (the base group) can also be used to trigger an alarm. For example, a user that generally performs query transactions and all of a sudden performs an update transaction may be considered suspicious.
  • the rows of one or more tables of a monitored database are divided into subgroups according to geographical areas and/or other logical attributes.
  • a user that usually accesses records corresponding to a specific geographical area that accesses records of a different geographical area arouses suspicion.
  • a user that usually accesses specific columns is considered suspicious when accessing a column that he and/or his peers do not usually access.
  • An example of a complex warning generation rule includes identifying transactions that are performed in time periods having a relatively low number of transactions, while the level of complexity of the transactions is not higher than average. This excludes generating warnings for cases in which the relatively low number of transactions is due to their complexity.
  • the method of Fig. 2 may be used on its own or may be combined with other security methods.
  • the meta-groups are searched for reoccurring transactions. For example, when a specific data cell of the database is accessed a much higher number of times than the average, it may be indicative of suspicious acts.
  • the transactions may be checked relative to external data, such as the vacation periods of the users, and transactions performed while the user is on vacation may be indicated as being suspicious.
  • the method of Fig. 2 may be performed periodically, e.g., once a week, once a month, or may be performed continuously, with each new transaction being immediately added to the profiles of the groups to which it belongs and an immediate comparison of updated profiles to each other and/or to the profiles of their meta-groups.
  • warnings are generated based on comparisons of profiles of base groups to profiles of meta-groups.
  • single transactions are compared to meta group profiles.
  • each newly received transaction command is compared to the profiles of meta-groups representing groups of users to which the specific user generating the received command belongs. If the received command does not match the profile of one of the meta-groups, a warning may be generated immediately.
  • the number of transaction commands that do not match a profile of a meta-group relating to a group to which the user belongs is determined and a user that has many transactions that do not match his user-group profile is identified as suspicious.
  • a meta-group profile is generated for all workers of a specific task. The profile, for example, indicates that update commands are only used between 8:00-9:00 in the morning. If an update command is received during other hours, a warning is generated.
  • each newly received transaction command is compared to meta-groups relating to the time of day of the transaction.
  • the meta-groups optionally relate to small periods, such as less than two hours, less than an hour or even less than 20 minutes.
  • meta groups are generated for every 5-10 minutes. If, for example, a profile of 15:00-15:15 shows that in this time period workers perform transactions that access a specific data portion, a warning may be generated for transaction commands performed between 15:00-15:15 that do not access the specific data portion.
  • although the analysis is described as being performed based on the database transactions provided to the database, it is noted that in some embodiments of the invention the analysis may be performed based on the responses of the database to the transactions and/or based on any other representation of the acts of the users.
  • Databases that could be scanned in accordance with the present invention may represent substantially any data, and the scanning does not depend on the content of the database. That is, except for possibly stating the relations between the base groups and the meta groups, the generation of warnings is performed without knowledge of the meanings of the data which is scanned, but rather is based on finding suspicious differences between the data at different times and/or for different users, regardless of what the data is.
  • the database may represent monetary records, such as bank-account balances and/or credit card transactions.
  • databases which may be monitored using the present invention include databases having personal information, such as police records, medical records and government controlled databases, such as including citizen related information.
  • Other examples include business related databases, which may include trade secrets, business contacts, accounting, financing, knowledge-base information and/or inventory records.
  • Business related databases may include R&D related databases, such as databases relating to procedures, experiments and/or future plans.
  • the invention may be used to monitor diversely different databases without adaptations. Additional data related to the contents of the database may optionally be used to enhance the monitoring, but is not required for the basic monitoring operations. It is noted that a same monitoring system may be used for diversely different databases of a same organization.

Abstract

A method of monitoring database transactions. The method includes collecting information on database transactions, grouping the transactions into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, generating profiles of the transactions of each of the base groups and meta groups, comparing the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and generating a warning when compared profiles differ by more than a predetermined threshold value.

Description

DETECTION OF MISUSE OF A DATABASE RELATED APPLICATIONS
This application is a continuation-in-part of U.S. Application No. 10/689,113, filed on October 21, 2003, the disclosure of which is incorporated herein by reference.
FIELD OF THE INVENTION
The present invention relates to methods of detecting misuse of a database.
BACKGROUND OF THE INVENTION
Databases are used to manage large quantities of information. Such information may include, for example, bank accounts, employee information and police records. While databases allow easy access and manipulation of their data, they increase the danger of unauthorized transactions (i.e., retrieval and/or manipulation) of the information.
Many solutions to such unauthorized transactions are directed at preventing access to the database by unauthorized people. However, many unauthorized transactions are performed by people having authorization to access the database, but who use that authorization to perform unauthorized transactions. For example, bank tellers may use their permission to access bank accounts in order to illegally transfer money from a client's bank account to their own bank account. A policeman, for example, may use his permission to access a police database in order to retrieve sensitive information for private needs.
US patent publication 2003/0037251 to Frieder et al., the disclosure of which is incorporated herein by reference, describes a system for detecting the misuse of authorized access to a digital data gathering system by a user. During a learning session, documents accessed by the user are gathered and a profile is generated for the gathered documents.
Thereafter, in a monitoring stage, the number of documents accessed by the user, that do not match the profile, are counted. A user that accesses documents, not included in the profile, a number of times above a predetermined threshold, is considered suspicious of misuse of the database. In another embodiment, the gathered documents are clustered into clusters of similar content and if the number of documents not included in any cluster is relatively large, a warning is generated.
The '251 publication also suggests identifying transactions that a user performed while being on vacation. In addition, the '251 publication states that an employee's time sheet, or even the time of the query, can provide triggers for a misuse notification alarm.
SUMMARY OF THE INVENTION
An aspect of some embodiments of the present invention relates to identifying suspicious database transactions by organizing the transactions in a hierarchy of groups of transactions and finding a small group of transactions that has a profile substantially different from a profile of an associated larger group of transactions, with characteristics similar to those of the small group. The transactions of associated groups have at least one attribute common to their transactions. In some embodiments of the invention, the transactions of small groups are included in the large groups with which they are associated. Alternatively, the large groups do not include all the transactions of the small groups, for example when a small group is new and it is desired to wait until the transactions of the small group are validated. A small group of transactions having a profile substantially different from a profile of a larger group with which it is associated is flagged as suspicious.
In some embodiments of the invention, the transactions of each user are included in a small group, and the transactions of users having similar attributes are included in the larger group.
In some embodiments of the invention, small transaction groups include the transactions, of one or more users, that occur during relatively short time periods. Large transaction groups include transactions occurring in groups of time periods that have similar time characteristics. Small groups may include transactions performed in a single day, work shift, hour, half hour or even quarter of an hour. Larger groups may be defined, for example, for larger time spans and/or for same hours in different work days and/or same days of the week in different weeks.
An aspect of some embodiments of the present invention relates to comparing one or more database transactions of a specific user to a group profile of transactions of a group of users with similar characteristics. A user whose one or more transactions do not match the group profile is optionally marked as being suspicious.
Optionally, a user profile is generated for the transactions of the user and the user profile is compared to the group profile. In some embodiments of the invention, the user and group profiles summarize the data accessed by the transactions, the types of the transactions (e.g., read, modify, insert, delete), the times of the transactions, the complexity of the transactions and/or the numbers of the transactions.
The user groups with which a user shares similar characteristics may include, for example, users having similar job tasks, users located in the same physical locations and/or users having the same or similar levels in a hierarchy of an organization. In some embodiments of the invention, the groups are defined based on the profiles of the users in a test period. Users having similar profiles in the test period are grouped together into a single group.
An aspect of some embodiments of the present invention relates to identifying suspicious database transactions by generating, for one or more users, transaction profiles of short periods and comparing the profiles of the short periods to expected profiles of the short periods. In some embodiments of the invention, the short periods are shorter than 24 hours, shorter than a work shift or even shorter than an hour. In some embodiments of the invention, the short periods are shorter than 15 minutes. In some embodiments of the invention, the profiles and/or groupings are generated based on the user inputs initiating the database transactions, without relation to any data returned in response to the transactions and/or altered by the transactions, except that included in the commands of the transactions.
There is therefore provided in accordance with an exemplary embodiment of the invention, a method of monitoring database transactions, comprising collecting information on database transactions, grouping the transactions into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, generating profiles of the transactions of each of the base groups and meta groups, comparing the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and generating a warning when compared profiles differ by more than a predetermined threshold value.
Optionally, collecting the information on database transactions comprises, collecting transaction commands directed to the database and/or collecting responses to transaction commands generated by the database. Optionally, each of the meta groups includes all the transactions in the base groups with which the meta-group is associated. Optionally, at least some of the meta groups include transactions not included in any of the base groups with which the meta group is associated. Optionally, the meta groups include transactions having at least one common attribute, and the common attribute is also common to all the transactions of the base groups associated with the meta group. Optionally, each of the base groups represents transactions performed in a predetermined interval.
Optionally, at least some of the base groups represent transactions performed in a predetermined interval shorter than one hour. Optionally, at least some of the meta groups represent transactions performed in intervals spanning over a plurality of intervals of base groups. Optionally, at least some of the meta groups represent transactions performed in intervals of similar attributes. Optionally, at least some of the meta groups represent transactions performed on a specific day of the week or a specific day of the month.
Optionally, each of the base groups represents transactions performed by a specific user and at least some of the meta groups represent transactions performed by a plurality of users having similar characteristics.
Optionally, in comparing the profiles of at least some of the base groups with profiles of meta-groups, at least one meta group serves as a base group for one or more other meta groups. Optionally, generating profiles of the transactions of each of the base groups comprises defining value range bins for one or more parameters of the transactions and determining for each bin, the number of transactions with values within the bin.
Optionally, generating profiles of the transactions of each of the base groups comprises determining for each bin, at least one statistical value beyond the number of transactions with values within the bin. Optionally, defining value range bins for one or more parameters of the transactions comprises defining bins for different portions of the database and/or for different sums involved in the transactions. Optionally, defining value range bins for one or more parameters of the transactions comprises defining bins for transactions of different complexity levels. Optionally, defining value range bins for one or more parameters of the transactions comprises defining bins for different types of transactions.
There is further provided in accordance with an exemplary embodiment of the invention, a method of detecting misuse of a database, comprising constructing a profile of database transactions of a plurality of users, comparing one or more database transactions of a specific user to the profile of the plurality of users and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison. Optionally, constructing the profile comprises constructing the profile of database transactions based partially on transactions of the specific user.
Optionally, constructing the profile comprises determining a percentage of transactions of each transaction type or complexity level. Optionally, constructing the profile comprises determining an average number of transactions performed in one or more periods. Optionally, the plurality of users have similar job tasks or similar hierarchy levels in an organization. Optionally, the plurality of users access the database from a same locality.
Optionally, the plurality of users had similar transaction profiles in a learning period. Optionally, the plurality of users for which the profile is generated are selected by a human operator. Optionally, the plurality of users for which the profile is generated are selected automatically by a computer based on the transactions they performed. Optionally, constructing the profile comprises constructing based on database accesses in a learning period in which database accesses are considered legal. Optionally, comparing the one or more database transactions of the specific user to the profile of the plurality of users comprises generating a profile of a plurality of transactions of the specific user and comparing the profile of the specific user to the profile of the plurality of users.
There is further provided in accordance with an exemplary embodiment of the invention, a method of detecting misuse of a database, comprising constructing an expected profile of database transactions of a specific user, for a specific period of not longer than two hours, comparing a profile of transactions of the specific user in the specific period to the constructed expected profile and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison.
Optionally, constructing the expected profile comprises constructing partially based on transactions of the specific user during the specific period. Optionally, constructing the expected profile comprises determining an expected percentage of transactions of each transaction type or complexity level. Optionally, constructing the expected profile comprises constructing a profile of transactions in a period at least twice as long as the specific period, which includes the specific period. Optionally, constructing the expected profile comprises constructing a profile of transactions at least including transactions of an entire work day including the specific period. Optionally, constructing the expected profile comprises constructing a profile of transactions in a plurality of time periods occurring in a same regularity as the specific period in respective larger time periods.
Optionally, constructing the expected profile comprises constructing a profile of transactions in a plurality of time periods selected automatically by a computer based on the transactions performed in the periods.
Optionally, the specific period is not longer than 20 minutes.
There is further provided in accordance with an exemplary embodiment of the invention, a method of detecting misuse of a database, comprising constructing an expected profile of database transactions of a specific user, in a first period not longer than two hours, constructing an expected profile of database transactions of the specific user, in a second period not longer than two hours, different from the first period, gathering information on transactions of the specific user, comparing gathered information on one or more database transactions of the specific user in the first period to the expected profile of the first period, comparing gathered information on one or more database transactions of the specific user in the second period to the expected profile of the second period and reporting a potential misuse of the database by the specific user, if a substantial discrepancy is found in one or more of the comparisons. Optionally, the first period is not longer than 20 minutes.
There is further provided in accordance with an exemplary embodiment of the invention, a system for monitoring database transactions, comprising an input interface for collecting information on database transactions, an output interface for providing warnings; and a processor adapted to group transactions received through the input interface into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, to generate profiles of the transactions of each of the base groups and meta groups, to compare the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and to generate a warning provided through the output interface when compared profiles differ by more than a predetermined threshold value.
BRIEF DESCRIPTION OF THE DRAWINGS
Exemplary non-limiting embodiments of the invention will be described with reference to the following description of the embodiments, in conjunction with the figures, in which:
Fig. 1 is a schematic illustration of a database system, in accordance with an exemplary embodiment of the invention; and
Fig. 2 is a flowchart of acts performed by a security monitor, in accordance with an exemplary embodiment of the invention.
DETAILED DESCRIPTION OF EMBODIMENTS
Fig. 1 is a schematic illustration of a database system 100, in accordance with an exemplary embodiment of the invention. Database system 100 includes a database memory 102 which stores relational tables which form a database. In some embodiments of the invention, a database server 104 receives database transaction commands from one or more terminals 106, and performs the transactions on the database. A security monitor 108 optionally collects the transaction commands directed to database server 104 and analyzes the transaction commands to identify suspicious transactions or groups of transactions. A security station 110 optionally displays warnings to a system manager. Alternatively or additionally, the security station 110 is used to define security parameters, such as groupings of transactions and/or sensitivity thresholds, as discussed below.
Fig. 2 is a flowchart of acts performed by security monitor 108, in accordance with an exemplary embodiment of the invention. The transactions directed to database server 104 are divided (202) into base groups according to the user performing the transaction and the time of the transaction. Optionally, each base group includes transactions of a relatively short time period (e.g., 15 minutes, an hour), for a specific user (such that each base group includes transactions of a single user). For each base group, a profile of the transactions of the base group is generated (204). Larger meta-groups are defined (206) by identifying, for each meta-group, a plurality of base groups belonging to the meta-group. The transactions of each of the meta-groups have one or more common characteristics, as described below. For each meta group, a profile of the transactions of the meta-group is determined (208). The profile of each base group is compared (210) to the profiles of meta-groups including the base group.
If (212) a discrepancy is identified between the profile of the base group and the profile of the meta- group, a warning is generated with regard to the base group.
Referring in detail to dividing (202) the transactions into base groups, in some embodiments of the invention, a human system manager defines the time periods of the base groups. Optionally, all the groups relate to time periods of the same length. In an exemplary embodiment of the invention, the base groups include transactions in a period not longer than three hours, not longer than two hours or even not longer than a single hour. Optionally, a group is defined for every 15 minutes, 20 minutes, or for every half hour. Alternatively, different base groups relate to different time periods. For example, during work hours base groups may relate to short periods of 10 minutes, while during non-work hours, base groups relate to periods of 2-4 hours. Similarly, different periods may be defined for base groups of transactions performed on different days of the week.
Alternatively or additionally to the time periods of the base groups being defined by a human system manager, the time periods of the base groups are defined automatically, for example based on the number of transactions taking place at specific hours and/or on specific days. The time periods of the base groups are optionally defined also according to the available processing resources for performing the method of Fig. 2.
Referring in more detail to generating (204) a profile for each group, in some embodiments of the invention, the profile includes at least some of the following parameters:
1) total number of transactions in the base group;
2) number of transactions of each type (query, update, insert, delete);
3) number of transactions accessing each data portion (e.g., table, scheme, cluster, column, row, index, graph) of the database;
4) number of transactions of each level of complexity;
5) number of transactions in different bins of values;
6) number of transactions for each field type (e.g., numeric, alphanumeric, monetary, date, integer, real) accessed by the transaction;
7) average transaction value; and
8) number of transactions performed from each terminal, if the user performs transactions from different terminals.
The level of complexity of a transaction is optionally a function of the number of tables accessed by the transaction, the number of tables and/or fields accessed by the transaction and/or the number and/or types of conditions in the transaction command. Alternatively or additionally, the level of complexity of a transaction is a function of the data resolution of the transaction, i.e., the level of grouping of data accessed by the transaction, such as whether the transaction relates to a single field, a row, a column or any other table grouping. Further alternatively or additionally, the level of complexity of a transaction is a function of the length of the transaction command.
For each of the parameters, the profile optionally includes the absolute number of transactions and/or the average number of transactions per hour (or any other time period). In some embodiments of the invention, for each parameter, the profile includes other statistical values, such as the standard deviation and the confidence interval (CI (1-α) [a,b]) for one or more values of α. The sizes of the intervals are optionally determined based on the values of the parameter, using the T and/or Z tables known in the art, according to the size of the population. In some embodiments of the invention, the profile of each of the parameters includes one or more measures of the density of the values within the relevant time interval (e.g., whether they are distributed relatively evenly or are concentrated around one or more sub-intervals).
Optionally, the parameters included in the profile are user adjustable. For example, the system manager may identify data-portions which should be referred to with more granularity than other portions of the database. For example, a bank account balance table may be given more attention than other tables of the database. In some embodiments of the invention, the profile relates to each column of important tables separately, while all the columns of less important tables are related to together. Alternatively or additionally, in relating to important tables, some or all of the columns are parsed into sub-groups which are related to separately. Alternatively or additionally, the parameters are organized according to their importance and the parameters actually used in the group profiles are selected according to a desired level of complexity.
Referring in more detail to defining (206) larger meta-groups, in some embodiments of the invention, the larger meta-groups are predefined at installation. Alternatively or additionally, the meta-groups are defined based on information provided by a human system manager.
Further alternatively or additionally, the meta-groups are automatically identified, by finding base groups having similar profiles, for example during a test period.
In some embodiments of the invention, at least some of the base groups are included in a plurality of different meta-groups. The base groups may each be included in a predetermined number of meta-groups, or the number of meta groups in which each base group is included may vary according to the specific base group.
Optionally, the meta groups include, one or more of: a) long term meta groups formed of a plurality of base groups of consecutive periods; b) similar-time meta groups formed of a plurality of base groups having periods expected to have similar transaction attributes; and c) multi-user meta groups formed of a plurality of base groups of users with similar attributes.
Long term meta groups may include, for example, meta-groups representing transactions of an entire day, work day, week, work week or work month. By comparing the profiles of the base groups to the profile of the long term meta-group, times at which a user behaved very differently, and therefore suspiciously, from other hours, may be determined. Finding only a single transaction during an entire work week that accesses a specific data portion is an example of a suspicious transaction that can be found by comparing base groups to their long term meta groups. In another example, work hours in which a user is extra active, under active, or otherwise performs a suspicious number of transactions, may be identified.
Similar-time meta groups may include, for example, all the base groups of a single user that relate to the same time of day for different days, to the same day in the week, to the same day of the month and/or to the same weather conditions. In some embodiments of the invention, days are classified according to their expected work load and similar time meta-groups relate to days with similar classifications. The classifications may be predetermined or may be determined after the transactions are performed, based on external information (e.g., the stock market rose, high traffic conditions, a large number of workers on vacation) and/or based on an analysis of the transactions performed. For example, similar-time meta groups may be defined for rush hour, beginning or end of quarters or holidays.
Multi-user meta-groups may be defined, for example, for users of similar job definitions, of similar personal classification (e.g., age, gender, marital state) of similar operational environment (e.g., location of work place, terminal type, operating system) and/or similar tenure.
In some embodiments of the invention, meta-groups are defined also for groups of meta-groups, forming a hierarchy of groups. The hierarchy may include three levels, four levels or even more than four levels. The profiles of the high level meta groups may be compared to the profiles of groups of an adjacent lower level or may be compared to lower levels or even to the base groups of the lowest level.
Generating (208) the profiles of the meta-groups is optionally performed based on the profiles of the groups forming the meta groups. Alternatively, the profiles of the meta-groups are generated based on the raw data. In accordance with this alternative, the profiles of the meta-groups may be determined in parallel to, or even before, generation of the profiles of the base groups.
In some embodiments of the invention, all the transactions of the meta-group are given the same weight in generating the profile. Alternatively, different transactions are given different weight, for example, according to the times of the transactions. In some embodiments of the invention, in meta-groups spanning over relatively long periods, old transactions are given less weight in generating the profile. Alternatively or additionally, recent transactions, which have not yet been screened for validity, are given less weight in generating the meta-group profile. In some embodiments of the invention, the profiles of at least some of the meta-groups are generated without using current transactions of base groups which are to be tested for validity. For example, the profiles of similar-time meta groups are optionally generated using the transactions of a test period (i.e., a learning group), in which all the transactions are assumed to be valid. Thereafter, new base-groups are compared to the previously generated profile. Optionally, the previously generated profiles of the meta-groups are updated using the transactions of base groups for which no warnings were generated and/or for groups whose warnings were determined to be false warnings.
Generation of warnings
In some embodiments of the invention, the system manager configures, for each profile parameter, a threshold which is used in determining whether a warning is generated. Alternatively or additionally, at least some of the thresholds are predefined. When a parameter profile has a difference in value greater than its respective threshold between a base group and a meta-group to which it belongs, a warning regarding the base group is generated. Optionally, the thresholds are adjusted dynamically according to feedback received from the system manager regarding warnings generated. Warnings that are marked by the system manager as false warnings optionally cause the threshold to be increased.
The thresholds are optionally based on the confidence intervals of the parameters and/or assumption checks and p-value significance levels. The p-values are optionally selected according to the desired sensitivity of the system and may be, for example, p<.05, p<.01 or p<.001 depending on the desired sensitivity of the system. Different thresholds are optionally defined for different parameters, according to the types of the parameters and the chances that they indicate a breach of authority.
The warnings are optionally generated for each parameter separately. Alternatively, for each base group, the results of all the comparisons indicating a high discrepancy are related to together in determining whether a warning is generated. In some embodiments of the invention, each of the parameters of the profile is assigned a predetermined weight, which qualifies the extent in which the value of the parameter in the base group differs from the value of the parameter in the meta-group. The sum of all the qualified differences optionally serves as a grading of the suspiciousness of the base group. In some embodiments of the invention, suspicion grades are assigned to the base group, for each meta-group related to the base group. A total grade of the base group is optionally assigned according to a weighted sum of the grades for the different meta-groups, the weights being assigned according to the importance levels of the meta-groups.
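The following is an added toy implementation, not the patent's own code, of acts 202-212 of Fig. 2 together with the weighted suspicion grade described above: transactions are divided into per-user 15-minute base groups, a long-term (per-user) and a multi-user (per-role) meta-group are profiled, each base-group profile is compared against both, and parameters whose deviation exceeds a per-kind threshold contribute their weighted deviation to the grade. The transaction log, the profile parameters (a per-user-hour rate, the share of each transaction type and table, the average amount), the thresholds and the weights are all constructed assumptions.

```python
# Added example: base-group / meta-group profile comparison in the style of Fig. 2.
# Not code from the patent; all data, thresholds and weights are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    user: str
    role: str        # shared attribute that forms the multi-user meta-group
    time: datetime
    kind: str        # query / update / insert / delete
    table: str       # data portion accessed
    amount: float    # monetary value involved, 0.0 when none


Profile = Dict[str, float]
SLOT = timedelta(minutes=15)   # base-group period (assumed)
# Per-parameter-kind thresholds and weights (assumed; a system manager would tune them).
THRESHOLDS = {"share": 0.5, "rate": 1.0, "avg_amount": 2.0}
WEIGHTS = {"share": 2.0, "rate": 1.0, "avg_amount": 1.0}


def slot_of(t: Transaction) -> datetime:
    """Start of the 15-minute interval the transaction falls in (act 202)."""
    return t.time.replace(minute=t.time.minute // 15 * 15, second=0, microsecond=0)


def build_profile(txs: List[Transaction], span_hours: float) -> Profile:
    """Acts 204/208. The rate is per user-hour (assumption) so that a single-user
    base group stays comparable with a multi-user meta-group; shares are the
    fraction of transactions of each type and of each table accessed."""
    n = len(txs)
    n_users = max(1, len({t.user for t in txs}))
    p: Profile = {"rate": n / (span_hours * n_users), "avg_amount": 0.0}
    if n == 0:
        return p
    for t in txs:
        for key in (f"share/type={t.kind}", f"share/table={t.table}"):
            p[key] = p.get(key, 0.0) + 1.0 / n
    p["avg_amount"] = sum(t.amount for t in txs) / n
    return p


def deviation(name: str, base: float, meta: float) -> float:
    """Shares (bounded 0..1) use the absolute difference; rate and amount use the
    difference relative to the meta-group value, with a floor of 1.0 so a
    near-zero meta value does not blow up the ratio."""
    if name.startswith("share/"):
        return abs(base - meta)
    return abs(base - meta) / max(abs(meta), 1.0)


def compare(base: Profile, meta: Profile) -> Tuple[float, List[str]]:
    """Acts 210/212: (suspicion grade, parameters whose deviation exceeds the
    threshold). A parameter missing on one side counts as 0.0 there, so a table
    the meta-group never touches is a large share deviation."""
    grade, flagged = 0.0, []
    for name in sorted(set(base) | set(meta)):
        d = deviation(name, base.get(name, 0.0), meta.get(name, 0.0))
        kind = name.split("/")[0]
        if d > THRESHOLDS[kind]:
            flagged.append(name)
            grade += WEIGHTS[kind] * d
    return grade, flagged


def analyse(txs: List[Transaction], day_hours: float):
    """Per base group (user, slot): total grade over the two meta-groups (equal
    meta-group weights, an assumption) and the flagged parameters, prefixed by
    which meta-group ('user' = long-term, 'role' = multi-user) raised them."""
    base, long_term, multi_user, role_of = defaultdict(list), defaultdict(list), defaultdict(list), {}
    for t in txs:
        base[(t.user, slot_of(t))].append(t)
        long_term[t.user].append(t)
        multi_user[t.role].append(t)
        role_of[t.user] = t.role
    metas = {("user", u): build_profile(g, day_hours) for u, g in long_term.items()}
    metas.update({("role", r): build_profile(g, day_hours) for r, g in multi_user.items()})
    results = {}
    for (user, slot), group in base.items():
        bp = build_profile(group, SLOT.total_seconds() / 3600)
        total, flags = 0.0, []
        for key in (("user", user), ("role", role_of[user])):
            g, f = compare(bp, metas[key])
            total += g
            flags.extend(f"{key[0]}:{name}" for name in f)
        results[(user, slot)] = (total, flags)
    return results


def constructed_log() -> List[Transaction]:
    """Constructed sample: two tellers work 09:00-12:00 with the same routine
    (two balance queries and one 100.00 update per quarter hour); in the last
    quarter hour bob instead reads a salary table and posts two 5000.00 updates."""
    day, log = datetime(2005, 3, 1), []
    for user in ("alice", "bob"):
        for i in range(12):
            if user == "bob" and i == 11:
                continue
            at = day + timedelta(hours=9) + i * SLOT
            log += [Transaction(user, "teller", at, "query", "accounts", 0.0)] * 2
            log.append(Transaction(user, "teller", at + timedelta(minutes=5), "update", "accounts", 100.0))
    at = day + timedelta(hours=11, minutes=45)
    log += [Transaction("bob", "teller", at, "query", "hr_salaries", 0.0)] * 4
    log += [Transaction("bob", "teller", at + timedelta(minutes=5), "update", "accounts", 5000.0)] * 2
    return log


if __name__ == "__main__":
    for (user, slot), (grade, flags) in sorted(analyse(constructed_log(), 3.0).items()):
        if flags:
            print(f"WARNING {user} {slot:%H:%M} grade={grade:.2f} {flags}")
```

Only bob's 11:45 base group is reported: its table shares and average amount deviate from both its long-term and its multi-user meta-group, while its transaction rate alone (24 versus roughly 12.5 per user-hour) stays under the rate threshold.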
In some embodiments of the invention, when a warning is generated or when otherwise a relatively high discrepancy is identified between a base group and one or more meta-groups to which it belongs, security monitor 108 performs more in-depth tests on the user to which the base group belongs. For example, each query of the base group may be analyzed separately against external security rules in search of additional suspicious information. Alternatively or additionally, the more in-depth tests may include analyzing the data portions of the database at a higher granularity and/or a more in-depth analysis of other details.
Optionally, lower thresholds are used in cases in which previous warnings were generated. Alternatively or additionally, more in-depth analysis is performed for users having previous warnings. Suspicious actions which may be identified by the monitoring method of the present invention may include, for example, acts in which a user accesses a data portion which the user has never (or nearly never) accessed, which the user does not usually access at the time of the suspicious action and/or which his peers nearly never access. These actions may occur when a user uses his access authorization to view data that the user should not view or to alter data that the user is not supposed to change.
Other suspicious actions which may be identified may be based on the fact that a user generally accesses data portions a predetermined number of times. Accessing a data portion only a single time may be indicative of an access performed for curiosity or mischievous reasons and not for performing a required task, which generally requires a sequence of a plurality of actions. Similarly, a large number of accesses to a single data portion may be indicative of an interest in the specific data by the user, beyond the regular tasks which the user is supposed to perform. In some embodiments of the invention, the determination of whether a data portion was accessed a normal number of times is performed by adding up the accesses of all the users, since a handling sequence may be carried out by a plurality of different workers.
The generation of warnings is not necessarily limited to the identification of unauthorized acts. In some embodiments of the invention, warnings are generated when a data portion is accessed a low number of times, which indicates that the data portion was not handled properly. A user that accesses the database at times when he usually does not access the database and/or at times when his peers are not accessing the database may rouse suspicions that the user is taking advantage of times at which people are not around to perform prohibited transactions. In some embodiments of the invention, when a user becomes over-productive (i.e., performs a substantially larger number of transactions) or under-productive relative to his usual behavior on the same day of the week or day of the month, it may indicate that the user is performing prohibited transactions.
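The two data-portion checks described above, as an added example that is not code from the patent: first, an access to a data portion the user never touched in the learning period and that his role peers nearly never touch; second, data portions whose access count, summed over all users as the text suggests, is a single access or far above the typical count. Data portions are written as "table:row" strings, the learning and current transaction lists are constructed, the median is assumed as the measure of the "normal number of times", and the 5% peer rate and 2x-median factor are assumed thresholds.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample data (not from the patent). Each record is
# (user, role, data portion), where a data portion is "table:row".
LEARNING = [  # accesses during the learning period, assumed legitimate
    ("alice",   "clerk",   "accounts:1001"),
    ("alice",   "clerk",   "accounts:1002"),
    ("alice",   "clerk",   "accounts:1003"),
    ("bob",     "clerk",   "accounts:1001"),
    ("bob",     "clerk",   "accounts:1004"),
    ("mallory", "clerk",   "accounts:1005"),
    ("carol",   "manager", "salaries:7"),
    ("carol",   "manager", "salaries:8"),
    ("carol",   "manager", "salaries:9"),
]
CURRENT = [  # accesses in the monitored period
    ("alice",   "clerk",   "accounts:1001"), ("alice",   "clerk",   "accounts:1001"),
    ("alice",   "clerk",   "accounts:1002"), ("alice",   "clerk",   "accounts:1002"),
    ("bob",     "clerk",   "accounts:1004"), ("bob",     "clerk",   "accounts:1004"),
    ("mallory", "clerk",   "accounts:1005"), ("mallory", "clerk",   "accounts:1005"),
    ("mallory", "clerk",   "salaries:7"),
    ("carol",   "manager", "salaries:8"),    ("carol",   "manager", "salaries:8"),
    ("carol",   "manager", "salaries:9"),    ("carol",   "manager", "salaries:9"),
    ("carol",   "manager", "salaries:9"),    ("carol",   "manager", "salaries:9"),
    ("carol",   "manager", "salaries:9"),
]


def novel_portion_accesses(learning, current, peer_rate=0.05):
    """(user, portion) pairs where the user never accessed the portion in the
    learning period and fewer than `peer_rate` of his role's learning-period
    accesses touched it. `peer_rate` is an assumed threshold."""
    seen = defaultdict(set)            # user -> portions accessed in learning
    role_counts = defaultdict(Counter)  # role -> Counter(portion)
    role_total = Counter()              # role -> number of learning accesses
    for user, role, portion in learning:
        seen[user].add(portion)
        role_counts[role][portion] += 1
        role_total[role] += 1
    flagged = set()
    for user, role, portion in current:
        if portion in seen[user]:
            continue
        peer_frac = (role_counts[role][portion] / role_total[role]
                     if role_total[role] else 0.0)
        if peer_frac < peer_rate:
            flagged.add((user, portion))
    return sorted(flagged)


def abnormal_access_counts(current, high_factor=2.0):
    """Access count per data portion summed over all users; portions accessed
    exactly once or more than `high_factor` times the median count are reported.
    The median as the 'normal' count and `high_factor` are assumed choices."""
    counts = Counter(portion for _user, _role, portion in current)
    typical = median(counts.values())
    return {
        "typical": typical,
        "single": sorted(p for p, c in counts.items() if c == 1),
        "excessive": sorted(p for p, c in counts.items() if c > high_factor * typical),
    }


if __name__ == "__main__":
    print("novel accesses:", novel_portion_accesses(LEARNING, CURRENT))
    print("access counts:", abnormal_access_counts(CURRENT))
```

Summing the counts over all users is what lets the second check tolerate a handling sequence split between several workers; a per-user count would report every one of them as a single access. The same summation is also why the single-access rule cannot by itself say who looked at the record, so the report is a data portion to investigate, not a verdict on a user.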
Changes in the pattern of usually performed transactions (the meta group) by a user during some time period (the base group) can also be used to trigger an alarm. For example, a user that generally performs query transactions and all of a sudden performs an update transaction may be considered suspicious.
In some embodiments of the invention, the rows of one or more tables of a monitored database are divided into subgroups according to geographical areas and/or other logical attributes. A user who usually accesses records corresponding to a specific geographical area, but accesses records of a different geographical area, arouses suspicion. Similarly, a user that usually accesses specific columns is considered suspicious when accessing a column that he and/or his peers do not usually access.
An example of a complex warning generation rule includes identifying transactions that are performed in time periods having a relatively low number of transactions, while the level of complexity of the transactions is not higher than average. This excludes generating warnings for cases in which the relatively low number of transactions is due to their complexity.
It is noted that only a limited number of examples are provided herein to give a feeling of the types of suspicions that may arise. It is noted that many more differences between a base profile and a meta profile may be indicative of suspicious acts. One of the features of some embodiments of the present invention is that there is no need to determine in advance and/or to configure monitoring apparatus with expected suspicious profiles. The suspicious transactions are determined from a general comparison of the profiles of different groups.
The method of Fig. 2 may be used on its own or may be combined with other security methods. In some embodiments of the invention, the meta-groups are searched for recurring transactions. For example, when a specific data cell of the database is accessed a much higher number of times than the average, it may be indicative of suspicious acts. Alternatively or additionally, the transactions may be checked relative to external data, such as the vacation periods of the users, and transactions performed while the user is on vacation may be indicated as being suspicious.
The method of Fig. 2 may be performed periodically, e.g., once a week or once a month, or may be performed continuously, with each new transaction being immediately added to the profiles of the groups to which it belongs and an immediate comparison of the updated profiles to each other and/or to the profiles of their meta-groups. In the above description, warnings are generated based on comparisons of profiles of base groups to profiles of meta-groups. In other embodiments of the invention, single transactions are compared to meta-group profiles. Optionally, each newly received transaction command is compared to the profiles of meta-groups representing groups of users to which the specific user generating the received command belongs. If the received command does not match the profile of one of the meta-groups, a warning may be generated immediately. Alternatively or additionally, the number of transaction commands that do not match a profile of a meta-group relating to a group to which the user belongs is determined, and a user that has many transactions that do not match his user-group profile is identified as suspicious. In an exemplary embodiment of the invention, a meta-group profile is generated for all workers of a specific task. The profile, for example, indicates that update commands are only used between 8:00-9:00 in the morning. If an update command is received during other hours, a warning is generated. In still other embodiments of the invention, each newly received transaction command is compared to meta-groups relating to the time of day of the transaction. The meta-groups optionally relate to small periods, such as less than two hours, less than an hour or even less than 20 minutes. In an exemplary embodiment of the invention, meta-groups are generated for every 5-10 minutes.
If, for example, a profile of 15:00-15:15 shows that in this time period workers perform transactions that access a specific data portion, a warning may be generated for transaction commands performed between 15:00-15:15 that do not access the specific data portion.
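The per-command check against short time-slot meta-group profiles described above, as an added example that is not code from the patent: a learning period builds, for each (worker group, 15-minute slot), the frequency of each (command, data portion) pair; each new command is then matched against its slot's profile, an immediate warning is raised when the pair is unseen or rare there (which covers both the "update commands only in the morning window" profile and the "15:00-15:15 slot accesses one specific data portion" profile), and users accumulating several mismatches are reported. The learning transactions, the slot size, the 5% rarity threshold and the two-mismatch user threshold are assumed for the illustration.

```python
from collections import Counter, defaultdict

SLOT_MINUTES = 15  # assumed meta-group period; the text suggests 5-20 minutes


def slot_of(hhmm):
    """Index of the time slot containing an "HH:MM" time of day."""
    h, m = map(int, hhmm.split(":"))
    return (h * 60 + m) // SLOT_MINUTES


# Constructed learning-period transactions of one worker group (not from the
# patent): (group, time, command, data portion). Updates happen only in the
# 08:00-09:00 window; the 15:00 slots access only the "invoices" portion.
LEARNING = [
    ("clerk", "08:05", "UPDATE", "accounts"),
    ("clerk", "08:20", "UPDATE", "accounts"),
    ("clerk", "08:35", "UPDATE", "accounts"),
    ("clerk", "08:50", "UPDATE", "accounts"),
    ("clerk", "09:20", "SELECT", "accounts"),
    ("clerk", "09:40", "SELECT", "accounts"),
    ("clerk", "15:02", "SELECT", "invoices"),
    ("clerk", "15:09", "SELECT", "invoices"),
    ("clerk", "15:20", "SELECT", "invoices"),
]

# Constructed stream of newly received commands: (user, group, time, command, portion).
NEW_COMMANDS = [
    ("alice",   "clerk", "08:20", "UPDATE", "accounts"),
    ("mallory", "clerk", "08:30", "UPDATE", "accounts"),
    ("mallory", "clerk", "09:15", "UPDATE", "accounts"),   # update outside 08:00-09:00
    ("bob",     "clerk", "15:05", "SELECT", "invoices"),
    ("mallory", "clerk", "15:10", "SELECT", "salaries"),   # wrong portion for this slot
    ("mallory", "clerk", "17:40", "UPDATE", "accounts"),   # slot with no peer activity
]


def build_profiles(learning):
    """(group, slot) -> Counter of (command, portion) pairs seen in the learning period."""
    profiles = defaultdict(Counter)
    for group, hhmm, command, portion in learning:
        profiles[(group, slot_of(hhmm))][(command, portion)] += 1
    return profiles


def check_command(profiles, group, hhmm, command, portion, min_rate=0.05):
    """None if the command fits the group's profile for its slot, else the reason.
    A slot with no learning-period activity is treated as a mismatch, since the
    profile says the group does not transact then. `min_rate` is assumed."""
    prof = profiles.get((group, slot_of(hhmm)))
    if not prof:
        return "no peer activity recorded in this time slot"
    rate = prof[(command, portion)] / sum(prof.values())
    if rate < min_rate:
        return f"{command} on {portion} is rare for {group} in this slot (rate {rate:.2f})"
    return None


def monitor(profiles, commands, user_threshold=2):
    """Immediate warnings per mismatching command, plus users with at least
    `user_threshold` mismatches (assumed value)."""
    immediate, per_user = [], Counter()
    for user, group, hhmm, command, portion in commands:
        reason = check_command(profiles, group, hhmm, command, portion)
        if reason:
            immediate.append((user, hhmm, reason))
            per_user[user] += 1
    suspicious = sorted(u for u, n in per_user.items() if n >= user_threshold)
    return immediate, suspicious


if __name__ == "__main__":
    warnings, users = monitor(build_profiles(LEARNING), NEW_COMMANDS)
    for w in warnings:
        print("warning:", w)
    print("suspicious users:", users)
```

Treating an empty slot as a mismatch is the strict reading of the time-of-day profiles; with a learning period that is too short it also flags legitimate off-hours work, so in practice the learning window should cover several of each weekday before this rule is enforced, or the empty-slot case should be logged at a lower severity than a rare pair in a populated slot.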
Although in the above description the analysis is performed based on the database transactions provided to the database, it is noted that in some embodiments of the invention the analysis may be performed based on the responses of the database to the transactions and/or based on any other representation of the acts of the users.
Databases that could be scanned in accordance with the present invention may represent substantially any data, and the scanning does not depend on the content of the database. That is, except for possibly stating the relations between the base groups and the meta-groups, the generation of warnings is performed without knowledge of the meanings of the data which is scanned, but rather is based on finding suspicious differences between the data at different times and/or for different users, regardless of what the data is. For example, the database may represent monetary records, such as bank-account balances and/or credit card transactions. Further examples of databases which may be monitored using the present invention include databases having personal information, such as police records, medical records and government-controlled databases, such as those including citizen-related information. Other examples include business-related databases, which may include trade secrets, business contacts, accounting, financing, knowledge-base information and/or inventory records. Business-related databases may include R&D-related databases, such as databases relating to procedures, experiments and/or future plans.
It is noted that since the above described invention monitors databases without direct relation to the meaning of their content, the invention may be used to monitor diversely different databases without adaptation. Additional data related to the contents of the database may optionally be used to enhance the monitoring, but is not required for the basic monitoring operations. It is noted that the same monitoring system may be used for diversely different databases of the same organization.
It will be appreciated that the above described methods may be varied in many ways, including changing the order of steps and/or performing a plurality of steps concurrently. It should also be appreciated that the above description of methods and apparatus is to be interpreted as including apparatus for carrying out the methods and methods of using the apparatus.
The present invention has been described using non-limiting detailed descriptions of embodiments thereof that are provided by way of example and are not intended to limit the scope of the invention. For example, instead of identifying misuse for specific users, the procedures may relate to each terminal as a separate entity and relate to the transactions performed from the terminal together. It should be understood that features and/or steps described with respect to one embodiment may be used with other embodiments and that not all embodiments of the invention have all of the features and/or steps shown in a particular figure or described with respect to one of the embodiments. Variations of embodiments described will occur to persons of the art.
It is noted that some of the above described embodiments may describe the best mode contemplated by the inventors and therefore may include structure, acts or details of structures and acts that may not be essential to the invention and which are described as examples. Structure and acts described herein are replaceable by equivalents which perform the same function, even if the structure or acts are different, as known in the art. Therefore, the scope of the invention is limited only by the elements and limitations as used in the claims. When used in the following claims, the terms "comprise", "include", "have" and their conjugates mean "including but not limited to".

Claims

1. Apparatus for monitoring database transactions, comprising: an input interface for collecting information on database transactions; an output interface for providing warnings; and a processor adapted to group transactions received through the input interface into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions, to generate profiles of the transactions of each of the base groups and meta groups, to compare the profiles of at least some of the base groups with profiles of meta-groups with which they are associated and to generate a warning provided through the output interface when compared profiles differ by more than a predetermined threshold value.
2. Apparatus according to claim 1, wherein the processor is adapted to generate profiles of the transactions based on commands directed to the database.
3. Apparatus according to claim 1 or claim 2, wherein the processor is adapted to generate profiles of the transactions based on responses generated by the database, in response to transaction commands.
4. Apparatus according to any of claims 1-3, wherein the processor is adapted to generate the meta groups, such that each of the meta groups includes all the transactions in the base groups with which the meta-group is associated.
5. Apparatus according to any of claims 1-4, wherein the processor is adapted to generate the meta groups, such that at least some of the meta groups include transactions not included in any of the base groups with which the meta group is associated.
6. Apparatus according to any of claims 1-5, wherein the processor is adapted to generate the meta groups, such that the meta groups include transactions having at least one common attribute, and the common attribute is also common to all the transactions of the base groups associated with the meta group.
7. Apparatus according to any of claims 1-6, wherein the processor is adapted to generate the base groups, such that each of the base groups represents transactions performed in a predetermined interval.
8. Apparatus according to claim 7, wherein the processor is adapted to generate the base groups, such that at least some of the base groups represent transactions performed in a predetermined interval shorter than one hour.
9. Apparatus according to claim 7 or claim 8, wherein the processor is adapted to generate the meta groups, such that at least some of the meta groups represent transactions performed in intervals spanning over a plurality of intervals of base groups.
10. Apparatus according to any of claims 7-9, wherein the processor is adapted to generate the meta groups, such that at least some of the meta groups represent transactions performed in intervals of a similar attribute value.
11. Apparatus according to any of claims 7-10, wherein the processor is adapted to generate the meta groups, such that at least some of the meta groups represent transactions performed on a specific day of the week or a specific day of the month.
12. Apparatus according to any of claims 1-11, wherein the processor is adapted to generate the base groups and meta groups, such that each of the base groups represents transactions performed by a specific user and at least some of the meta groups represent transactions performed by a plurality of users having similar characteristics.
13. Apparatus according to any of claims 1-12, wherein the processor is adapted to compare at least one of the profiles of a meta group to a profile of a larger meta-group.
14. Apparatus according to any of claims 1-13, wherein the processor is configured to define value range bins for one or more parameters of the transactions and to determine for each bin, the number of transactions with values within the bin, for at least some of the groups.
15. Apparatus according to claim 14, wherein the processor is configured to determine for each bin at least one statistical value beyond the number of transactions with values within the bin.
16. Apparatus according to claim 14 or claim 15, wherein the processor is configured to define bins for different portions of the database.
17. Apparatus according to any of claims 14-16, wherein the processor is configured to define bins for different sums involved in the transactions.
18. Apparatus according to any of claims 14-17, wherein the processor is configured to define bins for transactions of different complexity levels.
19. Apparatus according to any of claims 14-18, wherein the processor is configured to define bins for different types of transactions.
20. Apparatus for monitoring database transactions, comprising: an input interface for collecting information on database transactions; an output interface for providing warnings; and a processor adapted to construct a profile of database transactions of a group including a plurality of users, to compare one or more database transactions of a specific user to the profile of the plurality of users and to provide a warning through the output interface of a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison.
21. Apparatus according to claim 20, wherein the processor is adapted to construct the profile of database transactions of the group based partially on transactions of the specific user.
22. Apparatus according to claim 20 or claim 21, wherein the processor is adapted to determine a percentage of transactions of each transaction type or complexity level, in constructing the profile.
23. Apparatus according to any of claims 20-22, wherein the processor is adapted to determine an average number of transactions performed in one or more periods, in constructing the profile.
24. Apparatus according to any of claims 20-23, wherein the processor is adapted to construct the profile for a group of users having similar job tasks or similar hierarchy levels in an organization.
25. Apparatus according to any of claims 20-24, wherein the processor is adapted to construct the profile for a group of users having access to the database from a same locality.
26. Apparatus according to any of claims 20-25, wherein the processor is adapted to determine the users included in the group based on transactions performed in a learning period.
27. Apparatus according to any of claims 20-26, wherein the processor is adapted to receive a list of the users included in the group from a human.
28. Apparatus according to any of claims 20-27, wherein the processor is configured to construct the profile based on database accesses in a learning period in which database accesses are considered legal.
29. Apparatus according to claim 20, wherein the processor is adapted to generate a profile of a plurality of transactions of the specific user and to compare the profile of the specific user to the profile of the plurality of users.
30. Apparatus for monitoring database transactions, comprising: an input interface for collecting information on database transactions; an output interface for providing warnings; and a processor adapted to construct an expected profile of database transactions of a specific user, for a specific period of not longer than two hours, to compare a profile of transactions of the specific user in the specific period to the constructed expected profile and to report a potential misuse of the database by the specific user, if a substantial discrepancy is found in the comparison.
31. Apparatus according to claim 30, wherein the processor is adapted to construct the expected profile at least partially based on transactions of the specific user during the specific period.
32. Apparatus according to claim 30 or claim 31, wherein the processor is adapted to determine an expected percentage of transactions of each transaction type or complexity level, in constructing the expected profile.
33. Apparatus according to any of claims 30-32, wherein the processor is adapted to construct the expected profile based on transactions in a period including the specific period, which is at least twice as long as the specific period.
34. Apparatus according to any of claims 30-33, wherein the processor is adapted to construct the expected profile based on transactions of at least an entire work day including the specific period.
35. Apparatus according to any of claims 30-34, wherein the processor is adapted to construct the expected profile based on transactions in a plurality of time periods occurring in a same regularity as the specific period in respective larger time periods.
36. Apparatus according to any of claims 30-35, wherein the specific period is not longer than 20 minutes.
37. A method of monitoring database transactions, comprising: collecting information on database transactions; grouping the transactions into base groups and meta groups, each meta-group being associated with a plurality of base groups, and wherein each group includes a plurality of transactions; generating profiles of the transactions of each of the base groups and meta groups; comparing the profiles of at least some of the base groups with profiles of meta-groups with which they are associated; and generating a warning when compared profiles differ by more than a predetermined threshold value.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IL2005/000235 WO2006090354A1 (en) 2005-02-27 2005-02-27 Detection of misuse of a database

Publications (1)

Publication Number Publication Date
WO2006090354A1 true WO2006090354A1 (en) 2006-08-31

Family

ID=34962267

Country Status (1)

Country Link
WO (1) WO2006090354A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6671811B1 (en) * 1999-10-25 2003-12-30 Visa Internation Service Association Features generation for use in computer network intrusion detection
US20040230530A1 (en) * 2003-02-14 2004-11-18 Kenneth Searl Monitoring and alert systems and methods

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009060328A1 (en) * 2007-11-07 2009-05-14 Sandisk Il Ltd Method and device for digital rights protection
US20130133066A1 (en) * 2011-11-22 2013-05-23 Computer Associates Think, Inc Transaction-based intrusion detection
US8776228B2 (en) * 2011-11-22 2014-07-08 Ca, Inc. Transaction-based intrusion detection
CN105812200A (en) * 2014-12-31 2016-07-27 中国移动通信集团公司 Abnormal behavior detection method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05709131

Country of ref document: EP

Kind code of ref document: A1

WWW Wipo information: withdrawn in national office

Ref document number: 5709131

Country of ref document: EP