Securing DBMS: Characterizing and detecting query floods

Abstract

Current multi-tiered Web-based applications are very often characterized by the use of a database system. Database systems are thus not any longer confined to well-protected environments. In this paper, we focus on a specific type of attack, known as query flood. Under such an attack, a subject, or a colluding set of subjects, floods the database with a very large number of requests thus making the database unable to serve, with adequate response time, requests from honest subjects. The approach we propose is based on modeling access profiles and using these profiles to detect unusual behaviors in the subjects accessing the database. Our approach supports varying granularities in that one can build a single profile for the entire database or build specialized profiles for each table in the database. We employ our techniques both in misuse and anomaly detection settings. An evaluation of the proposed approach has been carried out and some preliminary experimental results are reported. © Springer-Verlag 2004.