Data profiling and the access path model: A step toward addressing insider misuse in database systems
In recent years, there has been a significant increase in the use of complex information infrastructures by government, industry, military, and academia. The users of these infrastructures depend heavily on the availability, confidentiality, and accuracy of the information. Despite many advances in intrusion detection systems (IDS), insider misuse, in which the malicious behavior (intentional or accidental) comes from within a system, such as the operating system or a database system, is difficult to detect using IDS. This leaves the mission critical data managed in a database vulnerable to misuse.
The problem of insider misuse is complex and non-trivial. The models and techniques presented in this dissertation take a step toward addressing this problem. The approach is “data-centric” as it focuses on protecting the mission critical data from insider misuse. This approach facilitates the enforcement of information integrity principles of least privilege and accountability. The two major aspects of the approach presented include data profiling framework to describe the data behavior and the access path model to describe access paths to this data from database users, application users, and operating system users. The access path model is enriched further to include profile information regarding the data, their users, and their access correlations. Focusing on relational database systems, a methodology is presented for data profiling based on the observed data values and data accesses over a period of time. Finally, the access path model and the data profiles are used to derive a fine-grained access policy, which forms the basis for preventing, deterring, and detecting insider misuse.