Databases, such as relational database management systems (RDBMS), provide varying levels of security against database attacks. Database security has usually attempted to prevent malicious modifications to database content or to prevent illegitimate data exfiltration (extraction of information from a database). However, database security has generally involved detecting attacks that resemble past attacks. It is more difficult to detect novel attacks that are unlike any attack that has been experienced before, and as database system vulnerabilities are discovered, new methods of attack are developed.
Some methods of database security apply application-phase analysis to transaction logs after the attacks have already succeeded. Query transaction logs may be mined for suspicious or anomalous behavior, but this basic approach is generally only able to identify attacks after the fact, because the transaction information is not available until the transaction completes. Other methods of database security involve real-time monitoring and rolling back database activity after anomaly detection. However, simple attacks that auto-commit cannot be thwarted by rollback, since the change is already committed by the time it is detected.
Such approaches cannot detect exfiltration attacks that do not attempt to modify the database. Exfiltration attacks are read-only; no transaction is needed. Most update attacks rely on a single Structured Query Language (SQL) statement, for example, to modify a specific record or to drop a table. Assuming the normal workload contains single-statement transactions, these techniques will either generate large numbers of false positives or miss many common attacks.
Database security measures can compare models of SQL queries to the SQL queries of privileged users to detect an attack. Some measures have focused on exfiltration by automatically deriving regular expressions that represent legitimate SQL queries. However, these measures are limited to analyzing table access and syntactic features of SQL queries, and attacks instigated by insiders can look identical to legitimate queries at the syntactic level.
Although such security measures can protect against a wide range of SQL injection attacks, they offer limited protection against insider attacks, which do not rely on convoluted syntax to achieve the adversaries' goals. Other measures apply machine learning techniques to generate signatures of known legitimate or illegitimate SQL queries. However, many security measures rely heavily on the latter signatures, which results in either a) a high false positive rate (when the signatures are broad enough to catch all illegitimate activity) or b) novel threats and insider threats going undetected. Furthermore, security rules are often generated by hand, or hand-tuned based on the applications that access the database. For many insider attacks, or slow exfiltration attacks, many custom rules would need to be generated.
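The limitation described in the two preceding paragraphs, that a syntactic model of legitimate queries passes an insider's slow exfiltration because each query is individually well-formed, can be shown with a small added example (not part of the original text). The allowlist templates, the `customers` table, the user names and the log below are all constructed for illustration, and the volume check is one simple behavioral complement, not a method the text describes.

```python
import re
from collections import Counter

# Constructed syntactic model: regexes over normalized query templates,
# the kind of allowlist a regex-based exfiltration monitor would derive.
ALLOWED_TEMPLATES = (
    r"^SELECT name, email FROM customers WHERE id = \?$",
    r"^UPDATE orders SET status = \? WHERE order_id = \?$",
)


def normalize(sql: str) -> str:
    """Strip literals to '?' and collapse whitespace so only syntax and
    table access remain, which is all a syntactic model looks at."""
    s = re.sub(r"'[^']*'", "?", sql)      # string literals
    s = re.sub(r"\b\d+\b", "?", s)        # numeric literals
    return " ".join(s.split())


def syntactically_legit(sql: str) -> bool:
    """True when the normalized query matches an allowed template."""
    q = normalize(sql)
    return any(re.match(p, q) for p in ALLOWED_TEMPLATES)


def volume_anomalies(log, per_user_limit: int) -> dict:
    """Behavioral complement: count syntactically legitimate reads per
    user and report users whose read volume exceeds the limit."""
    reads = Counter()
    for user, sql in log:
        if syntactically_legit(sql) and normalize(sql).startswith("SELECT"):
            reads[user] += 1
    return {u: n for u, n in reads.items() if n > per_user_limit}


# Constructed audit log: a clerk performs one lookup; an insider walks the
# whole table with the same allowed query shape, one record at a time.
LOG = [("clerk", "SELECT name, email FROM customers WHERE id = 42")] + [
    ("insider", f"SELECT name, email FROM customers WHERE id = {i}")
    for i in range(1, 201)
]

if __name__ == "__main__":
    print(all(syntactically_legit(q) for _, q in LOG))  # every query passes
    print(volume_anomalies(LOG, per_user_limit=50))     # only the volume check flags
```

A classic injection-shaped query such as `... WHERE id = 1 OR 1=1` fails the template match, which is exactly the case the syntactic model handles well; the insider's queries never do.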