A Database Intrusion Detection System (DIDS) attempts to detect intrusion attempts being made against a database system. A DIDS, in general, operates in two modes: 1) the learning mode and 2) the operational mode.
In the learning mode, a DIDS continuously examines how a database is being accessed and used over a period of time. Based on this examination, the DIDS develops a profile of what constitutes normal activity on the database.
In the operational mode, the DIDS monitors all database activity by examining all access attempts, queries, etc. on the database system. The DIDS compares attempted database activity to the profile of normal activity for the database built by the DIDS during the learning mode. Through this process, the DIDS can determine whether the attempted database activity is normal or not. If a database activity is normal, the DIDS does not take any action. However, if the database activity is abnormal (or anomalous), the DIDS typically sends an alert message notifying an administrator about the abnormal activity.
Intrusion detection systems (including any DIDS) in general can produce a large number of alert messages, including some that are erroneously produced by legitimate activity. Such alert messages are commonly known as false positives.
Additionally, it is not realistic to expect that activity on a database system will remain constant. As business conditions or employee workloads change, the activity of a database system is likely to change.
Whenever there is a change in legitimate activity of a database system due to a change in business conditions (for example end-of-quarter or end-of-year account closing activity) or employee workload, a DIDS will likely start generating false positives.
In such a situation a DIDS loses much of its value. First, it becomes difficult to determine whether the alert messages are due to legitimate or illegitimate activity. Second, a DIDS has no restraint mechanism to account for alert messages that are due to legitimate activity (false positives).
What is needed are computer-implemented methods, computer-readable media and computer systems for reducing false positives generated by database intrusion detection systems, and for enabling retraining of a DIDS as changes in legitimate database activity occur.
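The following Python sketch is an added illustration of the two modes and the false-positive problem described above; it is not code from the original text or from any particular DIDS. The access records, the (user, operation, table) profile representation, the support threshold and the simple retraining step are all constructed assumptions for the example.

```python
from collections import Counter

# Constructed access records of the form (user, operation, table); they stand in
# for the access log a DIDS examines and are not taken from the original text.
LEARNING_LOG = [
    ("app", "SELECT", "orders"), ("app", "INSERT", "orders"),
    ("app", "SELECT", "customers"), ("report", "SELECT", "orders"),
] * 25 + [("dba", "SELECT", "orders")]  # one-off activity below the support threshold

OPERATIONAL_LOG = [
    ("app", "SELECT", "orders"), ("app", "INSERT", "orders"),
    ("report", "SELECT", "orders"),
    ("report", "SELECT", "customers"),  # new, legitimate quarter-end report
    ("report", "UPDATE", "ledger"),     # new, legitimate quarter-end closing
    ("app", "SELECT", "orders"),
    ("app", "SELECT", "payroll"),       # never seen from 'app': genuinely suspicious
]

def learn_profile(records, min_support=2):
    """Learning mode: the profile of normal activity is the set of
    (user, operation, table) patterns observed at least min_support times."""
    counts = Counter(records)
    return {pattern for pattern, n in counts.items() if n >= min_support}

def monitor(records, profile):
    """Operational mode: every record not covered by the profile raises an alert."""
    return [r for r in records if r not in profile]

def triage(alerts, confirmed_legitimate):
    """Split alerts into true positives and false positives, given the set of
    patterns an administrator has confirmed as legitimate new activity."""
    true_pos = [a for a in alerts if a not in confirmed_legitimate]
    false_pos = [a for a in alerts if a in confirmed_legitimate]
    return true_pos, false_pos

def retrain(profile, confirmed_legitimate):
    """Fold confirmed legitimate patterns into the profile so that the same
    activity no longer alerts (a minimal, assumed form of retraining)."""
    return profile | set(confirmed_legitimate)

if __name__ == "__main__":
    profile = learn_profile(LEARNING_LOG)
    alerts = monitor(OPERATIONAL_LOG, profile)
    quarter_end = {("report", "SELECT", "customers"), ("report", "UPDATE", "ledger")}
    tps, fps = triage(alerts, quarter_end)
    print("alerts:", len(alerts), "false positives:", len(fps), "true positives:", tps)
    print("after retraining:", monitor(OPERATIONAL_LOG, retrain(profile, quarter_end)))
```

With the constructed logs, the legitimate quarter-end activity produces two of the three alerts; after the confirmed patterns are folded into the profile, only the unexpected payroll access still alerts.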