Article code | Journal code | Publication year | English article | Full-text version
455845 | 695580 | 2015 | 18 pages, PDF | Free download
English title of the ISI article
An anomaly analysis framework for database systems
Persian translation of the title
An analysis framework for database systems
Keywords
Anomaly detection, data leakage, risk assessment, database attack classification, alert visualization
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Anomaly detection systems are usually employed to monitor database activities in order to detect security incidents. These systems raise an alert when anomalous activities are detected. The raised alerts have to be analyzed to timely respond to the security incidents. Their analysis, however, is time-consuming and costly. This problem increases with the large number of alerts often raised by anomaly detection systems. To timely and effectively handle security incidents, alerts should be accompanied by information which allows the understanding of incidents and their context (e.g., root causes, attack type) and their prioritization (e.g., criticality level). Unfortunately, the current state of affairs regarding the information about alerts provided by existing anomaly detection systems is not very satisfactory. This work presents an anomaly analysis framework that facilitates the analysis of alerts raised by an anomaly detection system monitoring a database system. The framework provides an approach to assess the criticality of alerts with respect to the disclosure of sensitive information and a feature-based classification of alerts according to their associated type of attack. The framework has been deployed as a web-based alert audit tool that provides alert classification and risk-based ranking capabilities, significantly easing the analysis of alerts. We validate the classification and ranking approaches using synthetic data generated through an existing healthcare management system.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 53, September 2015, Pages 156–173