Research article (Public Access)

Database Audit Workload Prioritization via Game Theory

Published: 10 June 2019

Abstract

The quantity of personal data that is collected, stored, and subsequently processed continues to grow rapidly. Given its sensitivity, ensuring privacy protections has become a necessary component of database management. To enhance protection, a number of mechanisms have been developed, such as audit logging and alert triggers, which notify administrators about suspicious activities. However, this approach is limited. First, the volume of alerts is often substantially greater than the auditing capacity of organizations. Second, strategic attackers can attempt to disguise their actions or carefully choose their targets, and thus hide illicit activities. In this article, we introduce an auditing approach that accounts for adversarial behavior by (1) prioritizing the order in which types of alerts are investigated and (2) providing an upper bound on how much auditing resource to allocate to each type.

Specifically, we model the interaction between a database auditor and attackers as a Stackelberg game. We show that even a highly constrained version of this problem is NP-hard. We then introduce a method that combines linear programming, column generation, and heuristic search to derive an auditing policy. On synthetic data, we perform an extensive evaluation of how closely our solution approximates the optimal one. Two real datasets, (1) 1.5 months of audit logs from Vanderbilt University Medical Center and (2) a publicly available credit card application dataset, are used to test the policy-searching performance. The findings demonstrate the effectiveness of the proposed methods for searching the audit strategies, and our general approach significantly outperforms non-game-theoretic baselines.
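The abstract describes the auditor as the leader of a Stackelberg game who commits to a randomized audit policy over alert types, with an attacker who observes that policy and picks the alert type to hide behind. The following is an added worked example of that setting; it is not the article's own solver (which combines linear programming, column generation and heuristic search) and uses none of the article's data. It solves the small-game case with the coverage-level argument behind ORIGAMI (Kiekintveld et al., 2009): push the attacker's best achievable payoff down uniformly across every alert type the attacker would consider, until the audit budget runs out, and never waste budget lowering a type below the payoff the attacker can still get from a fully audited type. The `AlertType` payoffs, alert volumes and the audit budget are constructed sample values, and the model assumes auditing always hurts the attacker and helps the auditor.

```python
"""Stackelberg audit game over alert types (added illustration, not the
article's algorithm).  The auditor commits to an audit probability per alert
type subject to a budget of expected audits; the attacker best-responds and,
by the usual Stackelberg convention, breaks ties in the auditor's favour."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AlertType:
    name: str
    volume: int          # alerts of this type raised per audit period (constructed)
    att_caught: float    # attacker payoff when the hostile access is audited
    att_free: float      # attacker payoff when it slips through unaudited
    aud_caught: float    # auditor payoff when the hostile access is audited
    aud_free: float      # auditor payoff when it slips through unaudited


def attacker_utility(a: AlertType, cov: float) -> float:
    """Attacker's expected payoff when alerts of type a are audited with probability cov."""
    return cov * a.att_caught + (1.0 - cov) * a.att_free


def auditor_utility(a: AlertType, cov: float) -> float:
    """Auditor's expected payoff if the attacker hides behind type a."""
    return cov * a.aud_caught + (1.0 - cov) * a.aud_free


def coverage_for_level(a: AlertType, level: float) -> float:
    """Audit probability that pushes the attacker's payoff on type a down to `level`,
    clamped to [0, 1]: a negative value needs no audits, above 1 is unreachable."""
    raw = (a.att_free - level) / (a.att_free - a.att_caught)
    return min(1.0, max(0.0, raw))


def audit_cost(types: List[AlertType], level: float) -> float:
    """Expected number of audits needed to hold every alert type at `level`."""
    return sum(a.volume * coverage_for_level(a, level) for a in types)


def solve_audit_game(types: List[AlertType], budget: float) -> Dict[str, object]:
    for a in types:
        # Auditing must hurt the attacker and help the auditor, otherwise the game is degenerate.
        assert a.att_free > a.att_caught and a.aud_caught >= a.aud_free, a.name
    assert budget >= 0
    # audit_cost(level) is continuous, non-increasing and piecewise linear in `level`,
    # with kinks only at att_free / att_caught values: walk the kinks downward until
    # the budget is exhausted, then interpolate inside that linear segment.
    kinks = sorted({a.att_free for a in types} | {a.att_caught for a in types}, reverse=True)
    level = kinks[0]  # nothing is audited at the top kink, so cost is 0
    for hi, lo in zip(kinks, kinks[1:]):
        cost_hi, cost_lo = audit_cost(types, hi), audit_cost(types, lo)
        if cost_lo <= budget:
            level = lo
            continue
        level = hi - (budget - cost_hi) * (hi - lo) / (cost_lo - cost_hi)
        break
    # A type audited with probability 1 still pays the attacker att_caught.  If that
    # exceeds the budget-limited level, extra audits elsewhere cannot lower the
    # attacker's payoff; they only shrink the set of types it is indifferent between.
    level = max(level, max(a.att_caught for a in types))
    coverage = {a.name: coverage_for_level(a, level) for a in types}
    eps = 1e-9
    candidates = [a for a in types if attacker_utility(a, coverage[a.name]) >= level - eps]
    target = max(candidates, key=lambda a: auditor_utility(a, coverage[a.name]))
    return {
        "coverage": coverage,                                               # audit probability per type
        "workload": {a.name: a.volume * coverage[a.name] for a in types},  # expected audits per type
        "attack_target": target.name,
        "attacker_value": level,
        "auditor_value": auditor_utility(target, coverage[target.name]),
    }


# Constructed sample instance: four alert types from a hospital record-access log.
SAMPLE_TYPES = [
    AlertType("vip_record_access",       volume=40,  att_caught=-5, att_free=10, aud_caught=8, aud_free=-10),
    AlertType("coworker_lookup",         volume=200, att_caught=-2, att_free=6,  aud_caught=2, aud_free=-4),
    AlertType("after_hours_bulk_export", volume=15,  att_caught=-8, att_free=8,  aud_caught=4, aud_free=-12),
    AlertType("self_record_view",        volume=500, att_caught=-1, att_free=3,  aud_caught=1, aud_free=-3),
]

if __name__ == "__main__":
    result = solve_audit_game(SAMPLE_TYPES, budget=60)
    for name, prob in result["coverage"].items():
        print(f"{name:24s} audit probability {prob:.3f}  expected audits {result['workload'][name]:5.1f}")
    print("attacker hides behind", result["attack_target"], "at payoff", round(result["attacker_value"], 3))
```

With a budget of 60 audits the policy spreads work over the three most attractive types and leaves the high-volume, low-value `self_record_view` alerts entirely unaudited, which is the "upper bound per type" behaviour the abstract refers to. Raising the budget to 1000 does not lead to auditing everything: once every type is held at the payoff of a fully audited `self_record_view`, spending more would drive the attacker off the types the auditor prefers to catch it on, so the surplus is deliberately left unused.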


Published in

  ACM Transactions on Privacy and Security, Volume 22, Issue 3
  August 2019
  143 pages
  ISSN: 2471-2566
  EISSN: 2471-2574
  DOI: 10.1145/3328797
  Copyright © 2019 ACM

Publisher

  Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 10 June 2019
  • Accepted: 1 March 2019
  • Revised: 1 January 2019
  • Received: 1 May 2018

Qualifiers

  • research-article
  • Research
  • Refereed