Anomaly Detection in a SQL database: A Retrospective Investigation

Abstract: Insider attacks aiming at stealing data are highly common, according to recent studies, and they are carried out in precise patterns. In order to protect against these threats, additional security measures, such as access control and encryption, must be used in conjunction with tools and methods that can detect anomalies in data access. By analyzing the input query syntax and the amount of data returned in the responses, we can deduce individuals' access patterns. Our method is based on SQL queries in database log files, which allow us to build profiles of ordinary users' access behavior by their doctors. Anomalies that deviate from these characteristics are deemed anomalous and thus indicative of possible data exfiltration or misuse. This paper uses machine learning techniques in existing algorithms to detect outliers and aggregate related data into clusters. Due to the sensitivity of the real-world data and restricting access to such datasets, we have developed our logfiles that groups log lines sequentially based on time and access intervals. Generated log files containing known abnormalities are used to demonstrate the use of real datasets. Our findings demonstrate that our method can effectively detect these anomalies, albeit more research by specialists is required to ensure whether the abnormalities detected were appropriately recognized.