Techniques for detection of anomalies in accesses to database systems have been widely investigated. Existing techniques operate in two main phases. The first phase is a training phase during which profiles of the database subjects are created based on historical data representing past users' actions. New actions are then checked with these profiles to detect deviations from the expected normal behavior. Such deviations are considered indicators of possible attacks and may thus require further analyses. The existing techniques have considered different categories of features to describe users' actions and followed different methodologies and algorithms to build access profiles and track users' behaviors. In this chapter, we review the prominent techniques and systems for anomaly detection in database systems. We discuss the attacks they help detect as well as their limitations and possible extensions. We also give directions on potential future research.

View PDF No PDF? Try Arxiv!