A Data-Centric Approach to Insider Attack Detection in Database Systems

The insider threat against database management systems is a dangerous security problem. Authorized users may abuse legitimate privileges to masquerade as other users or to maliciously harvest data. This paper proposes a new direction to address this problem. The authors model users' access patterns by profiling the data points that users access, in contrast to analyzing the query expressions in prior approaches. The data-centric approach is based on the key observation that query syntax alone is a poor discriminator of user intent, which is much better rendered by what is accessed.