OSEC

From: Stephenson, Peter (Peter.StephensonNETIGY.COM)
Date: Thu Jan 18 2001 - 16:12:29 CST


    Depending upon how the database is set up (i.e., what platform, etc.) you
    may be able to use Intrusion.com's Kane Secure Enterprise. KSE is the old
    CMDS (Computer Misuse Detection System) from SAIC all dressed up in a new
    interface and with some new capabilities. KSE is a statistical profiling
    host-based IDS that can watch for statistical patterns of access. This means
    that once it gets a baseline of "normal" access by various accounts, it
    "knows" that one of those accounts is acting outside of its normal profile
    and alarms. That way if your hacker is masquerading as a legitimate user
    (or if he/she is actually an insider with legitimate access) the departure
    from normal access actions will be noticed by the KSE. Additionally, it can
    be rule-based (like any other log parsing IDS) to do detection of rule
    violations.

    These measures, as Mike points out (directly or indirectly), are reactive.
    You need to look at the kinds of things he mentions to be proactive as well.

    --P

    ____________________________________________
    Peter Stephenson, CPE, PCE
    Director of Technology, Global Security
    Netigy Corporation
    Phone: +1-248-760-1152 - Fax: +1-248-373-9130
    PGP Public Key Available At:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=peter.stephenson%40netigy.com
    If you keep heading in the direction you've always headed, you'll end up
    where you've always been.
    http://www.netigy.com Driving eBusiness PerformanceSM

    > -----Original Message-----
    > From: Mike Ruscher [mailto:Mike.RuscherCSE-CST.GC.CA]
    > Sent: Thursday, January 18, 2001 1:05 PM
    > To: FOCUS-IDSSECURITYFOCUS.COM
    > Subject: Re: Data Mining IDS detection.
    >
    >
    > It sounds like you should be enforcing a security policy to the access of
    > the information. If you are making this information completely publicly
    > available, but have concerns with aggregation to confidential, you should
    > have access controls in place modelled after the policy. It seems like a bit
    > of a contradiction to offer information and then scrutinize its use to
    > finger (ahem) researchers (or competitors) of your public information. What
    > do you propose to do to those you feel are snooping too deeply or widely? If
    > you intend to prosecute, you need to provide a warning advertisement to the
    > effect, but I don't think you would win anyway from the sound of it. I must
    > be missing something here.
    >
    > Now if these researchers are hacking into your information, then you need
    > better defences than the simple data-mining detection. A distributed
    > data-mining attack over a relatively long time frame (below the normal noise
    > level) would beat anything an IDS could do for you, I'd bet. Your database
    > access logs should be adequate, assuming they capture enough relevant
    > information about the accesses.
    >
    > OTOH, maybe, you could use this type of knowledge to feed fictitious
    > information to special targets once identified, assuming that they are even
    > valid and not spoofed somehow. ;)
    >
    > You need to examine who needs to know this price and availability
    > information and set up secure channels of trust between your data and them,
    > based on some form of risk assessment and acceptance. The onus is on the
    > owner of the sensitive info to protect it from such potential attacks.
    > Detection (after the fact) is not prevention. One real good nugget (read
    > aggregated needle in a haystack) could spell the end of an organization!
    > (Even if you can't see the aggregation yourself!!!)
    >
    > Mike Ruscher, ITS Specialist I2, CSE/CST
    > mgruschercse-cst.gc.ca
    > Phone: +1 613 991-8040
    > ED/C200
    > http://www.cse-cst.gc.ca
    >
    >
    > > -----Original Message-----
    > > From: Eric Hacker [mailto:ehackerLUCENT.COM]
    > > Sent: Thursday, January 18, 2001 11:19 AM
    > > To: FOCUS-IDSSECURITYFOCUS.COM
    > > Subject: Data Mining IDS detection.
    > >
    > >
    > > Hello,
    > >
    > > Does anyone know of IDS tools that attempt to detect data-mining activity,
    > > especially with regards to web traffic?
    > >
    > > Here is the scenario: An organization has a database-driven B to (C or B)
    > > website that contains product information (price/availability etc.) that is
    > > variable. In individual quantities, this information is mostly harmless and
    > > necessary to give to the customer. However, in aggregate, this data may give
    > > competitors information that would otherwise be confidential.
    > >
    > > The idea would be to detect data-mining efforts of competitors to aggregate
    > > the data. One must assume that efforts will be made on the part of the
    > > competitor to disguise such activity. It would seem to me, however, that
    > > there are practical limitations on the disguising capability and that IDS
    > > technology looking for anomalous traffic patterns may detect such.
    > >
    > > Anyone have any leads/ideas?
    > >
    > > Due to time constraints, I'm asking this question without being able to do
    > > much research. I apologize if I missed something obvious.
    > >
    > > Thank you,
    > > Eric Hacker, CISSP, GCIA, MCSE, CCSE
    > > Network Security Consultant
    > > Lucent Worldwide Services
    > > "Long gone are the days when one's surname referred to the role
    > > one had in the community."
    > >
    >
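Editor's added example (not code from any poster, nor from KSE/CMDS or any product named in the thread) showing the two detection styles Peter describes, run over constructed web access records for Eric's product-catalogue scenario: a per-account statistical profile (baseline of distinct products viewed per time window, alarm when a window sits more than three standard deviations above the account's norm) and a simple rule (alarm when one account has cumulatively touched more than a fixed share of the catalogue). The log format, the catalogue size, the account names and the thresholds are all assumptions made for the illustration. The "slow" account is there to show Mike's caveat: it never trips the per-window profile because it stays at a normal rate, and only the long-horizon coverage rule catches it; spread the same work across many accounts or source addresses and neither check would fire.

```python
"""Statistical-profile and rule-based detection of catalogue mining.

Added illustration only. All access records are constructed; the log
format, catalogue size, thresholds and account names are assumptions.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

CATALOGUE_SIZE = 1000   # assumed number of product ids on the site
Z_THRESHOLD = 3.0       # profile alarm: window is > 3 sigma above the account's baseline
COVERAGE_LIMIT = 0.25   # rule alarm: one account has touched > 25% of the catalogue

# Assumed record shape: "<account> <window-number> GET /product?id=<pid>"
LINE_RE = re.compile(r"^(?P<acct>\S+) (?P<window>\d+) GET /product\?id=(?P<pid>\d+)$")


def parse(lines):
    """Return {account: {window: set(product ids)}}; non-product hits are ignored."""
    views = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        views[m["acct"]][int(m["window"])].add(int(m["pid"]))
    return views


def build_baseline(views):
    """Per-account mean and population std-dev of distinct products per window."""
    baseline = {}
    for acct, windows in views.items():
        counts = [len(pids) for pids in windows.values()]
        baseline[acct] = (mean(counts), pstdev(counts))
    return baseline


def profile_alarms(baseline, views):
    """Statistical profiling: (account, window, z) for windows far above the account's norm."""
    alarms = []
    for acct, windows in views.items():
        mu, sigma = baseline.get(acct, (0.0, 0.0))
        sigma = max(sigma, 1.0)  # floor so a perfectly regular account can still be scored
        for window, pids in sorted(windows.items()):
            z = (len(pids) - mu) / sigma
            if z > Z_THRESHOLD:
                alarms.append((acct, window, round(z, 1)))
    return alarms


def coverage_alarms(views):
    """Rule-based check: (account, share) for accounts whose cumulative distinct
    products exceed COVERAGE_LIMIT of the catalogue, however slowly they got there."""
    alarms = []
    for acct, windows in views.items():
        seen = set().union(*windows.values())
        share = len(seen) / CATALOGUE_SIZE
        if share > COVERAGE_LIMIT:
            alarms.append((acct, round(share, 2)))
    return alarms


def make_logs():
    """Constructed records. Windows 0-19 are the baseline period, 20-69 the monitored one."""
    lines = []
    for w in range(70):
        # buyer1: a normal customer who keeps revisiting the same 30 products
        lines += [f"buyer1 {w} GET /product?id={(w % 5) * 10 + i}" for i in range(6)]
        lines.append(f"buyer1 {w} GET /about")  # non-product hit, dropped by the parser
        # slow: same rate as buyer1 but never repeats a product (low-and-slow miner)
        lines += [f"slow {w} GET /product?id={(w * 6 + i) % CATALOGUE_SIZE}" for i in range(6)]
        # bulk: normal until window 40, then pulls 60 products at once
        count = 60 if w == 40 else 6
        base = 600 if w == 40 else 500 + (w % 5) * 10
        lines += [f"bulk {w} GET /product?id={base + i}" for i in range(count)]
    return lines


def run():
    """Build baselines from the first 20 windows, then score the remaining 50."""
    views = parse(make_logs())
    train = {a: {w: p for w, p in ws.items() if w < 20} for a, ws in views.items()}
    monitor = {a: {w: p for w, p in ws.items() if w >= 20} for a, ws in views.items()}
    return profile_alarms(build_baseline(train), monitor), coverage_alarms(monitor)


if __name__ == "__main__":
    profile, coverage = run()
    print("profile alarms:", profile)    # bulk, window 40
    print("coverage alarms:", coverage)  # slow, after 50 monitored windows
```

Running it flags "bulk" in window 40 from the profile check alone and "slow" from the coverage rule alone; "buyer1" trips neither. The coverage rule needs an account or other stable identity to aggregate on, which is exactly what a competitor who spreads requests across many identities denies you, so it complements rather than replaces the access controls and logging Mike argues for.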