Intrusion detection in real-time database systems via time signatures

The authors describe a method for intrusion detection applied to real time database systems. The novel idea pursued in this study is to exploit the real time properties of data in intrusion detection. Data objects will be tagged with «time semantics» that capture expectations about update rates that are unknown to the intruders. This is not simply timestamping data. Our notion of time signatures can be used to detect violations of the security policy. For testing purposes, we use intruders that disguise themselves as «normal» transactions, and compare the ability of different numerically quantifiable measures to capture the behavior of the expected update and to recognize intrusions. For instance, by using a hidden periodic update rate, the system can detect unauthorized update requests, as they will likely not occur at the right time, thereby triggering an alarm to the system. The experimental results show that this technique could be a powerful discriminating measure to identify intruders with a low false alarm rate. While the results are presented for real time databases, the idea is also applicable to traditional systems.