Databases That Learn

A new generation of security software studies the way people normally access a database to identify hackers.

Protecting sensitive corporate, medical, and government databases--filled as they are with everything from credit-card numbers to personal health histories--has traditionally been a matter of granting passwords to employees, and allowing varying levels of access depending on users' job duties. But such measures haven't always stopped sophisticated hackers or insiders who stray from their assigned areas.

The latest generation of software goes further: it learns about appropriate database usage patterns, and sounds an alarm if something anomalous happens.

Now Symantec, a leading maker of anti-virus software, is releasing its own learning-based database security product, after a year-long pilot project. The company says the software can protect against insiders, as well as outsiders who find their way past security features and help themselves to sensitive information.

"It learns the behavior of who is accessing what. You put it into 'learn' mode and it figures out who should be asking for what data. If there is an odd request--say, a large list of students' social-security numbers, anything that's not a normal procedure--administrators are notified," says Carey Nachenberg, chief architect at Symantec Research Labs in Santa Monica, CA.

The technology can also be customized to alert administrators when a specific kind of request is made, such as one for multiple credit-card numbers.

Taken together, this approach could have advantages over traditional methods of database security, known as role-based access control. "Organizations have traditionally relied on access controls to meet confidentiality needs," says Sushil Jajodia, director of the center for secure information systems at George Mason University. "Security products typically focus on outsider attacks...but do not protect an organization from malicious insiders. This is one of the first products to address the insider threat."

Symantec says the new technology, announced this week, can detect clever attacks from outsiders, too. For example, most online shopping sites have fields that allow users to search for products. But if just the right queries and characters--such as quotes or asterisks--are put in the right places in a search field, a harmless search for books or videos can become a successful theft of credit-card numbers in the company's database. "This is a common attack, and many websites are vulnerable," says Nachenberg. "In order to catch such a thing, I need to identify that a different query is being sent than what is normal."