77 / 2015-12-21 14:21:37

Anomaly Detection of User Behavior for Database Security Audit Based on OCSVM

Security audit, user behavior, OCSVM, log preprocessing, anomaly detection

In view of the defects of Safety monitoring and comprehensive audit in information network boundaries of State Grid Corporation of China(SGCC), a kind of security audit technology based on One-Class support vector machine(OCSVM) is proposed for the security audit of user access behavior. Firstly, feature selection, syntax parsing of SQL statements and numerical processing of audit log are first completed to obtain the feature vector of user behavior, which can be trained and identified by OCSVM. Then the audit log that reflect the rules of normal behavior in the long-term operation of the database is used as the OCSVM's training input. After training, the OCSVM classifier is trained to build the pattern library of user behavior. Finally, the OCSVM classifier is used to detect the abnormal behavior of database operation, and to realize the security audit of database user access behavior.