Methodology for Detecting Advanced Persistent Threats in Oracle Databases

Transcription

1 Methodology for Detecting Advanced Persistent Threats in Oracle Databases Henry Felch University of Maine at Augusta 46 University Drive, Augusta, ME (207) Loye L. Ray Undergraduate School, University of Maryland University College 3501 University Blvd Easy, Adelphi, MD USA (717) Abstract: Advanced persistent threats (APTs) have become a big problem for computer systems. Databases are vulnerable to these threats and can give attackers access to an organizations sensitive data. Oracle databases are at greater risk due to their heavy use as back-ends to corporate applications such as enterprise resource planning software. This paper will describe a methodology for finding APTs that may be hiding or operating deep within an Oracle database system. Using a deep understanding of Oracle normal operations provides a baseline to assist in discovering APT behavior. Incorporating these into a database intrusion detection system can raise the ability for finding these threats. Keywords: Agents, Advance Persistent Threats, APTs, Logging, Oracle, Profiling Introduction Today s attackers are skilled at using a vast amount of sophisticated tools to gather information and attack their targets (Tankard, 2011). These attackers are using Advanced Persistent Threat (APTs) techniques that are proving hard to detect with todays security appliances. The combination of stealth, zero-day exploits, social engineering and multiple techniques contributes to this problem. Oracle databases are a prime target for attackers using APTs because of their storage of sensitive data. To combat this threat, one needs to establish a means to detect these activities within the database. This paper provides some methods that can help in detecting APTs hiding or operating within oracle databases. The first section briefly describes what APTs are to better understand their purpose and how they operate. The second section describes various techniques to use in detecting them hiding or operating within an Oracle database. Using a combination of these techniques can greatly improve the possibility of finding APTs. Overview of APTs Before one can determine how to detect APTs, they need to understand just what is an APT. Also their means of operating is important to determining how to detect them.

2 What are they? APTs are sophisticated cyber attacks to get valuable information. They use custom malware to gain leverage within a network. They may use a wide variety of tools and techniques to gain access to the target. They can vary their tools and techniques used depending on the target. The attackers are persistent and adjust their tactics to get around any protection mechanism in their way. This makes them difficult to detect and stop. How do they work? APT attackers use an exploitation life cycle composed of seven steps. These include reconnaissance, initial entry, escalate privilege and being persistent in the attack (CA Technologies, 2012; Mandiant, 2010). An attacker selects a target and acquires information about it that can be exploited. They use infiltration by surveillance to gain as much information about the target (Brill, 2010; Sood & Enbody, 2012). Social engineering is an easy way of getting this information. The initial entry into a database can be done using several methods. One way is by the use of Universal Serial Bus (USB) drives loaded with malware or key loggers to gain information (Brill, 2010). Also APT malware can copy itself to the USB stick and spread to other machines that the stick is placed in. Another way is to establish a web site to store their malware and send s to unsuspecting victims. When a user clicks on a URL they are sent to the attackers site and the malicious software is downloaded. Then the malware establishes a command and control (C&C) communications pathway back to the attacker. From here the attacker can perform actions to gather information, destroy data or deface a system. One of these actions is to update the malware code and infrastructure used in the attack. These C&C paths may be encrypted to prevent easy detection (Mandiant, 2010). Now the attacker can look around and establish higher privileges or obtain passwords. They would be interested in discovering administrator accounts since they have elevated privileges into many systems. Next the attacker can install various utilities for carrying out their attack. Now they can establish a foothold and begin stealing data and setting up staging servers. They can also create many infected sites to use. If an infected system is found and taken down, the attacker finds out and moves operations to any infected machine on the same network. They may have several infected systems to use to hide their operations. They can also rotate these around to keep from being found. Thus increasing the difficulty in detecting APTs. Detecting APTs To reduce damages from APTs, one needs to find the malware-infected computers as soon as possible (Liu, Chen & Hung, 2012). To accomplish this requires establishing behavior-based pattern detection techniques to help in finding APTs. These techniques need to be different from detecting malicious applications in network or operating systems because of their design (Kamra, Terzi & Bertina, 2008). This is because APTs are designed for their specific targets. In this case, Oracle databases and files. One also needs to take into account insider threats such as disgruntled employees. Database Administrators (DBAs) are given greater privileges than others and could

3 cause grave damage to organizational data. The methods described will take into account the need to monitor all database activity to include insiders. Establish Dynamic Profiling Intrusion detection systems using anomaly-based techniques find malicious behavior from knowing what is normal. Kamra, Terzi and Bertino (2008) recommend using role-based access control (RBAC) for determining the presence of malicious behavior. Normal user profiles are built using RBAC as a baseline to standardize activities and access. Their method grouped individuals based on their normal behavior. Using this method one should be able to detect anomalies that deviate from the profile (Kamra, Terzi & Bertina, 2008). A classifier such as a neural network could be trained to identify normal behavior and alert when an abnormal behavior is detected. Creating a dynamic profile of how applications and users work helps establish a baseline or whitelist of approved activities (Imperva, 2012; Kamra, Bertino & Lebanon, 2008). Tankard (2011) recommends that this baseline should be complete and locked down to prevent unauthorized changes. All user activity to include use of SELECTs, CREATE, REVOKE, GRANT, UPDATE and stored procedures would be monitored for unusual activities. This makes it easier to determine abnormal activities that can identify APT malware. Scheduled changes to application or users can be used to update the baseline so that it is current. To create this profile takes time to collect and identify normal activities in the database. The profile needs to consist of information describing users, roles and processes at different levels of granularity based on transactions against the database (Kamra, Bertino & Lebanon, 2008; Kundu, Sural & Majumdar, 2010). The benefits out weight the tasks needed to create the profile. Dynamic profiling monitors both Oracle user and application activity and alerts security and DBA personnel when abnormal behavior is discovered. Using dynamic profiling, users and applications can be quarantined until they have been reviewed. The tasks needed to help establish this are described below. User Rights Management Normally APTs exploit the privileges of users for their gain. Attackers try to obtain trusted user accounts and work to get them elevated to administrator rights for accessing more areas in the database (Imperva, 2012). Monitoring any changes to user account privileges can lead to finding the presence of APTs within a database. CA Technologies (CA Technologies, 2012) recommend using privileged identity management for monitoring administration accounts since they can cause the most damage if compromised. User rights management establishes an automated process for reviewing user access rights to determine if excessive rights have been given. Oracle SYSDBA privileges allow one to control the database from outside normal controls (Oracle, 2012). These should be monitored for any unauthorized access or use in case an attacker is using them. Reviewing the ORA_DBA group for any unusual members can help detect the presence of APTs. Also the dab_role_privs and dba_tab_privs tables should be monitored for unauthorized users. Normal users would include the DBAs, object owners or application

4 administrators (Li, Yang, Ren & Hu, 2009). An APT attacker would want to elevate their privileges to allow them the amount of control as a DBA for establishing themselves. Manage Database Changes Another detection scheme for finding APTs is to capture and review all changes to the oracle database. These include changes to users, schemas, stored procedures, triggers and sensitive information stored in the database. Alerts and reports should be established to security and DBA personnel for review. Monitoring of unusual Data Manipulation Language (DML) activity such as INSERT, UPDATES and DELETEs can also be a sign that APT activity is present within the oracle database. All write operations are recorded in Oracle redo logs but is difficult to retrieve (Liu, 2001). However, triggers can be used to collect information regarding the above-mentioned statements. These then can be compared to the baseline for detecting malicious APT activity. The creation, modification or execution of stored procedures and triggers should be restricted to DBAs or authorized personnel. Any other users or accounts attempting to perform these actions could indicate the presence of APT malware. Kamra, Terzi and Bertino (2008) also recommended the fingerprinting of all database transactions. Their idea was focused on SQL statements that may be used to access a database. Creating a baseline pattern of all Oracle SQL statements would be helpful in detecting APTs. A detection engine could be used to compare a stored baseline to current SQL statements being used. It would monitor Data Definition Language (DLL) and DML statements making changes to the Oracle database. The engine would retrieve the information from the Oracle audit files to devise the baseline of normal behavior. This profile will be used in the engine to compare against activity on the database. Surveillance A common action of attackers using APTs is to gather intelligence about their target (Binde, McRee & O Connor, 2011; Tankard, 2011). They do this by port scans to discover what ports and services are running on the Oracle database (Sood & Enbody, 2012). These scans can also disclose the type of Oracle database, which could be used to find exploitable vulnerabilities. NMap is a readily available tool that can perform these scans. Detecting when these scans occur and alerting appropriate personnel can help recognize initial attempts to inject APTs in the database. The database intrusion detection system should be inline with the database to allow detection of these scans. Access to database To access an Oracle database, each user must be assigned access by a database administrator (DBA). Oracle uses profiles to help the DBA put specific controls on using or accessing resources (Paci, Mece & Xhuvani, 2012). In Oracle there are at least 100 privileges a user can be given. There are too many for a DBA to properly track and manage. One example called system privileges gives the user the ability to execute DDL statements that can create and manipulate individual objects (Paci, Mece & Xhuvani, 2012). Attackers can use APTs to gain access to a database and create an account. They can then elevate their rights by use of a GRANT privileges

5 command. Therefore, the DBA should monitor the use of this specific command. Also one should monitor who has system privileges since they can execute ALTER, CREATE, EXECUTE ANY PROCEDURE or DELETE commands to alter database tables (Paci, Mece & Xhuvani, 2012). Users are assigned roles to obtain database privileges. The Oracle Enterprise Security Manager is used for central privilege management. It gathers and stores roles from the Oracle Internet Directory. Groups of individuals are given roles and each role has certain privileges assigned to it. This makes it easier to manage users access to the database. In Oracle there are specific default roles that need to be monitored. The Connect Role gives users the ability to login and create tables (Paci, Mece & Xhuvani, 2012). An advanced role called Resource Role gives users advanced rights such as creating triggers and procedures. A DBA should have a baseline of what triggers and procedures are on the database. That way they can compare current activity with that of the baseline. This can help identify intruders or APTs that may be in the database. The last role is only assigned to DBAs and should be easy to find out if any unauthorized users have this role. There are specific procedures and tables that should be monitored to detect the presence of APTs in Oracle databases. The set_security procedures should be checked to ensure it is enabled. If disabled, it will remove database protection. Another group of procedures define changes to objects or creating objects. These can be important in discovering changes that an attacker may have created a new object in the database. The add_object procedures and remove_object procedures can show changes to protected objects. Grant_permission and revoke_permission procedures changes who can access the object. There are also tables linked to these procedures that should be monitored as well to detect changes from APTs. Security_object table contains information on protected objects while the user_permission table has information who has permission over these objects. The ddl_log would be invaluable to review because it contains information about DDL statements executed by users (Paci, Mece & Xhuvani, 2012). Access to sensitive data is the prime target for attackers using APTs. This checking of any activity that accesses the classified or sensitive data is of prime importance. Any unauthorized extracting of data is a clear sign APTs may be operating in the database. Activity logs can be used to prove the existence of APTs by monitoring the export of large amounts of data from a database like Oracle (CA Technologies, 2012). Any failed or successful use of SELECTs or data changes should be monitored. These can help in detecting the presence of an APT and attacker accessing sensitive data on the database. Failed logins and SQL errors can help pinpoint the attempt of attackers trying to use APTs to gain access to the database. Attackers through the malware may try to access sensitive data using user accounts with elevated privileges. Then the data is packaged and sent back to the attacker or to another malicious server under the control of the attacker. Monitoring this activity will be important to discovering APTs operating in the database. Tracking data exfiltration can be done using watermarks. Using watermarks, scanning software can be used to detect when watermark data is being extracted from the database (Brancik & Ghinita, 2011). It can also track when the data is stored on a compromised server for later exfiltration. APTs want to be stealthy and hide their tracks. Using watermarks on the data defeats this purpose.

6 Since attackers may not be aware of normal database access procedures, they will display a deviation from the way users normally access the database (Kundu, Sural & Majumdar, 2010). This is similar to an impersonation attack. This is when the attacker logs into the database using a stolen account and uses it during unusual times (Wu & Huang, 2009). Also APT attackers may use the authorized user account to attempt access to unauthorized areas. This alerts the security personnel of unauthorized access to database objects (Wu & Huang, 2009). Comparing this activity with baseline information on past normal database access sequences, one should be able to find APT activity in a database. Content-awareness is a method for finding new APT threats. Data intelligence is integrated into any decision on granting access to the database (CA Technologies, 2012). This helps in identifying data access patterns according to CA Technologies (2012). According to CS Technologies (2012), this method looks at changes in data access, use, quality and access frequency to determine abnormalities. An APT having acquired administrator privileges may consistently request access to sensitive data that they may not be authorized to. Also they may read and export large amount of the same data to a remote storage location. Downloading and requesting hundreds of gigabytes of data consistently can also be a clear sign of an APT operating. Suddenly increasing these actions from monthly to daily processes can also be an indication of an APT. Attack Behavior Another way of detecting APT in an Oracle database is to identify abnormal activity. This requires the use of rule-based heuristic analysis to find this activity. All the protocols and applications used within the database will need to be identified and analyzed to detect APTs. The Oracle database dynamic profile will help in identifying where abnormal is operating. This looks at monitoring activities, scanning for unusual activity and how data is being extracted from the database. Discovering abnormal activity by using whitelist technologies can help discover attempts to inject zero-day or unknown threats to the database (Tankard, 2011). Account Changes DBAs are usually the only group that can add or modify user accounts. Attackers may use an already established user account achieved by using social engineering. Then they will try to elevate their privileges to gain more control and access to the Oracle database. To detect this APTs activity, security and DBAs should setup alerts for all privileged activity, schema changes and the creation and modification of user accounts to include roles and permissions. Monitoring Oracle schema changes involve checking on the use of CREAT, DROP and ALTER commends. Changes in user accounts involve reviewing the use of the GRANT and REVOKE commands in Oracle. Suspect Communications Oracle uses very specific ports and services to operate. It is important that no two services used the same port at anytime. It is important to know what ports are running on the database at all times. These ports can be found in the Oracle /etc/services file. Therefore, it is important to

7 monitor communications between the malware and controller using command and control (C&C) traffic. This is because APTs attack patterns may use botnets and rootkits as part of their attack tools for infecting a database (Liu, Chen & Hung, 2012). Liu, Chen and Hung (2012) recommend using a mechanism called retrospective detection that finds infected systems using information about the C&C. In some cases botnets may connect to several C&C systems to prevent detection or for failover (Liu, Chen & Hung, 2012). Detecting the backdoor communications of APTs is made easy by the fact they usually only do outbound transmissions. That is why it s important to analyze all traffic leaving a database since they may exfiltrate sensitive data from the database (Tankard, 2011). These backdoors are used by the malware to call home periodically to check in. APTs can also utilize remote administration tools (RAT) or rootkits to setup these back doors (CA Technologies, 2012). These usually contain a Trojan horse within the APT. The attacker uses these to manage their exploited systems (Sood & Enbody, 2012). Monitoring ports that are used by RAT can help detect the presence of APTs. These may include file transfer protocol (FTP), simple mail transfer protocol (SMTP) and others (Sood & Enbody, 2012). These are not normally used ports for Oracle database servers. According to Sood and Enbody (2012), a misconfigured database server can allow these protocols to be used by attackers to launch attacks. One can detect APTs communicating over unusual ports or traveling to unrecognized destinations (Brill, 2010). Oracle databases use TCP ports to listen for requests. Other TCP ports include for handling processing of requests. Checking for other open ports can indicate the presence of C&C channels on the database. Mandiant (2010) found that backdoors might use UDP protocols as well to disguise their communications. It is also known that APTs may also use Secure Shell (port 22) and IRC (port 6667) for C&C. Listening for these beacons back to the control server can quickly identify the presence of the APTs (Brill, 2010). Szymczyk (2009) supports this and adds that peer-to-peer network (P2P) are also used and should be monitored as well. A known RAT called Poison Ivy uses port 3460 for communicating C&C (Binde, McRee & O Connor, 2011). Any of these ports and services arise not normal traffic communicating with an Oracle database and should be suspect of possible APTs. Sood and Enbody (2012) recommend breaking down C&C protocols using where the communication are coming from, patterns of the communications, and domain reputation. APTs may also use multiple backdoors to hide their C&C channel and provide alternate means to maintain communications. This may add difficulty in determining where the malicious backdoors are. Setting strict communication standards and establishing these in a baseline, one can find these malicious ports and services. One may also want to monitor the table dba_db_links table for unusual links to other databases outside the networks. A normal pattern for APTs is to gather and send captured data to a compromised database for later retrieval. Also APT malware may encrypt the data file going over the C&C channel to mast what they are doing. It can be difficult and costly to try and decrypt the traffic. An APT may also aggregate data into compressed files protected by a password (Binde, McRee & O Connor, 2011). Attackers may compress these files using RAR archive format and transferred using protocols such as FTP (Binde, McRee & O Connor, 2011; Mandiant, 2010). However, all one needs to do

8 is detect the presence of this unusual traffic to assume that something suspicious is going on. Mandiant (2010) found that only 10% of these backdoors were using this method. Also it is not a commonly used method. So another means of detecting APTs is looking for the use of encrypted traffic between an Oracle database and some unknown location. From this data, security personal and DBAs can create fingerprint rules as part of the dynamic profile baseline for rapidly detecting APTs in Oracle databases. Files Hiding APTs can be as simple as putting malware files in unusual places one normally doesn t look for. A good example is putting a cache of files in the recycle bin that can be an indicator of APTs (Brill, 2010). Finding executable programs in this cache should be treated as suspicious and dealt with immediately. APTs may try to access Oracle software libraries to plant executables or alter these libraries. Changes to the Oracle software directory can indicate malicious activity (Oracle, 2012). There may be normal changes to these areas but only by DBAs. Therefore, any unmanaged changes need to be detected before they can compromise the dataset. Any malicious activity within these areas can jeopardize the operation of the database. Processes The DBA should have a complete list of all normal Oracle processes and procedures. This is to facilitate auditing anyone accessing sensitive data. Any unusual activity should be investigated for possible APT malware. The attackers purpose is to find and access this data for possible gain. Finding APTs can be identified when least used applications or external systems are found. Also occasional traffic patterns can be identified in the dynamic profiling baseline as being abnormal. The routine beaconing of APT infected systems is a good example of this occasional traffic. APTs must periodically call back to their controller to check in and receive instructions. An important part of the dynamic profile is to establish normal transaction activities in order that they can be used to compare current transactions. These transactions contain a sequence of database queries composed of SELECT, INSERT, DELETE and UPDATE commands (Kundu, Sural & Majumdar, 2010). Kundu, Sural and Majumdar (2010) suggested using a transaction logger to parse the transactional data to find the specific information needed to compare against the baseline. Using a database ID tag for all transactions to find any dependencies in the data. Then use these against the baseline and log files to find abnormalities (Kamra, Bertino & Lebanon, 2008). Databases may have standing queries that are installed once and execute continuously (Cugola & Margara, 2012). These processes should be addressed in the baseline profile to guard against APTs from disguising their activities as a routine process. Routine monitoring of current standing queries and comparing them to the baseline can detect if an APT is present in the Oracle database. Other signs of APT activity in Oracle databases include off-hour processes running on the database. APTs like to access sensitive data and extract it late at night. It has been found that most attacks occur between 10 PM to 4 AM ET when most users would not be at work (Binde,

9 McRee & O Connor, 2011; Mandiant, 2010). Attackers may decide to extract data over time or all at once. These long sessions or large data transfers can be an indication of APTs in the database. Using the baseline profile can help to identify these processes as APTs. This information is extracted using botnets as part of the APT (Sood & Enbody, 2012). Therefore, detecting the presence or communications being used during non-business hours can help detect an APT operating within an Oracle database. Oracle has another procedure called extproc that allows someone to use the Oracle process account to execute an application located outside the database (Oracle, 2012). This is a normal operation for APTs after they get into a database. Some versions of Oracle have addressed this issue. Versions lower then 11.1 should be monitored for any activity using this procedure (Oracle, 2012). Security changes Attackers using APTs will try to hide their tracks by modifying audit or log files. Once they have elevated privileges, they can delete records in log files to remove any evidence of their activities (CA Technologies, 2012). APTs can also try to access password files to gain more information and elevate privileges to take over a database. A good technique is to monitor any changes to these files. Oracle creates an alert file when specific maintenance action occurs. These include adding a file and modifying a tablespace. This file along with the trace file can help in identifying intruders within the Oracle database. Monitoring access to these files should be done to help in determining the presence of APT activity in the database. Other Methods for Detecting APTs The methods described above can be integrated into automated techniques for detecting malicious behavior such as APTs in an Oracle database. These techniques include a baseline profile, audit logs, database agents and an neural networks. When properly integrated, these elements can help security personnel rapidly find APTs whether hiding or operating in oracle databases. Establish Baseline The first element to prepare is a baseline on normal activities in the database. The DBA should know what processes and users can access the oracle database. Many use TOAD, a database-monitoring tool, to check the activities in the database. Using this dynamic profiling process, DBA and security personnel should obtain enough information to create a baseline of normal activity on the database. The baseline may take weeks to months to collect and devise what is normal activity in the oracle database. They will also need to filter out any activities that are easily recognized as abnormal operations. Enough time and detail should be taken to collect and define the right activities for the baseline. Otherwise, the baseline could cause a high number of false positives making the detection of APTs difficult for the neural network IDS. False positive occurs when the detection systems can t clearly determine if the data shows an intrusion or not. It passes the decision to the human for sorting it out and making the final determination.

10 Developing the baseline is not a one-time event. There will always be changes and updates to the Oracle database that need to be recorded. The baseline needs to capture these and update as necessary. Otherwise, the false positive rate will increase while the detection rate will drop. Hopefully the baseline will not have to be updated more than a few times a year. Setup Auditing After devising the baseline, one needs to collect information on current activities. This will require Oracles log files to be collected. Auditing involves collecting information on SQL statements, privileges, schema and communications activity. Setting up this auditing is very important to detecting APTs. Auditing is used to account for any actions taken by users. Gathering this information will help determine whether an activity is legitimate or not. It will also be used to investigate suspicious behavior as well as the one performing the action. Establish Logging One must turn on Oracle logging in order to begin collecting information on possible APT activity. In Oracle, there are two types of audit records: standard and fine-grained. Enabling standard audit records will collect information on all operations. This will have a negative affect on the database performance and can be more harmful than the APT itself. Fine-grained audit records allow one to devise specific policies that are less harmful than standard audit records. These policies are simple and can record queries and SELECT, INSERT, UPDATE, MERGE and DELETE operations within the Oracle database. These policies are managed by the dbms_gfa package. One must set the parameters for the dbma_fga.add_policy to create finegrained audit policies (Oracle, 2011). The fine-grained audit reports can detect the abnormal activities that APTs do. These include accessing a table after hours or weekends, using remote IP addresses, making modifications to tables, multiple login failures and attempts to login by nonexistent users (Oracle, 2011). Therefore, we want to do finer auditing to capture specific events. The Oracle database audit information is written to the sys.aud$ and sys.fga_logs$ tables (Oracle, 2011). This makes it important to retrieve this information for determining if non-sys users are doing unauthorized activity. This is because only SYS users are allowed to perform DML operations. These tables can also be used to collect information on users who connect using SYSDBA and SYSOPER (Oracle, 2011). One can use a data dictionary view to find information on database activity in Oracle. The dba_fga_audit_train view will show all the audit trail information using fine-grained auditing (Oracle, 2011). Other data dictionary views that are important to detecting APTs include V$PROCESS and V$SESSION_LONGOPS. V$PROCESS has information on current processes running in the Oracle database (Oracle, 2011). This would be good for finding abnormal activity running in the Oracle database. V$SESSION_LONGOPS can be used to detect when an attacker is trying to transfer large amounts of data. These are manual processes and would be time consuming when trying to find APTs quickly. Automating the collection of this and other log data needs to be done so that a neural network IDS can process it. A simple method is to configure syslog to collect and store the information in

11 a file that can be accessed by the database agent. Configuring syslog is accomplished by adjusting the syslog.conf file in Oracle to identify where to store syslog data (Oracle, 2011). The DBA should set this up and use the SYSLOG() function to log the information. Review logs Organizations need to establish and maintain a process for reviewing all security logs and alerts. Their activity or presence can be found if the investigator is as persistent as the threat. APT activity can also be detected using security and activity logs. These should be reviewed daily but automating reports can reduce the workload. Performing timely and routine reviews of the audit logs can help discover APTs before they can cause too much harm (Oracle, 2012). The use of neural networks and database agents can help automate this process. They can collect these logs from multiple databases for correlation and discovery of APT activity. Gartner recommends the use of such database activity monitoring systems for helping detect changes in databases (Kamra, Bertino & Lebanon, 2008). In Oracle, syslog data can be prepared using the fine-grained audit information from sys.aud$ and sys.fga_logs$. Syslog can collect and store this information then send it to the neural network IDS for processing. Also logs should be collected for all possible activity over a long period of time to detect APTs. The reason is that an attack may have happened weeks or months ago (Liu, Chen & Hung, 2012). Every time a user logs in a trace file is created that identifies who and when they accessed the database. Reviewing these logs can help ID APTs. APTs may stay hidden for months before they show themselves (Tankard, 2011). This way one can detect where legitimate credentials could be used in places they shouldn t be (Brill, 2010). So logs can be used to detect abnormal activity. A good example is detecting someone using a person s credentials while they are away. Knowing when people are away or coming from another location. Also after hour activity can be a sign of malicious APTs. It has been found that attackers do most of their activity after normal hours. Use Database Agents The use of database software agents can help automate the detection of APTs. They can be installed and configured within Oracle databases to discover abnormal behavior and alerting the security and DBA personnel. Each agent is composed of a filtering agent and detection engine to discover anomalies in a database (Bhatt, Koshti, Agrawal, Malek & Trivedi, 2011), (Szymczyk, 2009). The filter agent collects information from the database logs and passes them to the detection engine. The detection engine compares the information to established rules. For databases we would use the current profile baseline as the rules to compare against. Agents can monitor activities such as the use of elevated privileges, changes to the database and access to sensitive tables by users. These are installed by system administrators and can detect when they are tampered with. They can send their information in real time thus allowing for a quicker response by appropriate personnel. These agents run continuously and are adaptive to changes in database behavior. They are also mobile and can be moved to other databases in case of possible infections in multiple locations.

12 Agents help to monitor blind spots such as when someone directly accesses the database. Their mining of large amounts of data and events make it an ideal device to use in detecting APTs in Oracle databases. These agents do create overheard on databases and take up CPU cycles (Kamra, Bertino & Lebanon, 2008). However, they communicate directly with the database and monitor changes to the database in places where no one can access. It can also monitor direct connections to the database that DBAs or other privileged users may use. These database agents are specific to the types of databases. This is because each agent needs to be configured to work with different types of database. Our model would use Oracle database agents so that they can collect Oracle specific log and audit data. The syslog and other audit information uses a specific format that the database agent needs to pass onto the neural network IDS engine. The database agent can be used to convert the data to a format for our neural network IDS engine to use when comparing the baseline to it. Neural Networks The heart of any IDS is the engine for analyzing all the information collected to detect APT activity. This engine must be able to take different inputs and determine if the activity is malicious. It will compare input data from database agents and baseline configurations to Oracle log information in order to detect APTs. An anomaly-based intrusion detection technique uses this same method to compare different data to determine abnormal behavior. This method is normally used in neural networks and can be used as a means to automate detection of APTs in a database. The neural network can automate many of the aforementioned techniques and methods for detecting APTs. Any deltas detected can mean the presence of APTs. The neural network would monitor users connection points usually in an application connected to the oracle data. The neural network will collect traffic entering and leaving the database to determine if APT C&C traffic exists. It will also detect if the traffic is encrypted or compressed. This can be a sign of possible APTs communicating with its remote control center. Data about what s going on in the Oracle database needs to be fed to the neural network. This is the job of the database agent. The database agent collects information from the Oracle logs to send to the neural network IDS engine. These logs contain information on current activities going on in the database. Combined with database agents, the neural network can check current database activity against the baseline profile. Before any detection can be done, the neural network will have to be trained. Training is needed to make sure the neural network can recognize legitimate activity. It can be trained on using the baseline from the dynamic profile as a model of normal behavior (Chandola, Banerjee & Kumar, 2009). Once trained to recognize normal activity. This way any abnormality in Oracle database activities can be easily detected. Li, Yang, Ren and Hu (2009) support the use of training intrusion detection system and comparing current behavior against an established model. Another important aspect of the training is that it relies heavily on having a current profile baseline to accurately find APTs. Alerting and Reporting

13 To help neural networks better detect APT behavior, one can configure activity captured and filter on specific events that could be malicious attacks (Binde, McRee & O Connor, 2011). This can be done using all the input systems (database agents, monitoring, etc.) to construct specific alerts. These alerts can be in a form of an or notification via a Web browser console. The neural network can send alerts to security and DBA personnel regarding the presence of APTs whether they are hiding or active in an Oracle database. Routine reports can also be prepared for review in determining patterns where APTs may be hiding or using stealthy methods. The information can be analyzed over time to discover small anomalies in Oracle activity. This is the normal activity of hiding APTs that may be communicating back to their controllers once in a while. Reports can also show how the APT is moving and working within an Oracle database. By correlating different events, one can discover a trail that may lead to an APT. Conclusion APTs can be a security issue and concern for Oracle databases. This becomes more apparent as more databases are used to store sensitive data and accessible globally. Compounding this is the fact that detecting their presence can be difficult and challenging to find. However, using a wide range of detection methods along with neural networks and database agents can help reduce this issue. Thus, its best that the security and DBA personnel be as persistent in their search for APTs as APTs are to attacking a database.

14 References Bhatt, C., Koshti, A., Agrawal, H., Malek, Z. & Trivedi, B. (2011). Architecture for intrusion detection system with fault tolerance using mobile agent. International Journal of Network Security & Its Applications 3(5), pp Binde, B. E., McRee, R. & O Connor, T. J. (2011). Assessing outbound traffic to uncover advanced persistent threat. Retrieved from Binde-McRee-OConnor.pdf Brancik, K. & G. Ghinita, G. (2011). The optimization of situational awareness for insider threat detection. Presented at the First ACM Conference on Data and Application Security and Privacy, San Antonio, TX, February 2011 (pp ). New York, NY: ACM. Brill, A. E. (2010). From hit and run to invade and stay: How cyberterrorists could be living inside your systems. Defense Against Terrorism Review 3(2), pp CA Technologies. (2012). Advanced persistent threats: Defending from the inside out. Retrieved from Defending-From-The-Inside-Out.aspx Chandola, V., Banerjee, A. & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Survey 41(3), pp. 15:1-58. Cugola, G. & Margara, A. (2012). Processing flows of information: From data stream to complex event processing. ACM Computing Surveys 44(3), pp. 62. Imperva (2012). Advanced persistent threat: Are you the next target. Retrieved from Kamra, A., Bertino, E. & Lebanon, G. (2008). Mechanisms for database intrusion detection and response. Presented at the Second SIGMOD PhD Workshop on Innovative Database Research, Vancouver, Canada, 13 June 2008 (pp ). New York, NY: ACM. Kamra, A., Terzi, E. & Bertina E. (2008). Detecting anomalous access patterns in relational databases. The VLDB Journal 17(5), pp Kundu, A., Sural, S. & Majumdar, A. K. (2010). Database intrusion detection using sequence alignment. International Journal of Information Security 9, pp Li, Y., Yang, D., Ren, J. & Hu, C. (2009). An approach for database intrusion detection based on the event sequence clustering. Presented at the Fifth International Joint Conference on INC, IMS and IDC, Seoul, Korea, August 2009 (pp ). Los Alamitos, CA: IEEE Computer Society.

15 Liu, P. (2001). DAIS: A real-time data attack isolation systems for commercial database applications. Presented at the 17 th Annual Computer Security Applications Conference, New Orleans, Louisiana, December 2001 (pp ). Los Alamitos, CA: IEEE Computer Society. Liu, S. T., Chen, Y. M. & Hung, H. C. (2012). N-victims: An approach to determine N victims for APT investigations. Presented at the 13 th International Workshop on information Security Applications, Jeju Island, Korea, August 2012 (pp ). Mandiant. (2010). M Trends: The advanced persistent threat. Retrieved from Oracle. (2011). Oracle Database Security Guide 11g Release 1 (11.1). Retrieved from Oracle (2012). DISA Oracle 11 database security technical implementation guide Version 8 Release 1.9. Retrieved from Paci, H., Mece, E. K. & Xhuvani, A. (2012). Protecting Oracle PLP/SQL source code from a DBA user. International Journal of Database Management Systems 4(4), pp Sood, A. K. & Enbody, R. J. (2012). Targeted cyber attacks: A superset of advanced persistent threats. IEEE Security & Privacy Magazine 99. Szymczyk, M. (2009). Detecting botnets in computer networks using multi-agent technology. Presented at the Fourth International Conference on Dependability of Computer Systems, Brunow, Poland, 30 June 2 July 2009 (pp ). Los Alamitos, CA: IEEE Computer Society. Tankard, C. (2011). Persistent threats and how to monitor and deter them. Network Security 8, pp Wu, G. & Huang, Y. (2009). Design of a new intrusion detection system based on database. Presented at the 2009 International Conference on Signal Processing Systems, Singapore, May 2009 (pp ). Los Alamitos, CA: IEEE Computer Society.