%0 Thesis %1 noauthororeditor %A Schindler, Sebastian %D 2021 %K machine_learning ml ransomware security sss-group thesis_supervised_by_SSS_member thesis_supervised_by_sss_member %T Intrusion Detection Using Machine Learning in Databases %X Ransomware is a known threat that had a severe impact on computer security in the past five years. This type of malware has caused financial losses of about $13 Billion in 2017 and 2018 combined. Ransomware makes a user’s data unavailable to them, only granting access again when they pay a ransom. Traditionally, ransomware targeted the computer’s filesystem. Database ransomware is a new variant of the same principle. Instead of targeting individual files, it logs into DBMSs remotely and destroys the data, leaving only a ransom message behind. In most cases, attackers do not create a backup copy of the data. In this case, the data cannot be restored by the attackers, even if the ransom is paid. In 2018, Jobst et al. presented DIMAQS, a MySQL plugin to mitigate these attacks by detecting malicious activity through a Petri net classifier. Our work recognizes the main drawback of this approach: The Petri net cannot be easily adapted to new attack scenarios and has to be re-engineered manually. To solve this problem, we design a machine learning classifier to replace the original one. This approach yields a model that detects all attacks in our tests. Unfortunately, the model also produces a high number of false positives when trying to detect attacks before any harmful queries are issued. Overall, our approach achieves a 85.23% f1-score. The performance impact of the revised plugin is nonexistent for OLAP workloads and stays under 15% for OLTP tasks.

@mastersthesis{noauthororeditor, abstract = {Ransomware is a known threat that had a severe impact on computer security in the past five years. This type of malware has caused financial losses of about $13 Billion in 2017 and 2018 combined. Ransomware makes a user’s data unavailable to them, only granting access again when they pay a ransom. Traditionally, ransomware targeted the computer’s filesystem. Database ransomware is a new variant of the same principle. Instead of targeting individual files, it logs into DBMSs remotely and destroys the data, leaving only a ransom message behind. In most cases, attackers do not create a backup copy of the data. In this case, the data cannot be restored by the attackers, even if the ransom is paid. In 2018, Jobst et al. presented DIMAQS, a MySQL plugin to mitigate these attacks by detecting malicious activity through a Petri net classifier. Our work recognizes the main drawback of this approach: The Petri net cannot be easily adapted to new attack scenarios and has to be re-engineered manually. To solve this problem, we design a machine learning classifier to replace the original one. This approach yields a model that detects all attacks in our tests. Unfortunately, the model also produces a high number of false positives when trying to detect attacks before any harmful queries are issued. Overall, our approach achieves a 85.23% f1-score. The performance impact of the revised plugin is nonexistent for OLAP workloads and stays under 15% for OLTP tasks. }, added-at = {2021-10-03T19:14:22.000+0200}, author = {Schindler, Sebastian}, biburl = {https://www.bibsonomy.org/bibtex/2a6b6369a4b1c6cc1bc364a2e558588a3/sssgroup}, interhash = {1af6d6166e72d55f5cd20f8d12c39d94}, intrahash = {a6b6369a4b1c6cc1bc364a2e558588a3}, keywords = {machine_learning ml ransomware security sss-group thesis_supervised_by_SSS_member thesis_supervised_by_sss_member}, month = apr, school = {University of Würzburg}, timestamp = {2022-10-27T19:28:58.000+0200}, title = {Intrusion Detection Using Machine Learning in Databases}, type = {Master Thesis}, year = 2021 }