Leveraging large language models for SQL behavior-based database intrusion detection
Meital Shlezinger, Shay Akirav, Lei Zhou, Liang Guo, Avi Kessel, and Guoliang Li

TL;DR
This paper presents a two-tiered SQL anomaly detection system leveraging DistilBERT, combining unsupervised and supervised learning to effectively identify both internal and external database intrusions with minimal data labeling.
Contribution
Introduces a novel hybrid approach using DistilBERT for SQL anomaly detection, improving accuracy and efficiency in identifying sophisticated database threats.
Findings
Effective detection of in-scope and out-of-scope SQL anomalies
High precision in internal attack detection with limited labeled data
Reduced false positives compared to traditional methods
Abstract
Database systems are extensively used to store critical data across various domains. However, the frequency of abnormal database access behaviors, such as database intrusion by internal and external attacks, continues to rise. Internal masqueraders often have greater organizational knowledge, making it easier to mimic employee behavior effectively. In contrast, external masqueraders may behave differently due to their lack of familiarity with the organization. Current approaches lack the granularity needed to detect anomalies at the operational level, frequently misclassifying entire sequences of operations as anomalies, even though most operations are likely to represent normal behavior. On the other hand, some anomalous behaviors often resemble normal activities, making them difficult for existing detection methods to identify. This paper introduces a two-tiered anomaly detection…
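The abstract's central complaint is granularity: sequence-level detectors mark a whole session as anomalous when only one statement in it is. The following is an added illustration of operation-level scoring, not the paper's code and not its DistilBERT model: it profiles a constructed baseline of normal SQL for one application role by normalizing literals into statement templates, then scores each statement of a new sequence on its own, so a single unseen table access or unseen template is flagged while the surrounding normal operations are left alone. The baseline log, table names and the `OperationProfile` class are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed baseline of normal activity for one application role
# (hypothetical data, not the paper's dataset).
BASELINE_LOG = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id = 17",
    "UPDATE customers SET email = 'a@x.test' WHERE id = 42",
    "SELECT total FROM orders WHERE customer_id = 42",
    "SELECT total FROM orders WHERE customer_id = 9",
    "INSERT INTO audit_log (actor, action) VALUES ('app', 'login')",
]

TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def normalize(sql: str) -> str:
    """Replace literals with '?' so statements that differ only in values share one template."""
    s = re.sub(r"'[^']*'", "?", sql)   # string literals
    s = re.sub(r"\b\d+\b", "?", s)     # numeric literals
    return re.sub(r"\s+", " ", s).strip().upper()


def tables_in(sql: str) -> set:
    """Crude extraction of table names referenced by a statement."""
    return {t.lower() for t in TABLE_RE.findall(sql)}


class OperationProfile:
    """Per-role profile of known statement templates and tables, built from a baseline log."""

    def __init__(self, baseline):
        self.templates = Counter(normalize(q) for q in baseline)
        self.tables = set().union(*(tables_in(q) for q in baseline))
        self.total = sum(self.templates.values())

    def score(self, sql: str):
        """Score ONE statement; returns (score, reason), higher is more anomalous."""
        new_tables = tables_in(sql) - self.tables
        if new_tables:
            return 1.0, f"touches unseen table(s): {sorted(new_tables)}"
        freq = self.templates.get(normalize(sql), 0)
        if freq == 0:
            return 0.8, "unseen statement template"
        # Rare but known templates get a mild score that never crosses the flag threshold alone.
        return round(0.5 * (1.0 - freq / self.total), 3), "known template"

    def flag_sequence(self, seq, threshold: float = 0.75):
        """Return only the anomalous operations of a sequence, not the sequence as a whole."""
        flagged = []
        for i, sql in enumerate(seq):
            s, reason = self.score(sql)
            if s >= threshold:
                flagged.append((i, sql, s, reason))
        return flagged


def anomalous_indices(profile: OperationProfile, seq) -> list:
    """Positions of flagged statements within a sequence."""
    return [i for i, _, _, _ in profile.flag_sequence(seq)]


# Constructed session: four routine operations with two anomalous statements mixed in.
SESSION = [
    "SELECT id, name FROM customers WHERE id = 99",
    "SELECT total FROM orders WHERE customer_id = 99",
    "SELECT * FROM payroll WHERE employee_id = 3",            # unseen table
    "INSERT INTO audit_log (actor, action) VALUES ('app', 'export')",
    "DELETE FROM customers WHERE id = 5",                     # unseen template
    "SELECT id, name FROM customers WHERE id = 100",
]

if __name__ == "__main__":
    profile = OperationProfile(BASELINE_LOG)
    for i, sql, s, reason in profile.flag_sequence(SESSION):
        print(f"op {i}: score={s} ({reason}): {sql}")
```

Only operations 2 and 4 of the six-statement session are reported; the rest score below the threshold even though the session as a whole contains attacks. A learned model such as the paper's DistilBERT tier would replace the frequency score while keeping this per-operation decision point.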
Taxonomy
Topics: Network Security and Intrusion Detection · Spam and Phishing Detection
