DBMS Application Layer Intrusion Detection for Data Warehouses

Ricardo Jorge Santos (1), Jorge Bernardino (2) and Marco Vieira (3)

(1, 3) CISUC – DEI – FCTUC – University of Coimbra – Coimbra, Portugal
(2) CISUC – DEIS – ISEC – Polytechnic Institute of Coimbra – Coimbra, Portugal
(1) lionsoftware.ricardo@gmail.com, (2) jorge@isec.pt, (3) mveira@dei.uc.pt

Abstract. Data Warehouses (DWs) are used for producing business knowledge and aiding decision support. Since they store the secrets of the business, securing their data is critical. To accomplish this, several Database Intrusion Detection Systems (DIDS) have been proposed. However, when using DIDS in DWs, most solutions either produce too many false positives (i.e. false alarms) that must be verified or too many false negatives (i.e. true intrusions that pass undetected). Moreover, many approaches detect intrusions a posteriori which, given the sensitivity of DW data, may result in irreparable cost. To the best of our knowledge, no DIDS specifically tailored for DWs has been proposed. This paper examines intrusion detection from a data warehousing perspective and the reasons why traditional database security methods are not sufficient to avoid intrusions. We define the specific requirements for a DW DIDS and propose a conceptual approach for a real-time DIDS for DWs at the SQL command level that works transparently as an extension of the DataBase Management System (DBMS) between the user applications and the database server itself. A preliminary experimental evaluation using the TPC-H decision support benchmark is included to demonstrate the DIDS' efficiency.

Keywords: Database intrusion detection systems, Database security, Anomaly detection, Misuse detection, Data warehousing

1 INTRODUCTION

Intrusion is a set of actions that attempt to violate the integrity, confidentiality or availability of a system [4, 11, 16]. Intrusion Detection Systems (IDS) detect unauthorized access in an automated way, based on two main approaches: misuse detection, which matches user actions against well-known predefined attack patterns; and anomaly detection, which analyzes user actions to find deviations from an established normal behavior. Many IDS have been proposed, but they mainly focus on the network or operating system level. These IDS are ineffective at detecting application-level attacks, since such attacks appear as authorized commands executed by authorized users, and since network- and OS-level IDS lack knowledge of application-level semantics, the required separation of duties, and the normal working scope of the users. Thus, the best way to avoid these attacks is to place an additional ID layer at the database level, i.e., a Database IDS (DIDS).

Data Warehouses (DWs) are used for producing business knowledge and for decision support purposes, making them the core of enterprise sensitive data, which in some cases is worth millions of dollars. Given the ad hoc and unpredictable nature of decision support queries and the diversity of their data access patterns, the boundary between normal and anomalous behavior is frequently fuzzy, i.e., it is very difficult to
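To make the two approaches named above concrete at the SQL command level, the following added example (illustrative code written for this page, not the DIDS the paper proposes, whose features and rules are not given in this excerpt) sketches a detection layer that sits between an application and the database server. Misuse detection is a list of constructed regular-expression signatures; anomaly detection is a per-user profile of the command types and tables a user has been seen to access, with any command or table outside that profile flagged. Table names follow the TPC-H schema mentioned in the abstract; the user names, the profile features and the rule names are all assumptions of this example.

```python
import re
from collections import defaultdict

# Misuse detection: constructed signatures for command shapes that should never
# reach a read-only decision-support warehouse from an end-user application.
MISUSE_RULES = [
    ("tautology", re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE)),
    ("stacked_statement",
     re.compile(r";\s*(DROP|DELETE|UPDATE|ALTER|TRUNCATE)\b", re.IGNORECASE)),
]

# Feature extraction for anomaly detection: the leading SQL verb and the set of
# tables referenced after FROM/JOIN (a deliberately simple, assumed feature set).
CMD_RE = re.compile(r"^\s*([A-Za-z]+)")
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def extract_features(sql):
    """Return (command verb, frozenset of referenced table names) for one SQL command."""
    match = CMD_RE.match(sql)
    cmd = match.group(1).upper() if match else ""
    tables = frozenset(t.lower() for t in TABLE_RE.findall(sql))
    return cmd, tables


class CommandLevelDIDS:
    """Interposes between applications and the DBMS: profile normal activity,
    then check each incoming command before it is forwarded."""

    def __init__(self):
        # user -> {"commands": set of verbs seen, "tables": set of tables seen}
        self.profiles = defaultdict(lambda: {"commands": set(), "tables": set()})

    def train(self, user, sql):
        """Learn one command observed during a trusted (attack-free) training period."""
        cmd, tables = extract_features(sql)
        profile = self.profiles[user]
        profile["commands"].add(cmd)
        profile["tables"].update(tables)

    def check(self, user, sql):
        """Return a list of (approach, reason) alerts; an empty list means 'looks normal'."""
        alerts = []
        # Misuse detection: match against predefined patterns.
        for name, pattern in MISUSE_RULES:
            if pattern.search(sql):
                alerts.append(("misuse", name))
        # Anomaly detection: compare against the user's learned profile.
        cmd, tables = extract_features(sql)
        profile = self.profiles.get(user)
        if profile is None:
            alerts.append(("anomaly", "unknown_user"))
            return alerts
        if cmd not in profile["commands"]:
            alerts.append(("anomaly", "new_command:" + cmd))
        for table in sorted(tables - profile["tables"]):
            alerts.append(("anomaly", "new_table:" + table))
        return alerts


if __name__ == "__main__":
    # Constructed training data: an analyst who only reads lineitem and orders.
    dids = CommandLevelDIDS()
    dids.train("analyst", "SELECT l_orderkey, l_quantity FROM lineitem")
    dids.train("analyst", "SELECT o_orderdate FROM orders JOIN lineitem ON o_orderkey = l_orderkey")
    for sql in [
        "SELECT COUNT(*) FROM orders",
        "SELECT c_name FROM customer",
        "SELECT * FROM orders WHERE o_custkey = 1 OR 1=1",
    ]:
        print(sql, "->", dids.check("analyst", sql))
```

The second and third probe commands show the trade-off the abstract raises: the legitimate ad hoc query against customer is flagged only because the analyst's profile never contained that table (a potential false positive an operator must verify), while the tautology is caught by a signature regardless of who sends it. Tightening or loosening the profile features moves the detector between the false-positive and false-negative extremes the text describes.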