See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/334507095

Hands Off my Database: Ransomware Detection in Databases through Dynamic

Analysis of Query Sequences

Preprint · July 2019

CITATIONS READS

0 131

5 authors, including:

Lukas Iffländer Alexandra Dmitrienko

University of Wuerzburg University of Wuerzburg
26 PUBLICATIONS   51 CITATIONS    41 PUBLICATIONS   2,497 CITATIONS   

SEE PROFILE SEE PROFILE

Samuel Kounev
University of Wuerzburg
313 PUBLICATIONS   4,484 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Automation in Programming Lectures and Exercises View project

MediTrust View project

All content following this page was uploaded by Lukas Iffländer on 04 December 2019.

The user has requested enhancement of the downloaded file.

 Hands Off my Database: Ransomware Detection in Databases through Dynamic
Analysis of Query Sequences

Lukas Iffländer Alexandra Dmitrienko Christoph Hagen

University of Würzburg University of Würzburg University of Würzburg
arXiv:1907.06775v1 [cs.CR] 15 Jul 2019

Michael Jobst Samuel Kounev

University of Würzburg University of Würzburg

Abstract is hard to overestimate – the rapid growth of the data volume

Ransomware is an emerging threat which imposed a $ 5 bil- stored in the databases of service providers, in cloud environ-
lion loss in 2017 and is predicted to hit 11.5 billion in 2019. ments and enterprise data centers, as well as their increasing
While initially targeting PC (client) platforms, ransomware importance, make them attractive attack targets.
recently made the leap to server-side databases – starting Traditionally, attacks on data have aimed to undermine
in January 2017 with the MongoDB Apocalypse attack, fol- confidentiality and authenticity. More recently, however, at-
lowed by other attack waves targeting a wide range of DB tacks against the availability of data, services, and users have
types such as MongoDB, MySQL, ElasticSearch, Cassandra, become common as well – modern attackers deploy ransom-
Hadoop, and CouchDB. While previous research has devel- ware, malicious software that encrypts data and holds the de-
oped countermeasures against client-side ransomware (e.g., cryption key until the victim pays a ransom. They still claim
CryptoDrop and ShieldFS), the problem of server-side ran- the ransom pretending to have encrypted the data. The finan-
somware has received zero attention so far. cial loss from ransomware is significant – it reached 5 billion
In our work, we aim to bridge this gap and present USD in 2017 and is predicted to hit 11.5 billion by 2019 [50].
DIMAQS (Dynamic Identification of Malicious Query Se-
The rise of server-side ransomware While the first ransom-
quences), a novel anti-ransomware solution for databases.
ware attacks targeted client platforms (information stored in
DIMAQS performs runtime monitoring of incoming queries
users’ files), recently such attacks made a leap to server-
and pattern matching using Colored Petri Nets (CPNs) for
side databases that store, accumulate and process (big)
attack detection. Our system design exhibits several novel
data. In January 2017 tens of thousands of MongoDB
techniques to enable efficient detection of malicious query se-
servers were hit in an attack called MongoDB Apocalypse [9,
quences globally (i.e., without limiting detection to distinct
10], followed by a second attack wave targeting MySQL
user connections). Our proof-of-concept implementation tar-
servers [60]. Since then, server-side ransomware attacks
gets MySQL servers. The evaluation shows high efficiency
spread to a wide range of server technologies, including Elas-
with no false positives and no false negatives and very mod-
ticSearch [11], Cassandra [7], Hadoop and CouchDB [8].
erate performance overhead of under 5%. We will publish
our data sets and implementation allowing the community to Attack scenario The typical attack scenario of server-side
reproduce our tests and compare to our results. ransomware observed so far is as follows: First, an attacker
gains remote privileged access to the database database
1 Introduction through the exploitation of configuration vulnerabilities such
as the usage of default passwords 1 . Once connected, they ex-
In today’s era of digital transformation, data has become ecute commands for data enumeration (e.g., to learn names
more critical than ever before. The amount of data we pro- of databases and tables hosted), then drop (delete) data and
duce daily is astonishing – every day hundreds of millions insert the ransom message with instructions how to pay the
of people are taking photos, make videos and exchange mes- ransom. Remarkably, in contrast to client-side ransomware,
sages. Furthermore, data is not only an asset for users nowa- the new attack form wipes the data without making any plain-
days, but has also become the key component of digitization text or encrypted copy, e.g., acting as a wiper. This strategy
and transformation of today’s businesses globally – enter- has, on the one hand, more dramatic implications for the vic-
prises collect data on consumer preferences, purchases, and 1 Note that default passwords and other misconfiguration errors are preva-
trends and use it to optimize their business models and strate- lent real-world problems. For instance, Mirai botnet [1] used similar vulner-
gies. Given such trends, the importance of database security abilities to take over more than 600,000 IoT devices arond the globe.

1
tim, since the data is unrecoverable even if the ransom is Identification of Malicious Query Sequences), signature-
paid. On the other hand, the attack is stealthier, since no based intrusion detection tool that can detect sequences of
intensive and easily detectable operations required, such as malicious queries. Generally, the tool is not limited to ran-
bulk encryption or massive data copying, and no back chan- somware detection and can potentially be applied to detec-
nel to the attacker needed (e.g., for delivering the decryption tion of other attack classes as long as they rely on malicious
key or recovered data) that could be used to trace them back. sequences of queries (e.g., advanced SQL injections aiming
at removing code execution [15]). However, motivated by
Motivation for server-side ransomware to spread While the rise of server-side ransomware we apply it to the problem
server-side ransomware is more recent and to this day less of ransomware detection. We make the following contribu-
widespread than client-side ransomware, there are reasons tions:
why the situation might change quite soon. First, enter-
prises can afford to pay higher ransoms than private users.
• We provide design and implementation of DIMAQS, a
As a comparison, the typical ransom amount for regular
framework that can detect sequences of malicious queries.
users lies in the range of a few hundred dollars. However,
To keep track of queries and to perform detection, our solu-
businesses can pay much more – for instance, in a recent
tion leverages Colored Petri Nets (CPNs) to model the se-
attack, a Los Angeles Hospital paid USD 17 000 of ran-
ries of events used in attacks and to match them to known
som to attackers [49]. Second, in recent years, researchers
malicious patterns. Our system design exhibits several
and antivirus companies developed countermeasures against
novel techniques (dynamic creation of colors, merging of
client-side ransomware. However, to date, no solutions exist
tokens and token expiration) to reduce the complexity of
against ransomware targeting database servers. This lack of
the system representation and achieve better performance.
protection makes databases easy attack targets.
Our framework performs system-wide monitoring and as
Do victims pay the ransom to a wiper? Note that there is such can detect malicious sequences injected through sev-
evidence that even though server-side ransomware is a wiper, eral user sessions and interleaved with benign queries – a
some desperate victims paid the ransom, nonetheless. We quite interesting feature that eliminates most obvious eva-
identified that two known ransomware addresses involved sion strategies. Our implementation targets MySQL, one
in MySQL attacks [60] received 0.6 BTC (equivalent to 3 of the most popular database management systems, and im-
payments). For the attacks against MongoDB, we identified poses only a very moderate performance overhead under
a total of 160 ransom payments to the addresses collected 5%. We realize our solution in the form of a MySQL plu-
in [9], totaling in 26.35 BTC. Moreover, the survey [9] re- gin that is easily installable on existing MySQL servers,
veals that even production systems lack sufficient protection thus preserving compatibility with legacy software. We
by strong passwords and sensible backup strategy: Among will publish the source code on GitHub along with the pa-
123 surveyed ransom victims, only 11% had recent backups, per.
and 8% paid the ransom.
• We apply DIMAQS to the challenging problem of server-
State of the art Existing anti-ransomware solutions are aim- side ransomware. To make detection of such attacks pos-
ing at detection of client-side ransomware only. They follow sible, we analyze previously observed attacks and extract
two dominant strategies: Signature-based detection of mali- their distinctive properties that provide a basis for attack
cious binaries and runtime monitoring and behavioral analy- detection. We then evaluate the effectiveness and practical-
sis for anomaly detection. The first one builds upon detec- ity of our solution using three data sets: Malicious data set
tion of malicious binaries and is typically used by anti-virus recorded by us, and benign query sets from a publication
vendors, while the second strategy originates from research management system and a MediaWiki server. The results
papers [12, 13, 37, 54] and relies on runtime monitoring of demonstrate the high efficiency of our approach with no
file accesses and the detection of malicious activity based false negatives or false positives. We will publish our data
on heuristics, such as access to multiple files, their modifi- sets along with the paper to the benefit of the research com-
cation, and renaming. Unfortunately, both strategies are not munity. To the best of our knowledge, our malicious data
applicable for detection of database wipers. Since in server- set will be the first one publicly available.
side ransomware attack scenario an attacker connects to the
database remotely, there is no malicious binary on the plat-
form that could be detected. Furthermore, monitoring at the Outline. The remainder of this paper is structured as follows.
file system level for abnormal activity is not adequate either In Section 2 we present the necessary background followed
since there is no direct correlation between an attacker’s ac- by system design of DIMAQS in Section 3. In Section 4, we
tivity and file access patterns. reveal the details of our prototype implementation. Prototype
evaluation results are presented in Section 5. After a review
Our contributions In this paper, we aim to improve the se- of the related work in Section 6, we conclude the paper and
curity of database systems and propose DIMAQS (Dynamic outline future work in Section 7.

2
 p1 p1 p1

2 t1 2 t1 2 t1
1 1 1
1 p3 1 p3 1 p3
p2 p2 p2
a) Transition disabled b) Transition enabled c) Transition fired

Figure 1: Demonstration of Petri net execution using a simple example

p1 p1 p1
t1 (1,0) t1 (1,0) t1 (1,0)
1 2 1 1
2 1
2 2 2
(2,1) (2,1) (2,1)
p3 p3 p3
a) Transition disabled b) Transition enabled c) Transition fired

Figure 2: Colored Petri Net example. In comparison to the regular Petri net depicted in Figure 1, the number of required places
is reduced from two to one without reducing functionality.

2 Background at p1 as well as one token from p2 . At the same time, the

transition adds one token to p3 . Figure 1c shows the state
In this section, we provide the necessary background on Petri after the transition firing.
nets and their enhanced version, colored Petri nets. Petri nets are a powerful tool for modeling [5] and allow
for extensions to suit various tasks like queuing Petri nets for
Petri Nets are a commonly used mathematical modeling lan-
performance modeling. In this work, we use colored Petri
guage for the description of distributed systems [51] named
nets, an extension to ordinary Petri nets.
after their inventor Carl Adam Petri. They are a class of dis-
crete event dynamic systems. A Petri net is a directed bipar- Colored Petri Nets (CPNs) enable support for tokens of dif-
tite graph, in which nodes represent places and transitions, ferent types, also known as token colors. Places can now con-
while edges, called arcs, connect either a place to a transi- tain tokens of multiple colors. Arcs can define any combina-
tion or a transition to a place, but never connect two places tion of the colors for the number of input and output tokens.
or two transitions directly. Transitions are events in the sys- This addition allows for making Petri nets more compact.
tem, and places are conditions that need to be satisfied for Figure 2 illustrates the reduction in representation com-
the transition to fire. plexity by presenting a CPN derived from the previous ex-
Places may contain a discrete number of marks called to- ample. The places p1 and p2 depicted in Figure 1 are now
kens. Transitions fire if they are enabled, which is achiev- merged into a single place denoted as p1 , while tokens are
able by placing enough input tokens on the input places – now assigned different colors: Tokens formerly placed in p1
i.e., places directly connected to the transition. The value are now black (1) and those placed in p2 are red (2). The
of the arc defines the number of tokens required per place. transition now requires two black and one red token instead
Once a transition fires, it consumes the required number of of requiring two tokens from p1 and one from p2 . The over-
input tokens from the input places. The transition results in all Figure 2 depicts the same process as before. In Figure 2a,
creating the specified number of output tokens on the places one black token is missing for the transition to be enabled.
with arcs from the transition to them (output places). In Figure 2b this token is added, thus enabling the transition.
Figure 1 shows a simple example of a Petri net. The de- Finally, in Figure 2c the transition has fired, subtracting two
picted Petri net consists of three places (depicted as circles), black and one red token from p1 and adding a black token to
one transition (depicted as a bar), and three arcs. Enabling p3 .
the transition requires three tokens: Two tokens at place p1
and one token at place p2 . In Figure 1a only one token is
available at p1 . Regardless of the total count being three to- 3 Design
kens, with only one token on p1 , the transition is not yet
enabled. Adding another token to p1 in Figure 1b satisfies DIMAQS is the first system that aims at the detection of ran-
the requirement and thus enables the transition. When the somware attacks in databases. In a nutshell, it represents an
transition fires, two tokens are subtracted from the token set intrusion detection system that leverages knowledge about

3
the attack pattern (or signature) and performs real-time sys- tack remotely by connecting to the database using a TCP
tem monitoring and pattern matching to detect intrusion at- connection. Once connected, an attacker gains root ac-
tempts. For pattern matching, we leverage a CPN to encode cess through, e.g., brute-forcing the ‘root’ password of the
the system states and their transitions inside the color infor- database. Next, they enumerate the data in the database
mation to detect when the system transitions to the state as- through retrieval of the list of the databases present. After
sociated with the attack description. that, the attacker creates a new table with an arbitrary name
The usage of (colored) Petri nets is a known technique (e.g., the table with the name ‘WARNING’), either in a new
for pattern matching, and their application to intrusion detec- database (e.g., named ‘PLEASE_READ’) or in an already
tion problems was investigated in previous works [26, 40]. existing database. This table includes a ransom message con-
However, typical application scenarios of CPN-based intru- taining a contact email address as well as payment instruc-
sion detection systems target other environments, e.g., net- tions to a bitcoin address. Finally, the attacker deletes (drops)
works [59] and operating systems [2]. the databases on the server and disconnects.
The application of Petri nets for intrusion detection in The scenario above describes the attack steps recorded
databases was only considered by Hu et al. [26], who aimed in real-world attacks. Additionally, we accept that attack
at detection of anomalies of any sort, not specific to ransom- steps can deviate from this scenario: For instance, an at-
ware. However, they use uncolored Petri nets and leverage tacker could first perform the database deletion and only af-
them to model benign states of a database system rather than ter that insert the ransom message. Also, attackers may use
attack states. Hence, their solution requires a training phase arbitrary names for databases and tables and arbitrary pat-
to gain knowledge about the underlying data structure as well terns for the ransom message. We, however, assume that
as about benign data update patterns. In contrast, our system the attacker demands payments in cryptocurrency (such as
does not require similar training. Moreover, their work is the- Bitcoin or Ethereum) since they provide at least some level
oretical. Hence, they did not provide any implementation or of anonymity in contrast to more traditional payment meth-
evaluation results with which to compare. ods that involve banks2 . We also assume that an attacker
In our work, we aim to fill the gap and address the prob- continues to wipe data and does not aim to keep any data
lem of ransomware attacks targeting databases. As such, we copies, since this would slow down the attack significantly,
investigate the applicability of CPNs for ransomware attack and would require storage on attacker’s side and a commu-
detection in databases. We observe that databases are com- nication channel between the victim and the attacker, which
plex systems and modeling their state regarding dependency demands additional resources and increases chances of expo-
relationships and update patterns, as, e.g., done in [26], may sure. We also assume an attacker does not perform on-site
lead to overly complicated system representations (for large database encryption since we did not identify any standard
and complex databases) and non-trivial overhead. Hence, we SQL commands that could be used to do so.
tackle the problem differently and choose to model malicious
query sequences – an approach which results in a much sim- 3.2 Adversary Model
pler system representation, and independence from the struc-
ture of the underlying data and update patterns. We make the following assumptions about the goal and the
Our approach is system-centric and allows for detection of capabilities of the attacker. The attacker’s goal is to destroy
attacks that are carried out over multiple sessions or multiple the available data and claim the ransom. We assume the re-
user accounts. We also develop several novel techniques that mote attacker who is accessing the server over the Internet
even further to simplify the system representation, namely has no physical access to it. The software running on the
(1) dynamic color creation (creating an infinite color space), server is trusted, i.e., the attacker has no malicious software
(2) token merging and duplication, and (3) token expiration installed on the system. However, the attacker has full ac-
making the use of CPNs practical. cess to the network and can communicate with the DBMS
The remaining part of this section is structured as follows: without any restrictions. Furthermore, we assume an attacker
We first describe a typical ransomware attack scenario (Sec- with administrator-level privileges to the DBMS. This as-
tion 3.1). Next, we present our adversary model (Section 3.2) sumption is often fulfilled in practice since the problem of
followed by the system architecture description (Section 3.3). weak or re-used passwords [33] is well known and not satis-
Finally, we show the interaction of the system components factory solved for over decades. For instance, findings show
when handling incoming queries (Section 3.4). that most of the MySQL servers had no root password set due
to using an insecure default configuration [14]. Alternatively,
an attacker might exploit a security vulnerability like [19] to
3.1 Attack Scenario gain administrator privileges for the database.
We, however, do not assume administrator privileges of
Our attack scenario originates from an analysis of a large-
the attacker to the operating system. Also, we leave DoS
scale ransomware attack targeting MySQL servers that took
place in February 2017 [60]. The attacker performs the at- 2 Since banks are obliged to follow "know your customer" policy.

4
 dynamic and unbounded, conventional Petri nets would be
Database unable to represent all the possible states. This information
Server also provides additional information to the DIMAQS admin-
(1)
istrator in the case of an incident3 .
Query Extensions to CPNs. For our purposes, we extend CPNs
Monitoring (10)
Rewriter with three new features. The first is the dynamic creation
(7) of colors for storing information inside the tokens. The sec-
(2) (11) (6) ond is the ability to merge tokens that are identical except
Incident for their timestamps. This extension improves performance
Controller
Resolution and does not impede classification accuracy. The third ex-
(9)
(3) (5) (8) tension allows for token expiration. Since each place in the
(4) CPN can have timeout information, this feature can be used
Security to limit the time window of analyzed query sequences. It is
Policy Classifier Notifier
highly unlikely that a malicious query sequence spawns over
a long period (e.g., days), since this increases the risk of de-
DIMAQS Plugin
tection and complicates the attack (the database can change
considerably over time). Large or absent timeouts can addi-
Figure 3: System architecture of DIMAQS. Dark grey boxes tionally result in a higher false positive rate since eventually
are components provided by the database, light grey boxes all transitions might be triggered by unrelated queries. The
are components that interface between DIMAQS and the timeout threshold is, therefore, a security parameter, which
database, and white boxes belong to DIMAQS itself. enables a trade-off between effectiveness and false alerts. In
real-world attacks observed so far, attackers did not stretch
malicious query sequences over long periods. Hence, even
attacks are out of our attacker model since an attacker with short timeouts (1-2 minutes) would work well against them.
administrator privileges to DBMS can always cause a denial Attackers might increase the attack time window to avoid de-
of service, e.g., through the creation of fake DBs or tables tection. However, the longer they stay connected, the higher
and exhausting DB’s memory. The attacker wants to perform the burden for them (since the attacks are not generally au-
a hit-and-run attack without considering other services and tomated), and the higher the risk of being uncovered, espe-
ways of communication. cially given the fact that they do not know the currently used
threshold parameter and, hence, have no understanding for
how long they should stay connected to remain undetected.
3.3 System Architecture Security Policy The Security Policy component holds in-
Figure 3 shows the DIMAQS system architecture. DI- formation about patterns of malicious query sequences (or at-
MAQS is comprised of six components: (i) Monitoring, tack signatures). The CPN configuration represents it in our
(ii) Classifier, (iii) Security Policy, (iv) Incident system – it describes CPN’s places, place actions, transitions,
Resolution, (v) Notifier, (vi) Query Rewriter and transition actions, transition conditions, and arcs.
(vii) Controller. The Monitoring and Query Rewriter All places and transitions are named, and the arcs are each
components use the query parser embedded in the database weighted with a value of 1 token. Each place can be assigned
server. Hence, the figure shows them as belonging to both, several place actions executed upon CPN transitions to the
DIMAQS plugin and the database server. In the following, corresponding place. Transitions are used to check for the ex-
we describe the role of every component in more detail. ecution of a (next) step in a malicious query sequence. They
become active when the source place contains at least one
Monitoring The Monitoring component monitors all in-
token. Each transition is assigned one transition action, rep-
coming queries for potentially malicious query sequences.
resenting conditions for incoming queries. For instance, they
Note that this module monitors all queries arriving through
may specify the query type (e.g., query that lists tables) and
different connections, not specific to user sessions. Notifica-
the actual content of the query (such as a table name or a
tions on the occurrence of incoming queries result from the
typical ransom message).
database server’s audit functionality.
A transition may also have an arbitrary number of tran-
Classifier The Classifier component processes the incom- sition conditions which are used to evaluate the token data
ing queries and produces a verdict whether a query is benign from the source place against the query values. Our policy
or malicious. For the classification, DIMAQS uses a CPN includes only one transition condition, ensuring ransom mes-
with our extensions. The token colors are used to attach run-
time information to the tokens, such as time-stamps, table 3 Note that DIMAQS administrator and database administrator are differ-

names and modified cell values. Since such token colors are ent entities

5
 TabCreated Incident Resolution When an event in the Classifier com-
CreateTab
InsertMsg ponent issues an action, an action must be carried out by the
Incident Resolution module. Possible actions are “cre-
Initial1
ListDB DelDB ate backup,” “rewriting” and “create notification.” Incident
MsgInserted Resolution performs the rewriting of malicious queries as
Initial2 DBListed well as creates backups.
DelTab
Create backup action. Whenever the system detects a po-
ListTab
Initial3 TabListed Noti f yAdmin tential attack, the Incident Resolution component will
move the database, or the table dropped by an attacker to
ListCol ModTab Always a safe place instead of deleting it. The backup copy is invisi-
ColListed Ob jDel
ble to users (and, hence, from the attacker) so that an attacker
cannot drop it again or even identify that such a backup ex-
Figure 4: The CPN used to classify database transactions.
ists. To hide backed up tables and databases from users,
All arcs are weighted with a value of 1 token.
Incident Resolution uses a "rewriting" action. While
States: Initial x : initial states; List x : objects listed, TabCreated :
performing such a move, Incident Resolution renames
table created; Ob jDel : object (database or table) deleted;
the protected tables to avoid name collisions.
MSGInserted : ransom message inserted; Noti f yA dmin: noti-
fication sent Rewriting Action. Rewriting actions rewrite queries to ex-
Transitions: List DB : list databases; List Tab : list tables; List Col clude tables and databases created by DIMAQS. The Query
list columns; CreateTable : create table; DropTable : drop table; Rewriter component performs these actions.
Modi f yTable : modify table; Insert Msg : insert ransom mes-
sage Notification action. Notification actions are used by the
Incident Resolution component whenever there is a need
Place Description to notify an administrator about a detected attack. The
DBListed Rewriting Notifier component performs this notification as described
TabListed Rewriting below.
Col Listed Rewriting
TabCreated Trigger creation Notifier The Notifier component informs about security
Ob jDel Create backup incidents by sending an email to the DIMAQS administrator.
Noti f yAdmin Create notification The gathered information relevant to the incident is attached
to the notification so that the administrator can evaluate the
Table 1: Configured actions for the places inside the CPN in incident and respond accordingly (e.g., restore the deleted
Figure 4. When a token reaches a place, the specified action table).
can be executed.
Query Rewriter The Query Rewriter component rewrites
queries to exclude tables and databases created by DIMAQS
sage insertion into a previously created or modified table. from query results. For a ‘rewriting’ action, the Query
We depict the CPN that was tailored to the observed at- Rewriter receives the name of the table and, if applicable,
tacks configured according to our security policy in Figure 4. the name of the database from the Incident Resolution
Table 1 shows the place actions executed after putting a token component. If the queries are nested, the Query Rewriter
on the place. extracts them into sub-queries, rewriting each sub-query sep-
Transitions fire when an action occurs that is specified as arately. For instance, a query dropping a table will be rewrit-
malicious by the Security Policy component. Note, that ten to move the table to a safe storage space. This operation
no single action alone is enough to transit the CPN to the happens without any indication to the attacker. Additionally,
"attack detected" state. Typically, the sequence of actions some statements that list tables and databases will be rewrit-
would be required, and their execution requires a specific or- ten to exclude the hidden information from query results.
der (defined by the CPN configuration) to reach the state that
corresponds to attack detection. Controller The Controller component connects all other
The policy is easily adaptable to include new attack sig- DIMAQS system segments. It is the central element that or-
natures by modifying the Petri net. While reconfiguration is chestrates the processing of incoming queries by other com-
a manual process, it is not cumbersome and can be accom- ponents, e.g., through invocation of the Classifier com-
plished in a reasonable amount of time4 . ponent to classify the query as malicious or benign, or the
Incident Resolution component to initiate incident reso-
4 Our estimate is 30 min. lution upon attack detection.

6
3.4 Component Interaction Per default, the MySQL server does not provide any event
that returns the atomic values of database elements affected
Figure 3 depicts the interaction between the components dur-
by INSERT, UPDATE, and DELETE queries. These queries
ing query processing. The database server first receives the
are typical for the use in attacks like mimicry, e.g., for the
query and then notifies Monitoring (1). If Monitoring
insertion of ransom messages. To allow us to access the
raises an alert for a potentially malicious query type, the
atomic values, we create triggers. We generate “before IN-
Controller is notified (2). The Controller then forwards
SERT/UPDATE” triggers for every table. In these triggers,
the suspicious query to the Classifier (3) for evaluation.
we execute a user-defined function. This function forwards
The Classifier is configured using the security policy from
the values affected by the queries to the controller for evalu-
the Security Policy (4) and returns the classification re-
ation.
sult to the Controller (5). There are two possible outcomes:
As detailed in the MySQL trigger syntax [14], a trigger be-
the query’s classification is either benign or malicious. In
comes associated with a table named tbl_name. This name
a former case, the Controller terminates its actions, and
must refer to a permanent table, which means that a trigger
the server executes the query as-is (10). In the latter case,
does not applay to a temporary table or a view. This limita-
the query is considered malicious, and the Controller
tion does not affect our solution since it is unlikely that an
calls Incident Resolution (6), which in turn backs up
attacker would attack data stored in temporary tables.
dropped tables and rewrites the malicious query using Query
Rewriter (7). It then invokes the Notifier to inform
the administrator about an incident (8). The Controller 4.2 Component Implementation
then receives the rewritten "disarmed" query from Incident In the following, we detail the implementation of DIMAQS
Resolution (9). The database server then executes the modules.
query (10). The Controller informs Monitoring when ad-
Monitoring Additional triggers are required to access infor-
ditional objects need to be observed (11), e.g., when a query
mation that is not transparent to the DIMAQS plugin when
creates new tables.
using MySQL’s audit features. Trigger creation occurs when
loading the plugin, and existing triggers are recreated af-
4 Implementation ter server startup since the database structure might have
changed. Trigger creation within so-called “stored proce-
DIMAQS design is generic and can be applied to different dures” or “stored functions,” the conventional concepts sup-
database technologies. For the sake of illustration, we have ported by the MySQL server is not possible. Due to this lim-
chosen to prototype it for MySQL servers – our implementa- itation, the creation must be within the plugin code. The
tion is realized as MySQL plugin compatible with MySQL function dimaqs_plugin_init() performs the creation of
server versions 5.7.x. To function, DIMAQS requires our the additional triggers and is called directly after initializa-
own Petri net implementation library libPetri as well as the tion of the server and before entering the listening state.
mysqlservices library provided by the MySQL server. We dimaqs_plugin_init() creates a trigger for every non-
chose the C++11 language for DIMAQS since it is the de- virtual database. Virtual databases are databases that con-
fault language for MySQL plugins. DIMAQS consists of tain read-only views rather than base tables and have no
4908 lines of code (LoC), while libPetri results in 1008 LoC. database files associated with them. Hence, protection of vir-
tual databases is not necessary.
4.1 Plugin Integration The INSERT and UPDATE triggers call eval_value(). Sev-
eral values are passed to that function, namely (1) schema
The plugin is loaded during MySQL server start-up and reg- name, (2) table name, and (3) new column values. Using this
isters itself as an auditing plugin. structure, we can identify inserted/updated values.
The MySQL server plugin interface provides notifica-
Classifier The Classifier is implemented using our library
tions [14] for the following useful events:
libPetri. libPetri is a C++ library implementing the func-
• MYSQL_AUDIT_CONNECTION_CLASS, tionality of colored Petri nets. It includes dynamic coloring,
• MYSQL_AUDIT_CONNECTION_CONNECT, token timeout and token merging features mentioned above.
Since libPetri has been developed explicitly for DIMAQS, it
• MYSQL_AUDIT_CONNECTION_DISCONNECT, carries no additional feature overhead. Thus, libPetri con-
• MYSQL_AUDIT_PARSE_CLASS, tains all necessary functionality within around 1008 of LoC.
• MYSQL_AUDIT_PARSE_POSTPARSE. libPetri keeps track of all active transitions. Since all our
arcs in Classifier are weighted with the value one as seen
Notifications of the MYSQL_AUDIT_PARSE_CLASS class in Figure 4, active transitions have tokens on all input places.
provide an event of a single to-be-executed query. Queries, If the to-be-classified query matches the action attributed to
however, could also be nested. an active transition, that transition fires. When transferring

7
a token to a place with an associated action, that action ex- ProLiant DL360 Gen9 server [16]. The server is equipped
ecutes with the corresponding parameters. Until completion with a single 8-core Haswell generation Xeon E5-2640 CPU
of these actions, the Classifier does not accept additional with a base clock of 2.60 GHz and a turbo clock of 3,40 GHz
queries. and packaged with a total of 20 MB of cache [32]. Simul-
Security Policy The Security Policy is a database that taneous multithreading is enabled allowing the execution of
contains tables holding the information about the actions that 16 threads in parallel. The server features 32 GB of DDR4
can fire transitions (e.g., the regular expression for detecting RAM at 2133 MHz with dual channel capability. A 500
the ransom message) and the places with their associated ac- GB 3.5-inch hard drive provides storage I/O turning at 7.200
tions. Classifier processes this information on startup and rpm.
during classification. For the operating system, we chose Ubuntu 16.04.4 LTS
running Linux kernel 4.4.0-121. To provide a DBMS to eval-
Incident Resolution The Incident Resolution backs
uate against we install and run MySQL server 5.7.22 on this
up dropped databases and deleted values. The renaming
server.
of databases is not trivial due to MySQL limitations.
All tests are executed directly on this server. Thus, the
MySQL added a command to carry out a database re-
network is not a limiting factor for the benchmarks. Due to
naming called ’RENAME DATABASE <database_name>.’
the performance of the server, the resources consumed by
However, this command was only active through a
the client running in parallel to the server are expected to be
few minor releases before its discontinuation. The
negligible, and their performance influence is therefore not
simplest way to rename a database is to move its ta-
evaluated in this work.
bles to another database. Each moved table requires
recreation of the affected triggers. Table renaming fol- Data Sets We employ three data sets during our evalua-
lows the following schema “<storagespace>.<object tion. The first set (malicious set) includes malicious query
prefix>_<dbname>_<tablename>_<timestamp>” with sequences, which we generated ourselves using information
storagespace being a preconfigured variable of DIMAQS. about real-world attacks collected at [60]. Our resulting
The function renameTable() performs this renaming. query set contains query sequence permutations with an ex-
If a database drop occurs, renameDatabase() calls the pected malicious classification, as well as their possible per-
renameTable() for every table. mutations (since an attacker may execute them in an arbitrary
For backup actions, a ’DROP DATABASE <db_name>’ order). The full test set contains 13 485 tests. Each test con-
does not require rewriting. However, before executing, re- tains nine queries. The first five queries of each test are to set
nameTable or renameDatabase is executed to back up the up two databases and a table at the beginning of the experi-
database tables. ment and remove them at the end. Relevant to the detection
are four queries: (i) listing all databases, (ii) creating a table,
Notifier The Notifier sends an email with all transmit-
(iii) inserting a ransom message into this table, and (iv) drop-
ted information about the suspected attack to the administra-
ping a table or database. Therefore, the set performs 53 940
tor. The administrator’s address can be configured inside the
queries in total.
database or in a configuration file.
The second set (Bibspace set) is from the publication man-
Query Rewriter The Query Rewriter rewrites a query by agement system Bibspace [53], which was gathered over 40
adding a WHERE/AND condition to hide sensitive informa- days from 13th of April 2018 to 22nd of May 2018 and
tion or rewrites it entirely, e.g., for backup operations. contains a total of 52 085 queries. Among them, 24 430
Controller The Controller is implemented using the visi- are CREATE_TABLE_IF_NOT_EXISTS queries, 8 357 INSERT
tor design pattern. This visitor extracts the nested statements queries, and 38 DROP_TABLE_IF_EXISTS queries.
from inside to outside. It then forwards each extracted query The third query set (MediaWiki set) is from a locally run
to Classifier. MediaWiki [47] with the Semantic MediaWiki [55] plugin en-
abled, collected for 50 days from 3rd of April 2018 to 22nd of
May 2018. Containing 2 514 764 queries, it includes 69 261
5 Evaluation INSERT statements, 29 830 CREATE_TEMPORARY_TABLE
statements, and 29 797 DROP_TEMPORARY_TABLE statements.
In this section, we describe our test setup and evaluate our im- We will publish the data sets along with the paper, to allow
plementation with regards to effectiveness and performance. third parties to reproduce our tests and to enable follow up
We conclude by discussing security considerations. works to compare with our results.

5.1 Test Setup 5.2 Effectiveness

Testbed To execute performance and security tests, we use In the following, we evaluate the precision of the classifier
the following setup. For the database server, we use an HPE module. Thus, we evaluate whether a wrongful classification

8
 Query set Initial1 Initial2 Initial3 DBListed TabListed ColListed TabCreated Ob jectDeleted Noti f yAdmin
Bibspace 1 1 1 2 2 0 24 0 0
MediaWiki 1 1 1 7 5 1 0 0 0

Table 2: Petri net state after execution of query sets

of benign queries as malicious (false positives) or malicious

query sequences as benign (false negatives) occurs. 100 100 95.398.2 95.496.1
100
Security Policy: The execution policy for the Classifier is

throughput in %
as described in Section 3.3. Our policy is quite generic in the 80
sense that we do not look for specific table or database names,
but instead detect the removal or renaming of any table or 60
database. However, we are looking for a specific pattern of
40
the ransom message. We search for the occurrence of a BTC
or Bitcoin string inside the inserted message since attackers 20 sysbench
until now requested ransom in Bitcoins5 . We used the regular MediaWiki
expression ’(\d*[.]){0,1}\d+\s*(BTC|Bitcoin)’ (case insensi- 0
tive). The matching expressions are, e.g., 5 BTC|Bitcoin, .5 disabled initialized all active
BTC|Bitcoin, 20.1 btc|Bitcoin. plugin state
False Negatives: To test for false negatives, we used the at-
tack set described in Section 5.1. After processing all the Figure 5: Performance influence of DIMAQS for sysbench
queries from the data set by our CPN, we achieved 100% at- and MediaWiki. Values are normalized to the respective
tack detection rate and received no false negative result. This value for the disabled plugin.
result confirms that our CPN correctly models each attack
from our malicious data set. Test Transactions relative to
False Positives: To test for false positives, we choose to use per second baseline [%]
the Bibspace set and the MediaWiki set. The sets contain mean stdev conf mean stdev conf
a total of 2 566 849 benign queries. The Classifier per- int int
forms classification of every set. Afterward, the Classifier sysbench
disabled 9 245 28 ±9 100.0 0.3 ±0.1
state shows, if DIMAQS wrongfully detected attacks and
initialized 8 806 30 ±11 95.3 0.3 ±0.1
how many false detections occurred. If tokens reach place full 8 823 19 ±7 95.4 0.2 ±0.0
N in Classifier, their number represents raised alerts. For MediaWiki
this evaluation, we disable the token timeout, to increase the disabled 2 008 5 ±2 100 0.2 ±0.1
potential for false positives. initialize 1 971 7 ±2 98.2 0.3 ±0.1
Table 2 shows the population of the CPN after running all full 1 930 6 ±13 96.1 2.9 ±0.3
the queries from the Bibspace set through Classifier. No
token has reached the state N, that would have triggered an Table 3: Performance without the plugin, with the plugin en-
alert to the administrator. Next, the Classifier processed abled, and with tokens in each Petri net state.
the queries of the MediaWiki set. Table 2 shows the state
of CPN from Figure 4 after classification. Again, no token state. Sysbench benchmarks were run for 60 seconds per it-
has reached the state N, and no ransom attack was detected, eration, while the MediaWiki set was classified entirely every
which is a favorable result. time. We performed every benchmark for over 50 iterations.
Table 3 shows the resulting measurements (database transac-
5.3 Performance Evaluation tions per second). We report average values with standard
deviation and confidence intervals (5% quantile according
To evaluate the performance of the DIMAQS plugin, we used to the Student’s t-distribution). Figure 5 visualizes these re-
two data sets: The MediaWiki set described in Section 5.1 sults.
and the synthetic benchmark sysbench [38]. We use sys- The results show that the usage of the DIMAQS plugin re-
bench 0.4.12 with 16 active threads. We performed three sults in performance degradation of about 5 % for sysbench.
performance benchmarks: (1) without the plugin as a base- There is no substantial difference whether the Petri net is only
line measure, (2) operating on a newly initialized Petri net, initialized or entirely populated (overlapping confidence in-
and (3) with a fully occupied Petri net with tokens in each tervals). This marginal difference suggests that the overhead
5 Our policy can be trivially extended to detect ransom messages request- is not a result of querying the Petri net, but from analyzing
ing payments in other cryptocurrencies. and parsing the queries themselves. For the MediaWiki set

9
performance degradation is about 2% for the initialized Petri SIA [22,23] checks the application code for SQL queries gen-
net and 4% for an entirely populated net. This time, the in- erating automata for each query to match against dynamic re-
fluence of the set population has a more significant impact. quests during operation. SQLCheck [57] validates queries by
Our proof-of-concept prototype is not yet optimized for adding a key at the beginning and the end of each user’s input
performance. Neither DIMAQS nor libPetri has received ex- and validate syntactic correctness of the "augmented" queries
tensive profiling for potential bottlenecks. Also, no compiler at runtime. In contrast to our work, all these approaches con-
optimizations were enabled. Thus, performance improve- centrate on the analysis of single queries, while we aim at
ments are likely possible. the detection of malicious query sequences.
Intrusion detection frameworks [3, 6, 58] analyze database
audit logs to detect anomalous queries by matching against
5.4 Security Considerations role profiles. In contrast to our work, their analysis con-
In the following, we discuss potential attack scenarios centrates on irregular access patterns of single SQL queries.
against DIMAQS itself and show, how our system defends Moreover, their analysis is bound to user profiles, while DI-
itself against them. MAQS performs global monitoring across user sessions.
DIMAQS disabling: An attacker may try to disable DI- DAIS [42] and the solution by Liu et al. [43] combine
MAQS to avoid detection. However, such a scenario would intrusion detection with the dynamic isolation of malicious
and suspicious activities through rewriting of SQL state-
not be successful, since administrative privileges to the
database are insufficient to perform this task. One would ments. As a result, potentially malicious modifications are
need to have administrative privileges to the file system to performed on a shadowed incremental copy of the database.
manipulate corresponding config files. As an additional bur- In our work, we use a similar approach to preserve copies of
den, it is also non-trivial for an attacker to detect that the the values affected by potentially malicious queries.
system runs under DIMAQS observation because the Query The most similar work to ours is by Hu et al. [26,27], who
Rewriter component of DIMAQS rewrites the queries in proposed an intrusion detection system for databases using
such a way that it excludes information about DIMAQS from (uncolored) Petri Nets. However, Hu et al. choose to model
the results. data dependency relationships and regular data update pat-
terns and then detect anomalies, while we model malicious
DIMAQS triggers removal: A next possible attack vector query sequences and compare the sequences captured at run-
is specific to MySQL implementation, which uses triggers. time with the derived model. As such, their system requires
An attacker may attempt to delete triggers, which are used to knowledge about the legitimate state of the system, while
deliver additional information to the DIMAQS plugin. our approach represents a signature-based misuse detection
To defend against this attack vector, DIMAQS detects the system and needs knowledge about attack patterns. As a re-
removal of DIMAQS-specific triggers. Their absence be- sult, our solution applies to databases of arbitrary complexity
comes obvious, whenever the plugin does not receive infor- and without the need to learn about underlying data structure
mation about atomic values affected by the queries. Upon de- (which can be complex), while the solution by Hu et al. re-
tection, DIMAQS generates a notification for the DIMAQS quires a training phase to gain knowledge about the database
administrator and backups all the databases and tables af- under protection. On a positive side, their approach is likely
fected by subsequent queries. to detect previously unseen malware. The feasibility of the
approach by Hu et al. however was not practically verified,
6 Related Work since authors concentrated on theoretical aspects and did not
provide any implementation and evaluation. Their concept
In this section, we provide an overview of the related work in also relies on several assumptions that simplify the model but
three domains: (i) intrusion detection for databases, (ii) ran- might be too restrictive in practical scenarios. For instance,
somware detection, and (iii) application of Petri Nets for in- they assume low database load and that users only update
trusion detection in various application domains. the database through a limited number of fixed transactions
Intrusion Detection for Databases There is a plethora of modifying the same data items. Our solution, in contrast, op-
previous works on intrusion detection systems in databases, erates on databases of arbitrary complexity and with good
but none of them explicitly focused on detection of ransom- performance.
ware so far. The first line of works in this category con- Lee et al. [41] target real-time databases with regular ac-
centrate on detection of SQL injections. Fonseca et al. [18] cess patterns, which occur, e.g., in data collection from sen-
and Kemalis et al. [34] detect anomalies in SQL commands sors. They use time signatures to capture expectations about
given a training set of known valid query structures or their update rates and flag unexpected and possibly malicious op-
specifications. Buehrer et al. [21] and Bockermann et al. [4] erations. DIWeBa [52] is an anomaly-based intrusion clas-
use tree structure when parsing SQL statements and then dy- sifier for web databases that works at the session level by
namically compare them with the intended queries. AMNE- fingerprinting user sessions. DIDAFIT [44] models benign

10
query sequences and maps them to a directed graph, where level and are effective in recovering encrypted files without
graph vertices represent query signatures. Enforcement of impacting performance or lifetime.
sequence orders on the graph prevents anomalous queries. The related work presented in this section targets client-
In contrast to our work, solutions above require a training side crypto-ransomware and is not applicable for detection
phase to learn the benign behavior of users, manual setup and of wipers at databases, as those do not use crypto primitives
knowledge of the database content, or to construct graphs of and do not access the file system directly.
benign queries. Petri Nets and State Analysis Previous work has explored
Mathew et al. [46] argue that query classification based on the concept of state analysis and more specifically the use
syntax is more error-prone than observing the accessed data of Petri nets for intrusion detection. Kumar et al. [39, 40]
points since syntactically similar queries can produce signif- present a generic model and a misuse detection system for
icantly different results. Their system is another example of OS kernel audit logs using CPNs. This work is conceptu-
observing anomalous database access patterns, which need a ally comparable to our work regarding the use of a Petri net
training phase or some predetermined knowledge of accept- to match attack patterns but focuses on intrusions in UNIX
able behavior. systems. Ilgun et al. [31] also focus on UNIX systems and
It is also possible to perform intrusion detection through use states and transitions to identify the necessary steps for
complex event processing (CEP) [45]. Romano et al. [17] penetrations, resulting in a flexible rule-based system to de-
propose a generic framework for intrusion detection through tect intrusions. Similarly, Shieh et al. [56] propose a pattern-
CEP, where they examine different intrusions, including pol- oriented model with system states and transitions to iden-
icy violations, buffer overflows and SQL injections. It should tify context-dependent patterns of intrusion. USTAT [30]
be noted that CEP is not a single algorithmic concept, but is a similar state transition analysis tool for UNIX systems,
rather the more general idea to infer not directly observable which describes penetrations as sequences of state changes
events from multiple, related events. In a way, our implemen- and uses rule-based analysis of audit trails to identify intru-
tation with CPNs acts similarly, observing individual queries sions. Ho et al. [25] describe the use of Petri nets for intru-
that together form a ransomware attack. On the other hand, sion detection through the example of privilege escalation,
CEP systems are mostly merely a monitoring and informa- again in UNIX systems. Helmer et al. [24] describe a general
tion processing tool, while our solution includes active com- approach using Software Fault Trees to create CPNs for intru-
ponents, such as the automatic table backup functionality. sion detection. The work focuses on modeling of intrusions
Commercial solutions, such as IBM Guardium [29] and and concentrates on the detection of FTP bounce attacks.
IMPERVA SecureSphere [20], offer intrusion detection for Overall, all the works discussed above are intended for
databases for detection of misbehaving users. While detailed intrusion detection in other environments, mostly in UNIX
evaluation of these products is impossible due to their propri- systems, and are not explicitly aimed at anomaly detection
etary nature, we speculate that an attacker could easily evade in databases or for ransomware detection.
their detection, since their analysis is bound to user sessions.
Ransomware Detection Several solutions have been pro-
7 Conclusion and Future Work
posed to detect and prevent ransomware at the file level. Ransomware attacks are an emerging threat, and their server-
CryptoDrop [54], ShieldFS [12, 13] and Redemption [36] side variance that appeared recently imposes a significant
all monitor the file system to detect intrinsic ransomware be- threat to databases and stored data. In this work, we present
havior, such as file type changes, file entropy, and file sim- DIMAQS (Dynamic Identification of Malicious Query Se-
ilarity. They differ by their choice of observed properties, quences), the first solution against server-side ransomware.
and by the mechanisms provided to prevent data loss, such In its heart, DIMAQS has colored Petri nets (CPN)-based
as providing shadowed copies of files to possibly malicious classifier, which models malicious query sequences and
processes. UNVEIL [35] tries to detect evasive ransomware matches them against query sequences captured at runtime.
by generating artificial user environments for dynamic anal- We introduce several novel extensions for the CPN, which
ysis. However, their approach does not apply to server-side allow us to reduce the complexity of the system representa-
database ransomware. PayBreak [37] observes the use of tion and achieve better performance.
symmetric keys commonly used by ransomware to encrypt Our solution is implemented for MySQL servers and real-
files and holds them in escrow. This observation enables the ized as a MySQL plugin, which is easily installable on ex-
recovery of the decryption keys upon ransomware detection. isting servers. We evaluated our solution with regards to the
For the observed attacks on databases this approach hardly precision of the attack detection as well as its performance
applicable since the files were deleted instead of encrypted. and report no false positives, no false negatives and perfor-
FlashGuard [28] and RWGuard [48] propose ransomware- mance overhead under 5% for our non-optimized implemen-
tolerant Solid-State Drives (SSDs) which are based on the tation.
property of SSDs to perform out-of-place writes in order to In our future work, we plan to extend DIMAQS for de-
mitigate long erase latency. Both operate on the firmware tection of other attack types, since generally the framework

11
can be used for detection of arbitrary malicious query se- [9] Catalin Cimpanu. Massive Wave of MongoDB Ran-
quences and thus not necessarily limited to ransomware de- som Attacks Makes 26,000 New Victims. Bleeping
tection. Moreover, we will investigate possibilities for au- Computer, 2017. URL: https://bit.ly/2wAfq3X.
tomated policy generation, which is potentially achievable
given more elaborate malicious data sets and by applying ma- [10] Catalin Cimpanu. MongoDB Apocalypse: Profes-
chine learning techniques. Furthermore, we plan to perform sional Ransomware Group Gets Involved, Infections
performance optimization to decrease the imposed overhead Reach 28K Servers. Bleeping Computer, 2017. URL:
further. Finally, we plan to develop new prototypes that tar- https://bit.ly/2idWSRn.
get other database technologies6. [11] Catalin Cimpanu. MongoDB Hijackers Move on
to ElasticSearch Servers. Bleeping Computer, 2017.
References URL: https://bit.ly/2NX0SYk.

[1] Manos Antonakakis, Tim April, Michael Bailey, [12] Andrea Continella, Alessandro Guagnelli, Giovanni
Matthew Bernhard, Elie Bursztein, Jaime Cochran, Za- Zingaro, Giulio De Pasquale, Alessandro Barenghi,
kir Durumeric, J. Alex Halderman, Luca Invernizzi, Stefano Zanero, and Federico Maggi. ShieldFS: The
Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Last Word in Ransomware Resilient Filesystems. In
Ma, Joshua Mason, Damian Menscher, Chad Seaman, Black Hat USA, 2017.
Nick Sullivan, Kurt Thomas, and Yi Zhou. Understand-
[13] Andrea Continella, Alessandro Guagnelli, Giovanni
ing the Mirai Botnet. In USENIX Security Symposium,
Zingaro, Giulio De Pasquale, Alessandro Barenghi,
2017.
Stefano Zanero, and Federico Maggi. ShieldFS: A
[2] Stefan Axelsson. Intrusion Detection Systems: A Sur- Self-healing, Ransomware-aware Filesystem. In An-
vey and Taxonomy. Technical report, Department of nual Conference on Computer Security Applications
Computer Engineering, Chalmers University of Tech- (ACSAC), 2016.
nology, Goteborg, Sweden, 2000.
[14] Oracle Corporation. MySQL 5.7 Manual, 2018. URL:
[3] E. Bertino, A. Kamra, E. Terzi, and A. Vakali. Intrusion https://bit.ly/2xQAe8F.
Detection in RBAC-administered Databases. In Annual
Computer Security Applications Conference (ACSAC), [15] Muhaimin Dzulfakar. Advanced MySQL Exploitation.
2005. In Black Hat USA, 2009.

[4] Christian Bockermann, Martin Apel, and Michael [16] Hewlet Packard Enterprise. HPE ProLiant
Meier. Learning SQL for Database Intrusion Detec- DL360 Generation9 (Gen9), 2014. URL:
tion Using Context-Sensitive Modelling (Extended Ab- https://bit.ly/2XL6iKt.
stract). In Detection of Intrusions and Malware, and
Vulnerability Assessment (DIMVA), 2009. [17] Massimo Ficco and Luigi Romano. A Generic Intru-
sion Detection and Diagnoser System Based on Com-
[5] H. Chen, L. Amodeo, F. Chu, and K. Labadi. Modeling plex Event Processing. In International Conference
and Performance Evaluation of Supply Chains Using on Data Compression, Communications and Process-
Batch Deterministic and Stochastic Petri Nets. IEEE ing (CCP), 2011.
Transactions on Automation Science and Engineering
(T-ASE), 2005. [18] José Fonseca, Marco Vieira, and Henrique Madeira.
Detecting Malicious SQL. In Trust, Privacy and Se-
[6] Christina Yip Chung, Michael Gertz, and Karl Levitt. curity in Digital Business (TrustBus), 2007.
DEMIDS: A Misuse Detection System for Database
Systems. In Integrity and Internal Control in Informa- [19] Dawid Golunski. MySQL-Exploit-Remote-Root-
tion Systems (IICIS), 1999. Code-Execution-Privesc-CVE-2016-6662, 2017. URL:
https://bit.ly/2SjtMAC.
[7] Catalin Cimpanu. A Benevolent Hacker Is Warning
Owners of Unsecured Cassandra Databases. Bleeping [20] Rob Gravelle. IMPERVA SecureSphere
Computer, 2017. URL: https://bit.ly/2SiAnLz. Database Audit and Protection, 2018. URL:
https://bit.ly/2NZk2gm.
[8] Catalin Cimpanu. Database Ransom Attacks Hit
CouchDB and Hadoop Servers. Bleeping Computer, [21] Gregory T. Buehrer and Bruce W. Weide and Paolo A.
2017. URL: https://bit.ly/2iVbas0. G. Sivilotti. Using Parse Tree Validation to Prevent
6 E.g., for Prolog databases the ransom message insertion and table dele- SQL Injection Attacks. In International Workshop on
tion could be mapped to the assert and the retractall commands. Software Engineering and Middleware (SEM), 2005.

12
[22] William G. J. Halfond and Alessandro Orso. AM- [35] Amin Kharaz, Sajjad Arshad, Collin Mulliner, William
NESIA. In IEEE/ACM International Conference on Robertson, and Engin Kirda. UNVEIL: A Large-scale,
Automated Software Engineering (ASE), 2005. Automated Approach to Detecting Ransomware. In
USENIX Security Symposium, 2016.
[23] William G. J. Halfond and Alessandro Orso. Prevent-
ing SQL Injection Attacks Using AMNESIA. In Inter- [36] Amin Kharraz and Engin Kirda. Redemption: Real-
national Conference on Software Engineering (ICSE), Time Protection Against Ransomware at End-Hosts. In
2006. International Symposium on Research in Attacks, Intru-
[24] Guy Helmer, Johnny Wong, Mark Slagell, Vasant sions, and Defenses (RAID), 2017.
Honavar, Les Miller, Yanxin Wang, Xia Wang, and Na-
[37] Eugene Kolodenker, William Koch, Gianluca Stringh-
talia Stakhanova. Software Fault Tree and Coloured
ini, and Manuel Egele. PayBreak: Defense Against
Petri Net-based Specification, Design and Implementa-
Cryptographic Ransomware. In ACM Asia Confer-
tion of Agent-based Intrusion Detection Systems. In-
ence on Computer and Communications Security (ASI-
ternational Journal of Information and Computer Secu-
ACCS), 2017.
rity, 1(1/2), 2007.
[25] Yuan Ho, Deborah Frincke, and Donald Tobin. Plan- [38] Alexey Kopytov. akopytov/sysbench, 2018. URL:
ning, Petri Nets, and Intrusion Detection. In National https://bit.ly/2jjeuf4.
Information Systems Security Conference (NISSC),
[39] Sandeep Kumar and Eugene Spafford. A Software Ar-
1998.
chitecture to Support Misuse Intrusion Detection. Tech-
[26] Yi Hu and B. Panda. Identification of Malicious nical report, Department of Computer Science, Purdue
Transactions in Database Systems. In International University, 1999. URL: https://bit.ly/2Sij6C6.
Database Engineering and Applications Symposium
(IDEAS), 2003. [40] Sandeep Kumar and Eugene H. Spafford. A Pat-
tern Matching Model for Misuse Intrusion Detection.
[27] Yi Hu and Brajendra Panda. A Data Mining Approach Technical report, Purdue University, 1994. URL:
for Database Intrusion Detection. In ACM Symposium https://bit.ly/2YVb3xA.
on Applied computing (SAC), 2004.
[41] V. C. S. Lee, J. A. Stankovic, and S. H. Son. In-
[28] Jian Huang, Jun Xu, Xinyu Xing, Peng Liu, and Moin- trusion Detection in Real-time Database Systems Via
uddin K. Qureshi. FlashGuard: Leveraging Intrin- Time Signatures. In IEEE Real-Time Technology and
sic Flash Properties to Defend Against Encryption Ran- Applications Symposium (RTAS), 2000.
somware. In ACM SIGSAC Conference on Computer
and Communications Security (CCS), 2017. [42] P. Liu. DAIS: A Real-Time Data Attack Isolation Sys-
[29] IBM. IBM Security Guardium, 2018. URL: tem for Commercial Database Applications. In Annual
https://ibm.co/2ShttWW. Computer Security Applications Conference (ACSAC),
2001.
[30] K. Ilgun. USTAT: A Real-time Intrusion Detection Sys-
tem for UNIX. In IEEE Computer Society Symposium [43] Peng Liu. Architectures for Intrusion Tolerant
on Research in Security and Privacy, 1993. Database Systems. In Annual Computer Security Ap-
plications Conference (ACSAC), 2002.
[31] K. Ilgun, R. A. Kemmerer, and P. A. Porras. State
Transition Analysis a Rule-based Intrusion Detection [44] Wai Lup Low, Joseph Lee, and Peter Teoh. DIDAFIT:
Approach. IEEE Transactions on Software Engineer- Detecting Intrusions in Databases Through Fingerprint-
ing, 21(3), 1995. ing Transactions. In International Conference on En-
terprise Information Systems (ICEIS), 2002.
[32] Intel®. Xeon® Processor E5-2640 v3 Specifications,
2014. URL: https://intel.ly/2qFbGJX. [45] David C. Luckham and Brian Frasca. Complex
[33] Blake Ives, Kenneth R. Walsh, and Helmut Schneider. Event Processing in Distributed Systems. Tech-
The Domino Effect of Password Reuse. Communica- nical report, Stanford University, 1998. URL:
tions of the ACM, 47(4), 2004. https://bit.ly/2YUIa4J.

[34] Konstantinos Kemalis and Theodores Tzouramanis. [46] Sunu Mathew, Michalis Petropoulos, Hung Q. Ngo,
SQL-IDS: A Specification-based Approach for SQL- and Shambhu Upadhyaya. A Data-Centric Approach
Injection Detection. In ACM Symposium on Applied to Insider Attack Detection in Database Systems. In
Computing (SAC), 2008. Lecture Notes in Computer Science, RAID, 2010.

13
 [47] MediaWiki. MediaWiki/de — Medi- Ransomware Attacks on User Data. In IEEE Interna-
aWiki, The Free Wiki Engine, 2018. URL: tional Conference on Distributed Computing Systems
https://bit.ly/2XROloW. (ICDCS), 2016.
[48] Shagufta Mehnaz, Anand Mudgerikar, and Elisa
[55] semantic mediawiki.org. Semantic MediaWiki, 2018.
Bertino. RWGuard: A Real-Time Detection System
URL: https://bit.ly/30tny3U.
Against Cryptographic Ransomware. In Research in
Attacks, Intrusions, and Defenses (RAID), 2018.
[56] Shiuh-Pyng Shieh and V. D. Gligor. On a Pattern-
[49] Steve Morgan. Los Angeles Hospital Pays oriented Model for Intrusion Detection. IEEE Transac-
Hackers $17,000 After Attack, 2016. URL: tions on Knowledge and Data Engineering, 9(4), 1997.
https://nyti.ms/2GrlIt1.
[57] Zhendong Su and Gary Wassermann. The Essence of
[50] Steve Morgan. Cybersecurity Business Report. Ran- Command Injection Attacks in Web Applications. In
somware Damage Costs predicted to hit USD 11.5B by SIGPLAN-SIGACT Symposium on Principles of Pro-
2019, 2017. URL: https://bit.ly/2VNjsB1. gramming Languages (POPL), 2006.
[51] James Lyle Peterson. Petri Net Theory and the Model-
ing of Systems. Prentice Hall PTR, 1981. [58] Fredrik Valeur, Darren Mutz, and Giovanni Vigna. A
Learning-Based Approach to the Detection of SQL At-
[52] Alex Roichman and Ehud Gudes. DIWeDa - Detecting tacks. In Detection of Intrusions and Malware, and
Intrusions in Web Databases. In Annual IFIP WG 11.3 Vulnerability Assessment (DIMVA), 2005.
Working Conference on Data and Applications Security
and Privacy (DBSEC), 2008. [59] Theuns Verwoerd and Ray Hunt. Intrusion Detection
[53] Piotr Rygielski. vikin91/BibSpace, 2018. URL: Techniques and Approaches. Computer Communica-
https://bit.ly/2JBr07c. tions, 25(15), 2002.

[54] Nolen Scaife, Henry Carter, Patrick Traynor, and Kevin [60] Ofri Ziv. 0.2 BTC strikes back, now attacking MySQL
R. B. Butler. CryptoLock (and Drop It): Stopping databases, 2017. URL: https://bit.ly/2JImQsR.

14

View publication stats