A method by a security system implemented by one or more electronic devices for detecting attacks on one or more databases hosted by one or more database servers. The method includes classifying, based on analyzing database logs of the one or more databases, a plurality of network entities used to access the one or more databases into different network entity types, where one or more of the plurality of network entities can be classified into the same network entity type and using a result of the classification of the plurality of network entities to detect attacks on the one or more databases.