Inference Problem. Access Control Policies Direct access Information flow Not addressed: indirect...
-
Upload
angelica-bailey -
Category
Documents
-
view
224 -
download
0
description
Transcript of Inference Problem. Access Control Policies Direct access Information flow Not addressed: indirect...
Inference Problem
Access Control Policies
Direct access Information flow Not addressed: indirect data access
CSCE 522 - Farkas 2Lecture 19
CSCE 522 - Farkas 3Lecture 19
Indirect Information Flow Channels Covert channels Inference channels
CSCE 522 - Farkas 4Lecture 19
Inference Channels
+ Meta-data Sensitive Information
Non-sensitiveinformation =
CSCE 522 - Farkas 5Lecture 19
Inference Channels Statistical Database Inferences General Purpose Database Inferences
CSCE 522 - Farkas 6Lecture 19
Statistical Databases Goal: provide aggregate information about groups of
individuals E.g., average grade point of students
Security risk: specific information about a particular individual E.g., grade point of student John Smith
Meta-data: Working knowledge about the attributes Supplementary knowledge (not stored in database)
CSCE 522 - Farkas 7Lecture 19
Types of Statistics Macro-statistics: collections of related statistics presented in 2-
dimensional tables
Micro-statistics: Individual data records used for statistics after identifying information is removed
Sex\Year 1997 1998 Sum
Female 4 1 5
Male 6 13 19
Sum 10 14 24
Sex Course GPA Year
F CSCE 590 3.5 2000
M CSCE 590 3.0 2000
F CSCE 790 4.0 2001
CSCE 522 - Farkas 8Lecture 19
Statistical Compromise Exact compromise: find exact value of an
attribute of an individual (e.g., John Smith’s GPA is 3.8)
Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0)
CSCE 522 - Farkas 9Lecture 19
Methods of Attacks and Protection Small/Large Query Set Attack
C: characteristic formula that identifies groups of individualsIf C identifies a single individual I, e.g., count(C) = 1 Find out existence of property
If count(C and D)=1 means I has property D If count(C and D)=0 means I does not have D
OR Find value of property
Sum(C, D), gives value of D
CSCE 522 - Farkas 10Lecture 19
Small/Large Query Set Attack cont.
Protection from small/large query set attack: query-set-size control
A query q(C) is permitted only if N-n |C| n , where n 0 is a parameter of the database and N is all the records in the database
CSCE 522 - Farkas 11Lecture 19
Tracker attack
Tracker C
C1C2
C=C1 and C2T=C1 and ~C2
q(C)=q(C1) – q(T)
q(C) is disallowed
CSCE 522 - Farkas 12Lecture 19
Tracker attack
TrackerC
C1C2
C=C1 and C2T=C1 and ~C2
D
C and Dq(C and D)=q(T or C and D) – q(T)
q(C and D) is disallowed
CSCE 522 - Farkas 13Lecture 19
Query overlap attack
C1 C2
JohnKathy
Max
Fred
EvePaul
Mitch
Q(John)=q(C1)-q(C2)
Protection: query-overlap control
CSCE 522 - Farkas 14Lecture 19
Insertion/Deletion Attack Observing changes overtime
q1=q(C) insert(i)q2=q(C)q(i)=q2-q1
Protection: insertion/deletion performed as pairs
CSCE 522 - Farkas 15Lecture 19
Statistical Inference Theory Give unlimited number of statistics and correct
statistical answers, all statistical databases can be compromised (Ullman)
Privacy Preserving Data Mining
Related to statistical DB privacy We will cover it later in the semester
CSCE 522 - Farkas 16Lecture 19
CSCE 522 - Farkas 17Lecture 19
Inferences in General-Purpose Databases Queries based on sensitive data Inference via database constraints Inferences via updates
CSCE 522 - Farkas 18Lecture 19
Queries based on sensitive data Sensitive information is used in selection
condition but not returned to the user. Example: Salary: secret, Name: public
NameSalary=$25,000
Protection: apply query of database views at different security levels
How to mitigate this problem?
Time of evaluation Architecture
CSCE 522 - Farkas 19Lecture 19
CSCE 522 - Farkas 20Lecture 19
Database Constraints Integrity constraints Database dependencies Key integrity
CSCE 522 - Farkas 21Lecture 19
Integrity Constraints C=A+B A=public, C=public, and B=secret B can be calculated from A and C, i.e., secret
information can be calculated from public data
CSCE 522 - Farkas 22Lecture 19
Database DependenciesMetadata: Functional dependencies Multi-valued dependencies Join dependencies etc.
CSCE 522 - Farkas 23Lecture 19
Functional Dependency FD: A B, that is for any two tuples in the relation, if
they have the same value for A, they must have the same value for B.
Example: FD: Rank SalarySecret information: Name and Salary together Query1: Name and Rank Query2: Rank and Salary Combine answers for query1 and 2 to reveal Name and Salary together
See slides in dissertation-farkas-rotated.pdf
CSCE 522 - Farkas 24Lecture 19
Key integrity Every tuple in the relation have a unique key Users at different levels, see different versions
of the database Users might attempt to update data that is not
visible for them
CSCE 522 - Farkas 25Lecture 19
ExampleName (key) Salary AddressBlack P 38,000 P Columbia S Red S 42,000 S Irmo S
Secret View
Name (key) Salary AddressBlack P 38,000 P Null P
Public View
CSCE 522 - Farkas 26Lecture 19
UpdatesPublic User:
Name (key) Salary AddressBlack P 38,000 P Null P
1. Update Black’s address to Orlando2. Add new tuple: (Red, 22,000, Manassas)IfRefuse update: covert channelAllow update: • Overwrite high data – may be incorrect• Create new tuple – which data it correct
(polyinstantiation) – violate key constraints
CSCE 522 - Farkas 27Lecture 19
UpdatesName (key) Salary AddressBlack P 38,000 P Columbia S Red S 42,000 S Irmo S
Secret user:
1. Update Black’s salary to 45,000IfRefuse update: denial of serviceAllow update: • Overwrite low data – covert channel• Create new tuple – which data it correct
(polyinstantiation) – violate key constraints
CSCE 522 - Farkas 28Lecture 19
Inference Problem No general technique is available to solve the
problem Need assurance of protection Hard to incorporate outside knowledge