Inference Problem

Inference Problem. Access Control Policies Direct access Information flow Not addressed: indirect data access CSCE 522 - Farkas 2 Lecture 19


Inference Problem

Access Control Policies

Direct access
Information flow
Not addressed: indirect data access

CSCE 522 - Farkas 2 Lecture 19

Indirect Information Flow Channels

Covert channels
Inference channels

Inference Channels

Non-sensitive information + Meta-data = Sensitive information

Inference Channels

Statistical Database Inferences
General Purpose Database Inferences

Statistical Databases

Goal: provide aggregate information about groups of individuals, e.g., the average grade point of students
Security risk: specific information about a particular individual, e.g., the grade point of student John Smith
Meta-data: working knowledge about the attributes; supplementary knowledge (not stored in the database)

Types of Statistics

Macro-statistics: collections of related statistics presented in 2-dimensional tables
Micro-statistics: individual data records used for statistics after identifying information is removed

Macro-statistics example:

Sex \ Year   1997   1998   Sum
Female          4      1     5
Male            6     13    19
Sum            10     14    24

Micro-statistics example:

Sex   Course     GPA   Year
F     CSCE 590   3.5   2000
M     CSCE 590   3.0   2000
F     CSCE 790   4.0   2001

Statistical Compromise

Exact compromise: find the exact value of an attribute of an individual (e.g., John Smith's GPA is 3.8)
Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith's GPA is between 3.5 and 4.0)

Methods of Attacks and Protection

Small/Large Query Set Attack

C: characteristic formula that identifies a group of individuals
If C identifies a single individual I, e.g., count(C) = 1:
Find out the existence of a property:
  if count(C and D) = 1, I has property D
  if count(C and D) = 0, I does not have property D
OR find the value of a property:
  sum(C, D) gives I's value of D

Small/Large Query Set Attack cont.

Protection from the small/large query set attack: query-set-size control
A query q(C) is permitted only if N − n ≥ |C| ≥ n, where n ≥ 0 is a parameter of the database and N is the number of records in the database

Tracker attack

[Venn diagram: query sets C1 and C2; C = C1 and C2; tracker T = C1 and ~C2]

C = C1 and C2
T = C1 and ~C2
q(C) = q(C1) − q(T)
q(C) is disallowed (|C| is too small), but q(C1) and q(T) are answered, so q(C) is obtained from them

Tracker attack

[Venn diagram: C = C1 and C2, T = C1 and ~C2, and a property set D overlapping C]

C = C1 and C2
T = C1 and ~C2
q(C and D) = q(T or (C and D)) − q(T)
q(C and D) is disallowed

Query overlap attack

[Diagram: query sets C1 and C2 over John, Kathy, Max, Fred, Eve, Paul, Mitch; C1 and C2 differ only in John]

q(John) = q(C1) − q(C2)
Protection: query-overlap control
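An added example (not from the lecture) of the two controls from the last few slides over a constructed student table: query-set-size control refuses a characteristic formula that isolates John (or everyone but John), and query-overlap control refuses the tracker T = C1 and ~C2 once q(C1) has been answered, so q(C) = q(C1) − q(T) cannot be assembled. The names, courses and GPAs are constructed sample values.

```python
from typing import Callable, Dict, List, Set

Record = Dict[str, object]
Predicate = Callable[[Record], bool]

# Constructed sample micro-statistics (not real data): one record per student.
RECORDS: List[Record] = [
    {"name": "John",  "sex": "M", "course": "CSCE 590", "gpa": 3.8},
    {"name": "Kathy", "sex": "F", "course": "CSCE 590", "gpa": 3.5},
    {"name": "Max",   "sex": "M", "course": "CSCE 790", "gpa": 3.0},
    {"name": "Fred",  "sex": "M", "course": "CSCE 790", "gpa": 2.9},
    {"name": "Eve",   "sex": "F", "course": "CSCE 790", "gpa": 4.0},
    {"name": "Paul",  "sex": "M", "course": "CSCE 590", "gpa": 3.2},
    {"name": "Mitch", "sex": "M", "course": "CSCE 790", "gpa": 3.6},
]


class StatDB:
    """Statistical query interface with query-set-size and query-overlap control."""

    def __init__(self, records: List[Record], n: int, r: int):
        self.records = records
        self.n = n        # size control: answer only if n <= |C| <= N - n
        self.r = r        # overlap control: at most r records shared with earlier sets
        self.history: List[Set[str]] = []   # query sets already answered

    def query_set(self, c: Predicate) -> Set[str]:
        """Keys of the records selected by characteristic formula C."""
        return {str(rec["name"]) for rec in self.records if c(rec)}

    def permitted(self, qs: Set[str]) -> bool:
        """Both controls; a set that fails either is refused, not answered."""
        big_n = len(self.records)
        if not (self.n <= len(qs) <= big_n - self.n):
            return False          # too small, or its complement is too small
        return all(len(qs & old) <= self.r for old in self.history)

    def _admit(self, c: Predicate) -> Set[str]:
        qs = self.query_set(c)
        if not self.permitted(qs):
            raise PermissionError("query refused by size/overlap control")
        self.history.append(qs)   # remember it for later overlap checks
        return qs

    def count(self, c: Predicate) -> int:
        return len(self._admit(c))

    def sum(self, c: Predicate, attr: str) -> float:
        qs = self._admit(c)
        return sum(float(rec[attr]) for rec in self.records if rec["name"] in qs)
```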

Insertion/Deletion Attack

Observing changes over time:
q1 = q(C)
insert(i)
q2 = q(C)
q(i) = q2 − q1
Protection: insertions/deletions performed in pairs

Statistical Inference Theory

Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman)

Privacy Preserving Data Mining

Related to statistical DB privacy
We will cover it later in the semester

Inferences in General-Purpose Databases

Queries based on sensitive data
Inference via database constraints
Inferences via updates

Queries based on sensitive data

Sensitive information is used in the selection condition but not returned to the user.
Example: Salary: secret, Name: public
Query: Name where Salary = $25,000
Protection: apply the query to database views at different security levels
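An added example (not from the lecture) of the protection on this slide: a constructed relation with element-level labels, a public view in which every element classified above P is NULL, and the Name-where-Salary query evaluated both over the base relation (answer membership leaks the secret salary) and over the public view (it does not). Green, Lexington and the $25,000 salary are constructed sample values.

```python
import sqlite3

# Constructed example relation with element-level labels (P = public, S = secret):
# (name, name_label, salary, salary_label, address, address_label)
ROWS = [
    ("Black", "P", 38000, "P", "Columbia",  "S"),
    ("Red",   "S", 42000, "S", "Irmo",      "S"),
    ("Green", "P", 25000, "S", "Lexington", "P"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE emp (name TEXT PRIMARY KEY, name_l TEXT, "
        "salary INTEGER, salary_l TEXT, address TEXT, address_l TEXT)"
    )
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    # Public view: only tuples whose key is public, with every element classified
    # above P replaced by NULL (the "Null P" of the slide's public view).
    conn.execute(
        "CREATE VIEW emp_public AS "
        "SELECT name, "
        "       CASE WHEN salary_l = 'P' THEN salary END AS salary, "
        "       CASE WHEN address_l = 'P' THEN address END AS address "
        "FROM emp WHERE name_l = 'P'"
    )
    return conn


def names_with_salary_unsafe(conn, salary: int) -> list:
    """Selection on the secret attribute evaluated over the base relation: only
    public names come back, but appearing in the answer reveals the salary."""
    cur = conn.execute("SELECT name FROM emp WHERE name_l = 'P' AND salary = ?", (salary,))
    return [row[0] for row in cur]


def names_with_salary(conn, salary: int) -> list:
    """Same query evaluated against the public view: secret salaries are NULL
    there, so the condition cannot match them and nothing leaks."""
    cur = conn.execute("SELECT name FROM emp_public WHERE salary = ?", (salary,))
    return [row[0] for row in cur]


def public_view(conn) -> list:
    return list(conn.execute("SELECT name, salary, address FROM emp_public ORDER BY name"))
```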

How to mitigate this problem?

Time of evaluation
Architecture

Database Constraints

Integrity constraints
Database dependencies
Key integrity

Integrity Constraints

C = A + B, with A = public, C = public, and B = secret
B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies

Metadata:
Functional dependencies
Multi-valued dependencies
Join dependencies
etc.

Functional Dependency

FD: A → B, that is, for any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example: FD: Rank → Salary
Secret information: Name and Salary together
Query 1: Name and Rank
Query 2: Rank and Salary
Combine the answers for queries 1 and 2 to reveal Name and Salary together

See slides in dissertation-farkas-rotated.pdf

Key integrity

Every tuple in the relation has a unique key
Users at different levels see different versions of the database
Users might attempt to update data that is not visible to them

Example

Secret View

Name (key)   Salary     Address
Black P      38,000 P   Columbia S
Red S        42,000 S   Irmo S

Public View

Name (key)   Salary     Address
Black P      38,000 P   Null P

Updates

Public user:

Name (key)   Salary     Address
Black P      38,000 P   Null P

1. Update Black's address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

If refuse update: covert channel
If allow update:
  Overwrite high data: may be incorrect
  Create new tuple (polyinstantiation): which data is correct? violates key constraints

Updates

Secret user:

Name (key)   Salary     Address
Black P      38,000 P   Columbia S
Red S        42,000 S   Irmo S

1. Update Black's salary to 45,000

If refuse update: denial of service
If allow update:
  Overwrite low data: covert channel
  Create new tuple (polyinstantiation): which data is correct? violates key constraints
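An added example (not from the lecture) of the polyinstantiation option from the two update slides, using a simplified tuple-level labelling and constructed data: the key becomes (name, tc), so the public user's insert of (Red, 22,000, Manassas) and the secret user's update of Black's salary to 45,000 each produce a second tuple at the writer's level. The public view is unchanged by the secret write, so neither refusal (covert channel) nor overwriting of the other level's data is needed.

```python
import sqlite3

LEVELS = {"P": 0, "S": 1}   # P = public, S = secret


def open_poly_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Polyinstantiated relation: the key is (name, tc), so tuples for the same
    # name at different classification levels coexist instead of clashing.
    conn.execute(
        "CREATE TABLE emp (name TEXT, salary INTEGER, address TEXT, tc TEXT, "
        "PRIMARY KEY (name, tc))"
    )
    # Constructed starting state with tuple-level labels (a simplification of the
    # slide's element-level labels): Black visible to everyone, Red secret only.
    conn.executemany("INSERT INTO emp VALUES (?, ?, ?, ?)",
                     [("Black", 38000, "Columbia", "P"), ("Red", 42000, "Irmo", "S")])
    return conn


def view_at(conn, level: str) -> list:
    """Tuples whose classification is dominated by the user's level."""
    lv = LEVELS[level]
    rows = conn.execute("SELECT name, salary, address, tc FROM emp ORDER BY name, tc")
    return [r for r in rows if LEVELS[r[3]] <= lv]


def upsert_at(conn, level: str, name: str, salary: int, address: str) -> None:
    """Write at the user's own level. The write is neither refused because of a
    tuple the user cannot see (refusal would signal its existence) nor allowed to
    overwrite a tuple at another level: a clash yields a second, polyinstantiated
    tuple, and only a same-level tuple is replaced."""
    conn.execute("INSERT OR REPLACE INTO emp VALUES (?, ?, ?, ?)",
                 (name, salary, address, level))
```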

Inference Problem

No general technique is available to solve the problem
Need assurance of protection
Hard to incorporate outside knowledge