Inference Problem

Access Control Policies
• Direct access
• Information flow
• Not addressed: indirect data access
CSCE 522 - Farkas, Lecture 19

Indirect Information Flow Channels
• Covert channels
• Inference channels

Inference Channels
Non-sensitive information + Meta-data = Sensitive information

Inference Channels
• Statistical Database Inferences
• General Purpose Database Inferences

Statistical Databases
• Goal: provide aggregate information about groups of individuals
  • E.g., average grade point of students
• Security risk: specific information about a particular individual
  • E.g., grade point of student John Smith
• Meta-data:
  • Working knowledge about the attributes
  • Supplementary knowledge (not stored in database)

Types of Statistics
• Macro-statistics: collections of related statistics presented in 2-dimensional tables

| Sex\Year | 1997 | 1998 | Sum |
|----------|------|------|-----|
| Female   | 4    | 1    | 5   |
| Male     | 6    | 13   | 19  |
| Sum      | 10   | 14   | 24  |

• Micro-statistics: individual data records used for statistics after identifying information is removed

| Sex | Course   | GPA | Year |
|-----|----------|-----|------|
| F   | CSCE 590 | 3.5 | 2000 |
| M   | CSCE 590 | 3.0 | 2000 |
| F   | CSCE 790 | 4.0 | 2001 |

Statistical Compromise
• Exact compromise: find exact value of an attribute of an individual (e.g., John Smith’s GPA is 3.8)
• Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0)

Methods of Attacks and Protection
Small/Large Query Set Attack
• C: characteristic formula that identifies groups of individuals
• If C identifies a single individual I, e.g., count(C) = 1:
  • Find out existence of property
    • count(C and D) = 1 means I has property D
    • count(C and D) = 0 means I does not have D
  OR
  • Find value of property
    • sum(C, D) gives the value of D

Small/Large Query Set Attack cont.
• Protection from small/large query set attack: query-set-size control
• A query q(C) is permitted only if N - n ≥ |C| ≥ n, where n ≥ 0 is a parameter of the database and N is the number of records in the database

Tracker attack
(Diagram: overlapping sets C1 and C2, with C and the tracker T marked)
• q(C) is disallowed
• C = C1 and C2
• Tracker: T = C1 and ~C2
• q(C) = q(C1) – q(T)

Tracker attack
(Diagram: sets C1, C2 and D, with C, the tracker T, and C and D marked)
• q(C and D) is disallowed
• C = C1 and C2
• Tracker: T = C1 and ~C2
• q(C and D) = q(T or (C and D)) – q(T)

Query overlap attack
(Diagram: overlapping query sets C1 and C2 over the individuals John, Kathy, Max, Fred, Eve, Paul and Mitch)
q(John) = q(C1) - q(C2)
Protection: query-overlap control
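
The query-set-size control, the tracker identity q(C) = q(C1) – q(T) and query-overlap control from the preceding slides, as an added Python example that is not part of the lecture. The records, the `StatDB` class, n = 2 and the overlap bound of 3 are constructed assumptions, and the overlap rule shown (refuse a query that shares more than a fixed number of records with an earlier answered query set) is one assumed formulation of the control.

```python
# Constructed sample records: (name, sex, dept, salary). Not from the lecture.
RECORDS = [("Alice", "F", "CS", 70), ("Bob", "M", "CS", 60),
           ("Carol", "F", "EE", 80), ("Dave", "M", "EE", 65),
           ("Eve", "F", "EE", 90), ("Frank", "M", "CS", 55),
           ("Grace", "F", "ME", 75), ("Heidi", "F", "ME", 85)]


class Refused(Exception):
    """Raised when a disclosure control rejects a query."""


class StatDB:
    """Hypothetical statistical DB that answers only sum(salary) queries."""

    def __init__(self, records, n, max_overlap=None):
        self.records, self.n, self.max_overlap = records, n, max_overlap
        self.answered = []  # query sets of statistics already released

    def q_sum(self, pred):
        ids = frozenset(i for i, r in enumerate(self.records) if pred(r))
        # Query-set-size control: permit only n <= |C| <= N - n.
        if not (self.n <= len(ids) <= len(self.records) - self.n):
            raise Refused("query-set-size control")
        # Query-overlap control (assumed form): bound the records shared
        # with any different, previously answered query set.
        if self.max_overlap is not None and any(
                old != ids and len(old & ids) > self.max_overlap
                for old in self.answered):
            raise Refused("query-overlap control")
        self.answered.append(ids)
        return sum(self.records[i][3] for i in ids)


def c1(r): return r[1] == "F"    # C1: female
def c2(r): return r[2] == "CS"   # C2: in CS; C = C1 and C2 matches one record


def direct(db):
    return db.q_sum(lambda r: c1(r) and c2(r))         # q(C)


def via_tracker(db):
    tracker = lambda r: c1(r) and not c2(r)            # T = C1 and ~C2
    return db.q_sum(c1) - db.q_sum(tracker)            # q(C1) - q(T)


if __name__ == "__main__":
    for db in (StatDB(RECORDS, n=2), StatDB(RECORDS, n=2, max_overlap=3)):
        for attempt in (direct, via_tracker):
            try:
                print(db.max_overlap, attempt.__name__, attempt(db))
            except Refused as why:
                print(db.max_overlap, attempt.__name__, "refused:", why)
```

With size control alone the direct query is refused but the two permitted statistics still yield the single record's salary; adding the overlap bound refuses the second of those statistics.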

Insertion/Deletion Attack
• Observing changes over time
  • q1 = q(C)
  • insert(i)
  • q2 = q(C)
  • q(i) = q2 - q1
• Protection: insertion/deletion performed as pairs

Statistical Inference Theory
• Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman)

Privacy Preserving Data Mining
• Related to statistical DB privacy
• We will cover it later in the semester

Inferences in General-Purpose Databases
• Queries based on sensitive data
• Inference via database constraints
• Inferences via updates

Queries based on sensitive data
• Sensitive information is used in the selection condition but not returned to the user.
• Example: Salary: secret, Name: public
  • Query: Name where Salary = $25,000
• Protection: apply query to database views at different security levels

How to mitigate this problem?
• Time of evaluation
• Architecture

Database Constraints
• Integrity constraints
• Database dependencies
• Key integrity

Integrity Constraints
• C = A + B
• A = public, C = public, and B = secret
• B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies
Metadata:
• Functional dependencies
• Multi-valued dependencies
• Join dependencies
• etc.

Functional Dependency
• FD: A → B, that is, for any two tuples in the relation, if they have the same value for A, they must have the same value for B.
• Example: FD: Rank → Salary
  • Secret information: Name and Salary together
  • Query1: Name and Rank
  • Query2: Rank and Salary
  • Combine answers for Query1 and Query2 to reveal Name and Salary together
See slides in dissertation-farkas-rotated.pdf
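
A check a release policy could run for the Rank → Salary example above, as an added Python example that is not from the lecture or the cited dissertation. It flags pairs of released projections whose join is lossless under the known FDs and covers an association that is secret only in combination; the function names and the sample rows are constructed assumptions.

```python
from itertools import combinations


def closure(attrs, fds):
    """Attribute closure of attrs under FDs given as (lhs, rhs) tuples."""
    result, changed = set(attrs), True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if set(lhs) <= result and not set(rhs) <= result:
                result |= set(rhs)
                changed = True
    return result


def inference_channels(views, fds, secrets):
    """Pairs of released projections whose join exactly rebuilds a secret
    association. The join of views a and b is lossless when their common
    attributes functionally determine all of a or all of b."""
    found = []
    for a, b in combinations(views, 2):
        common = set(a) & set(b)
        reach = closure(common, fds)
        lossless = bool(common) and (set(a) <= reach or set(b) <= reach)
        for s in secrets:
            hidden = not (set(s) <= set(a) or set(s) <= set(b))
            if lossless and hidden and set(s) <= set(a) | set(b):
                found.append((a, b, s))
    return found


def join_on_rank(q1_rows, q2_rows):
    """What a user can compute locally from the two query answers."""
    return sorted((name, sal) for name, rank in q1_rows
                  for rank2, sal in q2_rows if rank == rank2)


# Constructed sample answers, not from the lecture.
Q1 = [("Ann", "Assistant"), ("Ben", "Full"), ("Cy", "Assistant")]  # Name, Rank
Q2 = [("Assistant", 60000), ("Full", 90000)]                       # Rank, Salary
VIEWS = [("Name", "Rank"), ("Rank", "Salary")]
FDS = [(("Rank",), ("Salary",))]      # FD: Rank -> Salary
SECRETS = [("Name", "Salary")]        # secret only in combination

if __name__ == "__main__":
    print(inference_channels(VIEWS, FDS, SECRETS))
    print(join_on_rank(Q1, Q2))
```

Without the FD the check reports nothing, because the join is no longer guaranteed to be exact; partial disclosure from candidate pairs is outside what this check covers.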

Key integrity
• Every tuple in the relation has a unique key
• Users at different levels see different versions of the database
• Users might attempt to update data that is not visible to them
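
Example

Secret View

| Name (key) | Salary   | Address    |
|------------|----------|------------|
| Black P    | 38,000 P | Columbia S |
| Red S      | 42,000 S | Irmo S     |

Public View

| Name (key) | Salary   | Address |
|------------|----------|---------|
| Black P    | 38,000 P | Null P  |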

Updates

Public User:

| Name (key) | Salary   | Address |
|------------|----------|---------|
| Black P    | 38,000 P | Null P  |

1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

If
• Refuse update: covert channel
• Allow update:
  • Overwrite high data – may be incorrect
  • Create new tuple – which data is correct (polyinstantiation) – violates key constraints

Updates

Secret user:

| Name (key) | Salary   | Address    |
|------------|----------|------------|
| Black P    | 38,000 P | Columbia S |
| Red S      | 42,000 S | Irmo S     |

1. Update Black’s salary to 45,000

If
• Refuse update: denial of service
• Allow update:
  • Overwrite low data – covert channel
  • Create new tuple – which data is correct (polyinstantiation) – violates key constraints

Inference Problem
• No general technique is available to solve the problem
• Need assurance of protection
• Hard to incorporate outside knowledge