Auditing Inference Based Disclosures in Dynamic Databases

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5159)

Abstract

A privacy violation in an information system can take place either through explicit access or through inference over already revealed facts using domain knowledge. In a post-violation scenario, an auditing framework should consider both aspects to determine the exact set of minimal suspicious query sets. Update operations in database systems add further complexity to auditing, because applying inference rules to different data versions may generate erroneous information in addition to valid information. In this paper, we formalize the problem of auditing inference-based disclosures in dynamic databases and present a sound and complete algorithm to determine a suspicious query set for a given domain knowledge, a database, an audit query, and the updates to the database. Each element of the output set is a minimal set of past user queries made to the database system such that the data revealed to these queries, combined with domain knowledge, can infer the valid data specified by the audit query.

Editor information

Willem Jonker, Milan Petković

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Goyal, V., Gupta, S.K., Singh, M., Gupta, A. (2008). Auditing Inference Based Disclosures in Dynamic Databases. In: Jonker, W., Petković, M. (eds) Secure Data Management. SDM 2008. Lecture Notes in Computer Science, vol 5159. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85259-9_5

  • DOI: https://doi.org/10.1007/978-3-540-85259-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85258-2

  • Online ISBN: 978-3-540-85259-9

  • eBook Packages: Computer Science (R0)
