1. Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #7
Inference Problem - I
February 6, 2006

2. Outline History Access Control and Inference
Inference problem in MLS/DBMS
Inference problem in emerging systems
Semantic data model applications
Confidentiality, Privacy and Trust
Directions

3. History Statistical databases (1970s – present)
Inference problem in databases (early 1980s - present)
Inference problem in MLS/DBMS (late 1980s – present)
Unsolvability results (1990)
Logic for secure databases (1990)
Semantic data model applications (late 1980s - present)
Emerging applications (1990s – present)
Privacy (2000 – present)

4. Statistical Databases
Census Bureau has been focusing for decades on statistical inference and statistical database
Collections of data such as sums and averages may be given out but not the individual data elements
Techniques include
Perturbation where results are modified
Randomization where random samples are used to compute summaries
Techniques are being used now for privacy preserving data mining

5. Access Control and Inference
Access control in databases started with the work in System R and Ingres Projects
Access Control rules were defined for databases, relations, tuples, attributes and elements
SQL and QUEL languages were extended
GRANT and REVOKE Statements
Read access on EMP to User group A Where EMP.Salary < 30K and EMP.Dept <> Security
Query Modification:
Modify the query according to the access control rules
Retrieve all employee information where salary < 30K and Dept is not Security

6. Query Modification Algorithm
Inputs: Query, Access Control Rules
Output: Modified Query
Algorithm:
Given a query Q, examine all the access control rules relevant to the query
Introduce a Where Clause to the query that negates access to the relevant attributes in the access control rules
Example: rules are John does not have access to Salary in EMP and Budget in DEPT
Query is to join the EMP and DEPT relations on Dept #
Modify the query to Join EMP and DEPT on Dept # and project on all attributes except Salary and Budget
Output is the resulting query

7. Security Constraints / Access Control Rules
Simple Constraint: John cannot access the attribute Salary of relation EMP
Content-based constraint: If relation MISS contains information about missions in the Middle East, then John cannot access MISS
Association-based Constraint: Ship’s location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John
Release constraint: After X is released Y cannot be accessed by John
Aggregate Constraint: Ten or more tuples taken together cannot be accessed by John
Dynamic Constraint: After the Mission, information about the mission can be accessed by John

8. Inference Problem in MLS/DBMS
Inference is the process of forming conclusions from premises
If the conclusions are unauthorized, it becomes a problem
Inference problem in a multilevel environment
Aggregation problem is a special case of the inference problem - collections of data elements is Secret but the individual elements are Unclassified
Association problem: attributes A and B taken together is Secret - individually they are Unclassified

9. Revisiting Security Constraints
Simple Constraint: Mission attribute of SHIP is Secret
Content-based constraint: If relation MISSION contains information about missions in Europe, then MISSION is Secret
Association-based Constraint: Ship’s location and mission taken together is Secret; individually each attribute is Unclassified
Release constraint: After X is released Y is Secret
Aggregate Constraint: Ten or more tuples taken together is Secret
Dynamic Constraint: After the Mission, information about the mission is Unclassified
Logical Constraint: A Implies B; therefore if B is Secret then A must be at least Secret

10. Enforcement of Security Constraints
User Interface Manager
Security Constraints
Constraint
Manager
Database Design Tool
Constraints during database design operation
Update Processor:
Constraints during update operation
Query Processor:
Constraints during query and release operations
MLS/DBMS
MLS
Database

11. Query Algorithms Query is modified according to the constraints
Release database is examined as to what has been released
Query is processed and respond assembled
Release database is examined to determine whether the response should be released
Result is given to the user
Portions of the query processor are trusted

12. Update Algorithms
Certain constraints are examined during update operation
Example: Content-based constraints
The security level of the data is computed
Data is entered at the appropriate level
Certain parts of the Update Processor are trusted

13. Database Design Algorithms
Certain constraints are examined during the database design time
Example: Simple, Association and Logical Constraints
Schema are assigned security levels
Database is partitioned accordingly
Example:
If Ships location and mission taken together is Secret, then SHIP (S#, Sname) is Unclassified, LOC-MISS(S#, Location, Mission) is Secret LOC(Location) is Unclassified
MISS(Mission) is Unclassified

14. Data Warehousing and Inference
Challenge: Controlling access to the Warehouse and at the same time
enforcing the access control policies enforced by the back-end
Database systems
Oracle
DBMS for
Employees
Sybase
Projects
Informix
Travel
Data Warehouse:
Data correlating
Employees With
Travel patterns
and Projects
Could be
any DBMS
e.g., relational
Users
Query
the Warehouse
Data
Data
Data

15. Data Mining as a Threat to Security
Data mining gives us “facts” that are not obvious to human analysts of the data
Can general trends across individuals be determined without revealing information about individuals?
Possible threats:
Combine collections of data and infer information that is private
Disease information from prescription data
Military Action from Pizza delivery to pentagon
Need to protect the associations and correlations between the data that are sensitive

16. Security Preserving Data Mining
Prevent useful results from mining
Introduce “cover stories” to give “false” results
Only make a sample of data available and that adversary is unable to come up with useful rules and predictive functions
Randomization
Introduce random values into the data or results; Challenge is to introduce random values without significantly affecting the data mining results
Give range of values for results instead of exact values
Secure Multi-party Computation
Each party knows its own inputs; encryption techniques used to compute final results
Interest measures – make sure that sensitive facts, if they exist, will be deemed uninteresting by algorithms
Extra data – example, a “phone book” that contains extra entries. Still useful if goal is to find phone given name, but access to complete phone book doesn’t allow determining facts about (for example) department sizes.
Performance – maybe not an issue for small amounts of data, but on large data sets (terabyte); exponential performance is an issue (disk limited)
Note that we don’t have the same problem faced by (for example) the GPS military/civilian accuracy encoding. There, the goal is to make information (position) known to all, but just more clearly for some. Here, the information to be made known, and the information to be kept hidden, are completely different. A better analogy would be getting position from communications satellites (e.g. measuring delay). Introducing a small random delay will wreak havoc with trying to determine position by this method, but will not alter the information communicated.

17. Inference problem for Multimedia Databases
Access Control for Text, Images, Audio and Video
Granularity of Protection
Text
John has access to Chapters 1 and 2 but not to 3 and 4
Images
John has access to portions of the image
Access control for pixels?
Video and Audio
John has access to Frames 1000 to 2000
Jane has access only to scenes in US
Security constraints
Association based constraints
E.g., collections of images are classified

18. Inference Control for Semantic Web
According to Tim Berners Lee, The Semantic Web supports
Machine readable and understandable web pages
Layers for the semantic web: Security cuts across all layers
Challenge: Not only integrating the layers for the semantic web, but also ensuring secure interoperability S E C U R I T Y
Logic, Proof and Trust P R I V A C Y
Rules/Query
Other
Services
RDF, Ontologies
XML, XML Schemas
URI, UNICODE

19. Inference Control for Semantic Web - II
Semantic web has reasoning capabilities
Based on several logics including descriptive logics
Inferencing is key to the operation of the semantic web
Need to build inference controllers that can handle different types of inferencing capability

20. Example Security-Enhanced Semantic Web
Interface to the Security-Enhanced Semantic Web
Technology
to be developed
by project
Inference Engine/
Inference Controller
Security Policies
Ontologies
Rules
XML, RDF
Documents
Web Pages,
Databases
Semantic Web
Engine

21. Security and Ontologies
Access control for Ontologies
Who can access which parts of the Ontologies
E.g, Professor can access all patents of the department while the Secretary can access only the descriptions of the patents in the patent ontology
Ontologies for Security Applications
Use ontologies for specifying security/privacy policies
Integrating heterogeneous policies may involve integrating ontologies and resolving inconsistencies

22. Inference Control in XML Documents
Access control and authorization models
Protecting entire documents, parts of documents, propagations of access control privileges; Protecting DTDs vs Document instances; Secure XML Schemas
Inference problem for XML documents
Portions of documents taken together could be sensitive, individually not sensitive

23. Semantic Model for Inference Control
Dark lines/boxes contain
sensitive information
Cancer
Influenza
Has disease
John’s
address
Patient John
England
address
Travels frequently
Use Reasoning Strategies developed for Semantic Models such as
Semantic Nets and Conceptual Graphs to reason about the applications
And detect potential inference violations

24. Directions Inference problem is still being investigated
Census bureau still working on statistical databases
Need to find real world examples in the Military world
Inference problem with respect to medial records
Much of the focus is now on the Privacy problem
Privacy problem can be regarded to be a special case of the inference problem