
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 Inference Problem - I.


1 Data and Applications Security: Developments and Directions
Dr. Bhavani Thuraisingham, The University of Texas at Dallas
Lecture #8: Inference Problem - I
February 3, 2005

2 Outline
- History
- Access Control and Inference
- Inference problem in MLS/DBMS
- Inference problem in emerging systems
- Unsolvability and Complexity
- Logic for secure data and knowledge bases
- Semantic data model applications
- Directions

3 History
- Statistical databases (1970s – present)
- Inference problem in databases (early 1980s – present)
- Inference problem in MLS/DBMS (late 1980s – present)
- Unsolvability results (1990)
- Logic for secure databases (1990)
- Semantic data model applications (late 1980s – present)
- Emerging applications (1990s – present)
- Privacy (2000 – present)

4 Statistical Databases
- The Census Bureau has focused for decades on statistical inference and statistical databases
- Collections of data such as sums and averages may be given out, but not the individual data elements
- Techniques include:
  - Perturbation, where the results are modified
  - Randomization, where random samples are used to compute the summaries
- These techniques are now being used for privacy-preserving data mining
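Releasing only sums and averages is not enough on its own: two aggregate answers whose query sets differ by one person reveal that person's value. The following added example (not part of the lecture slides) shows this "tracker" inference against a sqlite3 statistical database and then the two mitigations the slide names, a query-set-size restriction and perturbation of the released sums. The employee rows are constructed, and MIN_QUERY_SET and NOISE are assumed policy parameters.

```python
"""Added example; not code from the lecture. Tracker inference against a
statistical database that answers only COUNT/SUM queries, plus the two
mitigations named on the slide: query-set-size restriction and perturbation.
The rows, MIN_QUERY_SET and NOISE are constructed/assumed values."""
import random
import sqlite3

EMPLOYEES = [  # constructed sample data
    ("Alice", "Security", 52000), ("Bob", "Security", 61000),
    ("Carol", "Research", 75000), ("Dave", "Research", 48000),
    ("Erin", "Research", 69000), ("Frank", "Research", 58000),
    ("Grace", "Sales", 55000), ("Heidi", "Sales", 63000),
    ("Ivan", "Sales", 50000), ("Judy", "Sales", 71000),
]
MIN_QUERY_SET = 3   # assumed policy: refuse query sets smaller than k or larger than N-k
NOISE = 5000        # assumed bound on the random perturbation added to a released sum


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE emp(name TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO emp VALUES (?,?,?)", EMPLOYEES)
    return con


def aggregate(con, dept=None, exclude=None):
    """The raw statistical interface: (count, sum) over a query set defined
    by an optional department and an optional excluded individual."""
    sql, args = "SELECT COUNT(*), SUM(salary) FROM emp WHERE 1=1", []
    if dept is not None:
        sql += " AND dept = ?"
        args.append(dept)
    if exclude is not None:
        sql += " AND name <> ?"
        args.append(exclude)
    count, total = con.execute(sql, args).fetchone()
    return count, (total or 0)


def tracker_attack(con, name, dept=None):
    """Two aggregate answers reveal one individual:
    SUM(set) - SUM(set minus the target) = the target's salary."""
    return aggregate(con, dept)[1] - aggregate(con, dept, exclude=name)[1]


def protected_sum(con, dept=None, exclude=None, rng=None):
    """Mitigated interface: refuse query sets that are too small or too close
    to the whole population, and perturb whatever is released."""
    count, total = aggregate(con, dept, exclude)
    population = aggregate(con)[0]
    if count < MIN_QUERY_SET or count > population - MIN_QUERY_SET:
        return None                              # query-set-size restriction
    rng = rng or random.Random()
    return total + rng.randint(-NOISE, NOISE)    # perturbation


if __name__ == "__main__":
    con = open_db()
    print("tracker recovers Carol's salary:", tracker_attack(con, "Carol"))
    print("whole-population sum refused:", protected_sum(con))
    print("Research sum, perturbed:", protected_sum(con, dept="Research"))
```

The size restriction alone does not close the hole: a tracker restricted to the Research department asks for 4 and then 3 rows, both of which the restriction allows, so the difference is still exact unless the sums are perturbed. That is why the slide's perturbation and randomization techniques are layered on top of set-size rules rather than replacing them.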

5 Access Control and Inference
- Access control in databases started with the work in the System R and Ingres projects
  - Access control rules were defined for databases, relations, tuples, attributes and elements
  - The SQL and QUEL languages were extended
- GRANT and REVOKE statements
- Example rule: read access on EMP to user group A where EMP.Salary < 30K and EMP.Dept is not Security
- Query modification:
  - Modify the query according to the access control rules
  - Example: "Retrieve all employee information" becomes "Retrieve all employee information where Salary < 30K and Dept is not Security"

6 Query Modification Algorithm
- Inputs: Query, Access Control Rules
- Output: Modified Query
- Algorithm:
  - Given a query Q, examine all the access control rules relevant to the query
  - Introduce a WHERE clause (or, for attribute-level rules, drop attributes from the projection) so that the query cannot reach the attributes or tuples denied by the relevant rules
  - Output the resulting query
- Example: the rules are that John does not have access to Salary in EMP or to Budget in DEPT
  - The query is to join the EMP and DEPT relations on Dept#
  - Modify the query to join EMP and DEPT on Dept# and project on all attributes except Salary and Budget
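The algorithm above, as an added example that is not the lecture's or either project's code: a query-modification step in Python over sqlite3. Queries are passed as small structured dicts (relations, attributes, user predicate) rather than parsed from SQL text, and the EMP/DEPT schema, the rows, the users "john" and "groupA" and their rules are constructed. It also adds the check the slide's description leaves implicit: a user predicate on a denied attribute (such as WHERE EMP.Salary > 100000) must be rejected, otherwise the denied value leaks through selection even though it was dropped from the projection.

```python
"""Added example; not code from the lecture. Query modification in the
System R / Ingres style, run against sqlite3. Queries are structured dicts,
not parsed SQL. Schema, rows, users and rules are constructed."""
import re
import sqlite3

SCHEMA = {
    "EMP": ["Ename", "Salary", "DeptNo"],
    "DEPT": ["DeptNo", "Dname", "Budget"],
}

# Access control rules (constructed). "deny" lists attributes the user may
# not read; "restrict" is a row predicate the user's view must satisfy.
RULES = {
    "john": {"deny": {"EMP": {"Salary"}, "DEPT": {"Budget"}}, "restrict": {}},
    "groupA": {"deny": {},
               "restrict": {"EMP": "EMP.Salary < 30000 AND EMP.DeptNo <> 'SEC'"}},
}

QUALIFIED = re.compile(r"\b(\w+)\.(\w+)\b")   # REL.Attr references in a predicate


def modify_query(user, query):
    """Return SQL implementing the user's query under the user's rules.

    query = {"from": [relations], "select": [qualified attrs] or None for all,
             "where": optional predicate written by the user}
    """
    rules = RULES[user]
    rels = query["from"]
    deny = rules["deny"]

    # 1. A predicate on a denied attribute would leak it through selection,
    #    so reject the query outright instead of rewriting it.
    for rel, attr in QUALIFIED.findall(query.get("where") or ""):
        if attr in deny.get(rel, set()):
            raise PermissionError(f"{user} may not reference {rel}.{attr}")

    # 2. Projection: drop denied attributes (expanding '*' first).
    wanted = query.get("select") or [f"{r}.{a}" for r in rels for a in SCHEMA[r]]
    kept = [qa for qa in wanted
            if qa.split(".")[1] not in deny.get(qa.split(".")[0], set())]
    if not kept:
        raise PermissionError(f"{user} may not read any requested attribute")

    # 3. Selection: conjoin the user's predicate with the policy predicate
    #    of every relation in the query.
    preds = [query["where"]] if query.get("where") else []
    preds += [rules["restrict"][r] for r in rels if r in rules["restrict"]]

    sql = f"SELECT {', '.join(kept)} FROM {', '.join(rels)}"
    if preds:
        sql += " WHERE " + " AND ".join(f"({p})" for p in preds)
    return sql


def open_db():
    """In-memory database holding constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMP(Ename TEXT, Salary INTEGER, DeptNo TEXT)")
    con.execute("CREATE TABLE DEPT(DeptNo TEXT, Dname TEXT, Budget INTEGER)")
    con.executemany("INSERT INTO EMP VALUES (?,?,?)",
                    [("Ann", 25000, "SEC"), ("Ben", 28000, "RES"), ("Cal", 45000, "RES")])
    con.executemany("INSERT INTO DEPT VALUES (?,?,?)",
                    [("SEC", "Security", 500000), ("RES", "Research", 300000)])
    return con


def run(con, sql):
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    con = open_db()
    # John's join of EMP and DEPT: Salary and Budget vanish from the projection.
    join = {"from": ["EMP", "DEPT"], "where": "EMP.DeptNo = DEPT.DeptNo"}
    print(modify_query("john", join), run(con, modify_query("john", join)))
    # Group A sees only low-paid employees outside Security.
    print(run(con, modify_query("groupA", {"from": ["EMP"], "select": ["EMP.Ename"]})))
```

The rewrite is done before the query touches the data, which is what makes it cheap and what makes step 1 necessary: once the predicate runs inside the DBMS, nothing downstream can tell that the result set was shaped by a denied column.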

7 Security Constraints / Access Control Rules
- Simple constraint: John cannot access the attribute Salary of relation EMP
- Content-based constraint: if relation MISS contains information about missions in the Middle East, then John cannot access MISS
- Association-based constraint: a ship's location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John
- Release constraint: after X is released, Y cannot be accessed by John
- Aggregate constraint: ten or more tuples taken together cannot be accessed by John
- Dynamic constraint: after the mission, information about the mission can be accessed by John

8 Inference Problem in MLS/DBMS
- Inference is the process of forming conclusions from premises
- If the conclusions are unauthorized, it becomes a problem
- The inference problem in a multilevel environment:
  - Aggregation problem, a special case of the inference problem: a collection of data elements is Secret but the individual elements are Unclassified
  - Association problem: attributes A and B taken together are Secret; individually they are Unclassified

9 Revisiting Security Constraints
- Simple constraint: the Mission attribute of SHIP is Secret
- Content-based constraint: if relation MISSION contains information about missions in Europe, then MISSION is Secret
- Association-based constraint: a ship's location and mission taken together are Secret; individually each attribute is Unclassified
- Release constraint: after X is released, Y is Secret
- Aggregate constraint: ten or more tuples taken together are Secret
- Dynamic constraint: after the mission, information about the mission is Unclassified
- Logical constraint: A implies B; therefore if B is Secret then A must be at least Secret

10 Enforcement of Security Constraints (architecture figure)
- User Interface Manager
- Constraint Manager, which holds the Security Constraints and drives three components:
  - Query Processor: enforces constraints during query and release operations
  - Update Processor: enforces constraints during update operations
  - Database Design Tool: enforces constraints during database design
- All three sit on top of the MLS/DBMS and its MLS Database

11 Query Algorithms
- The query is modified according to the constraints
- The release database is examined to see what has already been released
- The query is processed and the response assembled
- The release database is examined again to determine whether the response should be released
- The result is given to the user
- Portions of the query processor are trusted

12 Update Algorithms
- Certain constraints are examined during the update operation
  - Example: content-based constraints
- The security level of the data is computed
- The data is entered at the appropriate level
- Certain parts of the Update Processor are trusted

13 Database Design Algorithms
- Certain constraints are examined at database design time
  - Example: simple, association and logical constraints
- Schemas are assigned security levels
- The database is partitioned accordingly
- Example: if a ship's location and mission taken together are Secret, then
  - SHIP(S#, Sname) is Unclassified
  - LOC-MISS(S#, Location, Mission) is Secret
  - LOC(Location) is Unclassified
  - MISS(Mission) is Unclassified
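The query and update algorithms of slides 11 and 12, applied to the constraint types of slide 9, as an added example in Python (not code from the lecture or from any system it describes). The update processor computes a tuple's level from a content-based constraint at insert time; the query processor filters tuples by level, then checks the association and aggregate constraints against a per-user release database before recording the release. Release constraints ("after X is released, Y is Secret") are enforced by the same release-database check. The relation SHIP(S#, Sname, Location, Mission), the constraints, the threshold of ten tuples, the two levels and the users "john" and "jane" are constructed for illustration.

```python
"""Added example; not code from the lecture. A toy inference controller:
update-time classification from content-based constraints, and query-time
checks of association and aggregate constraints against a release database.
Relation, constraints, thresholds and users are constructed."""
from dataclasses import dataclass, field

LEVELS = {"Unclassified": 0, "Secret": 1}


def dominates(a, b):
    return LEVELS[a] >= LEVELS[b]


def lub(a, b):
    """Least upper bound of two levels."""
    return a if dominates(a, b) else b


# Constructed constraints, following the types on slide 9.
ASSOCIATION = [(frozenset({"Location", "Mission"}), "Secret")]   # together Secret
AGGREGATE_N, AGGREGATE_LEVEL = 10, "Secret"                       # 10+ tuples together Secret
CONTENT = [("Mission", lambda v: "Europe" in v, "Secret")]        # content-based

DB = []   # the MLS database: each stored tuple carries the level computed at insert


def classify(row):
    """Update processor: level of a tuple under the content-based constraints."""
    level = "Unclassified"
    for attr, predicate, lvl in CONTENT:
        if predicate(row[attr]):
            level = lub(level, lvl)
    return level


def insert(row):
    DB.append({**row, "_level": classify(row)})


@dataclass
class User:
    name: str
    clearance: str
    released_attrs: set = field(default_factory=set)   # release database:
    released_keys: set = field(default_factory=set)    # what this user has seen


def required_level(user, attrs, keys):
    """Level of the response once combined with what was already released."""
    level = "Unclassified"
    together = user.released_attrs | attrs
    for group, lvl in ASSOCIATION:
        if group <= together:                              # association constraint
            level = lub(level, lvl)
    if len(user.released_keys | keys) >= AGGREGATE_N:      # aggregate constraint
        level = lub(level, AGGREGATE_LEVEL)
    return level


def query(user, attrs, limit=None, offset=0):
    """Query processor: filter by tuple level, check the release database
    against the assembled response, then record the release."""
    attrs = set(attrs)
    visible = [r for r in DB if dominates(user.clearance, r["_level"])]
    rows = visible[offset:(offset + limit) if limit else None]
    keys = {r["S#"] for r in rows}
    level = required_level(user, attrs, keys)
    if not dominates(user.clearance, level):
        raise PermissionError(f"{user.name}: response would be {level}")
    user.released_attrs |= attrs
    user.released_keys |= keys
    return [{a: r[a] for a in sorted(attrs)} for r in rows]


def load_sample_data():
    """Twelve constructed ships; ship 7 has a European mission and is
    classified Secret by the update processor."""
    DB.clear()
    for i in range(12):
        insert({"S#": i, "Sname": f"Ship-{i}",
                "Location": ["Atlantic", "Pacific", "Indian Ocean"][i % 3],
                "Mission": "Exercise in Europe" if i == 7 else "Patrol"})


load_sample_data()

if __name__ == "__main__":
    john = User("john", "Unclassified")
    print(query(john, ["Sname"], limit=5))       # released
    print(query(john, ["Location"], limit=5))    # released
    for attempt in ({"attrs": ["Mission"], "limit": 5},           # association
                    {"attrs": ["Sname"], "limit": 5, "offset": 5}):  # aggregate
        try:
            query(john, **attempt)
        except PermissionError as e:
            print("denied:", e)
```

Two points the slides make show up directly in the code: the release database is what turns a per-query check into an inference check (John's request for Mission is harmless on its own and is refused only because Location was released earlier), and the response is assembled before the release decision, because the aggregate constraint depends on how many tuples the response actually contains.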

14 Data Warehousing and Inference (architecture figure)
- Back-end database systems: an Oracle DBMS for Employees, a Sybase DBMS for Projects, an Informix DBMS for Travel
- Data Warehouse: data correlating employees with travel patterns and projects; could be any DBMS, e.g., relational
- Users query the warehouse
- Challenge: controlling access to the warehouse while at the same time enforcing the access control policies of the back-end database systems

15 Data Mining as a Threat to Security
- Data mining gives us "facts" that are not obvious to human analysts of the data
- Can general trends across individuals be determined without revealing information about individuals?
- Possible threats: combine collections of data and infer information that is private
  - Disease information from prescription data
  - Military action from pizza deliveries to the Pentagon
- Need to protect the associations and correlations between the data that are sensitive

16 Security Preserving Data Mining
- Prevent useful results from mining
  - Introduce "cover stories" to give "false" results
  - Only make a sample of the data available, so that the adversary cannot come up with useful rules and predictive functions; this limits the ability to learn a good classifier
- Randomization
  - Introduce random values into the data or results; the challenge is to introduce random values without significantly affecting the data mining results
  - Give a range of values for results instead of exact values
- Secure multi-party computation
  - Each party knows only its own inputs; encryption techniques are used to compute the final results (rules, predictive functions)

17 Inference Problem for Multimedia Databases
- Access control for text, images, audio and video
- Granularity of protection
  - Text: John has access to Chapters 1 and 2 but not to 3 and 4
  - Images: John has access to portions of the image; access control for pixels?
  - Video and audio: John has access to frames 1000 to 2000; Jane has access only to scenes in the US
- Security constraints
  - Association-based constraints, e.g., collections of images are classified

18 Inference Control for the Semantic Web
- According to Tim Berners-Lee, the Semantic Web supports machine-readable and machine-understandable web pages
- Layers of the semantic web (figure): URI and Unicode; XML and XML Schemas; RDF and Ontologies; Rules/Query; Logic, Proof and Trust; Other Services. Security and Privacy cut across all layers
- Challenge: not only integrating the layers for the semantic web, but also ensuring secure interoperability

19 Inference Control for the Semantic Web - II
- The semantic web has reasoning capabilities
- Based on several logics, including description logics
- Inferencing is key to the operation of the semantic web
- Need to build inference controllers that can handle the different types of inferencing capability

20 Example Security-Enhanced Semantic Web (architecture figure)
- Interface to the security-enhanced semantic web
- Inference Engine / Inference Controller, driven by Security Policies, Ontologies and Rules
- Semantic Web Engine over XML and RDF documents, web pages and databases
- Technology to be developed by the project

21 Security and Ontologies
- Access control for ontologies
  - Who can access which parts of the ontologies
  - E.g., a professor can access all patents of the department while the secretary can access only the descriptions of the patents in the patent ontology
  - Can we apply the research on secure metadata management to secure ontology management?
- Ontologies for security applications
  - Use ontologies for specifying security/privacy policies
  - Integrating heterogeneous policies may involve integrating ontologies and resolving inconsistencies

22 Inference Control in XML Documents
- Some ideas have evolved from research in secure multimedia/object data management
- Access control and authorization models
  - Protecting entire documents, parts of documents, propagation of access control privileges; protecting DTDs vs. document instances; secure XML Schemas
- Update policies and dissemination policies
- Secure publishing of XML documents
  - How do you minimize trust for third-party publication?
  - Use of encryption
- Inference problem for XML documents
  - Portions of documents taken together could be sensitive while individually they are not

23 On the Complexity of the Inference Problem
- Technical Report MTP 291, June 1990 (The MITRE Corporation); a version was presented at the IEEE Computer Security Foundations Workshop
- Definitions and results
  - Defined: Database, Deductive Database, Inference Function, Security Enhanced Database, Security Enhanced Deductive Database, and the Inference Problem with respect to Security Level L, denoted IP(L)
- Theorems:
  - For each security level L, IP(L) is recursively enumerable
  - For each security level L, IP(L) is either recursive or nonsimple
  - If all inference functions which model the rules in deductive databases are deterministic, then for each security level L, IP(L) is either recursive or a cylinder
  - If security level L1 dominates security level L2, then IP(L1) is a subset of IP(L2)

24 Logic for Data and Knowledge Bases
- NTML: Nonmonotonic Typed Multilevel Logic
- Extends first-order logic with security levels
- Supports polyinstantiation
- Proof-theoretic and model-theoretic viewpoints
- Need to extend the concepts to the semantic web and other emerging applications
- Thuraisingham, 1991; IEEE Computer Security Foundations Workshop

25 Semantic Model for Inference Control (semantic net figure)
- Nodes: Patient John; diseases Cancer and Influenza (linked by "has disease"); England (linked by "travels frequently"); John's address (linked by "address")
- Dark lines/boxes contain sensitive information
- Use reasoning strategies developed for semantic models such as semantic nets and conceptual graphs to reason about the applications and detect potential inference violations

26 Directions
- The inference problem is still being investigated
- The Census Bureau is still working on statistical databases
- Need to find real-world examples in the military world
- Inference problem with respect to medical records
- Much of the focus is now on the privacy problem
- The privacy problem can be regarded as a special case of the inference problem
- Lecture #9 will focus on some designs of inference controllers as well as on semantic nets for handling the inference problem

