
Slide 1: Don’t Reveal My Intension: Protecting User Privacy using Declarative Preferences during Distributed Query Processing
Nicholas L. Farnan, Adam J. Lee, Panos K. Chrysanthis (University of Pittsburgh); Ting Yu (North Carolina State University)

Slide 2 (ESORICS, 14 Sept): Alice is Concerned her Employer Pollutes

    SELECT *
    FROM Plants, Supplies, Polluted_Waters
    WHERE Supplies.type = 'solvent'
      AND Supplies.name = Polluted_Waters.pollutant
      AND Polluted_Waters.location = Plants.location
      AND Plants.id = Supplies.plant_id;

Slide 3: Our Goals for this Work

To empower users querying a distributed database system with declarative controls over their privacy that are flexible enough to allow a balance between privacy and performance.

Slide 4: Roadmap

● Overview of Distributed Query Processing
● Privacy Definitions
● Overview of Our Methodology
● Proposed SQL Extensions
● Overview of Related Work
● Conclusion and Ongoing Work

Slide 5: Distributed Query Processing

(Alice's query from Slide 2.)

Figure labels: Alice (Querier) is trusted; Inventory, Facilities and Pollution Watch are untrusted.

Slide 6: How Does Optimization Affect Querier Privacy?

(Alice's query from Slide 2, with several candidate query plans.)

Figure callouts on the candidate plans:
● Reveals sensitive information to ManuCo
● Reveals sensitive information to Pollution Watch
● Results in a large amount of network traffic
● Strikes a balance between privacy and performance

Slide 7: Formalizing this Intensional Knowledge

Given a globally-expanded query plan Q with node set N and edge set E, we denote by κ_p(Q) ⊆ N ∪ E the intensional knowledge that principal p ∈ P has of the query encoded by the plan Q. At a minimum, κ_p(Q) contains the set of all locally-expanded query plans for each node n ∈ N annotated for execution by the principal p, and further all edges leaving or entering such nodes.

Figure labels: κ_Inventory, κ_Facilities, κ_Pollution_Watch.

Slide 8: Our Approach

(Alice's query from Slide 2.)

● Have users define intensional regions
● Specify constraints on those regions
● Construct a query plan that respects those constraints

Callout: make sure all operations involving these conditions are evaluated by a trusted server!

Slide 9: A Formal Definition of Querier Privacy

Given an intensional region I and a set of colluding adversaries A ⊆ P, a globally-expanded query plan Q is said to be (I, A)-private iff

    κ_A(Q) ⊭ I

where ⊨ denotes an inference procedure for extracting intensional knowledge from a collection of query plans.

Slide 10: Representing Query Plan Nodes

Slide 11: Representing Query Plan Nodes

● op: relational algebra operation
● params: parameters to that operation
● p: principal where the operation will be executed

Slide 12: Matching Against Query Tree Nodes

Slide 13: Constraining Dissemination of Intensional Regions

Node descriptors can contain free variables. Users author constraints on these free variables, for example:

    $l = Querier

Slide 14: Extending SQL to Support Constraints

    SELECT *
    FROM Plants, Supplies, Polluted_Waters
    WHERE Supplies.type = 'solvent'
      AND Supplies.name = Polluted_Waters.pollutant
      AND Polluted_Waters.location = Plants.location
      AND Plants.id = Supplies.plant_id
    REQUIRING $l = Querier HOLDS OVER [intensional region];
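The pieces introduced on Slides 7 through 14 fit together as a small checker: plan nodes in the (op, params, p) form, an intensional region obtained by matching a node descriptor, the knowledge κ_A(Q) of a colluding set A, and the REQUIRING constraint $l = Querier. The following is an added example written for this transcript, not code from the paper or its PostgreSQL prototype. It assumes a plan for Alice's query with constructed node ids and placements, and it assumes a deliberately minimal inference procedure (the adversaries infer a region as soon as one of its nodes is annotated for execution by one of them); the paper's ⊨ is left abstract on the slides.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

QUERIER = "Querier"


@dataclass(frozen=True)
class Node:
    """Query plan node in the (op, params, p) form of Slides 10-11."""
    nid: int
    op: str                   # relational algebra operation
    params: Tuple[str, ...]   # relations/attributes the operation touches
    p: str                    # principal annotated to execute this node


@dataclass
class Plan:
    """Globally-expanded plan: nodes N plus edges E (child -> parent data flow)."""
    nodes: Dict[int, Node]
    edges: Set[Tuple[int, int]]


def make_plan(join_pollutant_at: str) -> Plan:
    """Constructed plan for Alice's query; only the placement of the
    Supplies.name = Polluted_Waters.pollutant join (node 4) varies."""
    nodes = [
        Node(1, "scan", ("Supplies",), "Inventory"),
        Node(2, "select", ("Supplies.type",), "Inventory"),
        Node(3, "scan", ("Polluted_Waters",), "Pollution Watch"),
        Node(4, "join", ("Supplies.name", "Polluted_Waters.pollutant"), join_pollutant_at),
        Node(5, "scan", ("Plants",), "Facilities"),
        Node(6, "join", ("Polluted_Waters.location", "Plants.location"), QUERIER),
        Node(7, "join", ("Plants.id", "Supplies.plant_id"), QUERIER),
    ]
    edges = {(1, 2), (2, 4), (3, 4), (4, 6), (5, 6), (6, 7)}
    return Plan({n.nid: n for n in nodes}, edges)


# Constructed candidates: the pollutant join pushed down to the untrusted
# Pollution Watch server (cheap but leaky) versus evaluated at the querier.
PLAN_PUSHDOWN = make_plan("Pollution Watch")
PLAN_QUERIER_JOIN = make_plan(QUERIER)


def match_region(plan: Plan, descriptor: Callable[[Node], bool]) -> Set[int]:
    """An intensional region: the node ids matching a node descriptor
    (Slides 12-13). The free variable $l binds to each matched node's p."""
    return {n.nid for n in plan.nodes.values() if descriptor(n)}


def touches_pollutant(n: Node) -> bool:
    """Descriptor for 'nodes operating on the pollutant attribute'."""
    return "Polluted_Waters.pollutant" in n.params


def knowledge(plan: Plan, principals: Set[str]) -> Tuple[Set[int], Set[Tuple[int, int]]]:
    """kappa_A(Q) at Slide 7's minimum: nodes annotated for any p in A plus
    every edge entering or leaving such a node."""
    known = {n.nid for n in plan.nodes.values() if n.p in principals}
    edges = {(a, b) for (a, b) in plan.edges if a in known or b in known}
    return known, edges


def holds(plan: Plan, region: Set[int], location: str) -> bool:
    """Constraint '$l = <location> HOLDS OVER region' (Slide 14's REQUIRING)."""
    return all(plan.nodes[i].p == location for i in region)


def is_private(plan: Plan, region: Set[int], adversaries: Set[str]) -> bool:
    """(I, A)-privacy under this example's simplified inference procedure
    (an assumption, not the paper's): A infers the region iff one of its
    nodes lies in the node part of kappa_A(Q). Edge knowledge is returned by
    knowledge() but not used for inference here."""
    known_nodes, _ = knowledge(plan, adversaries)
    return not (region & known_nodes)


if __name__ == "__main__":
    for name, plan in (("pushdown", PLAN_PUSHDOWN), ("querier join", PLAN_QUERIER_JOIN)):
        region = match_region(plan, touches_pollutant)
        print(name, "region", sorted(region),
              "| $l = Querier holds:", holds(plan, region, QUERIER),
              "| private vs Pollution Watch:", is_private(plan, region, {"Pollution Watch"}))
```

Note what the edge part of κ_Inventory carries even in the private plan: Inventory sees that the output of its solvent filter leaves for another principal. A real inference procedure would reason over such edges as well, which is why the slides define κ_p(Q) over N ∪ E rather than nodes alone.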

Slide 15: Balancing Privacy and Performance

W. Kießling. Foundations of preferences in database systems. VLDB.

    All nodes operating on the pollutant attribute are evaluated by Querier
    & ( Query is estimated to take less than 2 minutes to run
        ⊗ All join operations are evaluated by Querier )

Slide 16: Expressing Preferences in SQL

    SELECT *
    FROM Plants, Supplies, Polluted_Waters
    WHERE Supplies.type = 'solvent'
      AND Supplies.name = Polluted_Waters.pollutant
      AND Polluted_Waters.location = Plants.location
      AND Plants.id = Supplies.plant_id
    PREFERRING $l = Querier HOLDS OVER [intensional region]
      CASCADE LESSTHAN(runtime, 2)
      AND $l = Querier HOLDS OVER [intensional region];

W. Kießling and G. Köstler. Preference SQL: Design, Implementation, Experiences. VLDB, 2002.
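Slides 15 and 16 express the same preference twice, once in Kießling's algebra and once in Preference SQL; in that algebra & is prioritization (Preference SQL CASCADE) and ⊗ is Pareto accumulation (Preference SQL AND). The example below, added for this transcript and not code from the paper or from Preference SQL, evaluates such a preference over candidate query plans and returns the best-matches-only set, the plans no other plan beats. It assumes constructed candidate plans summarised by three attributes (whether the pollutant region is at the querier, the estimated runtime in minutes, whether all joins are at the querier) and a simplified LESSTHAN semantics in which every value below the bound is equally good; it also contrasts REQUIRING, treated as a hard filter, with PREFERRING.

```python
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass(frozen=True)
class Candidate:
    """Constructed summary of one candidate query plan for Alice's query."""
    name: str
    pollutant_at_querier: bool  # '$l = Querier HOLDS OVER' the pollutant region
    runtime_est: float          # optimizer's runtime estimate, minutes
    joins_at_querier: bool      # '$l = Querier HOLDS OVER' all join nodes


class Pref:
    """A strict partial order 'better than' plus an indifference relation."""
    def better(self, x: Candidate, y: Candidate) -> bool:
        raise NotImplementedError

    def equal(self, x: Candidate, y: Candidate) -> bool:
        raise NotImplementedError


class Score(Pref):
    """Base preference from a score: higher is better, equal scores are indifferent."""
    def __init__(self, score: Callable[[Candidate], float]):
        self.score = score

    def better(self, x, y):
        return self.score(x) > self.score(y)

    def equal(self, x, y):
        return self.score(x) == self.score(y)


class Pareto(Pref):
    """Pareto accumulation (Kiessling's ⊗, Preference SQL AND): x beats y iff x
    is at least as good under every component and strictly better under one."""
    def __init__(self, *parts: Pref):
        self.parts = parts

    def better(self, x, y):
        return (all(p.better(x, y) or p.equal(x, y) for p in self.parts)
                and any(p.better(x, y) for p in self.parts))

    def equal(self, x, y):
        return all(p.equal(x, y) for p in self.parts)


class Prioritized(Pref):
    """Prioritization (Kiessling's &, Preference SQL CASCADE): the first
    preference decides unless it is indifferent, then the second decides."""
    def __init__(self, first: Pref, second: Pref):
        self.first, self.second = first, second

    def better(self, x, y):
        return self.first.better(x, y) or (self.first.equal(x, y) and self.second.better(x, y))

    def equal(self, x, y):
        return self.first.equal(x, y) and self.second.equal(x, y)


def less_than(attr: Callable[[Candidate], float], bound: float) -> Pref:
    """LESSTHAN(attr, bound), simplified for this example (an assumption):
    every value below the bound is equally best; otherwise a smaller overshoot is better."""
    return Score(lambda c: 0.0 if attr(c) < bound else bound - attr(c))


def bmo(candidates: List[Candidate], pref: Pref) -> Set[str]:
    """Best-matches-only set: names of candidates no other candidate beats."""
    return {c.name for c in candidates
            if not any(pref.better(o, c) for o in candidates if o is not c)}


def requiring(candidates: List[Candidate], hard: Callable[[Candidate], bool]) -> List[Candidate]:
    """REQUIRING is a hard constraint: plans violating it are discarded outright."""
    return [c for c in candidates if hard(c)]


# Slide 15's preference: pollutant_at_querier & (LESSTHAN(runtime, 2) ⊗ joins_at_querier),
# i.e. pollutant CASCADE (runtime AND joins) in Preference SQL terms.
ALICE_PREF = Prioritized(
    Score(lambda c: 1.0 if c.pollutant_at_querier else 0.0),
    Pareto(less_than(lambda c: c.runtime_est, 2.0),
           Score(lambda c: 1.0 if c.joins_at_querier else 0.0)),
)

# Constructed candidate plans (names and numbers are illustrative only).
CANDIDATES = [
    Candidate("all_pushed_down", False, 0.5, False),
    Candidate("pollutant_join_at_querier", True, 1.5, False),
    Candidate("all_joins_at_querier", True, 4.0, True),
    Candidate("hybrid_slow", True, 3.0, False),
]

if __name__ == "__main__":
    print("REQUIRING keeps:", [c.name for c in requiring(CANDIDATES, lambda c: c.pollutant_at_querier)])
    print("PREFERRING best matches:", sorted(bmo(CANDIDATES, ALICE_PREF)))
```

With these candidates the best-matches-only set keeps both the fast plan that protects only the pollutant region and the slow plan that also keeps every join at the querier: under Pareto accumulation neither beats the other, which is exactly the privacy/performance trade-off the slides leave to the user, whereas the plan that pushes the pollutant join to an untrusted server is eliminated first by the prioritized preference.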

Slide 17: Related Work

● k-anonymity, l-diversity, t-closeness, differential privacy...
    ● All look at database privacy, though they are a complement to our work
    ● Protect the privacy of those whose data is stored in the database
● Private Information Retrieval (PIR)
    ● Server support required for privacy to be achieved
    ● Our approach can utilize PIR techniques when they are available, applicable, and efficient
● Werner Kießling's work on partially ordered preferences
    ● Expresses preferences over query results
    ● We adapt his work to operate over query optimization

Slide 18: Conclusions and Ongoing Work

● How a query is evaluated in a distributed environment can drastically affect querier privacy
● We present a formalization of querier privacy, (I, A)-privacy, and further mechanisms for users to express their particular privacy preferences
● We have adapted Kießling's work on partially ordered preferences to query optimization as opposed to data retrieval
● We are currently modifying the PostgreSQL query optimizer to support (I, A)-privacy constraints

Slide 19: Thank you. Questions?

This research was supported in part by the National Science Foundation under awards CCF– , CNS– , CNS– , CNS– , CNS– , and CDI OIA– ; and by the K. C. Wong Education Foundation.
