Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Inference Problem - I September 19, 2014
Outline l History l Access Control and Inference l Inference problem in MLS/DBMS l Inference problem in emerging systems l Semantic data model applications l Confidentiality, Privacy and Trust l Directions
History l Statistical databases (1970s – present) l Inference problem in databases (early 1980s - present) l Inference problem in MLS/DBMS (late 1980s – present) l Unsolvability results (1990) l Logic for secure databases (1990) l Semantic data model applications (late 1980s - present) l Emerging applications (1990s – present) l Privacy (2000 – present)
Statistical Databases l Census Bureau has been focusing for decades on statistical inference and statistical database l Collections of data such as sums and averages may be given out but not the individual data elements l Techniques include - Perturbation where results are modified - Randomization where random samples are used to compute summaries l Techniques are being used now for privacy preserving data mining
Access Control and Inference l Access control in databases started with the work in System R and Ingres Projects - Access Control rules were defined for databases, relations, tuples, attributes and elements - SQL and QUEL languages were extended l GRANT and REVOKE Statements l Read access on EMP to User group A Where EMP.Salary Security - Query Modification: l Modify the query according to the access control rules l Retrieve all employee information where salary < 30K and Dept is not Security
Query Modification Algorithm l Inputs: Query, Access Control Rules l Output: Modified Query l Algorithm: - Given a query Q, examine all the access control rules relevant to the query - Introduce a Where Clause to the query that negates access to the relevant attributes in the access control rules l Example: rules are John does not have access to Salary in EMP and Budget in DEPT l Query is to join the EMP and DEPT relations on Dept # l Modify the query to Join EMP and DEPT on Dept # and project on all attributes except Salary and Budget - Output is the resulting query
Security Constraints / Access Control Rules l Simple Constraint: John cannot access the attribute Salary of relation EMP l Content-based constraint: If relation MISS contains information about missions in the Middle East, then John cannot access MISS l Association-based Constraint: Ship’s location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John l Release constraint: After X is released Y cannot be accessed by John l Aggregate Constraint: Ten or more tuples taken together cannot be accessed by John l Dynamic Constraint: After the Mission, information about the mission can be accessed by John
Security Constraints for Healthcare l Simple Constraint: Only doctors can access medical records l Content-based constraint: If the patient has Aids then this information is private l Association-based Constraint: Names and medical records taken together is private l Release constraint: After medical records are released, names cannot be released l Aggregate Constraint: The collection of patients is private, individually public l Dynamic Constraint: After the patient dies, information about him becomes public
Inference Problem in MLS/DBMS Inference is the process of forming conclusions from premises If the conclusions are unauthorized, it becomes a problem Inference problem in a multilevel environment Aggregation problem is a special case of the inference problem - collections of data elements is Secret but the individual elements are Unclassified Association problem: attributes A and B taken together is Secret - individually they are Unclassified
Revisiting Security Constraints l Simple Constraint: Mission attribute of SHIP is Secret l Content-based constraint: If relation MISSION contains information about missions in Europe, then MISSION is Secret l Association-based Constraint: Ship’s location and mission taken together is Secret; individually each attribute is Unclassified l Release constraint: After X is released Y is Secret l Aggregate Constraint: Ten or more tuples taken together is Secret l Dynamic Constraint: After the Mission, information about the mission is Unclassified l Logical Constraint: A Implies B; therefore if B is Secret then A must be at least Secret
Enforcement of Security Constraints User Interface Manager Constraint Manager Security Constraints Query Processor: Constraints during query and release operations Update Processor: Constraints during update operation Database Design Tool Constraints during database design operation MLS Database MLS/DBMS
Query Algorithms l Query is modified according to the constraints l Release database is examined as to what has been released l Query is processed and response assembled l Release database is examined to determine whether the response should be released l Result is given to the user l Portions of the query processor are trusted
Update Algorithms l Certain constraints are examined during update operation l Example: Content-based constraints l The security level of the data is computed l Data is entered at the appropriate level l Certain parts of the Update Processor are trusted
Database Design Algorithms l Certain constraints are examined during the database design time - Example: Simple, Association and Logical Constraints l Schema are assigned security levels l Database is partitioned accordingly l Example: - If Ships location and mission taken together is Secret, then SHIP (S#, Sname) is Unclassified, LOC-MISS(S#, Location, Mission) is Secret LOC(Location) is Unclassified - MISS(Mission) is Unclassified
Data Warehousing and Inference Oracle DBMS for Employees Sybase DBMS for Projects Informix DBMS for Travel Data Warehouse: Data correlating Employees With Travel patterns and Projects Could be any DBMS e.g., relational Users Query the Warehouse Challenge: Controlling access to the Warehouse and at the same time enforcing the access control policies enforced by the back-end Database systems Data
Data Mining as a Threat to Security l Data mining gives us “facts” that are not obvious to human analysts of the data l Can general trends across individuals be determined without revealing information about individuals? l Possible threats: - Combine collections of data and infer information that is private l Disease information from prescription data l Military Action from Pizza delivery to pentagon l Need to protect the associations and correlations between the data that are sensitive
Security Preserving Data Mining l Prevent useful results from mining - Introduce “cover stories” to give “false” results - Only make a sample of data available and that adversary is unable to come up with useful rules and predictive functions l Randomization - Introduce random values into the data or results; Challenge is to introduce random values without significantly affecting the data mining results - Give range of values for results instead of exact values l Secure Multi-party Computation - Each party knows its own inputs; encryption techniques used to compute final results
Inference problem for Multimedia Databases l Access Control for Text, Images, Audio and Video l Granularity of Protection - Text l John has access to Chapters 1 and 2 but not to 3 and 4 - Images l John has access to portions of the image l Access control for pixels? - Video and Audio l John has access to Frames 1000 to 2000 l Jane has access only to scenes in US - Security constraints l Association based constraints E.g., collections of images are classified
Inference Control for Semantic Web l According to Tim Berners Lee, The Semantic Web supports - Machine readable and understandable web pages l Layers for the semantic web: Security cuts across all layers l Semantic web has reasoning capabilities XML, XML Schemas Rules/Query Logic, Proof and Trust SECURITYSECURITY Other Services RDF, Ontologies URI, UNICODE PRIVACYPRIVACY
Inference Control for Semantic Web - II l Semantic web has reasoning capabilities l Based on several logics including descriptive logics l Inferencing is key to the operation of the semantic web l Need to build inference controllers that can handle different types of inferencing capability
Example Security-Enhanced Semantic Web Security Policies Ontologies Rules Semantic Web Engine XML, RDF Documents Web Pages, Databases Inference Engine/ Inference Controller Interface to the Security-Enhanced Semantic Web Technology to be developed by project
Security, Ontologies and XML l Access control for Ontologies - Who can access which parts of the Ontologies - E.g, Professor can access all patents of the department while the Secretary can access only the descriptions of the patents l Ontologies for Security Applications - Use ontologies for specifying security/privacy policies - Integrating heterogeneous policies l Access control for XML (also RDF) - Protecting entire documents, parts of documents, propagations of access control privileges; Protecting DTDs vs Document instances; Secure XML Schemas l Inference problem for XML documents - Portions of documents taken together could be sensitive, individually not sensitive
Semantic Model for Inference Control Patient John Cancer Influenza Has disease Travels frequently England address John’s address Dark lines/boxes contain sensitive information Use Reasoning Strategies developed for Semantic Models such as Semantic Nets and Conceptual Graphs to reason about the applications And detect potential inference violations
Directions l Inference problem is still being investigated l Census bureau still working on statistical databases l Need to find real world examples in the Military world l Inference problem with respect to medial records l Much of the focus is now on the Privacy problem l Privacy problem can be regarded to be a special case of the inference problem