Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #11
Inference Problem - I
September 24, 2010

Outline
- History
- Access Control and Inference
- Inference problem in MLS/DBMS
- Inference problem in emerging systems
- Semantic data model applications
- Confidentiality, Privacy and Trust
- Directions

History
- Statistical databases (1970s – present)
- Inference problem in databases (early 1980s – present)
- Inference problem in MLS/DBMS (late 1980s – present)
- Unsolvability results (1990)
- Logic for secure databases (1990)
- Semantic data model applications (late 1980s – present)
- Emerging applications (1990s – present)
- Privacy (2000 – present)

Statistical Databases
- The Census Bureau has focused for decades on statistical inference and statistical databases
- Aggregates such as sums and averages may be given out, but not the individual data elements
- Techniques include:
  - Perturbation, where the released results are modified
  - Randomization, where random samples are used to compute the summaries
- These techniques are now being used for privacy-preserving data mining

Access Control and Inference
- Access control in databases started with the work in the System R and Ingres projects
  - Access control rules were defined for databases, relations, tuples, attributes and elements
  - SQL
    and QUEL languages were extended with GRANT and REVOKE statements
  - Example: grant read access on EMP to user group A where EMP.Salary < 30K and EMP.Dept <> Security
- Query Modification: modify the query according to the access control rules
  - Example: a request by group A for all employee information becomes "retrieve all employee information where Salary < 30K and Dept is not Security"

Query Modification Algorithm
- Inputs: Query, Access Control Rules
- Output: Modified Query
- Algorithm:
  - Given a query Q, examine all the access control rules relevant to the query
  - Introduce a WHERE clause into the query (and remove attributes from the projection) so that the tuples and attributes named in the relevant rules cannot be returned
  - Example: the rules are that John does not have access to Salary in EMP or to Budget in DEPT, and the query joins the EMP and DEPT relations on Dept #; the modified query joins EMP and DEPT on Dept # and projects on all attributes except Salary and Budget
  - Output the resulting query

Security Constraints / Access Control Rules
- Simple constraint: John cannot access the attribute Salary of relation EMP
- Content-based constraint: if relation MISS contains information about missions in the Middle East, then John cannot access MISS
- Association-based constraint: Ship's location and mission taken together cannot be accessed by John; individually each attribute can be accessed by John
- Release constraint: after X is released, Y cannot be accessed by John
- Aggregate constraint: ten or more tuples taken together cannot be accessed by John
- Dynamic constraint: after the mission, information about the mission can be accessed by John

Security Constraints for Healthcare
- Simple constraint: only doctors can access medical records
- Content-based constraint: if the patient has AIDS, then this information is private
- Association-based constraint: names and medical records taken together are private
- Release constraint: after medical records are released, names cannot be released
- Aggregate constraint: the collection of patients is private; individually each patient is public
- Dynamic constraint: after the patient dies, information about him becomes public
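The query modification algorithm above, worked through in code. This is an added example written for this page, not code from the lecture or from System R / Ingres: the EMP and DEPT attribute lists beyond Salary, Dept and Budget are assumed, the join column Dept # is written Dept, and the rules are the two examples from the slides (the GRANT for group A and John's denied attributes).

```python
"""Query modification against access control rules (added example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Constructed schema. The slides name EMP.Salary, EMP.Dept, DEPT.Budget and the
# join column Dept #; the other attributes are assumed, and Dept # is written Dept.
SCHEMA = {
    "EMP": ["Ename", "Salary", "Dept"],
    "DEPT": ["Dept", "Dname", "Budget"],
}

@dataclass(frozen=True)
class Rule:
    """What `subject` may NOT see in `relation`: denied_attrs hides columns,
    row_filter is a predicate every returned tuple must satisfy."""
    subject: str
    relation: str
    denied_attrs: FrozenSet[str] = frozenset()
    row_filter: Optional[str] = None

@dataclass
class Query:
    relations: List[str]
    projection: List[str]                            # ["EMP.Ename", ...] or ["*"]
    where: List[str] = field(default_factory=list)   # conjuncts, ANDed together

def expand_star(q: Query) -> List[str]:
    """'*' must be expanded from the schema before denied columns can be removed."""
    if q.projection != ["*"]:
        return list(q.projection)
    return [f"{r}.{a}" for r in q.relations for a in SCHEMA[r]]

def modify_query(q: Query, subject: str, rules: List[Rule]) -> Query:
    """The algorithm from the slide: select the rules relevant to this subject and
    the query's relations, drop denied attributes from the projection, and AND each
    rule's row filter into the WHERE clause. The result is a query that can only
    return what the subject is permitted to see."""
    relevant = [r for r in rules if r.subject == subject and r.relation in q.relations]
    projection = expand_star(q)
    where = list(q.where)
    for rule in relevant:
        projection = [col for col in projection
                      if not (col.split(".")[0] == rule.relation
                              and col.split(".")[1] in rule.denied_attrs)]
        if rule.row_filter and rule.row_filter not in where:
            where.append(rule.row_filter)
    return Query(list(q.relations), projection, where)

def to_sql(q: Query) -> str:
    sql = f"SELECT {', '.join(q.projection)} FROM {', '.join(q.relations)}"
    if q.where:
        sql += " WHERE " + " AND ".join(f"({c})" for c in q.where)
    return sql

RULES = [
    # The GRANT example: group A reads EMP only for non-Security staff earning under 30K
    Rule("group_A", "EMP", row_filter="EMP.Salary < 30000 AND EMP.Dept <> 'Security'"),
    # The Query Modification Algorithm example: John may not see Salary or Budget
    Rule("John", "EMP", denied_attrs=frozenset({"Salary"})),
    Rule("John", "DEPT", denied_attrs=frozenset({"Budget"})),
]

def group_a_query() -> str:
    """'All employee information' for group A becomes a salary/department-restricted query."""
    return to_sql(modify_query(Query(["EMP"], ["*"]), "group_A", RULES))

def john_join_query() -> str:
    """John's EMP-DEPT join keeps the join but projects out Salary and Budget."""
    q = Query(["EMP", "DEPT"], ["*"], where=["EMP.Dept = DEPT.Dept"])
    return to_sql(modify_query(q, "John", RULES))

if __name__ == "__main__":
    print(group_a_query())
    print(john_join_query())
```

Two points a practitioner should take from this. The rewrite happens inside the trusted part of the DBMS before the query is executed, so the user never gets a chance to run the unmodified query; and a `*` projection has to be expanded against the schema first, otherwise there is no column list from which the denied attributes can be removed.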
Inference Problem in MLS/DBMS
- Inference is the process of forming conclusions from premises
- If the conclusions are unauthorized, inference becomes a security problem
- In a multilevel environment the inference problem arises when a user derives data classified above their clearance from data they are cleared to see
- The aggregation problem is a special case of the inference problem: a collection of data elements is Secret while the individual elements are Unclassified
- The association problem: attributes A and B taken together are Secret while individually they are Unclassified

Revisiting Security Constraints
- Simple constraint: the Mission attribute of SHIP is Secret
- Content-based constraint: if relation MISSION contains information about missions in Europe, then MISSION is Secret
- Association-based constraint: Ship's location and mission taken together are Secret; individually each attribute is Unclassified
- Release constraint: after X is released, Y is Secret
- Aggregate constraint: ten or more tuples taken together are Secret
- Dynamic constraint: after the mission, information about the mission is Unclassified
- Logical constraint: A implies B; therefore if B is Secret then A must be at least Secret

Enforcement of Security Constraints
(Architecture figure; components only: User Interface Manager; Constraint Manager holding the Security Constraints; Query Processor; Update Processor; Database Design Tool; MLS/DBMS; MLS Database)
- Query Processor: enforces constraints during query and release operations
- Update Processor: enforces constraints during update operations
- Database Design Tool: enforces constraints during database design

Query Algorithms
- The query is modified according to the constraints
- The release database is examined to see what has already been released
- The query is processed and the response assembled
- The release database is examined again to determine whether the response may be released
- The result is given to the user
- Portions of the query processor are trusted

Update Algorithms
- Certain constraints are examined during the update operation, for example content-based constraints
- The security level of the data is computed from them
- The data is entered at the appropriate level
- Certain parts of the Update Processor are trusted

Database Design Algorithms
- Certain constraints are examined at database design time
  - Example: Simple, Association
    and Logical Constraints
- Schemas are assigned security levels
- The database is partitioned accordingly
- Example: if Ship's location and mission taken together are Secret, then SHIP (S#, Sname) is Unclassified and LOC-MISS (S#, Location, Mission) is Secret
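The three enforcement points from the Query, Update and Database Design Algorithms slides, carried through in one added example. This is Python written for this page, not the MLS/DBMS prototype's code. The constraint types, the ten-tuple aggregate threshold and the SHIP / LOC-MISS partition come from the slides; the MISSION relation and its rows, the predicate "missions in Europe are Secret", the release rule "after Mission is released, Date is Secret", the two-level lattice and the global release database are constructed assumptions.

```python
"""Enforcing MLS security constraints at design, update and query time.
Added example for this lecture, not the MLS/DBMS prototype's own code. The
constraint types, the SHIP / LOC-MISS partition and the 'ten or more tuples'
threshold follow the slides; the MISSION rows, the Europe predicate and the
rule 'after Mission is released, Date is Secret' are constructed instances."""
from collections import namedtuple
from typing import Dict, List, Optional, Set, Tuple

U, S = 0, 1                         # Unclassified < Secret; two levels suffice here

# Constraint types from the slides, as plain records.
ContentConstraint = namedtuple("ContentConstraint", "relation predicate level")
#   if predicate(tuple) holds, the tuple is classified `level`
AssociationConstraint = namedtuple("AssociationConstraint", "relation attrs level new_relation")
#   `attrs` taken together are `level`; the design tool splits them into `new_relation`
ReleaseConstraint = namedtuple("ReleaseConstraint", "relation released then_attr level")
#   once attribute `released` has been released, `then_attr` is `level`
AggregateConstraint = namedtuple("AggregateConstraint", "relation threshold level")
#   `threshold` or more tuples taken together are `level`

def partition_schema(schema: Dict[str, List[str]], key: str,
                     cons: List[AssociationConstraint]) -> Dict[str, Tuple[List[str], int]]:
    """Database design tool: each associated attribute group moves, with the key
    needed to rejoin it, into its own relation at the constraint's level; the
    attributes left behind stay Unclassified."""
    design = {}
    for rel, attrs in schema.items():
        remaining = list(attrs)
        for c in (c for c in cons if c.relation == rel):
            design[c.new_relation] = ([key] + [a for a in attrs if a in c.attrs], c.level)
            remaining = [a for a in remaining if a not in c.attrs]
        design[rel] = (remaining, U)
    return design

class MLSDatabase:
    def __init__(self, content: List[ContentConstraint], release: List[ReleaseConstraint],
                 aggregate: List[AggregateConstraint]):
        self.content, self.release, self.aggregate = content, release, aggregate
        self.rows: Dict[str, List[Tuple[int, dict]]] = {}   # relation -> [(level, tuple)]
        self.release_db: Set[Tuple[str, str]] = set()       # (relation, attribute) already released

    def insert(self, relation: str, row: dict, level: int = U) -> int:
        """Update processor: the stored level is the writer's level, raised by every
        content-based constraint the tuple satisfies."""
        for c in self.content:
            if c.relation == relation and c.predicate(row):
                level = max(level, c.level)
        self.rows.setdefault(relation, []).append((level, row))
        return level

    def query(self, clearance: int, relation: str, attrs: List[str]) -> Optional[List[dict]]:
        """Query processor: drop tuples above the clearance, then classify the response
        as a whole: release constraints are checked against the release database,
        aggregate constraints against the response size. Release only if the user is
        cleared for that level, and record what was released."""
        visible = [row for lvl, row in self.rows.get(relation, []) if lvl <= clearance]
        response_level = U
        for rc in self.release:
            if (rc.relation == relation and rc.then_attr in attrs
                    and (relation, rc.released) in self.release_db):
                response_level = max(response_level, rc.level)
        for ac in self.aggregate:
            if ac.relation == relation and len(visible) >= ac.threshold:
                response_level = max(response_level, ac.level)
        if response_level > clearance:
            return None                                      # response withheld
        self.release_db.update((relation, a) for a in attrs)
        return [{a: row[a] for a in attrs} for row in visible]

def design_example() -> Dict[str, Tuple[List[str], int]]:
    """Slide example: SHIP (S#, Sname) stays Unclassified, LOC-MISS (S#, Location, Mission) is Secret."""
    assoc = [AssociationConstraint("SHIP", ("Location", "Mission"), S, new_relation="LOC-MISS")]
    return partition_schema({"SHIP": ["S#", "Sname", "Location", "Mission"]}, "S#", assoc)

def runtime_example() -> dict:
    db = MLSDatabase([ContentConstraint("MISSION", lambda r: r["Region"] == "Europe", S)],
                     [ReleaseConstraint("MISSION", "Mission", "Date", S)],
                     [AggregateConstraint("MISSION", 10, S)])
    # Constructed rows: three European missions (Secret on insert) and nine others.
    regions = ["Europe"] * 3 + ["Pacific", "Atlantic", "Arctic"] * 3
    levels = [db.insert("MISSION", {"Mission": f"M{i}", "Region": reg, "Date": f"2010-09-{i + 1:02d}"})
              for i, reg in enumerate(regions)]
    first = db.query(U, "MISSION", ["Mission", "Region"])   # nine Unclassified tuples: released
    second = db.query(U, "MISSION", ["Date"])               # Mission already released, so Date is Secret: withheld
    db.insert("MISSION", {"Mission": "M12", "Region": "Indian", "Date": "2010-09-13"})
    third = db.query(U, "MISSION", ["Mission"])             # ten tuples: aggregate constraint, withheld
    secret = db.query(S, "MISSION", ["Mission", "Region"])  # a Secret user receives all 13 tuples
    return {"levels": levels, "first": first, "second": second, "third": third, "secret": secret}

if __name__ == "__main__":
    r = runtime_example()
    print(design_example(), r["levels"], len(r["first"]), r["second"], r["third"], len(r["secret"]))
```

The release database here is deliberately global rather than per user, which is what the MLS reading of the release constraint ("Y is Secret") calls for; under the discretionary reading from the earlier slide ("Y cannot be accessed by John") it would be keyed by user as well. Both `insert` and `query` would live in the trusted parts of the Update and Query Processors that the slides mention, since a bypass of either defeats the constraints entirely.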