Download 07statisticalDB - Emory Math/CS Department

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
Document related concepts

Microsoft Access wikipedia , lookup

Open Database Connectivity wikipedia , lookup

Entity–attribute–value model wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Concurrency control wikipedia , lookup

Database wikipedia , lookup

Functional Database Model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

ContactPoint wikipedia , lookup

Versant Object Database wikipedia , lookup

Clusterpoint wikipedia , lookup

Relational model wikipedia , lookup

Database model wikipedia , lookup

Transcript 
Security Control Methods for
Statistical Database
Li Xiong
CS573 Data Privacy and Security
Statistical Database
 A statistical database is a database which
provides statistics on subsets of records
 OLAP vs. OLTP
 Statistics may be performed to compute SUM,
MEAN, MEDIAN, COUNT, MAX AND MIN of
records
Types of Statistical Databases
 Static – a static
 Dynamic – changes
database is made
once and never
changes
continuously to reflect
real-time data
 Example: most online
 Example: U.S. Census
research databases
Types of Statistical Databases
 Centralized – one
database
 General purpose –
like census
 Decentralized –
multiple decentralized
databases
 Special purpose –
like bank, hospital,
academia, etc
Access Restriction
 Databases normally have different access levels for
different types of users
 User ID and passwords are the most common methods
for restricting access

In a medical database:
 Doctors/Healthcare Representative – full access to
information
 Researchers – only access to partial information (e.g.
aggregate information)
 Statistical database: allow query access only to
aggregate data, not individual records
Accuracy vs. Confidentiality
Accuracy –
Researchers want to
extract accurate and
meaningful data
Confidentiality –
Patients, laws and
database
administrators want
to maintain the
privacy of patients
and the
confidentiality of
their information
Data Compromise
 Exact compromise – a user is able to determine the




exact value of a sensitive attribute of an individual
Partial compromise – a user is able to obtain an
estimator for a sensitive attribute with a bounded
variance
Positive compromise – determine an attribute has a
particular value
Negative compromise – determine an attribute does not
have a particular value
Relative compromise – determine the ranking of some
confidential values
Security Methods
 Query restriction
 Data perturbation/anonymization
 Output perturbation
Comparison
 Query restriction techniques cannot avoid
inference, but they accurate response to valid
queries.
 Data perturbation techniques can prevent
inference, but they cannot consistently
provide useful query results.
 Output perturbation has low storage and
computational overhead, however, is subject
to the inference (averaging effect) and
inaccurate results .
Statistical database vs. data
anonymization
 Data anonymization is one technique that can
be used to build statistical database
 Data anonymiztion can be used to release
data for other purposes such as mining
 Other techniques such as query restriction
and output purterbation can be used to build
statistical database
Evaluation Criteria
 Security – level of protection
 Statistical quality of information – data utility
 Cost
 Suitability to numerical and/or categorical
attributes
 Suitability to multiple confidential attributes
 Suitability to dynamic statistical DBs
Security
 Exact compromise – a user is able to
determine the exact value of a sensitive
attribute of an individual
 Partial compromise – a user is able to obtain
an estimator for a sensitive attribute with a
bounded variance
 Statistical disclosure control – require a large
number of queries to obtain a small variance
of the estimator
Statistical Quality of Information
 Bias – difference between the unperturbed
statistic and the expected value of its
perturbed estimate
 Precision – variance of the estimators
obtained by users
 Consistency – lack of contradictions and
paradoxes


Contradictions: different responses to same
query; average differs from sum/count
Paradox: negative count
Cost
 Implementation cost
 Processing overhead
 Amount of education required to enable users
to understand the method and make effective
use of the SDB
Security Methods
 Query set restriction



Query size control
Query set overlap control
Query auditing
 Data perturbation/anonymization
 Output perturbation
Query Set Size Control
 A query-set size control limit the number of
records that must be in the result set
 Allows the query results to be displayed only
if the size of the query set |C| satisfies the
condition
K <= |C| <= L – K
where L is the size of the database and K is a
parameter that satisfies 0 <= K <= L/2
Query Set Size Control
Query 2
Query 1
Original
Database
Query 1
Results
K
Query
Results
Query 2
Results
K
Query
Results
Tracker
 Q1: Count ( Sex = Female ) = A
 Q2: Count ( Sex = Female OR
(Age = 42 & Sex = Male & Employer = ABC) ) = B
If B = A+1
 Q3: Count ( Sex = Female OR
(Age = 42 & Sex = Male & Employer = ABC) &
Diagnosis = Schizophrenia)
Positively or negatively compromised!
Query set size control
 With query set size control the database can be
easily compromised within a frame of 4-5
queries
 For query set control, if the threshold value k is
large, then it will restrict too many queries
 And still does not guarantee protection from
compromise
Query Set Overlap Control
 Basic idea: successive queries must be checked
against the number of common records.
 If the number of common records in any query
exceeds a given threshold, the requested
statistic is not released.
 A query q(C) is only allowed if:
|X (C) X (D) | ≤ r, r > 0
Where α is set by the administrator
 Number of queries needed for a compromise
has a lower bound 1 + (K-1)/r
Query-set-overlap control
 Ineffective for cooperation of several users
 Statistics for a set and its subset cannot be
released – limiting usefulness
 Need to keep user profile
 High processing overhead – every new query
compared with all previous ones
Auditing
 Keeping up-to-date logs of all queries made
by each user and check for possible
compromise when a new query is issued
 Excessive computation and storage
requirements
 “Efficient” methods for special types of
queries
Audit Expert (Chin 1982)
 Query auditing method for SUM queries
 A SUM query can be considered as a linear equation
where
is whether record i belongs to the query set, xi
is the sensitive value, and q is the query result
 A set of SUM queries can be thought of as a system of
linear equations
 Maintains the binary matrix representing linearly
independent queries and update it when a new query is
issued
 A row with all 0s except for ith column indicates disclosure
Audit Expert
 Only stores linearly independent queries
 Not all queries are linearly independent
Q1: Sum(Sex=M)
Q2: Sum(Sex=M AND Age>20)
Q3: Sum(Sex=M AND Age<=20)
Audit Expert
 O(L2)
time complexity
 Further work reduced to O(L) time and
space when number of queries < L
 Only for SUM queries
 No restrictions on query set size
 Maximizing non-confidential information
is NP-complete
Auditing – recent developments
 Online auditing


“Detect and deny” queries that violate privacy
requirement
Denial themselves may implicitly disclose
sensitive information
 Offline auditing


Check if a privacy requirement has been
violated after the queries have been executed
Not to prevent
Security Methods
 Query set restriction
 Data perturbation/anonymization




Partitioning
Cell suppression
Microaggregation
Data perturbation
 Output perturbation
Partitioning
 Cluster individual entities into mutually
exclusive subsets, called atomic populations
 The statistics of these atomic populations
constitute the materials
Microaggregation
su
lts
Re
Qu
e
ry
User
Original
Data
Averaged
Microaggregated
Data
Data Perturbation
User 1
Re
su
lts
Qu
e
ry
Noise Added
Original
Database
Perturbed
Database
Re
ue
Q
su
lts
ry
User 2
Security Methods
 Query set restriction
 Data perturbation/anonymization
 Output perturbation



Sampling
Varying output perturbation
Rounding
Output Perturbation
 Instead of the raw data being transformed as in
Data Perturbation, only the output or query
results are perturbed
 The bias problem is less severe than with data
perturbation
Output Perturbation
ry
e
u
Q
Query
User 1
Results
su
Re
lts
Noise Added
to Results
Original
Database
Re
Query
Q
ue
sul
ts
Results
ry
User 2
Random Sampling
 Only a sample of the query set (records meeting
the requirements of the query) are used to
compute and estimate the statistics
 Must maintain consistency by giving exact same
results to the same query
 Weakness - Logical equivalent queries can
result in a different query set – consistency issue
Varying output perturbation
 Apply perturbation on the query set
 Less bias than data perturbation
Some Comparisons
Method
1
Security
Richness of
Information
Costs
Query-set-size control
Low
Low1
Low
Query-set-overlap
control
Low
Low
High
Auditing
Moderate-Low
Moderate
High
Partitioning
Moderate-low
Moderate-low
Low
Microaggregation
Moderate
Moderate
Moderate
Data Perturbation
High
High-Moderate
Low
Varying Output
Perturbation
Moderate
Moderate-low
Low
Sampling
Moderate
Moderate-Low
Moderate
Quality is low because a lot of information can be eliminated if the query does not meet the
requirements
Sources
 Partial slides:
http://www.cs.jmu.edu/users/aboutams
 Adam, Nabil R. ; Wortmann, John C.; SecurityControl Methods for Statistical Databases: A
Comparative Study; ACM Computing Surveys, Vol.
21, No. 4, December 1989
 Fung et al. Privacy Preserving Data Publishing: A
Survey of Recent Development, ACM Computing
Surveys, in press, 2009
Related documents
The Gaian Database: a Dynamic Distributed Federated Database
The Gaian Database: a Dynamic Distributed Federated Database
Introduction to MS Access - San Francisco State University
Introduction to MS Access - San Francisco State University
Introduction to MS Access - San Francisco State University
Introduction to MS Access - San Francisco State University
Access1
Access1
CSE 510 Database Management System Implementation
CSE 510 Database Management System Implementation
Spreadsheet Internet Hunt
Spreadsheet Internet Hunt
Database Intro Test
Database Intro Test
VizDB
VizDB
6.897 Advanced Data Structures (Spring`05) Prof. Erik Demaine
6.897 Advanced Data Structures (Spring`05) Prof. Erik Demaine
A parallel database system seeks to improve performance through
A parallel database system seeks to improve performance through
Eg, s balance
Eg, s balance
Advanced Database Systems
Advanced Database Systems
Wed., February 7, 11 AM, 535 Mudd
Wed., February 7, 11 AM, 535 Mudd