Simulatable Binding: Beyond Simulatable Auditing

A fundamental problem in online query auditing is that an outside attacker may compromise database privacy by exploiting the sequence of query responses together with the information flow from the database state to the auditing decision. Kenthapadi et al. [14] proposed the simulatable auditing model to solve this problem in a way that completely blocks the aforementioned information flow. However, this security does not come for free: the simulatable auditing model suffers from unnecessary loss of data utility. We assert that, in order to guarantee database privacy, blocking the information flow from the true database state to the auditing decision is sufficient but far from necessary. To limit the loss in data utility, we suggest an alternative approach that controls, rather than blocks, such information flow. To this end, we introduce a new model, called simulatable binding, in which the information flow from the true database state to the auditing decision is provably controlled by a selected safe binding. We prove that the proposed simulatable binding model provides a sufficient and necessary condition for guaranteeing database privacy, and therefore algorithms based on our model provide better data utility than algorithms based on the simulatable auditing model. To demonstrate the strength and practicality of our model, we provide two efficient algorithms, for max query and sum query auditing respectively. For ease of comparison, each algorithm is built by applying our simulatable binding model and is compared to an algorithm applying the simulatable auditing model. Clear improvements are shown through experiments.
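The leak the abstract refers to, as an added illustration that is not code from the paper: a toy max-query auditor over a constructed three-entry database whose denial decision depends on the true data, so an attacker who can replay the auditor's rule learns x0 from the denial alone, next to a simulatable auditor that decides from the transcript only. The domain, database and prior transcript are constructed; the simulatable binding algorithms themselves are not reproduced here.

```python
from itertools import product

# Constructed toy setting: n entries, each from a small integer domain, so
# every candidate database consistent with a transcript can be enumerated.
DOMAIN = (1, 2, 3)

def consistent_dbs(transcript, n, domain=DOMAIN):
    """All databases in domain^n agreeing with every (query, max-answer) pair."""
    return [db for db in product(domain, repeat=n)
            if all(max(db[i] for i in q) == a for q, a in transcript)]

def pinned_values(dbs, n):
    """Entries whose value is the same in every candidate database."""
    if not dbs:
        return {}
    return {i: dbs[0][i] for i in range(n) if len({db[i] for db in dbs}) == 1}

def naive_max_auditor(db, history, query, domain=DOMAIN):
    """Data-dependent auditor: computes the true answer and denies only if
    releasing it would pin down an entry. The decision itself depends on db."""
    answer = max(db[i] for i in query)
    transcript = history + [(query, answer)]
    if pinned_values(consistent_dbs(transcript, len(db), domain), len(db)):
        return None  # denied
    return answer

def simulatable_max_auditor(history, query, n, domain=DOMAIN):
    """Simulatable auditor: denies if the answer would pin down an entry on
    *any* database consistent with the history. It never reads the true
    database, so replaying its decision tells the attacker nothing; the
    price is more denials (e.g. a fresh max query in this finite domain)."""
    for db in consistent_dbs(history, n, domain):
        transcript = history + [(query, max(db[i] for i in query))]
        if pinned_values(consistent_dbs(transcript, n, domain), n):
            return True  # deny
    return False  # safe to answer on every consistent database

def leak_from_naive_decision(history, query, n, denied, domain=DOMAIN):
    """What an attacker who knows the naive rule learns from merely observing
    whether the naive auditor denied `query`: entries pinned across all
    candidate databases on which the naive auditor makes the same decision."""
    cands = [db for db in consistent_dbs(history, n, domain)
             if (naive_max_auditor(db, history, query, domain) is None) == denied]
    return pinned_values(cands, n)

if __name__ == "__main__":
    history = [({0, 1, 2}, 3)]  # constructed prior transcript: max(x0,x1,x2) = 3
    print(naive_max_auditor((3, 1, 2), history, {1, 2}))       # None: denied
    print(leak_from_naive_decision(history, {1, 2}, 3, True))  # {0: 3}
    print(simulatable_max_auditor(history, {1, 2}, 3))         # True
```

The denial by the naive auditor happens exactly when max(x1, x2) < 3, which is why observing it pins x0 = 3; the simulatable auditor returns the same decision for every database consistent with the transcript, so the decision carries no information about the true one.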

[1] Nabil R. Adam et al. Security-control methods for statistical databases: a comparative study, 1989, CSUR.

[2] S. L. Warner et al. Randomized response: a survey technique for eliminating evasive answer bias, 1965, Journal of the American Statistical Association.

[3] Sushil Jajodia et al. Auditing Interval-Based Inference, 2002, CAiSE.

[4] Cynthia Dwork et al. Practical privacy: the SuLQ framework, 2005, PODS.

[5] Joachim Biskup et al. Controlled Query Evaluation for Known Policies by Combining Lying and Refusal, 2004, Annals of Mathematics and Artificial Intelligence.

[6] Francis Y. L. Chin et al. Security problems on inference control for SUM, MAX, and MIN queries, 1986, JACM.

[7] Alexandre V. Evfimievski et al. Limiting privacy breaches in privacy preserving data mining, 2003, PODS.

[8] Richard J. Lipton et al. Secure databases: protection against user influence, 1979, TODS.

[9] Christos Faloutsos et al. Auditing Compliance with a Hippocratic Database, 2004, VLDB.

[10] Rajeev Motwani et al. Towards robustness in query auditing, 2006, VLDB.

[11] Steven P. Reiss. Security in Databases: A Combinatorial Study, 1979, JACM.

[12] Irit Dinur et al. Revealing information while preserving privacy, 2003, PODS.

[13] Matthew Franklin et al. Advances in Cryptology – CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[14] Gultekin Özsoyoglu et al. Auditing for secure statistical databases, 1981, ACM '81.

[15] Ramakrishnan Srikant et al. Privacy preserving OLAP, 2005, SIGMOD '05.

[16] Nina Mishra et al. Simulatable auditing, 2005, PODS.

[17] Cynthia Dwork et al. Privacy-Preserving Datamining on Vertically Partitioned Databases, 2004, CRYPTO.

[18] Jeffrey D. Ullman et al. A model of statistical database their security, 1977, TODS.

[19] Jon M. Kleinberg et al. Auditing Boolean attributes, 2003, J. Comput. Syst. Sci.

[20] Rakesh Agrawal et al. Privacy-preserving data mining, 2000, SIGMOD 2000.

[21] Nina Mishra et al. Privacy via pseudorandom sketches, 2006, PODS.