Protecting databases from inference attacks

This paper presents a model of database inference and a taxonomy of inference detection approaches. The Merlin inference detection system is presented as an example of an automated inference analysis tool that can assess inference vulnerabilities using the schema of a relational database. A manual inference penetration approach is then offered as a means of detecting inferences that involve instances of data or characteristics of groups of instances. These two approaches are offered as practical approaches that can be applied today to address the database inference problem. The final section discusses future directions in database inference research.

[1]  R. Cranley,et al.  Multivariate Analysis—Methods and Applications , 1985 .

[2]  Peter D. Karp,et al.  Detection and elimination of inference channels in multilevel relational database systems , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  Leonard J. Binns Implementation Considerations for Inference Detection: Intended vs. Actual Classification , 1993, DBSec.

[4]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[5]  Leoan J. Buczkowski Database Inference Controller , 1989, Database Security.

[6]  Jeffrey D. Ullman,et al.  Principles of Database and Knowledge-Base Systems, Volume II , 1988, Principles of computer science series.

[7]  Ramez Elmasri,et al.  Fundamentals of Database Systems , 1989 .

[8]  Dorothy E. Denning,et al.  The SeaView security model , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[9]  Matthew Morgenstern,et al.  Controlling logical inference in multilevel database systems , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[10]  Randall P. Wolf,et al.  A Framework for Inference-Directed Data Mining , 1996, DBSec.

[11]  P. S. Tasker,et al.  DEPARTMENT OF DEFENSE TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA , 1985 .

[12]  Jeffrey D. Ullman,et al.  Principles of database and knowledge-base systems, Vol. I , 1988 .

[13]  Harry S. Delugach,et al.  Layered Knowledge Chunks for Database Inference , 1993, DBSec.

[14]  Thomas H. Hinke,et al.  Inference aggregation detection in database management systems , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[15]  Ivar Jacobson,et al.  The unified modeling language reference manual , 2010 .

[16]  Harry S. Delugach,et al.  A Fast Algorithm for Detecting Second Paths in Database Inference Analysis , 1995, J. Comput. Secur..

[17]  Jeffrey D. Ullman,et al.  Principles Of Database And Knowledge-Base Systems , 1979 .

[18]  Leonard J. Binns Inference Through Secondary Path Analysis , 1993, DBSec.

[19]  Peter P. Chen The entity-relationship model: toward a unified view of data , 1975, VLDB '75.

[20]  Matthew Morgenstern,et al.  Security and inference in multilevel database and knowledge-base systems , 1987, SIGMOD '87.

[21]  Harry S. Delugach,et al.  Aerie: An Inference Modeling and Detection Approach for Databases , 1993, DBSec.

[22]  Sujeet Shenoi,et al.  A Tool for Inference Detection and Knowledge Discovery in Databases , 1995, DBSec.

[23]  John E. Dobson,et al.  Database security IX: Status and prospects , 1996 .

[24]  Thomas H. Hinke,et al.  Database Inference Engine Design Approach , 1988, DBSec.

[25]  Peter J. Denning,et al.  The tracker: a threat to statistical database security , 1979, TODS.

[26]  Gultekin Özsoyoglu,et al.  Multivalued Dependency Inferences in Multilevel Relational Database Systems , 1989, DBSec.

[27]  S. Jajodia,et al.  Information Security: An Integrated Collection of Essays , 1994 .

[28]  Teresa F. Lunt,et al.  Toward a multilevel relational data language , 1988, [Proceedings 1988] Fourth Aerospace Computer Security Applications.