trustworthy insights into small details of the data, such as outliers. The methods
we shall introduce do not perturb data, so any answer will always be precise
and trustworthy.
Secure multi-party data mining allows multiple mutually distrusting parties to
cooperatively compute aggregations over each other's data [31, 14]. Cryptographic
protocols enable each party to obtain the final result with minimal disclosure
of its own data. This problem is different from inference control, because
the threat of inferences comes from what users know, not from the way they
know it. The k-anonymity model enables sensitive values to be released without
threatening privacy [24, 36]. Each record is indistinguishable from at least
k − 1 others because they all have exactly the same identifying attribute values.
An adversary can link an individual in the physical world to at least (the
sensitive values of) k records, which is considered a tolerable privacy threat.
Inference control and the k-anonymity model can be considered as dual
approaches. The information theoretic approach in [22] formally characterizes
insecure queries as those that give a user more confidence in guessing
possible records [22]. However, such a perfect-secrecy metric will not tolerate
any partial disclosure, such as those caused by aggregations.
3 Security Requirements
In this section, we first demonstrate the threat of indirect inferences in OLAP
systems. We then describe various requirements in designing security measures
for such systems.
3.1 The Threat of Inferences
Unlike in traditional databases where unauthorized accesses are the main
security concern, an adversary using an OLAP system can more easily infer
prohibited data from answers to legitimate queries. Example 1 illustrates a
one-dimensional (or 1-d for short) inference, where the sensitive cell is inferred
using exactly one of its descendants.
Example 1 (1-d Inference). In Figure 1, suppose an adversary is prohibited
from accessing the cuboid ⟨quarter, employee⟩ but is allowed to access its
descendant ⟨quarter, department⟩. Further suppose the empty cells denote
the values that the adversary already knows through outbound channels. The
adversary can then infer ⟨Q5, Bob⟩ as exactly the same value in ⟨Q5, Book⟩
(that is, 3500).
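The 1-d inference of Example 1 as an added Python example (not code from the chapter): a constructed ⟨quarter, employee⟩ cube is aggregated with SUM into its ⟨quarter, department⟩ descendant, and every descendant cell whose group contains exactly one cell the adversary does not already know is flagged, since answering it discloses that prohibited cell exactly. Figure 1 is not reproduced here, so the cell values, the employee-to-department mapping and the set of already-known ("empty") cells are constructed.

```python
from collections import defaultdict

# Constructed data (assumption, not Figure 1). The prohibited cuboid is
# <quarter, employee>; each employee belongs to one department, so
# <quarter, department> is a descendant cuboid the adversary may query.
DEPARTMENT = {"Alice": "Book", "Bob": "Book", "Carol": "Toy", "Dave": "Toy"}
SALES = {  # <quarter, employee> -> sensitive value
    ("Q5", "Alice"): 0,   ("Q5", "Bob"): 3500,
    ("Q5", "Carol"): 1200, ("Q5", "Dave"): 800,
    ("Q6", "Alice"): 900, ("Q6", "Bob"): 2100,
    ("Q6", "Carol"): 0,   ("Q6", "Dave"): 1500,
}
# "Empty" cells: values the adversary already knows through outbound channels.
KNOWN = {("Q5", "Alice"), ("Q6", "Carol")}


def descendant_groups(cells):
    """Map each <quarter, department> cell to the <quarter, employee> cells
    that its SUM aggregates."""
    groups = defaultdict(list)
    for quarter, employee in cells:
        groups[(quarter, DEPARTMENT[employee])].append((quarter, employee))
    return groups


def find_1d_inferences(cells, known):
    """Return {descendant cell: (disclosed prohibited cell, its value)}.
    A descendant SUM over a group with exactly one not-yet-known cell is a
    1-d inference: the adversary subtracts the known cells from the SUM."""
    leaks = {}
    for desc, members in descendant_groups(cells).items():
        unknown = [m for m in members if m not in known]
        if len(unknown) == 1:
            total = sum(cells[m] for m in members)
            known_part = sum(cells[m] for m in members if m in known)
            leaks[desc] = (unknown[0], total - known_part)
    return leaks


def safe_descendant_answers(cells, known):
    """Answer the descendant cuboid but withhold (None) every cell that would
    cause a 1-d inference; all other cells are returned exactly, unperturbed."""
    leaks = find_1d_inferences(cells, known)
    return {desc: None if desc in leaks else sum(cells[m] for m in members)
            for desc, members in descendant_groups(cells).items()}
```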
A multi-dimensional (or m-d) inference is the complementary case of a 1-d
inference. That is, a cell is inferred using two or more of its descendants, and
none of those descendants causes a 1-d inference on its own. Example 2 illustrates an
m-d inference in a two-dimensional SUM-only data cube. Examples 3 and 4
illustrate m-d inferences with MAX-only, and with SUM, MAX, and MIN.