Databases Reference
In-Depth Information
Example 2 (m-d Inferences with SUM).
Suppose now an adversary is prohib-
ited from accessing the core cuboid in Figure 1 but is allowed to access its
descendants
. The adversary can
no longer employ any 1-d inference to infer data in the first year, because
each cell in
quarter, department
and
year, employee
has at least two an-
cestors in the core cuboid. However, an m-d inference is possible as follows.
the adversary first sums the two cells
quarter, department
and
year, employee
Y
1
,Bob
and
Y
1
,Alice
in the cuboid
year, employee
and then subtracts from the result (that is, 18500) the two
cells
Q
2
, Book
and
Q
3
, Book
(that is, 11000). The final result yields a
sensitive cell
Q
1
,Bob
as 1500.
Example 3 (m-d Inferences with MAX).
Suppose now an adversary is pre-
vented from knowing the values in the empty cells. The core cuboid then seems
to the adversary full of unknown values. As we shall show later, such a data
cube will be free of inferences if the aggregation function is SUM. However,
the following m-d inference is possible with MAXs. The MAX values in cells
are 6400 and 6000, respectively. From those
two values the adversary can infer that one of the three cells
Y
1
, Mallory
and
Q
4
, Book
Q
1
, Mallory
,
Q
2
, Mallory
,and
Q
3
, Mallory
must be 6400, because
Q
4
, Mallory
must
be no greater than 6000. Similarly, an adversary infers neither
Q
2
, Mallory
and
Q
3
, Mallory
can be 6400. The sensitive cell
Q
1
, Mallory
is then suc-
cessfully inferred as 6400.
Example 4 (Inferences with SUM, MAX and MIN).
Now suppose an adversary
can ask queries using SUM, MAX, and MIN on the data cube. Following
Example 3,
Q
1
, Mallory
is 6400. The MAX, MIN, and SUM values of the cell
are 6400,6000, and 12400, respectively. From those three values
the adversary can infer the following. That is,
Y
1
, Mallory
Q
2
, Mallory
,
Q
3
, Mallory
,
and
must be 6000 and two zeroes, although he/she does not
know exactly which is 6000 and which are zeroes. The MAX,MIN, and SUM
values of
Q
4
, Mallory
Q
2
, Book
,
Q
3
, Book
and
Q
4
, Book
then tell the adversary the
following facts. In
, two cells in
Q
2 are 1500 and 4500;
those in
Q
3 are 5500 and 5500; those in
Q
4 are 3000 and 6000; and the rest
are all zeroes. The adversary then concludes that
quarter, employee
must be 6000,
because the values in
Q
3and
Q
2 cannot be. Similarly, the adversary can infer
Q
4
, Mallory
Q
4
,Jim
as 3000, and consequently infer all cells in
quarter, employee
.
3.2 The Requirements
As illustrated in above examples, a security solution for OLAP systems must
combine access control and inference control to remove security threats. At
the same time, providing security should not adversely reduce the usefulness
of data warehouses and OLAP systems. A practical solution must achieve a
balance among following objectives.
