Databases Reference
In-Depth Information
[Figure 5, diagram not reproduced. Application query #11 @ T15: select x.name, y.diagnosis from Patient x, Treatment y where x.pid=y.pid and x.state='CA'. Audit expression: audit y.diagnosis from Patient x, Treatment y where x.pid=y.pid and x.name='Adam'. Each is parsed into a QGM, and from these the audit query is generated over the Patient and Treatment backlog tables @ T15.]
Fig. 5. Audit Query Generation
In addition to the flexibility and efficiency benefits, HDB auditing has
an additional advantage over existing auditing approaches in that it captures
information revealed by a query that may not be reflected in the query results.
For example, the query “Select 'yes' if employee 'Adam' has a diagnosis =
diabetes” would output only the word “yes” in the result, but actually reveal
information about Adam's diagnosis to the user. The same is true for queries
that aggregate values from the records accessed. In contrast, an HDB audit
would reveal all information accessed by the query.
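A simplified sketch of this point, added here as an illustration and not taken from the book or from the HDB implementation: the audit conjoins each logged query's predicate with the audit expression's predicate and flags the query if any row satisfies both, so the 'yes' query is caught even though its result contains no diagnosis. Assumptions: the sample rows, queries #12 to #14, the function names, an in-memory SQLite database standing in for the backlog tables at query time, and a textual check that the query references the audited column.

```python
import sqlite3

FROM = "Patient x, Treatment y"
# Audit expression from Fig. 5: audit y.diagnosis ... where x.pid=y.pid and x.name='Adam'
AUDIT_COLUMN = "y.diagnosis"
AUDIT_WHERE = "x.pid=y.pid and x.name='Adam'"

# Constructed query log: id -> (select list, where clause). Only #11 is from Fig. 5.
QUERY_LOG = {
    "#11": ("x.name, y.diagnosis", "x.pid=y.pid and x.state='CA'"),
    "#12": ("'yes'", "x.pid=y.pid and x.name='Adam' and y.diagnosis='diabetes'"),
    "#13": ("x.name, y.diagnosis", "x.pid=y.pid and x.state='NY'"),
    "#14": ("x.name", "x.pid=y.pid and x.state='CA'"),
}

def make_db():
    """Constructed sample data; stands in for the backlog state at query time."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Patient(pid INTEGER PRIMARY KEY, name TEXT, state TEXT);
        CREATE TABLE Treatment(pid INTEGER, diagnosis TEXT);
        INSERT INTO Patient VALUES (1, 'Adam', 'CA'), (2, 'Beth', 'NY');
        INSERT INTO Treatment VALUES (1, 'diabetes'), (2, 'asthma');
    """)
    return db

def run_query(db, qid):
    """Rows the user actually saw. Log entries here are trusted constants."""
    select_list, where = QUERY_LOG[qid]
    return db.execute(f"SELECT {select_list} FROM {FROM} WHERE {where}").fetchall()

def suspicious(db, qid):
    """Audit query: does the logged query read the audited column for a row
    that also satisfies the audit expression?"""
    select_list, where = QUERY_LOG[qid]
    if AUDIT_COLUMN not in select_list + " " + where:  # assumed column check
        return False
    audit_sql = (f"SELECT 1 FROM {FROM} "
                 f"WHERE ({where}) AND ({AUDIT_WHERE}) LIMIT 1")
    return db.execute(audit_sql).fetchone() is not None

def audit(db):
    """Ids of all logged queries flagged by the audit expression."""
    return sorted(q for q in QUERY_LOG if suspicious(db, q))

if __name__ == "__main__":
    db = make_db()
    print(run_query(db, "#12"))  # result set holds only the literal
    print(audit(db))             # flagged query ids
```

Inspecting result sets alone would pass query #12, because the value 'diabetes' never appears in what it returns.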
Additional research has explored auditing batches of SQL queries to
determine whether the queries are suspicious with regard to unauthorized views
of the data [10]. Beyond the notions of suspiciousness discussed above, this
work also considers database instance independent notions of syntactic
suspiciousness wherein the suspiciousness of the batch of queries is determined
without the underlying database.
Auditing Disclosure by Relevance Ranking. Query ranking is an
extension of HDB auditing that assists in tracking the origin of information
after it has been leaked or misappropriated from a database. This auditing
system ranks queries that accessed the data in accordance with the relevance
of each query as the source of the improper disclosure [11]. The system uses a