Authors: Azhar Rauf, Sareer Badshah, Shah Khusro

Abstract:

This paper analyzes different techniques of the fine grained security of relational databases for the two variables-data accessibility and inference. Data accessibility measures the amount of data available to the users after applying a security technique on a table. Inference is the proportion of information leakage after suppressing a cell containing secret data. A row containing a secret cell which is suppressed can become a security threat if an intruder generates useful information from the related visible information of the same row. This paper measures data accessibility and inference associated with row, cell, and column level security techniques. Cell level security offers greatest data accessibility as it suppresses secret data only. But on the other hand, there is a high probability of inference in cell level security. Row and column level security techniques have least data accessibility and inference. This paper introduces cell plus innocent security technique that utilizes the cell level security method but suppresses some innocent data to dodge an intruder that a suppressed cell may not necessarily contain secret data. Four variations of the technique namely cell plus innocent 1/4, cell plus innocent 2/4, cell plus innocent 3/4, and cell plus innocent 4/4 respectively have been introduced to suppress innocent data equal to 1/4, 2/4, 3/4, and 4/4 percent of the true secret data inside the database. Results show that the new technique offers better control over data accessibility and inference as compared to the state-of-theart security techniques. This paper further discusses the combination of techniques together to be used. The paper shows that cell plus innocent 1/4, 2/4, and 3/4 techniques can be used as a replacement for the cell level security.

Keywords: Fine Grained Security, Data Accessibility, Inference, Row, Cell, Column Level Security.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1071730

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1428

References:

[1] Oracle Virtual Private Database. "An Oracle Database 10g Release 2 White Paper", June 2005.
[2] Art Rask, Don Rubin, Bill Neumann. "Implementing Row and Cell Level Security in Classified Databases Using SQL Server 2005", MS SQL Server Technical Center, April 2005.
[3] Darryl "SQL Server 2005 Label Security Toolkit," Published November 16, 2006. URL: http://blogs.msdn.com/publicsector/archive/2006/11/16/sql-server-2005- label-security-toolkit.aspx
[4] "A Tradeoff Analysis between Data Accessibility and Inference Control for Row, Column, and Cell Level Security in Relational Databases," Azhar Rauf / Carol Keene, Bo I. Sanden, Elaine Waybright. Doctoral Thesis Published in January 2007 by Colorado Technical University.
[5] Dieter Gollmann, Computer Security, Copyright 1999 by John Wilsey and Sons Ltd., ISBN 0 471 97844 2
[6] Teresa F. Lunt, Dorothy E. Denning, Roger R. Schell, Mark Heckman, William R. Shockley, "The SeaView Security Model," IEEE Transactions on Software Engineering. VOL 16, NO 6. June 1990
[7] D. E. Denning. "A Preliminary Note on the Inference Problem in Multilevel Database Management Systems," In Proceedings of the National Computer Security Center Invitational Workshop on Database Security, June 1986
[8] Mathew Morgenstern, "Security and Inference in Multilevel Database and Knowledge-Base Systems," ACM 1987
[9] T. Su. Inferences in Database. Ph.D. Dissertation, Department of Computer Engineering and Science, Case Western Reserve University, August 1986
[10] T. Su and G. Ozsoyogiu. "Data Dependencies and Inference Control in Multilevel Relational Database Systems." In Proceedings of the IEEE Symposium on Security and Privacy, pp. 202-211, April 1987
[11] T. Su and G. Ozsoyoglu. "Multi-valued Dependency Inferences in Multilevel Relational Database Systems," In Database Security III: Status and Prospects, eds. D.L. Spooner and C. Landwehr, pp. 293-300, NorthHolland, Amsterdam, 1990
[12] C. Meadows and S. Jajodia. "Integrity Versus Security in Multi-Level Secure Databases." In Database Security: Status and Prospects, ed. Carl E. Landwehr, NorthHolland, Amsterdam, pp. 89-101, 1988
[13] Pierangela Samarati, "Protecting Respondents- Identities in Microdata Release," IEEE Trans. Knowl. Data Eng. 13(6): pp. 1010-1027 (2001).
[14] Kristen LeFevre, David J. DeWitt, Raghu Ramakrishnan, "Incognito: Efficient Full-Domain K-Anonymity", SIGMOD Conference 2005:pp. 49-60
[15] Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke, Muthuramakrishnan Venkitasubramaniam, "L-diversity: Privacy beyond k-anonymity," TKDD 1(1): (2007)
[16] T. F. Keefe, M.B. Thuraisingham, and W.T. Tsai. "Secure Query Processing Strategies." In IEEE Computer. Vo. 22, #3, pages 63-70, March 1989
[17] M.B. Thuraisingham. "Security Checking in Relational Database Management Systems Augmented with Inference Engines," In Computers and Security, Vol. 6, pp. 479-492, 1987
[18] M.B. Thuraisingham, W. Tsai, and T. Keefe. "Secure Query Processing Using AI Techniques." In Proceedings of the Hawaii International Conference on Systems Sciences. January 1988
[19] M.B. Thuraisingham. "Towards the Design of a Secure Data/Knowledgebase Management System," In Data and Knowledge Engineering Journal. Vol. 5, #1, March 1990
[20] J.T. Haigh, R.C. O-Brien, P.D. Stachour, and D.L. Toups. "The LDV Approach to Security." In Database Security, III: Status and Prospects, ed. D.L. Spooner and C. Landwehr, North-Holland, Amsterdam, pp. 323-339, 1990
[21] J.T. Haigh, R.C. O-Brien, and D.J. Thompson. "The LDV secure relational DBMS model". In S. Jajodia and C Lawnwehr, editors, Database Security IV: Status and Prospects, pages 265-279. North Holland, 1991
[22] L.J. Buczkowski, and E.L. Perry. "Database Inference Controller Draft Top-Level Design." Ford Aerospace, July 1989
[23] S. Jajodia. "Aggregation and Inference Problems in Multilevel Secure Systems," In Proceedings of the 5th Rome Laboratory Database Security Workshop, June 1992
[24] L. S. Cox, S. McDonald, and D. Nelson. "Confidentiality Issues at the United States Bureau of the Census." In Journal of Official Statistics, Vol 2, No. 2, pp. 135-160, 1986
[25] L. S. Cox. "Practices of the Bureau of the Census with the Disclosure of Anonymized Microdata." In Forum der Bundesstatistik, pp. 26-42, 1987
[26] L. S. Cox. "Modeling and Controlling User Interface." In Database Security: Status and Prospects, ed. Carl E. Landwehr, North-Holland, Amsterdam, pp. 167-171, 1988
[27] D. E. Denning. "Cryptography and Data Security," Addison-Wesley, Reading, MA, 1982
[28] T.H. Hinke. "Inference Aggregation Detection in Database Management Systems." In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 96-106, April 1988
[29] NCSC (National Computer Security Center) Technical Report, Volume 1/5, Library No. S-243,039, May 1996
[30] Transaction Processing Performance Council (TPC) Benchmark TM-H, Decision Support Standard Specification Revision 2.3.0, 1993-2005.