A Comparative Study of Fine Grained Security Techniques Based on Data Accessibility and Inference
This paper analyzes different techniques of the fine grained security of relational databases for the two variables-data accessibility and inference. Data accessibility measures the amount of data available to the users after applying a security technique on a table. Inference is the proportion of information leakage after suppressing a cell containing secret data. A row containing a secret cell which is suppressed can become a security threat if an intruder generates useful information from the related visible information of the same row. This paper measures data accessibility and inference associated with row, cell, and column level security techniques. Cell level security offers greatest data accessibility as it suppresses secret data only. But on the other hand, there is a high probability of inference in cell level security. Row and column level security techniques have least data accessibility and inference. This paper introduces cell plus innocent security technique that utilizes the cell level security method but suppresses some innocent data to dodge an intruder that a suppressed cell may not necessarily contain secret data. Four variations of the technique namely cell plus innocent 1/4, cell plus innocent 2/4, cell plus innocent 3/4, and cell plus innocent 4/4 respectively have been introduced to suppress innocent data equal to 1/4, 2/4, 3/4, and 4/4 percent of the true secret data inside the database. Results show that the new technique offers better control over data accessibility and inference as compared to the state-of-theart security techniques. This paper further discusses the combination of techniques together to be used. The paper shows that cell plus innocent 1/4, 2/4, and 3/4 techniques can be used as a replacement for the cell level security.
[1] Oracle Virtual Private Database. "An Oracle Database 10g Release 2
White Paper", June 2005.
[2] Art Rask, Don Rubin, Bill Neumann. "Implementing Row and Cell
Level Security in Classified Databases Using SQL Server 2005", MS
SQL Server Technical Center, April 2005.
[3] Darryl "SQL Server 2005 Label Security Toolkit," Published November
16, 2006. URL:
http://blogs.msdn.com/publicsector/archive/2006/11/16/sql-server-2005-
label-security-toolkit.aspx
[4] "A Tradeoff Analysis between Data Accessibility and Inference Control
for Row, Column, and Cell Level Security in Relational Databases,"
Azhar Rauf / Carol Keene, Bo I. Sanden, Elaine Waybright. Doctoral
Thesis Published in January 2007 by Colorado Technical University.
[5] Dieter Gollmann, Computer Security, Copyright 1999 by John Wilsey
and Sons Ltd., ISBN 0 471 97844 2
[6] Teresa F. Lunt, Dorothy E. Denning, Roger R. Schell, Mark Heckman,
William R. Shockley, "The SeaView Security Model," IEEE
Transactions on Software Engineering. VOL 16, NO 6. June 1990
[7] D. E. Denning. "A Preliminary Note on the Inference Problem in
Multilevel Database Management Systems," In Proceedings of the
National Computer Security Center Invitational Workshop on Database
Security, June 1986
[8] Mathew Morgenstern, "Security and Inference in Multilevel Database
and Knowledge-Base Systems," ACM 1987
[9] T. Su. Inferences in Database. Ph.D. Dissertation, Department of
Computer Engineering and Science, Case Western Reserve University,
August 1986
[10] T. Su and G. Ozsoyogiu. "Data Dependencies and Inference Control in
Multilevel Relational Database Systems." In Proceedings of the IEEE
Symposium on Security and Privacy, pp. 202-211, April 1987
[11] T. Su and G. Ozsoyoglu. "Multi-valued Dependency Inferences in
Multilevel Relational Database Systems," In Database Security III:
Status and Prospects, eds. D.L. Spooner and C. Landwehr, pp. 293-300,
NorthHolland, Amsterdam, 1990
[12] C. Meadows and S. Jajodia. "Integrity Versus Security in Multi-Level
Secure Databases." In Database Security: Status and Prospects, ed. Carl
E. Landwehr, NorthHolland, Amsterdam, pp. 89-101, 1988
[13] Pierangela Samarati, "Protecting Respondents- Identities in Microdata
Release," IEEE Trans. Knowl. Data Eng. 13(6): pp. 1010-1027 (2001).
[14] Kristen LeFevre, David J. DeWitt, Raghu Ramakrishnan, "Incognito:
Efficient Full-Domain K-Anonymity", SIGMOD Conference 2005:pp.
49-60
[15] Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke,
Muthuramakrishnan Venkitasubramaniam, "L-diversity: Privacy beyond
k-anonymity," TKDD 1(1): (2007)
[16] T. F. Keefe, M.B. Thuraisingham, and W.T. Tsai. "Secure Query
Processing Strategies." In IEEE Computer. Vo. 22, #3, pages 63-70,
March 1989
[17] M.B. Thuraisingham. "Security Checking in Relational Database
Management Systems Augmented with Inference Engines," In
Computers and Security, Vol. 6, pp. 479-492, 1987
[18] M.B. Thuraisingham, W. Tsai, and T. Keefe. "Secure Query Processing
Using AI Techniques." In Proceedings of the Hawaii International
Conference on Systems Sciences. January 1988
[19] M.B. Thuraisingham. "Towards the Design of a Secure
Data/Knowledgebase Management System," In Data and Knowledge
Engineering Journal. Vol. 5, #1, March 1990
[20] J.T. Haigh, R.C. O-Brien, P.D. Stachour, and D.L. Toups. "The LDV
Approach to Security." In Database Security, III: Status and Prospects,
ed. D.L. Spooner and C. Landwehr, North-Holland, Amsterdam, pp.
323-339, 1990
[21] J.T. Haigh, R.C. O-Brien, and D.J. Thompson. "The LDV secure
relational DBMS model". In S. Jajodia and C Lawnwehr, editors,
Database Security IV: Status and Prospects, pages 265-279. North
Holland, 1991
[22] L.J. Buczkowski, and E.L. Perry. "Database Inference Controller Draft
Top-Level Design." Ford Aerospace, July 1989
[23] S. Jajodia. "Aggregation and Inference Problems in Multilevel Secure
Systems," In Proceedings of the 5th Rome Laboratory Database Security
Workshop, June 1992
[24] L. S. Cox, S. McDonald, and D. Nelson. "Confidentiality Issues at the
United States Bureau of the Census." In Journal of Official Statistics,
Vol 2, No. 2, pp. 135-160, 1986
[25] L. S. Cox. "Practices of the Bureau of the Census with the Disclosure of
Anonymized Microdata." In Forum der Bundesstatistik, pp. 26-42, 1987
[26] L. S. Cox. "Modeling and Controlling User Interface." In Database
Security: Status and Prospects, ed. Carl E. Landwehr, North-Holland,
Amsterdam, pp. 167-171, 1988
[27] D. E. Denning. "Cryptography and Data Security," Addison-Wesley,
Reading, MA, 1982
[28] T.H. Hinke. "Inference Aggregation Detection in Database Management
Systems." In Proceedings of the IEEE Symposium on Research in
Security and Privacy, pp. 96-106, April 1988
[29] NCSC (National Computer Security Center) Technical Report, Volume
1/5, Library No. S-243,039, May 1996
[30] Transaction Processing Performance Council (TPC) Benchmark TM-H,
Decision Support Standard Specification Revision 2.3.0, 1993-2005.
[1] Oracle Virtual Private Database. "An Oracle Database 10g Release 2
White Paper", June 2005.
[2] Art Rask, Don Rubin, Bill Neumann. "Implementing Row and Cell
Level Security in Classified Databases Using SQL Server 2005", MS
SQL Server Technical Center, April 2005.
[3] Darryl "SQL Server 2005 Label Security Toolkit," Published November
16, 2006. URL:
http://blogs.msdn.com/publicsector/archive/2006/11/16/sql-server-2005-
label-security-toolkit.aspx
[4] "A Tradeoff Analysis between Data Accessibility and Inference Control
for Row, Column, and Cell Level Security in Relational Databases,"
Azhar Rauf / Carol Keene, Bo I. Sanden, Elaine Waybright. Doctoral
Thesis Published in January 2007 by Colorado Technical University.
[5] Dieter Gollmann, Computer Security, Copyright 1999 by John Wilsey
and Sons Ltd., ISBN 0 471 97844 2
[6] Teresa F. Lunt, Dorothy E. Denning, Roger R. Schell, Mark Heckman,
William R. Shockley, "The SeaView Security Model," IEEE
Transactions on Software Engineering. VOL 16, NO 6. June 1990
[7] D. E. Denning. "A Preliminary Note on the Inference Problem in
Multilevel Database Management Systems," In Proceedings of the
National Computer Security Center Invitational Workshop on Database
Security, June 1986
[8] Mathew Morgenstern, "Security and Inference in Multilevel Database
and Knowledge-Base Systems," ACM 1987
[9] T. Su. Inferences in Database. Ph.D. Dissertation, Department of
Computer Engineering and Science, Case Western Reserve University,
August 1986
[10] T. Su and G. Ozsoyogiu. "Data Dependencies and Inference Control in
Multilevel Relational Database Systems." In Proceedings of the IEEE
Symposium on Security and Privacy, pp. 202-211, April 1987
[11] T. Su and G. Ozsoyoglu. "Multi-valued Dependency Inferences in
Multilevel Relational Database Systems," In Database Security III:
Status and Prospects, eds. D.L. Spooner and C. Landwehr, pp. 293-300,
NorthHolland, Amsterdam, 1990
[12] C. Meadows and S. Jajodia. "Integrity Versus Security in Multi-Level
Secure Databases." In Database Security: Status and Prospects, ed. Carl
E. Landwehr, NorthHolland, Amsterdam, pp. 89-101, 1988
[13] Pierangela Samarati, "Protecting Respondents- Identities in Microdata
Release," IEEE Trans. Knowl. Data Eng. 13(6): pp. 1010-1027 (2001).
[14] Kristen LeFevre, David J. DeWitt, Raghu Ramakrishnan, "Incognito:
Efficient Full-Domain K-Anonymity", SIGMOD Conference 2005:pp.
49-60
[15] Ashwin Machanavajjhala, Daniel Kifer, Johannes Gehrke,
Muthuramakrishnan Venkitasubramaniam, "L-diversity: Privacy beyond
k-anonymity," TKDD 1(1): (2007)
[16] T. F. Keefe, M.B. Thuraisingham, and W.T. Tsai. "Secure Query
Processing Strategies." In IEEE Computer. Vo. 22, #3, pages 63-70,
March 1989
[17] M.B. Thuraisingham. "Security Checking in Relational Database
Management Systems Augmented with Inference Engines," In
Computers and Security, Vol. 6, pp. 479-492, 1987
[18] M.B. Thuraisingham, W. Tsai, and T. Keefe. "Secure Query Processing
Using AI Techniques." In Proceedings of the Hawaii International
Conference on Systems Sciences. January 1988
[19] M.B. Thuraisingham. "Towards the Design of a Secure
Data/Knowledgebase Management System," In Data and Knowledge
Engineering Journal. Vol. 5, #1, March 1990
[20] J.T. Haigh, R.C. O-Brien, P.D. Stachour, and D.L. Toups. "The LDV
Approach to Security." In Database Security, III: Status and Prospects,
ed. D.L. Spooner and C. Landwehr, North-Holland, Amsterdam, pp.
323-339, 1990
[21] J.T. Haigh, R.C. O-Brien, and D.J. Thompson. "The LDV secure
relational DBMS model". In S. Jajodia and C Lawnwehr, editors,
Database Security IV: Status and Prospects, pages 265-279. North
Holland, 1991
[22] L.J. Buczkowski, and E.L. Perry. "Database Inference Controller Draft
Top-Level Design." Ford Aerospace, July 1989
[23] S. Jajodia. "Aggregation and Inference Problems in Multilevel Secure
Systems," In Proceedings of the 5th Rome Laboratory Database Security
Workshop, June 1992
[24] L. S. Cox, S. McDonald, and D. Nelson. "Confidentiality Issues at the
United States Bureau of the Census." In Journal of Official Statistics,
Vol 2, No. 2, pp. 135-160, 1986
[25] L. S. Cox. "Practices of the Bureau of the Census with the Disclosure of
Anonymized Microdata." In Forum der Bundesstatistik, pp. 26-42, 1987
[26] L. S. Cox. "Modeling and Controlling User Interface." In Database
Security: Status and Prospects, ed. Carl E. Landwehr, North-Holland,
Amsterdam, pp. 167-171, 1988
[27] D. E. Denning. "Cryptography and Data Security," Addison-Wesley,
Reading, MA, 1982
[28] T.H. Hinke. "Inference Aggregation Detection in Database Management
Systems." In Proceedings of the IEEE Symposium on Research in
Security and Privacy, pp. 96-106, April 1988
[29] NCSC (National Computer Security Center) Technical Report, Volume
1/5, Library No. S-243,039, May 1996
[30] Transaction Processing Performance Council (TPC) Benchmark TM-H,
Decision Support Standard Specification Revision 2.3.0, 1993-2005.
@article{"International Journal of Information, Control and Computer Sciences:57960", author = "Azhar Rauf and Sareer Badshah and Shah Khusro", title = "A Comparative Study of Fine Grained Security Techniques Based on Data Accessibility and Inference", abstract = "This paper analyzes different techniques of the fine grained security of relational databases for the two variables-data accessibility and inference. Data accessibility measures the amount of data available to the users after applying a security technique on a table. Inference is the proportion of information leakage after suppressing a cell containing secret data. A row containing a secret cell which is suppressed can become a security threat if an intruder generates useful information from the related visible information of the same row. This paper measures data accessibility and inference associated with row, cell, and column level security techniques. Cell level security offers greatest data accessibility as it suppresses secret data only. But on the other hand, there is a high probability of inference in cell level security. Row and column level security techniques have least data accessibility and inference. This paper introduces cell plus innocent security technique that utilizes the cell level security method but suppresses some innocent data to dodge an intruder that a suppressed cell may not necessarily contain secret data. Four variations of the technique namely cell plus innocent 1/4, cell plus innocent 2/4, cell plus innocent 3/4, and cell plus innocent 4/4 respectively have been introduced to suppress innocent data equal to 1/4, 2/4, 3/4, and 4/4 percent of the true secret data inside the database. Results show that the new technique offers better control over data accessibility and inference as compared to the state-of-theart security techniques. This paper further discusses the combination of techniques together to be used. The paper shows that cell plus innocent 1/4, 2/4, and 3/4 techniques can be used as a replacement for the cell level security.
", keywords = "Fine Grained Security, Data Accessibility, Inference,
Row, Cell, Column Level Security.", volume = "3", number = "7", pages = "1790-9", }
