Inference Controls

The document discusses inference controls and inference attacks on databases. Inference controls aim to prevent unauthorized users from inferring sensitive information from available data through techniques like access controls, data anonymization, and query restrictions. The document also describes direct and indirect inference attacks, where attackers try to deduce sensitive values through precise or statistical queries.

Uploaded by

kaushalnishant64

Inference Controls
Internal Assessment Presentation

Name: Nishant Kumar Kaushal
Roll no: 215/UCC/001
Program: BTech CSE – Cybersecurity
Faculty: Dr. Aarti Gautam Dinker
Course: Data Privacy and Database Security
Agenda
• Requirements for Database Security
• Database Access Controls
• SQL Access Controls
• Inference
• Inference Controls
• Direct Attack
• Indirect Attack
• Protecting against Inference

Requirements for Database Security

Physical Database Integrity:
• Ensures data is accurately stored on physical storage media without corruption or unauthorized changes.
• Involves mechanisms like checksums, data redundancy, and data mirroring to prevent physical data loss or corruption.
• Protects against hardware failures, disk errors, and data tampering at the storage level.

Logical Database Integrity:
• Focuses on maintaining the accuracy and consistency of data within the database.
• Includes constraints (e.g., primary keys, foreign keys, uniqueness constraints) to enforce data integrity rules.
• Prevents logical inconsistencies such as duplicate records, referential integrity violations, and data anomalies.

Access Control:
• Regulates who can access what data and what actions they can perform within the database system.
• Involves authentication (verifying user identity), authorization (granting appropriate privileges), and auditing access activities.
• Enhances security by limiting unauthorized access and ensuring data confidentiality and integrity.
Element Integrity:
• Ensures the correctness and consistency of individual data elements or fields within a database record.
• Utilizes validation rules, data types, and domain constraints to enforce integrity at the attribute level.
• Prevents invalid or nonsensical data from being entered into the database.

Auditability:
• Refers to the ability to track and monitor database activities, changes, and access attempts.
• Includes logging mechanisms, audit trails, and security policies for recording and analyzing database events.
• Supports compliance requirements, forensic investigations, and detecting unauthorized actions.

User Authentication:
• Verifies the identity of users attempting to access the database or its resources.
• Methods include passwords, biometrics, multi-factor authentication, and digital certificates.
• Ensures only authorized users can log in and perform actions based on their assigned privileges.

Availability:
• Ensures that database resources and services are accessible and operational when needed.
• Involves redundancy, failover mechanisms, disaster recovery plans, and monitoring for timely response to disruptions.
• Minimizes downtime, maintains service continuity, and supports business continuity objectives.
Database Access Control

SQL Access Controls
SQL access controls refer to the mechanisms and processes used to regulate access to databases and their data through SQL queries.
• Access Control Lists (ACLs):
• ACLs define which users or groups have permissions to perform specific actions on database objects, such as tables, views, or stored procedures.
• They can grant or deny privileges like SELECT, INSERT, UPDATE, DELETE, and EXECUTE on database objects.
• Role-Based Access Control (RBAC):
• RBAC assigns permissions based on roles rather than individual users.
• Users are assigned to roles, and roles are granted specific privileges on database objects.
• This simplifies management by grouping users with similar access requirements.
• Grant and Revoke Statements:
• SQL provides GRANT and REVOKE statements to assign or remove privileges from users or roles.
• For example, GRANT SELECT ON table_name TO user_name; grants the SELECT privilege on a table to a specific user.
INFERENCE

■ Process of performing authorized queries and deducing unauthorized information from the legitimate responses received.

■ The inference problem arises when the combination of a number of data items is more sensitive than the individual items, or when a combination of data items can be used to infer data of a higher sensitivity.

■ The attacker may make use of nonsensitive data as well as metadata.

■ Metadata refers to knowledge about correlations or dependencies among data items that can be used to deduce information not otherwise available to a particular user.

■ The information transfer path by which unauthorized data is obtained is referred to as an inference channel.

■ Two inference techniques can be used to derive additional information:
1. Analyzing functional dependencies between attributes within a table or across tables;
2. Merging views with the same constraints.
Inference Controls
Inference controls are measures implemented to prevent unauthorized users from inferring sensitive information from available data.
Types of inference controls:
• Statistical Disclosure Control (SDC):
• SDC techniques alter or suppress data to prevent statistical analyses from revealing sensitive information.
• Methods include data aggregation, adding noise to data, or applying statistical disclosure limitation techniques.
• Access Control Mechanisms:
• Access controls restrict access to sensitive data based on users' roles, privileges, or clearance levels.
• This includes role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC) mechanisms.
• Data Masking and Anonymization:
• Data masking obscures sensitive data by replacing it with fictional or anonymized values.
• Anonymization techniques like k-anonymity and differential privacy protect individuals' identities in datasets.
• Query Restrictions:
• Limiting the types of queries that users can perform can prevent them from deducing sensitive information.
• For example, restricting aggregate queries or limiting the number of records returned in a query.
Inference Attacks
1. Direct Attack

In a direct attack, a user tries to find sensitive information by asking very specific questions that only return a small amount of data. The best way to do this is to make a query so precise that it only matches one piece of data.
In Table 6-7, a sensitive query might be
List NAME where SEX=M ∧ DRUGS=1
This query discloses that for record ADAMS, DRUGS=1.
However, it is an obvious attack because it selects people for whom DRUGS=1, and the DBMS might reject the query because it selects records for a specific value of the sensitive attribute DRUGS.

Table 6-7 (Sample Database)
We assume that AID, FINES, and DRUGS are sensitive fields, although only when the values are related to a specific individual. In this section, we look at ways to determine sensitive data values from the database.
2. Indirect Attack

Organizations hide personal details like names and addresses that could identify specific individuals. Only neutral statistics, such as sum, count, and mean, are released.
The indirect attack tries to figure out a final result by looking at some in-between statistical results.

Sum
A sum attack tries to guess a specific value by looking at the total sum of data.
For instance, in Table 6-7 of a sample database, someone might try to figure out individual student aid amounts based on the total reported aid for each category like sex and dorm.
Such a report is shown in Table 6-8. This seemingly innocent report reveals that no female living in Grey is receiving financial aid.
Thus, we can infer that any female living in Grey (such as Liu) is certainly not receiving financial aid. This approach often allows us to determine a negative result.

Count
The count can be combined with the sum to produce some even more revealing results. Often these two statistics are released for a database to allow users to determine average values. (Conversely, if count and mean are released, sum can be deduced.)
Table 6-9 shows the count of records for students by dorm and sex. This table demonstrates that the two males in Holmes and West are receiving financial aid in the amount of $5000 and $4000, respectively. We can obtain the names by selecting the subschema of NAME, DORM, which is not sensitive because it delivers only low-security data on the entire database.

Mean
The arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population. As a trivial example, consider salary. Given the number of employees, the mean salary for a company and the mean salary of all employees except the president, it is easy to compute the president's salary.
Median

By a slightly more complicated process, we can determine an individual value from medians. The attack requires finding selections having one point of intersection that happens to be exactly in the middle, as shown in Figure 6-4.
• For example, in our sample database, there are five males and three persons whose drug use value is 2. Arranged in order of aid, these lists are shown in Table 6-10.
• Notice that Majors is the only name common to both lists, and conveniently that name is in the middle of each list.
• Someone working at the Health Clinic might be able to find out that Majors is a white male whose drug-use score is 2. That information identifies Majors as the intersection of these two lists and pinpoints Majors' financial aid as $2000.
• In this example, the queries
q = median(AID where SEX = M)
p = median(AID where DRUGS = 2)
reveal the exact financial aid amount for Majors.
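As an added, runnable illustration of the direct, sum/count and median attacks above (my own code, not from the slides or the textbook they cite): the records are constructed to mirror the facts the page states about Table 6-7 (five males, three persons with DRUGS=2, Majors at the middle of both lists, no aid for females in Grey), and the only sensitive-data interface the database releases is the stat() aggregate.

```python
from itertools import product
from statistics import median

# Constructed records modelled on the slide's Table 6-7 (values invented, not the
# textbook's). NAME, SEX, DORM are non-sensitive; DRUGS and AID are sensitive.
FIELDS = ("name", "sex", "dorm", "drugs", "aid")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Adams", "M", "Holmes", 1, 5000), ("Bailey", "M", "Grey", 0, 0),
    ("Chin", "F", "West", 3, 3000), ("Dewitt", "M", "Grey", 3, 1000),
    ("Earhart", "F", "Holmes", 1, 2000), ("Fein", "F", "West", 1, 1000),
    ("Groff", "M", "West", 3, 4000), ("Hill", "F", "Holmes", 2, 5000),
    ("Koch", "F", "Grey", 1, 0), ("Liu", "F", "Grey", 2, 0),
    ("Majors", "M", "Grey", 2, 2000),
]]

def stat(kind, field, where):
    """Aggregate released by the statistical database over rows matching where()."""
    vals = [r[field] for r in ROWS if where(r)]
    if kind == "count":
        return len(vals)
    if kind == "sum":
        return sum(vals)
    if kind == "median":
        return median(vals) if vals else None
    raise ValueError(kind)

def names(where):
    """'List NAME where ...': a direct attack when where() tests a sensitive field."""
    return [r["name"] for r in ROWS if where(r)]

def sum_count_attack():
    """SUM(AID) and COUNT per (SEX, DORM) cell, as in Tables 6-8/6-9: a zero sum is a
    negative result for the whole cell; a count of one gives that person's exact AID."""
    leaked = {}
    for sex, dorm in product(("M", "F"), ("Holmes", "Grey", "West")):
        cell = lambda r, s=sex, d=dorm: r["sex"] == s and r["dorm"] == d
        n, total = stat("count", "aid", cell), stat("sum", "aid", cell)
        if n == 1 or (n > 0 and total == 0):
            for name in names(cell):   # non-sensitive (NAME, SEX, DORM) subschema
                leaked[name] = total
    return leaked

def median_attack(sel_a, sel_b):
    """Two selections whose only common member sits at the middle of both sorted lists:
    equal medians pin that member's AID (membership known from outside, e.g. the clinic)."""
    common = set(names(sel_a)) & set(names(sel_b))
    q, p = stat("median", "aid", sel_a), stat("median", "aid", sel_b)
    if len(common) == 1 and q == p:
        return common.pop(), q
    return None
```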
Protecting against inference

Two distinct approaches to protection of a statistical database (SDB) from inference attacks:

1. Query restriction:
■ Rejects a query that can lead to a compromise.
■ The answers provided are accurate.
■ Query restriction techniques defend against inference by restricting statistical queries so that they do not reveal user confidential information.
■ Restriction in this context simply means that some queries are denied.
■ The simplest form of query restriction is query size restriction.

2. Perturbation:
Perturbation refers to intentionally changing data values or parameters in a system to analyze its behavior under different conditions.

■ This can be done in one of two ways:

A) Data Perturbation:
The data in the SDB can be modified (perturbed) so as to produce statistics that cannot be used to infer values for individual records.
B) Output Perturbation:
When a statistical query is made, the system can generate statistics that are modified from those that the original database would provide, again opposing attempts to gain knowledge of individual records.
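An added example (my own code, not from the slides) of both approaches applied to the president's-salary mean attack described earlier: a query size restriction on the mean query, and Gaussian output perturbation. The salary table, the threshold k and the noise level are constructed for illustration.

```python
import random

# Constructed salary table for the president's-salary mean attack (values invented).
SALARIES = {"president": 250000, "ali": 60000, "bo": 65000,
            "cy": 70000, "di": 55000, "ed": 62000}
N = len(SALARIES)

def mean_query(selected, k=0, both_sides=True, noise=0.0, rng=None):
    """Release the mean salary of the selected employees.
    k          : query size restriction, deny selections of fewer than k rows;
    both_sides : also deny selections of more than N-k rows, whose complement
                 would isolate k rows (the complete rule from the literature);
    noise      : output perturbation, Gaussian noise of this std dev on the answer."""
    c = len(selected)
    if c < k or (both_sides and c > N - k):
        raise PermissionError(f"selection of {c} rows denied under k={k}")
    answer = sum(SALARIES[n] for n in selected) / c
    if noise:
        answer += (rng or random).gauss(0, noise)
    return answer

def president_attack(k=0, both_sides=True, noise=0.0, seed=1):
    """Mean attack from the slide: president = N*mean(all) - (N-1)*mean(all but president).
    Returns None when the restriction denies one of the two queries."""
    rng = random.Random(seed)
    everyone = list(SALARIES)
    rest = [n for n in everyone if n != "president"]
    try:
        m_all = mean_query(everyone, k, both_sides, noise, rng)
        m_rest = mean_query(rest, k, both_sides, noise, rng)
    except PermissionError:
        return None
    return round(N * m_all - (N - 1) * m_rest, 2)
```

A lower bound alone (both_sides=False) leaves the attack intact, since both selections are large; perturbation keeps the queries answerable but the recovered value is no longer the true salary.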
Thank you