CRII: SaTC: Preventing inferences in databases through Dependency-Aware Access Control

About This Grant

Fine-grained access control policies define what data is sensitive or non-sensitive in a database. While these policies guard against direct access to sensitive data, attackers can still make guesses (or inferences) about sensitive data using non-sensitive data and data dependencies. Data dependencies, or simply dependencies, specify relationships between items within a database. For example, in an employee database, a data dependency could say that two employees with the same role and years of experience make the same salary. Such a dependency could be used to infer sensitive data, in this example an individual's salary. Detecting such inferences and protecting against them is critical to prevent attackers from learning about sensitive data items. This project will develop a novel approach to protect against dependency-based attacks while ensuring that databases can still answer queries quickly. This project's approach to enhancing access control will have a significant impact on how cybersecurity is implemented in social networks, healthcare, and other domains. This project will also support a cohort of PhD and undergraduate students and will be tightly integrated into databases and privacy courses at Portland State University. Detecting and preventing inferences due to data dependencies is challenging as the number of inference channels per sensitive data item and dependency are proportional to the size of the database. The dynamic nature of data and related dependencies, the need to maintain utility of the shared database, and an enormous number of dependencies add to this challenge. This project aims to address these challenges in three ways. First, the project will formulate inference detection and protection as query optimization and hyper-graph search problems respectively to solve them efficiently and optimally. Second, the team will develop an incremental approach and a flexible security model to deal with dynamic databases where new dependencies may emerge as database contents change. Third, the project will extend the work to inferences with approximate dependencies and adapt protection mechanisms to balance privacy, utility, and performance. The outcomes from this research will provide novel perspectives and methodologies to prevent inference attacks based on a broad class of data dependencies. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.