Online Auditing
Kobbi Nissim, Microsoft
Based on a position paper with Nina Mishra
The Setting
Statistical database
• Dataset: {d1,…,dn}
• Entries di: Real, Integer, Boolean
• Query: q = (f, i1,…,ik), evaluated as f(di1,…,dik)
• f: Min, Max, Median, Sum, Average, Count…
• Some users are bad…
Auditing
Statistical database ↔ Auditor ↔ user
Auditor keeps a query log: q1,…,qi
User: Here’s a new query: qi+1
Auditor: Here’s the answer OR Query denied (as the answer would cause privacy loss)
Auditing
• [Adam, Wortmann 89] classify auditing as a query restriction method
• Such methods limit the queries users may post, usually imposing some structure (e.g. combinatorial, algebraic)
• “Auditing of an SDB involves keeping up-to-date logs of all queries made by each user (not the data involved) and constantly checking for possible compromise whenever a new query is issued”
• Partial motivation: May allow for more queries to be posed, if no privacy threat occurs
• Early work: Hofmann 1977, Schlorer 1976, Chin, Ozsoyoglu 1981, 1986
• Recent interest: Kleinberg, Papadimitriou, Raghavan 2000; Li, Wang, Wang, Jajodia 2002; Jonsson, Krokhin 2003
Design choices in Prior Work
• Out of the scope for this talk (but important):
  • Very weak privacy guarantee: Privacy breached (only) when a database entry may be uniquely deduced
  • Exact answers given
• Important for this talk:
  • Data taken into account in decision procedure
  • Answers to q1,…,qi and qi+1 taken into account
  • Denials ignored
Example 1: Sum/Max auditing
• di real, sum/max queries
User: q1 = sum(d1,d2,d3)
Auditor: sum(d1,d2,d3) = 15
User: q2 = max(d1,d2,d3)
Auditor: Denied (the answer would cause privacy loss)
User: q2 is denied iff d1=d2=d3 = 5. I win!
Auditor: Oh well…
Example 2: Interval Based Auditing
• di ∈ [0,100], sum queries, =1 (PTIME)
User: q1 = sum(d1,d2)
Auditor: Sorry, denied
User: q2 = sum(d2,d3)
Auditor: sum(d2,d3) = 50
d1,d2 ∈ [0,1], d3 ∈ [49,50]
Sounds Familiar?
• Colonel Oliver North, on the Iran-Contra Arms Deal: “On the advice of my counsel I respectfully and regretfully decline to answer the question based on my constitutional rights.”
• David Duncan, Former auditor for Enron and partner in Andersen: “Mr. Chairman, I would like to answer the committee's questions, but on the advice of my counsel I respectfully decline to answer the question based on the protection afforded me under the Constitution of the United States.”
What about Max Auditing?
• di real
Database: d1, d2, d3, d4, d5, d6, d7, d8, …, dn-1, dn
User: q1 = max(d1,d2,d3,d4) → Auditor: M1234
User: q2 = max(d1,d2,d3) → Auditor: M123 / denied. If denied: d4 = M1234
User: q2 = max(d1,d2) → Auditor: M12 / denied. If denied: d3 = M123
Recover 1/8 of the database!
What about Boolean Auditing?
• di Boolean
Database: d1, d2, d3, d4, d5, d6, d7, d8, …, dn-1, dn
User: q1 = sum(d1,d2) → Auditor: 1 / denied
User: q2 = sum(d2,d3) → Auditor: 1 / denied
…
qi denied iff di = di+1 → learn database/complement
Let di,dj,dk not all equal, where qi-1, qi, qj-1, qj, qk-1, qk all denied
User: q2 = sum(di,dj,dk) → Auditor: 1 / 2
Recover the entire database!
What are the Problems?
(figure: possible assignments to {d1,…,dn}; within them, the assignments consistent with (q1,…,qi); within those, the region where qi+1 is denied)
• Obvious problem: denied queries ignored
• Algorithmic problem: not clear how to incorporate denials in the decision
• Subtle problem:
  • Query denials leak (potentially sensitive) information
  • Users cannot decide denials by themselves
A Spectrum of Auditors
Decision data                                   | Examples
“safe”    q1,…,qi, qi+1                         | • Size overlap restriction • Algebraic structure
          q1,…,qi, qi+1 and a1,…,ai             |
“unsafe”  q1,…,qi, qi+1 and a1,…,ai, ai+1       | • Sum/Max, Interval based, Boolean, Max • Cell suppression • k-anonymity
*Note: can work in “unsafe” region, but need to prove denials do not leak crucial information
Simulatable Auditing*
Auditor: given q1,…,qi, a1,…,ai, qi+1 and the statistical database → Deny/answer
Simulator: given only q1,…,qi, a1,…,ai, qi+1 → Deny/answer
An auditor is simulatable if a simulator exists s.t.:
(figure: the simulator, without the database, reproduces the auditor's Deny/answer decision)
Simulation ⇒ denials do not leak information
* `self auditors’ in [DN03]
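The leaks in Example 1 (sum answered, then max denied) and in the Boolean sum chain, and the simulatability fix, can be checked mechanically on toy databases. The Python below is an added example, not code from the talk or from the Mishra-Nissim paper: it brute-forces every database over a small domain, implements a prior-work style auditor that computes the true answer and denies iff that answer breaches, and a simulatable auditor that denies iff some database consistent with the answered log would breach, then measures how much the deny/answer bit reveals. The breach notion (an entry uniquely determined by the answered log), the integer domain 0..10 standing in for the reals of Example 1, and all function names are assumptions of this example.

```python
from functools import lru_cache
from itertools import product

# Assumed privacy notion for this toy (prior work's "entry can be uniquely
# deduced"): a breach occurs when some entry takes a single value across all
# databases consistent with the answered part of the log. Denied queries are
# not logged, matching the "denials ignored" design choice on the slides.


def consistent_datasets(n, domain, log):
    """All assignments to (d1..dn) over `domain` that agree with every
    (query, answer) pair in `log`. Brute force, so keep n and domain small."""
    return _consistent(n, tuple(domain), tuple(log))


@lru_cache(maxsize=None)
def _consistent(n, domain, log):
    return [d for d in product(domain, repeat=n)
            if all(q(d) == a for q, a in log)]


def breach(n, domain, log):
    """True if some entry is uniquely determined by the answered log."""
    cands = consistent_datasets(n, domain, log)
    return any(len({d[i] for d in cands}) == 1 for i in range(n))


def data_dependent_auditor(data, n, domain, log, query):
    """Prior-work style: compute the true answer and deny iff *that* answer
    would breach. The deny bit depends on the data, so it can leak."""
    answer = query(data)
    return None if breach(n, domain, log + [(query, answer)]) else answer


def simulatable_auditor(data, n, domain, log, query):
    """Deny iff SOME database consistent with the answered log would breach
    if `query` were answered on it. `data` is only read to produce the answer
    after the decision is made, so a user can replay the decision."""
    for d in consistent_datasets(n, domain, log):
        if breach(n, domain, log + [(query, query(d))]):
            return None
    return query(data)


def q_sum(*idx):
    return lambda d: sum(d[i] for i in idx)


def q_max(*idx):
    return lambda d: max(d[i] for i in idx)


def denial_patterns(auditor, queries, n, domain):
    """Run `queries` in order against every possible database and group the
    databases by the deny/answer pattern the auditor emits. One pattern shared
    by all databases leaks nothing; a pattern shared by few leaks a lot."""
    groups = {}
    for data in product(domain, repeat=n):
        log, pattern = [], []
        for q in queries:
            ans = auditor(data, n, domain, log, q)
            pattern.append(ans is None)
            if ans is not None:          # denials are not logged
                log.append((q, ans))
        groups.setdefault(tuple(pattern), set()).add(data)
    return groups


# Boolean auditing slide: q1 = sum(d1,d2), q2 = sum(d2,d3) on Boolean entries.
BOOL_QUERIES = [q_sum(0, 1), q_sum(1, 2)]


def boolean_leak(auditor):
    return denial_patterns(auditor, BOOL_QUERIES, n=3, domain=(0, 1))


# Example 1 restricted to integers 0..10 so every database can be enumerated:
# q1 = sum(d1,d2,d3) was answered 15; for which databases is q2 = max denied?
def sum_max_denials(auditor, domain=tuple(range(11)), total=15):
    q1, q2 = q_sum(0, 1, 2), q_max(0, 1, 2)
    denied = set()
    for data in product(domain, repeat=3):
        if q1(data) == total and auditor(data, 3, domain, [(q1, total)], q2) is None:
            denied.add(data)
    return denied


if __name__ == "__main__":
    for name, auditor in [("data-dependent", data_dependent_auditor),
                          ("simulatable", simulatable_auditor)]:
        groups = boolean_leak(auditor)
        print(f"{name}: {len(groups)} denial pattern(s) over 8 Boolean databases,",
              "group sizes", sorted(len(g) for g in groups.values()))
        print(f"{name}: max query denied for {len(sum_max_denials(auditor))} databases")
```

Run stand-alone, the script reports that the prior-work auditor splits the 8 Boolean databases into 4 denial patterns of 2 databases each (a database and its complement, as the slide states) and denies the max query only for (5,5,5), so a denial pins the data down exactly. The simulatable auditor emits a single pattern for all 8 Boolean databases and denies max for every one of the 91 databases with sum 15, so its denial carries no information about the data. The cost is visible as well: in the Boolean case it refuses both two-element sum queries outright, which is the trade-off the “unsafe region” note on the spectrum slide alludes to.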
Summary
• Subtleties in current definition of auditors allow for information leakage, and potentially, privacy breaches
  • Denials are not taken into account
  • Auditor uses information not available to user
• Simulatable auditors provably don’t leak information in decision
• New starting point for research on auditors