
Online Auditing

Online Auditing. Kobbi Nissim, Microsoft. Based on a position paper with Nina Mishra.



  1. Online Auditing. Kobbi Nissim, Microsoft. Based on a position paper with Nina Mishra.

  2. The Setting
  Statistical database
  • Dataset: {d1,…,dn}
  • Entries di: Real, Integer, Boolean
  • Query: q = (f, i1,…,ik), answered as f(di1,…,dik)
  • f: Min, Max, Median, Sum, Average, Count…
  • Some users are bad…

  3. Auditing
  The user submits a new query qi+1 to the auditor, which holds the query log q1,…,qi and consults the statistical database. The auditor replies either "Here's the answer" or "Query denied (as the answer would cause privacy loss)".

  4. Auditing
  • [Adam, Wortmann 89] classify auditing as a query restriction method
  • Such methods limit the queries users may pose, usually imposing some structure (e.g. combinatorial, algebraic)
  • "Auditing of an SDB involves keeping up-to-date logs of all queries made by each user (not the data involved) and constantly checking for possible compromise whenever a new query is issued"
  • Partial motivation: may allow for more queries to be posed, if no privacy threat occurs
  • Early work: Hofmann 1977, Schlorer 1976, Chin, Ozsoyoglu 1981, 1986
  • Recent interest: Kleinberg, Papadimitriou, Raghavan 2000; Li, Wang, Wang, Jajodia 2002; Jonsson, Krokhin 2003

  5. Design choices in Prior Work
  • Out of the scope for this talk (but important):
    • Very weak privacy guarantee: privacy breached (only) when a database entry may be uniquely deduced
    • Exact answers given
  • Important for this talk:
    • Data taken into account in decision procedure
    • Answers to q1,…,qi and qi+1 taken into account
    • Denials ignored

  6. Some Prior Work on Auditors

  7. Auditor Example 1: Sum/Max auditing
  • di real, sum/max queries
  q1 = sum(d1,d2,d3): answered, sum(d1,d2,d3) = 15
  q2 = max(d1,d2,d3): Denied (the answer would cause privacy loss)
  q2 is denied iff d1 = d2 = d3 = 5. User: "I win!" Auditor: "Oh well…"

  8. Auditor Example 2: Interval Based Auditing
  • di ∈ [0,100], sum queries, ε = 1 (PTIME)
  q1 = sum(d1,d2): Sorry, denied
  q2 = sum(d2,d3): answered, sum(d2,d3) = 50
  The user deduces: d1,d2 ∈ [0,1] and d3 ∈ [49,50]

  9. Sounds Familiar?
  • Colonel Oliver North, on the Iran-Contra Arms Deal: "On the advice of my counsel I respectfully and regretfully decline to answer the question based on my constitutional rights."
  • David Duncan, former auditor for Enron and partner in Andersen: "Mr. Chairman, I would like to answer the committee's questions, but on the advice of my counsel I respectfully decline to answer the question based on the protection afforded me under the Constitution of the United States."

  10. What about Max Auditing?
  • di real
  q1 = max(d1,d2,d3,d4): answered, M1234
  q2 = max(d1,d2,d3): M123 / denied. If denied: d4 = M1234
  q3 = max(d1,d2): M12 / denied. If denied: d3 = M123
  Recover 1/8 of the database!

  11. What about Boolean Auditing?
  • di Boolean, sum queries
  q1 = sum(d1,d2): 1 / denied
  q2 = sum(d2,d3): 1 / denied
  …
  qi is denied iff di = di+1, so the user learns the database or its complement.
  Let di,dj,dk be not all equal, where qi-1, qi, qj-1, qj, qk-1, qk are all denied. Query sum(di,dj,dk): answered 1 / 2.
  Recover the entire database!

  12. What are the Problems?
  Figure: the space of possible assignments to {d1,…,dn}, the subset of assignments consistent with (q1,…,qi), and the region in which qi+1 is denied.
  • Obvious problem: denied queries ignored
  • Algorithmic problem: not clear how to incorporate denials in the decision
  • Subtle problem:
    • Query denials leak (potentially sensitive) information
    • Users cannot decide denials by themselves

  13. A Spectrum of Auditors
  Decision data                        | Examples                                                               |
  q1,…,qi, qi+1 and a1,…,ai, ai+1      | Sum/Max, Interval based, Boolean, Max; Cell suppression; k-anonymity   | "unsafe"
  q1,…,qi, qi+1 and a1,…,ai            |                                                                        |
  q1,…,qi, qi+1                        | Size overlap restriction; Algebraic structure                          | "safe"
  *Note: can work in the "unsafe" region, but need to prove denials do not leak crucial information

  14. Simulatable Auditing*
  Figure: the auditor sees q1,…,qi, a1,…,ai, the new query qi+1 and the statistical database, and outputs deny/answer; the simulator sees only q1,…,qi, a1,…,ai and qi+1 and outputs deny/answer.
  An auditor is simulatable if a simulator exists s.t. the simulator, given only q1,…,qi, a1,…,ai and qi+1 (no access to the data), reaches the same deny/answer decision as the auditor.
  Simulation ⇒ denials do not leak information
  * "self auditors" in [DN03]
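The following is an added example, my own code rather than anything from the talk: it contrasts a data-dependent auditor of the kind in slide 11 (deny iff the true answer would uniquely determine an entry) with a simulatable one (deny iff answering could breach for some database consistent with the log, so the decision never touches the data). Assumptions beyond the slides: Boolean entries, sum queries, and the conservative "deny if any consistent database would be breached" rule as the simulator.

```python
from itertools import product

# Added example (not from the slides): Boolean entries, sum queries over index tuples.
# "Breach" uses the slides' weak notion: some entry becomes uniquely determined.

def sum_query(db, idx):
    return sum(db[i] for i in idx)

def consistent_dbs(n, answered):
    """All Boolean databases of size n that agree with the (query, answer) log."""
    return [db for db in product((0, 1), repeat=n)
            if all(sum_query(db, idx) == a for idx, a in answered)]

def breached(n, answered):
    """True if the answered queries pin down at least one entry."""
    dbs = consistent_dbs(n, answered)
    return any(len({db[i] for db in dbs}) == 1 for i in range(n))

def data_dependent_auditor(db, answered, idx):
    """Slide-style auditor: reads the real data, denies iff the true answer would breach."""
    ans = sum_query(db, idx)
    return None if breached(len(db), answered + [(idx, ans)]) else ans

def simulatable_auditor(db, answered, idx):
    """Decides from the log alone (only len(db) is used): deny if answering could breach
    for ANY database consistent with the log. Data is read only after deciding to answer."""
    n = len(db)
    if any(breached(n, answered + [(idx, sum_query(c, idx))])
           for c in consistent_dbs(n, answered)):
        return None
    return sum_query(db, idx)

def run(auditor, db, queries):
    """Responses to a query sequence: the answer, or None for a denial."""
    answered, responses = [], []
    for idx in queries:
        r = auditor(db, answered, idx)
        responses.append(r)
        if r is not None:
            answered.append((idx, r))
    return responses

def infer_from_denials(responses):
    """Slide 11 reconstruction for adjacent-pair queries sum(d_i, d_{i+1}): a denial means
    d_i == d_{i+1}, an answer of 1 means they differ, so the pattern fixes the database up
    to complement. Returns both candidates."""
    db = [0]
    for r in responses:
        db.append(db[-1] if r is None else 1 - db[-1])
    return tuple(db), tuple(1 - b for b in db)
```

With the constructed database (1, 1, 0, 1, 0, 0) and the five adjacent-pair queries, run(data_dependent_auditor, ...) returns [None, 1, 1, 1, None] and infer_from_denials recovers the database, while the simulatable auditor denies every pair query for every database. That uniform denial is the utility price of this deterministic leak-free rule, which is what the note on slide 13 is about.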

  15. Summary
  • Subtleties in the current definition of auditors allow for information leakage and, potentially, privacy breaches
    • Denials are not taken into account
    • Auditor uses information not available to the user
  • Simulatable auditors provably don't leak information in the decision
  • New starting point for research on auditors
