D. E. Denning, P. J. Denning and M. D. Schwartz, "The tracker: A threat to statistical database security", ACM Transactions on Database Systems, vol. 4, no. 1, pp. 76-96, 1979.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....the results of multiple queries. The first line of defence against this problem is the scrutiny of the queries by the parties. In addition, query restriction techniques from the statistical database literature [1, 44] can also help. These techniques include restricting the size of query results [17, 23], controlling the overlap among successive queries [19] and keeping audit trails of all answered queries to detect possible compromises [13] Schema Discovery and Heterogeneity We do not address the question of how to find which database contains which tables and what the attribute names are; we ....

D. Denning, P. Denning, and M. Schwartz. The tracker: A threat to statistical database security. ACM Transactions on Database Systems, 4(1):76--96, March 1979.

.... small queries whose cardinalities are smaller than some pre determined threshold n t [22] For arbitrary queries, query set size control can be easily subverted by asking two legitimate queries whose intersection yields a prohibited one, a mechanism known as the tracker in statistical databases [15]. It is shown that finding a tracker for arbitrary queries is possible even when n t is about half of the cardinality of the core. At first glance, trackers may seem to be more difficult to find when users are restricted to MDR queries. However, the following Proposition 1 shows that when n t is ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The tracker: A threat to statistical database security. ACM Trans. on Database Systems, 4(1):76--96, 1979. 16

....ones, leading to interval based inference. Inference Control Techniques For controlling exact inference, many restric tion based techniques have been studied (in the statistical database literature) which include restricting the size of a qe set (i.e. the entities that satisfy a single query) [17,13], controlling the overlap of query sets [15] suppressing sensitive data cells in a released table of statistics (i.e. query results) 9] partitioning data into mutually exclusive chunks and restricting each query set to some un divided data chunks [6,7] and (closer to our concerns in this ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The tracker: A threat to statistical database security. ACM 'ans. on Database Systems, 4(1):76-96, 1979. 554

....leading to interval based inference. Inference control techniques For controlling exact inference, many restric tion based techniques have been studied (in the statistical database literature) which include restricting the size of a query set (i.e. the entities that satisfy a single query) [17, 13], controlling the overlap of query sets [15] suppressing sensitive data cells in a released table of statistics (i.e. query results) 9] par titioning data into mutually exclusive chunks and restricting each query set to some undivided data chunks [6, 7] and (closer to our concerns in this ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The tracker: A threat to statistical database security. ACM Trans. on Database Systems, 4(1):76-96, 1979.

....count, average, maximum, minimum, pth percentile, etc. without compromising sensitive information about individuals [1] 47] The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query results [13] [18] controlling the overlap among successive queries [14] keeping audit trails of all answered queries and constantly checking for possible compromises [8] suppression of data cells of small size [9] and clustering entities into mutually exclusive atomic populations [61] The perturbation ....

D. Denning, P. Denning, and M. Schwartz. The tracker: A threat to statistical database security. March 1979.

....supply enough information to identify an individual, they can determine the value of confidential attributes by asking highly specific COUNT queries which will either return 0 or 1. In particular, methods which simply refuse to answer small cardinality COUNT queries can be defeated by trackers [DDS79, DS80] queries which pad their response counts to sufficient size to circumvent the restrictions on small COUNT queries. The padding introduced by the trackers can be removed, to reveal the desired counts and individual data. Such trackers could, in principle, be defeated by refusing to process ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The Tracker: A Threat to Statistical Database Security. ACM Transactions on Database Systems, 4(1):79--96, March 1979.

....of the work presented herein is to release all the information but to do so in a way in which designated properties are protected. Therefore, disclosure control lies outside of traditional work on access control and authentication. 3. 4 Multiple queries can leak inference Denning [46] and others [47, 48] were among the first to explore inferences realized from multiple queries to a database. For example, consider a table containing only (physician, patient, medication) A query listing the patients seen by each physician, i.e. a relation R(physician, patient) may not be sensitive. Likewise, a ....

D. Denning, P. Denning, and M. Schwartz. The tracker: A threat to statistical database security. ACM Trans. on Database Systems, 4(1):76--96, March 1979.

....activities) and for obtaining statistical summaries and reports. In some cases, personalization services are provided entirely by external consultancy firms. The need to balance legitimate use of the database with potential for malicious use is well recognized in the database literature [2]. Traditionally, only statistical queries (e.g. the use of AVERAGE, COUNT, and SUM operations) are allowed and consultants like Abby are not allowed to enquire about records by other means. Assume the database in Table 2, identifying consumers and book purchases: NW Book denotes a particular ....

....application domains (e.g. committee memberships, voting records) we can argue that being able to deduce a connection itself constitutes a breach of privacy. The second component of the attack is well studied in the database literature as the problem of inference control (see, for instance, [2]) In other words, how can we limit the inference capabilities of a malicious hacker who issues queries to a statistical database In this literature it is assumed that the hacker has somehow already deduced a connection that uniquely identifies a particular individual (such as people who buy ....

[Article contains additional citation context not shown here]

D.E. Denning, P.J. Denning, and M.D. Schwartz. The Tracker: A Threat to Statistical Database Security. ACM Transactions on Database Systems, Vol. 4(1):pages 76--96, March 1979.

....databases on which to build. 3. 1 Statistical databases The production and release of statistical databases has traditionally been concerned with inferences that can reveal private information about an individual using statistical compilations reported about a group containing the individual [8, 9, 10, 11, 12]. Like other data holders, statistics offices are also facing tremendous demand for entityspecific data for applications such as data mining, cost analysis, and retrospective research. But many of the established statistical database techniques, which involve various ways of adding noise [13] to ....

D. Denning, P. Denning, and M. Schwartz. The tracker: A threat to statistical database security. ACM Trans. on Database Systems, 4(1):76--96, March 1979.

....etc. without compromising sensitive information about individuals (see excellent surveys in [AW89] Sho82] The proposed techniques can be broadly classified into query restriction and data perturbation. The query restriction family includes restricting the size of query result (e.g. Fel72] DDS79] controlling the overlap amongst successive queries (e.g. DJL79] keeping audit trail of all answered queries and constantly checking for possible compromise (e.g. CO82] suppression of data cells of small size (e.g. Cox80] and clustering entities into mutually exclusive atomic ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The tracker: A threat to statistical database security. ACM TODS, 4(1):76--96, March 1979.

....of its own. The central issue in statistical database security has to do with the desire to provide accurate and reliable aggregates of data while preventing the disclosure of individual information. This is known to be infeasible if queries to the database are unrestricted and answers are exact [12]. Therefore, the strategies for statistical database protection rely on restricting the type of queries and or perturbing the answers to the queries [1] When a user submits a query to a statistical database, the difficult problem is how to decide whether the query is answerable or not; to make a ....

D. E. Denning, P. J. Denning and M. D. Schwartz, "The tracker: A threat to statistical database security", ACM Transactions on Database Systems, vol. 4, no. 1, pp. 76-96, 1979.

....issue in statistical database security has to do with the desire to provide accurate and reliable aggregates of data while preventing the #exact or partial# disclosure of individual information. This is known to be infeasible if queries to the database are unrestricted and answers are exact #Denning, Denning and Schwartz 1979#. The following assertion by Denning and Denning #1979# is still true nowadays Because queries inevitably carry some information out of the database, one cannot reasonably hope to design a system that is impossible to compromise. An important objective of research in statistical database ....

....desire to provide accurate and reliable aggregates of data while preventing the #exact or partial# disclosure of individual information. This is known to be infeasible if queries to the database are unrestricted and answers are exact #Denning, Denning and Schwartz 1979#. The following assertion by Denning and Denning #1979# is still true nowadays Because queries inevitably carry some information out of the database, one cannot reasonably hope to design a system that is impossible to compromise. An important objective of research in statistical database protection should be to assess the e#ort needed to ....

D. E. Denning, P. J. Denning and M. D. Schwartz #1979# #The tracker: A threat to statistical database security", ACM Transactions on Database Systems, vol. 4, pp. 76-96.

....information to identify an individual, they can determine the value of confidential attributes by asking highly specific COUNT queries which will either return 0 or 1. In particular, methods which simply refuse to answer small cardinality COUNT queries can be defeated by trackers (as described in Denning, Denning and Schwartz (1979) Denning and Schlorer (1980) queries which pad their response counts to sufficient size to circumvent the restrictions on small COUNT queries. The padding introduced by the trackers can be removed, to reveal the desired counts and individual data. Such trackers could, in principle, be defeated ....

Denning, D., Denning, P. and Schwartz, M. (1979). The tracker: A threat to statistical database security, ACM Transactions on Database Systems 4, 79--96.

....of the techniques we show in this paper and the mechanisms proposed in those researches is also an interesting issue. In this paper, we do not discuss properties of aggregate functions on sets. Interesting studies on that topic has been shown in the context of statistical databases [KU77, Chi78, DDS79, DJL79, Bec80, C O82] The result of these researches say, in short, that aggregate functions on a set of data almost always reveal the information on the individual elements of the set. Acknowledgments I would like to thank Atsushi Ohori for his valuable suggestions and discussions through the ....

Dorothy E. Denning, Peter J. Denning, and Mayer D. Schwartz. The tracker: A threat to statistical database security. ACM TODS, 4(1):76--96, Mar. 1979.

....during a session, user queries can be restricted or the query results modified. Diminishing the potential of query restriction control is the finding that through certain sequences of seemingly innocuous unrestricted queries called trackers, the answers to restricted queries can always be deduced [Denning 78] Therefore, response modification, which introduces uncertainty so as to reduce the risk of disclosure, has been the focus of much run time inference control research. 4.3.1.1 Constraint Processors Some MITRE research focuses on handling inferences during query processing [Keefe 89; ....

D. E. Denning, P. J. Denning, and M. D. Schwartz. The Tracker: A Threat to Statistical Database Security. In ACM Trans. Database Systems. 4,1,7-18, March 1978.

....supply enough information to identify an individual, they can determine the value of confidential attributes by asking highly specific COUNT queries which will either return 0 or 1. In particular, methods which simply refuse to answer small cardinality COUNT queries can be defeated by trackers [DDS79, DS80] queries which pad their response counts to sufficient size to circumvent the restrictions on small COUNT queries. The padding introduced by the trackers can be removed, to reveal the desired counts and individual data. Such trackers could, in principle, be defeated by refusing to process ....

D.E. Denning, P.J. Denning, and M.D. Schwartz. The Tracker: A Threat to Statistical Database Security. ACM Transactions on Database Systems, 4(1):79--96, March 1979.

No context found.

D. E. Denning, P. J. Denning and M. D. Schwartz, "The tracker: A threat to statistical database security", ACM Transactions on Database Systems, vol. 4, no. 1, pp. 76-96, 1979.

No context found.

D.E. Denning, P.J. Denning, and M.D. Schwartz, "The Tracker: A Threat to Statistical Database Security," ACM Trans. Database Systems, vol. 4, no. 1, March 1979, pp. 76-96.

No context found.

D. Denning, P. Denning, and M. Schwartz. The tracker: A threat to statistical database security. ACM Transactions on Database Systems, 4(1):76--96, March 1979.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC