Results 1 - 10 of 22
Data swapping: Variations on a theme by dalenius and reiss.
- Journal of Official Statistics, 2005
Securing OLAP data cubes against privacy breaches
- In Proc. IEEE Symp. on Security and Privacy, 2004
Cited by 26 (1 self)
An OLAP (On-line Analytic Processing) system with insufficient security countermeasures may disclose sensitive information and breach an individual’s privacy. Both unauthorized accesses and malicious inferences may lead to such inappropriate disclosures. Existing access control models in relational databases are unsuitable for the multidimensional data cubes used by OLAP. Inference control methods in statistical databases are expensive and apply to limited situations only. We first devise a flexible framework for specifying authorization objects in data cubes. The framework can partition a data cube both vertically based on dimension hierarchies and horizontally based on slices of data. We then study how to control inferences in data cubes. The proposed method eliminates both unauthorized accesses and malicious inferences. Its effectiveness does not depend on specific types of aggregation functions, external knowledge, or sensitivity criteria. The technique is efficient and readily implementable. Its on-line performance overhead is comparable to that of the minimal security requirement. Its enforcement requires little modification to existing OLAP systems.
Masking and Re-identification Methods for Public-Use Microdata: Overview and Research Problems
- 2004
Cited by 20 (2 self)
This paper provides an overview of methods of masking microdata so that the data can be placed in public-use files. It divides the methods according to whether they have been demonstrated to provide analytic properties or not. For those methods that have been shown to provide one or two sets of analytic properties in the masked data, we indicate where the data may have limitations for most analyses and how re-identification might or can be performed. We cover several methods for producing synthetic data and possible computational extensions for better automating the creation of the underlying statistical models. We finish by providing background on analysis-specific and general information-loss metrics to stimulate research.
Auditing Interval-Based Inference
- In Proceedings of the 14th Conference on Advanced Information Systems Engineering (CAiSE’02), 2001
Cited by 18 (8 self)
In this paper we study the feasibility of auditing interval-based inference. Sensitive information about individuals is said to be compromised if an accurate enough interval, called inference interval, is obtained into which the value of the sensitive information must fall.
Cardinality-based Inference Control in Sum-only Data Cubes
- In Proceedings of the 7th European Symposium on Research in Computer Security (ESORICS 2002), 2002
Cited by 14 (7 self)
This paper deals with the inference problems in data warehouses and decision support systems such as on-line analytical processing (OLAP) systems.
Database security and confidentiality: Examining disclosure risk vs. data utility through the RU confidentiality map
- 2004
Cited by 12 (0 self)
Managers of database security must ensure that data access does not compromise the confidentiality afforded data providers, whether individuals or establishments. Recognizing that deidentification of data is generally inadequate to protect confidentiality against attack by a data snooper, managers of information organizations (IOs)—such as statistical agencies, data archives, and trade associations—can implement a variety of disclosure limitation (DL) techniques—such as topcoding, noise addition and data swapping—in developing data products. Desirably, the resulting restricted data have both high data utility U to data users and low disclosure risk R from data snoopers. IOs lack a framework for examining tradeoffs between R and U under a specific DL procedure. They also lack systematic ways of comparing the performance of distinct DL procedures. To provide this framework and facilitate comparisons, the R-U confidentiality map is introduced to trace the joint impact on R and U to changes in the parameters of a DL procedure. Implementation of an R-U confidentiality map is illustrated in the case of multivariate noise addition. Analysis is provided for two important multivariate estimation problems: a data user seeks to estimate linear combinations of means and to estimate regression coefficients. Implications for managers are explored.
New approaches to disclosure limitation while answering queries to a database: protecting numerical confidential data against insider threat based on data or algorithms
- Proceedings of the 39th Hawaii International Conference on System Sciences, 2006
Cited by 8 (2 self)
Confidentiality via Camouflage (CVC) is a practical method for giving unlimited, correct, numerical responses to ad-hoc queries to an on-line database, while not compromising confidential numerical data. Responses are in the form of intervals that are guaranteed to contain the exact answer. Virtually any imaginable query type can be answered and although sharing of query answers among users presents no problem, the threat of insider information is real. In this work we identify two distinct types of insider information, depending on whether the knowledge is of data in the confidential field or of the algorithmic process that is used to answer queries. We show that different realizations of CVC can protect against one type of insider threat or the other, while a combination of realizations can be used if the database administrator is not able to specify the type of threat that is present. Various strategies for dealing with cases where a user poses both types of threats are also presented. Computational experience relates the degradation of answer intervals that can be expected based on the type of threat that is protected against and indicates that, in general, algorithmic threat causes the greatest degradation.
Precisely Answering Multi-dimensional Range Queries Without Privacy Breaches
- ESORICS, 2003
Cited by 8 (4 self)
This paper investigates the privacy breaches caused by multi-dimensional range (MDR) sum queries in OLAP systems. We show that existing inference control methods are generally ineffective or infeasible for MDR queries. We then consider restricting users to even MDR queries (that is, the MDR queries involving even number of data values). We show that the collection of such even MDR queries is safe if and only if a special set of sum-two queries (that is, queries involving exactly two values) is safe. On the basis of this result, we give an efficient method to decide the safety of even MDR queries. Besides safe even MDR queries we show that any odd MDR query is unsafe. Moreover, any such odd MDR query is different from the union of some even MDR queries by only one tuple. We also extend those results to the safe subsets of unsafe even MDR queries.
Cardinality-based Inference Control in Data Cubes
- Journal of Health Services Research and Policy 2001, 2003
Cited by 6 (2 self)
This paper deals with the inference problem of data cube queries in on-line analytical processing (OLAP) systems. Even though OLAP systems restrict user accesses to predefined aggregations, the possibility of inappropriate disclosure of sensitive attribute values still exists. Based on a definition of non-compromiseability to mean that any member of a set of variables satisfying a given set of their aggregates can have more than one value, we derive sufficient conditions for non-compromiseability in sum-only data cubes. Specifically, (1) the non-compromiseability of multi-dimensional aggregates can be reduced to that of one dimensional aggregates, (2) full or dense core cuboids are non-compromiseable, and (3) there is a tight lower bound for the cardinality of a core cuboid to remain non-compromiseable.
Local Recoding by Maximum Weight Matching for Disclosure Control of Microdata Sets
- 1999
Cited by 6 (0 self)
We propose "local recoding" as a new technique for controlling disclosure risk of microdata sets. Compared to the technique of global recoding, where the observed values are grouped into broader intervals or categories throughout the data set, in local recoding different grouping is performed for each observation when necessary. As a means of performing local recoding we propose to form pairs of close individuals and recode observed values within each pair. For optimally forming pairs we can employ Edmonds' algorithm (Edmonds (1965)) of maximum weight matching. We illustrate the technique by applying it to the Japanese vital statistics data.