Research directions in data and applications security XVIII
IFIP – The International Federation for Information Processing
IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer
Congress held in Paris the previous year. An umbrella organization for societies working in
information processing, IFIP’s aim is two-fold: to support information processing within its
member countries and to encourage technology transfer to developing nations. As its mission
statement clearly states,
IFIP’s mission is to be the leading, truly international, apolitical organization
which encourages and assists in the development, exploitation and application of
information technology for the benefit of all people.
IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through
a number of technical committees, which organize events and publications. IFIP’s events range
from an international congress to local seminars, but the most important are:
The IFIP World Computer Congress, held every second year;
Open conferences;
Working conferences.
The flagship event is the IFIP World Computer Congress, at which both invited and contributed
papers are presented. Contributed papers are rigorously refereed and the rejection rate is high.
As with the Congress, participation in the open conferences is open to all and papers may be
invited or submitted. Again, submitted papers are stringently refereed.
The working conferences are structured differently. They are usually run by a working group and
attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to
innovation and development. Refereeing is less rigorous and papers are subjected to extensive
group discussion.
Publications arising from IFIP events vary. The papers presented at the IFIP World Computer
Congress and at open conferences are published as conference proceedings, while the results of
the working conferences are often published as collections of selected and edited papers.
Any national society whose primary activity is in information may apply to become a full member
of IFIP, although full membership is restricted to one society per country. Full members are
entitled to vote at the annual General Assembly. National societies preferring a less committed
involvement may apply for associate or corresponding membership. Associate members enjoy the
same benefits as full members, but without voting rights. Corresponding members are not
represented in IFIP bodies. Affiliated membership is open to non-national societies, and
individual and honorary membership schemes are also offered.
RESEARCH DIRECTIONS IN DATA AND APPLICATIONS SECURITY XVIII
IFIP TC11 / WG11.3 Eighteenth Annual Conference on
Data and Applications Security
July 25–28, 2004, Sitges, Catalonia, Spain
Edited by
Csilla Farkas
University of South Carolina
USA
Pierangela Samarati
University of Milan
Italy
KLUWER ACADEMIC PUBLISHERS
NEW YORK, BOSTON, DORDRECHT, LONDON, MOSCOW
eBook ISBN: 1-4020-8128-6
Print ISBN: 1-4020-8127-8
Print ©2004 by International Federation for Information Processing.
All rights reserved
No part of this eBook may be reproduced or transmitted in any form or by any means, electronic,
mechanical, recording, or otherwise, without written consent from the Publisher
Created in the United States of America
Boston
©2004 Springer Science + Business Media, Inc.
Visit Springer's eBookstore at: http://www.ebooks.kluweronline.com
and the Springer Global Website Online at: http://www.springeronline.com
Contents
Preface
Conference Organization
Contributing Authors
Part I INVITED TALK I
Invited Talk - Inference Control Problems in Statistical Database Query Systems
Lawrence H. Cox
Part II ACCESS CONTROL
Attribute Mutability in Usage Control
Jaehong Park, Xinwen Zhang, and Ravi Sandhu
Star-Tree: An Index Structure for Efficient Evaluation of Spatiotemporal Authorizations
Vijayalakshmi Atluri and Qi Guo
An Extended Analysis of Delegating Obligations
Andreas Schaad
Implementing Real-Time Update of Access Control Policies
Indrakshi Ray and Tai Xin
Part III DATA PROTECTION TECHNIQUES
Defending Against Additive Attacks with Maximal Errors in Watermarking Relational Databases
Yingjiu Li, Vipin Swarup, and Sushil Jajodia
Performance-Conscious Key Management in Encrypted Databases
Hakan Hacigümüs and Sharad Mehrotra
Damage Discovery in Distributed Database Systems
Yanjun Zuo and Brajendra Panda
Part IV DATABASE THEORY AND INFERENCE CONTROL
Information Flow Analysis for File Systems and Databases Using Labels
Ehud Gudes, Luigi V. Mancini, and Francesco Parisi-Presicce
Refusal in Incomplete Databases
Joachim Biskup and Torben Weibert
Why Is this User Asking so Many Questions? Explaining Sequences of Queries
Aybar C. Acar and Amihai Motro
Part V INVITED TALK II
Invited Talk - Towards Semantics-Aware Access Control
Ernesto Damiani and Sabrina De Capitani di Vimercati
Part VI SYSTEM SECURITY ANALYSIS
RBAC/MAC Security for UML
T. Doan, S. Demurjian, T.C. Ting, and C. Phillips
Secure Bridges: A Means to Conduct Secure Teleconferences over Public Telephones
Inja Youn and Duminda Wijesekera
Part VII ACCESS CONTROL DESIGN AND MANAGEMENT
Policy-based Security Management for Enterprise Systems
R. Mukkamala, L. Chekuri, M. Moharrum, and S. Palley
A Pattern System for Access Control
Torsten Priebe, Eduardo B. Fernandez, Jens I. Mehlau, and Günther Pernul
A Design for Parameterized Roles
Mei Ge and Sylvia L. Osborn
Part VIII DISTRIBUTED SYSTEMS
Efficient Verification of Delegation in Distributed Group Membership Management
Ladislav Huraj and Helmut Reiser
Web Resource Usage Control in RSCLP
Steve Barker
Securely Distributing Centralized Multimedia Content Utilizing Peer-to-Peer Cooperation
Indrajit Ray and Tomas Hajek
Part IX PRIVACY
On The Damage and Compensation of Privacy Leakage
Da-Wei Wang, Churn-Jung Liau, Tsan-sheng Hsu, and Jeremy K.-P. Chen
An Experimental Study of Distortion-Based Techniques for Association Rule Hiding
Emmanuel D. Pontikakis, Achilleas A. Tsitsonis, and Vassilios S. Verykios
Privacy-Preserving Multi-Party Decision Tree Induction
Justin Z. Zhan, LiWu Chang, and Stan Matwin
Part X NETWORK PROTECTION AND CONFIGURATION
Configuring Storage Area Networks for Mandatory Security
Benjamin Aziz, Simon N. Foley, John Herbert, and Garret Swart
A Framework for Trusted Wireless Sensor Networks
Joon S. Park and Abhishek Jain
Author Index
Preface
This volume contains the papers presented at the Eighteenth Annual IFIP
WG 11.3 Conference on Data and Applications Security held in Sitges, Catalonia, Spain on July 25-28, 2004. The purpose of this conference is to present
and disseminate original research results in data and applications security. The
conference provides a forum for researchers and practitioners to discuss their
experiences and enables participants to benefit from scientific discussions.
In response to the call for papers, forty-nine research papers were submitted.
Based on the reviews by program committee members and volunteer reviewers
from the IFIP Working Group 11.3, twenty-three papers were selected for presentation and publication. The conference program also includes two invited
talks and a panel debate. The first invited talk, by Lawrence Cox, discusses statistical data protection methods and presents open problems in securing sensitive data. The second invited talk, by Ernesto Damiani, introduces a new
research direction: semantics-aware access control. Future research directions
for access control models are the topics of the panel debate.
The success of a working conference depends on the volunteer efforts of
many individuals. We would like to thank the authors of the submitted papers,
and the program committee members and referees for their time and effort in
reviewing papers. We also thank Felix Saltor, General Chair, Marta Oliva,
Organizing Chair, and Eduardo Fernández-Medina for their hard work in organizing the conference and taking care of local arrangements. We would like
to thank the invited speakers and panelists for accepting our invitation to contribute to the program. We express special thanks to Andrei Stoica for his help
in collating this volume and Sabrina De Capitani Di Vimercati for her help
with managing the online submissions. Last, but not least, we would like to
thank all the conference attendees and hope you find the program stimulating.
CSILLA FARKAS AND PIERANGELA SAMARATI
Conference Organization
Program co-Chairs
Csilla Farkas, University of South Carolina, USA
Pierangela Samarati, University of Milan, Italy
Organizational co-Chairs
Marta Oliva, University of Lleida, Spain
Eduardo Fernández-Medina, University of Castilla-La Mancha, Spain
General Chair
Fèlix Saltor, Technical University of Catalonia, Spain
Program Committee
Gail-Joon Ahn, University of North Carolina at Charlotte, U.S.A.
Vijay Atluri, Rutgers University, U.S.A.
Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Italy
Eduardo Fernandez-Medina, Univ. of Castilla-La Mancha, Spain
Ehud Gudes, Ben-Gurion University, Israel
Carl Landwehr, National Science Foundation, U.S.A.
Tsau Young Lin, San Jose State University, U.S.A.
Peng Liu, Pennsylvania State University, U.S.A.
Peng Ning, North Carolina State University, U.S.A.
Ravi Mukkamala, Old Dominion University, U.S.A.
Martin Olivier, University of Pretoria, South Africa
Sylvia Osborn, University of Western Ontario, Canada
Indrakshi Ray, Colorado State University, U.S.A.
Indrajit Ray, Colorado State University, U.S.A.
Sujeet Shenoi, University of Tulsa, U.S.A.
David Spooner, Rensselaer Polytechnic Institute, U.S.A.
Bhavani Thuraisingham, NSF and MITRE Corp., U.S.A.
T.C. Ting, University of Connecticut, U.S.A.
Duminda Wijesekera, George Mason University, U.S.A.
External Reviewers
John Campbell
Lawrence Cox
Michael Geisterfer
Rajni Goel
Naren B. Kodali
Donggang Liu
Ioannis Mavridis
Shankar Pal
Peter Ryan
Dongwan Shin
Dan Thomsen
Xintao Wu
Tai Xin
Dingbang Xu
Meng Yu
Contributing Authors
Aybar C. Acar, George Mason University, USA
Vijayalakshmi Atluri, Rutgers University, USA
Benjamin Aziz, University College Cork, Ireland
Steve Barker, King’s College, UK
Joachim Biskup, University of Dortmund, Germany
LiWu Chang, Naval Research Laboratory, USA
Lakshmi Chekuri, Old Dominion University, USA
Jeremy K.-P. Chen, University of Texas, Austin, USA
Lawrence H. Cox, National Center for Health Statistics, USA
Ernesto Damiani, University of Milan, Italy
Sabrina De Capitani di Vimercati, University of Milan, Italy
Steven Demurjian, University of Connecticut, USA
Thuong Doan, University of Connecticut, USA
Eduardo B. Fernandez, Florida Atlantic University, USA
Simon N. Foley, University College Cork, Ireland
Mei Ge, University of Western Ontario, Canada
Ehud Gudes, Ben-Gurion University, Israel
Qi Guo, Rutgers University, USA
Hakan Hacigümüs, IBM Almaden Research Center, USA
Tomas Hajek, Colorado State University, USA
John Herbert, University College Cork, Ireland
Tsan-sheng Hsu, Academia Sinica, Taiwan
Ladislav Huraj, Matthias Bel University, Slovak Republic
Abhishek Jain, Syracuse University, USA
Sushil Jajodia, George Mason University, USA
Yingjiu Li, Singapore Management University, Singapore
Churn-Jung Liau, Academia Sinica, Taiwan
Luigi V. Mancini, University Roma La Sapienza, Italy
Stan Matwin, University of Ottawa, Canada
Jens I. Mehlau, University of Regensburg, Germany
Sharad Mehrotra, University of California, Irvine, USA
Mohammed A. Moharrum, Old Dominion University, USA
Amihai Motro, George Mason University, USA
Ravi Mukkamala, Old Dominion University, USA
Sylvia L. Osborn, The University of Western Ontario, Canada
Saritha Palley, Old Dominion University, USA
Brajendra Panda, University of Arkansas, USA
Francesco Parisi-Presicce, George Mason University, USA
Jaehong Park, George Mason University, USA
Joon S. Park, Syracuse University, USA
Günther Pernul, University of Regensburg, Germany
Charles Phillips, U.S. Military Academy, USA
Emmanuel D. Pontikakis, University of Patras, Greece
Torsten Priebe, University of Regensburg, Germany
Indrajit Ray, Colorado State University, USA
Indrakshi Ray, Colorado State University, USA
Helmut Reiser, Ludwig Maximilian University Munich, Germany
Ravi Sandhu, George Mason University, USA
Andreas Schaad, SAP Labs, France
Garret Swart, University College Cork, Ireland
Vipin Swarup, The MITRE Corporation, USA
T.C. Ting, University of Connecticut, USA
Achilleas A. Tsitsonis, University of Patras, Greece
Vassilios S. Verykios, Research and Academic Computer Technology Institute, Greece
Da-Wei Wang, Academia Sinica, Taiwan
Torben Weibert, University of Dortmund, Germany
Duminda Wijesekera, George Mason University, USA
Tai Xin, Colorado State University, USA
Inja Youn, George Mason University, USA
Justin Z. Zhan, University of Ottawa, Canada
Xinwen Zhang, George Mason University, USA
Yanjun Zuo, University of Arkansas, USA
INVITED TALK - INFERENCE CONTROL
PROBLEMS IN STATISTICAL DATABASE
QUERY SYSTEMS
Lawrence H. Cox
Abstract: The advent of public use statistical database query systems raises problems of
controlling inference of confidential information. Some of these problems are
new while others present new challenges in terms of scalability of
computational algorithms. We examine three problems: obtaining exact
interval estimates of data withheld to address confidentiality concerns;
confidentiality issues associated with the release of ordinary least squares
regression models; and, confidentiality issues associated with the release of
spatial statistical models based on ordinary kriging. For the first, we treat the
database as one large multi-dimensional contingency table (large number of
records, large dimension).
1. INTRODUCTION
National statistical offices (NSOs) collect, verify and refine statistical
data to make reliable information available to policy makers and the public.
By law or regulation and ethical practice, the NSO must preserve the
confidentiality of data pertaining to individual entities such as persons,
businesses, and health care providers.
Prior to 1960, NSOs made statistical information available primarily in
the form of computed or estimated tabulations, defined by cross-classification of only one, two or a small number of variables. The NSO
determined which tabulations to release, first in printed form and later also
in electronic form. Confidentiality protection, more recently called
statistical disclosure limitation, was accomplished by suppressing or
combining selected tabulations or entire sets of tabulations or, less
frequently, by altering tabulations slightly through rounding or incorporation
of random noise. The NSO first determined which tabulations were worth
releasing and then released correspondingly less information in
consideration of confidentiality and data quality concerns.
During the 1960s, first with the Continuous Work History Sample of the
U.S. Social Security Administration, followed by Public Use Microdata
Samples (PUMS) from the 1960 and subsequent U.S. Decennial Censuses,
NSOs began releasing statistical microdata files comprising records
pertaining to individual entities (mostly, persons). The data user was now
free to create all conceivable summaries from the unit record data and,
equally important, to fit statistical, demographic or econometric models to
the microdata. Statistical disclosure limitation became focused on altering
or removing selected microdata records. Longitudinal data presented
confidentiality problems that remain largely unsolved. Emerging research is
directed towards fitting the data to complex statistical models and releasing
instead model-derived synthetic microdata and/or the models themselves.
Disclosure limitation for tabulations and microdata is provably complex,
both theoretically and computationally.
NSOs are considering allowing data users direct access to statistical
databases, either on a public or restricted access basis, via a statistical
database query system. This heightens confidentiality risk and will motivate
disclosure limitation research in coming decades. In this paper, we
investigate through examples some of the confidentiality and data usability
problems raised by the advent of statistical database query systems. Several
problems are illustrated by specialized examples. We focus on two query
paradigms: tabulations from a database organized as a large multidimensional contingency table (Section 4) and simple statistical models
derived from the database, namely, ordinary least squares regression models
and best linear unbiased prediction (kriging) models for spatial data (Section
5). Section 6 contains concluding comments.
2. THE STATISTICAL DATABASE
For purposes here, a statistical database is equivalent to an n-dimensional contingency table: an enumeration of the units from a sample or
population with respect to n cross-classified categorical variables. Each
categorical variable i comprises mutually exclusive and exhaustive
characteristics The size of the n-dimensional contingency table is
Each internal entry of the table equals the number of
units with characteristics Internal entries therefore assume
nonnegative integer values. This characterization is general and flexible. If
every record in the underlying microdata file is uniquely identified by a
combination of characteristics, then the characterization encompasses the