Auditing Compliance with a Hippocratic Database

Abstract: We introduce an auditing framework for determining whether a database system is adhering to its data disclosure policies. Users formulate audit expressions to specify the (sensitive) data subject to disclosure review. An audit component accepts audit expressions and returns all queries (deemed "suspicious") that accessed the specified data during their execution.The overhead of our approach on query processing is small, involving primarily the logging of each query string along with other minor annotations. Da… Show more

“…The confidence he is in Paris is 0.64 = 0.4 + 0.4 -(0.4*0.4) and computed from the confidence levels of two tuples confirming that location [19]. We propose to extend the auditing infrastructure presented in [12], and discussed with regard to curation in Section 4.3, to also audit information provenance. The audit will track all logged queries or commands that access tuples containing information specified by an audit expression.…”

“…We suggest extending the audit expression language used in [12] to declaratively specify the curation information to be audited. Because curation auditing targets general updates, the before and after values of update operations should be features of the language.…”

“…Deny rules should also ensure that foreign keys do not leak any information about a table's contents, so access to tuples that have foreign keys to a denied tuple should also be denied. Finally, agencies can deter misuse by proactively auditing past database access [12].…”

“…The audit returns the IDs of logged commands having performed updates that qualify the audit expression. This command log is organized similarly to the query log in [12], which records all queries submitted to the database along with annotations such as the ID of the user submitting the query and the time the query was submitted (see Figure 11). In response to the above audit expression, the system would reveal that David lowered the classification of Lowenhardt's location to "unclassified" at time 4.…”

“…The auditing method in [12] relies on query logs and backlog tables to track the circumstances of past database access. We recommend using a similar infrastructure for curation auditing that stores all updates to data and policy tables in curation backlog tables.…”

Policy-Based Management and Sharing of Sensitive Information Among Government Agencies

“…The confidence he is in Paris is 0.64 = 0.4 + 0.4 -(0.4*0.4) and computed from the confidence levels of two tuples confirming that location [19]. We propose to extend the auditing infrastructure presented in [12], and discussed with regard to curation in Section 4.3, to also audit information provenance. The audit will track all logged queries or commands that access tuples containing information specified by an audit expression.…”

“…We suggest extending the audit expression language used in [12] to declaratively specify the curation information to be audited. Because curation auditing targets general updates, the before and after values of update operations should be features of the language.…”

“…Deny rules should also ensure that foreign keys do not leak any information about a table's contents, so access to tuples that have foreign keys to a denied tuple should also be denied. Finally, agencies can deter misuse by proactively auditing past database access [12].…”

“…The audit returns the IDs of logged commands having performed updates that qualify the audit expression. This command log is organized similarly to the query log in [12], which records all queries submitted to the database along with annotations such as the ID of the user submitting the query and the time the query was submitted (see Figure 11). In response to the above audit expression, the system would reveal that David lowered the classification of Lowenhardt's location to "unclassified" at time 4.…”

“…The auditing method in [12] relies on query logs and backlog tables to track the circumstances of past database access. We recommend using a similar infrastructure for curation auditing that stores all updates to data and policy tables in curation backlog tables.…”

Policy-Based Management and Sharing of Sensitive Information Among Government Agencies

Detecting Privacy Violations in Sensitive XML Databases

A Survey of Query Auditing Techniques for Data Privacy