Article Preview
TopIntroduction
Information systems are essential in many organisations to improve upon and automate business processes. In addition, they extend information accessibility to users outside the organisation’s physical boundary (e.g., through the Internet). Data that is stored and managed by these systems is captured from day-to-day operations and is a crucial input for decision making processes. Damage to, and misuse of, mission-critical data may affect not only a single user or application, but may have disastrous consequences for the entire organisation; therefore securing this data becomes a mandatory requirement.
Information security breaches are typically categorised as unauthorised data observation, incorrect data modification, and data unavailability (Bertino & Sandhu, 2005). Unauthorised data observation is defined as the direct or indirect disclosure of information to users not entitled to gain access to such information. The consequences of such an illegal access may be heavy losses to the organisation from both financial and human points of view as such breaches affect data confidentiality and privacy. Though the term ‘data privacy’ is often used as a synonym for ‘data confidentiality’, the two are quite different. Traditional data confidentiality mechanisms aim to give the owner of data control over its accessibility, whereas privacy means giving the subject of data control over who accesses it. A particular concern with data that has confidentiality or privacy implications is that once information has been released into the public domain it can never be effectively recalled.
Data confidentiality and privacy are breached once an attacker gets access to protected information, either by having illegal direct access to a protected data object or by inferring its value via legal accesses to related data objects. The problem of illegal direct access has gained lots of attention in database research in the last two decades. Applying Mandatory Access Control (MAC) is one of the proposed solutions to control direct accesses to confidential and private data (Brodsky, Farkas, & Jajodia, 2000). This is done by assigning security labels to data objects and security clearances to users, and employing a security-dominating access relation.
However, an attacker who can access unclassified (non-secure) data may still be able to infer secure information by employing metadata. For example, the observation that “Alice is taking the medication didanosine” and the general medical knowledge that “didanosine is prescribed only to treat HIV infections” can be combined easily to produce the information that Alice is an HIV patient. This problem is known in the literature as an inference channel whereby an attacker can combine several pieces of publicly-accessible information in order to infer confidential or private information.
In many situations, however, the relationships between facts are probabilistic or statistical in nature, rather than absolute. For instance, if a particular medication is used to treat several diseases then knowing that a patient takes this medication can be used to infer that the patient has a specific disease only with a certain likelihood. In this paper we present an inference channel detection and restriction technique that uses a Bayesian network and analyses causal probability between data elements. In particular, quantifying the probabilistic size of the channel allows us to restrict it to below a desired threshold, rather than just eliminating it entirely. We illustrate the approach using a healthcare scenario in which patients have privacy concerns over what can be learnt from their Electronic Medical Records (EMRs). We give abstract definitions for what information can be inferred from such records and how such inferences can be limited by hiding specific data items. We then present practical algorithms for restricting inference channels that breach a patient’s privacy desires. Also we show our implemented application that uses the developed algorithms.