Probabilistic Inference Channel Detection and Restriction Applied to Patients’ Privacy Assurance

Probabilistic Inference Channel Detection and Restriction Applied to Patients’ Privacy Assurance

Bandar Alhaqbani, Colin Fidge
Copyright: © 2010 |Pages: 25
DOI: 10.4018/jisp.2010100103
(Individual Articles)
No Current Special Offers


Traditional access control models protect sensitive data from unauthorised direct accesses; however, they fail to prevent indirect inferences. Information disclosure via inference channels occurs when secret information is derived from unclassified (non-secure) information and other sources like metadata and public observations. Previously, techniques using precise and fuzzy functional dependencies were proposed to detect inference channels. However, such methods are inappropriate when probabilistic relationships exist among data items that may be used to infer information with a predictable likelihood of accuracy. In this paper, the authors present definitions and algorithms for detecting inference channels in a probabilistic knowledge base and maximising an attacker’s uncertainty by restricting selected inference channels to comply with data confidentiality and privacy requirements. As an illustration, a healthcare scenario is used to show how inference control can be performed on probabilistic relations to address patients’ privacy concerns over Electronic Medical Records. To limit an attacker’s ability to know secret data selected inference channels are restricted by using a Bayesian network that incorporates the information stored within a medical knowledge base to decide which facts must be hidden to limit undesired inferences.
Article Preview


Information systems are essential in many organisations to improve upon and automate business processes. In addition, they extend information accessibility to users outside the organisation’s physical boundary (e.g., through the Internet). Data that is stored and managed by these systems is captured from day-to-day operations and is a crucial input for decision making processes. Damage to, and misuse of, mission-critical data may affect not only a single user or application, but may have disastrous consequences for the entire organisation; therefore securing this data becomes a mandatory requirement.

Information security breaches are typically categorised as unauthorised data observation, incorrect data modification, and data unavailability (Bertino & Sandhu, 2005). Unauthorised data observation is defined as the direct or indirect disclosure of information to users not entitled to gain access to such information. The consequences of such an illegal access may be heavy losses to the organisation from both financial and human points of view as such breaches affect data confidentiality and privacy. Though the term ‘data privacy’ is often used as a synonym for ‘data confidentiality’, the two are quite different. Traditional data confidentiality mechanisms aim to give the owner of data control over its accessibility, whereas privacy means giving the subject of data control over who accesses it. A particular concern with data that has confidentiality or privacy implications is that once information has been released into the public domain it can never be effectively recalled.

Data confidentiality and privacy are breached once an attacker gets access to protected information, either by having illegal direct access to a protected data object or by inferring its value via legal accesses to related data objects. The problem of illegal direct access has gained lots of attention in database research in the last two decades. Applying Mandatory Access Control (MAC) is one of the proposed solutions to control direct accesses to confidential and private data (Brodsky, Farkas, & Jajodia, 2000). This is done by assigning security labels to data objects and security clearances to users, and employing a security-dominating access relation.

However, an attacker who can access unclassified (non-secure) data may still be able to infer secure information by employing metadata. For example, the observation that “Alice is taking the medication didanosine” and the general medical knowledge that “didanosine is prescribed only to treat HIV infections” can be combined easily to produce the information that Alice is an HIV patient. This problem is known in the literature as an inference channel whereby an attacker can combine several pieces of publicly-accessible information in order to infer confidential or private information.

In many situations, however, the relationships between facts are probabilistic or statistical in nature, rather than absolute. For instance, if a particular medication is used to treat several diseases then knowing that a patient takes this medication can be used to infer that the patient has a specific disease only with a certain likelihood. In this paper we present an inference channel detection and restriction technique that uses a Bayesian network and analyses causal probability between data elements. In particular, quantifying the probabilistic size of the channel allows us to restrict it to below a desired threshold, rather than just eliminating it entirely. We illustrate the approach using a healthcare scenario in which patients have privacy concerns over what can be learnt from their Electronic Medical Records (EMRs). We give abstract definitions for what information can be inferred from such records and how such inferences can be limited by hiding specific data items. We then present practical algorithms for restricting inference channels that breach a patient’s privacy desires. Also we show our implemented application that uses the developed algorithms.

Complete Article List

Search this Journal:
Volume 17: 1 Issue (2023)
Volume 16: 4 Issues (2022): 2 Released, 2 Forthcoming
Volume 15: 4 Issues (2021)
Volume 14: 4 Issues (2020)
Volume 13: 4 Issues (2019)
Volume 12: 4 Issues (2018)
Volume 11: 4 Issues (2017)
Volume 10: 4 Issues (2016)
Volume 9: 4 Issues (2015)
Volume 8: 4 Issues (2014)
Volume 7: 4 Issues (2013)
Volume 6: 4 Issues (2012)
Volume 5: 4 Issues (2011)
Volume 4: 4 Issues (2010)
Volume 3: 4 Issues (2009)
Volume 2: 4 Issues (2008)
Volume 1: 4 Issues (2007)
View Complete Journal Contents Listing