Inference attack

An Inference Attack is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database.^[1] A subject's sensitive information can be considered as leaked if an adversary can infer its real value with a high confidence.^[2] This is an example of breached information security. An Inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it.^[3] The object of Inference attacks is to piece together information at one security level to determine a fact that should be protected at a higher security level.^[4]

Countermeasures

Computer security inference control is the attempt to prevent users to infer classified information from rightfully accessible chunks of information with lower classification. Computer security professionals install protocols into databases to prevent inference attacks by software. Techniques to detect and remove inference channels can be organized into two categories. The first category includes techniques that detect inference channels during database design time. Inference channels are removed by modifying the database design or by increasing the classification levels of some of the data items. Techniques in the second category seek to eliminate inference channel violations during query processing time. If an inference channel is detected, the query is either refused or modified to avoid security violations. While design-time is easier to manage and implement, query-time approach allows more availability of data than in design-time approach because more information (past and present queries/answers) can be used for disclosure inference. Disclosure Monitor (DiMon) detects and eliminates inference channels based on database constraints. A Disclosure Inference Engine (DiIE) is proposed, that generates all information that can be disclosed based on a user’s previous query results, the current query results, and a set of Horn-clause constraints. Dynamic Disclosure Monitor (D2Mon) guarantees data confidentiality and maximal availability even in the presence of inferences and updates. It is our intention to complement an existing access control mechanism (e.g., DAC, MAC, RBAC) to address the inference problem.

MAC: In the Mandatory Access Control (MAC) model, users are given permissions to resources by an administrator. Only an administrator can grant permissions or right to objects and resources. Access to resources is based on an object's security level, while users are granted security clearance. Only administrators can modify an object's security label or a user's security clearance.

DAC: In the Discretionary Access Control (DAC) model, access to resources is based on user's identity. A user is granted permissions to a resource by being placed on an access control list (ACL) associated with resource. An entry on a resource's ACL is known as an Access Control Entry (ACE). When a user (or group) is the owner of an object in the DAC model, the user can grant permission to other users and groups. The DAC model is based on resource ownership.

RBAC: In the Role-Based Access Control (RBAC) model, access to resources is based on the role assigned to a user. In this model, an administrator assigns a user to a role that has certain predetermined right and privileges. Because of the user's association with the role, the user can access certain resources and perform specific tasks. RBAC is also known as Non-Discretionary Access Control. The roles assigned to users are centrally administered. Dynamic Disclosure Monitor Architecture uses this MAC to detect any direct security violation, if any direct security violation is detected the query is rejected then and there, otherwise it is passed through inference engine to disclose data that can be inferred. All the disclosed data obtained from inference engine is again sent to MAC to detect any direct security violation. If any violation is detected the query is rejected, otherwise answered.

References