Security in Multimedia Web Databases
Caroline M. Eastman
In this research area we consider the problem of security in multimedia information systems, with emphasis on inference problems in multimedia Web databases. This research is conducted as part of the Information Security Laboratory in the Department of Computer Science and Engineering. This lab is under the direction of Dr. Csilla Farkas; it is funded by the National Science Foundation and supports undergraduate and graduate education and research in information security and assurance.
Some aspects of security have been very well studied, including such areas as statistical databases and models of access control. Others, such as inference problems, have been less thoroughly investigated. The inference problem in relational databases arises when a user can combine metadata with nonsensitive information, to which access has been legitimately granted, to infer sensitive information. Even though access to the actual data is restricted, access to the metadata in addition to some of the data may allow the database to be compromised through inference.
One research question investigated with Csilla Farkas and Tyrone Toland (PhD student in Computer Science and Engineering) was the problem of inference in dynamic databases (Farkas, Toland, and Eastman, 2001); this work was an extension of previous work on inference by Dr. Farkas (Brodsky, Farkas, and Jajodia, 2000). As changes are made in a dynamic database, information previously given to a user may become obsolete and no longer useful. Maintenance of a history file allows the system to keep track of user requests and determine which valid inferences can still be made. This means that more information can be made available without compromising the confidentiality of the sensitive information.
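The history-file idea can be made concrete with a small sketch. This is an added example, not the algorithm from the cited papers. It assumes a constructed employee relation in which users may see name-to-rank and rank-to-salary answers but never a name-to-salary association, and in which users know that rank determines salary.

```python
from dataclasses import dataclass, field

@dataclass
class InferenceMonitor:
    """Toy monitor: users may see name->rank and rank->salary, never name->salary."""
    rank_of: dict                      # name -> current rank (constructed data)
    pay_of: dict                       # rank -> salary; users know rank determines salary
    history: dict = field(default_factory=dict)   # user -> answers already released

    def _log(self, user):
        return self.history.setdefault(user, {"rank": {}, "pay": {}})

    def _still_valid(self, user):
        """Keep only the history entries that are still true after updates."""
        log = self._log(user)
        ranks = {n: r for n, r in log["rank"].items() if self.rank_of.get(n) == r}
        pays = {r: s for r, s in log["pay"].items() if self.pay_of.get(r) == s}
        return ranks, pays

    def ask_rank(self, user, name):
        rank = self.rank_of[name]
        _, pays = self._still_valid(user)
        if rank in pays:               # user could chain name -> rank -> salary
            return None                # refuse the query
        self._log(user)["rank"][name] = rank
        return rank

    def ask_pay(self, user, rank):
        ranks, _ = self._still_valid(user)
        if rank in ranks.values():     # a known employee currently holds this rank
            return None                # refuse the query
        self._log(user)["pay"][rank] = self.pay_of[rank]
        return self.pay_of[rank]

    def update_rank(self, name, new_rank):
        self.rank_of[name] = new_rank  # earlier answers about `name` become obsolete

def demo():
    m = InferenceMonitor({"alice": "clerk", "bob": "manager"},
                         {"clerk": 38000, "manager": 72000})
    out = [m.ask_rank("u1", "alice"),       # released
           m.ask_pay("u1", "clerk")]        # refused: would reveal Alice's salary
    m.update_rank("alice", "manager")       # Alice is promoted
    out.append(m.ask_pay("u1", "clerk"))    # released: the old answer is obsolete
    out.append(m.ask_rank("u1", "alice"))   # released: user holds no manager salary
    out.append(m.ask_pay("u1", "manager"))  # refused: Alice is now a known manager
    return out

if __name__ == "__main__":
    print(demo())
```

The third query is the point of the dynamic case: a monitor that ignored updates would keep refusing the clerk salary even though the answer no longer discloses anything about Alice's current pay.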
Another recent research effort considered the problem of security in geographic information system (GIS) databases (De, Eastman, and Farkas, 2002). Work on GIS has been largely independent of that on relational databases, and security has not been seen as a major issue. With the increasing availability of GIS to a broader population and the integration of GIS within geodatabases and multimedia databases, security issues have become more important. We developed a role-based access model that provides access to predefined views and considered various implementation options using existing commercial software (ArcGIS 8.1, ArcSDE 8.1, and MS SQL Server 2000). The most promising implementation option was to maintain separate relations at each security level that can be combined as appropriate when accessed. Although security modules can be provided as wrappers at this time, a more desirable long-term solution is to have security issues adequately addressed in the GIS software itself.
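One way to picture the separate-relations option, as an added example that is not the implementation from the cited paper: it uses SQLite instead of ArcSDE and MS SQL Server, and the level names, role names, table layout and feature rows are all constructed assumptions.

```python
import sqlite3

LEVELS = ["public", "restricted", "secret"]      # assumed ordering, low to high
ROLE_CLEARANCE = {"visitor": 0, "planner": 1, "security_officer": 2}  # hypothetical roles

# Constructed sample features: (level, id, name, geometry as WKT text).
SAMPLE = [("public", 1, "City park", "POINT(10 20)"),
          ("restricted", 2, "Water main valve", "POINT(11 21)"),
          ("secret", 3, "Emergency operations bunker", "POINT(12 22)")]

def build(conn):
    """Create one relation per security level and one predefined view per role."""
    for level in LEVELS:
        conn.execute(f"CREATE TABLE feature_{level} "
                     "(id INTEGER PRIMARY KEY, name TEXT, wkt TEXT)")
    for level, fid, name, wkt in SAMPLE:
        conn.execute(f"INSERT INTO feature_{level} VALUES (?, ?, ?)", (fid, name, wkt))
    for role, clearance in ROLE_CLEARANCE.items():
        # The view combines every relation at or below the role's clearance.
        parts = " UNION ALL ".join(
            f"SELECT id, name, wkt, '{level}' AS level FROM feature_{level}"
            for level in LEVELS[:clearance + 1])
        conn.execute(f"CREATE VIEW view_{role} AS {parts}")

def features_for(conn, role):
    """Query only the predefined view for a known role; unknown roles get nothing."""
    if role not in ROLE_CLEARANCE:               # whitelist before building the SQL
        raise PermissionError(f"no view defined for role {role!r}")
    return conn.execute(
        f"SELECT name, level FROM view_{role} ORDER BY id").fetchall()

def open_demo_db():
    conn = sqlite3.connect(":memory:")
    build(conn)
    return conn

if __name__ == "__main__":
    db = open_demo_db()
    for r in ROLE_CLEARANCE:
        print(r, features_for(db, r))
```

In a real deployment the database would also have to deny each role direct access to the underlying level relations, which SQLite cannot express and which this sketch leaves to the access function.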
The potential addition of a variety of media types and formats to a relational database system opens up new opportunities for database compromise, largely because of the relatively unstructured nature of the resulting multimedia database. In a relational database, the attributes and tuples are well defined, as are the dependencies that constrain the possible values. However, relational databases are being gradually replaced or supplemented with databases containing nontabular data in one form or another, including text, geographic information (GIS), pictures and graphics, sound, and video. XML (Extensible Markup Language) is increasingly used to structure these databases and can encompass a wide variety of information types and structures.
One of the first questions we are addressing is an extension of the inference problem in a relational database. In that narrower context, an inference engine can be constructed which can identify information that should not be released based upon the potential for inference of sensitive information from knowledge of metadata and previous queries. Suppose, however, that the information to be restricted is in fact also present in some form in a nonrelational part of the multimedia database. A user could then infer the sensitive information without accessing the restricted part of the database. So we are now faced with two problems. One is the ability to restrict access to the appropriate nonrelational section of the database. The other, more difficult, problem is that of determining that the duplicative information is, in fact, present in or derivable from the alternative media.
Brodsky, A., Farkas, C., and Jajodia, S. (2000) Secure databases: constraints, inference channels and monitoring disclosures. IEEE Transactions on Knowledge and Data Engineering, 12(6), 900-919.
De, S., Eastman, C., and Farkas, C. (2002) Secure access control in a multi-user geodatabase. ESRI User Conference, 2002. CD-ROM and Web publication. http://www.esri.com/library/userconf/proc02/pap0355/p0355.htm
Farkas, C., Toland, T., and Eastman, C. (2001) The inference problem and updates in relational databases. Proceedings of the 15th IFIP WG11.3 Working Conference on Database and Application Security, Niagara on the Lake, Ontario, Canada, July 15-18, 2001.