| This dissertation addresses the inference problem in dynamic, multilevel secure (MLS) relational databases (RDB's) when the data items are modified. The inference problem occurs when data classified at a higher level can be inferred from data classified at a lower level. This work proposes a framework and methods to prevent unauthorized inferences in dynamic MLS/RDBs while supporting maximal data availability. The Dynamic Disclosure Monitor (D 2Mon) architecture prevents sensitive data from being inferred even in the presence of data updates. D2Mon uses a mechanism, called Update Consolidator (UpCon), to propagate updates to a user history database. This ensures that no query is rejected based on inferences derived from outdated data. UpCon uses a process, called stamping, that updates the outdated data items in the history database with the updated data items. The stamped history database is used by a Disclosure Inference Engine (DiIE) to compute inferences. D2Mon uses a Mandatory Access Control (MAC) component to determine if sensitive data items are revealed by either direct or indirect accesses.; In addition to securing particular data values, this dissertation extends the protection to an interval of values for an attribute. Although the data items that are revealed by DiIE do not disclose exact data items that are stored in the base relation, it could be the case that the disclosed data items cannot be released because they are too close to the data items that are in the base relation. This dissertation presents a technique that will prevent interval-based inferences. Interval-based inferences are addressed by defining the notation of an attribute interval. An attribute interval is used to identify a range of data items. If an inference is within an attribute interval, then it is considered too close to a previously released data value to be released. If a database update is within the attribute interval, then the current query is rejected; otherwise, the current query is accepted and the query results are released.; The inference algorithms are evaluated from the perspective of soundness (an inference that is found is true) and completeness (all inferences are computed). Complexity analysis and empirical results from a simulation are presented. These results provide insight into the feasibility and usability of the security architecture. |
