PART 4 CONCLUSION

Conventional authorization models cannot completely prevent individuals from deriving unauthorized information, because unauthorized accesses need not be attempted. In this paper I have provided an overview of the inference problem, discussed the inferences strategies that users could utilize to draw inferences, and described the design and implementation of a prototype inference controller that can handle certain inference strategies of the users. I believe that due to the complexity of the inference problem, an incremental and integrated approach to handling inference is appropriate. This approach shows promise and will enhance the security of existing multilevel secure database management systems. I have described inference problem in multilevel database management systems, identified the needs for knowledge-based inference control, and discussed the issues involved in developing a knowledge-based inference controller.

In this paper, I introduced private inference control for aggregate queries. The need for inference control is particularly important in the aggregate query setting because it may be possible to use combined queries to extract individual elements from the database, thereby losing the privacy that the restriction to aggregate query setting because it may be possible to use combined queries to extract individual elements from the database, thereby losing the privacy that the restriction to aggregate queries is often used to provide. It also remains open to further extend private inference control additional inference control policies, as well as very ecient solutions for particular kinds of aggregate queries. Of particular interest are inference control policies that depend on the return values themselves, not only the indices of the inputs involved. In

this case, for maximum privacy to be guaranteed, it would also be necessary to incorporate notions of simulatable auditing. More generally, it would be extremely desirable to have private inference control for general keyword-based queries such as SQL provides. We are pursuing this as future research.

In this paper we present a technique that prevents users from inferring sensitive information from a series of seemingly innocuous queries. Compared to the deterministic inference approach in previous works, we include non-deterministic relations into inference channels for query-time inference detection. I have attempted to take a comprehensive look at the problem of inference control and its suggested solutions. This paper is not, by any means, exhausted. There has been an overwhelming amount of research and literature on the subject and it is impossible for any one paper to capture all the subleties and complicated issues. Our approach has been to briefly explain why the methods of inference control are inadequate, and critically compare them. We conclude that data transformations are the right direction at least within the current state of research. Because of the difficulty of the approach there are not many papers on data transformations. The existing literature requires enhancement.

Some inherent problems with the approaches discussed are the following: All previous studies have considered static databases in order to simplify the problem. The term statistical database has been used in substitution of statistical file; most authors actually mean the latter when they refer to statistical databases. Users may be equipped with information other than what is explicitly in records. The approaches have dealt with arbitrary query sets, which a lead to an explosion is complexity. Statistics about particular query sets may be meaningless and as such may never be requested.