Cornelia Tadros

Towards controlled query evaluation for incomplete first-order databases

Controlled Query Evaluation (CQE) protects confidential information, stored in an information system. It prevents harmful inferences due to a users knowledge and reasoning. In this article we extend CQE to incomplete first-order databases, a data model which suits a broader range of applications than a previously studied propositional incomplete data model. Because of the complexity of the underlying implication problem, which describes the users reasoning, the representation of the users knowledge is the main obstacle to effective inference control. For knowledge representation, we introduce first-order modal logic to CQE. Especially, we deal with knowledge about a restricted data model in first-order logic. The restricted data model considered gives rise to a new problem: if the user is aware of the data model, his reasoning must be modeled appropriately. In the analysis of this “reasoning” model we consider both confidentiality and availability. Finally we show, how the considered data model can be reduced to the propositional case and analyze confidentiality properties of the resulting implementation.

Inference-Proof view update transactions with minimal refusals

Publishing information to clients of an information system may leak confidential information. Even more, update transaction protocols must ensure both integrity and confidentiality of information which results in a conflicting situation rather involved. To avoid confidentiality breaches, previous work allow views with misinformation provided to clients. In order to maintain correctness and reliability of information, we propose query and update protocols that refuse client requests for the sake of confidentiality. Further, this article focuses on availability of information in two ways: confidentiality policy specification can impose less strict confidentiality in favor of availability; the proposed transaction protocol is shown to be as cooperative and to provide as much information as possible among a discussed class of transaction protocols. Regarding the confidentiality policy, in our approach the security administrator can choose between protecting only sensitive information in the current instance or even outdated information of previous instances.

Revising belief without revealing secrets

In multiagent systems, agents interact and in particular exchange information to achieve a joint goal, e.g., arrange a meeting, negotiate a sales contract etc. An agent, as a rational reasoner, is able to incorporate new information into her belief about her environment (belief revision) or to share her belief with other agents (query answering). Yet, such an agent might be interested to hide confidential parts of her belief from other negotiating agents while these agents are supposed to reason about her reactions to revisions and queries. We study how an agent can control her reactions to revisions and queries requested by another agent who may attempt to skeptically entail confidential beliefs. As our main contribution, we present procedures that provably enforce confidentiality, to be employed by the reacting agent.

Preserving confidentiality while reacting on iterated queries and belief revisions

In multiagent systems, agents interact and in particular exchange information to achieve a joint goal, e.g., arrange a meeting, negotiate a sales contract etc. An agent, as a rational reasoner, is able to incorporate new information into her belief about her environment (belief revision) or to share her belief with other agents (query answering). Our agent model is based on a common line of research where belief revision is seen as the process of nonmonotonic reasoning from the available information. Yet, such an agent might be interested to hide confidential parts of her belief from another requesting agent and, thus, must control the respective reaction to a revision or query request. As our first contribution, we define the confidentiality aims of the reacting agent and postulate the requesting agent’s capabilities in attacking these interests. In particular, we study an operator by means of which the requesting agent attempts to skeptically entail confidential beliefs of the reacting agent from observed reactions. This skeptical entailment operator is based on a class of nonmonotonic consequence relations such that the reacting agent’s reasoning is implemented as an instance of this class. As our second contribution, we give an algorithmic solution for the reacting agent to enforce her confidentiality aims. To this end, we show how skeptical entailment could be computed via deduction with respect to an appropriate axiomatization of the class of consequence relations on which skeptical entailment is based. In particular, we present control procedures using the skeptical entailment operator and prove that these procedures effectively enforce confidentiality by means of refusal even if the requesting agent also takes their execution into consideration (meta-inference).

Using SAT-Solvers to compute inference-proof database instances

An inference-proof database instance is a published, secure view of an input instance containing secret information with respect to a security policy and a user profile. In this paper, we show how the problem of generating an inference-proof database instance can be represented by the partial maximum satisfiability problem. We present a prototypical implementation that relies on highly efficient SAT-solving technology and study its performance in a number of test cases.

Constructing Inference-Proof Belief Mediators

An information owner might interact with cooperation partners regarding its belief, which is derived from a collection of heterogeneous data sources and can be changed according to perceptions of the partners’ actions. While interacting, the information owner willingly shares some information with a cooperation partner but also might want to keep selected pieces of information confidential. This requirement should even be satisfied if the partner as an intelligent and only semi-honest attacker attempts to infer hidden information from accessible data, also employing background knowledge. For this problem of inference control, we outline and discuss a solution by means of a sophisticated mediator agent. Based on forming an integrated belief from the underlying data sources, the design adapts and combines known approaches to language-based information flow control and controlled interaction execution for logic-based information systems.

Reasoning on Secrecy Constraints under Uncertainty to Classify Possible Actions

Within a multiagent system, we focus on an intelligent agent

Idea: Towards a Vision of Engineering Controlled Interaction Execution for Information Services

\mathcal{D}

Policy-Based Secrecy in the Runs & Systems Framework and Controlled Query Evaluation.

maintaining a view on the world and interacting with another agent

On the Simulation Assumption for Controlled Interaction Processing.

\mathcal{A}