This article was downloaded by: [202.161.58.88] On: 09 November 2014, At: 22:09Publisher: Institute for Operations Research and the Management Sciences (INFORMS)INFORMS is located in Maryland, USA
INFORMS Journal on Computing
Publication details, including instructions for authors and subscription information:http://pubsonline.informs.org
Statistical Database Auditing Without Query Denial ThreatHaibing Lu, Jaideep Vaidya, Vijayalakshmi Atluri, Yingjiu Li
To cite this article:Haibing Lu, Jaideep Vaidya, Vijayalakshmi Atluri, Yingjiu Li (2014) Statistical Database Auditing Without Query Denial Threat.INFORMS Journal on Computing
Published online in Articles in Advance 22 Sep 2014
. http://dx.doi.org/10.1287/ijoc.2014.0607
Full terms and conditions of use: http://pubsonline.informs.org/page/terms-and-conditions
This article may be used only for the purposes of research, teaching, and/or private study. Commercial useor systematic downloading (by robots or other automatic processes) is prohibited without explicit Publisherapproval, unless otherwise noted. For more information, contact [email protected].
The Publisher does not warrant or guarantee the article’s accuracy, completeness, merchantability, fitnessfor a particular purpose, or non-infringement. Descriptions of, or references to, products or publications, orinclusion of an advertisement in this article, neither constitutes nor implies a guarantee, endorsement, orsupport of claims made of that product, publication, or service.
Please scroll down for article—it is on subsequent pages
INFORMS is the largest professional society in the world for professionals in the fields of operations research, managementscience, and analytics.For more information on INFORMS, its publications, membership, or meetings visit http://www.informs.org
Yingjiu LiSchool of Information Systems, Singapore Management University, 178902 Singapore, [email protected]
Statistical database auditing is the process of checking aggregate queries that are submitted in a continuousmanner, to prevent inference disclosure. Compared to other data protection mechanisms, auditing has the
features of flexibility and maximum information. Auditing is typically accomplished by examining responses topast queries to determine whether a new query can be answered. It has been recognized that query denials releaseinformation and can cause data disclosure. This paper proposes an auditing mechanism that is free of query denialthreat and applicable to mixed types of aggregate queries, including sum, max, min, deviation, etc. The core ideasare (i) deriving the complete information leakage from each query denial and (ii) carrying the complete leakedinformation derived from past answered and denied queries to audit each new query. The information leakagederiving problem can be formulated as a set of parametric optimization programs, and the whole auditing processcan be modeled as a series of convex optimization problems.
Keywords : statistical database; privacy; auditing; query denial; optimizationHistory : Accepted by Alexander Tuzhilin, (former) Area Editor for Knowledge and Data Management; received
October 2012; revised August 2013, February 2014; accepted April 2014. Published online in Articles in Advance.
1. IntroductionInformation technologies have been extensively usedto collect and share personal data in areas such ashealthcare research, crime analysis, customer relation-ship management, credit analysis, and demographics.Although it has provided much convenience to ourwork and daily lives, it has raised strong public con-cerns about individual privacy. In the healthcare indus-try, we have recently observed rapid transition towardelectronic medical records and data sharing. It has beenreported that more than 70 million Americans havesome portion of their medical records in electronicformat (Kaelber et al. 2008). Healthcare researcherscan even access individual Medicare and Medicaidclaims data at the website of The Center of Medicareand Medicaid Service, a federal agency. Indeed, manymedical identity theft cases have been reported due toelectronic medical records, e.g., Agrawal and Budetti(2012). In demographics, it was found that 87% ofthe U.S. population is uniquely identified by {date ofbirth, gender, postal code} from the 1990 U.S. Censussummary data (Sweeney 2002). Privacy scandals canseriously damage a company’s reputation and credibil-ity. In August 2006, AOL released a file containing 20million search queries for more than 640,000 users, not
including the identities of the users, with the inten-tion to provide data for research into online browsingbehavior. It was soon found that many users couldbe easily reidentified by analyzing those seeminglyinnocuous queries. This caused several lawsuits andlegal complaints against AOL.
Various protection mechanisms have been proposesto address the data privacy concern. A conventionalapproach focuses on designing statistical databases(SDBs) and forming restrictions for accessing con-fidential data. A SDB (Adam and Wortmann 1989)typically refers to a database used for statistical analy-sis purposes. An important example is the databasemaintained by the U.S. Census Bureau. While a SDBcontains data at the individual record level, users aretypically only allowed to ask queries over aggregates.This is to protect the privacy of data that may besensitive at the individual record level. For example, ifthe record-level data include private information, suchas salary, product cost, and patient health information,the database users should only be allowed to accessinnocuous statistics over groups. With knowledge ofenough aggregate statistics, sophisticated adversariescan infer confidential data.
Securing SDBs has been the focus of much researchsince the late 1970s. To control inference from aggregate
statistics, many mechanisms have been proposes. Theyinclude auditing queries, e.g., Chin and Özsoyoglu(1982), Chowdhury et al. (1999), query restrictions, e.g.,Friedman and Hoffman (1980), Nunez et al. (2007),Dobkin et al. (1979), perturbation, e.g., Matloff (1986),Muralidhar et al. (1999), Lee et al. (2010), Muralidharet al. (1995), Li and Sarkar (2006), Sarathy et al. (2002),Li and Sarkar (2013), cell suppression, e.g., Castro(2007), Fischetti and Salazar (2001), providing approxi-mate answers, e.g., Kadane et al. (2006), Garfinkel et al.(2002), anonymous data collection, e.g., Kumar et al.(2010), and data shuffling or swapping, e.g., Muralidharand Sarathy (2006), Li and Sarkar (2011). A good surveyof classic inference control techniques on SDBs canbe found in Adam and Wortmann (1989). A surveyof current advancements on privacy in data publish-ing, e.g., k-anonymity (Samarati and Sweeney 1998),l-diversity (Machanavajjhala et al. 2006), t-closeness(Li et al. 2007), and differential privacy (Dwork 2008),can be found in Fung et al. (2010).
Clearly, not one proposes protection mechanism issuitable for all SDBs. But among various protectionmechanisms, auditing has attracted substantial researchinterests over the past three decades with its earliestdiscussion dated back to the 1970s (Chin 1978, Schlorer1975). Auditing is the continuous monitoring of theuser’s knowledge that is derived from responses to pastqueries and used to determine how to respond to anew query. As one of the better protection mechanisms,the features of auditing are well described by Chin andÖzsoyoglu (1982) as: (i) Absolute security: By checkingthe query history, auditing allows us to answer aquery only when it is secure to do so. (ii) Maximuminformation: Given the query history, auditing canprovide the maximum information to users, whichincludes accurate answers and as many query answersto the user as the security permits. (iii) Flexibility: It isflexible to use because protection can be tailored todifferent sets of queries of users’ choice.
Chin and Özsoyoglu (1981) proposes the first formalscheme for auditing. It is to deny a query when theanswer combined with past query answers can compro-mise the database. There exist efficient implementationalgorithms. For example, to audit sum-only queriesto prevent full disclosure, by representing answeredqueries and the new query with a matrix and per-forming Gauss transform, one can quickly determinewhether answering the new query would comprise thedatabase. The scheme has been used for decades as ade facto scheme for auditing, which we call conven-tional auditing. Much of the following research focus onvarious aspects of auditing, like improving algorithmperformance (Lu et al. 2009), auditing multidimensionalSDBs (Wang et al. 2003, Lu and Li 2008, Li and Lu 2008,Wang et al. 2004), preventing interval-based inference(Li et al. 2003), etc.
Recently, Kenthapadi et al. (2005) discovered a fun-damental security flaw in conventional auditing. Querydenials release information too. Conventional auditingfails to take the fact into consideration and causesprivacy disclosure in some cases. To illustrate it, weborrow the example used in Kenthapadi et al. (2005).A database has three variables 8x11 x21 x39 of the samevalue 5 and the auditing goal is to prevent full disclo-sure. The first query is the sum of the three variablesand answered. The second query is the maximum of thethree variables and denied because the answer impliesall three variables are 5. However, when the query isdenied, given the fact that a query is denied only if theanswer would cause full disclosure, a sophisticatedadversary can figure out that the denied answer mustbe 5.
Kenthapadi et al. (2005) proposes a new schemecalled simulatable auditing. It examines a new querysolely based on past query answers without consultingthe database. A new query is denied if there existsa database solution, which satisfies all past queryanswers, and the answer to the new query wouldcomprise that database. Indeed, this scheme effectivelyprevents the query denial threat, whereas the datautility is significantly hurt. Suppose a database containsall nonnegative elements. Then any sum query cannotbe answered, because if all elements are 0s, which isa feasible database solution, then the query answercomprises the database. Being aware of the issue,Kenthapadi et al. (2005) further proposes a relaxedscheme. At each auditing time, it samples a large num-ber of feasible database solutions, which are consistentto the past query answers. If answering a new querydoes not cause privacy disclosure for the majority of thesampled solutions, then answer the query. The schemehas two limitations: (i) Computationally expense. It isdifficult to sample a feasible database solution thatsatisfies all past query answers, while a large numberof feasible database solutions need to be generatedat each auditing time. (ii) No guarantee of security.It is because the sampled large number of databasesolutions may not include the real database. However,their work renewed research interest in auditing.
Malvestuto and Moscarini (2006) proposes anotherauditing scheme for sum-only queries that we call mod-ified conventional auditing. The scheme adds one morestep to the conventional auditing. At each auditingtime, it firstly computes the bounds of the answer tothe new query by inspecting past answered queries.Then it computes the bounds of each database variableby inspecting past answered queries and the derivedbounds of the answer to the new query. As the boundsof the answer to the new query are derived fromthe past answered queries, it does not improve onthe estimation of the bounds of database variables.Therefore the modified conventional auditing scheme
would always reach the same decisions as the conven-tional auditing scheme, and hence is insecure. Whatthe two schemes ignore is that an adversary can obtainadditional knowledge from past queries.
In this paper, we study SDBs auditing on varioustypes of queries, including sum, max, min, and devi-ation. We propose an auditing framework, free ofthe query denial threat. We strictly comply with theoriginal premise of auditing: continuously monitor theuser’s knowledge that is derived from responses topast queries and use it to determine how to respond toa new query. But we are aware that responses includeboth query answers and denials. We will proposethe first solution to derive the complete informationleakage from a query denial. We are also aware ofdifferent natures of various query types, as sum anddeviation are of continuous nature, and max and minpossess discrete nature. The discrete nature of querieswould cause full disclosure of element values whena query denial occurs. To eliminate the query denialthreat caused by the inherent discrete nature of maxand min queries, we employ the simulatable auditingscheme as an auxiliary step to our general auditingframework.
Our contributions can be summarized as: (i) Wepresent an auditing framework, free of the querydenial threat, for various types of queries, includingsum, max, min, and deviation. Note that deviationqueries have never been studied in the auditing setting.(ii) We provide the first solution to derive the completeinformation leaked from a query denial. (iii) We designimplementation algorithms built on existing parametricoptimization results.
2. SumSum is the most common aggregate query type andsupported in all database systems. We start withsum queries, which are also the focus of the auditingresearch. We first introduce the problem setting. Wedenote a SDB with n elements by 8x11 0 0 0 1 xn9, and theprior-known bounds on elements by L ≤ X ≤ U . Ifnone, then L and U are −� and �, respectively. Theprior-known bounds are to reflect reality. For instance,a person’s salary cannot be negative. We are awarethat in some cases adversaries may have more priorinformation than the bounds of data values. We are alsoaware that approaches like differential privacy (Dwork2008) can be used against arbitrary prior knowledge.The consequence of guarding against arbitrary priorknowledge is the significant degradation of the utilityof data, which we will discuss explicitly in §6. A useris allowed to continuously submit a sum query of∑
i∈S xi over any data group S. The task of auditing isto prevent an adversary from breaching the databaseprivacy. Full disclosure is commonly studied in the
auditing literature. However, one may argue that avariable of 100 is nearly disclosed if an adversaryascertains that the variable is between 99 and 101. Inthis paper, we adopt the interval-based privacy notion(Li et al. 2003) defined as follows.
Definition 1 (Interval-Based Privacy). A variablexi is considered safe if one cannot ascertain that xiresides in an interval with length less than �i, the safethreshold for xi.
Suppose a variable xi with threshold value 5. If oneascertains that xi is within 60157, xi is consideredsafe. But if the interval is improved to 60147, then xiis compromised. We are aware that there are otherprivacy notions, such as k-anonymity, l-diversity, anddistribution-based privacy notions. Because we considera SDB with all numerical values, this paper uses theinterval-based privacy notion. The auditing problemcan then be described as the following.
Definition 2 (Auditing Problem). Devise an effi-cient and effective query response strategy such that allvariables are safe regarding the interval-based privacynotion.
2.1. Existing Auditing SchemesBefore we present our auditing scheme, we firstexamine the limitations of existing auditing schemes.To illustrate them, throughout this section, we willuse one example as follows. A nonnegative numericdatabase consists of variables 8x11x21x31x41x59. Theyare 81011012121109 with safe thresholds 85151111169,respectively. Queries 8Q11Q21Q31Q49 with their accu-rate answers are listed in the following order:
Q1: x1 + x2 = 201
Q2: x1 + x3 = 121
Q3: x2 + x4 = 121
Q4: x1 + x5 = 200
Conventional Auditing. Conventional auditing is thefirst proposes auditing scheme in the literature. It canbe formally stated as the following.
Definition 3 (Conventional Auditing). When-ever a new query is posed, if the answer to it, whencombined with past query answers, can infer that forone variable the difference of its lower and upperbound is less than or equal to its safe threshold, denythe query, otherwise answer it.
To implement conventional auditing, the auditor onlyneeds to continuously solve LPs as formulated in (1),where AX = b represents the past answered queries,
According to conventional auditing, Q1 is firstanswered, because returning the answer of 20 onlyhelps refine the bounds for 8x11x29 to 601207; Q2 isanswered as well, although the bounds of x1 and x2 arerefined to 601127 and 681207, respectively. However, ifQ3 is answered, the bounds for both x1 and x2 wouldbe refined to 681127. The interval length is 4, which isless than their safe threshold 5. Therefore Q3 should bedenied. The system will proceed to examine Q4. To doso, the system needs to solve the following LPs:
The result is x1 ∈ 601127, x2 ∈ 681207, x3 ∈ 601127, x4 ≥ 0,and x5 ∈ 681207. Every variable is considered to besafe regarding their safe thresholds. Therefore, Q4 isanswered.
However, this is wrong. If Q4 is answered, x5 will bedisclosed, as it can be deduced to fall in 681137, andthe length is less than its safe threshold 6. The reasonis that the denial of Q3 releases some information.
To explain the reason, let us first denote the realanswer to Q3 by A3. Given Q12 x1 +x2 = 20, Q22 x1 +x3 =
12, and Q32 x2 + x4 =A3, it is not difficult to infer thatx1 ∈ 620 −A31127, x2 ∈ 681A37, x3 ∈ 601min8121A3 − 897,and x4 ∈ 601A3 − 87. Denying Q3 implies that if A3 isreleased, at least for one variable, the difference of itslower and upper bounds becomes less than or equal toits safe threshold. The following are four possibilities:
For cases x1 and x2, A3 ∈ 4−�1137. For cases x3and x4, A3 ∈ 4−�197. Because the adversary cannotascertain which variables are to be disclosed, all he caninfer is A3 ∈ 4−�1137∪ 4−�197= 4−�1137.
Given the answered Q2 of x1 + x3 = 12, we havex1 ≤ 12. By combining it with the answered Q1 of
x1 + x2 = 20, we further have x2 ≥ 8. Therefore, A3 =
x2 + x4 ≥ 8. Finally, from the denial of Q3 in addition tothe past two query answers, one can infer 8 ≤A3 ≤ 13.
Given 8 ≤ A3 ≤ 13 derived from the denial of Q3,the adversary can deduce x1 ∈ 671127 and x2 ∈ 681137,which make the privacy of both x1 and x2 at the edgeof being breached with safe thresholds of 5. However,they are still considered to be safe according to thedata disclosure definition.
The real threat of the query denial of Q3 comeswhen auditing Q4. By solving LPs (4), where Q32 8 ≤
x2 + x4 ≤ 13 is the complete information leakage fromthe denial of Q3, x5 is deduced to fall in 681137. Hencethe privacy of x5 is breached, because its safe thresholdis 6. However, conventional auditing fails to detect thebreach:
Simulatable Auditing. Simulatable auditing was pro-posed to prevent the attack of query denials. Its basicidea is essentially to protect data privacy by denyingany suspicious query that may cause trouble. Its origi-nal definition as stated in Kenthapadi et al. (2005) isgiven as follows.
Definition 4 (Simulatable Auditing (Kenthapadiet al. 2005)). An auditor is simulatable if the decisionto deny or give an answer to the query qt is madebased exclusively on q11 0 0 0 1 qt and a11 0 0 0 1 at−1 (and notat and not the data set X = 8x11 0 0 0 1 xn9), and possiblyalso the underlying probability distribution D fromwhich the data was drawn.
To achieve such a simulatable auditing, Kenthapadiet al. (2005) proposes to do the following. Given previ-ously posed queries 8q11 0 0 0 1 qm−19 and their answers8a11 0 0 0 1 am−19, a newly posed query qm will be denied if(i) there exists a feasible answer a′
m to the new query qm,which is consistent with all past query answers and(ii) releasing a′
m would breach some variable’s privacy.The essential idea of simulatable auditing is to denymore queries, including innocent queries to achievedata security. However, it suffers from the serious datautility issue.
Look at Q12 x1 + x2 = 20 in the previous example.Obviously x1 + x2 = 0 is a feasible answer to the query.If the answer is 0, given all variables are nonnegative,both x1 and x2 are 0, and hence uniquely identified.According to simulatable auditing, Q1 should be denied,as well as all subsequent queries.
Modified Conventional Auditing. Malvestuto andMoscarini (2006) propose an auditing scheme for sumqueries, which attempts to solve the query denial issue.Its basic idea is summarized as the following.
Definition 5 (Modified Conventional Auditing).Whenever a new query is posed, if the answer to itwhen combined with past query answers does notthreaten data privacy, answer the query; otherwise,return an approximate answer, the bounds of the realanswer, which are derived from past query answers.
The scheme adds one more step to conventionalauditing: If the answer to a new query is determinedto be dangerous, derive the bounds of the real answerfrom past query answers and release such boundsinstead of the real answer. However, the query submit-ter alone can derive such released bounds, as he knowsall past query answers. In fact, an intelligent adversarycan infer more information. Releasing bounds is thesame as telling the query submitter that the real answerwould make some variable to be in danger. Thus thequery submitter can narrow the denied real answerand would eventually use the narrowed results tothreaten data privacy. Therefore, modified conventionalauditing still suffers from the attack of query denials asconventional auditing, because it inaccurately calculatesthe complete information leakage from query denials.
To illustrate, look at the previous example again.Q1 and Q2 are answered, and Q3 obviously should bedenied. Instead of denying Q3, modified conventionalauditing derives the lower and upper bounds of Q3based on past query answers and returns such anapproximate answer to the query submitter. By solvingLPs (5), the constraints of which are answers to Q1and Q2, x2 + x4 is limited to 681+�5, which is issued tothe user and will be carried over to audit subsequentqueries.
The results of the above LP suggest that x1 ∈ 601127,x2 ∈ 681207, x3 ∈ 601127, x4 ≥ 0, and x5 ∈ 681207, whichis exactly the same as the results of conventional
auditing. Hence, according to modified conventionalauditing, Q4 is answered. However, as explained before,releasing Q4 would infer x5 ∈ 681137, and hence breachthe privacy of x5. The reason modified conventionalauditing fails is because it inaccurately calculates thecomplete information leakage from a query denial. Thedenial of Q3, in fact, can narrow down the answer ofQ3 to 681137 instead of 681+�5.
2.2. New Auditing SchemeFrom the previous example, we observe that thereis no privacy threat if every query is inspected byincorporating complete information released fromboth past query answers and denials. The observationnaturally leads to the prototype of our new auditingscheme as follows.
At each auditing time, the lower and upper boundsof every variable are derived by inspecting completeinformation released from both past query answersand denials along with the current query.
If we strictly comply with the above auditing scheme,it is unlikely to find a practical implementation algo-rithm. It is because a denied answer can be narroweddown to a feasible solution region composed of dis-crete intervals. Because discrete intervals cannot beformulated as linear equalities or inequalities employedin a standard LP form, it poses great difficulty forinspecting the subsequent queries. We are still able tosolve the problem by formulating it as a mixed-integerprogramming (MIP) problem by introducing slackinteger variables, and MIP is generally NP-hard (Gareyand Johnson 1979).
To further elaborate, consider the following exampleof nonnegative variables 8x11x21x31x49, all with safethresholds of 1. Suppose the following two queries areposed, where � denotes the answer of x1 + x2:
Q12 x1 + x2 + x3 + x4 = 51
Q22 x1 + x2 = �0(7)
Q1 is answered and then Q2 is denied. Because Q2is denied, an adversary would know that the answerof Q2 can infer an interval of some variable’s value,with length equal to or less than the variable’s safethreshold. Furthermore, the adversary can infer that� must fall in either 60117 or 64157. When � ∈ 60117,as 0 ≤ x1, x2 ≤ �, x1, and x2 suffer from the disclosurethreat, and hence Q2 has to be denied. When � ∈
64157, as 0 ≤ x3, x4 ≤ 5 −�, x3, and x4 suffer from thedisclosure threat, and hence Q2 needs to be denied.Denying Q2 is equivalent to releasing the informationof � ∈ 60117∪ 64157. If we need to carry this informationover to inspect subsequent queries, when auditing thefollowing query, the formulated optimization problemsfor deriving bounds of involved variables are no longerconvex optimization problems.
To address the issue, we propose a refined versionof the previous auditing scheme.
Definition 6 (Auditing Sum Queries). At eachauditing time, for each variable, derive its lower andupper bounds by inspecting both exact and approxi-mate query answers in the past along with the newquery:
• If the difference of the lower and upper boundsfor every variable is greater than its safe threshold,return the exact answer;
• Else, return an approximate answer, which isobtained by deriving the region of possible deniedquery answers (which could include multiple separateintervals), and returning the interval in the region thatcontains the real answer.
Note that if the region of possible denied answersinclude multiple nonoverlapping intervals, we returnthe interval containing the real answer, which cor-responds to a lower and upper bound of the realanswer.
To illustrate it, we still consider example (7). Supposex1 = 004, x2 = 004, x3 = 002, x4 = 4, and Q22 x1 + x2 = 008.Even though denying a query only helps infer � ∈
60117∪ 64157, we release � ∈ 60117. The information wereturn is more than what a query denial implies (sincewe in effect reveal which variables’ privacy is beingthreatened). The reason we return such an intervalis because the returned information still makes thewhole feasible solution space to be convex. Then toaudit subsequent queries, we are still able to formulateit as a series of LPs.
2.3. Security AnalysisIs the auditing scheme for sum queries secure? Thissection will answer this question. First, let us examinehow information is released from a query denial. Froman adversary’s perspective, if a query is denied, theremust exist some variable such that the difference ofits lower and upper bounds is less than or equal toits safe threshold, given the denied query’s answer.If xi causes the query denial, one can deduce a feasiblesolution region feasiblei4�5 of the denied answer �, suchthat � being any value in feasiblei4�5 would make thedifference of xi’s lower and upper bounds less than orequal to its safe threshold. But the adversary has noknowledge of which variable (variables) causes thequery denial. Therefore the complete information leak-age from a query denial is
⋃
i feasiblei4�5. The followingtheorem is used to prove that each feasiblei4�5 must beone continuous interval.
Theorem 1. If given 8AX = b1 aX = �1L≤X ≤U9, thevalues, which � can have so that it is possible to deduce thatthe difference of the lower and upper bounds of xi is lessthan or equal to �i, must be one continuous interval.
Denote S to be the value set of � such that ∀� ∈S,8AX = b1 aX = �1L≤X ≤U9 deduces xi’s upper boundof max�4xi5, and xi’s lower bound of min�4xi5, suchthat max�4xi5− min�4xi5≤ �i. Theorem 1 proves that if�11�2 ∈S, and �2 >�1, any �3 ∈ 6�11�27 must belong toS, in other words, max�3
4xi5− min�34xi5≤ �i. Because
max�34xi5− min�3
4xi5≤ �i is equivalent to that for anypair of solutions X14�35 and X24�35, both of whichsatisfy constraints of 8AX = b1aX = �31L ≤ X ≤ U9,�X1
i 4�35−X2i 4�35� ≤ �i holds, where X1
i 4�35 and X2i 4�35
denote the values of xi.For any �3 ∈ 6�11�27, we can represent �3 as �3 =
��1 + 41 − �5�2, where � ∈ 60117. Any feasible solutionX4�35 satisfying 8AX = b3aX = �33L≤X ≤U9 can berepresented as X4�35= �X4�15+ 41−�5X4�25 as well.This can be seen as follows:
��1 + 41 − �5�2 = �3;• X4�35= �X4�15+ 41 − �5X4�25≥ 4�+ 41 − �55L≥ L;• X4�35= �X4�15+ 41 −�5X4�25≤ 4�+ 41 −�55U ≤U .Next, we will prove that for any X14�35 and X24�35,
�X1i 4�35−X2
i 4�35� ≤ �i holds:∣
∣X1i 4�35−X2
i 4�35∣
∣
=∣
∣�X1i 4�15+41−�5X1
i 4�25−4�X2i 4�15+41−�5X2
i 4�255∣
∣
=∣
∣�4X1i −X2
i 5+41−�54X1i −X2
i 5∣
∣≤�i0
Theorem 1 shows that each feasiblei4x5 is one continu-ous interval. When a query denial occurs, the adversaryhas no knowledge of which variable (variables) causesthe query denial. The complete information leakagefrom a query denial is � ∈
⋃
i feasiblei4x5, where 8xi9are all involved variables. The complete informationleakage
⋃
i feasiblei4x5 could be one continuous intervalor multiple discrete intervals. Without loss of generality,⋃
i feasiblei4x5 can be represented by⋃
j 6Lj1Uj 7, where86Lj1Uj79 are nonoverlapping intervals. The auditingscheme is to release the single interval 6Lj1Uj 7, whichcontains the true answer, and carry it over to inspectsubsequent queries. Now, the security question is:would releasing � ∈ 6Lj1Uj 7 threaten data privacy?
Theorem 2. Suppose the past exact and approximatequery answers do not breach data privacy, a new query isdenied according to the auditing scheme for sum queries,and
⋃
j 6Lj1Uj 7, where 86Lj1Uj 79 are nonoverlapping, is thederived possible values of the denied answer �. Returningthe interval 6Lj1Uj 7, which contains the real query answer,does not threaten data privacy.
For convenience, we represent past exact answersand approximate answers as 8A1X = b3LB ≤A2X ≤UB9,and the new query as aX.
It is known that⋃
j6Lj1Uj7 =⋃
i feasiblei4�5, wherefeasiblei4�5 is the feasible value of the denied answer
� given xi causes the query denial. Theorem 1 statesthat feasiblei4�5 is a continuous interval. Therefore thereturned interval 6Lj1Uj7 must be the union of somefeasiblei4�5.
As such, all involved variables 8xi9 can be dividedinto two groups, one group with feasiblei4�5 belongingto 6Lj1Uj7, and the other group with feasiblei4�5 notbelonging to 6Lj1Uj7. If xi has feasiblei4�5 ⊆ 6Lj1Uj7,releasing 6Lj1Uj7 cannot breach the privacy of xi. Itis because 8A1X = b3aX ∈ 6Lj1Uj73LB ≤ A2X ≤ UB9cannot infer information more than 8A1X = b3aX ∈
feasiblei4�53LB ≤A2X ≤UB9, which only deduces aninterval of xi with length equal to �i, in which case xi isstill considered safe. If xi has feasiblei4�5 not belongingto 6Lj1Uj 7, releasing 6Lj1Uj 7 obviously does not affectthe privacy of xi at all.
2.4. Deriving Information LeakageThis section studies how to derive feasiblei4�5, the pos-sible values of the denied answer �, which would limitthe feasible solutions of xi to an interval with lengthless than or equal to its safe threshold. Suppose wehave answered a set of queries, which can be repre-sented by the equation system 8AX = b1L≤X ≤U9,where L≤X ≤U are prior known bounds for X andhave not denied any query yet. Assume a new queryaX, whose real answer is �, arrives. After solvinga series of LPs as (8) for all involved variables, theauditor decides to deny the query.
min4max5 xi
s.t.
AX = b1
aX = �1
L≤X ≤U0
(8)
As stated before, from the adversary’s perspective,the reason for this denial must be that for some vari-able xi, the difference of its upper bound and its lowerbound is less than or equal to its safe threshold �i.The problem of finding feasiblei4�5 can be described asfollows.
Problem 1. If given 8AX = b1 aX = �1L≤X ≤U9 forvariable xi, what values can � have so that max�4xi5−min�4xi5 ≤ �i, where max�4xi5 and min�4xi5 denotethe maximum and minimum values that xi can takegiven �?
When � is treated as an unknown parameter, theoptimization problem (8) becomes a typical right-handside (RHS) parametric LP problem. A RHS parametricLP problem is a LP problem with a variable (parameter)on the right-hand side of the linear constraints. Thestudy of RHS parametric LP can be traced back to thebeginning of operations research (Dantzig 1963). It hasbeen shown that the optimal objective function valueof a RHS parametric LP problem is a piecewise linear
function of the parameter. There exists an efficientalgorithm to derive such a function (Vanderbei 2008).The basic procedure is as follows: first, choose a feasiblevalue of � and determine its characteristic interval,where the objective function optimality does not change;then study adjacent characteristic intervals till thewhole real region is traversed.
We adopt the algorithm to deduce feasiblei4�5. First,use the algorithm to determine a piecewise function,say, f 1
i 4�5, for max�4xi5, and a piecewise function,say, f 2
i 4�5, for min�4xi5. Then feasiblei4�5 is the feasiblevalues of � that make f 1
i 4�5− f 1i 4�5≤ �i.
To illustrate this process, we reconsider the exampleemployed in §2. As explained before, Q32 x2 + x4 = 12has to be denied, because it can breach the privacy of x1and x2. Denote � to be the answer to Q3. Given Q3 beingdenied, we demonstrate how to compute feasible14�5,the feasible values of � that make the difference oflower and upper bounds of x1 less than or equal to itssafe threshold 5.
max4min5 x1
s.t.
x1 + x2 = 201x1 + x3 = 121x2 + x4 = �1
x11x21x31x4 ≥ 00
(9)
By solving the RHS parametric LP (9), we find thatmax x1 is 12 when �≥ 8, while it is infeasible to have�< 8. When 8 ≤ �≤ 20, min x1 is 20 −�, and when�≥ 20, min x1 is 0. The piecewise functions of max x1and min x2 dependent on � are depicted in Figure 1.It is not difficult to see that feasible14�5 is [8, 13].
2.5. DiscussionIn this section, we briefly discuss the two concernsthat some people may have: (i) the auditing schemereleases more information than necessary and (ii) anauditing process needs to solve a large number of LPs.
With the auditing scheme, feasible solutions aremaintained in a convex space. As such, whether audit-ing a query or deriving information from a query
denial, the auditor only needs to solve a number oflinear programs. However, the benefit comes at thecost of leaking more information than necessary, aswe release the specific interval of the denied answer.If the auditor does not feel comfortable with this sce-nario, he or she can simply take more computationaleffort to derive and release all intervals that the deniedanswer may fall in by employing the same informationleakage deriving method and carry them on to auditsubsequent queries. In particular, when the first querydenial occurs, because the previous queries constitutea polytope, the auditor can use the exact same methodto drive the feasible intervals of the denied answer.But for subsequent query denials, the auditor cannotemploy the method directly to derive informationleakage, because the feasible region of the previouslydenied answer might be the union of multiple discreteintervals. However, the auditor can derive the feasibleintervals for the subsequently denied answer by repet-itively employing the information leakage derivingmethod, because the feasible solution space constitutedby the past query answers and denials are the union ofmultiple polytopes. For each polytope, the auditor canderive intervals that may cause the new query to bedenied. The union of all such derived intervals is thecomplete information leakage.
Whether deriving information leakage from querydenials, auditing sum queries needs to solve a largenumber of LP problems to inspect the difference of thelower and upper bounds for every involved variable.While it is not difficult to solve one LP problem, solvingsuch LP problems is still a huge burden for the system.Worse, the size and number of LP problems keepgrowing as more queries are issued. Although wecannot avoid those LPs, we can reduce the overallcomputing time by adopting the strategy employedin Lu et al. (2009). It uses two patterns existing inthe LPs formulated in an auditing process. First, ateach auditing time, the formulated LPs share the sameconstraints. Second, the LPs formulated for auditingthe next query only have one more constraint than thecurrently formulated LPs. It is known that a feasiblesolution of one LP can be quickly constructed at thebasis of the solution of another similar LP. Finding afeasible solution is an integral part in simplex methodsand typically takes half the computing time of solvinga LP problem. By leveraging the similarity of LPsin an auditing process, we can reduce the overallcomputing time.
3. Max and MinMax and min queries have been less researched. Repre-sentative research results include Chin (1986), Kleinberget al. (2003), Kenthapadi et al. (2005), and Nabar et al.(2006). But none of those schemes can be directly
applied to our scenario, i.e., real-valued data regardinginterval-based data disclosure policy, free of querydenial threat. Chin (1986) proposes the first auditingscheme for max and min queries. Because they assumeall queries come together as a batch, their schemedoes not consider the query denial issue. The auditingscheme in Kleinberg et al. (2003) is able to eliminatethe query denial threat, but at the great loss of datautility. Motivated by Kleinberg et al. (2003), Kenthapadiet al. (2005) propose a simulatable auditing scheme,which effectively counteracts the query denial threatand also improves data utility. But their scheme consid-ers full data disclosure and is applicable to max- ormin-only queries. Improved upon Kenthapadi et al.(2005), the auditing scheme in Nabar et al. (2006) canhandle mixed max and min queries, but it does notaddress interval-based disclosure. More importantly,their scheme cannot be applied to mixed query types,including sum, max, min, and deviation. In this section,we modify the auditing scheme in Nabar et al. (2006)in accord with the interval-based data disclosure policy.We will later show how to incorporate the scheme into ageneral auditing framework for the mixed query types.
A max query Qj can be represented by max4Qj5= bj ,where bj is the query answer. Similarly, a min queryQj can be represented by min4Qj5= bj . Given a set ofmax and min queries 8Q11 0 0 0 1Qt9 and their answers8b11 0 0 0 1 bt9, the maximum possible value of xi ismin4bj �Qj is a max query, xi ∈Qj5, denoted by �i. Simi-larly, the minimum possible value of xi is max4bj �Qj isa min query, xi ∈Qj5, denoted by `i. We will say xi is amin extreme element of Qj , if Qj is a min query, xi ∈Qj ,and bj = `i, and xi is a max extreme element of Qj , if Qj
is a max query, xi ∈Qj , and bj =�i.The uniqueness of max and min queries comes
from their inherent discrete nature. Consider a maxquery max4Qj5 = bj ; it gives two pieces of informa-tion: (i) ∀xi ∈Qj1xi ≤ bj and (ii) ∃xi ∈Qj1 xi = bj . Theformer is of continuous nature, like sum queries,while the latter is combinatorial oriented. ConsiderQ12 max4x11x21x35= 10 and Q2: max4x11 x25= 5, wherethe safe threshold for every variable is 1. Q1 is answeredsince no privacy disclosure occurs. Q2 is denied,because given max4x11 x21 x35= 10 and max4x11 x25= 5,x3 becomes the only extreme element of Q1, and thusx3 must be 10. However, if Q2 is denied, an adversarycan still infer x3 to be 10, because otherwise Q2 wouldnot be denied. In this case, whether you answer ordeny Q2, x3 is disclosed.
We have observed that a max and min query denialcan occur in two cases: (i) some variable is fully dis-closed as it becomes a max or min extreme elementor (ii) some variable is partially disclosed because thedifference of its lower and upper bounds is less thanor equal to its safe threshold. For the former case, ifthere exists one element, which could become a max or
min extreme element because of the denied answer,then denying the query would still fully disclose theelement. For the latter case, answering a query wouldnot immediately compromise data privacy, because anadversary can only narrow down the denied answer toan interval, in which any possible answer could causesome variable to be partially disclosed. We propose thefollowing auditing scheme.
Definition 7 (Auditing Max and Min Queries).For each new max and min query, we first use thesimulatable auditing scheme in Nabar et al. (2006) tocheck if there exists any possible answer to the query,which is consistent to previous query answers andmakes some variable an extreme element.
• If yes, deny the query. (Note that the decision ismade without consulting the database.)
• Else, consult the database to see if the real answerwould make some element partially disclosed (i.e., thedifference of the lower and upper bounds is less thanthe safe threshold).
—If yes, deny the query and derive the infor-mation leakage from the query denial, which will becarried over to audit the subsequent queries.
—Else, answer the query.
The first step of the algorithm is to counteract thequery denial effect caused by the discrete nature of maxand min queries. Given a set of previously answeredmax and min queries, Q11 0 0 0 1Qt−1, the auditing schemeneeds to check if there is any possible answer to thenew query Qt that is consistent with past answersand would cause an xi to be an extreme element.Nabar et al. (2006) showed that it is not necessary tocheck all possible answers and it suffices to check afinite number of points. In particular, let Q′
11 0 0 0 1Q′
l
be the query sets of previous queries that intersectwith Qt , ordered according to their correspondinganswers b′
1 ≤ · · · ≤ b′
l. We only need to consider eachbt ∈ 8b′
lb1 b′11 4b
′1 + b′
25/21 b′21 0 0 0 1 b
′
l1 4b′
l−1 + b′
l5/21 b′
l1 b′
ub9,where b′
lb = b′1 − 1 and b′
ub = b′
l + 1, to check if it isconsistent to the previous answers and causes someelement to be an extreme element. All of them canbe efficiently implemented. The second step is toconsult the database to check if the true answer wouldcause some element to be partially disclosed. If aquery is denied, an adversary knows there exists someelement, which would be partially disclosed if theanswer is released. Without loss of generality, considerthe denied query Qj as a max query. The real answerbj to the max query Qj only affects the upper boundof variables in Qj . Therefore, the cause for the querydenial is ∃ i ∈ Sj1 bj − min4xi5≤ �j . Because an adversarydoes not know which one is at risk, the informationleakage from the denial of the max query Qj is bj ≤maxi∈Sj
4�j + min4xi5), where min4xi5 can be derivedfrom past query responses. Similarly, the denial of
the min query Qj releases bj ≥ mini∈Sj4max4xi5− �j).
The released information should be carried along withanswered queries to audit the subsequent queries.
4. Standard DeviationStandard deviation has never been studied in thedatabase auditing literature, although it is supportedby most SDBs. A standard deviation query Qj can berepresented by std4Qj5= bj , computed as
√
∑
i∈Qj4xi −
∑
t∈Qjxt/�Qj �5
2
�Qj � − 1= bj1
where �Qj � denotes the set size. The standard deviationvalue bj can be further expanded as a quadratic function
∑
i∈Qj
(
�Qj �xi −∑
t∈Qj
xt
)2
= 4�Qj � − 15�Qj �2b2
j 0
Standard deviation shows how much variation existsfrom the average. A low standard deviation indicatesthat the data points tend to be very close to the mean,whereas high standard deviation indicates that the datapoints are spread out. From the statistical inferenceperspective, the most risky case would be a standarddeviation value being 0, which implies all data pointshave the same value. However, answers to a set ofstandard deviation queries without additional informa-tion does not improve the lower and upper boundsof involved data points at all, since standard devi-ation only provides closeness information on datapoints. If there are prior known bounds of data points,then standard deviation query answers could compro-mise a database. Consider a database of 8x11x21x39and it is known that x11x2 ∈ 60127 and x3 ∈ 681107. Ifstd4x11 x21 x35= 304641, which is the minimum standarddeviation value among feasible solutions, then it isdisclosed that x1 and x2 are 2 and x3 is 8.
To avoid triviality, we study how to respond tostandard deviation queries with elements of prior-known bounds. Look at a batch of standard deviationqueries 8Q11 0 0 0 1Qt9; the bounds of variables X aredenoted by 6L1U7. To examine whether the queryanswers compromise the database, we can formulateand solve a set of nonlinear optimization problems asfollows:
min4max5 xi
s.t.
∑
i∈Qj
(
�Qj �xi−∑
t∈Qj
xt
)2
= 4�Qj �−15�Qj �2b2
j 1
for j=110001t1L≤X≤U0
(10)
Constraints (10) are typical semidefinite program-ming problems (Vandenberghe and Boyd 1996), because
2 is nonnegative forany X. It is well known that semidefinite programscan be solved efficiently, both in theory and prac-tice. However, a safe auditing scheme has to considerinformation leakage from a query denial and carryit over to audit subsequent queries. A good thingis that standard deviation queries are continuouslyoriented, which is the same as sum queries. In otherwords, if we deny a standard deviation query when∃ i1max4xi5− min4xi5≤ �i, the feasible solution spaceis a convex set or the union of several convex sets. Weadopt the same auditing strategy as for sum queries.
Definition 8 (Auditing Standard DeviationQueries). For each new standard deviation query, for-mulate and solve a series of semidefinite programmingproblems to compute the lower and upper bounds foreach variable. If ∃ i1max4xi5− min4xi5≤ �i, deny thequery, find the feasible values of the denied answerthat would make the query to be denied, and return theinterval of continuous feasible solutions that containthe real answer; else, answer the query.
We release the interval of feasible solutions thatcontain the real answer so that all following auditingproblems are forumulated as convex optimizationproblems. Although we release more information thannecessary, all variable privacy is kept intact. We skipthe scheme security analysis, since the proof for thesum query case can be easily extended here, as bothquery types are convex in nature.
Now we study how to find the feasible valuesof the denied answer that would deny a standarddeviation query. Denote the denied answer as �, andthe maximum and minimum of xi dependent on �as f 1
i 4�5 and f 2i 4�5, respectively. Computing f 1
i 4�5and f 2
i 4�5 is a typical RHS parametric semidefiniteprogramming problem. Berkelaar et al. (1996) showthat the solution to a RHS quadratic programmingis concave and piecewise quadratic. In Goldfarb andScheinberg (1999), an explicit formula is provided tocompute the interval of a RHS parameter value, wherethe optimal solution (a function of the RHS parameter)is unchanged. In fact, the formula is very similar to theone for RHS parametric LP. Given the formula, we canderive f 1
i 4�5 and f 2i 4�5 and find the feasible solutions
feasiblei4�5 that make f 1i 4�5− f 2
i 4�5 ≤ �i. Because anadversary cannot determine which one is at risk, thetotal information leakage is � ∈
⋃
i feasiblei4�5. We thenrelease the interval containing the real answer to enablethe subsequent auditing problems to be formulated asconvex optimization problems.
5. Mixed Query TypesIn this section, we provide a consolidated frame-work for auditing mixed query types, including
sum, max, min, and standard deviation. Supposeold queries are 8Q11 0 0 0 1Qt1
1Q′11 0 0 0 1Q
′t21Q′
11 0 0 0 1Q′t39,
where 8Q11 0 0 0 1Qt19 are sum queries, 8Q′
11 0 0 0 1Q′t29
max or min queries, and 8Q′′11 0 0 0 1Q
′′t39 standard devi-
ation queries. The auditing problem is to determinewhether to answer or deny a new query Qnew. Basedon what we have studied in the previous sections,the adversary’s knowledge from responses to the pastqueries can be represented by a set of equality andinequality constraints, which are either in a linearor positive definite quadratic form. Specifically, if asum query Qi is answered, the information leakageis sum4Qi5 = bi. If the query is deemed dangerous,an interval 6li1ui7 is returned and the informationleakage is li ≤ sum4Qi5 ≤ ui. Similarly, if a standarddeviation query Q′′
i is answered, the information leak-age is std4Q′′
i 5= b′′i . Else, an interval is returned and
the information leakage is l′′i ≤ std4Q′′i 5≤ u′′
i . A maxor min query Q′
i is either denied or fully answered.If it is denied because there exists a possible answer,which makes some element an extreme element, thenthere is no information leakage, because the decision isreached without consulting the database. If it is deniedbecause the real answer would make some elementpartially disclosed, then the information leakage canbe represented by l′i ≤ max/min4Q′
i5 ≤ b′i, such that
max/min4Q′i5 being any value in 6l′i1 b
′i7 would make
some element partially disclosed. We denote the set offeasible solutions satisfying those constraints, derivedfrom past query responses, by Q. The consolidatedauditing scheme for mixed query types is as follows.
Definition 9 (Auditing Mixed Query Types).Given x ∈ Q, the information leakage from the responsesto the past queries, to audit a new query Qnew, we dothe following:
• If it is a sum query, formulate and solve a set ofsemidefinite programming problems of max/min4xi �x∈ Q1 sum4Qnew5 = bnew5 for each xi. If there is an xibeing compromised, formulate and solve a set ofparametric semidefinite programming problems ofmax/min4xi �x ∈ Q1 sum4Qnew5= �5 for each xi to derivethe feasible values of � that would compromise thedatabase, and then return the interval containing theexact answer.
• If it is a standard deviation query, run the sameprocedure as above, except for replacing the constraintsum4Qnew5= bnew with std4Qnew5= bnew.
• If it is a max or min query, check whether thereexists a possible answer that is consistent to past answersand causes the existence of extreme elements.
—If yes, deny the query (note the decision ismade without consulting the database).
—If no, consult the database to see if the real an-swer makes some element partially compromised.
∗ If yes, deny the answer and derive informationleakage.
The framework treats max and min queries differ-ently, due to their inherent discrete nature. In the firststep of auditing a max or min query, there is no needto check all possible answers. It suffices to check afinite number of points, as what we did to audit maxand min-only queries. Suppose it is a max query. Forconsistency checking, we use a method in Vanden-berghe and Boyd (1996) to check the feasibility of thesemidefinite constraint set 8x ∈Q3xi ≤ b′
i1∀xi ∈Qnew9.To determine the existence of extreme elements, weadopt the same algorithm used in Nabar et al. (2006).To derive the information leakage from a query denial,we formulate and solve parametric semidefinite pro-gramming problems to find out the possible values ofb′i that would make some element partially disclosed.
We take the interval containing the real answer asthe information leakage and carry it over to audit thesubsequent queries.
6. Experimental StudyAn auditing scheme can be evaluated in three dimen-sions: privacy, utility, and efficiency. Privacy is the mostimportant because it is the reason for the existence of aprivacy protection mechanism. Data utility determinesthe usage of a database, and efficiency affects userexperience. Unanimously, privacy can be examinedwith regard to the defined data privacy policy andefficiency can be measured in running time. There aremany ways to measure utility. For example, Nabaret al. (2006) measure utility by the number of answeredqueries. But an auditing scheme could provide ambigu-ous and partial answers to unlimited queries withoutcompromising a database and that does not makethe auditing scheme preferable. So we measure utilityby the amount of released information on databaseelements. Regarding the interval-based privacy policy,the best auditing scheme is the one that allows a user toinfer the feasible database solutions to a polytope withmax4xi5− min4xi5= �i1∀xi, where �i is the predefinedsafe threshold of xi.
6.1. SumThe first experiment is to study sum-only queries.We compared our auditing scheme with conventionalauditing and simulatable auditing. Note that we do notconsider the modified auditing scheme, as it is essen-tially the same as the conventional auditing scheme.We generated a database of 100 elements with valuesrandomly drawn from 6111007, and 200 random sumqueries uniformly drawn from the pool of possiblesum queries. For each element, we set its safe thresholdto be 0.1 times its value. We run all auditing schemesagainst the same database and queries, and report theresults in Figures 2–4, where each diamond denotesa query and the dark diamond means the databaseis compromised. We observe the following: First, in
Answered
Denied
1 90 93 113 200
Compromised Safe
Figure 2 Conventional
terms of privacy, both our auditing scheme and simu-latable auditing protects the privacy throughout theauditing process, whereas conventional auditing isunable to protect privacy after query 90. We alsonotice that the first abnormal query response occursat query 90 for both conventional and our auditingscheme. Conventional auditing denied the query, whileour auditing scheme partially answered the query.After that, conventional auditing answered query 91,which immediately compromised the database, dueto the ignorance of information leakage of the denialof query 90. As the result, the database continuedto stay in the compromised state, even though themost subsequent queries were denied. In contrast,our auditing scheme partially answered queries 90–92and 94–200, and fully answered query 93. It providesdata information and maintains data privacy. Second,regarding utility, our auditing scheme provides themaximum data utility, because at query 96, the privacyboundaries had been reached. In contrast, conventionalauditing releases more information than the privacypolicy allows, which is unacceptable, and simulatableauditing does not answer any query, because all ele-ments are known to fall in a bounded range. Third,in terms of efficiency, our auditing scheme takes themost computing. However, the computing time of ourauditing scheme is comparable to that of conventionalauditing. Firstly, for queries 1–89, our auditing schemeand conventional auditing took the same amount oftime because no query denial occurs yet. For queries90–95, our auditing scheme took more computing time,as it needs to derive information leakage. But afterquery 96, our auditing scheme took the same amountof time as conventional auditing, because the privacyboundaries were reached and there was no need toderive information leakage. To provide a partial answer,
our auditing scheme only needs to formulate and solvetwo LPs with the information derived from queries1–96 as constraints to obtain the lower and upperbounds of the query.
Simulatable auditing took the least computing time,but with no query being answered. The zero data utilityis because the simulatable auditing scheme is too strict.Recall that the simulatable auditing scheme denies aquery if there is a feasible answer, which can causeprivacy disclosure. For a first query
∑
i xi against anonnegative database, a feasible and consistent answeris 0, which indicates every variable is zero. If theanswer is 0, all variables are uniquely determined tobe 0. Therefore the query must be denied, as must allsubsequent sum queries. The example shows that thesimulatable auditing scheme is not suitable for caseswhere variables have prior known bounds. However,databases with prior known bounds are very commonin practice. For instance, salary is nonnegative, age is apositive number less than 150, etc.
6.2. MixedThe second experiment is to study mixed query types.First, we present a result on a small data set, depictedin Figure 5, to provide some insights. The data set com-prises 20 elements 8x11 0 0 0 1 x209 with values randomlydrawn from 611207. The task is to audit 100 randomqueries generated by the following two-step procedure:(i) determine a random number k in 611207 and thenselect k random elements from 8x11 0 0 0 1 x209, and (ii) ran-domly specify the query type so that sum, max or min,and standard deviation have the same probability. Thesafe threshold is 0.1 times each element’s value. Wemade the following observations: (i) Eight sum queriesare fully answered. The number would be much larger
Fully answered
Partiallyanswered
Denied
10 23 40
Reaching privacyboundaries
SumMax or minStd
Figure 5 Auditing Mixed Query Types
if we were auditing sum-only queries. For a databaseof n elements, element values would be fully disclosedby n linearly independent sum queries. However, forreasonable safe threshold values, the number of fullyanswered queries should be close to the number of totalelements, which has been verified by many existingstudies. One recent evidence is Figure 4, in which 90queries over a database of 100 elements are answered.Figure 5 shows that as answers to max, min, and stan-dard deviation queries leak information, the number ofanswered sum queries is significantly reduced. (ii) Fourmax or min queries are fully answered and the restare denied, not partially answered. So the simulatableauditing step incorporated in our scheme to counteractthe discrete nature threat of max and min queries isthe sole cause for them to be denied. (iii) There are13 standard deviation queries being answered, whichis larger than the sum of answered sum, max, andmin queries. It shows that an answer to a standarddeviation query does not release much informationrelatively. (iv) After query 40, the privacy boundariesare reached; in other words, the maximum utility isachieved, while the privacy is well kept. It also tellsus that for the remaining queries, there is no needto apply our sophisticated auditing scheme, as noadditional information can be released. An auditor cansimply answer the query based on released informationwithout consulting the database.
To validate the observations made from the previoussingle case, we conducted more experiments. We gen-erated five databases with the number of elementsranging from 20 to 100, with the same generationprocedure as that for the previous example. The resultsare reported in Figure 6 with the patterns matchingthe findings from Figure 5. It is observed that (i) thequery types in the order of the number of queriesbeing fully answered are standard deviation, sum, andmax or min and (ii) the total number of queries beingfully answered increase as the database size increases.
We noticed that almost no max or query was partiallyanswered. Therefore we conducted more experimentsby removing the step of using the simulatable auditingstrategy to eliminate the discrete nature threat of maxand min queries. We found that nearly all max andmin queries were fully answered. As element valuesare uniformly drawn and widely dispersed, answers tomax and min queries do not improve the lower andupper bounds of elements by much. We conclude thatthe discrete nature is the main cause for fewer maxand min queries being answered.
6.3. Trade-offIn this section, we study the trade-offs along differ-ent dimensions. Because privacy is the principle ofauditing and should never be compromised, whatwe can do is exchange utility in return for efficiency.There are many ways to improve efficiency: one wayis to utilize the algorithm in Kleinberg et al. (2003)to eliminate occurrence of extreme elements, whenauditing a max or min query, instead of the algorithmin Nabar et al. (2006). Kleinberg et al. (2003) showthat given a collection 8Q11 0 0 0 1Qt9 of max (or min)queries, for element i to be a max extreme element,there must exist Qj\4
⋃
r∈c Qr 5= 8i9, where c is a subcol-lection. To eliminate occurrence of extreme elements,we can deny a max (or min) query without consultingthe database if there exists Qj\4
⋃
r∈c Qr 5= 8i9 for someelement i, which can be implemented efficiently. Theconsequence is that more innocuous queries wouldbe denied. If we use the modified scheme to auditmax- and min-only queries, the probability of a querydenial would be increased. If we audit mixed querytypes, including sum, max, min, and deviation, andconsider reaching privacy boundaries is the maximumutility, the modified scheme does not reduce utility.The only effect is fewer max and min queries would beanswered. To find out the detailed trade-off effect, weexecuted the original auditing scheme and the modifiedscheme with the algorithm in Kleinberg et al. (2003)being plugged against the five databases created forthe previous experiment. The results are reported inFigure 7. The left vertical axis denotes the ratio of fullyanswered max and min queries by the original schemeto the number of answered max and min queries by themodified scheme and the right vertical axis representsthe ratio of average auditing time for a max or minquery by the original scheme to the time by the modi-fied scheme. Figure 7 shows that the original schemetakes significantly more computing time, because theoriginal scheme requires solving a large number ofoptimization problems, while the modified schemetakes almost no time. However, the utility gain at thegreat cost of computing time is not that significant,as illustrated by the left vertical axis of Figure 7. Weconclude that if it is not critical to answer max and minqueries, it is advisable to take the modified scheme.
201.0
1.5
2.0
Rat
io o
f ans
wer
ed q
uerie
s
30 40 50 60 70 80 90 100500
1,000
Rat
io o
f com
putin
g tim
e
1,500
Number of elements
Figure 7 Answered Queries vs. Computing Time
Another way to improve efficiency is to deny a sumquery right after the first sum query denial occurs.As observed in Figure 5, after the first query denial,the privacy boundaries will be quickly approached.Because deriving information leakage takes a lot oftime, if we simply deny all queries after the first querydenial, then much time is saved. We conducted anexperiment to compare the original scheme with the“lazy” scheme regarding computing time and releasedinformation on five synthetic databases, with number nof elements ranging from 20 to 100 and element valuesdrawn from 601n7. All queries to be audited are sumqueries and the threshold value is 0.1 times an elementvalue. The maximum knowledge on xi that a user isallowed to obtain is the bounds being improved from601n7 to 6li1ui7, where ui − li = 001 × xi. Comparing theoriginal scheme and the “lazy” scheme regarding thereleased information of xi, we take the measure of4n−001×xi5/4n− 4u′
i − l′i55, where u′i and l′i are the lower
and upper bounds of xi at the end of the “lazy” scheme.We compute the average measure over all elements foreach database and report the results in the left verticalaxis of Figure 8. The right vertical axis represents theratio of the total auditing time of the original schemeto that of the “lazy” scheme. We observed that the“lazy” scheme provides decent information with lesscomputing time. We conclude that if efficiency is atop concern for a system, it is worth trying the “lazy”scheme.
There are many other ways to improve efficiency.For example, we could incorporate other privacy mech-anisms into the auditing mechanism, e.g., perturbationmight be the easiest way to achieve data privacy. Keepin mind that doing so would lose many properties ofauditing, such as flexibility and accuracy. As reportedin Dinur and Nissim (2003), for a SDB by an n-bitstring d11 0 0 0 1 dn with a query being a subset q ⊆ 6n7to be answered by
∑
i∈q di, to achieve privacy, one hasto add perturbation of magnitude ì4
√n5. For SDBs
of positive integers x11 0 0 0 1 xn, the perturbation needsto be of magnitude ì4
√
∑
i xi5. To illustrate this, wedid an experiment on a synthetic database of 100elements with five sum queries. Figure 9 reports the
answers returned by the auditing scheme and from aperturbed database. We observed that the perturbationmechanism significantly alters real answers. Therefore,perturbation might only be suitable for large data setswhere auditing is not feasible.
Note that it has long been recognized that“0 0 0auditing may serve as a solution to the SDB securityproblem for small SDBs” (Chin and Özsoyoglu 1982,p. 575). Auditing provides the complete data privacy,maximum data utility, and query flexibility at a greatcomputational cost. Auditing is typically formulatedas a set of linear programs, therefore the scalabilityand practicability of the auditing approach largelydepends on the state of art in optimization technolo-gies. For instance, the current front line large-scaleLP/QP solver engine1 can solve linear and quadraticprogramming problems with up to 32,000 variablesand 32,000 constraints in the standard version. It isreasonable to apply the auditing approach to SDBswith thousands of variables or less. As optimizationtechnologies advance, the practicability of auditingwill increase accordingly. Significant advancements onoptimization technologies have been observed since the
1970s when auditing was first introduced. In addition,our auditing algorithm is faster than the conventionalauditing algorithms. As briefly mentioned in §2.5, ouralgorithm takes advantage of the two patterns observedin the set of linear programs formulated in an auditingprocess, which allow us to utilize the sensitivity analy-sis technologies used in optimization to reduce half thecomputing time.
7. ConclusionIn this paper, we present an auditing framework, whichis applicable to mixed query types, including sum,max, min, and deviation. The framework provides themaximum data utility and is free of query denial threat.The key idea is acknowledging the fact that querydenials leak information. Upon each query denial, wederive information leakage and treat it as a part ofthe adversary knowledge when auditing subsequentqueries. Due to the discrete nature of max and minqueries, when auditing a max or min query, we employthe simulatable auditing strategy to eliminate theoccurrence of extreme elements. The experimental studyshows that our scheme provides the maximum datautility to users, as the privacy boundaries are reachedfor each case. Experimental results also show thatstandard deviation has more queries being answeredthan other types, which is because a standard deviationquery does not release much information. We alsoobserved that max and min have the least queries thatcan be answered, because the simulatable auditingstrategy that we added to the whole auditing processdenies many innocuous queries. Designing a betterauditing algorithm for max and min queries will beour future work.
ReferencesAdam NR, Wortmann JC (1989) Security-control methods for statis-
tical databases: A comparative study. ACM Comput. Surveys21:515–556.
Agrawal S, Budetti P (2012) Physician medical identity theft. JAMA307:459–460.
Berkelaar AB, Jansen B, Roos K, Terlaky T (1996) Sensitivity analysisin (degenerate) quadratic programming. Technical Report 96-26,(Delft University of Technology, Delft, the Netherlands).
Castro J (2007) A shortest-paths heuristic for statistical data protectionin positive tables. INFORMS J. Comput. 19:520–533.
Chin FY (1978) Security in statistical databases for queries with smallcounts. ACM Trans. Database Systems 3:92–104.
Chin FYL (1986) Security problems on inference control for sum,max, and min queries. J. ACM 33:451–464.
Chin FYL, Özsoyoglu G (1981) Statistical database design. ACMTrans. Database Systems 6:113–139.
Chin FYL, Özsoyoglu G (1982) Auditing and inference control instatistical databases. IEEE Trans. Software Engrg. 8:574–582.
Chowdhury SD, Duncan GT, Krishnan R, Roehrig SF, Mukherjee S(1999) Disclosure detection in multivariate categorical databases:Auditing confidentiality protection through two new matrixoperators. Management Sci. 45:1710–1723.
Dantzig GB (1963) Linear Programming and Extensions (PrincetonUniversity Press, Princeton, NJ).
Dinur I, Nissim K (2003) Revealing information while preservingprivacy. Proc. Twenty-Second ACM Sympos. Principles DatabaseSystems (ACM, New York), 202–210.
Dobkin D, Jones AK, Lipton RJ (1979) Secure databases: Protectionagainst user influence. ACM Trans. Database Systems 4:97–106.
Dwork C (2008) Differential privacy: A survey of results. TAMC4978:1–19.
Fischetti M, Salazar JJ (2001) Solving the cell suppression problemon tabular data with linear constraints. Management Sci. 47:1008–1027. .
Friedman AD, Hoffman LJ (1980) Towards a fail-safe approach tosecure databases. IEEE Sympos. Security and Privacy, Oakland, CA.
Fung BCM, Wang K, Chen R, Yu PS (2010) Privacy-preserving datapublishing: A survey of recent developments. ACM Comput.Surveys 42:14:1–14:53.
Garey MR, Johnson DS (1979) Computers and Intractability: A Guide tothe Theory of NP-Completeness (W.H. Freeman, New York).
Garfinkel R, Gopal R, Goes P (2002) Privacy protection of binaryconfidential data against deterministic, stochastic, and insiderthreat. Management Sci. 48:749–764.
Goldfarb D, Scheinberg K (1999) On parametric semidefinite pro-gramming. Appl. Numer. Math. 29:361–377.
Kadane JB, Krishnan R, Shmueli G (2006) A data disclosure policy forcount data based on the COM-Poisson distribution. ManagementSci. 52:1610–1617.
Kaelber DC, Jha AK, Johnston D, Middleton B, Bates DW (2008)A research agenda for personal health records (phrs). J. Amer.Medical Informatics Assoc. 15:729–736.
Kenthapadi K, Mishra N, Nissim K (2005) Simulatable auditing. Proc.Twenty-Fourth ACM Sympos. Principles Database Systems (ACM,New York), 118–127.
Kleinberg JM, Papadimitriou CH, Raghavan P (2003) AuditingBoolean attributes. J. Comput. Syst. Sci. 66:244–253.
Kumar R, Gopal R, Garfinkel R (2010) Freedom of privacy: Anony-mous data collection with respondent-defined privacy protection.INFORMS J. Comput. 22:471–481.
Lee S, Genton MG, Arellano-Valle RB (2010) Perturbation of numericalconfidential data via skew-t distributions. Management Sci.56:318–333.
Li N, Li T, Venkatasubramanian S (2007) t-Closeness: Privacy beyondk-anonymity and l-diversity. Chirkova R, Dogac A, Tamerözsu M,Sellis TK, eds. Proc. 23rd IEEE Internat. Conf. Data Engrg. (IEEEComputer Society, Los Alamitos, CA), 106–115.
Li X-B, Sarkar S (2006) Privacy protection in data mining: A per-turbation approach for categorical data. Inform. Systems Res.17:254–270.
Li X-B, Sarkar S (2011) Protecting privacy against record linkagedisclosure: A bounded swapping approach for numeric data.Inform. Systems Res. 22:774–789.
Li X-B, Sarkar S (2013) Class-restricted clustering and microperturba-tion for data privacy. Management Sci. 59:796–812.
Li Y, Lu H (2008) Disclosure analysis and control in statisticaldatabases. ESORICS, Lecture Notes in Computer Science, Vol. 5283(Springer, New York), 146–160.
Li Y, Wang L, Jajodia S (2003) Preventing interval-based inferenceby random data perturbation. Proc. 2nd Internat. Conf. PrivacyEnhancing Tech., San Francisco, 160–170.
Lu H, Li Y (2008) Practical inference control for data cubes. IEEETrans. Dependable Sec. Comput. 5:87–98.
Lu H, Li Y, Atluri V, Vaidya J (2009) An efficient online auditingapproach to limit private data disclosure. ACM Internat. Conf.Extending Database Tech. (ACM, New York), 636–647.
Machanavajjhala A, Gehrke J, Kifer D, Venkitasubramaniam M (2006)l-Diversity: Privacy beyond k-anonymity. IEEE Internat. Conf.Data Engrg. (IEEE Computer Society, Los Alamitos, CA), 24.
Malvestuto FM, Moscarini M (2006) Auditing sum-queries to make astatistical database secure. ACM Trans. Inform. System Security33:451–464.
Matloff NS (1986) Another look at the use of noise addition fordatabase security. IEEE Sympos. Security Privacy (IEEE ComputerSociety, Los Alamitos, CA), 173–181.
Muralidhar K, Sarathy R (2006) Data shuffling—A new maskingapproach for numerical data. Management Sci. 52:658–670.
Muralidhar K, Batra D, Kirs PJ (1995) Accessibility, security, andaccuracy in statistical databases: The case for the multiplicativefixed data perturbation approach. Management Sci. 41:1549–1564.
Muralidhar K, Parsa R, Sarathy R (1999) A general additive dataperturbation method for database security. Management Sci.45:1399–1415.
Nabar SU, Marthi B, Kenthapadi K, Mishra N, Motwani R (2006)Towards robustness in query auditing. Proc. 32nd Internat. Conf.Very Large Data Bases, Seoul, Korea.
Nunez MA, Garfinkel RS, Gopal RD (2007) Stochastic protectionof confidential information in databases: A hybrid of dataperturbation and query restriction. Oper. Res. 55:890–908.
Samarati P, Sweeney L (1998) Protecting privacy when disclosinginformation: k-anonymity and its enforcement through general-ization and suppression. Technical reportT, SRI International,Menlo Park, CA.
Sarathy R, Muralidhar K, Parsa R (2002) Perturbing nonnormalconfidential attributes: The Copula approach. Management Sci.48:1613–1627.
Schlorer J (1975) Confidentiality of statistical records: A threat-monitoring scheme for on line dialgoue. Methods Inform. Medicine14:36–42.
Sweeney L (2002) k-anonymity: A model for protecting privacy.Internat. J. Uncertainty Fuzziness Knowledge-Based Systems 10:557–570.
Vandenberghe L, Boyd S (1996) Semidefinite programming. SIAMRev. 38:49–95.
Vanderbei RJ (2008) Linear Programming: Foundations and Extensions,3rd ed. (Springer-Verlag, New York).
Wang L, Jajodia S, Wijesekera D (2004) Securing OLAP data cubesagainst privacy breaches. IEEE Sympos. Security Privacy (IEEEComputer Society, Los Alamitos, CA), 161–175.
Wang L, Li Y, Wijesekera D, Jajodia S (2003) Precisely answeringmulti-dimensional range queries without privacy breaches. Eur.Sympos. Res. Comput. Security (Springer, New York), 100–115.
