file (PPT), Adobe acrobat file (PDF), ETC. Sensitive .... following question: Can we find classes of students ... data such as name or registered class and sensitive.
PRBAC: An Extended Role Based Access Control for Privacy preserving Data mining Eun Hee Kim, Keun Ho Ryu, Jun Heo Dept. Computer science, National University, Korea *Electronics and telecommunications researsch {anwarking, ehkim, khr } dblab.chungbuk.ac.kr
ABSTRACT Issues about privacy-preserving data mining have emerged globally, but still the main problem is that non- sensitive information or unclassified data, one is able to infer sensitive information that is not supposed to be disclosed. This paper proposes an approach to PPDM based on an extended Role based access control called Privacy preserving Data mining using an extended role based access C); Sensitive objects (SOBS) component is added to the model in order to privacy protecting during data mining. Users are allowed to access and thereby mine different sets of data according to their roles. Our proposed model can be used over the existing technologies. The paper goal is topreserve individual’sprivacy. Keywords:
Privacy preserving data mining
1. Introduction Explosive progress in networking, storage, and processor technology has led to the creation of ultra large databases that record unprecedented amount of transactional information. The main problem is that non-sensitive information or unclassified data, one is able to infer sensitive information that is not supposed to be disclosed. Despite its benefits in various areas such as marketing, business, medical analysis, bioinformatics and others, data mining can also pose a threat to privacy in database security if not done or used properly Privacy preserving data mining , is a novel research direction in data mining and statistical databases, where data mining algorithms are analyzed for the side-effects they incur in data privacy. The central problem in privacy preserving data mining community is how to get data mining results without access to the original data. This brings about a lot of topics such as definition of privacy, measurement of privacy
and techniques that can help to preserve privacy. The main consideration in privacy preserving data mining is two fold. First, sensitive raw data like identifiers names, addresses and the like, should be modified or trimmed out from the original database, in order for the recipient of the data not to be able to compromise another person’s privacy This paper proposes an approach to privacypreserving data mining based on an extended Role based access control called where we have added SOBS, even using the same data mining technique, users are allowed to mine different sets of data. Our proposed PRBAC, The users will only access to objects tables, attributes, views) that are compatible with their roles permission compared to SOBS permission where existing access control system in the database server may continue to be in place. The effort described in this paper is by no means meant to be complete or comprehensive. Rather, our primary goal is to present our preliminary ideas in order to motivate This discussion on richer access control of paper organized as follows. Related work is reviewed in section 2. Section 3 presents the privacy preservation requirement in PRBAC. In section 4 we describe our proposed PRBAC model to privacy preserving data mining. In section 5, we present the Privacy Preservation process by providing a scenario of use in web-based application. Finally, section 6 presents conclusions and future directions for our work.
2. Related Work For the past few years, several approaches have been proposed in the context of privacy preserving data mining. Some of the approaches have been developed, namely: heuristic based approach; centralized data perturbation based association rule perturbation, which is accomplished by the alteration of an attribute value by a new value changing a I-value to a 0- value, or adding 5, centralized data blocking based
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
association rule confusion and centralized data blocking based classification rule confusion which is the replacement of an existing attribute value The central idea of the heuristic with a based approach techniques is that how to hide sensitive rules that can be mined the original data while maximizing the utility of the released data. The second approach is the reconstruction the central idea of the based approach [6, 8, reconstruction based approach is that we first use some methods to distort the values of the original data and then release these distorted data. The third approach is Cryptography based approach [ 10, 11, 12, The cryptography based approach has been developed to solve the following problem: Two or more parties want to conduct a computation based on their private inputs, but neither party is willing to disclose its own output to anybody else. This problem is referred to as the Secure Multiparty Computation (SMC) problem, which requires that no more information be revealed to a participant in the computation than that’s participant’s input and output. It is important to realize that data modification results in degradation of the database performance. In order to quantify the degradation of the data, we mainly use two metrics. The first one, measures the confidential data protection, while the second measures the loss of functionality. Finally the access control based approach in this approach the authors wanted to provide the groundwork to build an access control model over existing technologies; they suggested a basic theory for their proposed access control model called Multi-relational association rules (MRAR). MRAR model is composed of three layers notably Authenticator, checker and the database server. In MRAR, the type of policy is Mandatory access control where the users are associated to mining levels; this is extremely disadvantage of MRAR especially when focusing on the third requirement of that model The addressed problem in MRAR is multilevel association rules. The major disadvantage of MRAR is that, Not always possible to assign clearances to users of a commercial information systems and Not always possible to assign sensitivity levels to data in case of level contains another level. The problem of MRAR has motivated our work .Our proposed PRBAC falls into the category, access control based approach; based on Roles concept, the type of policy is Role based and the target system is Privacy preservation in data mining in the context of databases which can be built over existing database technologies. We illustrate this idea taking into account the flexibility of role based access control models which satisfies the companies and organizations dynamicity.
3. Privacy Preservation in PRBAC Clifton gave a complete discussion on how to define privacy for data mining. According to there are two different views on privacy: Individual privacy: protecting individual data, and corporate privacy- the release of information about a collection of data rather than an individual data item. We refer to individual’s privacy for our PRBAC focus. In the following section, we present the preliminary concept and additional requirements for an access control model for PRBAC.
3.1 Preliminary for privacy preserving for PRBAC Type of Policy: laws according to which accesses are controlled. Policy in access control models can be classified into mandatory, discretionary, role- based. In PRBAC the policy type is Role based policy since users are assigned to roles and roles have certain permission for objects. Type of Subject is a human being. Type of Object: In we have two types of objects. Object types are Text document, Audio file, video file, web board, power point presentation file (PPT), Adobe acrobat file (PDF), ETC. Sensitive object types could be Database table, Columns, Rows, in specific tables predetermined by System Administrator and accessed only according to role permission. Target System: PRBAC targets Privacy preservation in data mining, in the context of databases. Type of Control: Oriented to control the access control of information. Security Aspects: The focus is mainly on secrecy, however integrity is also guaranteed implicitly since this access control model does not allow users to update the data.
3.2 Additional PRBAC model
requirement
for
Must be based on the role based concept. Users associated with certain role can not delegate their access rights to other Users are granted rights to access only parts of the data that they need to perform their mining tasks. The access control of PRBAC might be able to deal with multiple users mining concurrently, but the same user can not have multiple active sessions. A user can never have an active mining session that is not authorized for that user.
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
A user can perform an operation reading, mining) only if the user’s role permission is authorized for the role session in which the user is currently active.
4. PRBAC Model A preliminary concept to PRBAC model is presented in this section, and then we introduce PRBAC model specifications.
4.1 Traditional Role based access control RBAC (Sandhu, Feinstein has been one of the most known approaches to protect information in the context of relational databases which prevents users obtaining a sufficiently large and varied sample of a database. The model is based on three sets of entities called users roles (R) and permissions a role can have much permission and the same permissions can be assigned to many roles. A permission is an approval of a particular mode of access to one or more objects in the system. The terms authorization, access right and privilege are also used in the literature to denote permission. Although RBAC ensures that only authorized users are given access to certain data or resource, it does not prevent users from finding patterns that they are not supposed to discover using data mining
4.2 PRBAC model Our proposed PRBAC is designed to resolve the problem of finding patterns that they are not supposed to be discovered by the addition of sensitive objects SOBS. Figure1 shows our PRBAC model components.
.-
Figure 1 PRBAC Model
Our proposed PRBAC model is defined as follows: User U: A user in this model is a human being, intelligent autonomous agents such as robots, immobile computers, or even networks of computers. For simplicity, we focus on a user as a
human being. Role R and Role hierarchy A role is a job function or job title within the organization with some associated semantics regarding the authority and responsibility conferred on a member of the department manager). Role hierarchy role (RH) in is a natural way of organizing roles to reflect the organization’s lines of authority and responsibility Department managers). A senior junior roles role can inherit permissions department manager can inherit the deputy manager’s role permission). Note that we assume no Role delegation in the Role hierarchy in this paper. Permission P: Permission is an approval of a particular mode of access to one or more objects in the system. Session S: A user establishes a session during which he activates some subset of roles that he or she is a member Object OB: An entity that contains or receives information, or has exhaustible system resources Text document, Audio and Video files, PPT files ETC.). Sensitive object SOB : sensitive objects (is predetermined by the database administrator (DBA) or system administrator and it differs role permission, could be according to Database Table, columns, Rows, in specific tables ). In order to access the sensitive objects, our model has two operations namely: include and discard. Entity Relationships in PRBAC model Users and Roles many-to-many user to role assignment relation. Roles and Permissions : many to many: A role can have much permission and the same permissions can be assigned to many roles. Permissions and Object : many to Many: A permission is an approval to one or more objects in the system. Permissions and SOBS : many to Many: A permission is an approval to one or more sensitive objects in the system according to Role permission Users and Sessions A user establishes a session during which he activates some subset of roles that he is a member of Sessions and Roles : many to many: Each session is a mapping of one user to possibly many roles. Operation I : Include means that the Role permission has an access to certain sensitive If any user is satisfied this operation, then will be allowed to include the sensitive data during data mining. This operation can be expressed as (U R SOBS P) {include}
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
Operation 2: Discard can not access the sensitive objects. If any user is satisfied this operation, then will be replaced by NULL value privacy data during data mining. This operation can be expressed as (U R SOBS" P) {discard} model represents Policy: Policy in one task during the active role and consists of the following set : ob, sob, where is user; r is assigned role for each user; ob and sob represent general object list and sensitive object list respectively. is a permission to general object and is permission for sensitive objects; And finally op is the operation that answers whether or not the specified role permission is given an access to a certain SOBS. The process of privacy preservation is described he following major steps If (user == activity) session then disconnect; mutually exclusive tasks Else if (user != activity) that attempt to login then (userid and password); else if user users then get Role from Role table Create session Session start and end time) Get Role permission from Permission table Get general and sensitive objects fmrn Disk and Tables respectively Get list of each object permission, SOBS permission Compare Role permission to object and SOBS permissions policy to miner Engine sob, Close All Completed tasks;
Figure 2 Authentication process
In here, each role permission will be compared to the selected SOBS permission and automatically replace a NULL value to each unmatched permission. The combination of the policy, tables, allowed object lists are the input of the mining stage. The output is the extracted knowledge using the existing mining method, so in our model, there is no need to modify any of the existing mining methods.
5. The Privacy Preservation Process In this part, the terminology mentioned in the previous section will be used to show the scenario of use for our model, for the web-based educational site. Data mining methods, such as classification are useful in web-based educational systems, and can be applied to discover interesting associations based on students' features and the actions taken by students in solving homework and exam problems the paper tries to answer the following question: Can we find classes of students? In other words, do there exist groups of students who use these online resources in a similar No doubt that such question will raise the way? privacy issue, because of protecting student's privacy is a necessity for such applications. For instance, let's consider this scenario in which there is a web-based educational site that provides online testing materials (Text, files, PDF files, Audio and Video of language exams serious TOEFL, for site members and TOEIC, GRE and ETC area for guests; the site visitors are mainly students who use these materials for the sake of training or preparing for tests. This site has two types of teachers who upload the educational materials, full-time and part time teacher each of them are assigned to role and has a limited write, set grades, modify ,upload, and delete). The site database relations shows figure
4. ( ID, Name User to Class ID, Name, User}, Permission ( ID, Name), Role to Permission , Input: Select allowed attribute-list in each table) from The original DB thmugh materialized view; with NULL value Replace each SOBS the Role permission is not allowed to select that SOBS; else disconnect; : discovered patterns Method :using existing mining algorithm
Figure 3 Mining process
ID, Type,
Figure 4 site database relations (The bolded italic attributes shows the sensitive objects in the relations) Site members can perform certain tasks on the objects according to their roles permission (Read, write to board, execute audio and video, download files). That is, each user must be registered during active role session. Each of site members own personal data that contains general has data such as name or registered class and sensitive
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
(SOBS) data such as age, sex and telephone, stored in a database and can not be disclosed by anyone except the data owner. The site is using web based Association rules mining engine that helps in extracting knowledge from the site database, both the site Administrator and the teachers are allowed to use this mining engine, which course are likely to imply another course) , the association will be the in the TOEFL) [support, form takes (x, TOIEC) confidence] Such knowledge helps the site owner to the provided classes and at the same time requires access to normal and sensitive data.
5.1 Process description Figure shows the whole process framework. The process of protecting privacy of sensitive objects is accomplished in two major steps as follows: Through the web based user interface, the user enters user id and password. The first step is that the authentication module performs the following steps: Checks the user existence from the users database, Alice), gets the user role from the Role of Alice: Full-time teacher), role database. and gets role permission from permission database permission of teacher Alice: read, write, upload, modify). The goal of this step is build the PW, Role, Permission> Materialized policy view appears showing the allowed attribute lists in each resource set. ..... .......
...........
Figure 5 Process framework Let's assume that the site administrator determines the student's age, sex, telephone, job and scores as SOBS, then automatically it will be replaced by NULL to the each unmatched role permission and include it in their mining processes. Hence, if we have three users (Administrator, Parttime teacher and member student) accessing the site, then three different policies will be generated. We observe the following three different policies: Policy-1. For Admin policy: Admin, {all}, {all}, {age, address, sex, tel, Policy-2. For Part-time teacher policy: Jain, Part-time teacher, {all}, {all}, {age, address, sex, tel, j o b ,
Policy-3. For Member student policy: Member-student, {all},
{all},
For example, Jain wants to get some information (student name, age, class level, score, etc) about all students in her class. If she tries to extract knowledge from the database, then she obtains her policy Jain, Part-time teacher, {all}, {all}, Where Jain is user name, Part-time teacher is the assigned role, {all} stands for the general objects (ppt, pdf, audio {all} is the assigned privilege for these objects (read, write, execute, etc), {age, address, sex, the tel, job} stands for the sensitive objects, privileges for the sensitive objects. The second step is the mining step. In order for Jain to extract knowledge, firstly according to her policy, our framework generates a materialized view that contains NULL values for some attributes (unmatched sensitive objects permission) according to Jain's policy. In Jain case, she can access only her sensitive objects (name and class) and a NULL value instead of the score attribute in the materialized view. Therefore, we can protect privacy during extracting the knowledge. Hence, each an unmatched permission with the SOBS permission will be replaced by NULL value in the materialized view and no longer included in the mining engine.
6. Conclusion and future work The major contributions paper are: Privacy preserving data mining using an extended Role based access control called PRBAC, can be used over existing technologies and an efficient method that prevent sensitive attributes disclosure. We analyzed the necessary security requirements for an access control model of PRBAC, provided a scenario of use for an application area of PRBAC, and we have provided a conceptual foundations and introduced basic definitions of our model. Our proposed model has two modules: Authentication which checks for the Role existence and the assigned Role permission where it verifies the SOBS permission materialized view module which matches the sensitive attributes and replace them with NULL value if the role permission is not allowed to select that objects, and the existing data mining technique. This paper contribution is by no means meant to be complete and comprehensive. Rather, our primary goal is to step forward toward motivating richer discussion about applying our extended PRBAC for privacy preserving data in mining. We argue that our PRBAC is an insuring sensitive attributes disclosure and will limit the privacy breaches. Future work will examine the Role delegation. Our aim is to develop efficient and
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
methods feasible individual's privacy.
without
sacrificing
7. References Clifton and Murat Kantarcioglu and Jaideep Vaidya. Defining Privacy for Data Mining. In Proceedings of the National Science Foundation Mining, November Workshop on Next Generation 3, 2002, Baltimore, MD. Invited paper. [2] A. C. Yao. How to generate and exchange secrets. In Proceedings of the 27th IEEE Symposium on Foundations of Computer Science, pages 162.167. 986 [3] S. Verykios, E. Bertino, I. N. L. P. Y. Saygin, Theodoridis. State-of-the-art in Privacy Preserving Data Mining. SIGMOD Record, Vol. 33, No. Pages: 50 2004 [4] Mike J. Elisa Bertino, Ahmed K. Elmagarmid, Mohamed and Vassilios S. Verykios, Disclosure Limitation of Sensitive Rules, In Proceedings of the IEEE Knolwedge and Data Engineering Workshop [5] Elena Vassilios S. Verykios, Ahmed K. and Elisa Bertino, Hiding Association Rules by using Confidence and Support In Proceedings of the 369.383. 4th Information Hiding Workshop [6] Saygin, Vassilios and Ahmed K. Privacy preserving association rule mining, In Proceedingsof International Workshop on Research Issues in Data Engineering pages 151.158. [7] Chang and Ira S. Moskowitz, Parsimonious downgrading and decision trees applied to the inference problem, In Proceedings of the 1998 New Security Workshop 82.89. 10. [8] Rakesh Agrawal, Srikant. Privacy Preserving Data Mining. ACM SIGMOD, 2000. Agrawal, Johannes Gehrke. Privacy Preserving Mining of Association Rules. SIGKDD 02 Edmonton, Alberta, Canada. C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin and M. Y. Zhu. Tools for Privacy Preserving Distributed Data Mining. In SIGKDD Explorations, 28-34 December 2002. Murat Kantarcioglu, Chris Clifton. Mining of association IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, 2003. Jaideep Vaidya, Chris Clifton. Privacy Preserving Association Rule Mining in Vertically Partitioned Data. 2002. [ Means over Partitioned Data. SIGKDD August 2427,2003, Washington, DC, USA. D. and C. C. On the design and quantification of privacy preserving data mining algorithms. In Proceedings o f the Twentieth ACM SIGACTSIGMOD- SIGART Symposium on Principles of Database Systems, pages 247.255, Santa Barbara, California, USA, May 21-23 2001
[ Stanley R. M. , Osmar R. Foundationsfor an access control modelfor privacy preservation in multi-relational association rule mining. In Proceedings of the IEEE international conference on Privacy, security and data mining -Volume 14 Maebashi City, Japan Pages: 26 ,2002 [ Johannes, Gehrke, Limiting privacy breaches in privacy preserving data mining. In Proceedings of thetwentysymposium on Principles of database systems 2003 Stanley R. M. Osmar R. Protecting Knowledge By Data Sanitization. In Proceedings of the Third IEEE International Conference on Data Mining. 2003 Rakesh Agrawal, Tomasz imielinski, and Arun Swami. Mining association rules between sets of items in large databases. In Proceedings of the ACM Conference on Management of Data, pages 207-216, Washington, D. C., May 1993. Ravi S. Edward J. Coynek, Hal L. Feinsteink and Charles E. Youmank. Role-Based Access Control Models. IEEE Computer Society Press Alamitos, CA, USA, - 47 February 1996. Minaei-Bigdoli, B., Kortemeyer, G, Punch, W.F., "Enhancing Online Learning Performance: An Application of Data Mining Methods", The 7th IASTED International Conference on Computers and Advanced Technology in Education (CATE pp 173-178, Hawaii, USA, August 2004
,
,
Acknowledgement This work was supported by Electronics and Telecommunications Research Institute, Regional Research Centers Program and University IT Research Center Project in Korea
Proceedings of the Fourth Annual ACIS International Conference on Computer and Information Science (ICIS’05) 0-7695-2296-3/05 $20.00 © 2005 IEEE
