Sep 24, 2009 - db user. medB â (cancer ⨠flu), ¬flu query: medB answer: medB. Here: modify input database, i.e., remove or add entries (similiar to.
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Using SAT-Solvers to Compute Inference-Proof Database Instances Cornelia Tadros and Lena Wiese Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
September 24, 2009
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
1 / 19
Introduction :: Inference Control
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Outline 1
Introduction Inference Control Controlled Query Evaluation Preprocessing for CQE
2
Using SAT-Solvers for preCQE
3
preCQE Prototype and Tests
4
Conclusion
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
2 / 19
Introduction :: Inference Control
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Inference control Protect confidential and private information in database instance db Personalized security (confidentiality) policy pot sec Personalized availability requirements avail User profile (a priori knowledge) prior IC system automatically distorts some answers Avoids harmful user inferences: query: medB medB → (cancer ∨ flu), ¬flu
db answer: medB user
Here: modify input database, i.e., remove or add entries (similiar to Cover Stories; eg. Cuppens et al, 2001) Automatically generate “inference-proof” output instance C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
3 / 19
Introduction :: Controlled Query Evaluation
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Prior work: Controlled Query Evaluation (CQE) (Biskup/Bonatti, 2007; Biskup/Wiese, 2008)...
In (Biskup/Bonatti, 2007)... logical view of relational data model In ( Biskup/Wiese, 2008) and in the following: propositional data model Infinite propositional alphabet P Complete database instance as finite set of entries (propositional variables in P) All propositional formulas over P as query language (Biskup/Wiese, 2008) presents a branch & bound algorithm to
precompute an inference-proof propositional instance In this work precomputation employing SAT-solver technology
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
4 / 19
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Introduction :: Preprocessing for CQE
preCQE: Preprocessing for CQE
maintains
db
dbadm Q
declares
secadm
= h�1 �2 ;
pot sec
declares
queries
pre CQE
db 0
avail A
declares
prior
; : : :i
answers
user
= heval (�1 )(db 0 ) eval � (�2 )(db 0 ) �
; ;
: : :i
useradm
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
5 / 19
Introduction :: Preprocessing for CQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Example P = {cancer, aids, flu, cough, . . . , medA, medB, medC, . . . } db = {cancer, aids, medA, medB} with the query evaluation function eval ∗ (Φ)(db) = if I db |= Φ then Φ else ¬Φ In our example:eval ∗ (flu)(db) = ¬flu and eval ∗ (cancer)(db) = cancer pot sec = {cancer, aids}
C. Tadros
avail
= {medA ∧ medB, medB}
prior
= {¬medA ∨ cancer ∨ aids, ¬medB ∨ cancer ∨ flu}
Using SAT-Solvers to Compute Inference-Proof Database Instances
6 / 19
Introduction :: Preprocessing for CQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Preprocessing for CQE Definition: Inference-proofness of db 0 0
1
[Consistency]
I db |= prior
2
[Confidentiality]
I db 6|= Ψ for every Ψ ∈ pot sec
0
db = {cancer, aids, medA, medB} is not inference-proof for pot sec = {cancer, aids} and prior = {¬medA ∨ cancer ∨ aids, ¬medB ∨ cancer ∨ flu} db 01 = {medB, flu} and db 02 = ∅ are inference-proof Find db 0 that satisfies constraint set C := prior ∪ Neg(pot sec) with Neg(pot sec) := {¬Ψ | Ψ ∈ pot sec}. In our example: C := {¬medA ∨ cancer ∨ aids, ¬medB ∨ cancer ∨ flu, ¬cancer, ¬aids} C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
7 / 19
Introduction :: Preprocessing for CQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Definition: Availability / distortion distance avail dist(db 0 ) := ||{Θ ∈ avail | eval ∗ (Θ)(db 0 ) 6= eval ∗ (Θ)(db)}|| avail distcounts amount of modifications regarding the availability policy db dist(db 0 ) := ||{A ∈ P | eval ∗ (A)(db 0 ) 6= eval ∗ (A)(db)}|| db distcounts amount of modifications between db 0 and db Objectives (in descending order of priority): 1 2 3
construct inference-proof instance db 0 minimize availability avail dist(db 0 ) → min minimize distortion db dist(db 0 ) → min
No user history (log file) has to be stored db 0 can be accessed by a user modeled by prior without control but with the protection of pot sec
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
8 / 19
Using SAT-Solvers for preCQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Outline
1
Introduction
2
Using SAT-Solvers for preCQE
3
preCQE Prototype and Tests
4
Conclusion
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
9 / 19
Using SAT-Solvers for preCQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
SAT-Solver technology Motivation: Goal: Find (propositional) interpretation satisfying C := prior ∪ Neg(pot sec) with Neg(pot sec) := {¬Ψ | Ψ ∈ pot sec} under optimization benefit from elaborated SAT-Solver technology
yearly “SAT competition” including the “MAXSAT evaluation” for optimization problems connected with SAT, e.g. W-PMSAT
Definition W-PMSAT Given (propositional) clauses associated with weights (non-negative integers) Find an interpretation with maximal sum of weights of satisfied clauses, so that all clauses with highest weight (hard constraints) are satisfied C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
10 / 19
Using SAT-Solvers for preCQE
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
W-PMSAT instances for preCQE Three levels of constraints (clauses): 1 2 3
C1 with weight w1 := 1 C2 with weight w2 := card(C1 ) ∗ w1 + 1 C3 with weight w3 := card(C2 ) ∗ w2 + card(C1 ) ∗ w1 + 1
for three objectives (in ascending order of priority): 1
Distortion S Minimization: C1 := A∈Pdecision eval ∗ (A)(db) with weight w1 Pdecision
C. Tadros
= {cancer, aids, flu, medA, medB}
db
=
{cancer, aids, medA, medB}
C1
=
{cancer, aids, ¬flu, medA, medB} with weight w1 = 1
Using SAT-Solvers to Compute Inference-Proof Database Instances
11 / 19
Using SAT-Solvers for preCQE
2
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Availability Preservation: C2 := {SΘ | Θ ∈ avail } with weight w2 avail
= {medA ∧ medB, medB}
C2 = {SmedA∧medB , SmedB } with weight w2 = card(C1 ) + 1 = 6 3
Hard Constraints (incl. Inference-Proofness): C3 := C ∪ {c ∨ ¬SΘ | c clause of cnf (eval ∗ (Θ)(db)), Θ ∈ avail } with weight w3 and C := prior ∪ Neg(pot sec) C3 := C ∪ {medA ∨ ¬SmedA∧medB , medB ∨ ¬SmedA∧medB , medB ∨ ¬SmedB } with weight w3 = card(C2 ) ∗ w2 + card(C1 ) ∗ w1 + 1 = 2 ∗ 6 + 5 ∗ 1 + 1 = 18
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
12 / 19
preCQE Prototype and Tests
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Outline
1
Introduction
2
Using SAT-Solvers for preCQE
3
preCQE Prototype and Tests Implementation Test Cases
4
Conclusion
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
13 / 19
preCQE Prototype and Tests :: Implementation
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Implementation of Prototype TPTP format dbadm
TPTP format
TPTP secadm format TPTP format
db pot sec avail
weight assignation
prior
SAT solver
useradm
pre CQE view
C. Tadros
TPTP conversion auxiliary constraints
TPTP
format format conversion pre CQE core
db 0 pre CQE view
Using SAT-Solvers to Compute Inference-Proof Database Instances
14 / 19
preCQE Prototype and Tests :: Implementation
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
User interface
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
15 / 19
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
preCQE Prototype and Tests :: Test Cases
Test Case: Different patient types 250
seconds
deviation total runtime deviation 200solver runtime
rep. 1 25 50 75 100 125 150
150 100 50 0
0
20
40 60 80 100 120 repetitions per patient type
140
dec. vars. 120 3000 6000 9000 12000 15000 18000
clauses soft hard 120 96 3000 2400 6000 4800 9000 7200 12000 9600 15000 12000 18000 16800
160
pot sec = {cancer, aids} and prior = {¬medA ∨ cancer ∨ aids, ¬medB ∨ cancer ∨ flu}
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
16 / 19
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
preCQE Prototype and Tests :: Test Cases
Test Case: Availability Policy 600
seconds
deviation total runtime 500 deviation solver runtime 400
rep. 1 25 50 75 100 150 200 250 300 350
300 200 100 0
0
50
100 150 200 250 repetitions per patient type
300
dec. vars. 65 1625 3250 4875 6500 9750 13000 16250 19500 22750
low 65 1625 3250 4875 6500 9750 13000 16250 19500 22750
clauses aux. 26 650 1300 1950 2600 3900 5200 6500 7800 9100
hard 78 1950 3900 5850 7800 11700 15600 19500 23400 27300
350
avail = {n1 medA, n1 medB, n2 medA, n2 medB, . . . }
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
17 / 19
Conclusion
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Outline
1
Introduction
2
Using SAT-Solvers for preCQE
3
preCQE Prototype and Tests
4
Conclusion
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
18 / 19
Conclusion
Fakult¨ at f¨ ur Informatik LS 6 (ISSI)
Achievements and open subjects
precomputation of an inference-proof, availability-preserving and distortion-minimal instance by data modification (“lying”) by translation to W-PMSAT and use of SAT-Solver technology promising test results for a large number of database entries extension to relational data model update of policies or database instance
C. Tadros
Using SAT-Solvers to Compute Inference-Proof Database Instances
19 / 19
