@unpublished{stunes-search, author ="Mike Stunes", title ="Addressing Privacy Leakage from Search Engine Logs", note ="Internal DIG Report", month ="August", year ="2008" } @article{n3logic, author ="Tim Berners-Lee and Dan Connolly and Lalana Kagal and Yosi Scharf and Jim Hendler", title ="N3Logic: A Logical Framework For the World Wide Web", journal ="Journal of Theory and Practice of Logic Programming", year ="2007" } @article{info-account, author ="Daniel J. Weitzner and Harold Abelson and Tim Berners-Lee and Joan Feigenbaum and James Hendler and Gerald Jay Sussman", title ="Information Accountability", journal ="Communications of the ACM", year ="2008", month ="June" } @article{air, author ="Lalana Kagal and Chris Hanson and Daniel Weitzner", title ="Using Dependency Tracking to Provide Explanations for Policy Management", journal ="IEEE Policy 2008", year ="2008", URL ="http://dig.csail.mit.edu/2008/Papers/IEEE Policy/air-overview.pdf" } @inproceedings{rein, author ="Lalana Kagal and Tim Berners-Lee and Dan Connolly and Daniel Weitzner", title ="Using Semantinc Web Technologies for Policy Management on the Web", booktitle="21st National Conference on Artificial Intelligence (AAAI)", year ="2006", month ="July", URL ="http://dig.csail.mit.edu/2006/Papers/AAAI/" } @inproceedings{datafly, author ="Latanya Sweeney", title ="Guaranteeing Anonymity when Sharing Medical Data: the Datafly System", booktitle="AMIA Annual Fall Symposium", year ="1997", URL ="http://www.amia.org/pubs/symposia/D004462.pdf" } @article{kanon, author ="Latanya Sweeney", title ="k-Anonymity: A Model for Protecting Privacy", journal ="International Journal on Uncertainty, Fuzziness, and Knowledge-Based Systems", year ="2002", pages ="555-570", volume ="10 (5)" } @article{kanon2, author ="Latanya Sweeney", title ="Achieving k-Anonymity Privacy Protection Using Generalization and Suppression", journal ="International Journal on Uncertainty, Fuzziness, and Knowledge-Based Systems", year ="2002", pages ="571-588", volume ="10 (5)" } @article{idangel, author ="Latanya Sweeney", title ="Protecting Job Seekers from Identity Theft", journal ="IEEE Internet Computing", year ="2006", month ="March-April", pages ="74-79" } @inproceedings{rbac, author ="David F. Ferraiolo and D. Richard Kuhn", title ="Role-Based Access Controls", booktitle ="15th National Computer Security Conference", year ="1992", month ="October", pages ="554-563" } @inproceedings{rulebased, author ="Huiying Li and Xiang Zhang and Honghan Wu and Yuzhong Qu", title ="Design and Application of Rule Based Access Control Policies", booktitle ="ISWC Workshop on Semantic Web and Policy", year ="2005", pages ="34-41", URL ="http://iws.seu.edu.cn/publications/lzwq05" } @inproceedings{creative-commons, author ="Oshani Seneviratne and Lalana Kagal and Daniel Weitzner and Hal Abelson and Tim Berners-Lee and Nigel Shadbolt", title ="Detecting Creative Commons License Violations on Images on the World Wide Web", booktitle ="WWW2009", year ="2009", month ="April" } @misc{sparql, key ="W3C", title ="SPARQL Query Language for RDF", booktitle ="W3C Recommendation", month ="January", year ="2008", howpublished ="\url{http://www.w3.org/TR/rdf-sparql-query/}", URL ="http://www.w3.org/TR/rdf-sparql-query/" } @Article{ Kamra, title = "Detecting Anomalous Access Patterns in Relational Databases", author = "Ashish Kamra and Evimaria Terzi and Elisa Bertino", journal = "VLDB Journal: The International Journal on Very Large Data Bases", publisher = "Springer Berlin / Heidelberg", year = "2007", abstract = "A considerable effort has been recently devoted to the development of Database Management Systems (DBMS) which guarantee high assurance and security. An important component of any strong security solution is represented by Intrusion Detection (ID) techniques, able to detect anomalous behavior of applications and users. To date, however, there have been few ID mechanisms proposed which are specifically tailored to function within the DBMS. In this paper, we propose such a mechanism. Our approach is based on mining SQL queries stored in database audit log files. The result of the mining process is used to form profiles that can model normal database access behavior and identify intruders. We consider two different scenarios while addressing the problem. In the first case, we assume that the database has a Role Based Access Control (RBAC) model in place. Under a RBAC system permissions are associated with roles, grouping several users, rather than with single users. Our ID system is able to determine role intruders, that is, individuals while holding a specific role, behave differently than expected. An important advantage of providing an ID technique specifically tailored to RBAC databases is that it can help in protecting against insider threats. Furthermore, the existence of roles makes our approach usable even for databases with large user population. In the second scenario, we assume that there are no roles associated with users of the database. In this case, we look directly at the behavior of the users. We employ clustering algorithms to form concise profiles representing normal user behavior. For detection, we either use these clustered profiles as the roles or employ outlier detection techniques to identify behavior that deviates from the profiles. Our preliminary experimental evaluation on both real and synthetic database traces shows that our methods work well in practical situations.", issn = "1066-8888", url = "http://www.springerlink.com/content/n001w7182583465m/", } @INPROCEEDINGS{Cathey03misusedetection, author = {Rebecca Cathey and Ling Ma and Nazli Goharian and David Grossman}, title = {Misuse Detection for Information Retrieval Systems}, booktitle = {ACM 12th Conference on Information and Knowledge Management}, year = {2003} } @INPROCEEDINGS{demids, author = {Christina Yip Chung and Michael Gertz and Karl Levitt}, title = {DEMIDS: A misuse detection system for database systems}, booktitle = {In Third International IFIP TC-11 WG11.5 Working Conference on Integrity and Internal Control in Information Systems}, year = {1999}, pages = {159--178}, publisher = {Kluwer Academic Publishers} } @INPROCEEDINGS{Deutsch05privacyin, author = {Alin Deutsch and Yannis Papakonstantinou}, title = {Privacy in database publishing}, booktitle = {In ICDT}, year = {2005} } @INPROCEEDINGS{Qiu85trustedcomputer, author = {Lili Qiu and Yin Zhang and Feng Wang and Mi Kyung and Han Ratul Mahajan}, title = {Trusted Computer System Evaluation Criteria}, booktitle = {National Computer Security Center}, year = {1985}, url ="http://nsi.org/Library/Compsec/orangebo.txt", } @misc{mysql, title ="MySQL 6.0 Reference Manual", author ="{MySQL A.B.} and {Sun Microsystems}", key ="MySQL", year ="2009", howpublished ="\url{http://dev.mysql.com/doc/refman/6.0/en/index.html}", } @misc{acl-oracle, title ="Access Control Features in Oracle", author ="Ji-Won Byun", year ="2005", month ="April", howpublished ="\url{http://www.cs.purdue.edu/homes/ninghui/courses/Spring05/lectures/Oracle.pdf}" } @misc{oracle, title ="Oracle Database Security Guide, 10g Release 1", author ="Laurel P Hale and Jeffrey Levinger", year ="2003", month ="December", howpublished ="\url{http://www.stanford.edu/dept/itss/docs/oracle/10g/network.101/b10773/title.htm}", } @inproceedings{dac-db, author ="Roshan K. Thomas and Ravi S. Sandhu", title ="Discretionary Access Control in Object-Oriented Databases: Issues and Research Directions", booktitle ="National Computer Security Conference", year ="1993", month ="September", pages ="63-74", url ="https://eprints.kfupm.edu.sa/35285/", } @INPROCEEDINGS{rbac-commercial, author = {Ramouli Ramaswamy and Ravi S}, title = {Role-based access control features in commercial database management systems}, booktitle = {In Proceedings of 21st NIST-NCSC National Information Systems Security Conference}, year = {1998}, pages = {503--511} } @misc{spasql, title ="SPASQL: SPARQL Support In MySQL", author ="Eric Prud'hommeaux", year ="2007", month ="June", howpublished ="\url{http://www.w3.org/2005/05/22-SPARQL-MySQL/XTech}", }