Information disclosure by answers to XPath queries
Journal of Computer Security - Selected papers from the Third and Fourth Secure Data Management (SDM) workshops
Information disclosure by XPath queries
SDM'06 Proceedings of the Third VLDB international conference on Secure Data Management
Hi-index | 0.00 |
Whenever private information that is legally used by multiple employees of a company has been illegally exposed to a third party, it is of significant importance to the concerned company to find the information leak in its staff for a variety of reasons, e.g., to keep confidence of its customers. In this paper, we present a privacy audit system for XML databases and the XPath query language which uses the concept of an audit query to describe the secret information. For a given audit query, our system returns a set of suspicious user queries that may have used the secret information. Suspicious user queries are identified in a sequence of four steps: first, a static analysis based on the time constraints; second, a comparison of the nodename tests of the audit query and the user queries; third, an analysis of the associations of the node-name tests found in the audit query and in the user queries; and finally, a test on 'historic data'. Furthermore, we discuss privacy violation detection in case of an attacker who submits multiple queries and externally compares the results.