
Thread: Database Inference

  1. #1
    Join Date
    Nov 2008
    Posts
    1

    Database Inference

    I'm currently a member of a research team within a large university setting that was presented with the goal of determining the role of database inference in IT. This includes developing a concise definition of database inference, as well as determining its applicability both as an attack vector and as a mechanism for predictive database analytics. In doing this, our goal is primarily to develop course sections on the topic for integration into some of our DBA and IT courses. It would be a great help if some industry professionals could give me their take on database inference, such as a suitable definition, and if/how it differs from other attacks, mainly SQL injection. This, as well as any other comments or experience you have on the topic, would make it much easier for us to figure out what aspects of inference to focus on.

    Thanks in advance.

  2. #2
    Join Date
    Sep 2002
    Location
    Fantasy
    Posts
    4,254
    Database inference could happen when there is unauthorized access or an authorized person misusing their authority.

    Unauthorized access could be passive or active, and the intention of gaining access is to attack.

    Misuse of authority could be intentional or unintentional. An authorized person should have the right code of conduct.

    As far as the definition is concerned... try this
    http://phoenix.goucher.edu/~kelliher...s325/nov08.pdf

  3. #3
    Join Date
    Jan 2009
    Posts
    2

    Methods to deter Inference

    So here's my question... what techniques do folks use currently to deter inference? Polyinstantiation is what I'm finding in documentation, but I'm curious to hear from actual DBAs working with this.

    Thanks!

  4. #4
    Join Date
    Nov 2002
    Location
    New Jersey, USA
    Posts
    3,932
    I have been a DBA for 10 years and I don't know what polyinstantiation is.

    But we do use the auditing features of the database to record any unauthorized access attempt. Also, depending on the sensitivity of the data, any changes in data can be audited.

    A lot of effort is undertaken to lock down the systems as far as possible, with the least possible privilege granted to authorized users and securing the database with strong passwords, removing default accounts/passwords, applying security patches, etc.

  5. #5
    Join Date
    Sep 2002
    Location
    Fantasy
    Posts
    4,254
    Also, there should be a balance. If you audit too much information then it costs a lot of resources and archiving and whatnot.

    If you audit too little then SOX or E&Y will be after you.

  6. #6
    Join Date
    Jan 2009
    Posts
    2

    Polyinstantiation

    Polyinstantiation is used in MLS (multilevel security) databases... for example, when you have data stored at different security levels (confidential, secret, top secret, etc.). Does anyone on here have experience working with such database systems?

  7. #7
    Join Date
    Nov 2002
    Location
    New Jersey, USA
    Posts
    3,932
    Oracle provides a feature called label security which allows you to label individual records with such tags. It was first developed for government agencies to secure their data.

  8. #8
    Join Date
    Sep 2002
    Location
    Fantasy
    Posts
    4,254
    Level 1 clearance, level 2 clearance and so on can be built into application coding. It is merely business logic. Basically you encrypt the tagged rows with different encryption, create views based on the tagged rows, and give a special user and permission to those views.
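
An added example (not code from any poster in this thread) tying together the label-filtered views from #8 and the polyinstantiation asked about in #3 and #6: with a single-column key, a low-clearance insert is rejected because of a row the writer cannot see, which tells them the row exists; putting the label in the key removes that signal. The table, view names, labels and sample rows are constructed, and because SQLite has no GRANT, choosing a view by clearance stands in for per-user permissions on the views.

```python
import sqlite3

LEVELS = {"confidential": 1, "secret": 2, "top_secret": 3}  # constructed labels

def build(polyinstantiated: bool) -> sqlite3.Connection:
    """Create a labeled table; the key includes the label only when polyinstantiated."""
    key = "PRIMARY KEY (flight, label)" if polyinstantiated else "PRIMARY KEY (flight)"
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE cargo (flight TEXT, payload TEXT, label INTEGER, {key})")
    # One view per clearance level: a reader sees rows at or below that level.
    for name, lvl in LEVELS.items():
        db.execute(f"CREATE VIEW cargo_{name} AS SELECT flight, payload, label "
                   f"FROM cargo WHERE label <= {lvl}")
    # Constructed sample row stored at the highest level.
    db.execute("INSERT INTO cargo VALUES ('F100', 'restricted equipment', 3)")
    return db

def read_as(db, clearance):
    """Rows visible through the view for this clearance, lowest label first."""
    sql = f"SELECT flight, payload FROM cargo_{clearance} ORDER BY label"
    return db.execute(sql).fetchall()

def insert_as(db, clearance, flight, payload):
    """Insert at the writer's own level; report whether the database accepted the row."""
    try:
        db.execute("INSERT INTO cargo VALUES (?, ?, ?)",
                   (flight, payload, LEVELS[clearance]))
        return True
    except sqlite3.IntegrityError:
        return False  # key collision with a row the writer cannot see

def demo():
    """Run the same low-clearance insert against both key designs."""
    results = {}
    for mode in (False, True):
        db = build(mode)
        before = read_as(db, "confidential")
        accepted = insert_as(db, "confidential", "F100", "spare parts")
        results[mode] = (before, accepted,
                         read_as(db, "confidential"), read_as(db, "top_secret"))
    return results

if __name__ == "__main__":
    for mode, outcome in demo().items():
        print("polyinstantiated" if mode else "single key", outcome)
```

In the single-key run the confidential user sees no F100 row yet cannot insert one, so the rejection itself is the inference channel; in the polyinstantiated run both rows coexist and each level reads its own.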
