Optimal Disclosure Limitation Strategy in Statistical Databases: Deterring Tracker Attacks Through Additive Noise
journal contribution
posted on 1998-01-01, 00:00, authored by George T. Duncan, Sumitra Mukherjee
Disclosure limitation methods transform statistical databases to protect confidentiality. A statistical database
responds to queries with aggregate statistics. The database administrator should maximize legitimate data
access while keeping the risk of disclosure below an acceptable level. Legitimate users seek statistical
information, generally in aggregate form; malicious users—the data snoopers—attempt to infer confidential
information about an individual data subject. Tracker attacks are of special concern for databases accessed
online. This article derives optimal disclosure limitation strategies under tracker attacks for the important case
of data masking through additive noise. Operational measures of the utility of data access and of disclosure
risk are developed. The utility of data access is expressed so that tradeoffs can be made between the quantity
and the quality of data to be released.
The article shows that an attack by a data snooper is better thwarted by a combination of query restriction and
data masking than by either disclosure limitation method separately. Data masking by independent noise
addition and data perturbation are considered as extreme cases in the continuum of data masking using
positively correlated additive noise. Optimal strategies are established for the data snooper. Circumstances are
determined under which adding autocorrelated noise is preferable to using existing methods of either
independent noise addition or data perturbation. Both moving average and autoregressive noise addition are
considered.
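The following is an added worked example, not code from the article: it simulates the attack setting the abstract describes so the interaction between query restriction and additive noise can be seen numerically. The table, the record values, the query-set-size rule (answer only if k <= |S| <= n-k) and the per-record AR(1) noise model are all constructed here for illustration; the article's own noise models, utility measures and optimality results are not reproduced. In this model the autocorrelation parameter rho spans the continuum the abstract mentions: rho = 0 is fresh independent noise on every response, rho = 1 is a fixed per-record perturbation, and values between are positively correlated noise.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    dept: str
    title: str
    salary: float


# Constructed sample table (hypothetical data, not taken from the article).
RECORDS = [
    Record("eng", "director", 185_000.0),   # the target: the only eng director
    Record("eng", "engineer", 120_000.0),
    Record("eng", "engineer", 118_000.0),
    Record("eng", "engineer", 131_000.0),
    Record("eng", "manager",  150_000.0),
    Record("eng", "manager",  147_000.0),
    Record("ops", "director", 170_000.0),
    Record("ops", "analyst",   95_000.0),
    Record("ops", "analyst",   92_000.0),
    Record("ops", "analyst",   98_000.0),
    Record("ops", "manager",  140_000.0),
    Record("ops", "manager",  138_000.0),
]


class StatisticalDB:
    """SUM-query server combining query restriction with additive noise.

    Query restriction: a query set S is answered only if k <= |S| <= n - k.
    Data masking: record i carries a noise term eps_i that is re-drawn before
    each answered query as a stationary AR(1) process with correlation rho
    (an assumed model): rho = 0 gives independent noise per response,
    rho = 1 a fixed per-record perturbation, 0 < rho < 1 correlated noise.
    """

    def __init__(self, records, k=3, rho=0.0, sigma=0.0, seed=0):
        self.records, self.k, self.rho, self.sigma = list(records), k, rho, sigma
        self.rng = random.Random(seed)
        self.eps = [self.rng.gauss(0.0, sigma) for _ in self.records]

    def query_set(self, predicate):
        return [i for i, r in enumerate(self.records) if predicate(r)]

    def allowed(self, predicate):
        size, n = len(self.query_set(predicate)), len(self.records)
        return self.k <= size <= n - self.k

    def _advance_noise(self):
        # eps_t = rho*eps_{t-1} + sqrt(1 - rho^2)*w_t keeps Var(eps_t) = sigma^2.
        innov = math.sqrt(1.0 - self.rho ** 2)
        self.eps = [self.rho * e + innov * self.rng.gauss(0.0, self.sigma)
                    for e in self.eps]

    def sum_query(self, predicate):
        if not self.allowed(predicate):
            raise PermissionError("query set size outside [k, n-k]")
        self._advance_noise()
        return sum(self.records[i].salary + self.eps[i]
                   for i in self.query_set(predicate))


def tracker_estimate(db, c1, c2):
    """Individual tracker attack. C1 AND C2 isolates the target (size 1, so it
    is refused), but C1 and the tracker T = C1 AND NOT C2 are both answerable,
    and SUM(C1) - SUM(T) = SUM(C1 AND C2) = the target's value."""
    return db.sum_query(c1) - db.sum_query(lambda r: c1(r) and not c2(r))


def averaged_estimate(db, c1, c2, m):
    """The snooper repeats the tracker attack m times and averages the results."""
    return sum(tracker_estimate(db, c1, c2) for _ in range(m)) / m


def is_eng(r):
    return r.dept == "eng"


def is_director(r):
    return r.title == "director"


TARGET_SALARY = RECORDS[0].salary


def error_of_averaged_attack(rho, sigma=5_000.0, m=400, seed=1):
    """Estimation error (estimate - true value) after m averaged tracker attacks."""
    db = StatisticalDB(RECORDS, k=3, rho=rho, sigma=sigma, seed=seed)
    return averaged_estimate(db, is_eng, is_director, m) - TARGET_SALARY


if __name__ == "__main__":
    clean = StatisticalDB(RECORDS, k=3)          # query restriction only
    print("direct query on the target allowed?",
          clean.allowed(lambda r: is_eng(r) and is_director(r)))
    print("tracker recovers exactly:", tracker_estimate(clean, is_eng, is_director))
    for rho in (0.0, 0.9, 1.0):
        print(f"rho={rho}: error after averaging {error_of_averaged_attack(rho):+.0f}")
```

Restriction alone is defeated exactly by the tracker, and independent noise alone (k = 1) is averaged away by repeating the single target query. Combined, the tracker must touch |C1| + |T| = 11 noisy records per estimate instead of one, so the snooper needs roughly eleven times as many repetitions for the same precision under rho = 0; under rho = 1 the per-record noise never changes, so the error is a fixed bias that repetition cannot remove; intermediate rho sits between these two cases.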