
Research on Privacy Protection Technologies in Trusted Databases

The Research of Privacy Protection Methodologies on the Trusted Database

[Author] 任毅 (Ren Yi)

[Supervisor] 彭智勇 (Peng Zhiyong)

[Author information] Wuhan University, Computer Software and Theory, 2011, PhD

[Abstract] With the development of the information society and people's growing attention to privacy, privacy databases have become one of the hot topics in both database research and data security research. Unlike secure databases, a privacy database must strike a balance between protecting privacy and using private data. While collecting, storing and managing the sensitive data of individual privacy owners, it must also control the use of that data according to the protection requirements specified by the owners. Privacy protection therefore depends heavily on the owners' privacy preferences, so there is no uniform set of protection rules, which poses a major challenge for current privacy database research. Building on existing privacy protection research, this dissertation studies the concept and models of privacy, privacy modeling methods, privacy protection languages and privacy protection methods. Specifically, it covers: a conceptual model and a logical model of privacy; a privacy modeling method based on the object deputy mechanism; the design and implementation of a privacy-preserving SQL language based on the EPAL specification; a privacy policy conflict detection mechanism for multi-owner privacy data; and privacy protection applications in a trusted database. The main contributions are as follows:

1. A database-oriented privacy model. Current privacy database research uses a privacy model based on relational views. That model captures only the semantic mapping between privacy and individual information; it does not consider the mutual influence between privacy and its environment. This dissertation proposes a privacy model for privacy databases that defines the operation mappings privacy protection must take into account. Based on this model, it proposes a privacy taxonomy and identifies a widespread but previously unstudied type of privacy: multi-owner privacy. It explains how this type of privacy arises and analyzes its protection requirements.

2. A privacy modeling method based on the object deputy mechanism. View-based privacy modeling accounts for the polymorphism and personalization of privacy, but not for its dynamic nature. Privacy is dynamic in that it evolves continually with its environment; this requires a privacy database to protect the evolution patterns and association algorithms among privacy items to a consistent degree, and to reconcile the privacy policies assigned by different owners. The view mechanism cannot easily satisfy these requirements. This dissertation proposes a privacy modeling method based on the object deputy mechanism. Built on the object deputy model, which combines the advantages of the relational and object-oriented models, the method abstracts the initial privacy object (called the minimal protection unit) as a basic object, models the owners' different privacy perspectives on that object as deputy objects of different categories and levels, and defines the new privacy patterns generated by different semantic privacy operations as different deputy classes of the privacy class. The resulting privacy objects can selectively release particular privacy attributes according to user needs, can be combined by further semantic privacy operations into new complex privacy objects, and automatically keep the different perspectives on the same privacy object consistent through update migration between objects and deputy objects, reducing the cost of privacy management. To address the deputy class explosion problem (the counterpart of the view explosion problem in relational privacy data models), a set of switching operations is introduced to extend the object deputy mechanism, and the extension is implemented in the object deputy database TOTEM.

3. Design and implementation of a privacy-preserving SQL language based on the EPAL specification. A basic assumption of current privacy database research is that privacy owners are able to specify their privacy requirements for each privacy item in detail. In practice this assumption does not hold, because the semantics and scenario information involved in defining a privacy policy are complex. Drawing on the EPAL specification and the SQL standard, this dissertation designs the architecture of a privacy-preserving SQL language, defines the semantics of its operations for application scenarios, and implements a privacy protection language with the simple syntax of SQL.

4. A privacy policy conflict detection mechanism for multi-owner privacy data. Current privacy database research assumes that the creator and the owner of a privacy item are the same individual. This dissertation finds that for multi-owner privacy the creator and the owners usually differ, that new owners are continually introduced as the data evolves, and that each owner brings new protection requirements. Using multi-owner privacy data must therefore satisfy both the common protection requirements of the application and the individual requirements of each owner. The dissertation focuses on conflicts among the privacy policies of multiple owners: it builds a graphical description of each owner's privacy concerns (called privacy constraints), proposes a method for deciding privacy constraints in a database, and proposes a multi-owner policy conflict detection method based on subgraph isomorphism that determines whether the protection requirements of all owners are mutually consistent. Through the bidirectional pointers between source objects and deputy objects in the object deputy model, the different content views of one multi-owner privacy item and the views produced as it evolves are linked together, so that the policies each owner defined on different views can be aggregated into one policy set. The method abstracts this policy set as a stratified policy graph, each policy as a directed edge in that graph, and each privacy constraint as a constraint subgraph; whether the privacy item can be used correctly is decided by checking whether the policy graph contains the constraint subgraph. The method has been implemented in the privacy protection module of the trusted database, and its effectiveness is validated both theoretically and experimentally.

5. Design and implementation of the privacy protection module in the trusted database. All the work in this dissertation is applied in the privacy protection module of the TOTEM-based trusted database system and used to protect multi-owner privacy carried in e-mail. Experiments show that the results effectively protect multi-owner privacy.

[Abstract] With the development of society and the growing emphasis on privacy, research on privacy databases has become one of the hotspots of database security. A privacy database provides protection mechanisms for the use of privacy data based on the privacy preferences defined by the privacy data providers. Compared with a security database, a privacy database should protect privacy data while still making it easy to use. Privacy data protection lacks a uniform protection formula because the protection of privacy data relies on the preferences of the privacy data owners. This dissertation studies protection methodologies for multi-owner privacy data and their implementation, including: the concept and taxonomy of multi-owner privacy data; a methodology for modeling multi-owner privacy data with the object deputy model; a privacy data protection language for the privacy database based on TOTEM; and a multi-owner privacy data protection policy detection mechanism. The research contents and innovations of this dissertation are summarized as follows:

1. The privacy concept and formal model for the Hippocratic database. Current research on privacy databases focuses on data that has a single, centralized owner. In fact, another kind of privacy data, which has multiple owners, exists extensively in daily life. This kind of data usually comes into being through the interactions of multiple individuals and expands during that process, so it must be treated much more carefully. The thesis describes this kind of data and its hierarchy, and reviews its privacy protection demands.

2. Methodology of modeling privacy by the object deputy mechanism. Multi-owner privacy data carries the protection demands of the single-owner data type, including polymorphism and individuation. It also places further demands on data evolution, on the protection of associated regulations, and on the correspondence of policies defined by multiple different owners. Single-owner privacy data modeling is based on the "view" mechanism of relational databases. This is a very straightforward method, but it cannot meet the demands of the multi-owner privacy data type. The thesis brings forward a multi-owner privacy data modeling method based on the object deputy mechanism, which has the merits of relational data models as well as those of object-oriented data models. In the multi-owner privacy data model, the basic objects are the initial privacy data, and the deputy objects are the different data versions designated by different data owners at different ratings. New data produced by semantic expansion is defined as deputy data too. This method can agilely define the attributes of any object based on the deputy mechanism, generate new data types from the relationships among individual basic objects, and maintain the coherence of different data versions through update transference between objects. To contain deputy class explosion, the switching manipulation is defined to extend the deputy mechanism. The thesis describes the implementation of these methods.

3. The privacy data protection language: design and implementation. Research on privacy databases rests on the basic hypothesis that a data provider can designate a particular privacy demand for every privacy data type. In fact, because of the complicated semantic scene, this hypothesis may not be satisfied. The thesis designs an architecture for a privacy data protection language with reference to the EPAL regulations and the SQL standard, and shows a demo of the privacy data protection language in the TOTEM database.

4. Multi-owner privacy policy conflict detection mechanism. In single-owner privacy protection, the data creator and the data owner are the same individual. For multi-owner data, however, the creator and the owners may be different. Furthermore, in the procedure of data evolution there will be new owners and new demands. The privacy protection mechanism should meet the demands of every individual and those of all individuals together. The thesis provides a privacy data protection policy detection mechanism based on subgraph isomorphism to detect collisions among different owners. The bi-directional pointers in the object deputy model can link all privacy policies defined by different owners for the privacy data and its different data versions and evolutionary versions. These policies form a policy set. Each policy in the set is abstracted as a directed edge, so the policy set can be abstracted as a stratified directed graph. Each policy constraint, which is defined by an owner to represent that owner's prohibited privacy data release pattern, is abstracted as a stratified directed subgraph. The thesis discusses how to analyze and model the policy constraints and proposes an algorithm to detect whether the stratified directed subgraph of a privacy constraint pattern is isomorphic to a subgraph of the stratified directed graph of the privacy policy set.

5. The design and implementation of the privacy data protection module in the trusted database. TOTEM, an object deputy database system, has privacy data protection modules. The methods discussed in the thesis are used in the trusted database system in the TOTEM environment, and the discussed privacy data protection mechanism is part of the protection module for e-mail. Experiments demonstrate the feasibility and validity of privacy data protection for multi-owner data.
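The conflict detection idea of contribution 4 (policies as directed edges of a stratified graph, an owner's constraint as a prohibited-release subgraph, a conflict when the constraint embeds in the policy graph) can be made concrete with a small matcher. The following is an added illustration written for this page, not code from the dissertation or from TOTEM. Everything about the representation is an assumption: three strata (`data`, `recipient`, `purpose`), a policy as the path data -> recipient -> purpose, and constraint nodes written `?x` as variables that may match any node of the same stratum. The e-mail policies and owner constraints are constructed sample input.

```python
"""Multi-owner privacy policy conflict detection by subgraph matching on a
stratified directed graph.

Added illustration, not the dissertation's or TOTEM's code.  Assumed model:
strata "data" -> "recipient" -> "purpose"; each release policy is one such
path; an owner's constraint is a prohibited release pattern over the same
strata whose '?'-prefixed nodes are variables.  If the pattern embeds into the
merged policy graph, that owner's requirement is violated: a conflict.
"""


class StratifiedGraph:
    """Directed graph in which every node belongs to exactly one stratum."""

    def __init__(self):
        self.stratum = {}   # node name -> stratum name
        self.edges = set()  # (source, target) pairs

    def add_node(self, node, stratum):
        existing = self.stratum.get(node)
        if existing is not None and existing != stratum:
            raise ValueError(f"{node!r} already belongs to stratum {existing!r}")
        self.stratum[node] = stratum

    def add_edge(self, src, dst):
        if src not in self.stratum or dst not in self.stratum:
            raise KeyError("both endpoints must be added as nodes first")
        self.edges.add((src, dst))


def policy_graph(policies):
    """Merge (data, recipient, purpose) policies from all owners into one graph.
    Paths that share a recipient node become linked, which is what lets a
    pattern spanning several data items be found."""
    g = StratifiedGraph()
    for data, recipient, purpose in policies:
        g.add_node(data, "data")
        g.add_node(recipient, "recipient")
        g.add_node(purpose, "purpose")
        g.add_edge(data, recipient)
        g.add_edge(recipient, purpose)
    return g


def constraint_graph(strata, edges):
    """Build an owner's prohibited pattern from an explicit node->stratum map
    and a list of directed edges."""
    g = StratifiedGraph()
    for node, stratum in strata.items():
        g.add_node(node, stratum)
    for src, dst in edges:
        g.add_edge(src, dst)
    return g


def find_embedding(pattern, graph):
    """Backtracking search for an injective mapping pattern -> graph that keeps
    strata and maps every pattern edge onto a graph edge.  Constant nodes must
    map to the graph node of the same name; '?x' nodes are free variables.
    Returns the mapping, or None when the pattern does not embed."""
    nodes = list(pattern.stratum)

    def candidates(node):
        stratum = pattern.stratum[node]
        if node.startswith("?"):
            return [n for n, s in graph.stratum.items() if s == stratum]
        return [node] if graph.stratum.get(node) == stratum else []

    def consistent(mapping):
        # every pattern edge whose endpoints are both mapped must exist in graph
        return all((mapping[a], mapping[b]) in graph.edges
                   for a, b in pattern.edges if a in mapping and b in mapping)

    def search(i, mapping):
        if i == len(nodes):
            return dict(mapping)
        node = nodes[i]
        for cand in candidates(node):
            if cand in mapping.values():
                continue  # injective: two pattern nodes never share a target
            mapping[node] = cand
            if consistent(mapping):
                found = search(i + 1, mapping)
                if found is not None:
                    return found
            del mapping[node]
        return None

    return search(0, {})


def detect_conflicts(policies, constraints):
    """Return {owner: embedding-or-None}; an embedding shows how the merged
    policy set realises that owner's prohibited pattern."""
    graph = policy_graph(policies)
    return {owner: find_embedding(constraint_graph(strata, edges), graph)
            for owner, (strata, edges) in constraints.items()}


# Constructed sample: release policies aggregated for one e-mail thread.
POLICIES = [
    ("body", "analytics", "spam_filtering"),
    ("sender_addr", "marketing", "advertising"),
    ("body", "marketing", "advertising"),
]

# Constructed owner constraints (prohibited release patterns).
CONSTRAINTS = {
    # Bob: the body must never reach any recipient for advertising
    "Bob": ({"body": "data", "?r": "recipient", "advertising": "purpose"},
            [("body", "?r"), ("?r", "advertising")]),
    # Alice: the sender address must never go to "legal" for any purpose
    "Alice": ({"sender_addr": "data", "legal": "recipient", "?p": "purpose"},
              [("sender_addr", "legal"), ("legal", "?p")]),
    # Carol: body and sender address must not both reach the same recipient
    "Carol": ({"body": "data", "sender_addr": "data", "?r": "recipient"},
              [("body", "?r"), ("sender_addr", "?r")]),
}

if __name__ == "__main__":
    for owner, embedding in detect_conflicts(POLICIES, CONSTRAINTS).items():
        print(owner, "CONFLICT" if embedding else "ok", embedding or "")
```

Running it reports Bob's and Carol's constraints as conflicts (both realised through the `marketing` recipient) and Alice's as satisfied, since no policy releases anything to `legal`. The returned mapping doubles as the explanation an administrator would want: it names the concrete recipient and purpose through which a prohibited pattern is reachable, so the offending policy can be located rather than just flagged.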

  • [Online publication submitter] Wuhan University
  • [Online publication year/issue] 2012, No. 07