sql-guessing-advantage-analyser
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
sql-guessing-advantage-analyser [2019/09/26 14:24] alisa [Quick guide] |
sql-guessing-advantage-analyser [2020/04/15 17:54] pullonen [Quick guide] |
||
|---|---|---|---|
| Line 18: | Line 18: | ||
| === Table constraints === | === Table constraints === | ||
| - | The syntax for table constraints is the same as for [[sql-derivative-sensitivity-analyser|combined sensitivity analyser]]. | + | The syntax for table constraints is similar to [[sql-derivative-sensitivity-analyser|combined sensitivity analyser]], with some extensions. The keyword ''exact'' states that the attacker already knows some attribute precisely, and ''total'' says how many elements there can be, without specifying their values. More options can be found in [[sql-derivative-sensitivity-analyser_advanced|analyser advanced settings]]. |
| + | |||
| + | <code> | ||
| + | table_1.attr_1 exact; --attacker knows the exact value | ||
| + | table_2.attr_2 total int; --there are n possible values | ||
| + | table_3.attr_3 set v1 ... vn; --there are values {v1 ... vn} | ||
| + | table_4.attr_4 range lb ub; --the values come from range [lb,ub) | ||
| + | </code> | ||
| === Attacker goal === | === Attacker goal === | ||
| - | Attacker goal is given in form of an SQL guery. It defines a set of sensitive components, which the attacker is trying to guess. For each sensitive attribute, the guess can either be ''exact'' (discrete attributes), or ''approx r'' (approximated by r > 0 units). It is possible to combine several attributes into a vector and define approximation w.r.t. some l_p-norm as ''approxWrtLp(p)'' and ''approxWrtLinf''. The guesses can be combined into an expression using AND and OR operation, describing the case where leakage is considered successful. The filter ''WHERE condition'' describes which rows of the considered tables are treated as sensitive. The delimiter '';'' finishes the description of the attacker goal. | ||
| + | Attacker goal is given in form of an SQL guery. It defines a set of sensitive components, which the attacker is trying to guess. Even if the attacker cannot guess the location precisely, it can still be bad even if he guesses the location precisely enough, so we need to introduce approximation. For each sensitive attribute, the guess can either be ''exact'' (discrete attributes), or ''approx r'' (approximated by r > 0 units). The delimiter '';'' finishes the description of the attacker goal. | ||
| <code> | <code> | ||
| SELECT | SELECT | ||
| - | (t.x, t.y) approxWrt(5) AND | + | t.x approx 5 AND |
| - | t.z exact | + | t.y approx 5 |
| - | FROM t | + | FROM t; |
| - | WHERE t.b; | + | |
| </code> | </code> | ||
| - | In this example, the attacker wins iff he guesses //both// ''t.z'' exactly and ''(t.x,t.y)'' within 5-unit precision w.r.t. l_2-norm of any row of the table ''t'' where ''t.b'' holds. The definition of "unit" depends on the data table, e.g. if the location was defined in miles, then a unit is also a mile. | + | In this example, the attacker wins iff he guesses both ''t.x'' and ''t.y'' within 5-unit precision. The definition of "unit" depends on the data table, e.g. if the location was defined in miles, then a unit is also a mile. |
| - | If we want to express that the attacker wins if he guesses //either// ''t.z'' or ''(t.x,t.y)'', we replace AND operation with OR. | + | Additional syntax for specifying attacker goal can be found in [[sql-derivative-sensitivity-analyser_advanced|analyser advanced settings]]. |
| === Running analysis === | === Running analysis === | ||
| - | Click on //Run analysis// button to run analysis. The analyser internally converts these values to a suitable ε for differential privacy, and computes the noise required to achieve the bound on attacker’s advantage. The results (entitled //Analysis results//) appear in the sidebar as well. The result consists of the following components. | + | Select the tasks that should be considered for the analysis (E.g. all the data processing tasks up to the computations of the value that the adversary uses for the guess). You should run the propagation if the part of the workflow that is analyzed does not start from the input objects of the process. |
| + | |||
| + | Click on //Run analysis// button to run analysis. The analyser internally converts these values to a suitable ε for differential privacy, and computes the noise required to achieve the bound on attacker’s advantage. The results (entitled //Analysis results//) appear in the sidebar as well. The result consists of the following components, which are the same as for [[sql-derivative-sensitivity-analyser|combined sensitivity analyser]]. | ||
| * **actual outputs y** are the true outputs of the query, without noise. | * **actual outputs y** are the true outputs of the query, without noise. | ||
| Line 41: | Line 49: | ||
| * **p%-realtive error |a|/|y|** is the quotient of the additive noise and the query output. If there are several outputs, it is the quotient of corresponding vector norms. | * **p%-realtive error |a|/|y|** is the quotient of the additive noise and the query output. If there are several outputs, it is the quotient of corresponding vector norms. | ||
| - | To see more precise values of prior and posterior guessing probabities, click //View more//. This can be useful for choosing appropriate value on the guessing advantage slider. For example, if the prior guessing probability was already 75%, then any value above 25% makes no sense since it would mean that the attacker is allowed to learn everything. Clicking //View more// also provides more information about how the noise should actually be generated, and it does it for Cauchy and Laplace noise distributions. | + | To see more precise values of prior and posterior guessing probabilities, click //View more//. This can be useful for choosing appropriate value on the guessing advantage slider. For example, if the prior guessing probability was already 75%, then any value above 25% makes no sense since it would mean that the attacker is allowed to learn everything. Clicking //View more// also provides more information about how the noise should actually be generated, and it does it for Cauchy and Laplace noise distributions. |
| ===== Source code ===== | ===== Source code ===== | ||
| The source code of SQL guessing advantage editor is available at [[https://github.com/pleak-tools/pleak-guessing-advantage-editor|pleak-sql-guessing-advantage-editor]] and the source code of SQL sensitivity analysis tools at [[https://github.com/pleak-tools/pleak-sql-analysis|pleak-sql-analysis]] repositories. Installation details can be found at [[sql-derivative-sensitivity-analyser_install|analyser installation guide]]. | The source code of SQL guessing advantage editor is available at [[https://github.com/pleak-tools/pleak-guessing-advantage-editor|pleak-sql-guessing-advantage-editor]] and the source code of SQL sensitivity analysis tools at [[https://github.com/pleak-tools/pleak-sql-analysis|pleak-sql-analysis]] repositories. Installation details can be found at [[sql-derivative-sensitivity-analyser_install|analyser installation guide]]. | ||
sql-guessing-advantage-analyser.txt · Last modified: 2021/06/14 11:46 by alisa
Page Tools
