Inference attack

An inference attack is a data mining technique performed by analyzing data in order to illegitimately gain knowledge about a subject or database. [1] A subject's sensitive information can be considered leaked if an adversary can infer its real value with high confidence. [2] This is an example of breached information security. An inference attack occurs when a user is able to infer from trivial information more robust information about a database without directly accessing it. [3] The object of inference attacks is to piece together information at one security level to determine a fact that should be protected at a higher security level. [4]

While inference attacks were originally discovered as a threat in statistical databases, [5] today they also pose a major privacy threat in the domain of mobile and IoT sensor data. Data from accelerometers, which can be accessed by third-party apps without user permission in many mobile devices, [6] has been used to infer rich information about users based on the recorded motion patterns (e.g., driving behavior, level of intoxication, age, gender, touchscreen inputs, geographic location). [7] Highly sensitive inferences can also be derived, for example, from eye tracking data, [8] [9] smart meter data [10] [11] and voice recordings (e.g., smart speaker voice commands). [12]
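The statistical-database case described above, as an added example that is not part of the original article: two aggregate queries that are each permitted under a minimum query-set size still reveal one protected value when combined, and a simple pairwise audit refuses the second query. The table, the `MIN_SET` policy value and all function and class names are constructed for illustration.

```python
# Constructed sample table: (name, dept, salary). Salary is the protected
# value; only SUM(salary) over at least MIN_SET rows may be released.
ROWS = [
    ("alice", "eng", 120), ("bob", "eng", 100), ("carol", "eng", 110),
    ("dan", "eng", 105), ("erin", "ops", 95), ("frank", "ops", 85),
    ("grace", "ops", 90),
]
MIN_SET = 3  # hypothetical policy value for the minimum query-set size


def query_set(predicate):
    """Row indices matched by a predicate (the 'query set')."""
    return frozenset(i for i, row in enumerate(ROWS) if predicate(row))


def salary_sum(qset):
    return sum(ROWS[i][2] for i in qset)


def size_only_release(qset):
    """Weak control: checks each query in isolation."""
    return salary_sum(qset) if len(qset) >= MIN_SET else None


class AuditedRelease:
    """Also refuses a query whose set differs from an earlier answered set
    by fewer than MIN_SET rows. Simplified: compares pairs of queries only."""

    def __init__(self):
        self.answered = []

    def release(self, qset):
        if len(qset) < MIN_SET:
            return None
        if any(0 < len(qset ^ prev) < MIN_SET for prev in self.answered):
            return None  # the difference would isolate a small group
        self.answered.append(qset)
        return salary_sum(qset)


def demo():
    eng = query_set(lambda r: r[1] == "eng")
    eng_minus_one = query_set(lambda r: r[1] == "eng" and r[0] != "alice")
    # Both aggregates pass the size check, yet their difference is one row.
    leaked = size_only_release(eng) - size_only_release(eng_minus_one)
    audited = AuditedRelease()
    first, second = audited.release(eng), audited.release(eng_minus_one)
    return leaked, first, second
```

The pairwise audit only illustrates why per-query checks are insufficient; it does not cover inferences built from three or more queries.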

Related Research Articles

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

Accelerometer: Device that measures proper acceleration

An accelerometer is a device that measures the proper acceleration of an object. Proper acceleration is the acceleration of the object relative to an observer who is in free fall. Proper acceleration is different from coordinate acceleration, which is acceleration with respect to a given coordinate system, which may or may not be accelerating. For example, an accelerometer at rest on the surface of the Earth will measure an acceleration due to Earth's gravity straight upwards of about g ≈ 9.81 m/s². By contrast, an accelerometer that is in free fall will measure zero acceleration.

A voice-user interface (VUI) enables spoken human interaction with computers, using speech recognition to understand spoken commands and answer questions, and typically text to speech to play a reply. A voice command device is a device controlled with a voice user interface.

Internet of things (IoT) describes devices with sensors, processing ability, software and other technologies that connect and exchange data with other devices and systems over the Internet or other communication networks. The Internet of things encompasses electronics, communication, and computer science engineering. "Internet of things" has been considered a misnomer because devices do not need to be connected to the public internet; they only need to be connected to a network and be individually addressable.

Activity recognition aims to recognize the actions and goals of one or more agents from a series of observations on the agents' actions and the environmental conditions. Since the 1980s, this research field has captured the attention of several computer science communities due to its strength in providing personalized support for many different applications and its connection to many different fields of study such as medicine, human-computer interaction, or sociology.

Virtual assistant: Software agent

A virtual assistant (VA) is a software agent that can perform a range of tasks or services for a user based on user input such as commands or questions, including verbal ones. Such technologies often incorporate chatbot capabilities to simulate human conversation, such as via online chat, to facilitate interaction with their users. The interaction may be via text, graphical interface, or voice - as some virtual assistants are able to interpret human speech and respond via synthesized voices.

Urban computing is an interdisciplinary field which pertains to the study and application of computing technology in urban areas. This involves the application of wireless networks, sensors, computational power, and data to improve the quality of densely populated areas. Urban computing is the technological framework for smart cities.

ProVerif is a software tool for automated reasoning about the security properties of cryptographic protocols. The tool has been developed by Bruno Blanchet and others.

Value sensitive design (VSD) is a theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner. VSD originated within the field of information systems design and human-computer interaction to address design issues within the fields by emphasizing the ethical values of direct and indirect stakeholders. It was developed by Batya Friedman and Peter Kahn at the University of Washington starting in the late 1980s and early 1990s. Later, in 2019, Batya Friedman and David Hendry wrote a book on this topic called "Value Sensitive Design: Shaping Technology with Moral Imagination". Value Sensitive Design takes human values into account in a well-defined manner throughout the whole process. Designs are developed using an investigation consisting of three phases: conceptual, empirical and technological. These investigations are intended to be iterative, allowing the designer to modify the design continuously.

Implicit authentication (IA) is a technique that allows a smart device to recognize its owner by becoming acquainted with the owner's behaviors. It uses machine learning algorithms to learn user behavior through various sensors on the smart device and thereby identify the user. Most current authentication techniques, e.g., password, pattern lock, fingerprint and iris recognition, are explicit authentication, which requires user input. Compared with explicit authentication, IA is transparent to users during usage, and it significantly increases usability by reducing the time users spend on login, which users find more annoying than a lack of cellular coverage.

Crowdsensing, sometimes referred to as mobile crowdsensing, is a technique where a large group of individuals having mobile devices capable of sensing and computing collectively share data and extract information to measure, map, analyze, estimate or infer (predict) any processes of common interest. In short, this means crowdsourcing of sensor data from mobile devices.

The International Conference on Information Systems Security and Privacy (ICISSP) aims to create a meeting point for practitioners and researchers interested in security and privacy challenges that concern information systems covering technological and social issues.

Network eavesdropping, also known as eavesdropping attack, sniffing attack, or snooping attack, is a method that retrieves user information through the internet. This attack happens on electronic devices like computers and smartphones. This network attack typically happens under the usage of unsecured networks, such as public Wi-Fi connections or shared electronic devices. Eavesdropping attacks through the network are considered one of the most urgent threats in industries that rely on collecting and storing data. Internet users use eavesdropping via the Internet to improve information security.

Permissions are a means of controlling and regulating access to specific system- and device-level functions by software. Typically, types of permissions cover functions that may have privacy implications, such as the ability to access a device's hardware features, and personal data. Permissions are typically declared in an application's manifest, and certain permissions must be specifically granted at runtime by the user—who may revoke the permission at any time.

Pulse watch: Electronic devices

A pulse watch, also known as a pulsometer or pulsograph, is an individual monitoring and measuring device with the ability to measure heart or pulse rate. Detection can occur in real time or can be saved and stored for later review. The pulse watch measures electrocardiography data while the user is performing tasks, whether it be simple daily tasks or intense physical activity. The pulse watch functions without the use of wires and multiple sensors. This makes it useful in health and medical settings where wires and sensors may be an inconvenience. Use of the device is also common in sport and exercise environments where individuals are required to measure and monitor their biometric data.

Soft privacy technologies fall under the category of PETs, Privacy-enhancing technologies, as methods of protecting data. Soft privacy is a counterpart to another subcategory of PETs, called hard privacy. Soft privacy technology has the goal of keeping information safe, allowing services to process data while having full control of how data is being used. To accomplish this, soft privacy emphasizes the use of third-party programs to protect privacy, emphasizing auditing, certification, consent, access control, encryption, and differential privacy. Since evolving technologies like the internet, machine learning, and big data are being applied to many long-standing fields, we now need to process billions of datapoints every day in areas such as health care, autonomous cars, smart cards, social media, and more. Many of these fields rely on soft privacy technologies when they handle data.

Nina Vankova Nikolova is a Bulgarian climatologist, and a professor at Sofia University.

IoT forensics: Branch of digital forensics

IoT forensics, or IoT forensic science, is a branch of digital forensics that deals with the use of any digital forensics processes and procedures relating to the recovery of digital evidence which originates from one or more IoT devices for the purpose of preservation, identification, extraction or documentation of digital evidence with the intention of reconstructing IoT-related events. These events may reside across one or more configurable computing resources that are within close proximity to the location where the event has taken place.

Usable security is a subfield of computer science, human-computer interaction, and cybersecurity concerned with the user interface design of cybersecurity systems. In particular, usable security focuses on ensuring that the security implications of interacting with computer systems, such as via alert dialog boxes, are accessible and understandable to human users. This differs from the software engineering method of secure by design in that it emphasizes human aspects of cybersecurity rather than the technical. Usable security also sits opposite the idea of security through obscurity by working to ensure that users are aware of the security implications of their decisions.

Keystroke inference attacks are a class of privacy-invasive techniques that allow attackers to infer what a user is typing on a keyboard.

References

  1. "Inference Attacks on Location Tracks" by John Krumm
  2. "Protecting Individual Information Against Inference Attacks in Data Publishing" by Chen Li, Houtan Shirani-Mehr, and Xiaochun Yang. http://www.ics.uci.edu/~chenli/pub/2007-dasfaa.pdf
  3. "Detecting Inference Attacks Using Association Rules" by Sangeetha Raman, 2001
  4. "Database Security Issues: Inference" by Mike Chapple. Archived from the original on 2007-10-13. Retrieved 2007-10-23.
  5. V. P. Lane (8 November 1985). Security of Computer Based Information Systems. Macmillan International Higher Education. pp. 11–. ISBN 978-1-349-18011-0.
  6. Bai, Xiaolong; Yin, Jie; Wang, Yu-Ping (2017). "Sensor Guardian: prevent privacy inference on Android sensors". EURASIP Journal on Information Security. 2017 (1). doi:10.1186/s13635-017-0061-8. ISSN 2510-523X.
  7. Kröger, Jacob Leon; Raschke, Philip (January 2019). "Privacy implications of accelerometer data: a review of possible inferences". Proceedings of the International Conference on Cryptography, Security and Privacy. ACM, New York. pp. 81–87. doi:10.1145/3309074.3309076.
  8. Liebling, Daniel J.; Preibusch, Sören (2014). "Privacy considerations for a pervasive eye tracking world". Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing: Adjunct Publication. pp. 1169–1177. doi:10.1145/2638728.2641688. ISBN 9781450330473. S2CID 3663921.
  9. Kröger, Jacob Leon; Lutz, Otto Hans-Martin; Müller, Florian (2020). "What Does Your Gaze Reveal About You? On the Privacy Implications of Eye Tracking". Privacy and Identity Management. Data for Better Living: AI and Privacy. IFIP Advances in Information and Communication Technology. Vol. 576. pp. 226–241. doi:10.1007/978-3-030-42504-3_15. ISBN 978-3-030-42503-6. ISSN 1868-4238.
  10. Clement, Jana; Ploennigs, Joern; Kabitzsch, Klaus (2014). "Detecting Activities of Daily Living with Smart Meters". Ambient Assisted Living. Advanced Technologies and Societal Change. pp. 143–160. doi:10.1007/978-3-642-37988-8_10. ISBN 978-3-642-37987-1. ISSN 2191-6853.
  11. Sankar, Lalitha; Rajagopalan, S.R.; Mohajer, Soheil; Poor, H.V. (2013). "Smart Meter Privacy: A Theoretical Framework". IEEE Transactions on Smart Grid. 4 (2): 837–846. doi:10.1109/TSG.2012.2211046. ISSN 1949-3053. S2CID 13471323.
  12. Kröger, Jacob Leon; Lutz, Otto Hans-Martin; Raschke, Philip (2020). "Privacy Implications of Voice and Speech Analysis – Information Disclosure by Inference". Privacy and Identity Management. Data for Better Living: AI and Privacy. IFIP Advances in Information and Communication Technology. Vol. 576. pp. 242–258. doi:10.1007/978-3-030-42504-3_16. ISBN 978-3-030-42503-6. ISSN 1868-4238.