
Human-Enhanced Database Security

As databases become more and more omnipresent, the ability to protect the data residing therein from unauthorized access is becoming dramatically more important. Protection of data in databases has huge implications: companies that fail to protect the personal data of their employees and clients face potentially expensive lawsuits. The implications of identity theft for national security remain a largely unexplored area as well.

The UMD team has made pioneering advances in two fields. We developed one of the first and best known authorization languages for databases. In this framework, a database manager writes an authorization specification which answers the following questions: What data objects are to be protected? From whom should the data be protected? Under what conditions can the data be released? What should be done if an unauthorized attempt to access the data is made? Our second major contribution is that of inferential security. Inferential security attempts to understand how users can infer secret information by asking one or more queries to extract open (non-secret) information and then using common-sense inference to infer secret information. We have developed a suite of methods to prevent such inferences from being made.
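The inference problem described above, as an added example that is not code from CHESS or the UMD team: a small query-history monitor that refuses a query when the columns already released to a user, plus the new ones, would complete a known inference channel, and records an alert for the security officer. The channel policy, column names, user names and query log are constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: each channel lists open (non-secret) column sets that,
# once ALL have been released to the same user, can be joined by that user
# to infer the named secret association.
CHANNELS = {
    "employee salary": [frozenset({"name", "rank"}), frozenset({"rank", "salary"})],
    "patient diagnosis": [frozenset({"name", "ward"}), frozenset({"ward", "diagnosis"})],
}

class InferenceMonitor:
    def __init__(self, channels):
        self.channels = channels
        self.released = defaultdict(set)  # user -> column sets already released
        self.alerts = []                  # (user, secret) pairs for the officer

    @staticmethod
    def _covered(views, part):
        # A channel part is covered if one released view contains all its columns.
        return any(part <= view for view in views)

    def request(self, user, columns):
        """Return True if the query may be answered, False if it is refused."""
        cols = frozenset(columns)
        would_have = self.released[user] | {cols}
        for secret, parts in self.channels.items():
            if all(self._covered(would_have, p) for p in parts):
                self.alerts.append((user, secret))  # refuse and flag for review
                return False
        self.released[user].add(cols)               # history only grows on release
        return True

def replay(log, channels=CHANNELS):
    """Run a constructed query log through a fresh monitor."""
    monitor = InferenceMonitor(channels)
    decisions = [monitor.request(user, cols) for user, cols in log]
    return decisions, monitor.alerts

# Constructed query log: (user, columns requested).
SAMPLE_LOG = [
    ("alice", ["name", "rank"]),
    ("bob", ["rank", "salary"]),
    ("alice", ["rank", "salary"]),  # completes alice's "employee salary" channel
    ("alice", ["name", "ward"]),    # unrelated channel, still open
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

The monitor tracks history per user only, so two users who pool their answers are outside what it detects.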

The Human Enhanced Database Security component of CHESS will attempt to answer the following questions: How can we mine a large collection of attempts to access data collaboratively with a human security manager so as to identify inference patterns that a user might be trying to make, so that we can best guard against them? How can this mining be guided by a human security officer so that the accuracy of the mining process is substantially enhanced without placing an onerous load on the database security officer? How can authorization methods be changed (offline or online) so that perceived attacks can be nullified? Answers to these and other related questions will be critical in enforcing the security of databases that now contain information about most US citizens.




© 2004 Center for Human Enhanced Secure Systems
All rights reserved.