Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Anonymizing Location-based data Jarmanjit Singh Jar_sing(at)encs.concordia.ca Qing Shi q_shi(at)encs.concordia.ca Harpreet Sandhu h_san(at)encs.concordia.ca Benjamin Fung fung(at)ciise.concordia.ca Concordia Institute for Information Systems Engineering Concordia University Montreal, Quebec Canada H3G 1M8 C3S2E-2009 The research is supported in part by the Discovery Grants (356065-2008) from Natural Sciences and Engineering Research Council of Canada (NSERC). Overview RFID basics RFID data publishing Problem statement Proposed algorithms Evaluation Conclusion 1 RFID basics Tag Radio frequency identification Uses radio frequency (RF) to identify (ID) objects. Wireless technology That allows a sensor (reader) to read, from a distance, and without line of sight, a unique electronic product code (EPC) associated with a tag. Reader 2 Data flow in RFID system This is where we use anonymiziation algorithms to preserve the privacy of data to be published. 3 Motivating example For example, Alice has used her RFID-based credit card at: Grocery store, Dental clinic, Shopping mall, Beer bar, Casino, AIDs clinic etc. Assume that Eve has seen Alice using her card at grocery store and shopping mall. However, RFIDcompany Company publish data And while therekeeping is only How can theif RFID safeguard theitsdata privacy one record containing groceryRFID store shopping mall. the released dataand useful? Then Eve can immediately infer that this record belongs to Alice and can also learn other locations visited by her. 4 RFID database Person-Specific Path Table Path <EPC#; loc; time> <EPC1; a; t1> <EPC2; b; t1> <EPC3; c; t2> <EPC2; d; t2> <EPC1; e; t2> <EPC3; e; t4> <EPC1; c; t3> <EPC2; f; t3> <EPC1; g; t4> EPC1 < a1 e2 c3 g4 > EPC2 < b1 d2 f3 > EPC3 < c2 e4 > <(loc1t1) … (locntn)> where, (lociti) is a pair indicating the location and time (called transaction), <(loc1t1) … (locntn)> is a path (called record) RFID database 5 Attacker knowledge If there is only record containing e4 and c7 then attacker can easily Attacker knowledge: Suppose the adversary knows that infer that this Alice, record Alice also learn other the target victim, hasbelongs visited eto and c at and timecan 4 and locations visited by Alice 7, respectively. 6 Problem statement We model attacker knowledge by I. Attacker can learn maximum of I transactions within any record. Knowledge is constrained by “effort” required to learn. We transform person-specific path database D to (k,I)-anonymized database D’. Such that, no attacker having prior knowledge of m transactions of a record r Є D and m ≤ I, can use his knowledge to identify less than k records from D’. 7 Problem statement cont. Assume, Attacker knowledge I=2 and, K value = 3 <e4c7>, r = 31 s = <d2f6>, • A table T satisfies (K,I)-anonymity if and only if r ≥ K for any subsequence s with |s| ≤ I of any path in T, where r is the number of records containing s and K is an anonymity threshold. 8 This is easy said but how to transform database D to version D’ that is immunized against re-identification attacks ? 9 Proposed method: Three steps Pre-suppression Firstly, we scan D to find items support < K. And, delete them from D to get Dpre. Generate subsets of size-i We generate subsets of size-I from Dpre. And, make additional scan to count their support. Add dummy records We make infrequent subsets to be frequent by using IF-anonymity algorithm. 10 Generate subsets of size-i Subset generation Increasing lexicographical order, means we do not consider the reverse combinations of transactions within a record. The size of subsets generated should not exceed I. Suppose, I=2 {a1, d2}, {a1, b3}, {a1, e4}, {a1, f6}, {a1, c7}, {d2, b3}, {d2, {b3,{d2, e4},f6}, {b3,{d2, f6},c7}, {b3,{b3, e8},e4}, {e4,{b3, f6}, f6}, {e4,{b3, e8},c7}, {f6, {e4, e8} f6}, e4}, {e4, c7}, {f6, c7} Do this for all records!! 11 Count support Count support for each subset. Identify frequent and infrequent subsets. Frequent subsets Infrequent subsets These subsets have support value < K value. We need to add dummy records to make them (K,I) anonymous These subsets have support value ≥ K value. 12 Pre-suppression: Example Suppose, k=3 Infrequent Infrequent subsets subsets Subsets containing ‘a1’ 14 What is dummy record? Dummy records are fake records inserted in a database In order to make infrequent subsets meet support value. Some properties of adding dummy record: Property 1: Length of dummy record should not exceed the maximum length. Property 2: The transactions within dummy record should have reasonable time difference. 15 Process to add dummy record Construct tree out of infrequent subsets. Two properties: Null e4: 3 b6: 2 d2: 1 Reasonable time difference. Length of dummy record. b6: 1 c7: 2 g9: 1 e4: 1 a5: 1 we can get the minimum reasonable time difference between any two locations either by learning from D or by using geographical databases 16 Divide tree if time conflict Rule 1: Let β is the set of nodes at level 1 of tree And ‘n’ be the node at which tree need to be divided. Let γ be the set of children nodes of ‘n’. If there exists an intersection α between β and γ, β ∩ γ = α ≠ ф. Let δ be the set of children nodes of α. And intersection |δ ∩ γ| ≥ |δ| / 2. We separate ‘n’ and α along with their children nodes (γ and δ respectively) from original tree to construct different tree. 17 Divide tree if large Count the number of nodes in each tree except null. If any tree has nodes more than threshold. Divide tree again by taking ratio: Let X be the number of nodes in tree and X > λ Ratio: X / λ . 18 Divide tree Cont.. Rule2: suppose number of nodes at level-1 of tree are |1x|. And ratio: X / λ ≥ |1x| We divide tree for each node at level-1 and we compute ratio again for each tree. And if ratio: X / λ < |1x| We divide tree at level-1 by combining nodes (at level-1) having more intersecting children’s in one tree. 19 Add dummy After having each tree satisfying X ≈ λ. We can write dummy record by following rule 3. Rule 3: let Xj be the set of nodes at level-i (initially i =1) And Xj+1 be the set of nodes at level-(i+1), ....., Xm be the set of nodes at level-m. All sets have their values in ascending order by time. We get dummy record by taking Union of (X1, X2 , .., Xm). 20 Recount support Dummy will also generate some subsets for which we do not know the support. For ex, {a, b} , {b, c} are infrequent subsets and we added dummy a b c. To make the frequent but there is also one new subset {a, c} for which we don’t know the support value. So, we generate subsets of size-I from dummies and count support for each. We repeat IF-anonymity algorithm for new infrequent subsets. Process stops when there is no infrequent subset. 21 22 Experimental evaluation: Distortion vs. Dimensions 23 Distortion vs. Attacker knowledge 24 Distortion vs. Number of record 26 Conclusion Privacy in publishing high dimensional data has become an important issue. We illustrate the treat of re-identification attack caused by publishing RFID data. In this paper, we have proposed an efficient scheme to (K,I)-anonymize high dimensional data. 27 References • • • • • • • • A. R. Beresford and F. Stajano. Location privacy in pervasive computing. IEEE Pervasive Computing, 2003. L. Sweeney. Achieving k-Anonymity Privacy Protection Using Generalization and Suppression. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 2002. R. J. Bayardo and R. Agrawal. Data Privacy through Optimal k-Anonymization. In IEEE ICDE, pages 217–228, 2005. K. LeFevre, D. J. DeWitt, and R. Ramakrishnan. Incognito: Efficient Full-domain kAnonymity. In ACM SIGMOD, pages 49–60, 2005. K. LeFevre, D. J. DeWitt, and R. Ramakrishnan. Mondrian Multidimensional kAnonymity. In IEEE ICDE, 2006. C. C. Aggarwal and P. S. Yu. A Condensation Based approach to Privacy Preserving Data Mining. In EDBT, pages 183-199, 2004. L. Sweeney. k-Anonymity: A Model for Protecting Privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, vol. 10, no. 5, pages 557– 570, 2002. A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubramaniam. l-Diversity: Privacy beyond k-Anonymity. In IEEE ICDE, 2006. 28 References cont. • • • • • • • C. C. Aggarwal. On k-Anonymity and the Curse of Dimensionality. In VLDB, pages 901–909, 2005. J. Xu, W. Wang, J. Pei, X. Wang, B. Shi, and A. Fu, Utility-Based anonymization Using Local Recoding. In ACM SIGKDD, 2006. X. Xiao and Y. Tao. Anatomy: Simple and Effective Privacy Preservation. In VLDB, 2006. Y. Xu, B. C. M. Fung, K. Wang, A. W. C. Fu, and J. Pei. Publishing sensitive transactions for itemset utility. In IEEE ICDM, pages 1109-1114, December 2008. G. Ghinita, Y. Tao, P. Kalnis. On the anonymization of sparse high-dimensional data. In IEEE ICDE, 2008. M. Terrovitis, N. Mamoulis and P. Kalnis. Anonymity in unstructured data. Technical Report, Hong Kong University, 2008. J. Han and M. Kamber. Data mining: Concepts and Techniques. The Morgan Kaufmann series in Data Management Systems, Jim Gray, Series Editor Morgan Kaufmann Publishers, March 2006. ISBN 1-55860-901-6 29 References cont. • • • • • • • • B. C. M. Fung, K. Wang, R. Chen, and P. S. Yu. Privacy-preserving data publishing: a survey on recent developments. ACM Computing Surveys, 2010. B. C. M. Fung, K. Wang, L. Wang, and P. C. K. Hung. Privacy-preserving data publishing for cluster analysis. Data & Knowledge Engineering, 2009. N. Mohammed, B. C. M. Fung, P. C. K. Hung, and C. K. Lee. Anonymizing healthcare data: a case study on the Red Cross. In ACM SIGKDD, June 2009. B. C. M. Fung, K. Wang, and P. S. Yu. Anonymizing classification data for privacy preservation. IEEE (TKDE), 19(5):711-725, May 2007. K. Wang, B. C. M. Fung, and P. S. Yu. Handicapping attacker's confidence: an alternative to k-anonymization. Knowledge and Information Systems (KAIS), 11(3):345-368, April 2007. Springer-Verlag. B. C. M. Fung, K. Wang, A. W. C. Fu, and J. Pei. Anonymity for continuous data publishing. In EDBT, pages 264-275, March 2008. K. Wang and B. C. M. Fung. Anonymizing sequential releases. In ACM SIGKDD, pages 414-423, August 2006. DOI= http://www.cs.sfu.ca/~wangk/pub/WF06kdd.pdf B. C. M. Fung, K. Wang, and P. S. Yu. Top-down specialization for information and privacy preservation. In IEEE ICDE, pages 205-216, April 2005. 30 Thank you ? 32