Preserving Privacy in GPS Traces via Uncertainty
Virtual Trip Lines for Distributed Privacy-Preserving Traffic Monitoring
Baik Hoh et al.
MobiSys '08
Slides based on Dr. Hoh's MobiSys presentation
Collaborative Traffic Monitoring using Cellphone-based Probe Vehicles
(Architecture diagram: Probe Vehicles report via Satellite and Cellular Service Provider to a Location Proxy that performs Anonymization and Access Control; the proxy feeds Traffic Estimation and Data mining and logging.)
Vehicle ID | timestamp            | Lon      | Lat     | Speed | Heading
-----------|----------------------|----------|---------|-------|--------
254        | 18-oct-2006 10:11:12 | -85.3452 | 42.4928 | 42.18 | 135
372        | 18-oct-2006 10:11:12 | -85.3427 | 42.4898 | 63.72 | 100
182        | 18-oct-2006 10:11:12 | -85.4092 | 42.4726 | 50.15 | 75
254        | 18-oct-2006 10:12:12 | -85.3462 | 42.4998 | 45.18 | 135
372        | 18-oct-2006 10:12:12 | -85.3512 | 42.4944 | 60.01 | 185
182        | 18-oct-2006 10:12:12 | -85.4102 | 42.4753 | 45.88 | 235
…
254        | 18-oct-2006 10:21:12 | -85.3856 | 42.5129 | 45.67 | 135
Anonymous trace log files
Inference/Insider Attacks Compromise Location Privacy
• Insider attacks and remote break-ins are still possible
• Re-identification of traces through data analysis
(Figure: scattered samples from the anonymous trace log files)
• Tracking algorithms recover individual traces [Hoh05] (median trip time only 15 min)
• Home identification [Hoh06]: GPS is often precise enough to identify the home
Related Works: Uncertainty-Aware Path Cloaking
Requires a Trustworthy Proxy Server [Hoh07]
• Time-to-confusion (TTC) criterion* measures the time an adversary can track with high confidence
• Disclosure control algorithm that selectively reveals GPS samples to limit the maximum Time-to-confusion
(Figure: GPS samples along vehicle paths)
What if the location proxy got compromised?
(Architecture diagram as before: Satellite, Cellular Service Provider, Probe Vehicles, Location Proxy, Traffic Estimation, Data mining and logging; the proxy holds the trace log with Vehicle ID, timestamp, Lon, Lat, Speed and Heading for every vehicle.)
• Idea: distributed "privacy" preserving scheme (a la secret splitting) using Virtual Trip Lines (VTLs)
Virtual Trip Lines (VTLs) Enable Sampling in Space
• Better than sampling in time (periodic reports)?
• Chance of a distributed architecture?
• A VTL has the same effect as "road side" sensor based measurement
  – VTLs can be strategically chosen (optimal placement in the paper)
Privacy Risks and Threat Model
• Any single entity can be compromised (but no collusion)
• A driver's cellphone is trustworthy
(Diagram: Satellite, Cellular Service Provider, Location Proxy, Traffic Estimation, Data mining and logging; "My Phone" among "Others" as probe vehicles.)
Probabilistic Guarantee Model (Mix Zone)
• Mobile generates data: VTL ID, speed, direction
• Mobile encrypts data using the VTL server's public key
• Privacy guarantee:
  – Location proxy: can't decrypt location data
  – VTL server: can't find the user's identity (but an inference attack is still feasible, e.g., when only a single vehicle reports data)
Message flow (from the diagram; entities: Cell Service Provider, Location Proxy, VTL Server, Traffic Estimation):
  Mobile sends E(VTL ID, speed, dir)
  Cell Service Provider forwards Mobile's ID, E(VTL ID, speed, dir) to the Location Proxy
  Location Proxy removes Mobile's ID and forwards E(VTL ID, speed, dir)
  VTL Server decrypts the data for Traffic Estimation
Placement Privacy Constraints: Minimum Spacing
• Tracking uncertainty depends on the spacing between VTLs, the penetration rate, and the speed variations of vehicles
Placement Privacy Constraints: Exclusion Areas
• Low speed samples are likely generated by vehicles that just entered after the ramp
• Suppress sampling on on-/off-ramps
Guaranteed Privacy Model with VTL-based k-anonymity
(called Distributed VTL-Based Temporal Cloaking)
VTLIDnew = h(nonce, VTLIDold), where h is a secure hash function; k = 7
Components (from the diagram):
• Handset: the phone generates the new ID for the trip line with the nonce from the VTL generator
• Location Verifier: coarse location verification to prevent location spoofing
• ID Proxy: temporally cloaks flow updates, limits the update rate per phone, and authenticates users
• VTL Generator: issues the per-area nonce
• Traffic Server: keeps the VTL Update Log
Steps:
1a. Nonce for area (from the VTL Generator)
1b. Broadcast nonce to phones in area
2. Send the VTL update
3. Forward the VTL update
4. Send the cloaked VTL updates
5. Store the cloaked VTL updates
Distributed VTL-Based Temporal Cloaking
• Motivated by secret splitting scheme
• Traffic estimation is immune to temporal error
Entity            | Role                         | Identity | Location      | Time
------------------|------------------------------|----------|---------------|---------
Handset           | Sensing                      | Yes      | Accurate      | Accurate
Location Verifier | Distributing VTL ID updates  | Yes      | Coarse        | Accurate
ID proxy          | Anonymizing and Cloaking     | Yes      | Not available | Accurate
Traffic Server    | Computing Traffic Congestion | No       | Accurate      | Cloaked
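The following is an added example, not code from the slides or from the authors, that walks through the Distributed VTL-Based Temporal Cloaking model and the entity table above: the handset renews the trip-line ID as VTLIDnew = h(nonce, VTLIDold), the ID proxy strips the phone identity, enforces a per-phone update cap and releases a VTL's reports only once k = 7 distinct phones have reported (all with the same cloaked time), and the traffic server computes congestion from the cloaked log alone. The instantiation of h as HMAC-SHA256 keyed by the nonce, the per-phone cap of three updates per nonce epoch, the "cloak to the batch release time" rule, and every phone, nonce and trip-line value are assumptions constructed for the example.

```python
"""Added example of distributed VTL-based temporal cloaking (not the paper's code).
Assumptions: h = HMAC-SHA256 keyed with the nonce; per-phone cap of 3 updates
per nonce epoch; cloaked time = release time of the k-anonymous batch."""
import hashlib
import hmac
from collections import defaultdict
from statistics import mean

K = 7                       # k-anonymity threshold (k = 7 on the slides)
MAX_UPDATES_PER_PHONE = 3   # assumed per-phone update cap per nonce epoch


def new_vtl_id(nonce: bytes, old_id: bytes) -> str:
    """VTLIDnew = h(nonce, VTLIDold); h instantiated as HMAC-SHA256 (assumption)."""
    return hmac.new(nonce, old_id, hashlib.sha256).hexdigest()


class Handset:
    """Phone: crosses a trip line and reports (renewed VTL ID, speed, direction, time)."""
    def __init__(self, phone_id: str, nonce: bytes):
        self.phone_id = phone_id
        self.nonce = nonce          # broadcast to phones in the area (step 1b)

    def cross(self, old_vtl_id: bytes, speed: float, direction: int, ts: int) -> dict:
        # the phone never reports the long-lived trip line ID, only its hashed renewal
        return {"phone": self.phone_id, "vtl": new_vtl_id(self.nonce, old_vtl_id),
                "speed": speed, "dir": direction, "ts": ts}


class IDProxy:
    """Knows identity, never sees location; rate-limits, anonymizes and cloaks time."""
    def __init__(self, k: int = K, max_updates: int = MAX_UPDATES_PER_PHONE):
        self.k = k
        self.max_updates = max_updates
        self.pending = defaultdict(list)   # hashed VTL id -> [(phone, record)]
        self.counts = defaultdict(int)     # phone -> updates accepted this epoch
        self.released = []                 # cloaked batches sent to the traffic server

    def receive(self, update: dict) -> bool:
        phone = update["phone"]
        if self.counts[phone] >= self.max_updates:
            return False                   # rate limit: one phone cannot flood a VTL
        self.counts[phone] += 1
        bucket = self.pending[update["vtl"]]
        if any(p == phone for p, _ in bucket):
            return False                   # the same phone must not count twice toward k
        bucket.append((phone, update))
        if len(bucket) >= self.k:
            self._release(update["vtl"])
        return True

    def _release(self, vtl: str) -> list:
        bucket = self.pending.pop(vtl)
        # temporal cloaking: all k records share the batch release time, so the
        # traffic server cannot order individual crossings; the phone id is dropped
        cloak_ts = max(rec["ts"] for _, rec in bucket)
        batch = [{"vtl": vtl, "speed": r["speed"], "dir": r["dir"], "ts": cloak_ts}
                 for _, r in bucket]
        self.released.append(batch)
        return batch


class TrafficServer:
    """Sees accurate VTL location and speed, but cloaked time and no identity."""
    def __init__(self):
        self.log = []                      # the VTL Update Log (step 5)

    def store(self, batch: list) -> None:
        self.log.extend(batch)

    def mean_speed(self, vtl: str) -> float:
        return mean(r["speed"] for r in self.log if r["vtl"] == vtl)


def simulate(n_phones: int, k: int = K):
    """Constructed scenario: n phones cross one trip line during one nonce epoch."""
    nonce = b"nonce-epoch-1"               # constructed nonce from the VTL generator
    line = b"VTL-0042"                     # constructed long-lived trip line id
    proxy, server = IDProxy(k=k), TrafficServer()
    for i in range(n_phones):
        handset = Handset(f"phone-{i}", nonce)
        proxy.receive(handset.cross(line, speed=40 + i, direction=135, ts=1000 + 10 * i))
    for batch in proxy.released:           # step 4: cloaked updates to the server
        server.store(batch)
    return proxy, server, new_vtl_id(nonce, line)


if __name__ == "__main__":
    proxy, server, vtl = simulate(7)
    print(f"batches released: {len(proxy.released)}, mean speed at VTL: {server.mean_speed(vtl)}")
```

Running `simulate(6)` releases nothing, which is the k-anonymity guarantee in action: a lone reporter (the inference risk noted for the mix-zone model) never reaches the traffic server. Dropping the per-phone cap or the duplicate check would let one compromised handset manufacture the k reports itself, so both belong in the proxy, not the phone.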
Virtual Trip Lines
Temporal Cloaking