Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Private Queries in Location-Based Services: Anonymizers are Not Necessary Gabriel Ghinita1 Panos Kalnis1 Ali Khoshgozaran2 Cyrus Shahabi2 Kian Lee Tan1 National University of Singapore 2 University of Southern California 1 2 Location-Based Services (LBS) LBS users Mobile devices with GPS capabilities Queries NN Queries Location server is NOT trusted “Find closest hospital to my present location” 3 Problem Statement Queries may disclose sensitive information But user location may disclose identity Query through anonymous web surfing service Triangulation of device signal Publicly available databases Physical surveillance How to preserve query source anonymity? Even when exact user locations are known 4 PIR Overview Computationally hard to find i from q(i) Bob can easily find Xi from r (trap-door) 5 Existing LBS Privacy Solutions 6 Spatial K-Anonymity Query issuer “hides” among other K-1 users Probability of identifying query source ≤ 1/K Idea: anonymizing spatial regions (ASR) 7 Casper[Mok06] Quad-tree based Fails to preserve anonymity for outliers Unnecessarily large ASR size A1 u2 • Let K=3 u1 u3 • If any of u1, u2, u3 queries, ASR is A1 NOT SECURE u !!! 4 A2 • If u4 queries, ASR is A2 • u4’s identity is disclosed [Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006 8 Reciprocity u3 u2 u1 u5 u4 u6 [KGMP07] – Kalnis P., Ghinita G., Mouratidis K., Papadias D., "Preventing Location-Based Identity Inference in Anonymous Spatial Queries", IEEE TKDE 2007. 9 Hilbert Cloak (HC) Based on Hilbert space-filling curve index users by Hilbert value of location partition Hilbert sequence into “K-buckets” Start End 10 Continuous Queries[CM07] Problems ASRs grows large Query dropped ifusome user in U disconnects 1 u 3 u2 [CM07] C.-Y. Chow and M. Mokbel “Enabling Private Continuous Queries For Revealed User Locations”. In Proc. of SSTD 2007 11 Space Encryption[KS07] Drawbacks Hilbert Mapping approximate answers are makes use of tamper-resistant devices P4 may be vulnerable if some POI12are 14 known 19 24 P1 P2 Q P1 P2 P4 P 3 P3 NN(15)=P2 15 [KS07] A. Khoshgozaran, C. Shahabi. Blind Evaluation of Nearest Neighbor Queries Using Space Transformation to Preserve Location Privacy , In Proc. Of SSTD 2007 12 Motivation Limitations of existing solutions Assumption of trusted entities Considerable overhead for sporadic benefits anonymizer and trusted, non-colluding users maintenance of user locations No privacy guarantees especially for continuous queries 13 Our Approach 14 LBS Privacy with PIR PIR Two-party cryptographic protocol No pooling of a large user population required No trusted anonymizer required No trusted users required No need for location updates Location data completely obscured 15 PIR Theoretical Foundations Let N =q1*q2, q1 and q2 large primes Quadratic Residuosity Assumption (QRA) QR/QNR decision computationally hard Essential properties: QR * QR = QR QR * QNR = QNR 16 PIR Protocol for Binary Data a y1 Get X10 y2 y3 y4 QNR a=2, b=3 X4 X8 X12 X16 z4 X3 X7 X11 X15 z3 X2 X6 X10 X14 z2 X1 X5 X9 X13 z1 b 4 z2=QNR => X10=1 4( j 1) i j z2=QR => X10=0 j 1 zi X y 17 Approximate Nearest Neighbor p4 p6 p1 p5 p8 p2 p7 p9 p3 u Data organized as a square matrix Each column corresponds to index leaf An entire leaf is retrieved – the closest to the user 18 Exact Nearest Neighbor A A3: p1, p2, p3 A4: p1, --, -- B C D 4 p 1 3 2 Z4 p3 p4 u p2 Z3 Z2 Z1 1 Y1 Y2 Y3 Y4 QNR Only z2 needed 19 Rectangular PIR Matrix 20 Avoiding Redundant Computations Data mining Identify frequent partial products 21 Parallelize Computation Values of z can be computed in parallel Master-slave paradigm Offline phase: master scatters PIR matrix Online phase: Master broadcasts y Each worker computes z values for its strip Master collects z results 22 Experimental Settings Sequoia dataset + synthetic sets 10,000 to 100,000 POI Modulus up to 1280 bits 23 Parallel Execution 24 Data Mining Optimization 25 Disclosed POI 26 Conclusions PIR-based LBS privacy No need to trust third-party Secure against any location-based attack Future work Further reduce PIR overhead Support more complex queries Include more POI information in the reply 27 Bibliography [KGMP07] – Kalnis P., Ghinita G., Mouratidis K., Papadias D., "Preventing Location-Based Identity Inference in Anonymous Spatial Queries", IEEE Transactions on Knowledge and Data Engineering (IEEE TKDE), 19(12), 1719-1733, 2007. [GZPK07] – Ghinita G., Zhao K., Papadias D., Kalnis P., Reciprocal Framework for Spatial K-Anonymity, Technical Report [GKS07a] – Ghinita G., Kalnis P., Skiadopoulos S., "PRIVE: Anonymous Location-based Queries in Distributed Mobile Systems", Proc. of World Wide Web Conf. (WWW), Banff, Canada, 371-380, 2007. [GKS07b] – Ghinita G., Kalnis P., Skiadopoulos S., "MOBIHIDE: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries", Proc. of the Int. Symposium in Spatial and Temporal Databases (SSTD), Boston, MA, 221-238, 2007. http://anonym.comp.nus.edu.sg