Post on 20-Jan-2016
1
Location Privacy
2
Context
Better localization technology
+
Pervasive wireless connectivity
=
Location-based applications
3
Location-Based Apps
For example: GeoLife shows a grocery list near WalMart; Micro-Blog allows location-scoped querying; location-based ads, e.g. a coffee coupon at Starbucks …
Location expresses the user's context, facilitating content delivery
It's as if location is the IP address for content
4
Double-Edged Sword
While location drives this new class of applications, it also violates the user’s privacy
The sharper the location, the richer the app, and the deeper the violation
5
The Location Based Service Workflow
[Figure: Client → Server → LBS Database (Location Based Service)]
Request: retrieve all available services in the client’s location
Forward to local service: retrieve all available services in location
Reply
6
The Location Anonymity Problem
[Figure: Client → Server → LBS Database (Location Based Service)]
Request: retrieve all bus lines from location to address
Privacy Violated
7
Double-Edged Sword
Moreover, a range of apps are PUSH based and require continuous location information
Phone detected at Starbucks: PUSH a coffee coupon
Phone located on a highway: query traffic congestion
8
Location Privacy
Problem: continuous location exposure is a serious threat to privacy
Research: preserve privacy without sacrificing the quality of continuous location-based apps
9
Just Call Yourself “Freddy”
Pseudonyms [Gruteser04]: effective only when location exposure is infrequent; otherwise spatio-temporal patterns are enough to deanonymize
… think breadcrumbs
[Figure: Romit’s Office; John, Leslie, Jack, Susan, Alex]
10
A Customizable k-Anonymity Model for Protecting Location Privacy
Paper by:
B. Gedik, L. Liu
(Georgia Tech)
Slides adopted from: Tal Shoseyov
11
Location Anonymity
“A message from a client to a database is called location anonymous if the client’s identity cannot be distinguished from other users based on the client’s location information.”
12
k-Anonymity
“A message from a client to a database is called location k-anonymous if the client cannot be identified by the database based on the client’s location from other k-1 clients.”
13
Implementation of Location Anonymity
Client sends a plain request to the server
Server transforms the message by “anonymizing” the location data in the message
Server sends the “anonymized” message to the database
Database executes the request according to the received anonymous data
Database replies to the server with the compiled data
Server forwards the data to the client
14
Implementation of Location k-Anonymity
Spatial Cloaking – Setting a range of space to be a single box, where all clients located within the range are said to be in the “same location”.
[Figure: box in the x–y plane]
Temporal Cloaking – Setting a time interval, where all the clients in a specific location sending a message in that time interval are said to have sent the message at the “same time”.
[Figure: interval on the t axis]
15
Implementation of Location k-Anonymity
[Figure: box spanning x, y and t]
Spatial-Temporal Cloaking – Setting a range of space and a time interval, where all the messages sent by clients inside the range during that time interval are treated as sent from the “same location” at the “same time”. This spatial and temporal area is called a “cloaking box”.
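To make the cloaking box concrete, here is an added example (not code from the paper or the slides) of the server-side step: the anonymizing server holds recent location reports from its clients, grows a square around the requesting client's position and widens the time interval around its report until at least k distinct clients fall inside, then forwards only the box, never the exact point or identity. The sample reports, the search order (smallest box first, time interval as tie-breaker) and the step sizes are my assumptions for illustration, not the paper's algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed sample data: one location report per client, coordinates in metres,
# time in seconds. None of this comes from the paper; it only exercises the algorithm.
@dataclass(frozen=True)
class Report:
    client: str
    x: float
    y: float
    t: float


@dataclass(frozen=True)
class CloakingBox:
    x_min: float
    x_max: float
    y_min: float
    y_max: float
    t_min: float
    t_max: float
    members: Tuple[str, ...]   # distinct clients inside the box (kept on the server, never sent)


SAMPLE_REPORTS: List[Report] = [
    Report("alice", 100.0, 100.0, 0.0),   # the client whose request is being cloaked
    Report("bob",   105.0,  98.0, 0.0),
    Report("carol", 130.0, 120.0, 3.0),
    Report("dave",  250.0, 250.0, 0.0),
    Report("erin",  115.0, 110.0, 20.0),
]


def in_box(r: Report, box: Tuple[float, ...]) -> bool:
    x_min, x_max, y_min, y_max, t_min, t_max = box
    return x_min <= r.x <= x_max and y_min <= r.y <= y_max and t_min <= r.t <= t_max


def spatio_temporal_cloak(target: Report, reports: List[Report], k: int,
                          max_radius: float, max_delay: float,
                          r_step: float = 10.0, t_step: float = 5.0) -> Optional[CloakingBox]:
    """Grow a square around the target's position (spatial cloaking) and, for each size,
    widen the time interval around the target's report time (temporal cloaking) until at
    least k distinct clients fall inside. The smallest spatial box wins; the interval is the
    tie-breaker. Returns None when the limits are exhausted, i.e. the server should refuse
    to forward the request rather than send an under-anonymized one."""
    radius = r_step
    while radius <= max_radius:
        delay = 0.0
        while delay <= max_delay:
            box = (target.x - radius, target.x + radius,
                   target.y - radius, target.y + radius,
                   target.t - delay, target.t + delay)
            members = sorted({r.client for r in reports if in_box(r, box)})
            if len(members) >= k:
                return CloakingBox(*box, members=tuple(members))
            delay += t_step
        radius += r_step
    return None


def anonymized_request(box: CloakingBox, query: str) -> Dict[str, object]:
    """What the server forwards to the database: the query plus the cloaking box,
    without the client's identity, exact coordinates or exact time."""
    return {"query": query,
            "area": (box.x_min, box.x_max, box.y_min, box.y_max),
            "interval": (box.t_min, box.t_max)}


if __name__ == "__main__":
    box = spatio_temporal_cloak(SAMPLE_REPORTS[0], SAMPLE_REPORTS, k=3,
                                max_radius=200.0, max_delay=30.0)
    print(box)
    if box is not None:
        print(anonymized_request(box, "bus lines from here to address"))
```

With the constructed reports and k=3, the 10 m box never fills (only bob is near alice), so the search moves to a 20 m box and has to stretch the interval to ±20 s before erin's report qualifies: this is the degradation in sparse regions the next slides complain about, visible as a larger box and a longer delay.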
16
Previous solutions
M. Gruteser, D. Grunwald (2003) – For a fixed k value, the server finds the smallest area around the client’s location that potentially contains k-1 other clients, and monitors that area over time until such k-1 clients are found.
Drawback:
Fixed anonymity value for all clients (service dependent)
17
Add Noise
K-anonymity [Gedik05]: convert the location to a space-time bounding box; ensure K users are in the box; location apps reply for the boxed region
Issues: poor quality of location; degrades in sparse regions; not real-time
[Figure: bounding box around you, K=4]
18
Confuse Via Mixing
Path intersections are an opportunity for privacy: if users intersect in space-time, one cannot say who is who later
Unfortunately, users may not intersect in both space and time
[Figure: Hospital and Airport paths that do not meet; ? ?]
20
Hiding Until Mixed
Partially hide locations until users have mixed [Gruteser07]; expose after a delay
But delays are unacceptable to real-time apps
[Figure: Hospital, Airport]
22
Existing solutions seem to suggest:
Privacy and Quality of Localization (QoL) form a zero-sum game
Need to sacrifice one to gain the other
23
Hiding Stars with Fireworks: Location Privacy through Camouflage
24
Goal
Break away from this tradeoff
Target: Spatial accuracy
Real-time updates
Privacy guarantees
Even in sparse populations
New Proposal: CacheCloak
25
The Intuition
Predict until paths intersect
Expose the predicted intersection to the application
Cache the information on each predicted location
[Figure: Hospital and Airport paths, each extended by prediction until they intersect]
28
CacheCloak
System Design and Evaluation
29
Architecture
Assume a trusted privacy provider: reveal location to CacheCloak; CacheCloak exposes anonymized location to the location apps
[Figure: CacheCloak in front of Loc. App1, Loc. App2, Loc. App3, Loc. App4]
30
In Steady State …
[Figure: Location Based Application ⇄ CacheCloak]
31
Prediction
Backward prediction and forward prediction
[Figure: Location Based Application ⇄ CacheCloak]
32
Prediction
[Figure: Location Based Application ⇄ CacheCloak]
33
Predicted Intersection
Predicted path
34
Query
Predicted path
35
Query
[Figure: queries (?) issued for the pixels along the predicted path]
36
LBA Responds
Array of responses
37
Cached
Cached responses: location-based information
38
Cached Response
39
Cached Response
40
Cached Response
41
Cached Response
Predicted path
[Figure: Location Based Application ⇄ CacheCloak]
42
Benefits
Real-time: response ready when the user arrives at the predicted location
High QoL: responses can be specific to location; overhead on the wired backbone (caching helps)
Entropy guarantees: entropy increases at traffic intersections
Sparse population: can be handled with dummy users, false branching
[Figure: predicted path]
43
Quantifying Privacy
City converted into a grid of small squares (pixels); users are located at a pixel at a given time
Each pixel is associated with an 8x8 matrix; element (x, y) = probability that a user enters at x and exits at y
Probabilities diffuse at intersections and over time
Privacy = entropy
$E_{\text{user}} = -\sum_{i \in \text{pixels}} p_i \log p_i$
44
Diffusion
Probability of the user’s presence diffuses; the diffusion gradient is computed from history, i.e., what fraction of users take a right turn at this intersection
[Figure: road and intersection at times t1, t2, t3]
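The two slides above define the privacy metric (entropy of the attacker's probability distribution over pixels) and the mechanism that grows it (diffusion through each pixel's entry/exit matrix, learned from history). The following added example, which is mine and not the paper's code, carries that through on a tiny constructed road network: an east-west road with one intersection whose turn statistics were observed from ten earlier users. It represents each pixel's 8x8 matrix as counts keyed by (entry direction, exit direction), propagates the mass one step at a time, and reports $E_{\text{user}}$ in bits after each step. The rule that a pixel with no history passes users straight through is an assumption for the example.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

Pixel = Tuple[int, int]
# The eight compass directions a user can enter or leave a pixel by; the paper's 8x8
# per-pixel matrix is indexed by (entry direction, exit direction).
DIRS: Dict[str, Tuple[int, int]] = {
    "N": (0, 1), "NE": (1, 1), "E": (1, 0), "SE": (1, -1),
    "S": (0, -1), "SW": (-1, -1), "W": (-1, 0), "NW": (-1, 1),
}


class TurnModel:
    """Per-pixel turn statistics learned from history (the diffusion gradient)."""

    def __init__(self) -> None:
        # pixel -> (entry, exit) -> number of users observed making that move
        self.counts: Dict[Pixel, Dict[Tuple[str, str], int]] = defaultdict(lambda: defaultdict(int))

    def observe(self, pixel: Pixel, entry: str, exit_: str) -> None:
        self.counts[pixel][(entry, exit_)] += 1

    def exit_probs(self, pixel: Pixel, entry: str) -> Dict[str, float]:
        """One row of the pixel's 8x8 matrix: P(exit direction | entry direction)."""
        row = {ex: c for (en, ex), c in self.counts[pixel].items() if en == entry}
        total = sum(row.values())
        if total == 0:
            return {entry: 1.0}   # assumption for this example: no history means straight through
        return {ex: c / total for ex, c in row.items()}


# (pixel, direction of travel) -> probability mass the attacker assigns to it
State = Dict[Tuple[Pixel, str], float]


def diffuse(state: State, model: TurnModel) -> State:
    """One time step: each unit of probability mass leaves its pixel according to the
    learned turn probabilities, so mass splits wherever the history shows turns."""
    new: State = defaultdict(float)
    for (pixel, entry), mass in state.items():
        for exit_, p in model.exit_probs(pixel, entry).items():
            dx, dy = DIRS[exit_]
            new[((pixel[0] + dx, pixel[1] + dy), exit_)] += mass * p
    return dict(new)


def pixel_distribution(state: State) -> Dict[Pixel, float]:
    """Collapse travel directions: p_i per pixel, as in the slide's formula."""
    dist: Dict[Pixel, float] = defaultdict(float)
    for (pixel, _), mass in state.items():
        dist[pixel] += mass
    return dict(dist)


def entropy_bits(state: State) -> float:
    """E_user = -sum over pixels of p_i * log2(p_i), in bits."""
    return -sum(p * math.log2(p) for p in pixel_distribution(state).values() if p > 0)


def simulate(model: TurnModel, start: Pixel, heading: str, steps: int) -> Tuple[State, List[float]]:
    state: State = {(start, heading): 1.0}    # the attacker knows the start pixel exactly
    trace = [entropy_bits(state)]
    for _ in range(steps):
        state = diffuse(state, model)
        trace.append(entropy_bits(state))
    return state, trace


def build_example_model() -> TurnModel:
    """Constructed history: an east-west road with an intersection at pixel (2, 0) where,
    of 10 past eastbound users, 5 went straight, 3 turned north and 2 turned south."""
    m = TurnModel()
    for exit_, n in (("E", 5), ("N", 3), ("S", 2)):
        for _ in range(n):
            m.observe((2, 0), "E", exit_)
    return m


if __name__ == "__main__":
    final, trace = simulate(build_example_model(), (0, 0), "E", 3)
    print("entropy per step (bits):", [round(e, 3) for e in trace])
    print("where the user might be:", pixel_distribution(final))
```

Along the straight road the entropy stays at zero: the attacker can follow the single predicted pixel. The step through the intersection splits the mass 0.5/0.3/0.2 and the entropy jumps to about 1.49 bits, which is the "entropy increases at traffic intersections" claim on the Benefits slide in miniature; more intersections along the predicted path, or dummy branches in sparse areas, would raise it further.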
45
Evaluation
Trace-based simulation: VanetMobiSim + US Census Bureau trace data; Durham map with traffic lights, speed limits, etc.
Vehicles follow Google map paths and perform collision avoidance
6km x 6km, 10m x 10m pixel, 1000 cars
46
Results
High average entropy; quite insensitive to user density (good for sparse regions); minimum entropy reasonably high
[Figure: bits of mean entropy vs. number of users (N) and vs. time (minutes); min. and max. curves]
47
Results
Peak counting: # of places where the attacker’s confidence is > threshold
[Figure: mean # of peaks vs. time (seconds)]
48
Results
Peak counting: # of places where the attacker’s confidence is > threshold
[Figure: mean # of peaks vs. number of users (N)]
49
Limitations, Discussions …
CacheCloak overhead: the application replies to a lot of queries; however, the overhead is on the wired infrastructure, and caching reduces it significantly
CacheCloak assumes the same, indistinguishable query: different queries can deanonymize; possible through query combination … future work
Per-user privacy guarantee not yet supported: adaptive branching & dummy users
CacheCloak is a central trusted entity: a distributed version is proposed in the paper
50
Closing Thoughts
Two nodes may intersect in space but not in time
Mixing not possible, without sacrificing timeliness
Mobility prediction creates space-time intersections
Enables virtual mixing in future
51
Closing Thoughts
CacheCloak Implements the prediction and caching function
High entropy possible even under sparse population
Spatio-temporal accuracy remains uncompromised
52
Thank You
For more related work, visit:
http://synrg.ee.duke.edu