Feeling-based location privacy protection for LBS
Location privacy
• Location privacy leak in LBSs
  – A person’s whereabouts may imply private information
  – Potential abuse of users’ location data collected by service providers
[Figure: Users, Network, Internet, LBS Server, Other companies]
Location privacy protection
• Simply using a pseudonym is not sufficient
  – A user’s location may reveal her real identity
• Reducing location resolution
  – Cloak a client’s location with a spatial region, called a cloaking region
Location privacy protection
• Location cloaking techniques
  – Anonymous use of LBSs
    • Ensure each cloaking region contains a number of users
    • Prevent the adversary from identifying the service client
  – Location privacy protection
    • Ensure each cloaking region has been visited by a number of users
    • Prevent the adversary from deriving who is where at what time
Problems (1)
• Privacy modeling
  – Users need to specify a K value
  – Privacy is about personal feelings
  – Difficult for users to choose a K value
    • What is the difference between K=20 and K=19?
    • Users have no idea how large K should be in order to make them feel safe enough.
  – A user may choose a very large K, but it leads to poor cloaking resolution
Problems (2)
• Robustness
  – Just ensuring each cloaking region has been visited by K people may NOT provide protection at level K.
    • Robust only when the users’ footprints are uniformly distributed
    • Dominant users are more likely to be the service client
Problem (3)
• On-the-fly cloaking
  – The current cloaking technique needs a client to submit her route before traveling
  – In many cases, the moving route is not predetermined
  – Cloaking should be done in an on-the-fly fashion
Basic idea
• Let a client specify her privacy requirement by a spatial region, called a public region
  – A spatial region is considered public by a user if the user feels comfortable that the region is reported as her location
  – E.g., a user can specify a shopping mall as her safe region
Feeling-based privacy model
• A user u specifies a public region Ru instead of K
  – The user feels that Ru is public enough, so reporting Ru is safe for herself.
• Challenge:
  – How to measure the privacy level that such a region can provide to the user
Popularity (1)
• Use entropy to measure the popularity of a region
  – Let R be a region, S(R)={u1, u2,…,um} be the set of users who have visited R.
  – Entropy of R is E(R) =
  – Popularity of R is P(R) =
Popularity (2)
• E(R): the amount of information needed for the adversary to identify the client
• P(R): actually indicates the number of users among which the client is indistinguishable
• 1<P(R)≤m
• P(R) is lower if footprint distribution is more skewed
• From a client’s perspective, a spatial region is a public region as long as its popularity is no less than P(Ru)
Public trajectory (1)
• Continuous LBS – a sequence of location updates
  – Location updates are not independent
  – Simply ensuring each cloaking box is a public region is not enough
• T={R1, R2, …, Rn}
• Adversary may identify S(Ri), and then join all S(Ri).
• As a result, the privacy level is reduced
Public trajectory (2)
• We must use the common set of users to compute the popularity
  – Let U ={u1, u2,…,um’} be a subset of S(R)
  – The entropy of R with respect to U is
  – The popularity of R with respect to U is
  – Goal: the popularity of each cloaking box in the trajectory with respect to a common set of users is no less than P(Ru): a P-Public Trajectory (PPT)
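An added example (not from the slides) of the popularity measure and the P-public trajectory check described on the Popularity and Public trajectory slides. The slides' formulas are missing, so the code assumes Shannon entropy over each user's share of the footprints and popularity 2^E; all footprint counts and function names are constructed for illustration.

```python
from math import log2

def popularity(footprints, users=None):
    """Popularity of a region given {user: number of footprints in the region}.

    Assumed definition (the slide's formulas are missing): E = -sum(p_i * log2 p_i),
    where p_i is user i's share of the footprints, and P = 2 ** E.
    If `users` is given, only that user set U is counted.
    """
    counts = [n for u, n in footprints.items()
              if n > 0 and (users is None or u in users)]
    total = sum(counts)
    if total == 0:
        return 0.0
    return 2 ** -sum(n / total * log2(n / total) for n in counts)

def common_users(boxes):
    """Users seen in every cloaking box: the result of joining all S(Ri)."""
    return set.intersection(*({u for u, n in b.items() if n > 0} for b in boxes))

def is_ppt(boxes, user_set, p_u):
    """True if every box reaches popularity p_u with respect to one user set."""
    return all(popularity(b, user_set) >= p_u for b in boxes)

# Constructed footprint counts: four visitors each, but one region is dominated by u1.
UNIFORM = {"u1": 5, "u2": 5, "u3": 5, "u4": 5}
SKEWED = {"u1": 17, "u2": 1, "u3": 1, "u4": 1}

# Constructed trajectory: each box alone has popularity 4, yet only u1 and u2
# appear in both, so the join leaves the client hidden among two users.
TRAJECTORY = [
    {"u1": 3, "u2": 3, "u3": 3, "u4": 3},
    {"u1": 3, "u2": 3, "u5": 3, "u6": 3},
]

if __name__ == "__main__":
    print(popularity(UNIFORM), round(popularity(SKEWED), 2))
    joined = common_users(TRAJECTORY)
    print(sorted(joined), is_ppt(TRAJECTORY, joined, 4), is_ppt(TRAJECTORY, joined, 2))
```

Both sample regions would pass a "visited by K=4 users" test, but the skewed one offers a popularity below 2, which is the robustness problem the slides raise.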
On-the-fly trajectory cloaking
• System overview
  – Clients communicate with LBS providers through a location depersonalization server (LDS)
  – To receive an LBS, a client needs to submit
    • Public region Ru
    • Travel bound B
    • Location updates repeatedly during her travel
  – In response, LDS
    • Generates a cloaking box for each location update
    • Ensures the sequence of cloaking boxes forms a PPT
Data structure
• Grid-based pyramid structure
  – 4^(i-1) cells at layer i
  – Cells at the bottom layer h keep the footprint index
    • Footprint table, stores the footprints in this cell
    • Cell table, stores the number of footprints each user has in the cell
Generating PPT
• Given public region Ru, calculate Pu=P(Ru)
• Each cloaking box in a PPT
  – Contains footprints of the same set of users, called the cloaking set
  – Popularity with respect to the cloaking set is no less than Pu
• Challenge:
  – How to find the cloaking set which can generate a PPT with fine resolution
Selecting cloaking set
• Simple solution
  – Cloak the client’s first location using the footprints closest to it
  – Record the corresponding users as the cloaking set
  – Cloak the rest of the client’s location updates using the historical trajectories of the users in the cloaking set
• Disadvantage
  – The first cloaking box is small, but the rest will become larger and larger as the client moves
Basic idea
• Observation
  – Popular user: has visited many places in the client's travel bound
  – Using her historical trajectories to cloak tends to have a fine cloaking resolution, no matter where the client moves
• Idea
  – Find the most popular users for cloaking
Popular level
• Measure how popular a user is in B, based on her footprints in B
  – l-popular: the user has visited all cells at layer l overlapping with B
  – The larger l is, the more popular the user is
    • If a user is l-popular, she must be l’-popular for any l’<l
    • Example
      – u1, u2, u3: 2-popular
      – u2, u3: 3-popular
      – u3: 4-popular
Cloaking set selection algorithm
• From bottom to top of the pyramid
  – Find the l-popular users in terms of B for each layer l, say Sl (l from h down to 1)
  – Calculate the popularity of B with respect to Sl
  – If for some l, the popularity is no less than Pu, Sl is set as the cloaking set candidate
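An added example (not from the slides) of the l-popular test and the bottom-to-top cloaking set selection described on the two slides above. It assumes a square map whose layer i is a 2^(i-1) by 2^(i-1) grid, popularity defined as 2 to the Shannon entropy of footprint shares, and popularity of B computed from each user's footprint count inside B; the data and function names are constructed.

```python
from math import log2

def popularity(counts):
    """Assumed definition: 2 ** Shannon entropy of the users' footprint shares."""
    total = sum(counts)
    return 2 ** -sum(n / total * log2(n / total) for n in counts if n) if total else 0.0

def cells_overlapping(bound, layer, side):
    """Layer-`layer` cells (col, row) overlapping B; layer i has 4**(i-1) cells."""
    x0, y0, x1, y1 = bound
    n = 2 ** (layer - 1)
    w = side / n
    return {(c, r) for c in range(n) for r in range(n)
            if c * w < x1 and (c + 1) * w > x0 and r * w < y1 and (r + 1) * w > y0}

def l_popular(footprints, bound, layer, side):
    """Users with a footprint in every layer-`layer` cell that overlaps B."""
    need = cells_overlapping(bound, layer, side)
    w = side / 2 ** (layer - 1)
    return {u for u, pts in footprints.items()
            if need <= {(int(x // w), int(y // w)) for x, y in pts}}

def select_cloaking_set(footprints, bound, p_u, height, side):
    """Scan layers h..1 and return (l, S_l) for the first S_l with P(B) >= p_u."""
    x0, y0, x1, y1 = bound
    for layer in range(height, 0, -1):
        s_l = l_popular(footprints, bound, layer, side)
        # Assumption: popularity of B w.r.t. S_l uses each user's footprint count in B
        counts = [sum(x0 <= x <= x1 and y0 <= y <= y1 for x, y in footprints[u])
                  for u in sorted(s_l)]
        if popularity(counts) >= p_u:
            return layer, s_l
    return None

# Constructed data: 8 x 8 map, pyramid height 3, travel bound B = lower-left quadrant.
SIDE, HEIGHT, BOUND = 8, 3, (0, 0, 4, 4)
FOOTPRINTS = {
    "u1": [(1, 1)],
    "u2": [(1, 1), (3, 1), (1, 3), (3, 3)],
    "u3": [(0.5, 0.5), (2.5, 1), (1, 2.5), (3, 3.5)],
    "u4": [(6, 6)],
}

if __name__ == "__main__":
    print(select_cloaking_set(FOOTPRINTS, BOUND, 2.0, HEIGHT, SIDE))
    print(select_cloaking_set(FOOTPRINTS, BOUND, 2.5, HEIGHT, SIDE))
```

With a requirement of 2.0 the two 3-popular users suffice; raising it to 2.5 forces the search up to layer 2, where the less popular u1 joins the candidate set.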
Refine the cloaking set
• Sl needs refinement if PSl(B) > Pu
  – Overprotect
  – Larger cloaking set may downgrade the cloaking resolution
• Find a subset of Sl
  – Remove some users who are l-popular but not (l+1)-popular, i.e., S’=Sl - Sl+1
• A user is more popular
  – if visited more cells at layer l+1
  – if visited cells are closer to the client’s start position
• Measure a user u in S’ with $\sum_{c \in C'_{l+1}} \frac{1}{d_c}$
  – C’l+1 is the cells at layer l+1 overlapping with B
  – dc is the distance between a cell c and the cell containing the client’s start position
Cloaking client’s location
• Let S be the cloaking set, p be the client’s location, we cloak p by
  – 1) find closest footprints to p for each user in S
  – 2) compute the minimal bounding box of these footprints, say R
  – 3) calculate PS(R)
    • If PS(R) < Pu, expand R by merging its neighbors, goto 2)
    • If PS(R) ≥ Pu, R is reported as the client’s location
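An added example (not from the slides) of the three-step cloaking loop above. It assumes popularity is 2 to the Shannon entropy of footprint shares and that "merging its neighbors" means growing the box by one grid cell width on every side; the footprints, the `cell` and `max_rounds` parameters and the function names are constructed.

```python
from math import dist, log2

def popularity(counts):
    """Assumed definition: 2 ** Shannon entropy of the users' footprint shares."""
    total = sum(counts)
    return 2 ** -sum(n / total * log2(n / total) for n in counts if n) if total else 0.0

def cloak(p, footprints, cloaking_set, p_u, cell=1.0, max_rounds=50):
    """Return a box (x0, y0, x1, y1) with P_S(R) >= p_u, or None if unreachable."""
    users = sorted(cloaking_set)
    # 1) each cloaking-set user's footprint closest to the client's location p
    nearest = [min(footprints[u], key=lambda f: dist(f, p)) for u in users]
    # 2) minimal bounding box R of those footprints
    xs, ys = zip(*nearest)
    box = (min(xs), min(ys), max(xs), max(ys))
    for _ in range(max_rounds):
        # 3) P_S(R) from each user's footprint count inside R
        counts = [sum(box[0] <= x <= box[2] and box[1] <= y <= box[3]
                      for x, y in footprints[u]) for u in users]
        if popularity(counts) >= p_u:
            return box
        # Assumed expansion rule: absorb one ring of neighbouring grid cells
        box = (box[0] - cell, box[1] - cell, box[2] + cell, box[3] + cell)
    return None

# Constructed footprints: u1 dominates the area around the client at (5, 5).
FOOTPRINTS = {
    "u1": [(5, 5), (5, 6), (4, 5), (6, 5), (5, 4)],
    "u2": [(6, 6), (9, 9)],
    "u3": [(4, 4), (0, 0)],
}

if __name__ == "__main__":
    for p_u in (2.0, 2.5, 3.5):
        print(p_u, cloak((5, 5), FOOTPRINTS, FOOTPRINTS.keys(), p_u))
```

Because u1 dominates the initial box, a modest rise in the requirement from 2.0 to 2.5 grows the reported region from a 2 by 2 box to a 10 by 10 box, and a requirement above the size of the cloaking set can never be met.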
Performance
• Evaluate the impact of the cloaking technique on the quality of LBSs
  – Metric: cloaking area, average area of cloaking boxes in a PPT
• Comparison
  – Baseline: determine the cloaking set based on the closest footprints to client’s start position
  – Advanced: the proposed technique
Effect of privacy requirement
• Our technique has better performance
• The cloaking resolution on more popular roads is finer
Conclusion
• We proposed a feeling-based model for location privacy protection
  – Allow users to configure their privacy preference based on intuitive feelings: public region
  – Borrow the concept of entropy to measure the privacy level of a cloaking box
• Based on this model, we developed algorithms for on-the-fly trajectory cloaking
Thanks