Location Privacy Protection for Location-based Services
Ying Cai
Department of Computer Science, Iowa State University, Ames, Iowa, 50011
http://www.cs.iastate.edu/~yingcai
Location-based Services (LBS)
Dilemma
To use an LBS, a user needs to disclose her location, but a person’s whereabouts may imply sensitive private information: hospital, political party, nightclub, stalking, …
Location Privacy Protection: Policy-based approaches
Legislation governs the collection and distribution of personal location data
Personal location management lets users determine when and to whom to release location information
These schemes cannot prevent location data from being abused by insiders
[Figure: users reach LBS servers through the network and the Internet; an LBS server may pass location data on to other companies]
Challenge
Simply using a pseudonym is not sufficient, because a user’s location itself may reveal her real-world identity, e.g., by correlating with restricted spaces such as a home address or an office
Location Depersonalization
Basic idea: reducing location resolution
Report a cloaking area instead of the actual location
[Figure: users send their location and request to a base station; the anonymity server forwards a cloaked region and the request over the Internet to the LBS server and relays the answer back]
Research issue: each cloaking area must provide a desired level of depersonalization, and be as small as possible
The state of the art
Ensuring each cloaking area contains a certain number of users
A cloaking area with K users provides K-anonymity protection
[Figure: cloaking areas around service users with K = 4, K = 5 and K = 6]
Problem 1
The anonymity server requires frequent location updates from all users
Practicality
Scalability
Users not engaged in LBSs may not be willing to help protect others’ anonymity
Problem 2
In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection
New threats:
1. Location resolution refinement
2. Trace attack
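The first of these threats can be checked mechanically. The following Python is an added example, not code from the slides or from the authors: it models a continuous LBS in which each report is cloaked by a box holding at least K current neighbors (the state-of-the-art scheme above), then intersects the candidate user sets of successive reports, as anyone who sees the whole sequence of reports could, and returns how many users remain. The user ids, coordinates and boxes are constructed for the illustration; a deployment would run the same check on its own cloaking log to measure the anonymity it actually delivers.

```python
from typing import Dict, List, Optional, Set, Tuple

Point = Tuple[float, float]


class Box:
    """Axis-aligned cloaking area reported in place of the exact location."""

    def __init__(self, x1: float, y1: float, x2: float, y2: float) -> None:
        self.x1, self.y1, self.x2, self.y2 = x1, y1, x2, y2

    def contains(self, p: Point) -> bool:
        return self.x1 <= p[0] <= self.x2 and self.y1 <= p[1] <= self.y2


def users_inside(box: Box, positions: Dict[str, Point]) -> Set[str]:
    """Users whose current position falls inside the cloaking box."""
    return {uid for uid, p in positions.items() if box.contains(p)}


def refinement_trace(snapshots: List[Tuple[Box, Dict[str, Point]]], k: int) -> List[int]:
    """Size of the candidate set after each report of one continuous-LBS session.

    Each snapshot pairs the cloaking box reported at that instant with the
    positions of all users at that instant.  Every box is first checked to
    hold at least k users (the per-report K-anonymity rule); the returned
    list shows how the intersection of the candidate sets shrinks over time.
    """
    candidates: Optional[Set[str]] = None
    sizes: List[int] = []
    for box, positions in snapshots:
        inside = users_inside(box, positions)
        if len(inside) < k:
            raise ValueError(f"cloaking box holds {len(inside)} users, fewer than K={k}")
        candidates = inside if candidates is None else candidates & inside
        sizes.append(len(candidates))
    return sizes


def effective_anonymity(snapshots: List[Tuple[Box, Dict[str, Point]]], k: int) -> int:
    """Anonymity actually left at the end of the session (1 means fully identified)."""
    return refinement_trace(snapshots, k)[-1]


# Constructed session, K = 3: three reports by the same pseudonymous user u1.
# Every box holds three users, yet only u1 is in all three boxes.
SESSION = [
    (Box(0, 0, 10, 10),
     {"u1": (2, 2), "u2": (5, 5), "u3": (8, 8), "u4": (1, 9), "u5": (20, 20), "u6": (30, 30)}),
    (Box(8, 8, 18, 18),
     {"u1": (10, 10), "u2": (12, 14), "u3": (2, 2), "u4": (1, 1), "u5": (15, 15), "u6": (30, 30)}),
    (Box(16, 16, 26, 26),
     {"u1": (18, 18), "u2": (5, 5), "u3": (25, 25), "u4": (1, 1), "u5": (40, 40), "u6": (20, 22)}),
]

if __name__ == "__main__":
    print(refinement_trace(SESSION, 3))      # [4, 2, 1]
    print(effective_anonymity(SESSION, 3))   # 1
```

Each box on its own satisfies K = 3, but the candidate set drops from 4 to 2 to 1 across the session, which is exactly the resolution refinement the slide warns about; footprint-based cloaking avoids this because the K people counted for a region need not be present at the same time.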
Problem 3
A cloaking area guarantees service anonymity, but NOT location privacy
An adversary does not know who requests the service, but knows that the requestor was inside the area, and in particular that she was there with some other people
Where you are and whom you are with are closely related to what you are doing …
The root of the problems
All existing techniques cloak a user’s position based on her current neighbors
[Figure: cloaking areas around service users with K = 4, K = 5 and K = 6]
Observation
Public areas are naturally depersonalized
A large number of visits by different people: more footprints, more popular
[Figure: a park and a highway as examples of popular public areas]
Basic Idea
Using footprints for location depersonalization
Each cloaking area contains at least K different footprints
Neighboring users vs. footprints for location privacy protection
An adversary may be able to identify all these users, but will not know who was there at what time
Trajectory database
Source of historical location data
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking
Trajectory indexing for efficient retrieval
Partition the network domain into cells
Maintain a cell table for each cell
[Figure: the network domain partitioned into cells; each cell table points to the trajectories stored as (uid, tlink, c1, c2, …, cn)]
Sporadic LBS
A client reports to the server
p: its current location
K: its desired privacy level
The server computes a circular region containing p and K-1 footprints, each from a different user
The region needs to be as small as possible
[Figure: candidate circles Cmin, Cknn and Cbound around the reported location p]
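As an added illustration of the sporadic case (example code written for this transcript, not the authors' implementation): the server keeps the footprint table and, for a request (p, K), returns the smallest circle centred at p that holds K-1 footprints left by distinct users. Centring the circle at p is this example's simplification; the Cmin, Cknn and Cbound circles in the slide's figure are not defined in the transcript. The `requester` parameter is also an addition, so that a user's own footprints are never counted toward her K-1. The footprint table is constructed, and user "A" deliberately has two footprints near p to show why footprints must be counted per user rather than per row.

```python
import math
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]
Footprint = Tuple[str, float, float]       # (user id, x, y)

# Constructed footprint table.  User "A" left two footprints close to the
# request point, which is exactly the case that must not be double counted.
FOOTPRINTS: List[Footprint] = [
    ("A", 1.0, 0.0), ("A", 0.0, 1.5), ("B", 0.0, 2.0), ("C", 3.0, 0.0), ("D", 0.0, 5.0),
]


def cloak_sporadic(p: Point, k: int, footprints: List[Footprint],
                   requester: Optional[str] = None) -> Tuple[float, List[str]]:
    """Smallest circle centred at p containing K-1 footprints from distinct users.

    Returns (radius, ids of the users whose footprints make up the K-1).
    Footprints of the requesting user, if known, are skipped: counting them
    would let a user "hide" among her own earlier visits.
    """
    if k < 2:
        return 0.0, []                      # K = 1 asks for no depersonalization
    nearest: Dict[str, float] = {}          # per user: distance of the closest footprint
    for uid, x, y in footprints:
        if uid == requester:
            continue
        d = math.hypot(x - p[0], y - p[1])
        if d < nearest.get(uid, math.inf):
            nearest[uid] = d
    ranked = sorted(nearest.items(), key=lambda kv: kv[1])
    if len(ranked) < k - 1:
        raise ValueError(f"only {len(ranked)} distinct users have footprints; K={k} needs {k - 1}")
    chosen = ranked[: k - 1]
    return chosen[-1][1], [uid for uid, _ in chosen]   # radius = farthest chosen footprint


def naive_radius(p: Point, k: int, footprints: List[Footprint]) -> float:
    """Wrong variant for comparison: counts footprint rows, not distinct users."""
    ds = sorted(math.hypot(x - p[0], y - p[1]) for _, x, y in footprints)
    return ds[k - 2]


if __name__ == "__main__":
    print(cloak_sporadic((0.0, 0.0), 3, FOOTPRINTS))   # (2.0, ['A', 'B'])
    print(naive_radius((0.0, 0.0), 3, FOOTPRINTS))     # 1.5: too small, both rows are A's
```

With K = 3 the correct circle has radius 2.0 (users A and B); the row-counting variant stops at 1.5 because it takes A's two footprints as two people, so the resulting region would be visited by only one other person. Raising K monotonically enlarges the circle, and the function fails loudly when the table cannot supply K-1 distinct users instead of returning an under-sized region.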
Continuous LBSs
A client reports
a base trajectory T0 = {c1, c2, …, cn}
the desired anonymity level K
The server computes a K-anonymity trajectory (KAT) T = {B1, B2, …, Bn}
When the user arrives at ci, the server reports Bi to the LBS
[Figure: base trajectory c1, c2, c3, c4; an additive trajectory; and the cloaked regions B1, B2, B3, B4]
K-Anonymity Trajectory (KAT)
Problem: how to find the KAT with the best resolution?
[Figure: K = 3; base trajectory c1…c4, additive trajectories, and cloaking regions B1…B4]
Challenges
Given a database of N trajectories, there are C(N, K-1) sets of trajectories with size K-1
Given a fixed set of additive trajectories, different orders of cloaking result in different KATs
Exhaustive search: expensive
A Heuristic Approach
Cloak T0 with one trajectory
Cloak T0 with a set of K-1 trajectories
Select additive trajectory candidates
Cloaking One Additive Trajectory
Cloaking T0 with additive trajectory Ta
T0 = {c1, c2, …, cn}; Ta = {a1, a2, …, am}, where n ≤ m
T = {B1, B2, …, Bn} is the cloaking result, T = Cloak(T0, Ta)
Goal: minimize T’s resolution
[Figure: base trajectory c1…c4, additive trajectory a1…a8, and the resulting regions B1…B4]
Cloaking with a Set of Additive Trajectories
Different orders of cloaking can have vastly different results
T0+T1+T2 = T0+T2+T1?
[Figure: trajectories T0, T1 and T2]
Approach 1: Linear(T0, S)
1. Sort the trajectories in S based on their distances to T0
2. Cloak with T0 in order of their distance
Cloak(T0, Ta) is called s + K – 1 times
Limit of Linear
K = 3. Linear cloaks T0 with T1 and T2, but cloaking with T1 and T3 has a better result.
[Figure: base trajectory T0 with candidate trajectories T1, T2 and T3]
Quadratic(T0, S)
Once an additive trajectory is cloaked, set the cloaking result as T
For the remaining trajectories, compare the distance to T instead of T0
In the worst case, Cloak(T0, Ta) is called (K-1)(s - K/2 + 1) times
[Figure: T0 with candidates T1, T2 and T3. 1. T1 is closest to T0, so T = Cloak(T0, Ta). 2. T3 is closest to T, so T = Cloak(T, Ta)]
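To make the two heuristics concrete, here is an added Python model written for this transcript; it is not the authors' code, and the matching and distance rules it uses are assumptions. A cloaked trajectory is a list of circles B_i; Cloak(T, Ta) grows each B_i to the smallest circle that also contains the point of Ta nearest to B_i's centre; a candidate's distance to T is taken as the resolution (sum of radii) of Cloak(T, Ta). Linear sorts the s candidates by distance to T0 and cloaks with the first K-1 in that order; Quadratic re-ranks the remaining candidates against the current T after every cloak. Both return the number of Cloak calls, which reproduces the s + K - 1 and (K-1)(s - K/2 + 1) counts quoted above (the quadratic count assumes the winning candidate's cloaking result is reused rather than recomputed). The base and candidate trajectories are constructed so that, as on the slide, Linear picks T1 and T2 while Quadratic finds the better pair T1 and T3.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]
Circle = Tuple[float, float, float]        # (cx, cy, radius)
Trajectory = List[Point]
Cloaked = List[Circle]


def _dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def enclose(circle: Circle, pt: Point) -> Circle:
    """Smallest circle that contains both `circle` and the point `pt`."""
    cx, cy, r = circle
    d = _dist((cx, cy), pt)
    if d <= r + 1e-9:                       # already inside: nothing grows
        return circle
    new_r = (d + r) / 2.0
    shift = (d - r) / 2.0                    # the centre moves this far toward pt
    return (cx + (pt[0] - cx) / d * shift, cy + (pt[1] - cy) / d * shift, new_r)


def cloak(t: Cloaked, ta: Trajectory) -> Cloaked:
    """Cloak(T, Ta): grow every B_i so that it also covers the point of Ta nearest
    to B_i's centre.  Nearest-point matching is an assumption of this example;
    the slides do not state how c_i is paired with a_j."""
    return [enclose(b, min(ta, key=lambda p: _dist((b[0], b[1]), p))) for b in t]


def resolution(t: Cloaked) -> float:
    """Sum of the radii: smaller means finer resolution."""
    return sum(b[2] for b in t)


def base_circles(t0: Trajectory) -> Cloaked:
    return [(x, y, 0.0) for x, y in t0]


def linear(t0: Trajectory, cands: List[Trajectory], k: int):
    """Linear(T0, S): rank candidates by distance to T0, cloak with the first K-1."""
    calls = 0
    base = base_circles(t0)
    scored = []
    for ta in cands:
        scored.append((resolution(cloak(base, ta)), ta))
        calls += 1
    scored.sort(key=lambda s: s[0])
    t, chosen = base, []
    for _, ta in scored[: k - 1]:
        t = cloak(t, ta)                     # order fixed by the initial ranking
        calls += 1
        chosen.append(ta)
    return t, chosen, calls


def quadratic(t0: Trajectory, cands: List[Trajectory], k: int):
    """Quadratic(T0, S): after each cloak, re-rank the rest against the current T."""
    calls = 0
    t, chosen, remaining = base_circles(t0), [], list(cands)
    for _ in range(k - 1):
        best_idx, best_t = -1, None
        for i, ta in enumerate(remaining):
            cand = cloak(t, ta)
            calls += 1
            if best_t is None or resolution(cand) < resolution(best_t):
                best_idx, best_t = i, cand
        t = best_t                           # reuse the winner's result: no extra call
        chosen.append(remaining.pop(best_idx))
    return t, chosen, calls


def is_kat(t: Cloaked, t0: Trajectory, chosen: List[Trajectory]) -> bool:
    """Every B_i must contain c_i and a point of each chosen additive trajectory."""
    for (cx, cy, r), c in zip(t, t0):
        if _dist((cx, cy), c) > r + 1e-9:
            return False
        if any(all(_dist((cx, cy), p) > r + 1e-9 for p in ta) for ta in chosen):
            return False
    return True


# Constructed data: the base trajectory runs along y = 0; candidates run parallel to it.
BASE: Trajectory = [(0, 0), (10, 0), (20, 0)]
CANDIDATES: List[Trajectory] = [
    [(0, 2), (10, 2), (20, 2)],                 # T1: closest to T0
    [(0, -2.2), (10, -2.2), (20, -2.2)],        # T2: next closest, but on the other side
    [(0, 3), (10, 3), (20, 3), (30, 3)],        # T3: same side as T1, one extra point (m > n)
    [(0, 6), (10, 6), (20, 6)],                 # T4
    [(0, -8), (10, -8), (20, -8)],              # T5
]

if __name__ == "__main__":
    for name, fn in (("Linear", linear), ("Quadratic", quadratic)):
        t, chosen, calls = fn(BASE, CANDIDATES, 3)
        print(name, "resolution", round(resolution(t), 3), "Cloak calls", calls,
              "valid KAT", is_kat(t, BASE, chosen))
```

With s = 5 and K = 3, Linear makes 7 Cloak calls and ends with total radius 6.3 (T1 on one side of T0, T2 on the other), while Quadratic makes 9 calls and ends with 4.5 (T1 then T3, both on the same side). `is_kat` is the check a server should run before reporting any B_i: each region must contain the user's own point and a point from every additive trajectory, otherwise the promised K is not met.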
Select Additive Trajectory Candidates
Only those trajectories close to the base trajectory should be considered
Searching algorithm
[Figure: search region around the base trajectory T0]
Performance Study
Simulate mobile node movement on a real road map
Extract four types of roads
Speed changes at intersections
Generate a footprint database containing a certain number of trajectories with randomly assigned user IDs
Experiments
Performance metric: cloaking range, the average radius of the cloaking circles
Single location cloaking: neighboring nodes vs. footprints
Trajectory cloaking: Linear, Quadratic, and Baseline
Baseline: cloaking using neighboring mobile users
Trajectory Cloaking
Generate a set of LBS requests, each containing
A user ID
The start and destination, randomly selected in the map
The fastest path as the user’s expected route; select a location sample every 100 meters along the route
Required degree of privacy protection
Effect of Anonymity Level
(a) shows the cloaking range of different algorithms: the cloaking range increases as K increases
(b) shows the cloaking range on different roads: popular roads have a large number of footprints, while unpopular roads are sensitive to the change of K
Concluding Remarks
We explore historical location data for location depersonalization
Each reported location/trajectory has been visited by at least K different people
We develop a suite of novel location cloaking algorithms for sporadic LBSs and continuous LBSs
Up to date, this is the only solution that can support location privacy protection
Thanks and Some Key References
1. M. Gruteser and D. Grunwald. “Anonymous Usage of Location-based Services through Spatial and Temporal Cloaking”, ACM MobiSys'03.
2. B. Gedik and L. Liu, “A Customizable k-Anonymity Model for Protecting Location Privacy”, IEEE ICDCS'05.
3. M. F. Mokbel, C. Y. Chow, and W. G. Aref. “The New Casper: Query Processing for Location Services without Compromising Privacy”, VLDB’06.
4. T. Xu and Y. Cai. “Exploring Historical Location Data for Anonymity Preservation in Location-based Services”. IEEE Infocom'08.
Future Work
Additive trajectory selection
Similar moving speeds
Similar time spans
On-the-fly cloaking: users do not have to submit a base trajectory before a travel
[Figure label: 7am - 5pm]