MaskIt: Privately Releasing User Context Streams for Personalized Mobile Applications
SIGMOD '12 Proceedings of the 2012 ACM SIGMOD International Conference on Management of Data
Background
Not just location.
More sensors mean more private information can be detected.
Background
A user's current context is correlated with earlier contexts.
Some contexts are not sensitive.
Solution
System Model
x1, x2, …, xt → MaskIt → o1, o2, …, ot
To compute ot, MASKIT employs a check deciding whether to release or suppress the current context.
Solution
Propose MASKIT: a system that decides whether to release or suppress the current state of the user.
Probabilistic check: flips a coin for each context, with the coin chosen suitably to guarantee privacy.
Simulatable check: makes the decision based only on the contexts released so far and completely ignores the current context.
Explain how to select the better check.
Problem Statement
Utility goal: release as many states as possible while satisfying the privacy goal.
The MASKIT System
Problem
What is privacy?
To preserve privacy: when should a context be suppressed? Which context should be suppressed?
How to ensure utility?
Privacy
Privacy DEFINITION 1: We say that a system A preserves -
privacy against an adversary if for all possible inputs sampled from the Markov chain M with non-zero probability, for all possible outputs , for all times t and all sensitive contexts
Utility
Measure utility as the expected number of released contexts:
for state ci at time t’ a suppression probability
Probabilistic Privacy Check
Prior belief:
suppression probability p_i^t at time t for state ci; the prior belief is 1 - p_i^t
Posterior belief:
HMM
Forward procedure
Backward procedure
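The adversary's posterior belief computed with the forward and backward procedures, as an added example that is not from the slides or the paper's code. It assumes a time-homogeneous chain with an initial distribution in place of the start state, writes a suppressed output as None, and assumes the privacy condition bounds posterior minus prior, which it reports for one observed output sequence; all states, matrices and probabilities are constructed.

```python
# Added example: adversary inference over a partly suppressed context stream.
# All names and numbers are constructed; None marks a suppressed context.

def emit(p_t, i, o):
    """Pr[output o | state i], given suppression probabilities p_t."""
    if o is None:
        return p_t[i]
    return 1.0 - p_t[i] if o == i else 0.0

def prior(pi, A, t):
    """Marginal Pr[X_t = i] before seeing any output."""
    v = list(pi)
    for _ in range(t):
        v = [sum(v[j] * A[j][i] for j in range(len(v))) for i in range(len(v))]
    return v

def posterior(pi, A, p, outputs, t):
    """Pr[X_t = i | outputs] via the forward and backward procedures."""
    n, T = len(pi), len(outputs)
    alpha = [pi[i] * emit(p[0], i, outputs[0]) for i in range(n)]
    for k in range(1, t + 1):          # forward: Pr[o_0..o_k, X_k = i]
        alpha = [sum(alpha[j] * A[j][i] for j in range(n))
                 * emit(p[k], i, outputs[k]) for i in range(n)]
    beta = [1.0] * n
    for k in range(T - 1, t, -1):      # backward: Pr[o_k..o_{T-1} | X_{k-1} = i]
        beta = [sum(A[i][j] * emit(p[k], j, outputs[k]) * beta[j]
                    for j in range(n)) for i in range(n)]
    joint = [alpha[i] * beta[i] for i in range(n)]
    z = sum(joint)
    if z == 0:
        raise ValueError("output sequence has zero probability under the model")
    return [x / z for x in joint]

def max_gain(pi, A, p, outputs, sensitive):
    """Largest posterior - prior over all times and sensitive states."""
    return max(posterior(pi, A, p, outputs, t)[s] - prior(pi, A, t)[s]
               for t in range(len(outputs)) for s in sensitive)

HOME, CLINIC, WORK = 0, 1, 2            # CLINIC is the sensitive context
PI = [1.0, 0.0, 0.0]                    # the day starts at home
A = [[0.5, 0.1, 0.4], [0.0, 0.0, 1.0], [0.0, 0.0, 1.0]]
OUT = [HOME, None, WORK]                # what the adversary observes
MASK_SENSITIVE = [[0.0, 1.0, 0.0]] * 3  # suppress only the sensitive context
RANDOMIZED = [[0.5, 1.0, 0.5]] * 3      # also suppress other contexts half the time

if __name__ == "__main__":
    print(max_gain(PI, A, MASK_SENSITIVE, OUT, [CLINIC]))
    print(max_gain(PI, A, RANDOMIZED, OUT, [CLINIC]))
```

Suppressing only the sensitive context makes the suppression itself reveal the clinic visit, while also suppressing non-sensitive contexts with some probability keeps the adversary's gain small.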
Probabilistic Privacy Check
Utility: for vectors passing the check we can compute their utility; return the one with the maximum utility.
Efficiency: use algorithms to speed up IsPrivate and SearchAlgorithm.
Simulatable Privacy Check
Based only on information available to the adversary:
The Markov chain M
Output sequence
Posterior belief
t1: last time before or at t at which a context was released
t2: earliest time after t at which a context was released
t2: end state if t2 does not exist
Simulatable Privacy Check
Privacy :
Simulatable Privacy Check
Utility: The simulatable check is locally optimal in the sense that if the next state is published despite the indication of the privacy check to suppress it (improving the utility) then there is a chance that future states will inevitably breach privacy.
Efficiency: speeding up okayToRelease
Comparative Analysis
Weakness of the simulatable check: It makes the suppression decision without looking at the current state.
Weakness of the probabilistic check: Its decision ignores the previously released states.
Comparative Analysis
Hybrid Privacy Check:
Probabilistic check
Simulatable check
Using supp_i(t) we can compute recursively the expected number of suppressions following the release of Xt = ci
utilitySimulatable(M) = T - expected number
Limited Background Knowledge
Weak adversary:
Knowing the frequency of sensitive contexts
Knowing a set-labeled chain
Experiment
Continuous data on daily activities of 100 students and staff at MIT.
For each user, we train a Markov chain on the first half of his trace; the remaining half is used for evaluation.
This paper uses only location data.
Experiment
Efficiency
Experiments
Compare MASKIT using:
The simulatable check
The probabilistic check (with a granularity of d = 10)
The hybrid check
with the naive approach, called MaskSensitive
Thank you!
Problem Statement
User Model
The user behaves like a sample from a Markov chain M.
The states in M are labeled with contexts {c1,…,cn}
Each day, the user starts at the “start” state in M and ends T steps later in the “end” state
X1,… ,XT : random variables generated from M, each taking on the value of some context ci
The independence property of Markov chains states that
Problem Statement
Adversary Model
Strong adversary: knows the Markov chain M of a user.
Weak adversary: has less knowledge about M, but can learn more about M over time.
Adversaries can access the full output sequence generated by a general suppression system A, and we assume the adversaries also know A.
Adversaries have a prior belief about the user being in context ci at time t.
Problem Statement
Preliminaries: Markov chains
Markovian process with transition matrices A(1),…, A(T+1):
PROPOSITION 1: The prior belief of an adversary about the user being in a sensitive context s at time t is equal to
The joint probability of a sequence of states is:
The probability of transitioning from state ci at time t1 to state cj at time t2
ei is the unit vector that is 1 at position i and 0 otherwise
Problem Statement
Preliminaries: Hidden Markov Models
Hidden Markov models help us understand how adversaries make inferences about suppressed states.
Each state has a distribution over possible outputs from a set K = {k1,…,km}.
Define emission matrices B(t) as:
For a given output sequence, we compute the conditional probability that at time t the hidden state was ci:
Problem Statement
Preliminaries: Hidden Markov Models
Use the forward procedure and the backward procedure to compute this ratio efficiently:
Initialize
Initialize , put everything together: