Quality Aware Privacy Protection for Location-based Services
Zhen Xiao, Xiaofeng Meng (Renmin University of China)
Jianliang Xu (Hong Kong Baptist University)
Presented by Xiao Pan
Outline
– Motivation
– Contributions
– Location K-Anonymity Model
– Cloaking Algorithm
– Improvement with Dummy
– Experiments
– Related Works
– Conclusions
Motivation: Privacy in LBS
[Figure: a mobile user sends a request carrying a unique identifier and location information to the LBS Provider, e.g. "Where is my nearest hotel?" or "Where is my way to The Emporium?"]
Privacy Requirements
– Location anonymity – Sensitive location: clinic, nightclub
– Identifier anonymity – Sensitive message: political, financial
Privacy & QoS Trade-Off
k-anonymity model
[Figure: requests r1, r2, r3, r4; the location point l(x,y) of one request is expanded into a cloaking region L]
– L contains at least k-1 other users
– l(x,y) is covered by at least k-1 other requests
Contribution
– New quality-aware anonymity model: protect location privacy and satisfy QoS requirements
– Directed-graph based cloaking algorithm: maximize the cloaking success rate with QoS guaranteed
– Improvement: use dummy locations to achieve a 100% cloaking success rate
System Model
[Figure: Mobile Clients send the original request to a Trusted Anonymizing Proxy, which forwards the anonymized request to the Location-based Service Providers]
Anonymizing: expand the exact location point into a cloaking region
Request formats
Original Request r = (id, l, t, k, data, maximum cloaking latency, maximum cloaking region), with location l = (x, y)
– Identifier
– Current location
– Quality of service
  • Maximum cloaking latency
  • Maximum cloaking region
– Location privacy
  • Minimum anonymity level
– Service related content
– Current time
Anonymized Request r' = (id', L, data)
– Pseudonym
– Cloaking region
– Service related content
Location K-Anonymity Model
Given requests $r_1, r_2, \ldots, r_n$, a request $r_i$ with location $r_i.l$ and cloaking region $r_i.L$ satisfies location k-anonymity if and only if
• its cloaking region covers the locations of at least k-1 other requests (location anonymity set):
  $|\{\, r_j \mid r_j.l \in r_i.L,\ 1 \le j \le n,\ j \ne i \,\}| \ge k-1$
• its location is covered by the cloaking regions of at least k-1 other requests (identifier anonymity set):
  $|\{\, r_j \mid r_i.l \in r_j.L,\ 1 \le j \le n,\ j \ne i \,\}| \ge k-1$
Quality Aware Location K-anonymity Model
Location Privacy – expand the user location into a cloaking region such that the location k-anonymity model is satisfied.
Temporal QoS – the request must be anonymized before the pre-defined maximum cloaking delay.
Spatial QoS – the cloaking region size should not exceed a threshold.
Cloaking Algorithm
Directed graph – find the location anonymity set and the identifier anonymity set that satisfy the location k-anonymity model through the neighbor relationships of the request nodes.
Spatial index – use window queries to facilitate construction and maintenance of the neighbor relationships in the graph.
Min-heap – order the requests by their cloaking deadlines and detect the expiration of requests.

Directed Graph G(V, E)
– V: set of nodes (requests)
– E: set of edges
  • edge $e_{ij} = (r_i, r_j) \in E$ iff $|r_i r_j| <$ the maximum cloaking region of $r_i$
  • edge $e_{ji} = (r_j, r_i) \in E$ iff $|r_i r_j| <$ the maximum cloaking region of $r_j$
– $r_i$ can be anonymized immediately if there are at least k-1 other forwarded requests in $U_{out}$ and k-1 other forwarded requests in $U_{in}$
[Figure: requests r1, r2, r3, r4 and the directed edges among them]
Location anonymity set of r1: $U_{out} = \{r_2, r_3, r_4\}$ (outgoing neighbors)
Identifier anonymity set of r1: $U_{in} = \{r_3, r_4\}$ (incoming neighbors)
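The following is an added example, not code from the slides or their authors; it puts the directed-graph rule and the k-anonymity definition above side by side. It assumes that the per-request spatial QoS bound is a Euclidean distance threshold (the slides leave its form open), that a request's cloaking region L is the minimum bounding rectangle (MBR) of the request and its outgoing neighbours, and that the sample requests (constructed here, shaped like the slide figure: r1 sees r2, r3, r4 but is seen only by r3 and r4) are hypothetical. `can_anonymize` is the online rule (forwarded neighbours in both sets), while `satisfies_model` re-checks the static definition on the resulting regions.

```python
"""Directed-graph construction and location k-anonymity check (added example)."""
from dataclasses import dataclass
import math


@dataclass
class Request:
    rid: str
    x: float
    y: float
    k: int               # minimum anonymity level k
    max_region: float    # spatial QoS bound, modelled as a distance threshold (assumption)
    forwarded: bool = False  # already anonymized and sent to the LBS provider?


def dist(a, b):
    return math.hypot(a.x - b.x, a.y - b.y)


def build_graph(requests):
    """Return (U_out, U_in) dicts keyed by request id.
    Edge e_ij = (r_i, r_j) is in E iff |r_i r_j| < r_i.max_region, so r_j is an
    outgoing neighbour of r_i and r_i an incoming neighbour of r_j."""
    u_out = {r.rid: set() for r in requests}
    u_in = {r.rid: set() for r in requests}
    for ri in requests:
        for rj in requests:
            if ri is not rj and dist(ri, rj) < ri.max_region:
                u_out[ri.rid].add(rj.rid)
                u_in[rj.rid].add(ri.rid)
    return u_out, u_in


def can_anonymize(r, u_out, u_in, by_id):
    """Slide rule: at least k-1 forwarded requests in both U_out and U_in."""
    out_fwd = sum(1 for j in u_out[r.rid] if by_id[j].forwarded)
    in_fwd = sum(1 for j in u_in[r.rid] if by_id[j].forwarded)
    return out_fwd >= r.k - 1 and in_fwd >= r.k - 1


def mbr(points):
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def cloaking_region(r, u_out, by_id):
    """Assumption: the cloaking region L is the MBR of r and its U_out neighbours."""
    pts = [(r.x, r.y)] + [(by_id[j].x, by_id[j].y) for j in u_out[r.rid]]
    return mbr(pts)


def covers(region, req):
    x1, y1, x2, y2 = region
    return x1 <= req.x <= x2 and y1 <= req.y <= y2


def anonymity_counts(r, regions, requests):
    """The two cardinalities of the model: |{r_j : r_j.l in r_i.L}| (location
    anonymity set) and |{r_j : r_i.l in r_j.L}| (identifier anonymity set), j != i."""
    others = [s for s in requests if s is not r]
    loc = sum(1 for s in others if covers(regions[r.rid], s))
    ident = sum(1 for s in others if covers(regions[s.rid], r))
    return loc, ident


def satisfies_model(r, regions, requests):
    loc, ident = anonymity_counts(r, regions, requests)
    return loc >= r.k - 1 and ident >= r.k - 1


# Constructed sample: four nearby requests (as in the slide figure) and one isolated one.
SAMPLE = [
    Request("r1", 0, 0, k=3, max_region=5),
    Request("r2", 3, 0, k=3, max_region=2, forwarded=True),
    Request("r3", 0, 3, k=3, max_region=4, forwarded=True),
    Request("r4", 2, 2, k=3, max_region=3, forwarded=True),
    Request("r5", 10, 10, k=3, max_region=1, forwarded=True),
]


def demo(requests=SAMPLE):
    """Build the graph, derive regions and evaluate both rules for every request."""
    by_id = {r.rid: r for r in requests}
    u_out, u_in = build_graph(requests)
    regions = {r.rid: cloaking_region(r, u_out, by_id) for r in requests}
    return {
        r.rid: {
            "U_out": sorted(u_out[r.rid]),
            "U_in": sorted(u_in[r.rid]),
            "ready": can_anonymize(r, u_out, u_in, by_id),
            "region": regions[r.rid],
            "model_ok": satisfies_model(r, regions, requests),
        }
        for r in requests
    }


if __name__ == "__main__":
    for rid, info in demo().items():
        print(rid, info)
```

In the sample, r1 has U_out = {r2, r3, r4} and U_in = {r3, r4}, so with k = 3 it can be cloaked immediately and its region [0,3]x[0,3] satisfies both set conditions; r2, whose spatial bound reaches no other request, fails both rules, and r3 passes the static model check but is not yet "ready" because its out-neighbour r1 has not been forwarded.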
Cloaking Algorithm: Maintenance
[Figure: an original request r = (id, l, t, k, data, maximum cloaking latency, maximum cloaking region), with l = (x, y), arrives at the Anonymizing Proxy and is inserted into the Spatial Index (by location), the Min Heap (by cloaking deadline) and the Directed Graph (by id); a range query on the Spatial Index returns the neighbors that form the Location Anonymity Set r.Uout and the Identifier Anonymity Set r.Uin]
Cloaking Algorithm: Cloaking
[Figure: flowchart]
– Get the top request r from the Min Heap
– Enough forwarded neighbors in Uout and Uin?
  • Yes: anonymize r and remove r from the Directed Graph, the Spatial Index and the Min Heap
  • No: delay it until all its neighbors have been forwarded
Improvement with Dummy
– Guarantee a 100% success rate
– Only need to maintain the in-degree and out-degree of each node r
– Cloaking region of each dummy request d is a random spatial region between MBR(r, d) and MBR(r.Uout)
  • Both in-degree neighbors and out-degree neighbors: high privacy level
  • Satisfy the spatial QoS requirement of r
  • Indistinguishable from actual requests
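The dummy padding described above, as an added example that is not part of the slides or the authors' implementation. Assumptions beyond the slide text: r's spatial bound is a distance threshold, a dummy d is placed uniformly inside that bound (so |r d| is below the threshold and d becomes an out-neighbour), and d's own cloaking region is drawn with each edge interpolated independently between MBR(r, d) and MBR(r.Uout) taken after d joins r.Uout, so that it covers r.l and d also becomes an in-neighbour. The request, its existing neighbours and the seed are constructed for the example.

```python
"""Padding a request with dummies until in-degree and out-degree reach k-1 (added example)."""
import math
import random
from dataclasses import dataclass


@dataclass
class Request:
    rid: str
    x: float
    y: float
    k: int             # minimum anonymity level k
    max_region: float  # spatial QoS bound, modelled as a distance threshold (assumption)


def mbr(points):
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def covers(region, x, y):
    x1, y1, x2, y2 = region
    return x1 <= x <= x2 and y1 <= y <= y2


def random_point_within(r, rng):
    """Uniform point strictly inside the disc of radius r.max_region around r."""
    ang = rng.uniform(0, 2 * math.pi)
    rad = r.max_region * math.sqrt(rng.random()) * 0.999  # keep strictly inside
    return (r.x + rad * math.cos(ang), r.y + rad * math.sin(ang))


def random_region_between(inner, outer, rng):
    """Rectangle that contains `inner` and lies inside `outer`:
    each of the four edges is drawn between the two bounds."""
    ix1, iy1, ix2, iy2 = inner
    ox1, oy1, ox2, oy2 = outer
    return (rng.uniform(ox1, ix1), rng.uniform(oy1, iy1),
            rng.uniform(ix2, ox2), rng.uniform(iy2, oy2))


def pad_with_dummies(r, out_pts, in_count, seed=0):
    """Add dummies until both degrees of r reach k-1.
    out_pts: locations of r's current out-neighbours (r.Uout);
    in_count: r's current in-degree. Returns [(dummy_location, dummy_region), ...]."""
    rng = random.Random(seed)
    dummies = []
    out_deg, in_deg = len(out_pts), in_count
    pts = [(r.x, r.y)] + list(out_pts)      # points spanning MBR(r.Uout)
    while out_deg < r.k - 1 or in_deg < r.k - 1:
        d = random_point_within(r, rng)      # |r d| < r.max_region -> d in r.Uout
        pts.append(d)
        inner = mbr([(r.x, r.y), d])         # MBR(r, d)
        outer = mbr(pts)                     # MBR(r.Uout) with d included
        region = random_region_between(inner, outer, rng)  # covers r.l -> d in r.Uin
        dummies.append((d, region))
        out_deg += 1
        in_deg += 1
    return dummies


def verify(r, dummies):
    """Each dummy lies inside r's spatial bound and its region covers r.l."""
    return all(
        math.hypot(d[0] - r.x, d[1] - r.y) < r.max_region and covers(reg, r.x, r.y)
        for d, reg in dummies
    )


def dummy_portion(num_dummies, num_true):
    """Slide metric: portion = dummy / (dummy + true)."""
    return num_dummies / (num_dummies + num_true)


# Constructed sample: k = 4, one real out-neighbour, no in-neighbours.
SAMPLE_REQUEST = Request("r", 5.0, 5.0, k=4, max_region=2.0)
SAMPLE_OUT = [(6.0, 5.0)]


def demo():
    ds = pad_with_dummies(SAMPLE_REQUEST, SAMPLE_OUT, in_count=0, seed=7)
    return ds, verify(SAMPLE_REQUEST, ds)


if __name__ == "__main__":
    ds, ok = demo()
    print(len(ds), "dummies added, consistent:", ok)
    for d, reg in ds:
        print("dummy at", d, "region", reg)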
Experimental Settings
Brinkhoff Network-based Generator of Moving Objects
– Input: road map of Oldenburg County
– Output: 20K moving objects with the location range [0-200]
– Minimum update interval = 20K
– The identifier, the location information (x, y)
– k = 2-5
– = 2-10
– = 1000-3000, = 10
• CliqueCloak vs. No Dummy vs. Dummy
– The success rate with different requirements
– The relative anonymity level
– Cost of dummy
Cloaking Success Rate, varying k
[Figure: success rate (0-1) vs. k (overall, 2, 3, 4, 5); series: CliqueCloak, Proposed (No Dummy)]
Relative Anonymity Level
[Figure: relative k level (0-10) vs. k (2, 3, 4, 5); series: CliqueCloak, Proposed (No Dummy), Proposed (Dummy)]
Our method (no dummy) has a 5-25% higher success rate. Larger k, lower success rate. Our method (no dummy) is more robust.
Relative location anonymity level = k' / k. Our method (no dummy) supports larger k values.
Cloaking Success Rate, varying maximum cloaking latency
[Figure: success rate (0-1) vs. maximum cloaking latency (0.05-0.1%, 0.05-0.15%, 0.05-0.2%, 0.05-0.25%); series: CliqueCloak, Proposed (No Dummy)]
Maximum cloaking region = [0.015-0.05]% of the space; maximum cloaking latency = [0.05-0.25]% of the update interval.
Cloaking Success Rate, varying maximum cloaking region size
[Figure: success rate (0-1) vs. maximum cloaking region size (0.015-0.02%, 0.025-0.03%, 0.035-0.04%, 0.045-0.05%); series: CliqueCloak, Proposed (No Dummy)]
Our method (no dummy) has a higher success rate. Larger maximum cloaking latency or region size, more flexibility, higher success rate.
Dummy Cost & Cloaking Efficiency
[Figure: portion of dummies (0-1) vs. k (overall, 2, 3, 4, 5)]
[Figure: average cloaking time (millisec, 0-1.8) vs. k (2, 3, 4, 5); series: CliqueCloak, Proposed (No Dummy), Proposed (Dummy)]
Portion = dummy / (dummy + true). Larger k, more dummies. Average 10%, acceptable.
Our method (no dummy) has a much shorter cloaking time. Larger k, longer time.
Related Works
Quad-tree based Cloaking Algorithm
– Recursively subdivides the entire space into quadrants, until the quadrant includes the user and other k-1 users
– M. Gruteser and D. Grunwald. Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking. MobiSys, 2003.
Clique-Cloak Algorithm
– Personalized privacy requirements: k, spatial and temporal tolerance values
– An undirected graph is constructed to search for a clique that includes the user's message and other k-1 messages
– B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model. ICDCS, 2005.
Casper
– Grid-based cloaking algorithm
– Privacy-aware query processor
– M. F. Mokbel, C. Chow and W. G. Aref. The New Casper: Query Processing for Location Services without Compromising Privacy. VLDB, 2006.
Conclusions
Problem: quality-aware privacy protection in LBS; classify location anonymity and identifier anonymity
Solution
– New Quality-Aware K-Anonymity Model
– Efficient directed-graph based cloaking algorithm
– An option of using dummy requests
Experimental evaluation
– Various privacy and QoS requirements
– Efficient
Thank you