Location Privacy in Mobile Systems: A Personalized
Quality Aware Privacy Protection for Location-based Services
Zhen Xiao, Xiaofeng Meng
Renmin University of China
Jianliang Xu
Hong Kong Baptist University
Presented by
Xiao Pan
Outline
Motivation
Contributions
Location K-Anonymity Model
Cloaking Algorithm
Improvement with Dummy
Experiments
Related Works
Conclusions
Motivation: Privacy in LBS
[Figure: two mobile users send requests to an LBS Provider ("Where is my nearest hotel?", "Where is my way to The Emporium?"); each request carries a unique identifier and location information]
Privacy & QoS Trade-Off
Privacy Requirements
Location anonymity
– Sensitive location: clinic, nightclub
– The cloaking region L contains at least k-1 other users
Identifier anonymity
– Sensitive message: political, financial
– The location point l(x,y) is covered by at least k-1 other requests
[Figure: k-anonymity model; the location point l(x,y) of a request lies inside its cloaking region L together with other requests r1, r2, r3, r4]
Contribution
New quality-aware anonymity model
– Protect location privacy
– Satisfy QoS requirements
Directed-graph based cloaking algorithm
– Maximize cloaking success rate with QoS guaranteed
Improvement
– Use dummy locations to achieve a 100% cloaking success rate
System Model
[Figure: Mobile Clients send the original request to a Trusted Anonymizing Proxy, which expands the exact location point into a cloaking region and forwards the anonymized request to the Location-based Service Providers]
Request formats
Original request r(id, l, t, k, , data, t)
– Identifier id
– Current location l(x, y)
– Quality of service
  • Maximum cloaking latency
  • Maximum cloaking region
– Location privacy
  • Minimum anonymity level k
– Service related content data
– Current time t
Anonymized request r'(id', L, data)
– Pseudonym id'
– Cloaking region L
– Service related content data
Location K-Anonymity Model
Given the requests r1, r2, ..., rn with their cloaking regions, the location k-anonymity model holds for a request ri if and only if
• its cloaking region L covers the locations of at least k-1 other requests (location anonymity set):
  $|\{\, j \mid r_j.l \in r_i.L,\ 1 \le j \le n,\ j \ne i \,\}| \ge k-1$
• its location l is covered by the cloaking regions of at least k-1 other requests (identifier anonymity set):
  $|\{\, j \mid r_i.l \in r_j.L,\ 1 \le j \le n,\ j \ne i \,\}| \ge k-1$
Quality Aware Location K-anonymity Model
Location privacy
– Expand the user location into a cloaking region such that the location k-anonymity model is satisfied.
Temporal QoS
– The request must be anonymized before its predefined maximum cloaking delay.
Spatial QoS
– The cloaking region size must not exceed the request's maximum cloaking region threshold.
Cloaking Algorithm
Directed graph
– Find the location anonymity set and the identifier anonymity set that satisfy the location k-anonymity model through the neighbor relationships of request nodes.
Spatial index
– Use window queries to facilitate construction and maintenance of the neighbor relationships in the graph.
Min-heap
– Order the requests by their cloaking deadlines and detect the expiration of requests.
Directed Graph
G = (V, E): directed graph
– V: set of nodes (requests)
– E: set of edges
– edge eij = (ri, rj) ∈ E iff the distance |ri rj| is less than ri's maximum cloaking region
– edge eji = (rj, ri) ∈ E iff the distance |ri rj| is less than rj's maximum cloaking region
– ri can be anonymized immediately if there are at least k-1 other forwarded requests in Uout and k-1 other forwarded requests in Uin
Location anonymity set Uout: the outgoing neighbors, e.g. Uout = {r2, r3, r4}
Identifier anonymity set Uin: the incoming neighbors, e.g. Uin = {r3, r4}
[Figure: example graph over requests r1, r2, r3, r4 illustrating the two sets]
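The model and the graph above, as an added example that is not code from the slides or the authors. It builds the directed graph from a constructed batch of requests, derives Uout and Uin, applies the readiness rule (k-1 forwarded requests in both sets) and then checks both conditions of the location k-anonymity model on the resulting cloaking regions. Two modelling choices are assumptions: the maximum cloaking region is represented as a maximum distance from the request, and a forwarded request's region is the MBR of itself and its k-1 nearest forwarded out-neighbors; the `Request` class and all coordinates are constructed for the example.

```python
# Added example (not the slides' or the authors' code): location k-anonymity
# model plus the directed neighbourhood graph of the cloaking algorithm.
# Assumptions: "maximum cloaking region" modelled as a maximum distance from
# the request; a forwarded request's cloaking region is the MBR of itself and
# its k-1 nearest forwarded out-neighbours. All sample data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import math

Box = Tuple[float, float, float, float]  # (xmin, ymin, xmax, ymax)


@dataclass
class Request:
    rid: str
    x: float
    y: float
    k: int                        # minimum anonymity level
    max_dist: float               # spatial QoS: maximum cloaking region, as a radius
    region: Optional[Box] = None  # cloaking region L, set once the request is forwarded

    @property
    def forwarded(self) -> bool:
        return self.region is not None


def distance(a: Request, b: Request) -> float:
    return math.hypot(a.x - b.x, a.y - b.y)


def mbr(reqs: List[Request]) -> Box:
    """Minimum bounding rectangle of a set of request locations."""
    return (min(r.x for r in reqs), min(r.y for r in reqs),
            max(r.x for r in reqs), max(r.y for r in reqs))


def covers(box: Box, r: Request) -> bool:
    return box[0] <= r.x <= box[2] and box[1] <= r.y <= box[3]


def build_graph(reqs: List[Request]) -> Dict[str, Set[str]]:
    """Edge (ri, rj) exists iff rj lies within ri's maximum cloaking region."""
    edges: Dict[str, Set[str]] = {r.rid: set() for r in reqs}
    for ri in reqs:
        for rj in reqs:
            if ri is not rj and distance(ri, rj) < ri.max_dist:
                edges[ri.rid].add(rj.rid)
    return edges


def u_out(edges: Dict[str, Set[str]], rid: str) -> Set[str]:
    """Location anonymity set: outgoing neighbours of rid."""
    return set(edges[rid])


def u_in(edges: Dict[str, Set[str]], rid: str) -> Set[str]:
    """Identifier anonymity set: incoming neighbours of rid."""
    return {src for src, dsts in edges.items() if rid in dsts}


def can_cloak(edges: Dict[str, Set[str]], by_id: Dict[str, Request], rid: str) -> bool:
    """Readiness rule: at least k-1 forwarded requests in both Uout and Uin."""
    r = by_id[rid]
    fwd_out = [j for j in u_out(edges, rid) if by_id[j].forwarded]
    fwd_in = [j for j in u_in(edges, rid) if by_id[j].forwarded]
    return len(fwd_out) >= r.k - 1 and len(fwd_in) >= r.k - 1


def cloak(edges: Dict[str, Set[str]], by_id: Dict[str, Request], rid: str) -> Box:
    """Assumed region construction: MBR of r and its k-1 nearest forwarded
    out-neighbours. Each neighbour is within max_dist, so the region is at most
    2*max_dist wide, which is how this model keeps the spatial QoS bound."""
    r = by_id[rid]
    cands = sorted((by_id[j] for j in u_out(edges, rid) if by_id[j].forwarded),
                   key=lambda o: distance(r, o))
    r.region = mbr([r] + cands[: r.k - 1])
    return r.region


def satisfies_model(reqs: List[Request]) -> Dict[str, bool]:
    """Both model conditions for every forwarded request:
    |{j : rj.l in ri.L}| >= k-1  and  |{j : ri.l in rj.L}| >= k-1."""
    result: Dict[str, bool] = {}
    for ri in reqs:
        if not ri.forwarded:
            continue
        loc_set = [rj for rj in reqs if rj is not ri and covers(ri.region, rj)]
        id_set = [rj for rj in reqs if rj is not ri and rj.forwarded and covers(rj.region, ri)]
        result[ri.rid] = len(loc_set) >= ri.k - 1 and len(id_set) >= ri.k - 1
    return result


# Constructed sample: r2 and r3 were already forwarded with a shared region,
# r1 is waiting, r4 is far from everyone and will never gather neighbours.
SAMPLE = [
    Request("r1", 0.0, 0.0, k=2, max_dist=5.0),
    Request("r2", 1.0, 1.0, k=2, max_dist=5.0, region=(0.0, 0.0, 2.0, 1.0)),
    Request("r3", 2.0, 0.0, k=2, max_dist=5.0, region=(0.0, 0.0, 2.0, 1.0)),
    Request("r4", 10.0, 10.0, k=2, max_dist=3.0),
]
BY_ID = {r.rid: r for r in SAMPLE}
EDGES = build_graph(SAMPLE)

if __name__ == "__main__":
    print("Uout(r1) =", sorted(u_out(EDGES, "r1")), "Uin(r1) =", sorted(u_in(EDGES, "r1")))
    if can_cloak(EDGES, BY_ID, "r1"):
        print("r1 cloaked to", cloak(EDGES, BY_ID, "r1"))
    print("r4 ready:", can_cloak(EDGES, BY_ID, "r4"))
    print(satisfies_model(SAMPLE))
```

Note that r4 illustrates the failure mode the next slides address: with an empty Uout and Uin it can never satisfy the readiness rule, so without dummies it would expire at its deadline and the cloaking would fail.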
Cloaking Algorithm: Maintenance
[Figure: the Anonymizing Proxy receives the original request r(id, l, t, k, , data, t); the location l(x, y) and the maximum cloaking region drive a range query against the Spatial Index, which yields the request's neighbors in the Directed Graph (location anonymity set r.Uout and identifier anonymity set r.Uin); the request's cloaking deadline, keyed by id, is inserted into the Min Heap]
Cloaking Algorithm: Cloaking
[Flowchart: get the top request r from the Min Heap and ask whether there are enough forwarded neighbors in Uout and Uin; if yes, anonymize r and remove it from the Directed Graph, the Spatial Index and the Min Heap; if not, delay it until all its neighbors have been forwarded, after which r is removed from the graph]
Improvement with Dummy
Guarantee a 100% success rate.
Only need to maintain the in-degree and out-degree of each node r.
The cloaking region of each dummy request d is a random spatial region between MBR(r, d) and MBR(r.Uout).
– Both in-degree neighbors and out-degree neighbors: high privacy level
– Satisfy the spatial QoS requirement of r
– Indistinguishable from actual requests
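The dummy fallback, as an added example that is not code from the slides or the authors. It computes how many dummies a request r still needs at its deadline, places each dummy d inside r's own cloaking region (so d adds to r's location anonymity set, i.e. an out-degree neighbor), and gives d a cloaking region between MBR(r, d) and the MBR of r's out-neighbors (so d's region covers r's location, i.e. an in-degree neighbor). "Between" is interpreted here as a box that contains MBR(r, d) and is contained in the MBR of r, d and r.Uout; that reading, the function names and the coordinates are assumptions of this example. A verification function checks the three properties the slide claims.

```python
# Added example (not the slides' or the authors' code): generating dummy
# requests so that a request r always satisfies both conditions of the
# location k-anonymity model at its deadline. Interpretation assumed: a dummy's
# region contains MBR(r, d) and lies inside MBR of {r, d} and r.Uout.
import random
from typing import List, Tuple

Point = Tuple[float, float]
Box = Tuple[float, float, float, float]  # (xmin, ymin, xmax, ymax)


def mbr(points: List[Point]) -> Box:
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def covers(box: Box, p: Point) -> bool:
    return box[0] <= p[0] <= box[2] and box[1] <= p[1] <= box[3]


def contains_box(outer: Box, inner: Box) -> bool:
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def dummies_needed(k: int, loc_count: int, id_count: int) -> int:
    """Dummies r still needs. A dummy inside r's region counts for the location
    anonymity set and its region covering r.l counts for the identifier set,
    so one dummy repairs both deficits at once."""
    return max(0, k - 1 - loc_count, k - 1 - id_count)


def random_box_between(inner: Box, outer: Box, rng: random.Random) -> Box:
    """A box with inner <= box <= outer; each edge is drawn uniformly in its slack."""
    return (rng.uniform(outer[0], inner[0]), rng.uniform(outer[1], inner[1]),
            rng.uniform(inner[2], outer[2]), rng.uniform(inner[3], outer[3]))


def make_dummies(r: Point, region_r: Box, uout: List[Point], n: int,
                 rng: random.Random) -> List[Tuple[Point, Box]]:
    """Generate n dummy requests as (location, cloaking region) pairs for r."""
    dummies = []
    for _ in range(n):
        # dummy location inside r's own cloaking region -> out-degree neighbour of r
        d = (rng.uniform(region_r[0], region_r[2]), rng.uniform(region_r[1], region_r[3]))
        inner = mbr([r, d])            # MBR(r, d): always covers r.l -> in-degree neighbour
        outer = mbr([r, d] + uout)     # MBR of r, d and r.Uout: the spatial QoS bound
        dummies.append((d, random_box_between(inner, outer, rng)))
    return dummies


def verify_dummies(r: Point, region_r: Box, uout: List[Point],
                   dummies: List[Tuple[Point, Box]]) -> bool:
    """Each dummy lies in r's region, its region covers r.l, and its region
    stays within the MBR of r, the dummies and r.Uout."""
    outer_all = mbr([r] + uout + [d for d, _ in dummies])
    return all(covers(region_r, d) and covers(reg, r) and contains_box(outer_all, reg)
               for d, reg in dummies)


# Constructed scenario: r wants k = 3 but at its deadline has one forwarded
# out-neighbour inside its region and nobody whose region covers it.
R: Point = (5.0, 5.0)
K = 3
UOUT: List[Point] = [(6.0, 6.0)]
REGION_R: Box = mbr([R] + UOUT)   # (5, 5, 6, 6)
LOC_COUNT, ID_COUNT = 1, 0


def demo(seed: int = 7) -> List[Tuple[Point, Box]]:
    """Run the fallback for the constructed scenario with a fixed seed."""
    n = dummies_needed(K, LOC_COUNT, ID_COUNT)
    return make_dummies(R, REGION_R, UOUT, n, random.Random(seed))


if __name__ == "__main__":
    ds = demo()
    print("dummies needed:", len(ds))
    for d, reg in ds:
        print("dummy at", d, "region", reg)
    print("model satisfied for r:", verify_dummies(R, REGION_R, UOUT, ds))
```

Because every dummy region is bounded by the MBR of r and its out-neighbors, the dummies never enlarge what an observer learns beyond the region r would have used anyway, which is the spatial QoS claim on the slide; indistinguishability from real requests is a property of the request format and is not something this check can establish.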
Experimental Settings
Brinkhoff Network-based Generator of Moving Objects
Input:
– Road map of Oldenburg County
Output:
– 20K moving objects with the location range [0-200]
– Minimum update interval = 20K
– The identifier and the location information (x, y)
– k = 2-5
– = 2-10
– t = 1000-3000, = 10
• CliqueCloak vs. No Dummy vs. Dummy
– The success rate with different requirements
– The relative anonymity level
• Cost of dummy
Cloaking Success Rate (varying k)
Our method (no dummy) has a 5-25% higher success rate than CliqueCloak.
Larger k, lower success rate.
Our method (no dummy) is more robust.
[Figure: success rate vs. k (2, 3, 4, 5, overall) for CliqueCloak and Proposed (No Dummy)]
Relative Anonymity Level
Relative location anonymity level = k' / k
Our method (no dummy) supports larger k values.
[Figure: relative k level vs. k (2-5) for CliqueCloak, Proposed (No Dummy) and Proposed (Dummy)]
Cloaking Success Rate (varying maximum cloaking region and maximum cloaking latency)
Maximum cloaking region size = [0.015-0.05]% of the space; maximum cloaking latency = [0.05-0.25]% of the update interval.
Our method (no dummy) has a higher success rate.
Larger maximum cloaking region or maximum cloaking latency: more flexibility, higher success rate.
[Figure: success rate vs. maximum cloaking region size (0.015-0.02%, 0.025-0.03%, 0.035-0.04%, 0.045-0.05%) and vs. maximum cloaking latency (0.05-0.1%, 0.05-0.15%, 0.05-0.2%, 0.05-0.25%) for CliqueCloak and Proposed (No Dummy)]
Dummy Cost & Cloaking Efficiency
Portion of dummies = dummy / (dummy + true)
Larger k, more dummies.
Average 10%, an acceptable portion.
[Figure: portion of dummies vs. k (2, 3, 4, 5, overall)]
Cloaking Efficiency
Our method (no dummy) has a much shorter cloaking time.
Larger k, longer time.
[Figure: average cloaking time (millisec) vs. k (2-5) for CliqueCloak, Proposed (No Dummy) and Proposed (Dummy)]
Related Works
Quad-tree based Cloaking Algorithm
– Recursively subdivides the entire space into quadrants, until the quadrant includes the user and k-1 other users
– M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. MobiSys, 2003.
Clique-Cloak Algorithm
– Personalized privacy requirements: k, spatial and temporal tolerance values
– An undirected graph is constructed to search for a clique that includes the user's message and k-1 other messages
– B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model. ICDCS, 2005.
Casper
– Grid-based cloaking algorithm
– Privacy-aware query processor
– M. F. Mokbel, C. Chow and W. G. Aref. The New Casper: Query Processing for Location Services without Compromising Privacy. VLDB, 2006.
Conclusions
Problem: quality-aware privacy protection in LBS
Classify location anonymity and identifier anonymity.
Solution
– New Quality-Aware K-Anonymity Model
– Efficient directed-graph based cloaking algorithm
– An option of using dummy requests
Experimental evaluation
– Various privacy and QoS requirements
– Efficient
Thank you