Location Privacy in Mobile Systems: A Personalized


Quality Aware Privacy Protection for Location-based Services
Zhen Xiao, Xiaofeng Meng (Renmin University of China)
Jianliang Xu (Hong Kong Baptist University)
Presented by Xiao Pan
Outline
Motivation
Contributions
Location K-Anonymity Model
Cloaking Algorithm
Improvement with Dummy
Experiments
Related Works
Conclusions
Motivation: Privacy in LBS
[Figure: mobile users send queries such as "Where is my nearest hotel?" and "Where is my way to The Emporium?" to the LBS provider; each request carries the user's unique identifier and location information]
Privacy & QoS Trade-Off
Privacy Requirements
• Location anonymity: the cloaking region L contains at least k-1 other users
  – Sensitive location: clinic, nightclub
• Identifier anonymity: the location point l(x,y) is covered by at least k-1 other requests
  – Sensitive message: political, financial
[Figure: k-anonymity model; the location point l(x,y) of a request is expanded into a cloaking region L drawn over requests r1, r2, r3 and r4]
Contribution
• New quality-aware anonymity model
  – Protect location privacy
  – Satisfy QoS requirements
• Directed-graph based cloaking algorithm
  – Maximize cloaking success rate with QoS guaranteed
• Improvement
  – Use dummy locations to achieve a 100% cloaking success rate
System Model
[Figure: mobile clients send the original request to a trusted anonymizing proxy; the proxy expands the exact location point into a cloaking region and sends the anonymized request to the location-based service providers]
Request formats
• Original request r = (id, l, t, k, , data, t)
  – Identifier
  – Current location l = (x, y)
  – Quality of service
    • Maximum cloaking latency
    • Maximum cloaking region
  – Location privacy
    • Minimum anonymity level
  – Service related content
  – Current time
• Anonymized request r' = (id', L, data)
  – Pseudonym
  – Cloaking region
  – Service related content
Location K-Anonymity Model
Given a set of requests r1, r2, ..., rn, a request ri is location k-anonymous if and only if
• its cloaking region L covers the locations of at least k-1 other requests (location anonymity set):
  $|\{ j \mid r_j.l \in r_i.L,\ 1 \le j \le n,\ j \ne i \}| \ge k - 1$
• its location l is covered by the cloaking regions of at least k-1 other requests (identifier anonymity set):
  $|\{ j \mid r_i.l \in r_j.L,\ 1 \le j \le n,\ j \ne i \}| \ge k - 1$
Quality Aware Location K-anonymity Model
• Location privacy
  – Expand the user location into a cloaking region such that the location k-anonymity model is satisfied
• Temporal QoS
  – The request must be anonymized before the predefined maximum cloaking delay (t  t)
• Spatial QoS
  – The cloaking region size should not exceed a threshold 
Cloaking Algorithm
• Directed graph
  – Find the location anonymity set and the identifier anonymity set that satisfy the location k-anonymity model through the neighbor relationships of request nodes
• Spatial index
  – Use window queries to facilitate construction and maintenance of the neighbor relationships in the graph
• Min-heap
  – Order the requests by their cloaking deadlines and detect the expiration of requests
Directed Graph
• G(V, E): directed graph
  – V: set of nodes (requests)
  – E: set of edges
  – edge eij = (ri, rj) ∈ E iff |ri rj| < ri. (rj lies within ri's maximum cloaking region)
  – edge eji = (rj, ri) ∈ E iff |ri rj| < rj.
• ri can be anonymized immediately if there are at least k-1 other forwarded requests in Uout and k-1 other forwarded requests in Uin
[Figure: request r1 with outgoing neighbors r2, r3, r4 and incoming neighbors r3, r4. Location anonymity set Uout = {r2, r3, r4} (outgoing neighbors); identifier anonymity set Uin = {r3, r4} (incoming neighbors)]
Cloaking Algorithm: Maintenance
[Figure: when an original request r reaches the anonymizing proxy, a range query around its location l = (x, y) on the spatial index returns the candidate set C; r is inserted into the directed graph, which updates its location anonymity set r.Uout and its identifier anonymity set r.Uin; r's id and cloaking deadline are inserted into the min heap]
Cloaking Algorithm: Cloaking
[Flowchart: get the top request r from the min heap; check whether there are enough forwarded neighbors in Uout and Uin; if so, r is cloaked and removed from the min heap, the spatial index and the directed graph; otherwise r is delayed until all its neighbors have been forwarded, after which it is removed from the graph]
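The location k-anonymity model, the directed-graph neighbor sets and the immediate-cloaking check of the preceding slides, as an added Python example (not code from the slides or their authors). It assumes `sigma` as the name of the per-request spatial threshold, takes the cloaking region to be the MBR of r and its forwarded out-neighbors, and constructs the regions of the already-forwarded requests:

```python
import math
from dataclasses import dataclass

@dataclass
class Request:
    rid: str
    x: float
    y: float
    k: int                    # minimum anonymity level (the location privacy requirement)
    sigma: float              # spatial QoS threshold; "sigma" is an assumed name for the slide's symbol
    forwarded: bool = False   # already cloaked and forwarded to the LBS provider
    L: tuple = None           # cloaking region (min_x, min_y, max_x, max_y) once forwarded

def mbr(reqs):  # minimum bounding rectangle of the given request locations
    return (min(r.x for r in reqs), min(r.y for r in reqs), max(r.x for r in reqs), max(r.y for r in reqs))
def covers(box, r):  # is r's location point inside the box (borders inclusive)?
    return box[0] <= r.x <= box[2] and box[1] <= r.y <= box[3]

def build_graph(reqs):
    # Edge e_ij = (ri, rj) iff |ri rj| < ri.sigma: uout[i] = outgoing neighbors (location anonymity set), uin[i] = incoming neighbors (identifier anonymity set).
    uout, uin = {r.rid: [] for r in reqs}, {r.rid: [] for r in reqs}
    for ri in reqs:
        for rj in reqs:
            if ri is not rj and math.hypot(ri.x - rj.x, ri.y - rj.y) < ri.sigma:
                uout[ri.rid].append(rj)
                uin[rj.rid].append(ri)
    return uout, uin

def try_cloak(r, reqs):
    # Cloak r now only if >= k-1 forwarded requests sit in both r.Uout and r.Uin; the region is the MBR of r and its forwarded out-neighbors. None means "delay r".
    uout, uin = build_graph(reqs)
    fwd_out = [q for q in uout[r.rid] if q.forwarded]
    fwd_in = [q for q in uin[r.rid] if q.forwarded]
    if len(fwd_out) < r.k - 1 or len(fwd_in) < r.k - 1:
        return None
    r.L, r.forwarded = mbr([r] + fwd_out), True
    return r.L

def k_anonymous(r, reqs):
    # Post-check of the model: |{j : rj.l in ri.L}| >= k-1 and |{j : ri.l in rj.L}| >= k-1.
    others = [q for q in reqs if q is not r and q.forwarded]
    return sum(covers(r.L, q) for q in others) >= r.k - 1 and sum(covers(q.L, r) for q in others) >= r.k - 1

# Constructed scenario from the slide figure (r1.Uout = {r2, r3, r4}, r1.Uin = {r3, r4}); r2, r3, r4 were cloaked earlier with constructed regions.
R1 = Request("r1", 0, 0, k=3, sigma=4)
R2 = Request("r2", 3, 0, k=2, sigma=2, forwarded=True, L=(2, -1, 4, 1))
R3 = Request("r3", 0, 2, k=2, sigma=3, forwarded=True, L=(-1, 0, 1, 3))
R4 = Request("r4", -2, -1, k=2, sigma=3, forwarded=True, L=(-3, -2, 0, 0))
REQS = [R1, R2, R3, R4]
```

With k = 3, r1 needs two forwarded requests in each set: r1.Uout supplies three and r1.Uin exactly two, so r1 is cloaked at once and the post-check confirms both halves of the model.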
Improvement with Dummy
• Guarantee a 100% success rate
• Only need to maintain the in-degree and out-degree of each node r
• Cloaking region of each dummy request d is a random spatial region between MBR(r, d) and MBR(r.Uout)
  – Both in-degree neighbors and out-degree neighbors → high privacy level
  – Satisfy the spatial QoS requirement of r
  – Indistinguishable from actual requests
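The dummy construction above, as an added Python example (not the authors' code). It assumes `sigma` as the name of r's spatial threshold, places each dummy inside that threshold, draws the dummy's region border-by-border between MBR(r, d) and the MBR of r, d and r.Uout (an assumed reading of "between MBR(r, d) and MBR(r.Uout)"), and takes r's own region to be the MBR of r, its out-neighbors and the dummies:

```python
import random
from dataclasses import dataclass

@dataclass
class Req:
    rid: str
    x: float
    y: float
    sigma: float      # spatial QoS threshold of the request ("sigma" is an assumed name for the slide's symbol)
    L: tuple = None   # cloaking region (min_x, min_y, max_x, max_y)

def mbr(rs):  # minimum bounding rectangle of the given request locations
    return (min(r.x for r in rs), min(r.y for r in rs), max(r.x for r in rs), max(r.y for r in rs))

def covers(box, r):  # borders inclusive
    return box[0] <= r.x <= box[2] and box[1] <= r.y <= box[3]

def add_dummies(r, uout, uin, k, rng):
    # Create just enough dummies to lift both r's out-degree and in-degree to k-1.
    need = max(k - 1 - len(uout), k - 1 - len(uin), 0)
    dummies = []
    for i in range(need):
        # Place d in the square of half-side sigma/2 around r, so |r d| < sigma: d is an outgoing
        # neighbor of r and stays inside r's spatial QoS bound.
        d = Req(f"dummy{i}", r.x + rng.uniform(-r.sigma / 2, r.sigma / 2),
                r.y + rng.uniform(-r.sigma / 2, r.sigma / 2), r.sigma)
        # d's region lies between MBR(r, d) and MBR(r, d, r.Uout): every border is moved a random
        # fraction of the way from the small box to the large one (assumed reading of the slide),
        # so the region always covers r and d, which makes d an incoming neighbor of r as well.
        lo, hi = mbr([r, d]), mbr([r, d] + uout)
        d.L = tuple(lo[b] + (hi[b] - lo[b]) * rng.random() for b in range(4))
        dummies.append(d)
    return dummies

def cloak_with_dummies(r, uout, uin, k, seed=1):
    # r's own region is the MBR over r, its real out-neighbors and the dummies: cloaking never fails.
    dummies = add_dummies(r, uout, uin, k, random.Random(seed))
    r.L = mbr([r] + uout + dummies)
    return r.L, dummies

# Constructed input: r has one real out-neighbor and no in-neighbor, but asks for k = 3.
R = Req("r", 5.0, 5.0, sigma=2.0)
UOUT = [Req("a", 6.0, 5.0, sigma=2.0)]
UIN = []
```

Two dummies are generated here because the in-degree, not the out-degree, is the binding deficit; each one is within r's threshold and has a region covering r, so r reaches k-1 on both sides without waiting.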
Experimental Settings
• Brinkhoff Network-based Generator of Moving Objects
  – Input: road map of Oldenburg County
  – Output: the identifier and the location information (x, y)
  – 20K moving objects with the location range [0-200]
  – Minimum update interval = 20K
• k = 2-5
•  = 2-10
• t = 1000-3000, = 10
• CliqueCloak vs. No Dummy vs. Dummy
  – The success rate with different requirements
  – The relative anonymity level
• Cost of dummy
Cloaking Success Rate (varying k)
[Figure: success rate (0-1) vs. k = 2, 3, 4, 5 and overall, for CliqueCloak and Proposed (No Dummy)]
• Our method (no dummy) has a 5-25% higher success rate
• Larger k → lower success rate
• Our method (no dummy) is more robust
Relative Anonymity Level
• Relative location anonymity level = k'/k
[Figure: relative k level (0-10) vs. k = 2, 3, 4, 5, for CliqueCloak, Proposed (No Dummy) and Proposed (Dummy)]
• Our method (no dummy) supports larger k values
Cloaking Success Rate (varying the maximum cloaking region size and the maximum cloaking latency t)
• Maximum cloaking region size = [0.015-0.05]% of the space
• Maximum cloaking latency t = [0.05-0.25]% of the update interval
[Figure: success rate (0-1) vs. maximum cloaking region size (0.015-0.02%, 0.025-0.03%, 0.035-0.04%, 0.045-0.05%) and vs. maximum cloaking latency (0.05-0.1%, 0.05-0.15%, 0.05-0.2%, 0.05-0.25%), for CliqueCloak and Proposed (No Dummy)]
• Our method (no dummy) has a higher success rate
• Larger region size or t → more flexibility, higher success rate
Dummy Cost & Cloaking Efficiency
• Portion of dummies = dummy / (dummy + true)
[Figure: portion of dummies (0-1) vs. k = 2, 3, 4, 5 and overall]
• Larger k, more dummies
• Average 10%, an acceptable portion
Cloaking Efficiency
[Figure: average cloaking time in milliseconds (0-1.8) vs. k = 2, 3, 4, 5, for CliqueCloak, Proposed (No Dummy) and Proposed (Dummy)]
• Our method (no dummy) has much shorter cloaking time
• Larger k, longer time
Related Works
• Quad-tree based Cloaking Algorithm
  – Recursively subdivides the entire space into quadrants until the quadrant includes the user and k-1 other users
  M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. MobiSys, 2003.
• Clique-Cloak Algorithm
  – Personalized privacy requirements: k, spatial and temporal tolerance values
  – An undirected graph is constructed to search for a clique that includes the user's message and k-1 other messages
  B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model. ICDCS, 2005.
• Casper
  – Grid-based cloaking algorithm
  – Privacy-aware query processor
  M. F. Mokbel, C. Chow and W. G. Aref. The New Casper: Query Processing for Location Services without Compromising Privacy. VLDB, 2006.
Conclusions
• Problem: quality-aware privacy protection in LBS
• Classify location anonymity and identifier anonymity
• Solution
  – New Quality-Aware K-Anonymity Model
  – Efficient directed-graph based cloaking algorithm
  – An option of using dummy requests
• Experimental evaluation
  – Various privacy and QoS requirements
  – Efficient
Thank you