Transcript Document
PRIVÉ:
Anonymous Location-Based Queries
in Distributed Mobile Systems
Gabriel Ghinita1
Panos Kalnis1
Spiros Skiadopoulos2
1 National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
2 University of Peloponnese, Greece
[email protected]
Location-Based Services (LBS)
LBS users
Mobile devices with GPS capabilities
Spatial database queries
Queries
NN and Range Queries
Location server is NOT trusted
“Find closest hospital to my present location”
Problem Statement
Queries may disclose sensitive information
But user location may disclose identity
Query through anonymous web surfing service
Triangulation of device signal
Publicly available databases
Physical surveillance
How to preserve query source anonymity?
Even when exact user locations are known
Solution Overview
Anonymizing Spatial Region (ASR)
Identification probability ≤ 1/K
Minimize overhead
Reduce ASR extent
Fast ASR assembly time
Support user mobility
Central Anonymizer Architecture
Intermediate tier between users and LBS
Bottleneck and single point of attack/failure
PRIVÉ Architecture
K-Anonymity*
(a) Microdata
Age   ZipCode   Disease
42    25000     Ulcer
46    35000     Pneumonia
50    20000     Flu
54    40000     Gastritis
48    50000     Dyspepsia
56    55000     Bronchitis
(b) Voting Registration List (public)
Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000
* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
K-Anonymity*
(a) 2-anonymous microdata
Age     ZipCode       Disease
42-46   25000-35000   Ulcer
42-46   25000-35000   Pneumonia
50-54   20000-40000   Flu
50-54   20000-40000   Gastritis
48-56   50000-55000   Dyspepsia
48-56   50000-55000   Bronchitis
(b) Voting Registration List (public)
Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000
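As an added example (not from the slides), the linkage behind the two tables above, run over the slide's own rows: joining the exact Age/ZipCode values against the public voter list re-identifies every record, while the 2-anonymous generalization leaves at least two candidate names per record.

```python
# Added example, not from the PRIVE slides: re-identification risk of the
# K-Anonymity tables, measured as the size of the candidate set per record.
MICRODATA = [  # (Age, ZipCode, Disease) from table (a)
    (42, 25000, "Ulcer"), (46, 35000, "Pneumonia"), (50, 20000, "Flu"),
    (54, 40000, "Gastritis"), (48, 50000, "Dyspepsia"), (56, 55000, "Bronchitis")]
VOTERS = [  # (Name, Age, ZipCode) from the public voting registration list (b)
    ("Andy", 42, 25000), ("Bill", 46, 35000), ("Ken", 50, 20000),
    ("Nash", 54, 40000), ("Mike", 48, 50000), ("Sam", 56, 55000)]
GENERALIZED = [  # (Age range, ZipCode range, Disease) from the 2-anonymous table
    ((42, 46), (25000, 35000), "Ulcer"), ((42, 46), (25000, 35000), "Pneumonia"),
    ((50, 54), (20000, 40000), "Flu"), ((50, 54), (20000, 40000), "Gastritis"),
    ((48, 56), (50000, 55000), "Dyspepsia"), ((48, 56), (50000, 55000), "Bronchitis")]

def link_exact(micro, voters):
    """Names each exact (Age, ZipCode) record joins to in the public list."""
    return {disease: {name for name, a, z in voters if (a, z) == (age, zip_)}
            for age, zip_, disease in micro}

def link_generalized(gen, voters):
    """Names each generalized (range, range) record still joins to."""
    return {disease: {name for name, a, z in voters
                      if ar[0] <= a <= ar[1] and zr[0] <= z <= zr[1]}
            for ar, zr, disease in gen}

def min_anonymity(links):
    """Smallest candidate set over all records; 1 means someone is re-identified."""
    return min(len(names) for names in links.values())
```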
Relational and Spatial Anonymity
[Figure: the tuples plotted in attribute space, x-axis Age (42, 44, ..., 56), y-axis Zip (20k, 25k, ..., 55k)]
Existing Cloaking Solutions
Redundant Queries
Send K-1 redundant queries
Gives away exact location of users
Potentially high overhead
CloakP2P [Chow06]
Find K-1 NN of query source
Source likely to be closest to ASR center
Vulnerable to “center-of-ASR” attack
NOT SECURE
[Figure: query source uq and its 5-ASR]
[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
QuadASR[Gru03, Mok06]
Quad-tree based
Fails to preserve anonymity for outliers
Unnecessarily large ASR size
[Figure: quad-tree cells A1 and A2 with users u1, u2, u3, u4]
• Let K=3
• If any of u1, u2, u3 queries, ASR is A1
• If u4 queries, ASR is A2
• u4’s identity is disclosed
NOT SECURE
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006
Secure Location Anonymization
Reciprocity
Consider querying user uq and ASR Aq
Let ASq = {set of users enclosed by Aq}
Aq has the reciprocity property iff
i. |ASq| ≥ K
ii. ∀ ui, uj ∈ ASq: ui ∈ ASj ∧ uj ∈ ASi
hilbASR
Based on Hilbert space-filling curve
index users by Hilbert value of location
partition Hilbert sequence into “K-buckets”
[Figure: Hilbert curve through the user locations, from Start to End]
Advantages of hilbASR
Guarantees source privacy
Reduced ASR size
K-ASRs have the “reciprocity” property
Hilbert ordering preserves locality well
K-ASR includes exactly K users (in most cases)
Efficient ASR assembly and user relocation
Balanced, annotated index tree
User relocation, ASR assembly in O(log #users)
hilbASR with Annotated Index
K=6 Example
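Reciprocity and hilbASR together, as an added example that is not part of the original slides or the PRIVÉ paper: it orders constructed users by Hilbert value on an 8x8 grid, cuts the sequence into K-buckets, and runs the reciprocity check of the previous slide against both hilbASR and K-NN cloaking of the CloakP2P kind. N, K and the user positions are constructed; merging leftover users into the last bucket is an assumption about the bucketing rule.

```python
# Added example (not code from the PRIVE slides or paper): hilbASR K-buckets plus a
# reciprocity check, beside K-NN cloaking. N, K and USERS are constructed samples.
def xy2d(n, x, y):
    """Hilbert-curve index of cell (x, y) on an n x n grid (n a power of two)."""
    d, s = 0, n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                    # flip/rotate so sub-curves stay connected
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

N, K = 8, 3
USERS = {"A": (0, 0), "B": (1, 1), "C": (3, 0), "D": (3, 3), "E": (1, 2),
         "F": (0, 3), "G": (0, 5), "H": (1, 6), "I": (3, 7)}

def mbr(names):
    """Minimum bounding rectangle (x0, y0, x1, y1) of the named users."""
    xs, ys = zip(*(USERS[u] for u in names))
    return (min(xs), min(ys), max(xs), max(ys))

def enclosed(box):
    """AS_q: every user whose location lies inside the ASR (inclusive)."""
    x0, y0, x1, y1 = box
    return {u for u, (x, y) in USERS.items() if x0 <= x <= x1 and y0 <= y <= y1}

def hilb_asr(q):
    """hilbASR: order users by Hilbert value, cut the sequence into K-buckets
    (assumption: leftover users join the last bucket), ASR = MBR of q's bucket."""
    order = sorted(USERS, key=lambda u: xy2d(N, *USERS[u]))
    full = len(order) // K
    buckets = [order[i * K:(i + 1) * K] for i in range(full)]
    buckets[-1].extend(order[full * K:])
    return mbr(next(b for b in buckets if q in b))

def knn_asr(q):
    """CloakP2P-style cloaking: ASR = MBR of q and its K-1 nearest neighbours."""
    qx, qy = USERS[q]
    near = sorted(USERS, key=lambda u: (USERS[u][0] - qx) ** 2 + (USERS[u][1] - qy) ** 2)
    return mbr(near[:K])

def reciprocity_violations(asr_fn):
    """Users whose ASR breaks (i) |AS_q| >= K or (ii) mutual enclosure of AS_q."""
    anon = {u: enclosed(asr_fn(u)) for u in USERS}
    return {q for q, asq in anon.items()
            if len(asq) < K or any(i not in anon[j] for i in asq for j in asq)}
```

With these positions every hilbASR bucket is its own anonymity set, so no user violates reciprocity, whereas user A's K-NN ASR encloses E, who would have produced a different ASR.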
PRIVÉ
PRIVÉ Characteristics
P2P overlay network
Resembles annotated B+-tree
Hierarchical clustering architecture
Bounded cluster size [,3)
[Figure: S relocates to 60]
Relocation
Load Balancing
Hierarchical architecture
Inherent imbalance in peer load
Cluster head rotation mechanism
Rotation triggered by load
Communication cost predominant
Fault Tolerance
Soft-state mechanism
Cluster membership periodically updated
Recovery facilitated by state replication
Leader election protocol
In case of cluster head failure
Experimental Evaluation
Experimental Setup
San Francisco Bay Area road network
Network-based Generator of Moving Objects*
Up to 10000 users
Velocities from 18 to 68 km/h
Uniform and skewed query distributions
Anonymity degree K in the range [10, 160]
* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica,
6(2):153–180, 2002.
Anonymity Strength (center-of-ASR)
ASR Size
Query Efficiency
Relocation Efficiency
Load Balancing
[Figure: load balancing results, x-axis Node Fraction (0% to 100%)]
Conclusions
LBS Privacy an important concern
Existing solutions have no privacy guarantees
Centralized approach has limitations
Poor scalability, legal issues
Contribution
Anonymization with privacy guarantees
hilbASR
Extension to decentralized systems
Improved scalability and availability
No single point-of-attack/failure
Bibliography on LBS Privacy
http://anonym.comp.nus.edu.sg
Bibliography
[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Ged05] – Gedik et al, Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006
MobiHide
Randomized ASR assembly technique:
Advantages
Also uses Hilbert ordering
ASR chosen as random K-user sequence
No global knowledge required
Flat index structure (Chord DHT)
Disadvantages
No privacy guarantees for skewed query distributions
but still strong anonymity in practice