PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems

Gabriel Ghinita (1), Panos Kalnis (1), Spiros Skiadopoulos (2)

(1) National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
(2) University of Peloponnese, Greece, [email protected]

Location-Based Services (LBS)

• LBS users
  • Mobile devices with GPS capabilities
  • Spatial database queries
• Queries
  • NN and Range Queries, e.g. "Find closest hospital to my present location"
• The location server is NOT trusted

Problem Statement

• Queries may disclose sensitive information
  • Querying through an anonymous web surfing service hides the network identity of the user
• But the user location may still disclose identity, through
  • Triangulation of the device signal
  • Publicly available databases
  • Physical surveillance
• How to preserve query source anonymity, even when exact user locations are known?

Solution Overview

• Anonymizing Spatial Region (ASR): the query carries a region enclosing the querier and at least K-1 other users instead of the exact location
  • Identification probability ≤ 1/K
• Minimize overhead
  • Reduce ASR extent
  • Fast ASR assembly time
• Support user mobility

Central Anonymizer Architecture

• Intermediate tier between users and the LBS
• Bottleneck and single point of attack/failure

PRIVÉ Architecture
K-Anonymity*

(a) Microdata
Age  ZipCode  Disease
42   25000    Ulcer
46   35000    Pneumonia
50   20000    Flu
54   40000    Gastritis
48   50000    Dyspepsia
56   55000    Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000

Joining (a) and (b) on the quasi-identifiers Age and ZipCode re-identifies every record (e.g. Andy has an ulcer), even though (a) contains no names.

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

K-Anonymity*

(a) 2-anonymous microdata
Age    ZipCode      Disease
42-46  25000-35000  Ulcer
42-46  25000-35000  Pneumonia
50-54  20000-40000  Flu
50-54  20000-40000  Gastritis
48-56  50000-55000  Dyspepsia
48-56  50000-55000  Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000

After generalization every (Age, ZipCode) group in (a) matches at least 2 voters in (b), so the join identifies a record with probability at most 1/2.

Relational and Spatial Anonymity

(figure: the six records plotted with Age on the horizontal axis, 42 to 56, and Zip on the vertical axis, 20k to 55k; each 2-anonymous group of the previous slide is a rectangle in this plane, so relational generalization is spatial cloaking in attribute space)

Existing Cloaking Solutions

• Redundant Queries
  • Send K-1 redundant queries in addition to the real one
  • Gives away the exact location of users
  • Potentially high overhead
• CloakP2P [Chow06]
  • Form the ASR from the query source and its K-1 NN
  • The source is likely to be the user closest to the ASR center
  • Vulnerable to the "center-of-ASR" attack: NOT SECURE

(figure: query source uq and its 5-ASR, with uq near the center of the region)

[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06

QuadASR [Gru03, Mok06]

• Quad-tree based: the ASR is the smallest quadrant that contains the querier and at least K-1 other users
  • Fails to preserve anonymity for outliers
  • Unnecessarily large ASR size
• Example (figure), with K=3: users u1, u2, u3 lie in quadrant A1; u4 is an outlier whose own quadrant holds too few users, so its ASR grows to the larger quadrant A2
  • If any of u1, u2, u3 queries, the ASR is A1
  • If u4 queries, the ASR is A2
  • Since any of u1, u2, u3 would have produced A1, an attacker who knows the user locations infers that a query with ASR A2 came from u4: u4's identity is disclosed. NOT SECURE

[Gru03] Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

Secure Location Anonymization

Reciprocity

• Consider a querying user uq and its ASR Aq
• Let ASq = {set of users enclosed by Aq}; ASi and ASj denote the corresponding sets for ui and uj
• Aq has the reciprocity property iff
  i.  |ASq| ≥ K
  ii. ∀ ui, uj ∈ ASq: ui ∈ ASj ⇔ uj ∈ ASi
• Intuition: every user in ASq would have produced the same ASR, so an attacker who knows all locations and the algorithm cannot single out the source with probability better than 1/K

hilbASR

• Based on the Hilbert space-filling curve
  • Index users by the Hilbert value of their location
  • Partition the Hilbert sequence into "K-buckets" of K consecutive users; the ASR of a querier encloses the users of its bucket

(figure: Hilbert curve traversal of the user set from Start to End)

Advantages of hilbASR

• Guarantees source privacy
  • K-ASRs have the "reciprocity" property
• Reduced ASR size
  • Hilbert ordering preserves locality well
  • A K-ASR includes exactly K users (in most cases)
• Efficient ASR assembly and user relocation
  • Balanced, annotated index tree
  • User relocation and ASR assembly in O(log #users)

hilbASR with Annotated Index
K=6 Example
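To make the reciprocity definition and the center-of-ASR attack concrete, here is an added example in Python; it is not code from the PRIVÉ slides or paper. It indexes a constructed set of ten users on a 16x16 grid by Hilbert value using the standard iterative xy2d algorithm, cuts the sequence into K-buckets (assumed rule: a tail shorter than K merges into the last bucket) and uses each bucket's minimum bounding rectangle as the ASR. It then runs the reciprocity check from the slide above and the center-of-ASR attack against both hilbASR and a simplified K-1 nearest-neighbour cloak that stands in for CloakP2P. The user coordinates, the function names and the attacker's tie-break rule are all assumptions of this example.

```python
"""hilbASR vs. a K-1 nearest-neighbour cloak: reciprocity and the center-of-ASR
attack. Added example, not code from the PRIVE slides or paper. Positions,
bucket rule, MBR-as-ASR and tie-breaks are assumptions of this example."""

# Constructed user positions on a 16 x 16 grid: a cross of five users around
# (8, 8), one outlier at (3, 8) and four users in the corners.
USERS = [(8, 8), (6, 8), (10, 8), (8, 6), (8, 10), (3, 8),
         (0, 0), (15, 15), (0, 15), (15, 0)]
GRID = 16  # grid side; must be a power of two for xy2d


def xy2d(n, x, y):
    """Hilbert value of cell (x, y) on an n x n grid (standard iterative form)."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:  # flip/rotate so the sub-curve orientation lines up
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d


def hilb_asr(users, k, n=GRID):
    """Anonymizing set of every user under hilbASR: sort by Hilbert value, cut
    into buckets of k; a tail shorter than k joins the last bucket (assumed
    rule), so each bucket holds between k and 2k-1 users."""
    order = sorted(users, key=lambda p: xy2d(n, *p))
    buckets = []
    for i in range(0, len(order), k):
        chunk = order[i:i + k]
        if len(chunk) < k and buckets:
            buckets[-1].extend(chunk)
        else:
            buckets.append(chunk)
    return {u: frozenset(b) for b in buckets for u in b}


def nn_cloak(users, k):
    """Simplified stand-in for CloakP2P: the anonymizing set of u is u plus its
    k-1 nearest neighbours (ties broken by coordinates)."""
    def d2(p, q):
        return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2
    return {u: frozenset(sorted(users, key=lambda v: (d2(u, v), v))[:k])
            for u in users}


def mbr(points):
    """Minimum bounding rectangle (x1, y1, x2, y2) used as the ASR."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def reciprocal(asets, k):
    """Reciprocity as on the slide: |AS_q| >= k and, for all ui, uj in AS_q,
    ui in AS_j <=> uj in AS_i."""
    for asq in asets.values():
        if len(asq) < k:
            return False
        for ui in asq:
            for uj in asq:
                if (ui in asets[uj]) != (uj in asets[ui]):
                    return False
    return True


def center_of_asr_guess(users, box):
    """Attacker who knows every location and sees only the ASR: guess the
    enclosed user nearest to the ASR center (ties by coordinates, assumed)."""
    x1, y1, x2, y2 = box
    cx, cy = (x1 + x2) / 2, (y1 + y2) / 2
    inside = [u for u in users if x1 <= u[0] <= x2 and y1 <= u[1] <= y2]
    return min(inside, key=lambda u: ((u[0] - cx) ** 2 + (u[1] - cy) ** 2, u))


def compare(users=USERS, k=5, querier=(8, 8)):
    """Per method: does reciprocity hold, and who does the attacker guess?"""
    out = {}
    for name, asets in (("nn_cloak", nn_cloak(users, k)),
                        ("hilbASR", hilb_asr(users, k))):
        box = mbr(asets[querier])
        out[name] = {"reciprocal": reciprocal(asets, k), "asr": box,
                     "guess": center_of_asr_guess(users, box)}
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        leaked = "LEAKED" if r["guess"] == (8, 8) else "safe"
        print(f"{name:9s} reciprocal={r['reciprocal']!s:5s} ASR={r['asr']} "
              f"guess={r['guess']} -> {leaked}")
```

For the querier at (8, 8) the nearest-neighbour cloak yields the ASR [6,10]x[6,10], whose center is the querier itself, so the attacker's guess is correct; it also violates reciprocity, because (6, 8) is among the neighbours chosen by (10, 8) but (10, 8) is not among those chosen by (6, 8). Under hilbASR the querier shares a bucket with four users from the left half of the grid, the attacker guesses (3, 8), and reciprocity holds for every bucket since all members of a bucket share one anonymizing set.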
PRIVÉ

PRIVÉ Characteristics

• P2P overlay network
  • Resembles an annotated B+-tree
  • Hierarchical clustering architecture
  • Bounded cluster size [,3)

Relocation

(figure: relocation example, S relocates to 60)

Load Balancing

• Hierarchical architecture
  • Inherent imbalance in peer load
• Cluster head rotation mechanism
  • Rotation triggered by load
  • Communication cost is predominant

Fault Tolerance

• Soft-state mechanism
  • Cluster membership periodically updated
  • Recovery facilitated by state replication
• Leader election protocol
  • In case of cluster head failure

Experimental Evaluation

Experimental Setup

• San Francisco Bay Area road network
  • Network-based Generator of Moving Objects*
• Up to 10000 users
  • Velocities from 18 to 68 km/h
• Uniform and skewed query distributions
• Anonymity degree K in the range [10, 160]

* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

Anonymity Strength (center-of-ASR)
ASR Size
Query Efficiency
Relocation Efficiency
Load Balancing
(figure: horizontal axis Node Fraction, 0% to 100%)

Conclusions

• LBS privacy is an important concern
  • Existing solutions have no privacy guarantees
• The centralized approach has limitations
  • Poor scalability, legal issues
• Contribution
  • Anonymization with privacy guarantees: hilbASR
  • Extension to decentralized systems
    • Improved scalability and availability
    • No single point of attack/failure

Bibliography on LBS Privacy: http://anonym.comp.nus.edu.sg

Bibliography

[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06
[Gru03] Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Ged05] Gedik et al., Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
[Mok06] Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

MobiHide

• Randomized ASR assembly technique
  • Also uses Hilbert ordering
  • The ASR is chosen as a random K-user sequence (in Hilbert order) that contains the querier
• Advantages
  • No global knowledge required
  • Flat index structure (Chord DHT)
• Disadvantages
  • No privacy guarantees for skewed query distributions
  • but still strong anonymity in practice