Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA
Privacy, Location Based Services, and You
Joshua Schiffman
Systems and Internet Infrastructure Security (SIIS) Laboratory
Page 1
They know where you are…
• A brief story about a bomb and a razor blade…
• … and what about your cell phone?
What is privacy to you?
• What should be made public?
• What is the primary difference between normal and location based services?
• What new threats do they present?
• Trade-off between privacy and utility
What can we do?
• We want to detach our identity from our requests
• Is removing identifiers enough?
‣ Can still re-identify, using public knowledge too…
• k-anonymity [Sweeney ‘02]
‣ Use generalizations to suppress
‣ Avoid linking of records
• Cliques, Cloaked Regions, etc…
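A worked illustration of the two points above (re-identification by linking on quasi-identifiers, and k-anonymity reached through generalization), added here as an example; it is not code from the slides or from Sweeney's paper. The six-row table, its ZIP/age quasi-identifiers and the two generalization ladders (truncating ZIP digits, widening age bands) are constructed for the example:

```python
from collections import Counter

# Constructed sample table (not from the slides): quasi-identifiers ZIP and
# age, plus a sensitive attribute. Names have already been removed.
RECORDS = [
    ("16801", 23, "flu"),
    ("16802", 27, "cold"),
    ("16803", 29, "flu"),
    ("16870", 41, "asthma"),
    ("16875", 45, "flu"),
    ("16877", 48, "cold"),
]


def link(records, zip_code, age):
    """Linking attack: join outside knowledge (zip, age) against the table.
    A single match re-identifies the person although the name is gone."""
    return [r for r in records if r[0] == zip_code and r[1] == age]


def generalize(record, zip_digits, age_band):
    """Generalization: keep only zip_digits of the ZIP and bucket the age."""
    zip_code, age, sensitive = record
    zip_g = zip_code[:zip_digits] + "*" * (5 - zip_digits)
    lo = age - age % age_band
    return (zip_g, f"{lo}-{lo + age_band - 1}", sensitive)


def equivalence_classes(rows):
    """Rows per distinct quasi-identifier tuple (the linkable unit)."""
    return Counter((z, a) for z, a, _ in rows)


def is_k_anonymous(rows, k):
    """Every quasi-identifier tuple must be shared by at least k rows."""
    return min(equivalence_classes(rows).values()) >= k


def anonymize(records, k):
    """Walk the generalization ladder from most to least specific and return
    the first k-anonymous table with the (zip_digits, age_band) it used, so
    the released data stays as useful as the privacy target allows."""
    for zip_digits in range(5, -1, -1):
        for age_band in (1, 5, 10, 20, 50, 100):
            rows = [generalize(r, zip_digits, age_band) for r in records]
            if is_k_anonymous(rows, k):
                return rows, (zip_digits, age_band)
    raise ValueError(f"cannot reach k={k} with these ladders")


if __name__ == "__main__":
    print("linking (16801, 23) ->", link(RECORDS, "16801", 23))
    rows, params = anonymize(RECORDS, 3)
    print("3-anonymous with (zip digits, age band) =", params)
    for row in rows:
        print(row)
```

With the raw table, a single (ZIP, age) pair known from elsewhere picks out exactly one row; anonymize(RECORDS, 3) has to drop to four ZIP digits and ten-year age bands before every class holds three rows. The caveat behind "public knowledge too…": k-anonymity limits linking, but if all rows of a class share the same sensitive value the attacker still learns it.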
The Friendly Ghost
• The New Casper: Query Processing for Location Services without Compromising Privacy [Mokbel, Chow, Aref ‘06]
• Mokbel et al. notice that previous approaches:
‣ Ignore the difficulties of privacy-based queries
‣ Offer a severely limiting Location Anonymizer
  • Uniform privacy policy
  • Fundamentally flawed
  • Computationally heavy
Architecture
• Location Anonymizer receives continuous location updates
‣ Blurs the user’s location into a cloaked region based on the privacy profile (kmin, Amin)
• Query Processor is built into the database
‣ Returns a candidate list of answers
Location Anonymizer
• Mokbel et al. identify four requirements:
‣ Accuracy
‣ Quality
‣ Efficiency
‣ Flexibility
• Any others?
• Spatio-temporal cloaking meets only quality
• CliqueCloak gives some accuracy and flexibility
Data Structure
• A grid-based pyramid is used to represent the entire service area
• Each cell is made up of 4 cells found a level below
• Hash table is maintained for quick lookup
• Key Idea:
‣ Cells contain user count
‣ Boundaries are independent of user’s location
Basic Cloaking Method
• Bottom-up approach using a complete pyramid
• Recursively move up the pyramid looking for a cell that satisfies the privacy profile
‣ First attempt to combine with a neighbor cell
‣ Move up if the profile’s constraints are still not both met
• Is there anything wrong with this data structure?
Adaptive Cloaking Method
• Uses an incomplete pyramid structure
‣ Only maintain cells that contain users
‣ Only at the highest level necessary
  • Hash table will point to this level instead of the lowest
‣ May not even need recursion
‣ Updates must consider
  • Splitting / merging
• High-speed users would trigger costly updates
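The grid pyramid, the basic bottom-up cloaking and the adaptive (incomplete) pyramid of the last three slides, worked through as an added Python example. This is not the paper's code: the adaptive part is a simplified reading of the slides (the incomplete pyramid is built top-down and neighbor combination is left out there), and the 64x64 service area, the four-level pyramid, the user positions and the (kmin, Amin) profiles in build_sample() are constructed for the example:

```python
from collections import defaultdict


class Pyramid:
    """Grid-based pyramid over a width x height service area. Level 0 is the
    root; level i has 2^i x 2^i cells, each made of four cells one level
    below. Cell id = (level, col, row); counts[cell] = users inside it.
    Cell boundaries never depend on where the users are."""

    def __init__(self, width, height, levels):
        self.w, self.h, self.levels = width, height, levels
        self.counts = defaultdict(int)
        self.user_cell = {}  # hash table: user -> lowest-level cell

    def leaf(self, x, y):
        n = 2 ** (self.levels - 1)
        return (self.levels - 1, min(int(x * n / self.w), n - 1),
                min(int(y * n / self.h), n - 1))

    @staticmethod
    def parent(cell):
        return (cell[0] - 1, cell[1] // 2, cell[2] // 2)

    def area(self, cell):
        n = 2 ** cell[0]
        return (self.w / n) * (self.h / n)

    def ancestors(self, cell):
        while cell[0] >= 0:
            yield cell
            cell = self.parent(cell)

    def update(self, user, x, y):
        """Continuous location update: fix counts on the path to the root."""
        old, new = self.user_cell.get(user), self.leaf(x, y)
        if old == new:
            return
        for cell in (self.ancestors(old) if old else ()):
            self.counts[cell] -= 1
        for cell in self.ancestors(new):
            self.counts[cell] += 1
        self.user_cell[user] = new

    def satisfies(self, cell, kmin, amin, extra=()):
        """Profile check for cell merged with `extra` same-level cells."""
        users = self.counts[cell] + sum(self.counts[c] for c in extra)
        return users >= kmin and self.area(cell) * (1 + len(extra)) >= amin

    def basic_cloak(self, user, kmin, amin):
        """Basic method: climb from the leaf cell; before moving up, try the
        horizontal and vertical neighbour inside the same parent (2x1 region)."""
        cell = self.user_cell[user]
        while cell[0] > 0:
            if self.satisfies(cell, kmin, amin):
                return [cell]
            lvl, c, r = cell
            for nb in ((lvl, c ^ 1, r), (lvl, c, r ^ 1)):
                if self.satisfies(cell, kmin, amin, extra=(nb,)):
                    return [cell, nb]
            cell = self.parent(cell)
        return [cell]  # root: whole service area

    def users_in(self, cell):
        lvl, c, r = cell
        s = self.levels - 1 - lvl
        return [u for u, (_, lc, lr) in self.user_cell.items()
                if lc >> s == c and lr >> s == r]

    def adaptive_table(self, profiles):
        """Adaptive method (simplified, no neighbour combination): build the
        incomplete pyramid top-down, splitting a cell only while one of its
        children already satisfies a user inside that child; map each user
        to its deepest maintained cell. Empty cells are never materialised."""
        table, stack = {}, [(0, 0, 0)]
        while stack:
            lvl, c, r = cell = stack.pop()
            kids = [] if lvl == self.levels - 1 else [
                k for k in ((lvl + 1, 2 * c + dc, 2 * r + dr)
                            for dc in (0, 1) for dr in (0, 1)) if self.counts[k]]
            if any(self.satisfies(k, *profiles[u])
                   for k in kids for u in self.users_in(k)):
                stack.extend(kids)
            else:
                for u in self.users_in(cell):
                    table[u] = cell
        return table

    def adaptive_cloak(self, user, table, profiles):
        """Start at the maintained cell; recurse upward only if the user's
        profile is stricter than that cell provides."""
        cell, (kmin, amin) = table[user], profiles[user]
        while cell[0] > 0 and not self.satisfies(cell, kmin, amin):
            cell = self.parent(cell)
        return cell


def build_sample():
    """Constructed scenario: 64 x 64 area, 4 levels (8 x 8 leaf grid, leaf
    area 64), five users with individual (kmin, Amin) profiles."""
    pyr = Pyramid(64, 64, 4)
    for user, (x, y) in {"a": (1, 1), "b": (2, 2), "c": (3, 3),
                         "d": (40, 40), "e": (50, 45)}.items():
        pyr.update(user, x, y)
    return pyr, {"a": (2, 64), "b": (4, 64), "c": (3, 64),
                 "d": (2, 64), "e": (1, 256)}
```

After build_sample(), pyr.basic_cloak("d", 2, 64) returns [(2, 2, 2), (2, 3, 2)]: the user's own level-2 cell combined with its horizontal sibling, which is smaller than climbing to the 32x32 parent. With b's (4, 64) profile the climb ends at the root, i.e. the whole service area, which is the utility question raised on the Criticism slide. The adaptive table maps e straight to (2, 3, 2) with no recursion, while d's stricter profile still recurses to (1, 1, 1). Moving e with pyr.update("e", 2, 4) costs only the count fix-ups on the path to the root, but changes which cells the adaptive table keeps, which is the split/merge cost noted for high-speed users.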
Is this better?
• Does the pyramid meet the four requirements?
‣ Accuracy: small grid cells
‣ Quality: predefined cells are independent of data
‣ Efficiency: pre-computed cells
‣ Flexibility: individual privacy profile
People are data too…
• Traditional LBSDBs do not consider the case of private data objects
‣ User-gathered data is sensitive
• Private over public
• Public over private
• Private over private
Private over Public
• How do we query if we don’t know the query point?
‣ Two extremes are a little extreme…
‣ Solution: determine what could be the results
• Algorithm for NN queries:
‣ Filter
‣ Find the middle point
‣ Extend the search area
‣ Gather the candidate list
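The four steps above, worked through as an added Python example (not the paper's code): the query processor receives a cloaked rectangle instead of a query point, the targets are public, and a brute-force check confirms that the candidate list contains a true nearest neighbor for every point the user could be at. The target coordinates and the region are constructed; the equidistant-point formula and the final range query are this example's reading of the slide, so the paper's own extension step may differ in detail:

```python
import math
from itertools import product

# Constructed public targets (think gas stations) in a 60 x 60 area; not
# data from the paper or the slides.
TARGETS = [(2, 3), (12, 14), (25, 8), (40, 30), (18, 46), (33, 50),
           (7, 28), (48, 12), (55, 45), (30, 25)]
# Cloaked region handed over by the Location Anonymizer instead of the
# user's exact position: (x1, y1, x2, y2).
REGION = (10, 10, 30, 30)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def nearest(objs, p):
    """Nearest target to p (first one wins on exact ties)."""
    return min(objs, key=lambda o: dist(o, p))


def split_point(a, b, fa, fb):
    """Point on segment a-b equidistant from filters fa and fb, i.e. where
    the perpendicular bisector of fa-fb crosses the edge; None if it does
    not cross (only possible when an endpoint is exactly tied)."""
    d = (b[0] - a[0], b[1] - a[1])
    w = (fb[0] - fa[0], fb[1] - fa[1])
    denom = d[0] * w[0] + d[1] * w[1]
    if abs(denom) < 1e-12:
        return None
    c = (fb[0] ** 2 + fb[1] ** 2 - fa[0] ** 2 - fa[1] ** 2) / 2
    s = (c - (a[0] * w[0] + a[1] * w[1])) / denom
    if not 0.0 <= s <= 1.0:
        return None
    return (a[0] + s * d[0], a[1] + s * d[1])


def candidate_list(region, objs):
    """Private-over-public NN query; returns (candidates, r).
    1. Filter: the NN of each vertex of the cloaked rectangle.
    2. Middle point: where two adjacent vertices have different filters,
       the point on the edge that is equidistant from both.
    3. Extend: r = largest distance from any vertex/middle point to its
       filter, so no boundary point is farther than r from its own NN.
    4. Gather: range query over the rectangle grown by r on every side."""
    x1, y1, x2, y2 = region
    verts = [(x1, y1), (x2, y1), (x2, y2), (x1, y2)]
    filters = [nearest(objs, v) for v in verts]
    r = 0.0
    for i in range(4):
        a, b = verts[i], verts[(i + 1) % 4]
        fa, fb = filters[i], filters[(i + 1) % 4]
        r = max(r, dist(a, fa), dist(b, fb))
        if fa != fb:
            m = split_point(a, b, fa, fb)
            if m is not None:
                r = max(r, dist(m, fa))
    ext = (x1 - r, y1 - r, x2 + r, y2 + r)
    cands = [o for o in objs
             if ext[0] <= o[0] <= ext[2] and ext[1] <= o[1] <= ext[3]]
    return cands, r


def inclusive(region, objs, steps=20):
    """Brute-force check of the inclusiveness claim: for a grid of possible
    query points inside the region, the candidate list holds a true NN."""
    cands, _ = candidate_list(region, objs)
    x1, y1, x2, y2 = region
    for i, j in product(range(steps + 1), repeat=2):
        q = (x1 + (x2 - x1) * i / steps, y1 + (y2 - y1) * j / steps)
        if dist(q, nearest(cands, q)) != dist(q, nearest(objs, q)):
            return False
    return True


if __name__ == "__main__":
    cands, r = candidate_list(REGION, TARGETS)
    print(f"extension r = {r:.2f}; candidates = {cands}")
    print("contains an NN for every point in region:", inclusive(REGION, TARGETS))
```

Here the extension radius comes from the top edge (30,30)-(10,30): its endpoints have different filters, (30,25) and (7,28), and the point on the edge equidistant from both lies about 12.1 from either, farther than any vertex is from its own filter. Six of the ten targets survive the range query and inclusive() confirms that every grid point inside the region finds a true NN among them. For private targets (next slide) the point distances would be replaced by distances to the farthest corner of each target's cloaked cell.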
An example
• (Figure: find filters, midpoints, extend)
Private over Private
• Only difference is that the target objects’ shape is unknown
‣ All steps must consider the farthest corner of the cloaked data points
• Candidate list is selected from regions that are covered by some desired percentage
‣ This is policy based and orthogonal
‣ Works with any probabilistic query processing
Is it correct?
• The result set must be both
‣ Inclusive
‣ Minimal (Accuracy)
• The proof is elementary… geometry
Sketch of Proof
• Theorem 1: The candidate list contains the NN to the query point.
‣ Two cases
• Theorem 2: The minimum possible range query is issued to get the candidate list
• Private targets would be the cloaked cells
Experiment
• Using the map of Hennepin County, MN and the Network-based Generator of Moving Objects
• Location Anonymizer
‣ No comparisons done with other techniques
  • Limited to a small number of users [previous paper]
  • Privacy requirement [CliqueCloak]
Results
• Pyramid height greater than 6 levels
‣ Adaptive approach reigns supreme
  • Effective because of the tiered levels = less searching
• With fewer levels, the basic approach is better
‣ Cell splitting and merging is expensive
• Fewer pyramid levels = less accurate
‣ Why?
Results - Scalability
• Basic method
‣ More relaxed users = faster cloaking time
‣ More restrictive users = more recursion
• Adaptive method
‣ More users = slower
‣ Always better than basic method
  • Fewer maintained cells
‣ More restrictive users = higher clustering
Results - Query Processor
• The number of filters is used as the experimental factor
‣ 1, 2, and 4 (normal)
• Public targets:
‣ More filters gave a smaller candidate list
‣ 4 always gives the best processing time
• Private targets:
‣ Similar to public for list size
‣ But greater CPU time for analyzing private areas with 4
End to End
• How efficient is CASPER?
• For relaxed (<10) privacy profiles
‣ Query processing is the dominant factor
• For stricter profiles, transmission time is overwhelmingly dominant
‣ Using fewer than 4 filters increases the list size
‣ Any processing time gain with fewer filters is negligible
Take Away
• So what does CASPER mean to us?
• A more complete framework
‣ Location Anonymizer that meets the requirements
‣ Considers the processing side of private queries
‣ Differentiates between public and private targets
Criticism
• What are the flaws of this paper?
• Will extending the query to other types break the system?
• What if all users fill the adaptive pyramid’s lowest level?
• Can a user demand privacy that defeats the utility of the system?
• Users on cell borders?