Hiding Stars (Elliott)
Hiding Stars with Fireworks:
Location Privacy through Camouflage
Joseph Meyerowitz
ECE and Physics
Romit Roy Choudhury
Dept. of ECE and CS
1
Context
Better localization technology
+
Pervasive wireless connectivity
=
Location-based applications
2
Location-Based Apps
For Example:
GeoLife shows grocery list near WalMart
Micro-Blog allows location scoped querying
Location-based ad: Coffee coupon at Starbucks
…
Location expresses context of user
Facilitating content delivery
It's as if location is the IP address for content
3
Double-Edged Sword
While location drives this new class of applications,
it also violates user’s privacy
Sharper the location, richer the app, deeper the violation
4
Moreover, a range of apps are PUSH-based.
Require continuous location information
Phone detected at Starbucks, PUSH a coffee coupon
Phone located on highway, query traffic congestion
5
Location Privacy
Problem:
Continuous location exposure a serious threat to privacy
Research:
Preserve privacy without sacrificing the quality of continuous loc. based apps
6
Just Call Yourself “Freddy”
Pseudonyms [Gruteser04]
Effective only when infrequent location exposure
Else, spatio-temporal patterns enough to deanonymize
… think breadcrumbs
[Figure labels: John, Leslie, Jack, Susan, Alex; Romit’s Office]
7
Add Noise
K-anonymity [Gedic05]
Convert location to a space-time bounding box
Ensure K users in the box
Location Apps reply to boxed region
[Figure labels: Bounding Box, You, K=4]
Issues
Poor quality of location
Degrades in sparse regions
Not real-time
8
Confuse Via Mixing
Path intersections are an opportunity for privacy
If users intersect in space-time, cannot say who is who later
9
[Figure labels: Hospital, Airport]
Unfortunately, users may not intersect in both space and time
10
Hiding Until Mixed
Partially hide locations until users mixed [Gruteser07]
Expose after a delay
Hospital
Airport
11
But delays unacceptable to real-time apps
12
Existing solutions seem to suggest:
Privacy and Quality of Localization (QoL) is a zero sum game
Need to sacrifice one to gain the other
13
Our Goal
Break away from this tradeoff
Target:
Spatial accuracy
Real-time updates
Privacy guarantees
Even in sparse populations
We design: CacheCloak
14
The Intuition
Predict until paths intersect
Expose predicted intersection to application
Cache the information on each predicted location
[Figure labels: Hospital, Airport, Predict]
17
CacheCloak
System Design and Evaluation
18
Architecture
Assume trusted privacy provider
Reveal location to CacheCloak
CacheCloak exposes anonymized location to Loc. App
Loc. App1
Loc. App2
Loc. App3
Loc. App4
CacheCloak
19
In Steady State …
Location Based Application
CacheCloak
20
Prediction
Location Based Application
Backward
prediction
Forward
prediction
CacheCloak
21
Predicted Intersection
Location Based Application
Predicted Path
CacheCloak
23
Query
Location Based Application
Predicted Path
CacheCloak
24
Query
Location Based Application
?
?
?
?
CacheCloak
25
LBA Responds
Location Based Application
Array of responses
CacheCloak
26
Cached
Location Based Application
Cached Responses
CacheCloak
Location based
Information
27
Cached Response
Location Based Application
Cached Responses
CacheCloak
Location based
Information
28
Cached Response
Location Based Application
Predicted
Path
CacheCloak
31
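The steady-state, prediction, query and cached-response steps on the preceding slides, as an added sketch that is not the authors' implementation. The map, the `FWD`/`BACK` history tables, `fake_lba` and all class and method names are constructed for illustration, and every user is assumed to send the same, indistinguishable query.

```python
class CacheCloak:
    """Trusted intermediary: sees true locations, shows the LBA only predicted paths."""

    def __init__(self, lba, fwd, back):
        self.lba, self.fwd, self.back = lba, fwd, back
        self.cache = {}      # pixel -> cached LBA response
        self.lba_log = []    # every batch of pixels the LBA was asked about

    def _extend(self, pixel, step):
        """Walk the history-based predictor until a cached pixel or the map edge."""
        path = []
        while pixel in step:
            pixel = step[pixel]
            if pixel in self.cache:   # predicted intersection with an existing path
                break
            path.append(pixel)
        return path

    def locate(self, pixel):
        """Handle one location update from a user; return the location-based info."""
        if pixel not in self.cache:   # user has left every predicted path
            path = (self._extend(pixel, self.back)[::-1] + [pixel]
                    + self._extend(pixel, self.fwd))
            self.lba_log.append(path)
            self.cache.update(zip(path, self.lba(path)))  # array of responses
        return self.cache[pixel]

# Constructed map: two roads (h*, a*) merge at intersection "x", then continue m*.
FWD = {"h1": "h2", "h2": "x", "a1": "a2", "a2": "x", "x": "m1", "m1": "m2"}
BACK = {"h2": "h1", "a2": "a1", "x": "h2", "m1": "x", "m2": "m1"}

def fake_lba(pixels):
    """Stand-in location-based application: one response per queried pixel."""
    return [f"info@{p}" for p in pixels]

def demo():
    cloak = CacheCloak(fake_lba, FWD, BACK)
    for pixel in ["h2", "x"]:            # user 1 drives in from the hospital road
        cloak.locate(pixel)
    for pixel in ["a2", "x", "m1"]:      # user 2 arrives later from the airport road
        last = cloak.locate(pixel)
    return cloak.lba_log, last

if __name__ == "__main__":
    log, last = demo()
    print("LBA saw:", log)               # two path queries, no per-user updates
    print("user 2 got:", last)
```

The LBA's view is two whole-path queries that join at "x"; the five location updates, and which user continues onto m1, stay inside CacheCloak.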
Benefits
Real-time
Response ready when user arrives at predicted location
High QoL
Responses can be specific to location
Overhead on the wired backbone (caching helps)
Entropy guarantees
Entropy increases at traffic intersections
Sparse population
Can be handled with dummy users, false branching
32
Quantifying Privacy
City converted into grid of small squares (pixels)
Users are located at a pixel at a given time
Each pixel associated with 8x8 matrix
Element (x, y) = probability that user enters x and exits y
Probabilities diffuse
At intersections
Over time
Privacy = entropy
$E_{\text{user}} = -\sum_{i \in \text{pixels}} p_i \log p_i$
33
Diffusion
Probability of user’s presence diffuses
Diffusion gradient computed based on history
i.e., what fraction of users take right turn at this intersection
[Figure labels: Road, Intersection; Time t1, Time t2, Time t3]
34
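The entropy metric and the diffusion step from the two preceding slides, carried through on a small graph as an added example that is not the authors' code. It simplifies the per-pixel 8x8 enter/exit matrix to a per-pixel table of next-pixel fractions; the graph, the fractions and the 0.3 threshold are constructed sample values, and log base 2 is assumed so that entropy comes out in bits.

```python
import math
from collections import defaultdict

# Constructed road graph: pixel -> {next pixel: historical fraction of users taking it}.
# "B" and "D" are intersections; E, F and G are road ends that keep their mass.
TURNS = {
    "A": {"B": 1.0},
    "B": {"C": 0.5, "D": 0.5},
    "C": {"E": 1.0},
    "D": {"F": 0.25, "G": 0.75},
    "E": {"E": 1.0}, "F": {"F": 1.0}, "G": {"G": 1.0},
}

def diffuse(p, turns=TURNS):
    """One time step: push each pixel's probability mass along its turn fractions."""
    nxt = defaultdict(float)
    for pixel, mass in p.items():
        for dest, frac in turns[pixel].items():
            nxt[dest] += mass * frac
    return dict(nxt)

def entropy_bits(p):
    """E_user = -sum_i p_i log2 p_i over the pixels where the user may be."""
    return sum(-m * math.log2(m) for m in p.values() if m > 0)

def peaks(p, threshold):
    """Peak counting: pixels where the attacker's confidence exceeds the threshold."""
    return sum(1 for m in p.values() if m > threshold)

def trace(start, steps, threshold=0.3):
    """(entropy, peak count) after each step for a user last seen at `start`."""
    p, out = {start: 1.0}, []
    for _ in range(steps):
        p = diffuse(p)
        out.append((round(entropy_bits(p), 4), peaks(p, threshold)))
    return out

if __name__ == "__main__":
    for t, (e, k) in enumerate(trace("A", 3), 1):
        print(f"t{t}: entropy={e} bits, peaks>0.3={k}")
```

Entropy stays at zero along the single road and rises only when probability splits at an intersection, which is the behaviour the Benefits slide summarizes as "Entropy increases at traffic intersections".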
Evaluation
Trace based simulation
VanetMobiSim + US Census Bureau trace data
Durham map with traffic lights, speed limits, etc.
6km x 6km
10m x 10m pixel
1000 cars
Vehicles follow Google map paths
Performs collision avoidance
35
Results
High average entropy
Quite insensitive to user density (good for sparse regions)
Minimum entropy reasonably high
[Plot labels: Bits of Mean Entropy; Max.; Min.; Time (Minutes); Number of Users (N)]
36
Results
Peak Counting
# of places where attacker’s confidence is > Threshold
[Plot labels: Mean # of Peaks; Time (Seconds)]
37
Results
Peak Counting
# of places where attacker’s confidence is > Threshold
[Plot labels: Mean # of Peaks; Number of Users (N)]
38
Limitations, Discussions …
CacheCloak overhead
Application replies to a lot of queries
However, the overhead is on the wired infrastructure
Caching reduces this overhead significantly
CacheCloak assumes same, indistinguishable query
Different queries can deanonymize
Possible through query combination … future work
Per-user privacy guarantee not yet supported
Adaptive branching & dummy users
CacheCloak - a central trusted entity
Distributed version proposed in the paper
39
Closing Thoughts
Two nodes may intersect in space but not in time
Mixing not possible, without sacrificing timeliness
Mobility prediction creates space-time intersections
Enables virtual mixing in future
40
Closing Thoughts
CacheCloak
Implements the prediction and caching function
High entropy possible even under sparse population
Spatio-temporal accuracy remains uncompromised
41
Thank You
For more related work, visit:
http://synrg.ee.duke.edu
44