Preventing Denial-of-request Inference Attacks in Location-sharing Services
Kazuhiro Minami, Institute of Statistical Mathematics
ICMU 2014
Location Sharing Services (LSSs)
• Enable users to share their identifiable location information with others
• Examples: Google Latitude, Glympse, Instamapper
• Mobile platforms: iPhone, Android
• Raise significant concern on location privacy
[Figure labels: GPS signal; Compute GPS coordinates; Publish location data; LSS; Retrieve location data]
Naïve Access Control in LSS
• Define: set of private locations S
• Examples: hospitals, drinking bars, etc.
[Figure labels: Target user; Requester; LSS; No]
However, just protecting private locations is not enough
• Assume that Dave knows Bob’s previous traces
• Bob can figure out that Alice is visiting the hospital here
[Figure labels: Hospital; Book store; Bob’s path; Dave; Bob]
Location Predictor based on the Markov Model
• Consider locations as states of a user and define a state transition matrix M
• Probability of moving from $l_i$ to $l_k$ in n steps: $M_{i,k}(n)$
[Figure: example state-transition graph over the locations DCL, Unihigh, Union and Siebel Center, with edge probabilities 0.2, 0.3 and 0.5; a second diagram shows a path from $l_i$ to $l_k$ in n steps]
(M, t)-Access control [MBL2011]
• Prevent predicting the target user’s visiting a private location with probability higher than a given threshold value t
• For every private location $l_k$, ask if $M_{i,k}(n) < t$
[Figure labels: Target user; Requester; LSS; Set of private locations S; Matrix M]
However, not publishing location data reveals some information
• A user moves $l_1$, $l_2$, and $l_3$ in sequence
• A threshold value t = 0.8
• Only $l_2$ is not publishable since the user will surely visit $l_3$ next
• If we get a sequence ($l_1$, ε) we learn:
  - The user is currently at $l_2$, and
  - The user will visit $l_3$ next
[Figure: transition graph with edge probabilities 1.0, 0.5 and 0.5; annotations: "Next location is either $l_2$ or $l_4$", "Private location"]
Denial-of-request Inferences
• If LSS does not publish location data after publishing $l_i$, the requester learns that
[Figure labels: DENY; $l_i$; $l_j$; $l_k$; Private location; n steps]
Algorithm for converting the original matrix M to compressed M’
• If we see ($l_1$, ε), we know the user’s either at $l_2$ or $l_3$
• S = {$l_6$, $l_8$}; S = {$l_2$, $l_3$, $l_6$, $l_8$}
• If we see ($l_2$, ε), we know the user’s at $l_6$
[Figure: state-transition graphs before and after the conversion, with edge probabilities]
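The denial-of-request inference and the growth of the private set described on the slides above, as an added Python sketch (not the paper's compressed-matrix algorithm and not code from the talk). It assumes one-step transitions (n = 1), a constructed matrix `M`, and hypothetical function names; the risk measure used is the probability of being at a private location now or on the next step.

```python
# Added illustration. Constructed transition matrix (not from the Geolife data):
# M[i][k] = P(next location = k | current location = i).
M = {
    "l0": {"l3": 0.5, "l6": 0.5},
    "l1": {"l2": 0.5, "l4": 0.5},
    "l2": {"l3": 1.0},
    "l3": {"l4": 1.0},
    "l4": {"l5": 1.0},
    "l5": {"l4": 1.0},
    "l6": {"l4": 1.0},
}

def hidden(M, S, t):
    """(M, t) rule with n = 1: withhold private locations and any location
    from which some private location is reached with probability >= t."""
    return set(S) | {i for i in M if any(M[i].get(k, 0.0) >= t for k in S)}

def denial_posterior(M, i, H):
    """Requester's belief about the current location after observing
    (l_i, ε): the user must have moved to a withheld successor of l_i."""
    mass = {j: p for j, p in M[i].items() if j in H and p > 0}
    total = sum(mass.values())
    return {j: p / total for j, p in mass.items()} if total else {}

def denial_risk(M, i, S, t):
    """Highest probability, given a denial after l_i, that the user is at
    some private location now or enters it on the next step."""
    post = denial_posterior(M, i, hidden(M, S, t))
    return max((sum(p * (1.0 if j == k else M[j].get(k, 0.0))
                    for j, p in post.items()) for k in S), default=0.0)

def expand_private(M, S, t, max_rounds=10):
    """Add every publishable l_i whose denial risk is >= t to the private
    set, repeating until nothing changes (or max_rounds is reached)."""
    S = set(S)
    for _ in range(max_rounds):
        H = hidden(M, S, t)
        leaky = {i for i in M if i not in H and denial_risk(M, i, S, t) >= t}
        if not leaky:
            break
        S |= leaky
    return S

if __name__ == "__main__":
    S0, t = {"l3", "l6"}, 0.8
    print("withheld by (M, t):", sorted(hidden(M, S0, t)))
    print("risk after (l1, ε):", denial_risk(M, "l1", S0, t))
    print("risk after (l0, ε):", denial_risk(M, "l0", S0, t))
    print("expanded private set:", sorted(expand_private(M, S0, t)))
```

In this constructed graph a denial after l1 pins the user to l2, so l1 has to be withheld as well, while a denial after l0 stays ambiguous between l3 and l6 and l0 remains publishable.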
Revisiting the previous example with our proposed method
[Figure labels: Hospital; Bob’s path; Book store]
Comparison of the two access-control methods with the Geolife dataset
Q: How many more non-releasable locations when we consider denial-of-request inferences?
• Consider a rectangular region of 39 × 30 kilometers in Beijing, China
• Use top 10 users in terms of data points
• Divide the region into 140 × 140 (= 19,600) unit regions
• GPS dataset published by Microsoft Asia
• 178 users in the period of four years
• Logged every 1 – 5 seconds
Initial private locations $S_0$
• Pick two locations, a restaurant and a hospital, which were actually visited by users
  - China-Japan Friendship Hospital (N. latitude 39.97260, E. longitude 116.42072)
  - South Beauty Restaurant (N. latitude 39.99635, E. longitude 116.40360)
• Randomly choose a given number of locations from the most frequently visited locations
Dependency on the number of initial private locations
[Plot: #Final private locations versus #Initial private locations]
A threshold δ = 0.8. #Inference steps = 1.
Dependency on the number of inference attacks
[Plot: #Final private locations versus #Inference steps]
A threshold δ = 0.8. #Initial private locations = 2.
Conclusions
• Study a new inference problem concerning a denial of service request in LSSs
• Model an adversary with a compressed state transition matrix
• Experimental results show a considerable in existing LSSs
• Future work includes studying inference problems based on the hidden Markov model