1 / 26

The New Casper: Query Processing for Location Services without Compromising Privacy

Delve into the major privacy threats posed by location-based services and explore innovative solutions like Casper Architecture and Privacy-aware Query Processor.

gerryc
Download Presentation

The New Casper: Query Processing for Location Services without Compromising Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The New Casper: Query Processing for Location Services without Compromising Privacy Mohamed F. Mokbel University of Minnesota Chi-Yin Chow University of Minnesota Walid G. Aref Purdue University

  2. Major Privacy Threats YOU ARE TRACKED…!!!! “New technologies can pinpoint your location at any time and place. They promise safety and convenience but threaten privacy and security” Cover story, IEEE Spectrum, July 2003 VLDB 2006

  3. Major Privacy Threats VLDB 2006

  4. WHY location-detection devices? With all its privacy threats, why do users still use location-detection devices? • Location-based services rely on the implicit assumption that users agree on revealing their private user locations • Location-based services trade their services with privacy Location-based DatabaseServer Wide spread of location-based services • Location-based store finders • Location-based traffic reports • Location-based advertisements VLDB 2006

  5. 100% Service 0% Privacy 0% 100% Service-Privacy Trade-off • Example: • Where is my nearest bus VLDB 2006

  6. Privacy-aware Query Processor Location-based DatabaseServer Location Anonymizer The Casper Architecture 2: Query + blurred Spatial Region 3: Candidate Answer Third trusted party that is responsible on blurring the exact location information. 1: Query + Location Information 4: Candidate/Exact Answer VLDB 2006

  7. Time k Amin ___ 8:00 AM - 1 5:00 PM - 1 mile 100 10:00 PM - 1000 5 miles System Users: Privacy Profile • Each mobile user has her own privacy-profile that includes: • K. A user wants to be k-anonymous • Amin. The minimum required area of the blurred area • Multiple instances of the above parameters to indicate different privacy profiles at different times VLDB 2006

  8. Location Anonymizer: Grid-based Pyramid Structure • The entire system area is divided into grids. • The Location Anonymizer incrementally keeps track the number of users residing in each grid. • Traverse the pyramid structure from the bottom level to the top level, until a cell satisfying the user privacy profile is found. • Disadvantages: • High location update cost. • High searching cost, Grid-based Pyramid Structure VLDB 2006

  9. Adaptive Location Anonymizer • Each sub-structure may have a different depth that is adaptive to the environmental changes and user privacy requirements. • Cell Splitting:A cell cid at level i needs to be split into four cells at level i+1 if there is at least one user u in cid with a privacy profile that can be satisfied by some cell at level i+1. • Cell Merging: Four cells at level i are merged into one cell at a higher level i-1 only if all users in the level i cells have strict privacy requirements that cannot be satisfied within level i. Adaptive Grid-based Pyramid Structure VLDB 2006

  10. The Privacy-aware QueryProcessor • Embedded inside the location-based database server • Process queries based on cloaked spatial regions rather than exact location information • Two types of data: • Public data. Gas stations, restaurants, police cars • Private data. Personal data records VLDB 2006

  11. Privacy-aware QueryProcessor: Query Types • Private queries over public data • What is my nearest gas station • Public queries over private data • How many cars in the downtown area • Private queries over private data • Where is my nearest friend VLDB 2006

  12. Private Queries over Public Data: Naive Approaches • Complete privacy • The Database Server returns all the target objects to the Location Anonymizer. • High transmission cost • Shifting the burden of query processing work onto the mobile user • Nearest target object to center of the spatial query region • Simple but NOT accurate Location Anonymizer (The correct NN object is T13.) VLDB 2006

  13. Private Queries over Public Data Step 1:Locate four filters • The NN target object for each vertex Step 2 :Find the middle points • The furthest point on the edge to the two filters Step 3:Extend the query range Step 4:Candidate answer m34 m24 m13 m12 VLDB 2006

  14. Private Queries over Public Data: Proof of Correctness • Theorem 1 • Given a cloaked area A for user u located anywhere within A, the privacy-aware query processor returns a candidate list that includes the exact nearest target to u. • Theorem 2 • Given a cloaked area A for a user u and a set of filter target object t1 to t4, the privacy-aware query processor issues the minimum possible range query to get the candidate list. (a) ti=tj (b) ti≠tj VLDB 2006

  15. Private Queries over Private Data Step 1:Locate four filters • The NN target object for each vertex Step 2:Find the middle points • The furthest point on the edge to the two filters Step 3:Extend the query range Step 4:Candidate answer m34 m24 m13 m12 VLDB 2006

  16. Private Queries over Private Data: Proof of Correctness • Theorem 3 • Given a cloaked area A for user u located anywhere within A and a set of target objects represented by their cloaked regions, the privacy-aware query processor returns a candidate list that includes the exact nearest target to u. • Theorem 4 • Given a cloaked area A for a user u and a set of filter target object t1 to t4 represented by their cloaked areas, the privacy-aware query processor issues the minimum possible range query to get the candidate list. (a) ti=tj (b) ti≠tj VLDB 2006

  17. Experimental Settings • We use the Network-based Generator of Moving Objects to generate a set of moving objects and moving queries. • The input to the generator is the road map of Hennepin County, MN, USA. • Compare the performance between Basic Location Anonymizer and Adaptive Location Anonymizer • Study the performance of Casper on processing • Private queries over publicdata • Private queries over privatedata • The Casper end-to-end performance VLDB 2006

  18. Location Anonymizer: Number of Moving Users • Parameter settings: • k = [10, 50] • Amin=[0.005, 0.1]% of the system area • Pyramid height = 9 • Basic LA and Adaptive LA are scalable to the number of moving users. • Adaptive LA outperforms Basic LA in terms of the cloaking CPU time and the maintenance cost. VLDB 2006

  19. Location Anonymizer: Effect of k Privacy Requirement • Parameter settings: • Amin=0 • Pyramid height = 9 • Basic LA and Adaptive LA are salable to the value of k. • Adaptive LA also outperforms Basic LA, as the value of k gets larger. VLDB 2006

  20. Privacy-aware Query Processor: Number of Public Target Objects • Parameter settings: • k = [10, 50] • Amin=[0.005, 0.1]% of the system area • # of moving users = 50K • The case of 4 filters outperforms the case of 1 filter and 2 filters in terms of query processing CPU time and candidate answer size VLDB 2006

  21. The Casper End-to-End Performance • Parameter settings: • Amin= 0 • # of moving users = 10K • # of target objects 5K • Bandwidth = 20 Mbps • Using 4 filters gives much better performance than that of using 1 filter • The bottleneck is moved to be the transmission time. Public Data Private Data VLDB 2006

  22. Summary • Addressing a major privacy threat to the user in location-based service environment • Casper • Location Anonymizer • Privacy-aware Query Processor • Experiment results depict that Casper is • Scalable • Accurate • Efficient VLDB 2006

  23. Related Work (1/2) • Adaptive-Interval Cloaking Algorithm • Divide the entire system area into quadrants of equal area iteratively, until the quadrant includes the user and other k-1 users • Drawbacks • Not scalable to the number of users • Not consider minimum required resolution of the cloaked region • Not support query processing • Compared with Casper • Flexibility  • Efficiency  • Quality  • Accuracy  M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking, MobiSys, 2003 VLDB 2006

  24. Related Work (2/2) • Clique-Cloak Algorithm • Each user has her own k-anonymity requirement. • A clique graph is constructed to search for a minimum bounding rectangle that includes the user’s message and other k-1 messages. • Drawbacks • Not scalable to k • Not consider minimum required resolution of the cloaked region • Not support query processing • An adversary can guess the location information of the users lying on the rectangle boundary with high probability. • Compared with Casper • Flexibility  • Efficiency  • Quality  • Accuracy  B. Gedik and L. Liu.Location Privacy in Mobile Systems: A Personalized Anonymization Model. ICDCS, 2005. VLDB 2006

  25. Location Anonymizer: Pyramid Height • Parameter settings: • k = [10, 50] • Amin=[0.005, 0.1]% of the system area • # of moving users = 50K • Cloaking CPU time and maintenance cost get higher with increasing pyramid height • Adaptive LA performs better than Basic LA, as the pyramid height increases VLDB 2006

  26. Privacy-aware Query Processor: Number of Private Target Objects • Parameter settings: • k = [10, 50] • Amin=[0.005, 0.1]% of the system area • # of moving users = 50K • The case of 4 filters outperforms the case of 1 filter and 2 filters in terms of query candidate answer size • The case of 4 filters performs better than the case of 1 filter and 2 filters in terms of query processing CPU time when number of target object is over 8K VLDB 2006

More Related