10 likes | 147 Views
id 1. id 2. id k. id k+1. id k+2. DEF. k -anonymity :. k =5. ?. ?. Data Item. HID. Private trajectory. ≥. m. n. data items. moving objects. DEF. k - α -anonymity : k -anonymity + α -diversity. t. k = 5 α = 1000m. y. t. sampled. y. generated. √ α. T s. x. x.
E N D
id1 id2 idk idk+1 idk+2 DEF. k-anonymity : k=5 ? ? Data Item HID Private trajectory ≥ m n data items moving objects DEF. k-α-anonymity : k-anonymity + α-diversity t k = 5 α = 1000m y t sampled y generated √α Ts x x Secret or embarrassing visit / location λ= 60 sec odd even id2 idk Server … t id1 id2 idk id1 id2 idk y 1 Ts+2λ # of copies 2 Ts+λ 2 Ts x Select pdis for exchange idk+m x x x … id2 … idk+3 id1 id2 idk previously exchanged idk+4 id1 id2 idk id2 id1 id2 idk … idk+3 id1 id2 idk idk+4 id1 id2 idk DEF.α-diversity : y locations (extendable to trajectories) Anonymity Age of Oldest Data Item Number of Exchanges AREA(MBR) ≥α x Győző GidófalviXuegang Huang and Torben Bach Pedersen PRIVACY-PRESERVINGTRAJECTORY COLLECTION Problem Setting Accurate trajectory patterns are necessary for Location-Based Services. A method that can collect exact trajectories in a privacy-preserving manner is needed. A method that uses free and energy-saving short-range P2P communication is desirable. However, during such communication a fixed hardware ID is exposed. Hence it is necessary that when a data item, which contains the private trajectory with possibly secret or embarrassing locations, is communicated, the link between public and private information is broken. Location Privacy Definitions k-anonymity requires that each data item can be associated with at least k moving objects and vice versa. α-diversity requires some spatial or spatio-temporal diversity in a set of locations / trajectories. Finally, k-α-anonymity combines the two. Privacy-Preserving Trajectory Collection in Five Stages Client Registration (CR) In the CR stage, the client expresses its privacy requirements (k,α). In response, the server approves a group of k clients and sends them timing parameters (start time: Ts, reporting period: τ). The CR stage ensures the k-anonymity of clients. Trajectory Sampling and Anonymization (TSA) In the TSA stage, the client continuously samples its real trajectory and generates k-1 realistic and pair-wise α-diverse synthetic trajectories and cuts the trajectories into pieces at every λ-period. Trajectory pieces of a trajectory are tagged with an ID and form partial data items (pdis). At every λ-period an even number of copies of sampled pdi and odd number of copies of the generated pdis are stored in the trajectory DB of the client. The TSA stage ensures the k-α-anonymity of the client trajectory DB. Registration Queue Registration request (HID, k, α) … k Approval (Ts, τ, τmax) Data Summarization (DS) In the DS stage the server continuously records the reports, merges trajectory pieces and monitors the number of pdis received for each trajectory piece. For a given trajectory, if after Ts+2τ the majority parity of the number of pdis for the trajectory pieces is even the trajectory is real and is stored in the Trajectory Repository (TR), otherwise the trajectory is synthetic and is discarded. The DS stage ensures the k-anonymity of the data in TR. Trajectory Repository Trajectory Exchange (TE) In the TE stage, the client periodically performs a Neighborhood Discovery (ND) process to find other clients to exchange pdis with. The pdis to be exchanged are randomly selected, but contain at least two sampled or generated-pdis and older pdis are prioritized. The TE stage ensures the k-α-anonymity of the exchanged data. Neighborhood Discovery: Get neighbors with at least k respective neighbors! Data Reporting (DR) After the reporting period has elapsed or the client DB is full, the client enters the DR stage. In the DR stage the client determines a maximal anonymity set of pdis, in which the number of pdis for each ID is statistically equal, and sends this set to the server. The DR stage ensures the k-α-anonymity of the reported data. Maximal Anonymity Set exchange Report at time Ts+τ or if DB is full Empirical Evaluation and Results Realistic simulation shows that the method works under reasonable conditions and anonymity settings (communication range = 10 meters and k = 5 is shown). In particular, most clients can report most of the collected data in a privacy-preserving fashion. The collection is virtually lossless. In summary, the proposed system collects exact trajectories without loss, does not require trusted components, and provides strong privacy guarantees. Győző Gidófalvi: Uppsala University – Department of Information Technology – gyozo.gidofalvi@it.uu.seXuegang Huang: Aalborg University – Department of Computer Science – xghuang@acm.orgTorben Bach Pedersen: Aalborg University – Department of Computer Science – tbp@cs.aau.dk