Narayanan-Shmatikov attack (IEEE S&P 2009)

2. Narayanan-Shmatikov attack (IEEE S&P 2009) • A. Narayanan and V. Shmatikov, De-anonymizing Social Networks, IEEE S&P 2009. • Anonymized data: Twitter (crawled in late 2007) • A microblogging service • 224K users, 8.5M edges • Auxiliary data: Flicker (crawled in late 2007/early 2008) • A photo-sharing service • 3.3M users, 53M edges • Result: 30.8% of the users are successfully de-anonymized Twitter Flicker Heuristics Eccentricity Edge directionality Node degree Revisiting nodes Reverse match User mapping

3. Srivatsa-Hicks Attacks (ACM CCS 2012) • M. Srivatsa and M. Hicks, De-anonymizing Mobility Traces: using Social Networks as a Side-Channel, ACM CCS 2012. • Anonymized data • Mobility traces: St Andrews, Smallblue, and Infocom 2006 • Auxiliary data • Social networks: Facebook, and DBLP • Over 80% users can be successfully de-anonymized

4. Motivation • Question 1: Why can structural data be de-anonymized? • Question 2: What are the conditions for successful data de-anonymization? • Question 3: What portion of users can be de-anonymized in a structural dataset? [1] P. Pedarsani and M. Grossglauser, On the Privacy of Anonymized Networks, KDD 2011. [2] L. Yartseva and M. Grossglauser, On the Performance of Percolation Graph Matching, COSN 2013. [3] N. Korula and S. Lattanzi, An Efficient Reconciliation Algorithm for Social Networks, VLDB 2014.

5. Motivation • Question 1: Why can structural data be de-anonymized? • Question 2: What are the conditions for successful data de-anonymization? • Question 3: What portion of users can be de-anonymized in a structural dataset? Our Constribution Address the above three open questions under a practical data model.

6. Outline • Introduction and Motivation • System Model • De-anonymization Quantification • Evaluation • Implication 1: Optimization based De-anonymization (ODA) Practice • Implication 2: Secure Data Publishing • Conclusion

7. System Model • Anonymized Data • Auxiliary Data • De-anonymization • Measurement

8. System Model • Anonymized Data • Auxiliary Data • De-anonymization • Measurement • Quantification • Configuration Model • G can have an arbitrary degree sequence that follows any distribution conceptual underlying graph

9. Outline • Introduction and Motivation • System Model • De-anonymization Quantification • Evaluation • Implication 1: Optimization based De-anonymization (ODA) Practice • Implication 2: Secure Data Publishing • Conclusion

10. De-anonymization Quantification • Perfect De-anonymization Quantification Structural Similarity Condition Graph/Data Size Condition

11. De-anonymization Quantification • -Perfect De-anonymization Quantification Graph/Data Size Condition Structural Similarity Condition

12. Outline • Introduction and Motivation • System Model • De-anonymization Quantification • Evaluation • Implication 1: Optimization based De-anonymization (ODA) Practice • Implication 2: Secure Data Publishing • Conclusion

13. Evaluation • Datasets

14. Evaluation Structural Similarity Condition • Perfect De-anonymization Condition Graph/Data Size Condition

15. Evaluation • -Perfect De-anonymization Condition Projection/Sampling Condition Structural Similarity Condition Graph/Data Size Condition

16. Evaluation Structural Similarity Condition • -Perfect De-anonymizability

17. Evaluation Structural Similarity Condition • -Perfect De-anonymizability How many users can be successfully de-anonymized

18. Outline • Introduction and Motivation • System Model • De-anonymization Quantification • Evaluation • Implication 1: Optimization based De-anonymization (ODA) Practice • Implication 2: Secure Data Publishing • Conclusion

19. Optimization based De-anonymization (ODA) • Our quantification implies • An optimum de-anonymization solution exists • However, it is difficult to find it. Select candidate users from unmapped users with top degrees Mapping candidate users by minimizing the Edge Error function

20. Optimization based De-anonymization (ODA) • Our quantification implies • An optimum de-anonymization solution exists • However, it is difficult to find it. ODA Features 1. Cold start (seed-free) 2. Can be used by other attacks for landmark (seed) identification 3. Optimization based Space complexity Time complexity

21. ODA Evaluation • Dataset • Google+ (4.7M users, 90.8M edges): using random sampling to get anonymized graphs and auxiliary graphs • Gowalla: • Anonymized graphs: constructed based on 6.4M check-ins<UserID, latitude, longitude, timestamp, location ID> generated by .2M users • Auxiliary graph: the Gowalla social graph of the .2 users (1M edges) • Results: landmark identification

22. ODA Evaluation • Dataset • Google+ (4.7M users, 90.8M edges): using random sampling to get anonymized graphs and auxiliary graphs • Gowalla: • Anonymized graphs: constructed based on 6.4M check-ins<UserID, latitude, longitude, timestamp, location ID> generated by .2M users • Auxiliary graph: the Gowalla social graph of the .2 users (1M edges) • Results: de-anonymization

23. Outline • Introduction and Motivation • System Model • De-anonymization Quantification • Evaluation • Implication 1: Optimization based De-anonymization (ODA) Practice • Implication 2: Secure Data Publishing • Conclusion

24. Secure Structural Data Publishing • Structural information is important • Based on our quantification • Secure structural data publishing is difficult, at least theoretically • Open problem …

25. Conclusion • We proposed the first quantification framework for structural data de-anonymization under a practical data model • We conducted a large-scale de-anonymizability evaluation of 26 real world structural datasets • We designed a cold-start optimization-based de-anonymization algorithm Acknowledgement We thank the anonymous reviewers very much for their valuable comments!

26. Thank you! Shouling Ji sji@gatech.edu http://users.ece.gatech.edu/sji/