This paper discusses the problem of preserving user privacy in location-based queries in distributed mobile systems and proposes a solution based on an anonymizing spatial region. It introduces the concept of K-anonymity and presents the PRIVÉ architecture for preserving query source anonymity. The paper also evaluates the performance of the proposed solution experimentally.
PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems
1 National University of Singapore {ghinitag,kalnis}@comp.nus.edu.sg
2 University of Peloponnese, Greece spiros@uop.gr
Location-Based Services (LBS)
• LBS users
  • Mobile devices with GPS capabilities
• Spatial database queries
• Queries
  • NN and Range Queries
• Location server is NOT trusted
(figure: “Find closest hospital to my present location”)
Problem Statement
• Queries may disclose sensitive information
• Query through anonymous web surfing service
  • But user location may disclose identity
    • Triangulation of device signal
    • Publicly available databases
    • Physical surveillance
• How to preserve query source anonymity?
  • Even when exact user locations are known
Solution Overview
• Anonymizing Spatial Region (ASR)
  • Identification probability ≤ 1/K
• Minimize overhead
  • Reduce ASR extent
  • Fast ASR assembly time
• Support user mobility
Central Anonymizer Architecture
• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure
K-Anonymity*
(figure: (a) Microdata; (b) Voting Registration List (public))
* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
K-Anonymity*
• 2-anonymous microdata
(figure: (b) Voting Registration List (public))
Relational and Spatial Anonymity
(figure: users plotted by Age against Zip)
Redundant Queries
• Send K-1 redundant queries
• Gives away exact location of users
• Potentially high overhead
CloakP2P [Chow06]
• Find K-1 NN of query source
• Source likely to be closest to ASR center
• Vulnerable to “center-of-ASR” attack: NOT SECURE !!!
(figure: querying user uq and its 5-ASR)
[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
QuadASR [Gru03, Mok06]
• Quad-tree based
• Fails to preserve anonymity for outliers
• Unnecessarily large ASR size
• Let K=3 (figure: users u1, u2, u3 fall in quadrant A1; user u4 falls in quadrant A2)
• If any of u1, u2, u3 queries, ASR is A1
• If u4 queries, ASR is A2
• u4’s identity is disclosed: NOT SECURE !!!
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006
Reciprocity
• Consider querying user uq and ASR Aq
• Let ASq = {set of users enclosed by Aq}
• Aq has the reciprocity property iff
  • |ASq| ≥ K
  • ∀ ui, uj ∈ ASq: ui ∈ ASj and uj ∈ ASi
hilbASR
• Based on Hilbert space-filling curve
  • index users by Hilbert value of location
  • partition Hilbert sequence into “K-buckets”
(figure: Hilbert curve traversed from Start to End)
Advantages of hilbASR
• Guarantees source privacy
  • K-ASRs have the “reciprocity” property
• Reduced ASR size
  • Hilbert ordering preserves locality well
  • K-ASR includes exactly K users (in most cases)
• Efficient ASR assembly and user relocation
  • Balanced, annotated index tree
  • User relocation, ASR assembly in O(log #users)
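The K-bucket assembly of hilbASR and the reciprocity check defined on the Reciprocity slide, as an added example that is not code from the PRIVÉ paper or its authors; a CloakP2P-style K-NN cloak is computed alongside so the check can be run on both. The grid size, the user positions and K are constructed sample values; the Hilbert index is the standard xy2d routine on an n x n grid.

```python
# Added example (not the paper's code). Users, grid size and K are constructed.

def hilbert_index(n, x, y):
    """Hilbert value of cell (x, y) on an n x n grid, n a power of two (classic xy2d)."""
    d, s = 0, n // 2
    while s > 0:
        rx, ry = int((x & s) > 0), int((y & s) > 0)
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                       # rotate the quadrant so the curve stays continuous
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

def hilb_asr(users, k, n=4):
    """Sort users by Hilbert value and cut the sequence into K-buckets; the last bucket
    absorbs the remainder, so each bucket holds K..2K-1 users (assumes len(users) >= k).
    Returns {user: anonymizing set}; every member of a bucket gets the same set."""
    order = sorted(users, key=lambda u: hilbert_index(n, *users[u]))
    nb, sets = len(order) // k, {}
    for i in range(nb):
        bucket = order[i * k:(i + 1) * k] if i < nb - 1 else order[i * k:]
        for u in bucket:
            sets[u] = frozenset(bucket)
    return sets

def asr_box(users, anon_set):
    """The ASR sent to the LBS: minimum bounding rectangle (xmin, ymin, xmax, ymax)."""
    xs = [users[u][0] for u in anon_set]
    ys = [users[u][1] for u in anon_set]
    return (min(xs), min(ys), max(xs), max(ys))

def knn_asr(users, k):
    """CloakP2P-style set: the query source plus its K-1 nearest neighbours."""
    def dist2(a, b):
        return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2
    return {q: frozenset(sorted(users, key=lambda u: dist2(users[u], users[q]))[:k])
            for q in users}

def has_reciprocity(sets, k):
    """Slide definition: |AS| >= K and, for all ui, uj in AS, ui in ASj and uj in ASi."""
    return all(len(s) >= k and all(ui in sets[uj] and uj in sets[ui] for ui in s for uj in s)
               for s in sets.values())

# Constructed sample: 7 users on a 4x4 grid, anonymity degree K = 3.
USERS = {"u1": (0, 0), "u2": (1, 1), "u3": (0, 3), "u4": (2, 3),
         "u5": (3, 2), "u6": (2, 0), "u7": (3, 0)}
K = 3
```

On this sample the hilbASR buckets pass the check while the K-NN cloak does not, which is the distinction the CloakP2P and hilbASR slides draw.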
hilbASR with Annotated Index
(figure: example with K=6)
PRIVÉ Characteristics
• P2P overlay network
• Resembles annotated B+-tree
• Hierarchical clustering architecture
• Bounded cluster size [,3)
(figure: S relocates to 60)
Load Balancing
• Hierarchical architecture
  • Inherent imbalance in peer load
• Cluster head rotation mechanism
  • Rotation triggered by load
  • Communication cost predominant
Fault Tolerance
• Soft-state mechanism
  • Cluster membership periodically updated
  • Recovery facilitated by state replication
• Leader election protocol
  • In case of cluster head failure
Experimental Setup
• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
• Up to 10000 users
• Velocities from 18 to 68 km/h
• Uniform and skewed query distributions
• Anonymity degree K in the range [10, 160]
* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.
Load Balancing
(figure: chart with Node Fraction on the x-axis, 0% to 100%)
Conclusions
• LBS Privacy an important concern
• Existing solutions have no privacy guarantees
• Centralized approach has limitations
  • Poor scalability, legal issues
• Contribution
  • Anonymization with privacy guarantees
    • hilbASR
  • Extension to decentralized systems
    • Improved scalability and availability
    • No single point-of-attack/failure
Bibliography on LBS Privacy http://anonym.comp.nus.edu.sg
Bibliography
• [Chow06] – Mokbel et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
• [Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
• [Ged05] – Gedik et al, Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
• [Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006
MobiHide
• Randomized ASR assembly technique:
  • Also uses Hilbert ordering
  • ASR chosen as random K-user sequence
• Advantages
  • No global knowledge required
  • Flat index structure (Chord DHT)
• Disadvantages
  • No privacy guarantees for skewed query distributions
  • but still strong anonymity in practice