
PRIVÉ : Anonymous Location-Based Queries in Distributed Mobile Systems

This paper discusses the problem of preserving user privacy in location-based queries in distributed mobile systems and proposes a solution using an anonymizing spatial region. It introduces the concept of K-anonymity and presents the PRIVÉ architecture for preserving query source anonymity. The paper also evaluates the performance of the proposed solution through experimental evaluation.


Presentation Transcript


  1. PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems
  Affiliations: (1) National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg; (2) University of Peloponnese, Greece, spiros@uop.gr

  2. Location-Based Services (LBS)
  • LBS users: mobile devices with GPS capabilities
  • Spatial database queries: nearest-neighbour (NN) and range queries, e.g. "Find closest hospital to my present location"
  • The location server is NOT trusted

  3. Problem Statement
  • Queries may disclose sensitive information
  • Querying through an anonymous web-surfing service is not enough: the user's location may still disclose identity, via
    • Triangulation of the device signal
    • Publicly available databases
    • Physical surveillance
  • How to preserve query source anonymity, even when exact user locations are known?

  4. Solution Overview
  • Anonymizing Spatial Region (ASR) enclosing the querying user and at least K-1 other users
  • Identification probability ≤ 1/K
  • Minimize overhead: reduce ASR extent, fast ASR assembly time
  • Support user mobility

  5. Central Anonymizer Architecture
  • Intermediate tier between users and the LBS
  • Bottleneck and single point of attack/failure

  6. PRIVÉ Architecture

  7. K-Anonymity*
  [figure: (a) microdata table; (b) voting registration list (public)]
  * L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

  8. K-Anonymity*
  [figure: (a) 2-anonymous microdata; (b) voting registration list (public)]

  9. Relational and Spatial Anonymity
  [figure: quasi-identifier plane with Age (42–56) on one axis and Zip (20k–55k) on the other]

  10. Existing Cloaking Solutions

  11. Redundant Queries
  • Send K-1 redundant queries
  • Gives away the exact location of users
  • Potentially high overhead

  12. CloakP2P [Chow06]
  • Find the K-1 nearest neighbours (NN) of the query source; the ASR encloses them
  • The source is likely to be the user closest to the ASR center
  • Vulnerable to the "center-of-ASR" attack: NOT SECURE
  [figure: 5-ASR around querying user uq]
  [Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06

  13. QuadASR [Gru03, Mok06]
  • Quad-tree based
  • Fails to preserve anonymity for outliers
  • Unnecessarily large ASR size
  • Example with K=3: u1, u2, u3 fall in quadrant A1; u4 is an outlier whose enclosing quadrant with at least K users is the larger A2
    • If any of u1, u2, u3 queries, the ASR is A1
    • If u4 queries, the ASR is A2; an adversary who knows the algorithm and the user locations infers that only u4 produces A2, so u4's identity is disclosed: NOT SECURE
  [Gru03] Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
  [Mok06] Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

  14. Secure Location Anonymization

  15. Reciprocity
  • Consider querying user uq and its ASR Aq
  • Let ASq = {set of users enclosed by Aq}
  • Aq has the reciprocity property iff
    • |ASq| ≥ K, and
    • ∀ ui, uj ∈ ASq: ui ∈ ASj ∧ uj ∈ ASi (every user of ASq is contained in the anonymizing set of every other user of ASq)

  16. hilbASR
  • Based on the Hilbert space-filling curve
  • Index users by the Hilbert value of their location
  • Partition the Hilbert sequence into "K-buckets"
  [figure: Hilbert curve traversal from Start to End over the user locations]

  17. Advantages of hilbASR
  • Guarantees source privacy: K-ASRs have the reciprocity property
  • Reduced ASR size: Hilbert ordering preserves locality well; a K-ASR includes exactly K users (in most cases)
  • Efficient ASR assembly and user relocation: balanced, annotated index tree; user relocation and ASR assembly in O(log #users)
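As an added example (not code from the PRIVÉ slides or paper), the Python below builds hilbASR-style K-buckets over a Hilbert ordering of user locations, checks the reciprocity property of slide 15, and runs the center-of-ASR attack of slides 12 and 26 against both hilbASR and a CloakP2P-style K-nearest-neighbour cloak. The Hilbert mapping is the standard rotation-based construction for a 2^m x 2^m grid; the grid size n, the user coordinates, the seed and K are constructed inputs, not the paper's data.

```python
# Added example, not the PRIVÉ implementation. Constructed inputs throughout.
import random


def hilbert_index(n, x, y):
    """Hilbert value of grid point (x, y) on an n x n grid, n a power of two.
    Standard rotation-based construction (coordinates are non-negative ints)."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        # Rotate/flip the quadrant so the next level is in canonical orientation
        if ry == 0:
            if rx == 1:
                x = n - 1 - x
                y = n - 1 - y
            x, y = y, x
        s //= 2
    return d


def hilb_asr_sets(users, n, k):
    """users: dict user_id -> (x, y). Returns user_id -> frozenset of the ids in
    its K-bucket. Users are sorted by Hilbert value and cut into buckets of K;
    a short trailing bucket is merged into the previous one so every bucket
    holds at least K users (slides 16/17)."""
    order = sorted(users, key=lambda u: (hilbert_index(n, *users[u]), u))
    buckets = [order[i:i + k] for i in range(0, len(order), k)]
    if len(buckets) > 1 and len(buckets[-1]) < k:
        buckets[-2].extend(buckets.pop())
    return {u: frozenset(b) for b in buckets for u in b}


def knn_asr_sets(users, k):
    """CloakP2P-style anonymizing set: the querier plus its K-1 nearest users."""
    def dist2(a, b):
        return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2
    sets = {}
    for u, p in users.items():
        near = sorted(users, key=lambda v: (dist2(p, users[v]), v))[:k]
        sets[u] = frozenset(near)
    return sets


def is_reciprocal(asets, k):
    """Slide 15: |AS_q| >= K and every pair in AS_q includes each other."""
    for aset in asets.values():
        if len(aset) < k:
            return False
        for i in aset:
            for j in aset:
                if i not in asets[j] or j not in asets[i]:
                    return False
    return True


def center_of_asr_attack(users, asets):
    """The adversary sees only the MBR of AS_q and guesses the enclosed user
    closest to its center. Returns the fraction of queriers identified."""
    hits = 0
    for q, aset in asets.items():
        xs = [users[u][0] for u in aset]
        ys = [users[u][1] for u in aset]
        cx, cy = (min(xs) + max(xs)) / 2, (min(ys) + max(ys)) / 2
        guess = min(aset, key=lambda u: ((users[u][0] - cx) ** 2 + (users[u][1] - cy) ** 2, u))
        hits += guess == q
    return hits / len(asets)


# Constructed sample: four users on a line, K=2. u2's nearest neighbour is u1,
# but u1's nearest neighbour is u0, so the kNN cloak is not reciprocal.
LINE_USERS = {"u0": (0, 0), "u1": (1, 0), "u2": (3, 0), "u3": (10, 0)}


def demo(seed=1, n=64, count=200, k=5):
    """Random constructed population on an n x n grid; compares both cloaks."""
    rng = random.Random(seed)
    users = {f"u{i}": (rng.randrange(n), rng.randrange(n)) for i in range(count)}
    hilb = hilb_asr_sets(users, n, k)
    knn = knn_asr_sets(users, k)
    return {
        "hilb_reciprocal": is_reciprocal(hilb, k),
        "knn_reciprocal": is_reciprocal(knn, k),
        "hilb_attack_rate": center_of_asr_attack(users, hilb),
        "knn_attack_rate": center_of_asr_attack(users, knn),
    }


if __name__ == "__main__":
    print(demo())
```

Because every member of a hilbASR bucket receives the same bucket (and hence the same ASR), the center-of-ASR guess is right for exactly one user per bucket, so the attack succeeds for at most 1/K of the queriers; with the kNN cloak the querier usually sits near the center of its own neighbourhood and is identified far more often.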

  18. hilbASR with Annotated Index
  [figure: K=6 example]

  19. PRIVÉ

  20. PRIVÉ Characteristics
  • P2P overlay network that resembles an annotated B+-tree
  • Hierarchical clustering architecture
  • Bounded cluster size [α, 3α)
  [figure: user S relocates to Hilbert position 60]

  21. Relocation
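Added example, not the PRIVÉ implementation: the annotated index of slides 17-21 is modeled here with a Fenwick tree over the Hilbert-value domain, a stand-in that gives the same O(log) cost per rank query, insertion and deletion as the annotated B+-tree, without the P2P overlay. A user's K-bucket is assembled from its rank, and a relocation is a delete plus an insert. Hilbert values are assumed already computed (one user per value, as on a grid with one user per cell); the ids, values, domain size and K are constructed sample data.

```python
# Added example, not the PRIVÉ implementation. Constructed inputs throughout.


class HilbertBucketIndex:
    """Dynamic index of users keyed by Hilbert value. A Fenwick tree stores
    per-value counts, so rank, select, insert and delete are O(log D) for a
    domain of D Hilbert values."""

    def __init__(self, domain_size, k):
        self.D = domain_size            # Hilbert values lie in [0, D)
        self.k = k
        self.tree = [0] * (self.D + 1)  # Fenwick tree, 1-based
        self.at = {}                    # hilbert value -> user id
        self.pos = {}                   # user id -> hilbert value
        self.total = 0

    def _update(self, h, delta):
        i = h + 1
        while i <= self.D:
            self.tree[i] += delta
            i += i & -i

    def _rank(self, h):
        """1-based rank of value h: number of users with Hilbert value <= h."""
        i, s = h + 1, 0
        while i > 0:
            s += self.tree[i]
            i -= i & -i
        return s

    def _select(self, r):
        """Hilbert value of the user with 1-based rank r (binary lifting)."""
        h, step = 0, 1 << self.D.bit_length()
        while step:
            nxt = h + step
            if nxt <= self.D and self.tree[nxt] < r:
                h = nxt
                r -= self.tree[nxt]
            step >>= 1
        return h

    def join(self, uid, h):
        if not 0 <= h < self.D:
            raise ValueError("Hilbert value out of domain")
        if h in self.at:
            raise ValueError("this model keeps one user per Hilbert value")
        self.at[h] = uid
        self.pos[uid] = h
        self._update(h, 1)
        self.total += 1

    def leave(self, uid):
        h = self.pos.pop(uid)
        del self.at[h]
        self._update(h, -1)
        self.total -= 1

    def relocate(self, uid, h_new):
        """Mobility: drop the old position, insert the new one (two updates)."""
        self.leave(uid)
        self.join(uid, h_new)

    def bucket(self, uid):
        """K-bucket (anonymizing set) of uid: one rank query, then K selects.
        A short trailing bucket is merged into the previous one so every
        bucket holds at least K users, as in hilbASR."""
        r = self._rank(self.pos[uid])
        n_buckets = max(1, self.total // self.k)
        b = min((r - 1) // self.k, n_buckets - 1)
        start = b * self.k + 1
        end = self.total if b == n_buckets - 1 else (b + 1) * self.k
        return frozenset(self.at[self._select(rank)] for rank in range(start, end + 1))


def build_demo_index():
    """Constructed population: seven users, K=3, Hilbert domain of an 8x8 grid."""
    idx = HilbertBucketIndex(domain_size=64, k=3)
    for uid, h in [("A", 5), ("B", 9), ("C", 12), ("D", 20), ("E", 33), ("F", 40), ("G", 58)]:
        idx.join(uid, h)
    return idx


def reciprocal(idx):
    """Every member of a user's bucket must receive that same bucket (slide 15)."""
    return all(idx.bucket(v) == idx.bucket(u) for u in list(idx.pos) for v in idx.bucket(u))


if __name__ == "__main__":
    idx = build_demo_index()
    print("bucket(E) =", sorted(idx.bucket("E")))
    idx.relocate("G", 10)
    print("after G moves to 10, bucket(A) =", sorted(idx.bucket("A")))
    print("reciprocal:", reciprocal(idx))
```

Note that after G moves from 58 to 10 the bucket boundaries shift for everyone between the old and new positions, but no bucket is ever rebuilt from scratch: each bucket is defined purely by rank, so the index stays consistent (and reciprocal) after each O(log D) update.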

  22. Load Balancing
  • Hierarchical architecture: inherent imbalance in peer load
  • Cluster head rotation mechanism, with rotation triggered by load
  • Communication cost is the predominant load

  23. Fault Tolerance
  • Soft-state mechanism: cluster membership periodically updated
  • Recovery facilitated by state replication
  • Leader election protocol in case of cluster head failure

  24. Experimental Evaluation

  25. Experimental Setup
  • San Francisco Bay Area road network
  • Network-based Generator of Moving Objects*
  • Up to 10000 users
  • Velocities from 18 to 68 km/h
  • Uniform and skewed query distributions
  • Anonymity degree K in the range [10, 160]
  * T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

  26. Anonymity Strength (center-of-ASR)

  27. ASR Size

  28. Query Efficiency

  29. Relocation Efficiency

  30. Load Balancing
  [figure: node fraction, 0%–100%]

  31. Conclusions
  • LBS privacy is an important concern
  • Existing solutions have no privacy guarantees
  • The centralized approach has limitations: poor scalability, legal issues
  • Contribution: anonymization with privacy guarantees (hilbASR), and its extension to decentralized systems, with improved scalability and availability and no single point of attack/failure

  32. Bibliography on LBS Privacy http://anonym.comp.nus.edu.sg

  33. Bibliography
  • [Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS '06
  • [Gru03] Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
  • [Ged05] Gedik et al., Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
  • [Mok06] Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

  34. MobiHide
  • Randomized ASR assembly technique
    • Also uses Hilbert ordering
    • ASR chosen as a random K-user sequence
  • Advantages: no global knowledge required; flat index structure (Chord DHT)
  • Disadvantages: no privacy guarantees for skewed query distributions, but still strong anonymity in practice
