410 likes | 634 Views
Location Privacy Protection for Location-based Services. Ying Cai Department of Computer Science Iowa State University Ames, Iowa, 50011 http://www.cs.iastate.edu/~yingcai. Location-based Services (LBS) . Dilemma.
E N D
Location Privacy Protection for Location-based Services Ying Cai Department of Computer Science Iowa State University Ames, Iowa, 50011 http://www.cs.iastate.edu/~yingcai
Dilemma • To use an LBS, a user needs to disclose her location, but a person’s whereabouts may imply sensitive private information Stalking…. Nightclub Hospital Political Party
Location Privacy Protection • Policy-based approaches • Legislation governs the collection and distribution of personal location data • Personal location management lets users determine when and whom to release location information • These schemes cannot prevent location data from being abused by insiders
Challenge • Simply using pseudonym is not sufficient because a user’s location itself may reveal her real-world identity • e.g., correlate with restricted spaces such as home address and office
Location Depersonalization • Basic idea: reducing location resolution • Report a cloaking area, instead of actual location
Location Depersonalization • Basic idea: reducing location resolution • Report a cloaking area, instead of actual location • Research issue: each cloaking area must • provide a desired level of depersonalization, and • be as small as possible
The state of the art • Ensuring each cloaking area contains a certain number of users • A cloaking area with K users provides K-anonymity protection
Problem 1 • The anonymity server requires frequent location updates from all users • Practicality • Scalability Users not engaged in LBSs may not be willing to help protect others’ anonymity
Problem 2 • In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection
Problem 2 • In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection New threats Location resolution refinement Trace attack
Problem 3 • A cloaking area guarantees service anonymity, but NOT location privacy • An adversary does not know who requests the service, but knows that the requestor was inside the area, and in particular, she was with some other people there Where you are and whom you are with are closely related with what you are doing …
The root of the problems • All existing techniques cloak a user’s position based on her current neighbors
Observation • Public areas are naturally depersonalized • A large number of visits by different people • More footprints, more popular Highway Park
Basic Idea • Using footprints for location depersonalization • Each cloaking area contains at least K different footprints Location privacy protection An adversary may be able to identify all these users, but will not know who was there at what time
Trajectory database • Source of historical location data • From wireless service carriers, which provide the communication infrastructure • From the users of LBSs, who need to report location for cloaking
Trajectory database • Source of historical location data • From wireless service carriers, which provide the communication infrastructure • From the users of LBSs, who need to report location for cloaking • Trajectory indexing for efficient retrieval • Partition network domain into cells • Maintain a cell table for each cell
Sporadic LBS • A client reports server • p: its current location • K: its desired privacy level • Server computes a circular region • containing p and K-1 footprints, each from a different user • needs to be as small as possible
Sporadic LBS • A client reports server • p: its current location • K: its desired privacy level • Server computes a circular region • containing p and K-1 footprints, each from a different user • needs to be as small as possible
Continuous LBSs • A client reports • a base trajectory T0 = {c1,c2,…,cn} • the desired anonymity level K • Server computes a new trajectory T = { B1,B2,…,Bn }
Continuous LBSs • A client reports • a base trajectory T0 = {c1,c2,…,cn} • the desired anonymity level K • The server computes a K-anonymity trajectory (KAT) T = { B1,B2,…,Bn} When the user arrives at ci, server reports Bi for LBS
K-Anonymity Trajectory (KAT) K=3 Problem How to find the KAT with the best resolution?
Challenges • Given a database of N trajectories, there are sets of trajectories with size K-1 • Given a fixed set of addictive trajectories, different orders of cloaking result in different KATs • Exhaustive search: expensive
A Heuristic Approach • Cloak T0 with one trajectory • Cloak T0 with a set of K-1 trajectories • Select additive trajectory candidates
B2 B1 B3 B4 Cloaking One Additive Trajectory • Cloaking T0 with additive trajectory Ta • To = {c1,c2,…,cn}; Ta = {a1,a2,…,am}, where n ≤ m • T = { B1,B2,…,Bn} is the cloaking result • Goal: minimize T ’s resolution T=Cloak(To,Ta) To Ta
Cloaking with a Set of Additive Trajectories • Different order of cloaking can have vastly different results T0 T1 T2 ? T0+T1+T2 = T0+T2+T1
Approach 1: Linear(T0,S) • Sort the trajectories based on their distances to T0 • Cloak with T0 in order of their distance
Approach 1: Linear(T0,S) • Sort the trajectories based on their distances to T0 • Cloak with T0 in order of their distance Cloak(To, Ta) is called s + K – 1 times
Approach 1: Linear(T0,S) • Sort the trajectories based on their distances to T0 • Cloak with T0 in order of their distance Cloak(To, Ta) is called s + K – 1 times Limit of Linear • K=3. Linear cloaks T0 with T1 and T2 • But cloaking with T1 and T3 have a better result.
Approach 1: Linear(T0,S) • Sort the trajectories based on their distances to T0 • Cloak with T0 in order of their distance Cloak(To, Ta) is called s + K – 1 times Limit of Linear • K=3. Linear cloaks T0 with T1 and T2 • But cloaking with T1 and T3 have a better result.
Approach 1: Linear(T0,S) • Sort the trajectories based on their distances to T0 • Cloak with T0 in order of their distance Cloak(To, Ta) is called s + K – 1 times Limit of Linear • K=3. Linear cloaks T0 with T1 and T2 • But cloaking with T1 and T3 have a better result.
Quadratic(T0,S) • Once an additive trajectory is cloaked • Set the cloaking result as T • For the rest trajectories, compare the distance to T, instead of T0 • In the worst case, Cloak(T0,Ta) is called (K-1)(s-K/2+1) times T1 is closest to T0, so T = Cloak(T0,Ta) T3is closest to T, so T = Cloak(T,Ta)
Select Additive Trajectory Candidates • Only those trajectories close to the base trajectory should be considered • Searching algorithm
Performance Study • Simulate mobile nodes movement on the real road map. • Extract four types of roads • Speed changes at intersection. • Generate a footprints database containing certain number of trajectories with random assigned user ID.
Experiments • Performance metric • Cloaking range: the average radius of the cloaking circles • Single location cloaking • Neighboring nodes vs. footprints • Trajectory cloaking • Linear, Quadratic, and BaseLine • Baseline: cloaking using neighboring mobile users
Trajectory Cloaking • Generate a set of LBS requests, each containing • A User ID • The start and destination • Randomly selected in the map • The fastest path as the user’s expected route • Select a location sample every 100 meters along the route • Required degree of privacy protection
Effective of Anonymity Level • (a) shows cloaking range of different algorithms • Cloaking range increases as K increases • (b) shows the cloaking range on different roads • Popular roads have a large number of footprints • Unpopular roads are sensitive to the change of K
Concluding Remarks • We explore historical location data for location depersonalization • Each reported location/trajectory has been visited by at least K different people • We develop a suite of novel location cloaking algorithms for • Sporadic LBSs • Continuous LBSs • Up to date, this is the only solution that can support location privacy protection
Thanks and Some Key References • M. Gruteserand D. Grunwald. “Anonymous Usage of Location-based Services through Spatial and Temporal Cloaking”, ACM MobiSys'03. • B. Gedikand L. Liu, “A Customizable k-Anonymity Model for Protecting Location Privacy”, IEEE ICDCS'05. • M. F. Mokbel, C. Y. Chow, and W. G. Aref. “The New Casper: Query Processing for Location Services without Compromising Privacy”, VLDB’06. • T. Xu and Y. Cai. “Exploring Historical Location Data for Anonymity Preservation in Location-based Services”. IEEEInfocom'08.
Future Work • Additive trajectories selection • Similar moving speeds • Similar time spans • On-the-fly cloaking • Users do not have to submit a base trajectory before a travel