    A fast privacy-preserving framework for continuous location-based queries in road networks☆

    Yong Wang a, Yun Xia a, Jie Hou a, Shi-meng Gao a, Xiao Nie a, Qi Wang b,*

    a School of Computer Science and Engineering, University of Electronic Science and Technology of China, 611731 Chengdu, China
    b National computer network emergency response technical team/coordination center of China, 100190, Beijing, China

    Article info

    Article history: Received 4 December 2013; received in revised form 25 August 2014; accepted 31 January 2015; available online 14 March 2015

    Keywords: Privacy preservation; Location based services (LBS); Road networks; Continuous query

    Abstract

    The prevalence of location based services (LBS) gives rise to personal privacy concerns as users share their locations and queries to obtain desired services. For continuous queries, where users report their locations periodically, attackers can infer more about users' privacy by analyzing the correlations of their snapshot samples. Traditional privacy-preserving solutions designed in Euclidean space can hardly be applied to the road network environment because they ignore network topological properties. In this paper, we propose a novel continuous query privacy-preserving framework in road networks. Our framework is based on the concepts of k-anonymity and l-diversity. To achieve quality of service, the distance limitation is taken into account. We build an Snet hierarchy based on the density of users, history traces, and road network topologies to accelerate the cloaking process performed at the anonymization server. Two types of cloaking algorithms, for a single user and a batch of users, are designed. The security analysis shows that our framework is robust to typical attacks. We evaluate our framework from the aspects of privacy-preserving ability, quality of service, and system performance, which indicates that our framework can provide good privacy protection while ensuring users' quality of service.

    © 2015 Elsevier Ltd. All rights reserved.

    1. Introduction

    Pushed by the widespread use of positioning devices (e.g., GPS), location-based services (LBS) have become ubiquitous in recent years. With locations (latitudes and longitudes) obtained from these devices, LBS applications can provide users with highly personalized services, through local business searches (e.g., searching for the restaurants nearest to a user), e-marketing (e.g., sending e-coupons to nearby potential customers), social networking (e.g., a group of friends sharing their geo-tagged photos), etc. Generally, users can send two types of queries to LBS providers: snapshot queries, for example, “Show me the hotels within one mile”, and continuous queries, for example, “Inform me of the nearest petrol station every 5 min in the next 30 min”. In effect, a continuous query consists of several consecutive snapshots, which are processed with the user's real-time locations one by one.

    However, as locations are reported to a potentially untrustworthy LBS provider, attackers may track users by exploiting their exposed locations, which raises the concern of location privacy. The disclosure of a user's location may reveal sensitive information, such as health condition and religious faith. In particular, such tracking capabilities of attackers create crime opportunities, such as vehicle theft and kidnapping. In other respects, a user may not want to be identified as the subscriber of a specific location-based service, especially when the service is sensitive (e.g., querying for the nearest Cancer Treatment Center); this is known as query privacy. Apparently, privacy preservation for continuous queries is more challenging than for snapshot queries, since an attacker could infer a user's privacy by exploiting the spatial and temporal correlations of snapshot samples. Hence, the privacy of continuous queries is what we focus on.

    http://dx.doi.org/10.1016/j.jnca.2015.01.004
    1084-8045/© 2015 Elsevier Ltd. All rights reserved.

    ☆ This work was supported by the Joint Funds of the National Natural Science Foundation of China (Grant no. U1230106), and by the National Information Security 242 Project of China (Grant no. 2013A050).

    * Corresponding author. E-mail address: [email protected] (Y. Wang).

    Journal of Network and Computer Applications 53 (2015) 57–73

    Plenty of privacy-preserving techniques (Samarati and Sweeney, 1998; Gruteser and Grunwald, 2003; Liu et al., 2009) designed for Euclidean space have been proposed, wherein users can move in arbitrary directions at random speed. However, a user's movement may be constrained by the underlying road network. For example, a user should move along a certain road within the maximum speed limit. Applying these techniques directly to road networks may result in privacy leakage. As shown in Fig. 1(a), u is anonymized with 4 other users, denoted by red points, and his exact position is blurred into a gray region with the spatial cloaking methods (Bamba et al., 2008; Gedik and Liu, 2008; Kalnis et al., 2007). With such a cloaked region, 5-anonymity is achieved and the attacker can only tell that u might be somewhere in the gray area. Figure 1(b) shows the same case but with knowledge of the underlying road network. Since the gray area contains a single road segment, the attacker can infer that u must be located on that road segment, and users outside the segment will be excluded. Hence, 5-anonymity is violated, with only two users left, which may enable attackers to track u much more easily. Generally, this kind of attack can be prevented by taking the underlying road network into account while anonymizing. Furthermore, other road network properties, such as the population density, which has a significant impact on privacy preservation, should also be considered.

    Currently, several privacy-preserving solutions have been introduced to road networks. Unfortunately, existing approaches that apply a traditional cloaking algorithm in road networks incur a huge time cost. To avoid it, we speed up the retrieval of users to be cloaked together by means of a hierarchical structure. Alternatively, cloaking is also faster when a batch of users is processed simultaneously instead of a single user at a time. We believe that this is the first work to propose a fast LBS continuous query privacy preservation framework in road networks. The query privacy of a user is preserved even if his location is leaked. The network topological properties are taken into account, so that we can effectively provide privacy preservation for users while lowering the computation overheads of both LBS providers and the privacy-preserving system. The main idea of our solution is to abstract the underlying road network into multiple levels. The abstracted unit is called an Snet. Correspondingly, we propose an Snet merging algorithm to construct the Snet hierarchical structure (see Section 3.3.1). Based on the Snet hierarchy, our framework introduces a trusted third party to cloak the query issuer with others, which satisfies his specified privacy requirements (see Section 3.2). From the view of LBS providers, they can only relate a set of users to a set of queries instead of a query to a particular user.

    We present two versions of privacy-preserving algorithms: one processes each query separately, while the other handles a batch of queries simultaneously. Our main contributions include:

    • The framework can resist the attacks that break k-anonymity by considering the topological properties of road networks. To accelerate the privacy-preserving process, we abstract the road network into a hierarchical structure by considering the density of users, history traces, and the connectivity of road segments.

    • The whole procedure is divided into three stages: initialization stage, execution stage, and update stage. The initialization stage builds a hierarchical structure to facilitate the cloaking process. Based on the pre-computed hierarchical structure, the framework can provide more efficient privacy preservation services in the execution stage. As the underlying network may change over time, the update stage enables our framework to adapt to different road conditions and maintain long-term effectiveness.

    • We propose fast cloaking algorithms based on the hierarchical structure for a single user and a batch of users. Each Snet is treated as a cloaking unit. When users in the sub-Snets cannot satisfy the cloaking requirements, the cloaking process shifts to the parent Snet.

    • Users' moving trend, velocity difference, and distance difference are taken into consideration, so as to retain as many common users as possible to resist typical attacks. The attack resilience analysis and performance evaluation indicate that our framework can resist typical attacks and achieve good performance.

    The rest of our paper is organized as follows: in Section 2, we discuss related work on privacy preservation. We present the system model in Section 3, and the detailed algorithms and framework maintenance are shown in Section 4. We analyze the security of our cloaking algorithms in Section 5. Experiments and evaluations are presented in Section 6. In Section 7, we draw brief conclusions.

    2. Related work

    Section 2.1 reviews related work on privacy preservation in Euclidean space, Section 2.2 surveys the literature on privacy preservation in road networks, Section 2.3 explains the privacy preservation techniques based on multiparty computation, and Section 2.4 discusses privacy preservation against typical attacks.

    2.1. Privacy preservation in Euclidean space

    Previous work in Euclidean space can be classified into two categories according to the system architecture: centralized privacy-preserving architecture and distributed privacy-preserving architecture.

    2.1.1. Centralized privacy-preserving architecture

    In the centralized privacy preservation architecture, a trusted third party is involved to blur users' locations into spatial regions, which guarantees to satisfy the k-anonymity (Samarati and Sweeney, 1998) requirement. Based on the idea of k-anonymity, the Interval Cloak algorithm (Gruteser and Grunwald, 2003) was proposed, which recursively partitions an area into four sub-areas until the users in a sub-area are fewer than k. The centralized architecture has been applied to continuous queries (Chow and Mokbel, 2007; Wang et al., 2012a,b; Guha et al., 2012). The L2P2 scheme was presented by Wang et al. (2012a), which allows users to define their dynamic and diverse privacy requirements for continuous queries. Wang et al. (2012b) proposed a query linking privacy-preserving algorithm (V-DCA) for continuous LBS queries, which considers users' velocities and acceleration similarities to select users that can stay close in the long run.

    2.1.2. Distributed privacy-preserving architecture

    In the distributed architecture, users protect their privacy by working collaboratively (Domingo-Ferrer, 2006) or autonomously (Olumofin et al., 2010; Huang and Vishwanathan, 2010; Durr et al., 2011). Domingo-Ferrer (2006) proposed a collaborative algorithm, in which a user broadcasts his perturbed location to form a group with k-1 neighbors. Olumofin et al. (2010) combined the cloaking with Private Information Retrieval (PIR). Durr et al. (2011) proposed a position sharing scheme to hide the exact location information. For continuous queries, Pingley et al. (2011) generated dummy queries based on query contexts and motion modes. Wang et al. (2012c) designed a distributed architecture with several semi-honest anonymizing servers.

    Unfortunately, these are designed for Euclidean space and cannot address the problem faced by road networks. In this respect, our proposed algorithm not only considers personalized privacy requirements and moving characteristics as in Wang et al. (2012b), but also takes the underlying road networks into account. In addition, to improve the system efficiency, our algorithm can cloak a batch of users simultaneously.

    2.2. Privacy preservation in road networks

    Several privacy-preserving techniques have been proposed to protect users' privacy in road networks. Based on the type of location-based queries, these techniques can be classified into two categories: privacy preservation for snapshot location-based queries and privacy preservation for continuous location-based queries.

    2.2.1. Privacy preservation for snapshot location-based queries

    PSNN and PSRQ techniques (Ku et al., 2007) solely rely on Casper (Mokbel et al., 2006), which was designed for the Euclidean space. As a result, the drawbacks of techniques for Euclidean space are inherited. Kolahdouzan and Shahabi (2004) partitioned the whole road network into small Voronoi regions for anonymization. In Mouratidis and Yiu (2010), the Hilbert order was used to anonymize users with their k-1 neighbors. Hence, the effectiveness of the algorithm depends much on the ordering. Papadias et al. (2003) expanded the cloaked road segments until privacy requirements are achieved. To balance the processing cost and privacy preservation, Wang and Liu (2009) proposed an X-star based privacy-preservation framework merging neighboring queries into a newly established cloaking star (super-star). Chow et al. (2011) designed an effective shared execution paradigm. Bao et al. (2009) proposed a peer-to-peer location privacy-preserving system called Pros, in which a user collaborates with others to form a cloaked road segment set. However, simply applying these techniques to continuous location-based queries may suffer from the attacks correlating snapshot samples.

    2.2.2. Privacy preservation for continuous location-based queries

    Previous research has mainly focused on breaking the continuity of location exposure by utilizing mix-zones to change users' identification. In Freudiger et al. (2009), the mixing effectiveness of possible mix zone locations was employed to optimize the placement of mix zones. Mobimix (Palanisamy and Liu, 2011) takes multiple factors into consideration in the placement of mix zones, such as the statistical behavior of the user population. However, it pays no consideration to network updating, which may lead to system unavailability in the long run. As the placement optimization is NP-hard, Liu et al. (2012) designed two heuristic algorithms to strategically select mix zone locations. In general, although mix-zones protect the privacy of continuous queries, they limit the field where users are served, which may be unacceptable for some users. Hence, our framework adopts the cloaking-based mechanism for continuous query privacy preservation, which also considers road network updates.

    2.3. PIR based privacy preservation

    Methods relying on cryptography or Private Information Retrieval (PIR) are used in location privacy preservation. Private Information Retrieval (PIR) techniques allow a user to retrieve an element of a database without the owner of that database being able to determine which element was selected (Chor et al., 1998). Generally, PIR based techniques do not require a trusted third party. Zhong et al. (2007) introduced three protocols, namely Louis, Lester and Pierre, to provide location privacy when answering K Nearest Neighbor (KNN) queries. Similarly, Papadopoulos et al. (2010) employed secure hardware-aided PIR to achieve strong location privacy. Ghinita et al. (2008) proposed a framework to support private location-dependent queries based on PIR techniques. Their framework does not need a trusted third party and can achieve strong privacy for snapshots of users' locations. Narayanan et al. (2011) proposed a variety of cryptographic protocols that support private proximity testing. They use “location tags” generated from the physical environment to strengthen the security of proximity testing. Li and Jung (2013) designed a suite of Privacy-preserving Location Query Protocols (PLQP) to protect users' location privacy under the application scenario of social network services (SNS).

    This category of techniques provides strong privacy protection. However, its performance, even when improved by special hardware, is still hardly applicable in the real world. On the other hand, it remains to be seen whether any location-based service providers will deploy cryptographic systems in the market.

    2.4. Privacy preservation against attacks

    Usually, there are four types of attacks faced by continuous queries: the homogeneity attack, the query sampling attack, the replay attack, and the query tracking attack.

    2.4.1. Homogeneity attack

    The homogeneity attack (Bettini et al., 2007) is launched when there is a lack of diversity among users in the anonymizing set with respect to locations or queries. To counter the query homogeneity attack, Liu et al. (2009) defined query l-diversity to ensure that all queries in the same anonymizing set are different enough that a query is hard to link to a certain user.

    2.4.2. Query sampling attack

    To defend against the query sampling attack (Chow and Mokbel, 2007; Pan et al., 2012), Chow and Mokbel (2007) introduced the concept of k-sharing region, i.e., a cloaked region not only covers at least k users but is treated as the cloaked region by at least k users.

    2.4.3. Replay attack

    Wang and Liu (2009) presented the replay attack model, which estimates the likelihood of some locations being a user's actual positions by rerunning the anonymizing algorithm. It should be noted that the resilience to the replay attack is correlated with the anonymizing algorithm itself.

    2.4.4. Query tracking attack

    The query tracking attack (Chow and Mokbel, 2007) identifies potential query issuers by linking consecutive snapshots. To defend against this attack, Chow and Mokbel (2007) utilized the memorization property, which memorizes the users in a cloaked region of a continuous query at the time when the query is initiated.

    In our work, typical attacks faced by continuous queries are resisted by tailoring the cloaking algorithm for road networks. Features of moving trend, velocity difference, and distance difference are considered. To facilitate the cloaking process, we construct a hierarchical structure of road networks, and corresponding maintenance strategies are provided in case of road network updates.

    3. System model

    In this section, we formulate the privacy-preserving problem first, then introduce the privacy profile and the corresponding privacy-preserving mechanism. Finally, we show the implementation strategies.

    3.1. Problem formulation

    We define the underlying road network and the privacy problem to be addressed.

    3.1.1. The underlying road network

    We consider a space restricted by the underlying road network, which is represented by a weighted directed graph $G = (V, E)$, where the vertex set $V = \{v_0, v_1, \dots, v_N\}$ stands for road junctions, and the edge set $E = \{(v_i, v_j) \mid v_i, v_j \in V\}$ represents road segments connecting two junctions $v_i$ and $v_j$. The listed order $v_i v_j$ indicates the direction of the road segment from $v_i$ to $v_j$. Note that in our model, the direction of a user's movement is preserved. When no confusion occurs, and to simplify, we do not explicitly mention the directions of the underlying road network in the figures of subsequent sections.

    We use $d(v)$ to denote the degree of a vertex $v$ in $V$. Specifically, a vertex with $d(v) = 1$ is called an end vertex, an intermediate vertex has $d(v) = 2$, and an intersection vertex has $d(v) \ge 3$. Each edge $e$ in $E$ is associated with a non-negative weight $w(e)$, which represents the cost of traversing the edge from one vertex to the other. The cost can be the travel distance, trip time or toll of the corresponding road. In our system, we weigh edges with the travel distance and order the vertices in the road network; based on this order, we define the moving direction towards the vertex with the larger number as positive, otherwise it is negative. In our work, all mobile users are assumed to reside on edges.

    Combined with the underlying road network, the trace of a user $u$ issuing a continuous query is a sequence of connected edges $T_u = \{(v_{s1}, v_{e1}), (v_{s2}, v_{e2}), \dots, (v_{sn}, v_{en})\}$, where $v_{si}$ and $v_{ei}$ denote the start node and the end node, respectively, of the $i$th edge passed by $u$, and $v_{ei} = v_{s(i+1)}$.

    3.1.2. Problem settings

    In continuous location-based services, a query has three statuses: (1) New: a newly initiated query is called a new query. (2) Active: a query that was created before but not terminated yet is an active query. (3) Expired: a query reaching its expiring time and being terminated is called an expired query. For a new query, a mobile user sends it to an LBS provider in the form of $\langle u, l, T_{init}, T_{exp}, Con \rangle$, where $u$ is the identifier of the user, $l$ is the user's current location (latitude and longitude), $T_{init}$ represents the query initiating time, $T_{exp}$ is the query expiring time, and $Con$ is the query text, such as “Inform me of the nearest petrol station in the next 30 min”. Once it turns active, the user only needs to update his location $l$ together with his identifier $u$ and send them to the LBS provider, because the provider preserves $Con$ until $T_{exp}$. During the query lifetime, the LBS provider serves the user by answering the query periodically (e.g., every 30 s) with the updated locations.

    Both locations and query contents are exposed to the LBS providers, which may be untrustworthy. Considering that some LBS need users' exact locations for service provision, we try to preserve the query privacy of a user. In our system, we introduce a trusted third party to cloak a user with others into a cloaked user set $S_u$. Correspondingly, the cloaked segment set $S_{sg}$ contains the segments that users in $S_u$ reside on, and the queries sent by users in $S_u$ form the cloaked query set $Q$.

    3.1.3. Attack model

    In order to explain our methods accurately, we establish the attack model against which the protection is designed. Generally, two characteristics are used to describe an attacker: background knowledge and attacks. We first specify an attacker's background knowledge and then describe the attacks he performs in order to steal privacy and harm individuals.

    We assume that users' locations and the answers to queries reveal nothing about query content, that is, the query issued by a user is unknown even if his locations are leaked. The background knowledge $BK$ of an attacker about user $u$ is assumed to include:

    1. $u$'s exact locations during his query lifetime.
    2. $u$'s cloaked user set $S_u$ and the corresponding query set $Q$ for each snapshot.
    3. The privacy-preserving algorithms.

    Given the employed privacy-preserving algorithms, the users' exact locations, and the cloaked user and query sets generated by the privacy-preserving algorithms, the attacker can run four typical attacks, which are the ones most frequently and specifically mounted against continuous queries, namely the query sampling attack (Chow and Mokbel, 2007; Pan et al., 2012), query tracking attack (Chow and Mokbel, 2007), replay attack (Wang and Liu, 2009), and homogeneity attack (Bettini et al., 2007). All of them aim to find out associations between users and queries.

    Since the homogeneity attack is due to a lack of diversity, we use query entropy to measure the diversity of a cloaked query set, which will be explained in Section 3.2. With the diversity requirement, the homogeneity attack is naturally resisted by the privacy-preserving algorithms; therefore, we only consider the other three attacks. Generally, once the attacker obtains the background knowledge, he tries to infer some private information of interest about the users' query content, such as linking a user's exact location to a specific query and thereby gaining access to the query content. Nevertheless, users are cloaked together in a region in the form of a cloaked user set, and the queries sent by them are grouped into a cloaked query set. Therefore, the problem of linking a user's exact location to his actual query is probabilistic, and the output of an attack can be a probability distribution over the possible associations. Hence, we define linkability to quantify the vulnerability of our framework under the three typical attacks.

    Definition 1 (Linkability). The linkability of query $q$ to user $u$ under $BK$, denoted as $link[u \leftarrow q \mid BK]$, is the probability that an attacker can infer that $q$ is issued by $u$ among the users in the cloaked user set $S_u$.

    Query sampling attack (Chow and Mokbel, 2007): The query sampling attack exploits the fact that when the distribution of users' locations is not uniform, cloaked user sets overlap with each other. Therefore, some users can be cloaked into two or more sets, which increases the probability of linking a query to its issuer.

    The query sampling attack can be formalized as follows: suppose there are three users $u_1, u_2, u_3$, respectively issuing queries $q_1, q_2, q_3$. $S_{u1}$, containing $u_1$ and $u_2$, is the cloaked user set of $u_1$, while $S_{u2}$, containing $u_2$ and $u_3$, is that of $u_2$. An attacker can infer $link[u_1 \leftarrow q_1 \mid BK] = 1$, as $u_1$ only belongs to $S_{u1}$.

    Query tracking attack (Chow and Mokbel, 2007): In continuous queries, users continuously report their locations to LBS providers. The query tracking attack can link consecutive time snapshots together to identify a query issuer, although he is cloaked with other users.

    Suppose user $u$ issues query $q$. At time $t_1$, he is cloaked into a user set $S_{u1}$ and the corresponding query set is $Q_1$. Hence, the linkability is $link[u \leftarrow q \mid BK] = 1/|Q_1|$. As time passes, more cloaked sets are generated, denoted as $S_{ui}$ and $Q_i$ for time $t_i$. As the query issuer must be in all the cloaked user sets, an attacker links the sets and the linkability becomes $link[u \leftarrow q \mid BK] = 1/|Q_1 \cap Q_2 \cap \dots \cap Q_n|$.

Replay attack (Wang and Liu, 2009): In the replay attack, we assume that an attacker has full knowledge of the cloaking algorithm. By rerunning the cloaking algorithm with an element of the cloaked user set assumed to be the query issuer, the attacker estimates the likelihood that this user generated the cloaked set.

An attacker replays the cloaking process as follows: for each user $u_i \in S_u$, (1) re-runs the cloaking algorithm by taking $u_i$ as the query issuer of query q to generate a cloaked set $S'_{u_i}$, with $|S_u| = |S'_{u_i}|$; (2) calculates the probability of $u_i$ to issue q, that is, $Prob[S_u \mid u_i, BK] = |S_u \cap S'_{u_i}| / |S_u|$; and (3) selects the $u_i$ with the largest probability value as the query issuer. The linkability is

$$link[u \leftarrow q \mid BK] = \frac{Prob[S_u \mid u, BK]}{\sum_{i=0}^{n} Prob[S_u \mid u_i, BK]} \cdot \frac{1}{|Q|}.$$

Y. Wang et al. / Journal of Network and Computer Applications 53 (2015) 57–73 60

In this paper, we aim to prevent linking a continuous location-based query to a specific user, i.e., to achieve low linkability, under the query sampling attack, query tracking attack, and replay attack.
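The linkability computations of Section 3.1.3, as an added Python example that is not part of the paper: two constructed toy cloaking functions (an issuer-centred nearest-k cloaker and a reciprocal bucket cloaker, neither of which is the paper's algorithm) are replayed exactly as steps (1)–(3) describe, and the query tracking intersection is evaluated over constructed query sets. With the constructed positions the issuer-centred cloaker reaches the 1/2 · 1/|Q| worst case that Section 5.1 discusses, while the reciprocal one stays at 1/|S| · 1/|Q|.

```python
from fractions import Fraction


def nearest_k_cloak(issuer, positions, k):
    """Issuer-centred cloaking (constructed toy): the issuer plus the k-1 users
    nearest to it along a single road, ranked by distance from the issuer."""
    ranked = sorted(positions, key=lambda u: abs(positions[u] - positions[issuer]))
    return frozenset(ranked[:k])


def bucket_cloak(issuer, positions, k):
    """Reciprocal cloaking (constructed toy): users are partitioned into fixed
    groups of k along the road, so every member of a group gets the same set."""
    ranked = sorted(positions, key=positions.get)
    for start in range(0, len(ranked), k):
        group = frozenset(ranked[start:start + k])
        if issuer in group:
            return group
    raise ValueError("issuer not among the users")


def replay_linkability(cloak, issuer, positions, k, query_set_size):
    """Replay attack (Section 3.1.3): rerun the cloaking algorithm with each
    member u_i of S_u as issuer, score Prob[S_u | u_i] = |S_u ∩ S'_{u_i}| / |S_u|,
    normalise over the members, and multiply the issuer's share by 1/|Q|."""
    s_u = cloak(issuer, positions, k)
    probs = {}
    for ui in s_u:
        s_prime = cloak(ui, positions, k)
        assert len(s_prime) == len(s_u)          # |S_u| = |S'_{u_i}| as in step (1)
        probs[ui] = Fraction(len(s_u & s_prime), len(s_u))
    total = sum(probs.values())
    linkability = probs[issuer] / total * Fraction(1, query_set_size)
    return linkability, probs


def tracking_linkability(query_sets):
    """Query tracking attack: the issuer's query is in every snapshot's cloaked
    query set, so link = 1 / |Q_1 ∩ Q_2 ∩ ... ∩ Q_n| (None if nothing is common)."""
    common = frozenset.intersection(*map(frozenset, query_sets))
    return Fraction(1, len(common)) if common else None


# Constructed sample: six users at positions (km) along one road, k = 3,
# and a cloaked query set with two distinct queries (|Q| = 2).
POSITIONS = {"A": 0.0, "B": 1.0, "C": 1.6, "D": 1.9, "E": 2.1, "F": 5.0}

if __name__ == "__main__":
    link_nearest, scores = replay_linkability(nearest_k_cloak, "A", POSITIONS, 3, 2)
    print("issuer-centred cloaking:", link_nearest, dict(scores))   # 1/4
    link_bucket, _ = replay_linkability(bucket_cloak, "A", POSITIONS, 3, 2)
    print("reciprocal cloaking:", link_bucket)                      # 1/6
    print("query tracking:", tracking_linkability([{"q1", "q3"}, {"q1", "q2", "q3"}]))
```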

    3.2. Privacy profile

As mentioned above, $S_u$, $S_{sg}$ and Q respectively signify the cloaked user set, cloaked segment set, and corresponding query set. A road segment is a sequence of edges $(v_0v_1, v_1v_2, \ldots, v_{m-1}v_m)$, among which only $v_0$ and $v_m$ are intersection vertices or end vertices. The generated $S_u$, $S_{sg}$ and Q should satisfy a user's personalized privacy requirements defined in his privacy profile in the form of $(k_{local}, k_{global}, l_{local}, l_{global}, L_{max}, Dis_{max})$. They define privacy requirements mainly from four aspects: k-anonymity, l-diversity, maximum length and maximum distance.

3.2.1. k-anonymity

A query obeys k-anonymity (Chow and Mokbel, 2007) if it could be issued by any of k users. In our system, a query issuer is cloaked with at least k−1 other indistinguishable users to achieve k-anonymity.

$k_{local}$ and $k_{global}$ are requirements of k-anonymity. $k_{local}$ ensures that the user is cloaked with at least $k_{local}-1$ other users at each snapshot. As for $k_{global}$, it indicates that the number of common users in the intersection of the cloaked sets for consecutive snapshots in a continuous query is at least $k_{global}$. The query tracking attack would fail, as the query issuer is still indistinguishable from $k_{global}-1$ other users even if an attacker links all the cloaked sets. For a continuous query composed of n snapshots, we maintain that

$$|S_{u_i}| \geq k_{local}, \qquad |S_{u_1} \cap S_{u_2} \cap \cdots \cap S_{u_n}| \geq k_{global}$$

where $S_{u_i}$ $(i = 1, 2, \ldots, n)$ is the cloaked user set of the ith snapshot.

3.2.2. Query l-diversity

For a cloaked query set Q, given an integer l, it satisfies query l-diversity if the query entropy of this set is equal to or greater than $\log(l)$.

Similar to yellow pages companies categorizing different businesses, we classify queries into different categories according to the Points of Interest (POIs), such as hospitals and restaurants. For example, a user issuing the query "Report me the nearest petrol station every 5 min in the next 30 min" seems to be interested in petrol stations; hence, the query pertains to the petrol station category. The set of categories is denoted as $C = \{c_1, c_2, \ldots, c_n\}$. Suppose that the query categories are already known, and that the accurate query contents cannot be inferred from these categories. For a specific query q pertaining to category $c_i$, the query entropy H is defined as

$$H = -\sum_i p_i \log p_i$$

where $p_i$ is the percentage of queries pertaining to $c_i$ in Q:

$$p_i = \frac{|\{q \mid q \in Q,\ q.c = c_i\}|}{|Q|}$$

Query l-diversity is introduced to resist the homogeneity attack (Bettini et al., 2007). Similar to the k-anonymity restriction, we have $l_{local}$-diversity and $l_{global}$-diversity for each single cloaked query set and for the intersection of all the sets. So we have

$$H(Q(S_{u_i})) \geq \log l_{local}, \qquad H(Q(S_{u_1} \cap S_{u_2} \cap \cdots \cap S_{u_n})) \geq \log l_{global}$$

where $Q(S_{u_i})$ is the set of cloaked queries issued by users in $S_{u_i}$, and $H(\cdot)$ is the entropy function.

3.2.3. Maximum length

A query fulfills the maximum length restriction when the total length of road segments in the cloaked segment set $S_{sg}$ is not larger than the pre-defined maximum value.

In our system, it restricts the total weight of segments in $S_{sg}$ to $L_{max}$, that is,

$$L(S_{sg}) \leq L_{max}$$

where $L(\cdot)$ is the total length of edges in $S_{sg}$.

$L_{max}$ is introduced to limit the expansion of the cloaked set, which may raise computation and communication costs as more candidate results are generated. The maximum length requirement is especially important in a coarse area where the population density is particularly low, because a large cloaked segment set is needed to satisfy k-anonymity. When k-anonymity cannot be achieved within the maximum length restriction, we can generate dummy queries consistent with the query context (Pingley et al., 2011). Hence, the user's privacy is preserved, as the attacker cannot tell the real query from the dummies. Generating dummies is another topic in location-based query privacy preservation, which is not the focus of this paper.

3.2.4. Maximum distance

A query satisfies the maximum distance requirement only if the distance between the query issuer and any of the other cloaked users is less than the pre-defined maximum distance, denoted as $Dis_{max}$ in our framework. Then for each user $u_i \in S_u$, it holds that

$$Dis(u, u_i) \leq Dis_{max}$$

where u is the query issuer and $Dis(u, u_i)$ is the length of the shortest path from u to $u_i$. It plays an important role especially when users in an area have a high probability of requesting a certain category of queries.

    3.3. Privacy-preserving mechanism

First of all, we present the basic concepts in our privacy-preserving mechanism. Then, we show the qualifications for users to be cloaked.

3.3.1. Snet and Snet hierarchy

In the road network, a portion conceptually covered by a cluster (or community) can represent a potentially cloaked segment set. Inspired by privacy-preserving techniques partitioning the spatial domain into cells in Euclidean space, we construct sub-graphs of the road network recursively bottom-up. Each sub-graph is named an Snet, which is the basic cloaking unit in our system.

Definition 2 (Snet). For a given road network graph $G = (V, E)$, an Snet is a sub-graph of G, denoted as $Sn = (V_s, B_s, E_s)$, where $V_s$, $B_s$, and $E_s$ respectively denote the vertex set, border vertex set, and edge set in Sn, such that:

1. $E_s \subseteq E$.
2. $V_s = \{v \mid (v, v') \in E_s \lor (v', v) \in E_s\}$, where $(v, v')$ is the edge linking v and v'.
3. $B_s = V_s \cap \{v \mid (v, v') \in E' \lor (v', v) \in E'\}$, where $E' = E - E_s$.

Figure 2 shows two Snets (in the dashed frame) of the road network graph G (in the solid frame). For the left Snet, the corresponding vertex set $V_s$ is $\{v_1, v_2, v_3\}$, the edge set $E_s$ contains $(v_1, v_3)$ and $(v_2, v_3)$, and the border vertex set $B_s$ is $\{v_3\}$ because the edge $(v_3, v_5)$ does not belong to the edge set $E_s$. Similarly, for the right Snet, the corresponding vertex set $V'_s$ is $\{v_3, v_4, v_5\}$, the edge set $E'_s$ contains $(v_3, v_5)$ and $(v_4, v_5)$, and the border vertex set $B'_s$ is $\{v_3, v_5\}$ because the edges $(v_1, v_3)$, $(v_2, v_3)$, and $(v_5, v_7)$ are not in the edge set $E'_s$. In addition, because the two Snets share the border vertex $v_3$, they are called neighboring Snets.

We build the underlying road network into an Snet hierarchy by constructing Snets in a bottom-up manner, where Snets at upper levels are formed by Snets at lower levels. For simplicity, we require that an Snet is composed of at most two sub-Snets. At each level, the road network is viewed as a graph of interconnected Snets. Specifically, each Snet at level 0 represents an original segment of the road network. There is only one Snet at the top level $h_t$, which covers the entire road network.

While constructing an Snet $Sn(h+1, \cdot)$ at level h+1 from two sub-Snets $Sn(h, i)$, $1 \leq i \leq 2$, at level h, where $Sn(h+1, \cdot) = (V_s(h+1, \cdot), B_s(h+1, \cdot), E_s(h+1, \cdot))$, the following three conditions must hold:

1. Edges of Snets at level h are disjoint, i.e., $\forall i\, \forall j,\ i \neq j \rightarrow E_s(h, i) \cap E_s(h, j) = \emptyset$.

2. Edges in an Snet at level h only connect vertices in the same Snet, i.e., $\forall m\, \forall j,\ m \neq j,\ (v_m, v_j) \in E_s(h, i) \rightarrow v_m \in (V_s(h, i) \cup B_s(h, i)) \land v_j \in (V_s(h, i) \cup B_s(h, i))$.

3. For an Snet at level h+1 to be constructed, $Sn(h+1, \cdot) = (V_s(h+1, \cdot), B_s(h+1, \cdot), E_s(h+1, \cdot))$, where $V_s(h+1, \cdot)$ and $E_s(h+1, \cdot)$ are unions of the corresponding sets in the sub-Snets and $B_s(h+1, \cdot)$ is the union of the corresponding sets of the sub-Snets' border vertices, that is,
   $V_s(h+1, \cdot) = \bigcup_{1 \leq i \leq 2} V_s(h, i)$;
   $E_s(h+1, \cdot) = \bigcup_{1 \leq i \leq 2} E_s(h, i)$;
   $B_s(h+1, \cdot) = \bigcup_{1 \leq i \leq 2} B_s(h, i) - \{v \mid v \in \bigcup_{1 \leq i \leq 2} B_s(h, i) \lor [(v, v') \in E_s(h+1, \cdot) \lor (v', v) \in E_s(h+1, \cdot)]\}$.

Definition 3 (Transition probability). The transition probability from edge i to edge j is the probability that users on edge i will move to j. It can be pre-computed from history traces by counting the times that users on i transfer into j: the transition probability is the count of transitions from edge i to edge j divided by the total number of transitions from edge i to all other edges.

Algorithm 1. Building the Snet hierarchy.

Input: G = (V, E)
Output: Sn(0, ·), Sn(1, ·), …, Sn(ht, ·).
1: h ← 0, each e ∈ E is denoted by Sn(0, j), Vinter ← ∅, Econ ← ∅, flag(e) = 0
2: while h < ht do
3:   for v ∈ V do
4:     if d(v) ≥ 3 then
5:       Vinter ← Vinter ∪ {v}
6:     end if
7:   end for
8:   for vinter ∈ Vinter do
9:     Econ ← Econ ∪ {(·, vinter)} ∪ {(vinter, ·)}
10:    if (∃ econ ∈ Econ) & (flag(econ) = 0) & (d(v') = 1 || d(v') = 2), (vinter, v') = econ || (v', vinter) = econ then
11:      initiation edge einit ← econ
12:    else
13:      einit ← elargest, where (elargest ∈ Econ) & flow(Econ) is the largest
14:    end if
15:    Sn(h+1, j) ← merge einit with the highest transition probability edge etranmax
16:    if length L(Sn(h+1, j)) ≤ 2^h · Dis(E) then
17:      flag(etranmax) = 1; flag(einit) = 1
18:    else
19:      flag(einit) = 1
20:    end if
21:  end for
22:  for e' ∈ E do
23:    if flag(e') = 0 then
24:      Sn(h+1, j) ← {e'}
25:    end if
26:  end for
27:  each Sn(h+1, j) is denoted by an edge enew, E ← {enew}
28:  h ← h + 1
29: end while
30: return Sn(0, ·), Sn(1, ·), …, Sn(ht, ·)

Generally, vertices with larger degrees play more important roles in road networks. Hence, we select intersection vertices and the corresponding edges to initiate the construction process. Among all the neighboring edges, we give priority to those connected to an intermediate vertex or an end vertex. In case there is neither an intermediate nor an end vertex connected, we select the edge carrying the largest historical user flow as the initial edge. Then the edge that users are most likely to transfer into from the initial edge (i.e., the one with the highest transition probability) is selected to form an Snet. The formed Snet is further denoted by an edge at a higher level, which connects with neighboring Snets through the common border vertices. We recursively perform the Snet construction steps until the underlying road network is merged into one Snet at the top level $h_t$. An edge that is not merged with others forms an Snet at the higher level by itself. To balance privacy preservation and system costs, we restrict the maximum total length of edges in an Snet to the value $L_{max}$. Supposing the average edge length of the underlying road network is Dis(E), we use $2^h \cdot Dis(E)$ as the maximum length limitation for Snets at level h, because there are at most $2^h$ edges in an Snet at level h. The detailed process of building the Snet hierarchy is shown in Algorithm 1.

Fig. 1. Euclidean space and road networks. (For interpretation of the references to color in this figure caption, the reader is referred to the web version of this article.)

Figure 3 shows an example of building the Snet hierarchy for the road network in Fig. 2. We use an edge to denote an Snet; the Snets encircled at the lower level will be constructed into a parent Snet at the upper level. The blue vertex $v_5$ is deliberately selected for the Snet construction process. The arrow indicates the transition direction from edge $(v_4, v_5)$ to edge $(v_5, v_3)$.

In a special case, each edge at level 0 (the raw underlying road network) constructs an Snet. For example, $(v_1, v_3)$ denotes Snet Sn(0, 1). Sn(1, 1) represents an Snet formed by $(v_1, v_3)$ and $(v_2, v_3)$ at level 0. For the Snet construction, intersection vertex $v_5$ is selected. We pick $(v_5, v_4)$ as the initiation edge, because it connects an end vertex $v_4$. We merge it with $(v_3, v_5)$, which has the highest transition probability from $(v_5, v_4)$ among the neighboring edges (edges sharing a common border vertex). Thus, we get Snet Sn(1, 2) at level 1. Similarly, Snets Sn(1, 2) and Sn(1, 3) are represented by edges at level 1, and their neighboring Snets Sn(1, 1), Sn(1, 4), and Sn(1, 5) are connected through vertices $v_3$ and $v_7$. The Snet hierarchy construction process continues until the entire road network is merged into a single Snet Sn(4, 1) at the fourth level.
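The Snet of Definition 2, the transition probability of Definition 3 and the merge step of Algorithm 1 (steps 15–20), as an added Python example that is not the authors' code: the road network extends the Fig. 2 graph with constructed edges and lengths, the history traces are constructed, and the length bound is applied as the text states it, $2^h \cdot Dis(E)$ for an Snet at level h (so the level-1 Snet being built is bounded by 2 · Dis(E)). Border vertices are recomputed from Definition 2 after a merge, which is what makes the shared vertex $v_3$ stop being a border vertex once both Snets of Fig. 2 are joined.

```python
from collections import Counter, defaultdict


def vertices(edges):
    """All vertices touched by a set of edges (edges are (v, v') tuples)."""
    return {v for e in edges for v in e}


class Snet:
    """A sub-graph Sn = (Vs, Bs, Es) of G = (V, E) following Definition 2:
    Vs holds the endpoints of Es, and Bs is the subset of Vs that is also an
    endpoint of some edge in E - Es, i.e. the vertices that lead out of the Snet."""

    def __init__(self, edges, road_edges):
        self.Es = frozenset(edges)
        self.Vs = vertices(self.Es)
        self.Bs = self.Vs & vertices(set(road_edges) - self.Es)

    def length(self, weight):
        return sum(weight[e] for e in self.Es)

    def is_neighbor(self, other):
        """Neighboring Snets share at least one border vertex."""
        return bool(self.Bs & other.Bs)


def transition_probabilities(traces):
    """Definition 3: P(i -> j) = (# moves from edge i to edge j) / (# moves out of i),
    counted over history traces given as sequences of edges."""
    moves = defaultdict(Counter)
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            moves[src][dst] += 1
    return {src: {dst: n / sum(c.values()) for dst, n in c.items()}
            for src, c in moves.items()}


def merge_step(init, candidates, trans, road_edges, weight, new_level, avg_len):
    """One merge of Algorithm 1: join the initiation Snet with the neighboring Snet
    its users most often move into, provided the merged length stays within
    2^new_level * Dis(E); otherwise init is carried up as an Snet by itself."""
    best, best_p = None, 0.0
    for cand in candidates:
        if cand is init or not init.is_neighbor(cand):
            continue
        p = sum(trans.get(i, {}).get(j, 0.0) for i in init.Es for j in cand.Es)
        if p > best_p:
            best, best_p = cand, p
    if best is None:
        return init, best_p
    merged = Snet(init.Es | best.Es, road_edges)
    if merged.length(weight) > 2 ** new_level * avg_len:
        return init, best_p
    return merged, best_p


# Constructed road network extending the Fig. 2 example; values are edge lengths (km).
ROAD = {("v1", "v3"): 1.0, ("v2", "v3"): 1.0, ("v3", "v5"): 1.2,
        ("v4", "v5"): 1.0, ("v5", "v7"): 2.0, ("v6", "v7"): 1.0}
# Constructed history traces: most users on (v4,v5) continue onto (v3,v5).
TRACES = [[("v4", "v5"), ("v3", "v5"), ("v1", "v3")]] * 3 + [[("v4", "v5"), ("v5", "v7")]]


def build_level1_from_v5():
    """Reproduce the Fig. 3 step: initiation edge (v4,v5) merges with (v3,v5)."""
    level0 = [Snet({e}, ROAD) for e in ROAD]
    init = next(s for s in level0 if ("v4", "v5") in s.Es)
    avg_len = sum(ROAD.values()) / len(ROAD)
    return merge_step(init, level0, transition_probabilities(TRACES),
                      ROAD, ROAD, 1, avg_len)


if __name__ == "__main__":
    sn, p = build_level1_from_v5()
    print(sorted(sn.Es), "border:", sorted(sn.Bs), "p =", p)
```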

3.3.2. Cloaking qualifications

Based on the Snet hierarchy, our system generates cloaked sets for users meeting predefined privacy profiles. To satisfy the $k_{local}$ and $l_{local}$ requirements, we expand the cloaked set in a bottom-up manner from Snets at level 0. The expansion process is terminated when the $L_{max}$ requirement is violated. Simultaneously, a user whose distance to the query issuer is longer than $Dis_{max}$ is kicked out. As for the $k_{global}$ and $l_{global}$ requirements, we try to keep users staying in the same Snet in the same set in the long run.

There are three features that affect which Snet a user will enter and when he will enter it in the future: transfer behavior, velocity, and distance to a border vertex. We use the moving trend to describe the transfer behavior that a user enters a certain Snet after leaving the previous one. Users moving into the same Snet in the future have the same moving trend. We treat users' velocities as vectors composed of moving directions and speed magnitudes, and the velocity difference is used to measure the velocity variations between users. Users with a low velocity difference are more likely to stay close in the future. Similarly, we use the distance difference to express users' difference in distance to the border vertex that they will pass through. Users with a low distance difference are prone to stay in the same Snet. Thus, while selecting candidate users for cloaking, we prefer those with a similar moving trend, low velocity difference, and low distance difference compared to the query issuer.

Moving trend: Users' moving trend can be modeled as a Markov chain on the set of neighboring Snets of the current Snet Sn. Let $P^{Sn}$ be the transition matrix of Sn; the element $p^{Sn}_{ij}$, $i = 1 \ldots m$, $j = 1 \ldots n$, of $P^{Sn}$ is the transition probability of users from edge i of Sn to Snet j, where m is the number of edges in Sn and n is the number of neighboring Snets of Sn.

Figure 4 shows an example of a transition matrix. Let $P^{Sn(1,2)}$ be the transition matrix of Snet Sn(1, 2) with edges $(v_3, v_5)$ and $(v_4, v_5)$. Supposing the first row of $P^{Sn(1,2)}$, denoted as $p^{Sn(1,2)}_{1,\cdot}$, represents the transition probability of $(v_3, v_5)$ to the neighboring Snets Sn(1, 1) and Sn(1, 3) respectively, then correspondingly $p^{Sn(1,2)}_{2,\cdot}$ is the transition probability from $(v_4, v_5)$ to Sn(1, 1) and Sn(1, 3). User $u_1$, denoted by a red rectangle, is moving along edge $(v_5, v_3)$ in Sn(1, 2). Obviously, $u_1$ has a higher probability to enter Sn(1, 1) after leaving Sn(1, 2).

Fig. 2. An example of Snet.

Fig. 3. An example of Snet hierarchy. (For interpretation of the references to color in this figure caption, the reader is referred to the web version of this article.)

Velocity difference: The difference between two users' velocities should consider both the moving direction and the magnitude. However, only users having the same moving trend need to check the velocity difference; those with opposite directions are already filtered out. Thus, we take only the magnitude into account while calculating the velocity difference. The velocity difference $VL_{diff}$ between users $u_i$ and $u_j$ is defined as

$$VL_{diff}(u_i, u_j) = \big|\, |vl_i| - |vl_j| \,\big|$$

where $|vl_i|$ and $|vl_j|$ are the velocity magnitudes of $u_i$ and $u_j$. Users qualified to be cloaked together should follow the velocity difference restriction ζ:

$$VL_{diff}(u_i, u_j) \leq \zeta$$

Distance difference: The road network distance d(u, v) between user u and vertex v is defined as the sum of the edge weights along the shortest path from u to v. In our system, u will pass through v while entering the predicted Snet; v is a common border node of the two neighboring Snets. When there is more than one common border node, v is the one nearest to u. Users $u_i$ and $u_j$ may enter the same Snet through different vertices, denoted as $v_i$ and $v_j$. Then the distance difference between the users and the vertices they may pass through is calculated as

$$D_{diff}(u_i, u_j) = |d(u_i, v_i) - d(u_j, v_j)|$$

Thus, users qualified to be cloaked together should further satisfy the distance difference restriction θ in the equation below:

$$D_{diff}(u_i, u_j) \leq \theta$$

    3.4. Framework implementation

In this section, we show the system architecture of our privacy-preserving framework. Then the storage scheme of the Snet hierarchy is discussed.

3.4.1. System architecture

Figure 5 shows the system architecture. It consists of three components: mobile users, the trusted Anonymizing Server (AS), and the LBS provider. A mobile user sends a query through the privacy phone agent to the AS with his privacy profile in the form of $\langle u, l, p, T_q, T_{exp}, Con \rangle$, where $u, l, T_q, T_{exp}$ and Con mean the same as in Section 3.1.2, p denotes the user-defined privacy profile $\langle k_{local}, k_{global}, l_{local}, l_{global}, L_{max}, Dis_{max} \rangle$ discussed in Section 3.2, and l is the user's location obtained by the positioning device. When the AS receives a query from a mobile user, the cloaking engine generates cloaked sets with the cloaking algorithms presented in Section 4. The AS sends the queries issued by the cloaked users to the LBS provider, which returns the candidate results to the AS; the AS follows the users and keeps track of their locations. The results refiner improves the results based on the users' accurate locations and forwards the refined results to the privacy phone agent. The phone agent further transfers the results to the LBS applications. For a query in Active status, the mobile user periodically updates his location until it turns Expired.

Fig. 4. An example of transition matrix. (For interpretation of the references to color in this figure caption, the reader is referred to the web version of this article.)

Fig. 5. System architecture.

Fig. 6. The storage scheme.

3.4.2. Snet storage scheme

Because the Snet at level h+1 is formed by at most two Snets at level h, we use a binary tree T to store the Snet hierarchy, which maintains the parent–child relationship of Snets at each level. Each Snet consisting of $(V_s, E_s, B_s)$ is kept as a node. For each node, we store the transition matrix of the Snet discussed in Section 3.3.2. The total length of segments in the Snet is precomputed and stored in the node as well.

Figure 6 illustrates the storage structure of the Snet hierarchy in Fig. 3. Let the ith Snet at level h be Sn(h, i), L(Sn(h, i)) be the total length of edges in Sn(h, i), and $P^{Sn}$ be the transition matrix of Sn(h, i). For our cloaking algorithms, the cloaked users are in the same tree node. In other words, for a query issuer residing in Snet Sn(0, j), the users cloaked with him will be those in Sn(0, j) or in one of its ancestors in the binary tree T.

    4. Cloaking algorithms

We present two types of privacy-preserving algorithms based on the Snet hierarchy. The first one, consisting of Algorithms 2 and 3, is designed for a single user; the other, composed of Algorithms 4 and 5, is for a batch of users. Recall that in the Snet construction process, an edge is merged with the edge that has the highest transition probability. Hence, our algorithms treat the Snet as the basic cloaking unit and retrieve the binary tree storing the Snet hierarchy in a bottom-up manner. According to the users' cloaking qualifications discussed in Section 3.3.2, our algorithms first retrieve the Snet at level 0, then select users with a similar moving trend that satisfy the velocity difference and distance difference restrictions predefined by our system. The candidate sets are formed by the selected users, after which the users' privacy profiles are checked. If the candidate set cannot fulfill the users' privacy profiles, the algorithms search its parent Snet. These steps continue until the users' privacy profiles are satisfied, or the top level of the Snet hierarchy is reached. If no qualified cloaked set is generated, the corresponding queries are terminated. As all queries sent to the LBS providers have to pass through the AS, the queries are cut off from the LBS providers if they are dropped by the AS. Hence, users' privacy is preserved.

Compared with the first type of algorithms for a single user, the second type aims to improve the efficiency of our privacy-preserving framework. It generates a cloaked set for a batch of users simultaneously to decrease the cloaking time. In addition, the user's privacy is enhanced because the query sampling attack can be resisted by sharing the cloaked set among users.

    4.1. Algorithms for a single user

We present algorithms for a single user in this section. When a sequence of users arrives, Algorithm 2 finds qualified users in an Snet at a certain level to form the candidate cloaked set for each user. Algorithm 3 generates the cloaked sets for a single user.

Algorithm 2. Selecting qualified users.

Input: query q<u, l, p, Tq, Texp, Con>, Snet Sn(h, i) and edge e of user u, binary tree T.
Output: candidate cloaked set S1.
1: predicting moving trend Sn(h, j) of u, Se ← ∅, S1 ← ∅
2: for (ei in Sn(h, i)) & (ei ≠ e) do
3:   if moving trend of users in ei = Sn(h, j) then
4:     Se ← Se ∪ {ei}
5:   end if
6: end for
7: for ui residing in Se do
8:   if (VLdiff(u, ui) ≤ ζ) & (Ddiff(u, ui) ≤ θ) then
9:     S1 ← S1 ∪ {ui}
10:  end if
11: end for
12: return S1

Table 1
Example of privacy profile.

User  Query  Query category  klocal  llocal  kglobal  lglobal
A     qA     c1              2       2       2        2
B     qB     c2              3       2       2        2
C     qC     c1              3       3       3        2
D     qD     c3              3       3       3        2
E     qE     c3              2       2       2        2

Table 2
Example of cloaked user set and query set.

User  S1         Q1            S2         Q2            S3         Q3
A     {A, E}     {q1, q3}      {A, E}     {q1, q3}      {A, E}     {q1, q3}
B     {A, B, D}  {q1, q2, q3}  {A, B, D}  {q1, q2, q3}  {A, B, E}  {q1, q2, q3}
C     {B, C, E}  {q1, q2, q3}  {B, C, E}  {q1, q2, q3}  {B, C, E}  {q1, q2, q3}
D     {A, B, D}  {q1, q2, q3}  {A, B, D}  {q1, q2, q3}  {A, B, D}  {q1, q2, q3}
E     {A, E}     {q1, q3}      {A, E}     {q1, q3}      {A, E}     {q1, q3}

Table 3
Example of cloaked user set and query set.

User  S1         Q1            S2         Q2            S3         Q3
A     {A, E}     {q1, q3}      {A, E}     {q1, q3}      {A, E}     {q1, q3}
B     {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}
C     {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}
D     {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}  {B, C, D}  {q1, q2, q3}
E     {A, E}     {q1, q3}      {A, E}     {q1, q3}      {A, E}     {q1, q3}

Table 4
Experiment parameters.

Parameters                        Values                      Default  Unit
Number of users                   2000                        2000     –
Number of snapshots               50                          50       –
Local privacy (klocal, llocal)    2–5, 3–6, 4–7, 5–8, 6–9     2–5      /
Distance limit                    1, 2, 3, 4, 5, 6            5        km

When selecting qualified users at each level, Algorithm 2 first predicts the Snet that user u will move into when leaving the original one (step 1). Then it predicts the moving trend of the users staying in the same Snet as u, and picks out those having the same moving trend as u (steps 2–6). Among all the users picked out, only those satisfying the velocity difference and distance difference restrictions are selected as qualified cloaked users (steps 7–11).

Algorithm 3. Cloaking for a single user.

Input: query q<u, l, p, Tq, Texp, Con>, binary tree T.
Output: cloaked set Si of the ith snapshot, 1 ≤ i ≤ m (totally m snapshots).
1: if q is New then
2:   map l on edge e, find Sn(0, j) containing e in T
3:   Ctemp = Sn(0, j), h ← 0, S1 ← ∅
4:   while (|S1| < klocal) || (H(Q(S1)) < log llocal) do
5:     S1 ← Selecting Qualified Users(q, Ctemp, e, T)
6:     Ctemp ← Ctemp's parent node, h ← h + 1
7:   end while
8:   if L(Ctemp) > Lmax then
9:     suppress the query
10:  end if
11:  return S1
12: else
13:  for uj ∈ (S1 ∪ S2 ∪ ⋯ ∪ Si−1) do
14:    if Distance(u, uj) ≤ Dismax then
15:      Si = Si ∪ {uj}
16:    end if
17:  end for
18:  if (|Si ∩ S1 ∩ S2 ∩ ⋯ ∩ Si−1| ≥ kglobal) & (H(Q(Si ∩ S1 ∩ S2 ∩ ⋯ ∩ Si−1)) ≥ log(lglobal)) then
19:    return Si
20:  else
21:    suppress the query
22:  end if
23: end if

As shown in Algorithm 3, user u sends a query in the form of <u, l, p, Tq, Texp, Con>. When receiving a query q in New status from user u, the AS maps l into the road network. Algorithm 3 treats Sn(0, j), which contains the edge e where u resides, as the initial cloaked set (step 2). Sn(0, j) is a leaf node in the binary tree T. The algorithm traverses the binary tree until the k-anonymity and l-diversity requirements of u are fulfilled (steps 3–7). When the total length of edges in the cloaked set is larger than Lmax, the algorithm stops (steps 8–10). If the query is in Active status, the algorithm checks the common users in the previous i−1 cloaked sets and adds those satisfying the distance restriction into the cloaked set (steps 13–17). The kglobal and lglobal-diversity requirements are also checked (steps 18–22).
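Algorithm 3 together with the privacy-profile checks of Section 3.2 (k-anonymity, query l-diversity, Lmax and Dismax), as an added Python example that is not the authors' code: the Snet hierarchy is a constructed binary tree (Section 3.4.2) whose leaves hold the resident users, the query categories follow Table 1, road distances are a constructed position table standing in for the shortest-path distance, and the moving-trend, velocity and distance-difference qualifications of Algorithm 2 are assumed to hold for every user in a node. The Lmax check is applied to each Snet before it is accepted, which is how steps 4–10 behave when the expansion reaches the top of the tree.

```python
import math
from collections import Counter


def query_entropy(users, category):
    """H = -sum p_i log p_i over the query categories present in the cloaked set."""
    n = len(users)
    counts = Counter(category[u] for u in users)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def meets(users, category, k, l):
    """k-anonymity and query l-diversity of one cloaked set (Section 3.2);
    the small tolerance absorbs floating-point error in the entropy sum."""
    return len(users) >= k and query_entropy(users, category) >= math.log2(l) - 1e-9


def users_in(node, tree):
    """All users residing in the Snet node or in any Snet below it in the tree."""
    kids = tree[node]["children"]
    return set(tree[node].get("users", ())).union(*(users_in(c, tree) for c in kids))


def cloak_new(issuer, leaf, profile, tree, category, dist):
    """Algorithm 3, New status: climb from the leaf Snet through its ancestors until
    k_local and l_local hold. Users farther than Dis_max are dropped, and an Snet
    longer than L_max suppresses the query (returns None)."""
    node = leaf
    while node is not None:
        if tree[node]["length"] > profile["L_max"]:
            return None                                   # steps 8-10: suppress
        s1 = {u for u in users_in(node, tree) if dist(issuer, u) <= profile["Dis_max"]}
        if meets(s1, category, profile["k_local"], profile["l_local"]):
            return s1
        node = tree[node]["parent"]                       # step 6: expand upward
    return None                                           # top of T reached


def cloak_active(issuer, previous, profile, category, dist):
    """Algorithm 3, Active status: keep users of the earlier cloaked sets that are
    still within Dis_max, then require k_global and l_global on the common part."""
    si = {u for u in set().union(*previous) if dist(issuer, u) <= profile["Dis_max"]}
    common = si.intersection(*previous)
    if meets(common, category, profile["k_global"], profile["l_global"]):
        return si
    return None                                           # steps 20-22: suppress


# Constructed Snet hierarchy (binary tree of Section 3.4.2); leaves e1..e4 hold users,
# every node stores its total segment length as Section 3.4.2 describes.
TREE = {
    "root": {"parent": None,   "children": ["Sn11", "Sn12"], "length": 6.0},
    "Sn11": {"parent": "root", "children": ["e1", "e2"],     "length": 2.5},
    "Sn12": {"parent": "root", "children": ["e3", "e4"],     "length": 3.0},
    "e1": {"parent": "Sn11", "children": [], "length": 1.0, "users": ["A"]},
    "e2": {"parent": "Sn11", "children": [], "length": 1.5, "users": ["E"]},
    "e3": {"parent": "Sn12", "children": [], "length": 1.0, "users": ["B", "D"]},
    "e4": {"parent": "Sn12", "children": [], "length": 2.0, "users": ["C"]},
}
# Query categories as in Table 1; positions (km along one road) are constructed.
CATEGORY = {"A": "c1", "B": "c2", "C": "c1", "D": "c3", "E": "c3"}
POSITION = {"A": 0.0, "B": 4.0, "C": 6.0, "D": 4.5, "E": 1.0}
PROFILE_C = {"k_local": 3, "l_local": 3, "k_global": 3, "l_global": 2,
             "L_max": 5.0, "Dis_max": 3.0}


def road_distance(u, v):
    """Stand-in for the shortest-path distance Dis(u, v) of Section 3.2.4."""
    return abs(POSITION[u] - POSITION[v])


if __name__ == "__main__":
    s1 = cloak_new("C", "e4", PROFILE_C, TREE, CATEGORY, road_distance)
    print("snapshot 1:", s1)                              # {'B', 'C', 'D'}
    print("snapshot 2:", cloak_active("C", [s1], PROFILE_C, CATEGORY, road_distance))
```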

    4.2. Algorithms for a batch of users

As multiple queries may arrive at the AS simultaneously, cloaking for each user separately is inefficient. Following the reciprocity principle, we propose an optimized algorithm composed of Algorithms 4 and 5, which generates cloaked sets for a batch of users at one time. On the other hand, algorithms for a single user are vulnerable to the query sampling attack. Therefore, we introduce the k-sharing method to resist this attack. In our system, the generated cloaked set is shared by all users in it. Thus, while generating the cloaked set qualified for all users in it, we enforce the strictest privacy requirements of all the users cloaked, i.e., klocalmax, kglobalmax, llocalmax, lglobalmax, Lmaxmin, Dismaxmin. klocalmax, kglobalmax, llocalmax and lglobalmax indicate the maximum values of klocal, kglobal, llocal, lglobal defined by the users in the candidate cloaked set, and Lmaxmin and Dismaxmin stand for the minimum values of the user-defined Lmax and Dismax restrictions. When the strictest privacy requirements cannot be satisfied, the user requesting those requirements is kicked out of the candidate cloaked set. Similar to the first type of algorithms for a single user, the second type of algorithms for a batch of users includes two parts: Algorithm 4 selects the qualified users, and Algorithm 5 generates the cloaked set for a batch of users.

Algorithm 4. Selecting qualified users in batches.

Input: query set {q<u, l, p, Tq, Texp, Con>}, Snet set {Sn}, and binary tree T.
Output: a set of candidate cloaked sets {Si}.
1: for Sn(h, i) ∈ {Sn} do
2:   {CL} ← ∅, {Si} ← ∅
3:   if (u ∈ U(Sn(h, i))) & (Lmax(u) < L(Sn(h, i))) then
4:     U(Sn(h, i)) ← U(Sn(h, i)) − {u}
5:   end if
6:   for u ∈ U(Sn(h, i)) do
7:     predicting its moving trend Sn(h, j)
8:   end for
9:   {CL} ← {CL} ∪ {CL | CL ← {users with the same Sn(h, j)}}
10: end for
11: for CLi ∈ {CL} do
12:   put the users in CLi satisfying ((VLdiff(ui, uj) ≤ ζ) and (Ddiff(ui, uj) ≤ θ)) into Si
13: end for
14: return {Si}

For the uncloaked users, Algorithm 4 removes each user u violating its Lmax(u) restriction (steps 2–4). Then it predicts the moving trend of all the users and clusters those with the same moving trend together (steps 5–8). For each clustered user set, those following the velocity difference and distance difference restrictions are selected as the qualified users (steps 10–12).

Algorithm 5 maps all users into the road network and finds the corresponding Snets in the binary tree (steps 3–6). It repeatedly selects qualified users until the klocalmax and llocalmax values of all users in the Snet are fulfilled (steps 9–12). When there are no candidates in the cloaked set or the traversal goes beyond the top level, we suppress the users with the klocalmax or llocalmax requirements and traverse back one level (steps 13–20). The cloaked set is shared by all users residing in it. For the following snapshots, for each cloaked set, we check the maximum distance limit of all users residing in the previous i−1 cloaked sets (steps 28–32), after which the kglobal and lglobal requirements are also checked (steps 33–35).


4.3. The framework maintenance

To maintain the long-term effectiveness of our framework, we discuss the maintenance strategy in the presence of updates to users' history traces and changes to the road network structure.

4.3.1. Users' history traces update

The population density and the transition probability of each Snet are calculated based on users' history traces. For a new user moving from edge a to edge b, only the population of edges a and b and the transition probability from a to b should be increased. Hence, we update the population density of edge a and edge b, and the transition matrix of the Snet containing edge a is also updated. Because users' movements have localization properties, the population density stays stationary under the influence of users' history traces in the long run. Hence, we keep the Snet hierarchy structure unchanged.

4.3.2. Road network structure update

As rebuilding the Snet hierarchy leads to expensive cost, we prefer to incrementally update the Snet hierarchy when the road network structure changes. Because we directly use the existing map information, the update frequency of the Snet hierarchy is consistent with that of the map, which may be about every six to twelve months. The road network is modeled as a weighted directed graph; therefore, its structural changes come in two forms, i.e., change of edge lengths and change of edge relations.

1. Change of edge lengths: When an edge length changes (e.g., travel distance, trip time, or toll cost increases/decreases), the total length of the Snets containing the edge should be updated.

2. Change of edge relations: When new roads are constructed or existing roads are closed, the network topology changes. These changes can be depicted as adding or deleting edges in the Snet hierarchy.
   Adding a new edge: A newly added edge (v, v') connects vertex v and v'. Let the edge set connecting v be $E_v$, and that connecting v' be $E'_v$. If all edges in $E_v$ and $E'_v$ belong to the same Snet at level 1, edge (v, v') is merged with that Snet. Otherwise, (v, v') is added to the Snet having the most neighboring edges. Snets at the parent level are updated recursively.
   Deleting an existing edge: When removing an edge (v, v') from the road network, it affects the Snets containing (v, v'). As a result, we only update the Snets containing (v, v') by deleting it from their edge sets.

Algorithm 5. Cloaking for a batch of users.

Input: query set {q<u, l, p, Tq, Texp, Con>}, binary tree T.
Output: set of the cloaked sets {Si} of the ith snapshot, 1 ≤ i ≤ m (totally m snapshots), Sij ∈ {Si}.
1: if {q} is New then
2:   C ← ∅, h ← 0, {S1} ← ∅
3:   for qi ∈ {q} do
4:     map qi on edge ei, find Sn(0, j) containing ei in T
5:     C = C ∪ Sn(0, j)
6:   end for
7:   Ctemp ← C, {S1} ← selecting qualified users in batches(q, C, T)
8:   for S1i ∈ {S1} do
9:     while (|S1i| < klocalmax) || (H(Q(S1i)) < log(llocalmax)) do
10:      S1temp ← selecting qualified users in batches(q, Ctemp, T)
11:      S1i ← S1temp, Sn(h, j) ← Sn(h, j)'s parent node, h ← h + 1, Ctemp = {Sn(h, j)}
12:    end while
13:    if (Sn(h, j) = Sn(ht, j)) || (S1i = ∅) then
14:      Sn(h, j) ← Sn(h, j)'s child node
15:      while (|S1i| < klocalmax) || (H(Q(S1i)) < log(llocalmax)) do
16:        if (u ∈ S1i) & ((klocal = klocalmax) || (llocal = llocalmax)) then
17:          S1i ← S1i − {u}
18:        end if
19:      end while
20:    end if
21:    {S1} = {S1} ∪ S1i
22:  end for
23:  for u ∈ ({q} − {S1}) do
24:    mark u as New
25:  end for
26:  return {S1}
27: else
28:  for ui ∈ (S1j ∪ S2j ∪ … ∪ S(i−1)j) do
29:    if distance(u, ui) ≤ Dismaxmin then
30:      Sij = Sij ∪ {ui}
31:    end if
32:  end for
33:  if (|Sij ∩ S1j ∩ S2j ∩ … ∩ S(i−1)j| ≥ kglobalmax) & (H(Q(Sij ∩ S1j ∩ S2j ∩ … ∩ S(i−1)j)) ≥ log(lglobalmax)) then
34:    {Si} = {Si} ∪ Sij
35:  end if
36:  return {Si}
37: end if

    5. Attack resilience analysis

    In this section, we analyze the proposed algorithms' resilience to the query sampling attack, query tracking attack, and replay attack.

    5.1. Algorithms for a single user

    Replay attack: Under the replay attack (Section 3.1.3), an attacker repeatedly runs the algorithms to generate $S'_i$ with $u$ as the input. It can be seen that $S_i \cap S'_i$ contains $u$. The linkability satisfies
    $$\frac{1}{|S| \cdot |Q|} \le link[u \to q \mid BK] < \frac{1}{((|S|-1)|S|+1) \cdot |Q|}.$$
    Hence, an attacker can identify the query issuer with the maximum probability $1/2$ iff $|S \cap S'_i| = 1$ with regard to all $S'_i$. However, this is practically impossible. Users in the cloaked set share the same predicted moving trend, within the velocity difference and the distance difference restrictions, i.e., all the users in the cloaked set tend to stay in nearby road segments, that is, $|S \cap S'_i| \gg 1$.

    Query sampling attack: Under the query sampling attack (Section 3.1.3), an attacker observes the cloaked set samples $S_1, S_2, \ldots, S_i$ with the corresponding query sets $Q_1, Q_2, \ldots, Q_i$. Hence, the linkability can be calculated as $link[u \to q \mid BK] = 1/|Q_1 \cap Q_2 \cap \cdots \cap Q_i|$.

    Query tracking attack: By considering the characteristic of the query tracking attack (Section 3.1.3), we introduce the principle of $k_{global}$ and $l_{global}$. The number of common users should be at least $k_{global}$ and the entropy of the common query set should not be less than $\log(l_{global})$. Consequently, the probability of identifying a specific user's query, i.e., the linkability $link[u \to q \mid BK]$, is $1/|Q_1|$ at least and $1/l_{global}$ at most.

    In addition, an attacker can combine the replay attack, query sampling attack, and query tracking attack to infer a user's query content. As a result, the linkability changes to
    $$link[u \to q \mid BK] = \frac{link[S \mid u, BK]}{\sum_{u_i \in S} link[S \mid u_i, BK]} \cdot \frac{1}{\left|\sum_{t=1}^{n} \sum_{i=1}^{m} \bigcap Q_{it}\right|},$$
    where $Q_{it}$ represents the query set $Q_i$ containing $u$ at time $t$, $n$ is the number of snapshots and $m$ is the number of sets containing $u$. Accordingly, the linkability to a specific user is
    $$link[u \to q \mid BK] = \frac{1}{\left|\sum_{t=1}^{n} \sum_{i=1}^{m} \bigcap Q_{it}\right|}.$$

    Example 1. We suppose that there are five users in the system. Their privacy profiles are partially listed in Table 1. The cloaked user set $S_i$ and its corresponding query set $Q_i$ of each user for snapshot $i$ are shown in Table 2. In Table 2, $q_j$ means a query pertaining to category $c_j$.

    We suppose that an attacker observes a cloaked user set sample {A, E} and the corresponding query set sample {q1, q3}, but the attacker does not know for whom the set is generated nor the relations between the queries and the users. Hence the attacker runs the algorithms respectively with A and E as the input and gets the same cloaked results. However, he still does not know the query issuer. $Prob[S \mid A, BK]$ is calculated as $\frac{|\{A, E\} \cap \{A, E\}|}{|\{A, E\}|} = 1$, and so is $Prob[S \mid E, BK]$. Hence, the linkability of the replay attack is
    $$link[A \to q_1 \mid BK] = \frac{Prob[S \mid A, BK]}{Prob[S \mid A, BK] + Prob[S \mid E, BK]} \cdot \frac{1}{2} = \frac{1}{4}.$$
    It is because the attacker cannot be sure that A is the issuer and does not know that A's query is $q_1$. Under the query sampling attack, if the attacker observes that A is in {A, E}, {A, B, D} at the first snapshot, he can infer that A's query must be in {q1, q3} with probability 1/2. For the query tracking attack, if the attacker knows B's cloaked user set and cloaked query set during snapshots 1, 2, and 3, he can infer B's query with probability $1/|Q_1 \cap Q_2 \cap Q_3| = 1/3$.

    Fig. 7. Privacy-preserving ability evaluation.

    5.2. Algorithms for a batch of users

    Because a cloaked set is generated for all users in it, the algorithms for a batch of users can effectively defend against the replay attack and query sampling attack. Therefore, we only analyze their resilience to the query tracking attack (Section 3.1.3). Similarly, the probability of identifying a specific user's query, i.e., the linkability $link[u \to q \mid BK]$, is $1/l_{global}$ at the most. The association between all users and queries has at least
    $$\sum_{i=0}^{l_{global}} (-1)^i \binom{l_{global}}{i} (l_{global} - i)^{k_{global}}$$
    kinds of assignments. Hence, the probability that an attacker successfully infers the user's query is
    $$1 \Big/ \sum_{i=0}^{l_{global}} (-1)^i \binom{l_{global}}{i} (l_{global} - i)^{k_{global}}.$$

    Fig. 8. Snapshots maintenance evaluation.

    Fig. 9. Quality of service evaluation.

    Example 2. Suppose there are the same five users as shown in Table 1. Their cloaked user set $S_i$ and corresponding query set $Q_i$ for snapshot $i$ are listed in Table 3. If an attacker knows user A's cloaked user set and query set during snapshots 1, 2 and 3, he can infer A's query with probability $1/|Q_1 \cap Q_2 \cap Q_3| = 1/2$.
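    The query tracking analysis of Section 5.1 (linkability $1/|Q_1 \cap \cdots \cap Q_i|$ and the $k_{global}$/$l_{global}$ check), the assignment count of Section 5.2, and the achieved values $K_{global}$ and $L_{global}$ that Section 6.1.1 multiplies into the privacy metric all reduce to a few set operations on the per-snapshot cloaked sets. The Python below is an added illustration, not the authors' code. Tables 2 and 3 are not reproduced on this page, so the snapshot data is constructed; the function names are mine, and the symbols follow the paper.

```python
"""Query tracking linkability, the global k/l check, the assignment count of
Section 5.2 and the K_global * L_global privacy metric (added example, not the
authors' code). The cloaked user sets and query sets per snapshot below are
constructed sample data standing in for Tables 2 and 3."""
import math
from fractions import Fraction

# Constructed: for one continuous query, snapshot i -> (S_i, Q_i), where S_i
# is the cloaked user set and Q_i the cloaked query set (one query per category).
SNAPSHOTS = [
    ({"A", "B", "D"}, {"q1", "q2", "q3", "q4"}),
    ({"B", "C", "D"}, {"q1", "q2", "q3"}),
    ({"B", "D", "E"}, {"q1", "q2", "q3", "q5"}),
]


def common_users(snapshots):
    """S_1 ∩ S_2 ∩ ... ∩ S_i: the users an attacker sees in every snapshot."""
    return set.intersection(*(s for s, _ in snapshots))


def common_queries(snapshots):
    """Q_1 ∩ Q_2 ∩ ... ∩ Q_i: the queries that survive every snapshot."""
    return set.intersection(*(q for _, q in snapshots))


def tracking_linkability(snapshots):
    """link[u -> q | BK] = 1 / |Q_1 ∩ ... ∩ Q_i| (Section 5.1, query tracking)."""
    common = common_queries(snapshots)
    if not common:
        raise ValueError("empty common query set: the issuer's query was dropped")
    return Fraction(1, len(common))


def meets_global_profile(snapshots, k_global, l_global):
    """Defence of Section 5.1 / Algorithm 5 line 33: at least k_global common
    users and H(common queries) >= log(l_global). With one query per category
    the common queries are equiprobable, so H = log2(|Q|) and the entropy test
    amounts to |Q| >= l_global."""
    queries = common_queries(snapshots)
    entropy = math.log2(len(queries)) if queries else 0.0
    return (len(common_users(snapshots)) >= k_global
            and entropy >= math.log2(l_global) - 1e-12)


def achieved_privacy(snapshots):
    """Section 6.1.1 metric on the achieved values: K_global * L_global."""
    return len(common_users(snapshots)) * len(common_queries(snapshots))


def surjective_assignments(k_global, l_global):
    """Assignments of k_global users to l_global query categories that use
    every category: sum_{i=0}^{l} (-1)^i C(l, i) (l - i)^k, the
    inclusion-exclusion count of Section 5.2. It is 0 when k_global < l_global."""
    return sum((-1) ** i * math.comb(l_global, i) * (l_global - i) ** k_global
               for i in range(l_global + 1))


def inference_probability(k_global, l_global):
    """Probability that an attacker guesses the right user-to-query assignment."""
    count = surjective_assignments(k_global, l_global)
    if count == 0:
        raise ValueError("k_global must be at least l_global for a valid assignment")
    return Fraction(1, count)


if __name__ == "__main__":
    print(tracking_linkability(SNAPSHOTS))        # Fraction(1, 3)
    print(meets_global_profile(SNAPSHOTS, 2, 3))  # True
    print(achieved_privacy(SNAPSHOTS))            # 6
    print(inference_probability(3, 2))            # Fraction(1, 6)
```

    Note that the entropy shortcut in `meets_global_profile` holds only because each category contributes one query here; with several queries per category the check must compute the full Shannon entropy of the common query multiset, as the generic form in Algorithm 5 does.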

    6. Experiments and evaluations

    In this section, we evaluate the effectiveness of our proposed algorithms. As there is, to our knowledge, no privacy-preserving approach for continuous queries in road networks, we compare with another algorithm named V-DCA (Wang et al., 2012b) designed for Euclidean space. V-DCA is a continuous query privacy-preserving approach taking the velocity and acceleration features of users into consideration while cloaking. However, it does not take the underlying road network into consideration, let alone build a network hierarchy to facilitate the cloaking process. The evaluation criteria and metrics are presented, followed by the experiment setup description. Then, the evaluation results are discussed in detail.

    6.1. Evaluation criteria and metrics

    We evaluate the algorithms from three aspects: privacy-preserving ability, quality of service and performance. Cloaking algorithms generate cloaked sets for users meeting their privacy profiles. The predefined parameters, such as $k_{global}$ and $k_{local}$, are users' privacy requirements. However, the effectiveness of the algorithms depends on the values actually achieved by the cloaked set. Hence, we use the achieved values as the metrics to evaluate our framework. Correspondingly, we denote these values as $K_{local}$, $K_{global}$, $L_{local}$, $L_{global}$, $Len$, and $Dis$.

    6.1.1. Privacy-preserving ability

    For a continuous query, the privacy level depends on the common users and their queries of all the cloaked sets. We use privacy to measure the privacy level of a user in a continuous query, which can be computed as
    $$privacy = K_{global} \times L_{global}.$$
    Higher privacy means better privacy preservation. Similarly, we use the number of successfully cloaked snapshots $n$ to measure the maintenance of algorithms. A better privacy-preserving method can provide service for a user longer, that is, larger $n$.

    6.1.2. Quality of service

    We evaluate the quality of service with the average distance of users in a cloaked segment set $S_{sg}$, as query answers are more accurate within a smaller cloaked region. Hence, a smaller value of distance indicates better quality of service. While cloaking for a single user, the average distance $D_{avg}(u, S_{sg_i})$ of the cloaking segment set $S_{sg_i}$ of the $i$th snapshot is calculated as
    $$D_{avg}(u, S_{sg_i}) = \frac{\sum_{i=1}^{K_{local}-1} D(u, u_i)}{K_{local} - 1}$$
    where $u$ is the query issuer and $u_i$ represents user $i$ cloaked with $u$ in $S_{sg_i}$. The average distance $D_{avg}(u)$ of $n$ consecutive snapshots is
    $$D_{avg}(u) = \sum_{i=1}^{n} D_{avg}(u, S_{sg_i}) / n.$$
    Meanwhile, for a batch of users, the average distance is
    $$D_{avg}(U, S_{sg_i}) = \frac{\sum_{j=1}^{K_{local}-1} D_{avg}(u_j, S_{sg_i})}{K_{local}}$$
    where $U$ is the user set and $u_j$ represents user $j$ residing in $U$. The average distance of $n$ consecutive snapshots is
    $$D_{avg}(U) = \sum_{i=1}^{n} D_{avg}(U, S_{sg_i}) / n.$$

    Fig. 10. Success ratio evaluation.

    6.1.3. Performance

    We evaluate the performance of our framework from two aspects: cloaking success ratio and cloaking time.

    1. Cloaking success ratio: It is the percentage of users that are successfully cloaked:
    $$SR = \frac{\sum |S|}{|U|}$$
    where $S$ is the set of successfully cloaked users and $U$ is the set of all the query issuers. A higher cloaking success ratio corresponds to better performance.

    2. Cloaking time: We use $t_i$ to represent the cloaking time for snapshot $i$. For a well-performing privacy-preserving mechanism, the cloaking time should be short enough to achieve an enjoyable user experience.

    6.2. Experiment setup

    We use Thomas Brinkhoff's Network-based Generator of Moving Objects (Brinkhoff, 2002) on the road map of Oldenburg. 2000 mobile users are generated moving along the road network at medium speed for 50 snapshots. Users' privacy requirements, such as $k_{local}$ and $l_{local}$, are set randomly within a certain range. For example, the default range of $k_{local}$ and $l_{local}$ is 2–5. The maximum distance limit mentioned in Section 3.2 ranges from 1 km to 6 km. Parameters used in our experiment are listed in Table 4. The default values are used if they are not specifically described in the following experiments.

    The simulation experiments are carried out using a PC with a dual-core 2.13 GHz CPU, 4 GB RAM, and the Windows 7 32-bit Ultimate operating system. We implement the algorithms in C++. For all the graphs, SINGLE denotes the proposed cloaking algorithms for a single user, and correspondingly BATCH denotes those for a batch of users. We run each experiment ten times and take the average values as the evaluation results. The standard deviation error bars are negligible.

    6.3. Evaluation results

    Figure 7 shows the privacy-preserving abilities of V-DCA and the two types of algorithms we proposed. It can be seen from Fig. 7(a) that our algorithms perform better than V-DCA when the distance exceeds 4 km. Specifically, the privacy of SINGLE remains constant until the distance limit exceeds 4 km, while the privacy of BATCH grows linearly and performs the best among them. Figure 7(b) shows that the privacy of V-DCA and SINGLE stays nearly stable with the change of $k_{local}$ and $l_{local}$ (named local privacy), while that of BATCH keeps increasing and stays much higher than V-DCA and SINGLE. As shown in Fig. 7(c), over time, i.e., with the snapshot number going up, the privacy of BATCH keeps the highest among the three algorithms.

    Fig. 11. Cloaking time evaluation.

    The results of Fig. 7 indicate that BATCH provides the best privacy preservation among the three algorithms. Generally, SINGLE performs better than V-DCA.

    Figure 8 shows that all three algorithms provide privacy preservation for more snapshots with the growth of the distance limit or the increase of the local privacy value (i.e., $k_{local}$ and $l_{local}$). In Fig. 8(a), V-DCA performs well with a strict distance limit and maintains a relatively smaller number of snapshots when the distance limit exceeds 3 km. SINGLE performs better than V-DCA because of its consideration of users' moving trend and distance relations. BATCH is more easily influenced by the distance limit because it needs to balance the privacy requirements, users' velocities and the distance among users in a cloaked region. It performs the best and can achieve nearly 50 snapshots with a looser distance limit. Figure 8(b) shows that local privacy can hardly affect the maintenance of SINGLE or BATCH. They perform well even if local privacy is very low. V-DCA can successfully cloak for 50 snapshots when local privacy is larger than 4. This is because more users are cloaked for the first snapshot and are candidates to be chosen into the cloaked sets for the following snapshots. The results of Fig. 8 indicate that a looser distance limit and a higher local privacy are conducive to the maintenance of queries. However, the number of maintained snapshots grows slowly while the distance limit and local privacy increase greatly.

    We use average distance to measure the quality of service. As shown in Fig. 9, BATCH has a larger average distance than the other two because it considers all users instead of the centered user in the cloaked region to provide an efficient cloaking function. Since we take the moving trend and distance difference into the cloaking process, SINGLE can provide better quality of service than V-DCA in the long run. The three algorithms can effectively select users staying together in the following snapshots because of their consideration of users' movement features. In addition, all of them perform fairly steadily with the change of distance limit, local privacy and snapshot numbers. Combined with Figs. 7 and 8, it can be seen that our proposed algorithms have a good balance between privacy and quality of service.

    Figure 10 evaluates the success ratio as influenced by the distance limit and the local privacy. It is obvious that SINGLE and BATCH obtain a higher success ratio than V-DCA under the same distance limit and local privacy requirements, because they take the underlying road network properties into account. Furthermore, BATCH performs the best due to the validity of the cloaked set for all the users within the region. Our proposed algorithms can maintain many more users than V-DCA in the long run. Especially, BATCH can successfully anonymize about 45 percent of users even at the 50th snapshot.

    Figure 11 shows the average cloaking time for each user with these three algorithms. It can be seen that SINGLE takes approximately one tenth of the time that V-DCA takes, and BATCH only takes about a twentieth of the time that SINGLE takes except for the first snapshot. The main reason is that SINGLE and BATCH are based on the Snet hierarchy structure, which improves the speed of retrieving users to be cloaked together. Furthermore, BATCH cloaks for a batch of users instead of for a single user at one time; as a result, it is more efficient.

    From all the evaluated results, we can conclude that our proposed algorithms achieve better privacy preservation than V-DCA while maintaining quality of service and improving the success ratio. Due to the initial process of building the Snet hierarchy, the cloaking time can be decreased.

    7. Conclusion

    In this paper, we proposed a fast continuous LBS query privacy-preserving framework in road networks. As shown above, the framework considers the topological properties of the road network when providing privacy-preserving mechanisms for a single user and a batch of users. The analysis and experimental results indicate that our algorithms can resist typical attacks and preserve users' query privacy effectively in road networks.

    References

    Bamba B, Liu L, Pesti P, Wang T. Supporting anonymous location queries in mobile environments with PrivacyGrid. In: 17th international conference on World Wide Web (WWW); 2008. p. 237–46.

    Bao J, Chen H, Ku WS. Pros: a peer-to-peer system for location privacy protection on road networks. In: 17th ACM SIGSPATIAL international conference on advances in geographic information systems (GIS); 2009. p. 552–3.

    Bettini C, Jajodia S, Pareschi L. Anonymity and diversity in LBS: a preliminary investigation. In: 5th IEEE international conference on pervasive computing and communications workshops (PERCOMW); 2007. p. 577–80.

    Brinkhoff T. A framework for generating network-based moving objects. GeoInformatica 2002;6(2):153–80.

    Chor B, Kushilevitz E, Goldreich O, Sudan M. Private information retrieval. J ACM 1998;45.

    Chow C-Y, Mokbel MF. Enabling private continuous queries for revealed user locations. In: Proceedings of 10th international conference on advances in spatial and temporal databases (SSTD); 2007. p. 258–73.

    Chow C-Y, Mokbel MF, Bao J, Liu X. Query-aware location anonymization for road networks. GeoInformatica 2011;15(3):571–607.

    Domingo-Ferrer J. Microaggregation for database and location privacy. In: 6th international conference on next generation information technologies and systems (NGITS); 2006. p. 106–16.

    Durr F, Skvortsov P, Rothermel K. Position sharing for location privacy in non-trusted systems. In: 2011 IEEE international conference on pervasive computing and communications (PERCOM); 2011. p. 189–96.

    Freudiger J, Shokri R, Hubaux J-P. On the optimal placement of mix zones. In: 9th international symposium on privacy enhancing technologies (PETS); 2009. p. 216–34.

    Gedik B, Liu L. Protecting location privacy with personalized k-anonymity: architecture and algorithms. IEEE Trans Mob Comput 2008;7(1):1–18.

    Ghinita G, Kalnis P, Khoshgozaran A, Shahabi C, Tan K-L. Private queries in location based services: anonymizers are not necessary. In: Proceedings of the ACM SIGMOD international conference on management of data; 2008.

    Gruteser M, Grunwald D. Anonymous usage of location-based services through spatial and temporal cloaking. In: 1st international conference on mobile systems, applications and services (MobiSys); 2003. p. 31–42.

    Guha S, Jain M, Padmanabhan VN. Koi: a location-privacy platform for smartphone apps. In: Proceedings of the NSDI '12; 2012.

    Huang Y, Vishwanathan R. Privacy preserving group nearest neighbor queries in location-based services using cryptographic techniques. In: Global telecommunications conference (GLOBECOM); 2010. p. 1–5.

    Kalnis P, Ghinita G, Mouratidis K, Papadias D. Preventing location-based identity inference in anonymous spatial queries. IEEE Trans Knowl Data Eng 2007;19(12):1719–33.

    Kolahdouzan M, Shahabi C. Voronoi-based K nearest neighbor search for spatial network databases. In: Thirtieth international conference on very large data bases, vol. 30 (VLDB); 2004. p. 840–51.

    Ku WS, Zimmermann R, Peng WC, Shroff S. Privacy protected query processing on spatial networks. In: 2007 IEEE 23rd international conference on data engineering workshop (PDM); 2007. p. 215–20.

    Li XY, Jung T. Search me if you can: privacy-preserving location query service. In: Proceedings of the IEEE INFOCOM; 2013.

    Liu FY, Hua KA, Cai Y. Query l-diversity in location-based services. In: 2009 tenth international conference on mobile data management: systems, services and middleware (MDM); 2009. p. 436–42.

    Liu XX, Zhao H, Pan M, Yue H, Li X, Fang Y. Traffic-aware multiple mix zone placement for protecting location privacy. In: IEEE INFOCOM; 2012. p. 972–80.

    Mokbel MF, Chow CY, Aref WG. The new Casper: query processing for location services without compromising privacy. In: 32nd international conference on very large data bases (VLDB); 2006. p. 763–74.

    Mouratidis K, Yiu ML. Anonymous query processing in road networks. IEEE Trans Knowl Data Eng 2010;22(1):2–15.

    Narayanan A, Thiagarajan N, Lakhani M, Hamburg M, Boneh D. Location privacy via private proximity testing. In: Proceedings of the network and distributed system security conference; 2011.

    Olumofin F, Tysowski PK, Goldberg I, Hengartner U. Achieving efficient query privacy for location based services. In: 10th international conference on privacy enhancing technologies (PETS); 2010. p. 93–110.

    Palanisamy B, Liu L. MobiMix: protecting location privacy with mix-zones over road networks. In: 2011 IEEE 27th international conference on data engineering (ICDE); 2011. p. 494–505.

    Pan X, Xu J, Meng X. Protecting location privacy against location-dependent attacks in mobile services. IEEE Trans Knowl Data Eng 2012;24(8):1506–19.

    Papadias D, Zhang J, Mamoulis N, Tao Y. Query processing in spatial network databases. In: 29th international conference on very large data bases, vol. 29 (VLDB); 2003. p. 802–13.


    Papadopoulos S, Bakiras S, Papadias D. Nearest neighbor search with strong location privacy. In: Proceedings of the VLDB endowment; 2010.

    Pingley A, Zhang N, Fu XW, Choi H-A, Subramaniam S, Zhao W. Protection of query privacy for continuous location based services. IEEE INFOCOM 2011:1710–8.

    Samarati P, Sweeney L. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical Report SRI-CSL-98-04. Computer Science Laboratory, SRI International; 1998.

    Wang T, Liu L. Privacy-aware mobile services over road networks. In: Proceedings of the VLDB endowment, vol. 2, issue no. 1; 2009. p. 1042–53.

    Wang Y, Xu DB, He X, Zhang C, Li F, Xu B. L2P2: location-aware location privacy protection for location-based services. In: IEEE INFOCOM; 2012. p. 1996–2004.

    Wang Y, He HL, Peng J, Zhang TT, Li HZ. Privacy preserving for continuous query in location based services. In: IEEE 18th international conference on parallel and distributed systems (ICPADS); 2012. p. 213–20.

    Wang Y, Peng J, He LP, Zhang TT, Li HZ. LBSs privacy preserving for continuous query based on semi-honest third parties. In: IEEE 31st international performance computing and communications conference (IPCCC); 2012. p. 384–91.

    Zhong G, Goldberg I, Hengartner U. Louis, Lester and Pierre: three protocols for location privacy. In: Proceedings of the 7th international conference on privacy enhancing technologies; 2007.
