OB-PWS: Obfuscation-Based Private Web Search
Ero Balsa, Carmela Troncoso and Claudia Diaz
ESAT/COSIC, IBBT - KU Leuven
Wednesday, 23 May 2012
Introduction / Modelling OB-PWS / Existing OB-PWS Systems / Summary, future work and conclusions
The Privacy Problem / Our contribution

The Privacy Problem
[Figure: a user's search queries grouped by topic: sports, art, music, HIV treatment, eco activism, cross-dressing, restaurants in Chicago, quit smoking, bio products.]
PRIVACY PROBLEM: Individual search queries and/or profiling may reveal sensitive information.
Some solutions: anonymous communications, PIR, OB-PWS.
⇒ Prevent profiling and provide query deniability.
E. Balsa, C. Troncoso and C. Diaz   Obfuscation-Based Private Web Search   2/13

Our contribution
General model.
Evaluation framework ⇒ with relevant privacy properties (details in the paper).
Analysis of 6 existing systems (4 in this talk).

Abstract model / Evaluation framework

An abstract model for OB-PWS
[Figure: the abstract model. The user issues real queries; a semantic classification algorithm applied to them yields the real profile. A dummy generation strategy produces dummy queries, so the adversary observes unclassified queries (real and dummy mixed) and applies an adversarial semantic classification algorithm to obtain the observed profile. The adversary's dummy classification algorithm splits the unclassified queries into queries classified as real and queries classified as dummies, and a profile filtering algorithm turns the observed profile into a filtered profile.]

An evaluation framework for DGS
A dual analysis is required:
Query-Based Analysis: exploit vulnerabilities in the DGS to distinguish real from dummy queries.
Profile-Based Analysis: exploit vulnerabilities in the DGS to filter the observed profile and recover the real profile.

GooPIR / PDS / PRAW / OQF-PIR

GooPIR: h(k)-Private Information Retrieval from Privacy-Uncooperative Queryable Databases [1]
A k-anonymity inspired approach.
Prevents attacks based on:
Timing/metadata.
Popularity of queries.
Statistical disclosure.
However, it does not consider the topic of the queries. ⇒ No dummy indistinguishability.

PDS: Plausibly Deniable Search [2]
[Figure: for each real query, PDS sends dummies from other categories. Real queries Lion, Leopard and Tiger (category CATS) are accompanied by dummies Shower, Sink and Toilet (BATHROOM) and Stock, Investing and Shares (BUSINESS).]
[Figure: a second example with real queries Justin Bieber (MUSIC), Toy Story (MOVIES) and Disneyland (AMUSEMENT PARKS) and dummies Napoleon (HISTORY), Einstein (PHYSICS) and BMW (CARS). Under the adversary's own classification, Justin Bieber, Toy Story and Disneyland all fall under KIDS, while Napoleon stays under HISTORY, Einstein under SCIENCE and BMW under CARS.]

PRAW (A PRivAcy model for the Web) [3]
Privacy = dissimilarity.
Dissimilarity ∝ amount of dummy queries.
[Figure: the observed profile and, at a distance that depends on the dummy rate, the high probability region for the real profile.]
Considering prior information Pr[X = X ]:
[Figure: with prior information, several high probability regions for the real profile, at distances from the observed profile that depend on the dummy rate.]

OQF-PIR: Optimized Query Forgery for Private Information Retrieval [4]
Privacy = similarity to the population's average profile.
Exploitable features:
Known target profile.
Amount of dummy queries.
Waterfilling-based DGS.
Query-based Analysis: unpopular queries must be real.
Profile-based Analysis:
[Figure: the average population profile, two bar profiles labelled b < c < a and a = b < c, the dummy rate, and the observed profile equal to the target profile.]
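As an added example (not code from the talk or from the OQF-PIR paper), the following Python toy implements a water-filling DGS over query categories and the two analyses the talk applies to it: the profile-based analysis that uses the known target profile, the known amount of dummies and the water-filling structure, and the query-based analysis that flags queries outside the dummy dictionary as real (the popularity point also raised for GooPIR). Category names, counts, the target profile and the popular-query dictionary are constructed for illustration.

```python
from fractions import Fraction

# Constructed sample data (illustrative, not from the talk): real query counts
# per category, the population's average profile that the DGS imitates, and a
# dictionary of popular queries from which dummies are drawn.
REAL = {"sports": 8, "art": 1, "music": 1}
TARGET = {"sports": Fraction(2, 5), "art": Fraction(3, 10), "music": Fraction(3, 10)}
POPULAR = {"weather", "football results", "cheap flights"}

def waterfill(real, target, n_dummies):
    """Toy water-filling DGS: each dummy goes to the category whose observed
    count is furthest below its target share of the final total.
    Returns (observed counts, dummies added per category)."""
    total = sum(real.values()) + n_dummies
    observed = dict(real)
    dummies = {c: 0 for c in target}
    for _ in range(n_dummies):
        deficit = {c: target[c] * total - observed.get(c, 0) for c in target}
        cat = max(deficit, key=deficit.get)
        observed[cat] = observed.get(cat, 0) + 1
        dummies[cat] += 1
    return observed, dummies

def profile_analysis(observed, target, n_dummies):
    """Profile-based analysis using what the talk lists as exploitable: the
    target profile, the amount of dummies and the water-filling DGS. Greedy
    water-filling only tops up the currently most deficient category, so every
    topped-up category ends within one query of the largest final deficit; a
    category further below that level received no dummies, and its observed
    count is its real count. Returns (low, high) bounds on the real counts."""
    total = sum(observed.values())
    deficit = {c: target[c] * total - observed.get(c, 0) for c in target}
    level = max(deficit.values())
    bounds = {}
    for c in target:
        obs = observed.get(c, 0)
        if deficit[c] < level - 1:
            bounds[c] = (obs, obs)                      # above the water level: exact
        else:
            bounds[c] = (max(0, obs - n_dummies), obs)  # may hide dummies
    return bounds

def query_analysis(queries, dictionary):
    """Query-based analysis: dummies are drawn from the popular-query
    dictionary, so any observed query outside it must be real."""
    return [q for q in queries if q not in dictionary]

if __name__ == "__main__":
    observed, dummies = waterfill(REAL, TARGET, 5)
    print("observed:", observed, "dummies:", dummies)
    print("real-count bounds:", profile_analysis(observed, TARGET, 5))
    print("certainly real:", query_analysis(["weather", "quit smoking"], POPULAR))
```

With the sample data the sports category stays above the water level, so its real count is recovered exactly, while art and music only get an upper bound.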

Systems’ Analysis Summary / Open Problems / Future Work / Conclusions

Systems’ Analysis Summary
Two main categories of DGS:
Query based.
Profile based.
Different definitions of what privacy means:
k-deniability.
The (dis)similarity of profiles.
Ad-hoc analyses and evaluations.

Open problems and future work
Plausibility of dummy queries, e.g., the dictionary issue.
Adversarial modelling, e.g., the adversarial SCA issue.

Conclusions
Abstract model for OB-PWS systems.
Analysis framework ⇒ definition and formalization of relevant privacy properties.
Analysis of 6 existing OB-PWS systems (4 in this talk).
Both profile and query based analyses are needed!

Thank you. Questions?
Main references:
[1] Josep Domingo-Ferrer, Agustí Solanas, and Jordi Castellà-Roca. h(k)-private information retrieval from privacy-uncooperative queryable databases. Online Information Review, 33(4):720–744, 2009.
[2] Mummoorthy Murugesan and Christopher W. Clifton. Plausibly Deniable Search. In Proceedings of the Workshop on Secure Knowledge Management (SKM 2008), November 2008.
[3] Bracha Shapira, Yuval Elovici, Adlay Meshiach, and Tsvi Kuflik. PRAW - A PRivAcy model for the Web. JASIST, 56(2):159–172, 2005.
[4] David Rebollo-Monedero and Jordi Forné. Optimized query forgery for private information retrieval. IEEE Transactions on Information Theory, 56(9):4631–4642, 2010.