Privately Querying Location-based Services with SybilQuery Pravin Shankar, Vinod Ganapathy, and...

Privately Querying Location-based Serviceswith SybilQuery

Pravin Shankar, Vinod Ganapathy, and Liviu IftodeDepartment of Computer Science

Rutgers University

{ spravin, vinodg, iftode } @ cs.rutgers.edu

Sep 9, 2010 IBM Frontiers of Cloud Computing 2010 2

Location-based Services (LBSes)Location-based Services (LBSes)

Implicit assumption: Users agree to reveal their locations for access to services

How is the traffic in the road ahead?

Where is my nearest

restaurant?


Privacy concerns while querying an LBSPrivacy concerns while querying an LBS

• With two weeks of GPS data from a user’s car, we can infer home address (median error < 60 m) [Krumm ‘07]• 5% of people are uniquely identified by their home and work locations even if it is known only at the census tract level [Golle and Partridge ‘09]


Querying an LBSQuerying an LBS

LBS

. . .

Work

loc1

locn

Home

loc2

Client


Work''Work'Work

Basic IdeaBasic Idea

LBS

. . .

Home

ClientHome''Home'

loc1, loc1', loc1

''

loc2, loc2', loc2

''

locn, locn', locn

''


What the LBS seesWhat the LBS sees

Which of these is the real user?


OutlineOutline

• Introduction• SybilQuery Overview• Design Challenges• Implementation• Evaluation and Results• Conclusions and Future Work


SybilQuery OverviewSybilQuery Overview

• Basic Idea: Achieves privacy using synthetic (Sybil) queries

• For each real user trip, the system generates– k-1 Sybil start and end points (termed endpoints)– k-1 Sybil paths

• For each real query made, the system generates– k-1 Sybil Queries


SybilQuery DesignSybilQuery Design


OutlineOutline



SybilQuery ChallengesSybilQuery Challenges

• Endpoint generation:– How to automatically generate synthetic endpoints

similar to a pair of real endpoints?

• Path generation:– How to choose the waypoints of the Sybil path?

• Query generation:– How to simulate motion along the Sybil path?


Endpoint GeneratorEndpoint Generator

• Produces synthetic endpoints that resemble the real source and destination

• High-level idea: – Tag locations with features

– Identify clusters of locations that share similar features

• Feature used in SybilQuery: traffic statistics


Tagging locations with traffic statisticsTagging locations with traffic statistics

• Naïve approach: Annotate locations with descriptive tags– Eg. “parking lot”, “downtown office building”, “freeway” – Laborious manual task

• Our approach: Automatically compute features using a database of regional traffic statistics– Dataset: Month-long GPS traces from the San

Francisco Cabspotter project - 530 unique cabs; 529,533 trips

– Compute traffic density τl for each location from dataset


Path GeneratorPath Generator

• Consults an off-the-shelf navigation service– Our implementation uses

Microsoft Multimap API to obtain waypoints

• Users may not always follow the shortest path to destination– Detours, road closures, user

intention• Computes multiple paths to

the destination (with varying lengths)

• Uses a probability distribution to choose path


Query GeneratorQuery Generator

• Triggered each time the user queries the LBS

• Simulates the motion of users along the Sybil paths

• Uses current traffic conditions to more accurately simulate user movement– Eg. Simulate slower

movement if traffic is congested


Endpoint cachingEndpoint caching

• Attack 1: If a real path P frequented by the user (e.g., commuter paths) is associated with multiple Sybil paths:– P can be statistically identifed as the real path

• Attack 2: After arriving at the first destination, when a user travels to a new location shortly :– Since the real paths share an endpoint, they could be identified

• Solution: Endpoint caching1. For most common trips, Sybil endpoints are cached

2. If the user makes multiple trips from one common endpoint (e.g., home/office), the corresponding Sybil endpoints are cached

3. When the user embarks on a multi-destination trip, the endpoint of a trip is the same as the startpoint of the following trip


Providing path continuityProviding path continuity

• Attack: If a real trip ends before some Sybil trips end– The system stops sending queries– The LBS can differentiate the real path from Sybil paths

• SybilQuery guards against this by being an “always on” tool– continues to simulate movement along Sybil paths even when

the user’s real trip is complete


OutlineOutline



SybilQuery ImplementationSybilQuery Implementation

• An interface akin to navigation systems

• Input:– The source and

destination address for the trip

– A security parameter k• Number of Sybil users

• Query interface:– Integrated with Yahoo!

Local Search


OutlineOutline

• Introduction• SybilQuery Overview• Design Challenges• Implementation • Evaluation and Results• Conclusions and Future Work


Evaluation GoalsEvaluation Goals

1. Privacy• How indistinguishable are Sybil queries from real

queries?

2. Performance• Can Sybil queries be efficiently generated?


Evaluation: PrivacyEvaluation: Privacy

• User Study– Give the working system to adversarial users, who

would try to break the system by find real user paths hidden between Sybil paths

– 15 volunteers

• Methodology– Pick real paths from the Cabspotter traces– Use SybilQuery to generate Sybil paths with different

values of k


Results from user studyResults from user study

k # Questions # Correct Probability

4 75 20 0.26

6 75 14 0.19


User approaches to distinguish queriesUser approaches to distinguish queries

• Contrasting rationale to guess real users– “Circuitous paths”– “Prominent start/end location”– “Odd man out”


Evaluation: PerformanceEvaluation: Performance

• Setup:– Server:

• 2.33 GHz Core2 Duo, 3 GB RAM, 250 GB SATA (7200 RPM)

– Client:• 1.73 GHz Pentium-M laptop, 512 MB RAM, Linux 2.6

– Privacy parameter k = 4 (unless otherwise specified)

• Micro-benchmarks– One-time and once-per-trip costs– Query-response latency of SybilQuery

• Comparison with Spatial Cloaking for Yahoo! local search


One-time and once-per-trip costsOne-time and once-per-trip costs

• One-time cost – preprocessing of traffic database– 2 hours 16 mins (processed 529,533 trips)

• Once-per-trip costs – endpoint generation and path generation

Task Average Time (sec) St dev (sec)

Endpoint generation 5.47 1.02

Path generation * 0.36 0.15

* Includes network latency to query the Microsoft MultiMap API


Query-response latency of SybilQueryQuery-response latency of SybilQuery

• Scales linearly with k (number of Sybil users)• Sub-second latency for typical values of k


Conclusions and Future WorkConclusions and Future Work

• SybilQuery: Efficient decentralized technique to hide user location from LBSes

• Experimental results demonstrate:– Sybil queries can be generated efficiently– Sybil queries resemble real user queries

• Future Work– Enhance SybilQuery to achieve stronger privacy

guarantees, such as l-diversity, t-closeness and differential privacy


My research on location in mobile computingMy research on location in mobile computing

• Privacy: Users may not want to reveal their private locations for accessing location-based services.SybilQuery – Ubicomp 2009.

• Querying mobile phones for real-time location-based state. SocialTelescope – Internship at IBM, Summer 2010.

• Incentives for sharing in social networks – WINE 2009.• Rapid change of client location affects network connectivity

and performance. Context-Aware Rate Selection (CARS) – a solution for improving network performance by using client location – ICNP 2008.

Thank You!Thank You!

Pravin Shankar

[email protected]


Related WorkRelated Work

• Synthetic Locations for Privacy [Krumm ’09, Kido ‘05]

• Spacial Cloaking [Gruteser and Grunwald ’03, and others]

• Peer-to-peer Schemes [Chow ’06, Ghinita ‘07]• Private Information Retrieval (PIR) [Ghinita ’08]

Detailed list is available in paper


Spatial CloakingSpatial Cloaking

• Spatial Cloaking – k-anonymity solution that uses anonymizers

• Users send their location to anonymizer• Anonymizer computes cloaked region

– Region where atleast k users are present

clientserveranonymizer


Performance Comparison with Spatial CloakingPerformance Comparison with Spatial Cloaking

• Cloaked regions grow as users travelCloaked regions grow as users travel• SybilQuery overhead constantSybilQuery overhead constant

Response Size as users travelResponse Size as users travel


Prior techniques (1/2)Prior techniques (1/2)

• Spatial Cloaking

– Need for Anonymizer - Trusted Third Party– Single point of failure– Scalability and performance bottleneck

clientserveranonymizer


Prior techniques (2/2)Prior techniques (2/2)

• Peer-to-peer schemes– Rely on participating peers

• Private Information Retrieval (PIR)– Computationally inefficient


Tagging locations with traffic statistics (2/2)Tagging locations with traffic statistics (2/2)

• Locations represented as QuadTree– Balances precision with scalability

San Francisco Airport. Black blocks have higher densities


Finding suitable endpoints using reverse geocodingFinding suitable endpoints using reverse geocoding

• Real endpoints do not start in non-driveable terrain

Random point in geographic location

Reverse

Geocoding

Street address closest to the random point


Our goalsOur goals

• Performance

• Autonomy

• Ease of deployment


Basic design of SybilQueryBasic design of SybilQuery


Design enhancementsDesign enhancements

• Endpoint Generator– Endpoint caching

• Path Generator– Randomizing path selection

• Query Generator– Providing path continuity– Adding GPS sensor noise– Handling active adversaries


Endpoint caching (1/2)Endpoint caching (1/2)

• Attack 1: If a real path P frequented by the user (e.g., commuter paths) is associated with multiple sets of Sybil paths:– P can be statistically identifed as the real path

• Attack 2: After arriving at the first destination, when a user travels to a new location shortly :– Since the real paths share an endpoint, they could be

distinguished from the Sybil paths


Endpoint caching (2/2)Endpoint caching (2/2)

• Solution: SybilQuery employs three types of caching1. For most common trips, Sybil endpoints are cached

2. If the user makes multiple trips from one common endpoint (e.g., home/office), the corresponding Sybil endpoints are cached

3. When the user embarks on a multi-destination trip, the start points of the Sybil trips are cached• i.e. the endpoint of a trip is the same as the startpoint of the

following trip


Randomizing path selectionRandomizing path selection

• Real users may not always follow the shortest path to destination– Detours, road closures, user intention

• Path generator computes multiple paths to the destination (each with varying lengths)

• Uses a probability distribution (of the frequency with which users choose paths other than the shortest path) to choose an appropriate path


Handling active adversariesHandling active adversaries

• An actively adversarial LBS may return doctored query responses to differentiate Sybil paths from a client’s real path– For example, it falsely reports traffic congestion at the query

location.

• SybilQuery handles active adversaries using N-variant queries to multiple LBSes– Unless all the LBSes collude, the adversarial LBS can be detected


ImplementationImplementation

• SybilQuery implemented as a Python client• Endpoint generator:

– Uses a PostgreSQL database with PostGIS spacial extensions to process regional traffic information

• Path generator:– Queries the Microsoft Multimap API for waypoints

• Query generator:– Interfaced with Yahoo! Local API to simulate movement under

the constraints of current traffic

Date post:	18-Jan-2016
Category:	Documents
Upload:	marjorie-boyd
View:	215 times
Download:	1 times

Privately Querying Location-based Services with SybilQuery Pravin Shankar, Vinod Ganapathy, and...

Documents