Date posted: 21-Dec-2015
PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems
Gabriel Ghinita (1), Panos Kalnis (1), Spiros Skiadopoulos (2)
(1) National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
(2) University of Peloponnese, [email protected]
Location-Based Services (LBS)
• LBS users: mobile devices with GPS capabilities
• Spatial database queries: NN and range queries, e.g. “Find closest hospital to my present location”
• Location server is NOT trusted
Problem Statement
• Queries may disclose sensitive information
• Query through anonymous web surfing service, but user location may disclose identity:
  triangulation of device signal, publicly available databases, physical surveillance
• How to preserve query source anonymity, even when exact user locations are known?
Solution Overview
• Anonymizing Spatial Region (ASR): identification probability ≤ 1/K
• Minimize overhead: reduce ASR extent, fast ASR assembly time
• Support user mobility
Central Anonymizer Architecture
• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure

PRIVÉ Architecture
(figure: PRIVÉ architecture overview)
K-Anonymity*

(a) Microdata                  (b) Voting Registration List (public)
Age  ZipCode  Disease          Name  Age  ZipCode
42   25000    Ulcer            Andy  42   25000
46   35000    Pneumonia        Bill  46   35000
50   20000    Flu              Ken   50   20000
54   40000    Gastritis        Nash  54   40000
48   50000    Dyspepsia        Mike  48   50000
56   55000    Bronchitis       Sam   56   55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
K-Anonymity*

(a) 2-anonymous microdata            (b) Voting Registration List (public)
Age    ZipCode      Disease          Name  Age  ZipCode
42-46  25000-35000  Ulcer            Andy  42   25000
42-46  25000-35000  Pneumonia        Bill  46   35000
50-54  20000-40000  Flu              Ken   50   20000
50-54  20000-40000  Gastritis        Nash  54   40000
48-56  50000-55000  Dyspepsia        Mike  48   50000
48-56  50000-55000  Bronchitis       Sam   56   55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
Relational and Spatial Anonymity
(figure: the same records plotted as points in the Age vs ZipCode plane; x-axis Age 42 to 56, y-axis ZipCode 20k to 55k)
Existing Cloaking Solutions
• Redundant queries: send K-1 redundant queries. Gives away exact location of users; potentially high overhead.
• CloakP2P [Chow06]: find the K-1 NN of the query source. The source is likely to be closest to the ASR center, so the scheme is vulnerable to the “center-of-ASR” attack.
[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
(figure: querying user uq and its 5-ASR; NOT SECURE !!!)
QuadASR [Gru03, Mok06]
• Quad-tree based
• Fails to preserve anonymity for outliers
• Unnecessarily large ASR size
Example (figure: users u1, u2, u3, u4 and quadrants A1, A2):
• Let K=3
• If u4 queries, ASR is A2
• If any of u1, u2, u3 queries, ASR is A1
• u4’s identity is disclosed
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006
NOT SECURE !!!
Secure Location Anonymization

Reciprocity
• Consider querying user uq and ASR Aq
• Let ASq = {set of users enclosed by Aq}
• Aq has the reciprocity property iff
  i.  |ASq| ≥ K
  ii. ∀ ui, uj ∈ ASq: ui ∈ ASj and uj ∈ ASi
hilbASR
• Based on Hilbert space-filling curve
• Index users by Hilbert value of location
• Partition Hilbert sequence into “K-buckets” (figure: Hilbert sequence from Start to End)

Advantages of hilbASR
• Guarantees source privacy: K-ASRs have the “reciprocity” property
• Reduced ASR size: Hilbert ordering preserves locality well; K-ASR includes exactly K users (in most cases)
• Efficient ASR assembly and user relocation: balanced, annotated index tree; user relocation and ASR assembly in O(log #users)

hilbASR with Annotated Index
(figure: K=6 example)
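As an added example (not code from the paper or the PRIVÉ project), the hilbASR construction described above on a small 2^k × 2^k grid: users are indexed by Hilbert value, the sequence is cut into K-buckets, and the querying user's ASR is the MBR of its bucket; the block also checks the reciprocity property and applies the center-of-ASR heuristic that the evaluation slides use as the anonymity-strength metric. The Hilbert routine is the standard iterative (x, y) → d mapping, and the user positions are constructed sample data.

```python
def hilbert_index(n, x, y):
    """Position of cell (x, y) along the Hilbert curve that fills an n x n grid (n a power of 2)."""
    d, s = 0, n // 2
    while s > 0:
        rx, ry = 1 if x & s else 0, 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                      # reflect and rotate so the sub-curve stays continuous
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

def hilbert_order(users, n):
    """User ids sorted by the Hilbert value of their location: the hilbASR index sequence."""
    return sorted(users, key=lambda u: hilbert_index(n, *users[u]))

def k_bucket(num_users, rank, k):
    """(start, end) of the K-bucket holding sequence position `rank`.  Buckets hold K
    consecutive users; the last one absorbs the remainder, so sizes lie in [K, 2K)."""
    buckets = max(1, num_users // k)
    b = min(rank // k, buckets - 1)
    return b * k, (b + 1) * k if b < buckets - 1 else num_users

def hilb_asr(users, uq, k, n=4):
    """Anonymizing set (the K-bucket of uq) and its MBR, for anonymity degree K."""
    order = hilbert_order(users, n)
    start, end = k_bucket(len(order), order.index(uq), k)
    members = frozenset(order[start:end])
    xs, ys = [users[u][0] for u in members], [users[u][1] for u in members]
    return members, (min(xs), min(ys), max(xs), max(ys))

def is_reciprocal(users, uq, k, n=4):
    """Reciprocity: |AS| >= K and every member of AS generates the same AS."""
    members, _ = hilb_asr(users, uq, k, n)
    return len(members) >= k and all(hilb_asr(users, u, k, n)[0] == members for u in members)

def center_of_asr_guess(users, members, mbr):
    """The center-of-ASR heuristic used as the anonymity-strength metric: the member
    nearest the MBR centre (ties broken by id).  With reciprocity it is no better than chance."""
    cx, cy = (mbr[0] + mbr[2]) / 2, (mbr[1] + mbr[3]) / 2
    return min(sorted(members), key=lambda u: (users[u][0] - cx) ** 2 + (users[u][1] - cy) ** 2)

# Constructed sample (not the paper's data): 7 users on a 4x4 grid, Hilbert values 0,1,3,5,9,11,15.
USERS = {"u1": (0, 0), "u2": (1, 0), "u3": (0, 1), "u4": (0, 3),
         "u5": (2, 3), "u6": (3, 2), "u7": (3, 0)}
```

With K=3 the seven users form two buckets, u1..u3 and u4..u7; the second bucket absorbs the remainder, which is the "exactly K users (in most cases)" caveat above.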
PRIVÉ

PRIVÉ Characteristics
• P2P overlay network
• Resembles annotated B+-tree: hierarchical clustering architecture
• Bounded cluster size [,3)

Relocation
(figure: S relocates to 60)

Load Balancing
• Hierarchical architecture: inherent imbalance in peer load
• Cluster head rotation mechanism: rotation triggered by load; communication cost predominant

Fault Tolerance
• Soft-state mechanism: cluster membership periodically updated; recovery facilitated by state replication
• Leader election protocol in case of cluster head failure
Experimental Evaluation

Experimental Setup
• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
• Up to 10000 users; velocities from 18 to 68 km/h
• Uniform and skewed query distributions
• Anonymity degree K in the range [10, 160]
* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

Results (plots only): Anonymity Strength (center-of-ASR); ASR Size; Query Efficiency; Relocation Efficiency; Load Balancing (x-axis: Node Fraction, 0% to 100%)
Conclusions
• LBS privacy is an important concern
• Existing solutions have no privacy guarantees
• Centralized approach has limitations: poor scalability, legal issues
• Contribution: anonymization with privacy guarantees (hilbASR); extension to decentralized systems; improved scalability and availability; no single point of attack/failure

Bibliography on LBS Privacy: http://anonym.comp.nus.edu.sg

Bibliography
[Chow06] – Mokbel et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Ged05] – Gedik et al, Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

MobiHide
• Randomized ASR assembly technique: also uses Hilbert ordering; ASR chosen as a random K-user sequence
• Advantages: no global knowledge required; flat index structure (Chord DHT)
• Disadvantages: no privacy guarantees for skewed query distributions, but still strong anonymity in practice