250 likes | 528 Vues
Ying Cai Department of Computer Science Iowa State University Ames, IA 50011. Cloaking and Modeling Techniques for location Privacy protection. Location-based Services. Risks Associated with LBS. Exposure of service uses Location privacy . Stalking…. Nightclub. Hospital.
E N D
Ying Cai Department of Computer Science Iowa State University Ames, IA 50011 Cloaking and Modeling Techniques for location Privacy protection
Risks Associated with LBS • Exposure of service uses • Location privacy Stalking…. Nightclub Hospital Political Party
Challenge • Restricted space identification • Simply using a pseudonym is not sufficient because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification ……… identified
Location Depersonalization • Basic idea: reducing location resolution • Report a cloaking region, instead of actual location
Location Depersonalization • Basic idea: reducing location resolution • Report a cloaking region, instead of actual location • Key Issue • Each cloaking area must provide a • desired level of depersonalization, and • be as small as possible
Existing Solution • Ensuring each cloaking area contains a certain number of users [MobiSys’03, ICDCS’05, VLDB’07]
Problems (1) • The anonymity server needs frequent location update from all users • Practicality • Scalability • Difficult to support continuous LBS • Simply ensuring each cloaking region contains K users does not support K-anonymity protection
Problems (2) • Guarantee only anonymous uses of services, but notlocation privacy • An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested Where you are and whom you are with are closely related with what you are doing …
The root of the problems • These techniques cloak a user’s position based on his current neighbors
Observation • Public areas are naturally depersonalized • A large number of visits by different people • More footprints, more popular Highway Park
Proposed solution [Infocom’08] • Using footprintsfor location cloaking • A footprint is a historical location sample • Each cloaking region contains at least K different footprints Location privacy protection An adversary may be able to identify all these users, but will not know who was there at what time
Footprint database • Source of footprints • From wireless service carriers, which provide the communication infrastructure • From the users of LBSs, who need to report location for cloaking
Footprint database • Source of footprints • From wireless service carriers, which provide the communication infrastructure • From the users of LBSs, who need to report location for cloaking • Trajectory indexing for efficient retrieval • Partition network domain into cells • Maintain a cell table for each cell
Cloaking Techniques • Sporadic LBS • Each a cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users • Continuous LBS • Each trajectory disclosed must be a K-anonymity trajectory (KAT)
Privacy Requirement Modeling • K-anonymity model • To request a desired level of protection, a user needs to specify a value of K • Problem: choosing an appropriate K is difficult • Privacy is about feeling, and it is difficult to scale one’s feeling using a number • A user can always choose a large K, but this will reduce location resolution unnecessarily
Proposed Solution [CCS09] • A feeling-based approach • A user specifies a public region • A spatial region which she feels comfortable that it is reported as her location should she request a service inside it • The public region becomes her privacy requirement • All location reported on her behalf will be at least as popular as the public region she identifies
Challenge • How to measure the popularity of a spatial region? • More visitors higher popularity • More even distribution higher popularity • Given a spatial region R, we define • Entropy E(R) = • Popularity P(R) = 2E(R)
Cloaking Techniques • Sporadic LBS • Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R) • Continuous LBS • A sequence of location updates which form a trajectory • The strategy for sporadic LBSs may not work • Adversary may identify the common set of visitors
Cloaking Techniques • Sporadic LBS • Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R) • Continuous LBS • The time-series sequence of location samples must form a P-Populous Trajectory (PPT) • A trajectory is a PPT if its popularity is no less than P • The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users
Finding a cloaking set • A simple solution is to find the set of users who have footprints closest to the service-user • Resolution becomes worse • There may exist another cloaking set which leads to a finer average resolution
Proposed solution • Using populous users for cloaking • Popular users have more footprints spanning in a larger regions • Pyramid footprint indexing • A user is l-popular if she has footprints in all cells at level l Sort users by the level l, and choose the most popular ones as the cloaking set
Simulation • We implement two other strategies for comparison • Naive cloaks each location independently • Plain selects cloaking set by finding footprints closest to service user’s start position • Performance metrics • Cloaking area • Protection level
Experiment • A Location Privacy Aware Gateway (LPAG) • ePost-It: a spatial messaging system [MobiSys’08]
Concluding Remarks • Exploring historical location samples for location cloaking • Up to date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who’s where at what time • A feeling-based approach for users to express their location privacy requirement • K-anonymity model was the only choice • A suite of location cloaking algorithms • Satisfy a required level of protection while resulting in good location resolution • A location privacy-aware gateway prototype has been implemented