ITIS 60108010 Wireless Network Security

1
ITIS 6010/8010 Wireless Network Security

• Dr. Weichao Wang

2
Quality Aware Privacy Protection for
Location-based Services
3
Outline

• Motivation
• Contributions
• Location K-Anonymity Model
• Cloaking Algorithm
• Improvement with Dummy
• Experiments
• Conclusions

4
Motivation Privacy in LBS
Where is my nearest hotel?
LBS Provider
Where is my way to The Emporium?

• Unique identifier
• Location information

5
Privacy Requirements
Privacy QoS Trade-Off

• Location anonymity
• Sensitive location clinic, nightclub

L contains at least k-1 other users

• Identifier anonymity
• Sensitive message political, financial

l(x,y) is covered by at least k-1 other requests
k-anonymity model
location point l(x,y)
cloaking region L
6
Contribution

• New quality-aware anonymity model
• Protect location privacy
• Satisfy QoS requirements
• Directed-graph based cloaking algorithm
• Maximize cloaking success rate with QoS
  guaranteed.
• Improvement
• Use dummy locations to achieve a 100 cloaking
  success rate

7
System Model
Location-based Service Providers
anonymized request
Anonymizing Expand the exact location point into
cloaking region
Trusted Anonymizing Proxy
original request
Mobile Clients
8
Request formats

• Original Request
• Identifier
• Current location
• Quality of service
• Maximum cloaking latency
• Maximum cloaking region
• Location privacy
• Minimum anonymity level
• Service related content
• Current time

• Anonymized Request
• Pseudonym
• Cloaking region
• Service related content

9
Location K-Anonymity Model

• For any request , if and only if
• its cloaking region covers the locations of at
  least k-1 other requests (location anonymity set)
  
• its location is covered by the cloaking regions
  of at least k-1 other requests (identifier
  anonymity set).

10
Quality Aware Location K-anonymity Model

• Location Privacy
• to expand the user location into a cloaking
  region such that the location k-anonymity model
  is satisfied.
• Temporal QoS
• the request must be anonymized before the
  pre-defined maximum cloaking delay
• Spatial QoS
• the cloaking region size should not exceed a
  threshold

11
Cloaking Algorithm

• Directed graph
• Find the location anonymity set and identifier
  anonymity set to satisfy the location k-anonymity
  model through neighbor ships of request nodes.
• Spatial index
• Use window query to facilitate construction and
  maintenance of neighbor ships in the graph
• Min-heap
• Order the requests according to their cloaking
  deadlines, detect the expiration of requests

12
Directed Graph

• G (V, E) directed graph
• V set of nodes (requests)
• E set of edges
• edge eij(ri, rj) ? E, iff rirj lt ri.
• edge eji(rj, ri) ? E, iff rirj lt rj.
• ri can be anonymized immediately if there are at
  least k-1 other forwarded requests in Uout and
  k-1 other forwarded requests in Uin

Location anonymity set Uout r2, r3, r4
outgoing neighbors
Identifier anonymity set Uin r3, r4 incoming
neighbors
13
Cloaking Algorithm Maintenance
Range Query
C
Location Anonymity Set r.Uout
Identifier Anonymity Set r.Uin
14
Improvement with Dummy

• Guarantee a 100 success rate.
• Only need to maintain the in-degree and
  out-degree of each node r.
• Cloaking region of each dummy request d is a
  random spatial region
• Both in-degree neighbors and out-degree neighbors
  ? high privacy level
• Satisfy the spatial QoS requirement of r
• Indistinguishable from actual requests

15
Experimental Settings

• Brinkhoff Network-based Generator of Moving
  Objects.
• Input
• Road map of Oldenburg County
• Output
• 20K moving objects with the location range
  0-200
• Minimum Update interval20K
• The identifier, the location information (x,y).
• K2-5
• 2-10
• 1000-3000, 10
• CliqueCloak vs. No Dummy vs. Dummy
• The success rate with different requirements
• The relative anonymity level
• Cost of dummy

16
Cloaking Success Rate

• Our method (no dummy) has 5-25 higher success
  rate.
• Larger k ? lower success rate.
• Our method (no dummy) is more robust.

• Relative location anonymity level k / k
• Our method (no dummy) supports larger k values

17
Cloaking Success Rate

• Our method (no dummy) has higher success rate.
• Larger or , more flexibility, higher
  success rate.

18
Dummy Cost Cloaking Efficiency

• Portion
• dummy / (dummy true)
• Larger k, more dummies
• Average 10, acceptable

• Our method (no dummy) has much shorter cloaking
  time.
• Larger k, longer time.

19
Related Works

• Quad-tree based Cloaking Algorithm
• Recursively subdivides the entire into quadrants,
  until the quadrant includes the user and other
  k-1 users
• M. Gruteser and D. Grunwald. Anonymous usage of
  location-based services through spatial and
  temporal cloaking, MobiSys, 2003
• Clique-Cloak Algorithm
• Personalized privacy requirements k, spatial and
  temporal tolerance values
• An undirected graph is constructed to search for
  clique that includes the users message and other
  k-1 messages.
• B. Gedik and L. Liu. Location Privacy in Mobile
  Systems A Personalized Anonymization Model.
  ICDCS, 2005.
• Casper
• Grid-based cloaking algorithm
• Privacy-aware query processor
• M. F. Mokbel, C. Chow and W. G. Aref. The New
  Casper Query Processing for Location Services
  without Compromising Privacy. VLDB. 2006.

20
Conclusions

• Problem quality-aware privacy protection in LBS
• Classify location anonymity and identifier
  anonymity.
• Solution
• New Quality-Aware K-Anonymity Model
• Efficient directed-graph based cloaking algorithm
• An option of using dummy requests
• Experimental evaluation
• Various privacy and QoS requirements
• Efficient