11 24 2009
play

11/24/2009 Privacy in Location Based Services Where's the Blind - PDF document

11/24/2009 Privacy in Location Based Services Where's the Blind Evaluation of Nearest Blind Evaluation of Nearest nearest ? Neighbor Queries Using Space Neighbor Queries Using Space Transformation to Preserve Location Privacy


  1. 11/24/2009 Privacy in Location Based Services Where's the Blind Evaluation of Nearest Blind Evaluation of Nearest nearest ? Neighbor Queries Using Space Neighbor Queries Using Space Transformation to Preserve Location Privacy Transformation to Preserve Location Privacy POI Location Ali Khoshgozaran and Cyrus Shahabi Server (LS) University of Southern California Which Los Angeles, CA 90089-0781 is nearby? [jafkhosh, shahabi]@usc.edu http://infolab.usc.edu Introduction Introduction Motivation Motivation Our Work Our Work Problem Definition Problem Definition /42 2 Related Work Related Work Proposed Work Proposed Work Isn’t Confidentiality Enough? Problem Definition Office Sensitive information obtained by Sensitive information obtained by Objects S = {o 1 , o 2 , …, o n } Residence Q anonymous location data anonymous location data kNN Query R kNN with respect to query point Q: Identity • Baraba Baraba´ ´si et al., Nature’08 si et al., Nature’08 Prevalent Spatial Queries in Location-based Services S ' ⊆ S of k objects where for any object o ' ∈ S ' and o ∈ S - S ' D(o',Q) ≤ D(o,Q) Human Mobility Spatial Probability Distribution Human Mobility Spatial Probability Distribution Range (Window) Query Range with respect to query window R: S ' ⊆ S of objects where for any object o ' ∈ S ' o ' is within R • Anonymous queries leak information Anonymous queries leak information W hat is required to m ake these queries “ Privacy Aw are ” ? Blind Evaluation Criteria Location Queries Affiliations (political, religious, etc.) Location Queries Affiliations (political, religious, etc.) When querying LS, the location of the querying user should Abortion not be revealed to untrusted entities through R, Q, or the Church Clinic query result set. /42 3 /42 4 Trust and Threat Model Privacy/Efficiency Dilemma •Privacy Privacy: Hiding knowledge of object & query : Hiding knowledge of object & query • Users subscribe to LS’s services Users subscribe to LS’s services locations from LS locations from LS – LS owns a publicly available POI database DB LS owns a publicly available POI database DB • LS is LS is honest honest but but curious curious •Efficiency Efficiency: LS requiring this knowledge for : LS requiring this knowledge for – Database software is trusted Database software is trusted efficient query processing efficient query processing – LS might passively exploit sensitive information LS might passively exploit sensitive information g g p p y y p p Privacy Privacy Efficiency Efficiency • Any entity in the system can be adversarial Any entity in the system can be adversarial Our Contribution Our Contribution – The LS and other clients The LS and other clients Server knowing all Server knowing all Information Information- -theoretic secrecy theoretic secrecy – Slightly different for querying other users Slightly different for querying other users • Privacy against an adversary Privacy against an adversary information about information about with unbounded computational with unbounded computational queries and object queries and object • Secure client/server communication channel Secure client/server communication channel locations locations resources and infinite time resources and infinite time – Any privacy violation should have included LS Any privacy violation should have included LS • Lower communication & Lower communication & • No user location No user location computation bound: linear w.r.t. computation bound: linear w.r.t. privacy possible privacy possible – We focus on LS as the most powerful adversary We focus on LS as the most powerful adversary database size database size /42 5 /42 6 1

  2. 11/24/2009 Related Work Space Encoding Cryptographic Techniques Privacy Privacy Data Owner Offline Process – S. Zhong et al., TR’04 S. Zhong et al., TR’04 Transformed Original Space Encoded Locations Points of Interest – Indyk et al. TCC’06 Indyk et al. TCC’06 Anonymizer Space Space Encoder/Decoder – G. Zhong et al., PET’07 G. Zhong et al., PET’07 Transformation Key No spatial query processing (MPC schemes) No spatial query processing (MPC schemes) Client Query Tim e O(n) computation and/or communication O(n) computation and/or communication Encoded Query User Query Original Query Transformed Our Goal: Avoiding a linear scan of the entire DB g Space Space Encoder/Decoder Encoder/Decoder Actual Query Results Q y Encoded Query Results y Space Space DB DB LS LS K- -anonymity/Cloaking Approaches anonymity/Cloaking Approaches –Kido et al. ICPS' Kido et al. ICPS'05 05 –Gruteser et al. MobiSys’ Gruteser et al. MobiSys’03 03 Transformation Properties: –Gedik et al. ICDCS’ Gedik et al. ICDCS’05 05 –Chow et al. GIS' Chow et al. GIS'06 06 Efficiency Efficiency � Efficiency (locality preserving) –Mokbel et al. VLDB’ Mokbel et al. VLDB’06 06 –Ghinita et al. WWW' Ghinita et al. WWW'07 07& SSTD' & SSTD'07 07 Assuming all users are trustworthy Assuming all users are trustworthy Trusting an Anonymizer Trusting an Anonymizer � Privacy (irreversible) Dependence on other user locations Dependence on other user locations Single point of failure/attack Single point of failure/attack No query processing No query processing Sensitive to number of subscribed users Sensitive to number of subscribed users Our Goal: Complete cloaking and anonymity /42 7 /42 8 Background: Space Filling Curves Hilbert Curves: Proximity Preserving • Passing through (indexing) all Passing through (indexing) all 15 15 12 11 10 12 11 10 points without crossing itself points without crossing itself • Proximity in Hilbert space Proximity in Hilbert space d d 9 9 9 9 14 13 8 14 13 8 1 • Example: <a,b,c,d,e> Example: <a,b,c,d,e> � <0,4,7,9,13> <0,4,7,9,13> • Example: <a,b,c,d,e> Example: <a,b,c,d,e> � <0 0, ,4 4, ,7 7, ,9 9, ,13 13> > 13 13 e 13 13 e 1 Q 7 c 7 c 1 2 7 6 1 2 7 6 H-values H-values • P roximity & distance preserving P roximity & distance preserving i i it & di t it & di t i i a 0 a 0 b b • 2NN(Q)=e because D(Q,e)< D(Q,b) 2NN(Q) NN(Q)=e because D(Q,e)< D(Q,b) NN(Q) b b D(Q D(Q )< D(Q b) )< D(Q b) 0 0 a a b b 4 4 4 4 5 5 0 3 4 0 3 4 N=2 � H:0-15 N=2 � H:0-15 Approximate distance preservation Hilbert Curves Complexity: Constant computation and communication N= 1 N= 2 N= 3 N= 4 •Each node visited contains at least one object ] d � [0 :[0 :[ 0, ,2 2 N N -1 1] 0, ,2 2 Nd Nd -1 1] ] ] 2 � [0 d= d=2 2: :[ : :[0 0, ,2 2 N N -1 1] 0, ,2 2 2N N -1 1] ] /42 9 10 /42 2-Phase kNN Query Processing Hilbert Curves: One-wayness • Offline Space Encoding Offline Space Encoding • Five parameters decide how points are traversed (indexed) Five parameters decide how points are traversed (indexed) 15 12 11 10 • Possible when curve parameters are unknown Possible when curve parameters are unknown – Encoding points of original space Encoding points of original space d 9 – Space Decoding Key Space Decoding Key 14 13 8 9 • Trent chooses SDK Trent chooses SDK SDK={ } SDK={ } Χ 0 ,Y ,Y 0 , , Θ , , Γ , N , N 13 13 e • Trent constructs a lookup table DB Trent constructs a lookup table DB 7 c 6 1 2 7 Q 2 • DB={ DB={ < < a, a,0 0 > > , < < b, b,4 4 > > , < < c, c,7 7 > , < d, d,9 9 > , < e, e,13 13 > } Starting Point| Orientation| Scaling| Order Starting Point| Orientation| Scaling| Order 4 b 4 b • Trent encrypts objects identifiers T Trent encrypts objects identifiers T t t t t bj bj t id t id tifi tifi a a 0 0 5 0 3 4 – Trent uploads DB to LS Trent uploads DB to LS Trent=Data Owner • Online Query Processing Online Query Processing LS= Location Server Alice=User – Alice encodes her query point Q: Alice encodes her query point Q: • Linear increase in N results in exponential increase in H Linear increase in N results in exponential increase in H- -values values N increase in possible H – 3 3* *2 2 2N increase in possible H- -values values – Knowing Knowing H and k, LS computes the result set and k, LS computes the result set • Exponential complexity for LS to reverse the transformation Exponential complexity for LS to reverse the transformation – H=2,k=3 � RS*={0,4,7}={ ( X a , Y a ), ( X b , Y b ), ( X c , Y c )} without the knowledge of SDK without the knowledge of SDK – Knowing SDK, Alice gets Knowing SDK, Alice gets RS RS ={ ={ ( X a , Y a ),( X b , Y b ),( X c , Y c ) } 11 /42 12 /42 2

Recommend


More recommend