
Private Queries in Location-Based Services: Anonymizers are Not Necessary (slide deck, extracted from PDF)



Slide 1: Private Queries in Location-Based Services: Anonymizers are Not Necessary
Gabriel Ghinita (1), Panos Kalnis (1), Ali Khoshgozaran (2), Cyrus Shahabi (2), Kian Lee Tan (1)
(1) National University of Singapore; (2) University of Southern California

Slide 2: Location-Based Services (LBS)
- LBS users: "Find closest hospital to my present location"
- Mobile devices with GPS capabilities
- Queries: NN queries
- Location server is NOT trusted

Slide 3: Problem Statement
- Queries may disclose sensitive information
- Query through anonymous web surfing service
- But user location may disclose identity:
  - Triangulation of device signal
  - Publicly available databases
  - Physical surveillance
- How to preserve query source anonymity? Even when exact user locations are known

Slide 4: PIR Overview
- Computationally hard to find i from q(i)
- Bob can easily find X_i from r (trap-door)

Slide 5: Spatial K-Anonymity
- Query issuer "hides" among other K-1 users
- Probability of identifying query source ≤ 1/K
- Idea: anonymizing spatial regions (ASR)

Slide 6: Existing LBS Privacy Solutions

Slide 7: Casper [Mok06]
- Quad-tree based
- Fails to preserve anonymity for outliers
- Unnecessarily large ASR size
- Example (figure with users u1..u6): let K = 3. If any of u1, u2, u3 queries, the ASR is A1. If u4 queries, the ASR is A2, and u4's identity is disclosed: NOT SECURE!
[Mok06] Mokbel et al., "The New Casper: Query Processing for Location Services without Compromising Privacy", VLDB 2006.

Slide 8: Reciprocity
[Figure: users u1..u6 and their ASRs]
[KGMP07] Kalnis P., Ghinita G., Mouratidis K., Papadias D., "Preventing Location-Based Identity Inference in Anonymous Spatial Queries", IEEE TKDE 2007.

Slide 9: Hilbert Cloak (HC)
- Based on the Hilbert space-filling curve
  - index users by the Hilbert value of their location
  - partition the Hilbert sequence into "K-buckets"
[Figure: Hilbert curve from Start to End, visiting u1, u3, u2 in that order]

Slide 10: Continuous Queries [CM07]
- Problems:
  - ASRs grow large
  - Query dropped if some user in U disconnects
[CM07] C.-Y. Chow and M. Mokbel, "Enabling Private Continuous Queries For Revealed User Locations", Proc. of SSTD 2007.

Slide 11: Space Encryption [KS07]
- Hilbert mapping (figure): POI P1..P4 mapped to the 1-D values 12, 14, 19, 24; the query Q maps to 15 and NN(15) = P2
- answers are approximate
- makes use of tamper-resistant devices
- may be vulnerable if some POI are known
[KS07] A. Khoshgozaran, C. Shahabi, "Blind Evaluation of Nearest Neighbor Queries Using Space Transformation to Preserve Location Privacy", Proc. of SSTD 2007.

Slide 12: Motivation
- Limitations of existing solutions
- Drawbacks:
  - Assumption of trusted entities: anonymizer and trusted, non-colluding users
  - Considerable overhead for sporadic benefits: maintenance of user locations
  - No privacy guarantees, especially for continuous queries

Slide 13: Our Approach

Slide 14: LBS Privacy with PIR
- PIR: two-party cryptographic protocol
- No trusted anonymizer required
- No trusted users required
- No pooling of a large user population required
- No need for location updates
- Location data completely obscured

Slide 15: PIR Theoretical Foundations
- Let N = q1 * q2, with q1 and q2 large primes
- Quadratic Residuosity Assumption (QRA): the QR/QNR decision is computationally hard
- Essential properties: QR * QR = QR; QR * QNR = QNR

Slide 16: PIR Protocol for Binary Data
- Data: a 4x4 bit matrix X_1..X_16 laid out column by column (column j, row i holds X_{4(j-1)+i}); the client sends y_1..y_4 and the server returns z_1..z_4
- Example: get X_10, i.e. a = 2, b = 3; y_b is a QNR, the other y_j are QR
- The server computes, for each row i: $z_i = \prod_{j=1}^{4} y_j^{X_{4(j-1)+i}}$
- z_2 = QNR => X_10 = 1; z_2 = QR => X_10 = 0

Slide 17: Approximate Nearest Neighbor
[Figure: POI p1..p9 in a grid with columns A..D and rows 1..4, user u; leaf A3 holds p1, p2, p3; leaf A4 holds p1, --, --]
- Data organized as a square matrix
- Each column corresponds to an index leaf
- An entire leaf is retrieved: the one closest to the user

Slide 18: Exact Nearest Neighbor
[Figure: partition with rows Z1..Z4 and columns Y1..Y4 over POI p1..p9; only z_2 is needed; QNR marks the queried column]
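The binary-data PIR protocol of slides 15 and 16, as an added worked example (not code from the authors or the paper): the client, who holds the factorization of N, sends one QNR and otherwise QRs, and the server's row products z_i leak the requested bit only to the holder of the trap-door. Primes, matrix contents and function names are constructed here; the modulus is toy-sized so the script runs instantly.

```python
import random

# Toy modulus for illustration only (the slides report moduli of up to 1280 bits).
Q1, Q2 = 1009, 1013          # q1, q2: the client's secret primes
N = Q1 * Q2                  # public modulus N = q1 * q2

def legendre(a, p):
    """Euler's criterion: 1 if a is a QR mod odd prime p, p - 1 (i.e. -1) if a QNR."""
    return pow(a, (p - 1) // 2, p)

def is_qr(z):
    """Trap-door: whoever knows q1 and q2 decides residuosity mod N easily."""
    return legendre(z, Q1) == 1 and legendre(z, Q2) == 1

def client_query(b, m):
    """y_1..y_m, all with Jacobi symbol +1: squares (QR) except y_b, a QNR.
    Under QRA the server cannot tell which column b was singled out."""
    y = []
    for j in range(1, m + 1):
        while True:
            r = random.randrange(2, N)
            if r % Q1 == 0 or r % Q2 == 0:
                continue                     # skip the negligible unlucky multiples
            if j != b:
                y.append(r * r % N)          # a square is always a QR
                break
            if legendre(r, Q1) == Q1 - 1 and legendre(r, Q2) == Q2 - 1:
                y.append(r)                  # QNR mod both primes: Jacobi +1, still a QNR
                break
    return y

def server_answer(X, y):
    """z_i = prod_j y_j^{X_ij} mod N per row i (slide 16); QR*QR = QR and QR*QNR = QNR, so z_i is a QNR iff X_ib = 1."""
    z = []
    for row in X:
        acc = 1
        for bit, y_j in zip(row, y):
            acc = acc * pow(y_j, bit, N) % N   # y_j when the bit is 1, else 1 (a QR)
        z.append(acc)
    return z

def pir_get_bit(X, a, b):
    """Client retrieves X[a][b] (1-based row a, column b) with a single query."""
    z = server_answer(X, client_query(b, len(X[0])))   # only z_a is used
    return 0 if is_qr(z[a - 1]) else 1

# Constructed 4x4 bit matrix laid out as on the slide: X_{4(j-1)+i} is at row i,
# column j, so X_10 is row a = 2, column b = 3 (here: 1).
X_BITS = [[0, 1, 0, 1], [1, 0, 1, 0], [0, 0, 1, 1], [1, 1, 0, 0]]
```

Note that the server returns all of z_1..z_4, so the row index a is never sent; only the column b is hidden, and that is what the QRA protects.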

Slide 19: Avoiding Redundant Computations
- Data mining
- Identify frequent partial products

Slide 20: Parallelize Computation
- Values of z can be computed in parallel
- Master-slave paradigm
  - Offline phase: master scatters the PIR matrix
  - Online phase: master broadcasts y; each worker computes the z values for its strip; master collects the z results

Slide 21: Experimental Settings
- Sequoia dataset + synthetic sets
- 10,000 to 100,000 POI
- Modulus up to 1280 bits

Slide 22: Computation/Communication Overhead (Approximate) [chart]

Slide 23: Computation/Communication Overhead (Exact) [chart]

Slide 24: Parallel Execution [chart]

Slide 25: Data Mining Optimization [chart]

Slide 26: Disclosed POI [chart]

Slide 27: Conclusions
- PIR-based LBS privacy
  - No need to trust a third party
  - Secure against any location-based attack
- Future work
  - Further reduce PIR overhead
  - Support more complex queries
  - Include more POI information in the reply
[Figure: Privacy versus Efficiency]

Slide 28: Discussion
- Given the parallelization, compression, multiplication reduction and rectangular shape M, how much communication/computation is saved?
- How do you compare the previous two approaches?
- What do *you* think is the major challenge in achieving privacy-aware LBS?

Slide 29: Reciprocity
- Consider querying user u_q and ASR A_q
- Let AS_q = {set of users enclosed by A_q}
- A_q has the reciprocity property iff:
  i. |AS| ≥ K
  ii. ∀ u_i, u_j ∈ AS: u_i ∈ AS_j ∧ u_j ∈ AS_i
[Figure: users u1..u6 and their ASRs]
[KGMP07] Kalnis P., Ghinita G., Mouratidis K., Papadias D., "Preventing Location-Based Identity Inference in Anonymous Spatial Queries", IEEE TKDE 2007.

Slide 30: Continuous Queries [CM07]
- Extends reciprocity to moving clients
- Let A_0 be the ASR at time t_0, and let U be the users in A_0
- At time t_i, the ASR is the MBR of U (at their new locations)
- Problems:
  - ASR grows large
  - Query dropped if some user in U disconnects
[CM07] C.-Y. Chow and M. Mokbel, "Enabling Private Continuous Queries For Revealed User Locations", Proc. of SSTD 2007.
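An added checker for the reciprocity property of slide 29, applied to the Casper failure of slides 7 and 8; this is illustrative code, not the authors' or any cloaking system's implementation. User positions, the two ASR assignments (a quad-tree style one and a K-bucket one) and all names are constructed for the example.

```python
K = 3
# Constructed user locations (x, y); u4 sits alone in its quadrant, as on the Casper slide.
USERS = {"u1": (1, 1), "u2": (2, 3), "u3": (3, 2),
         "u4": (6, 6), "u5": (5, 1), "u6": (7, 2)}

def enclosed(asr, users):
    """AS for a rectangle (x1, y1, x2, y2): the set of users located inside it."""
    x1, y1, x2, y2 = asr
    return {u for u, (x, y) in users.items() if x1 <= x <= x2 and y1 <= y <= y2}

def reciprocity_violations(asr_of, users, k):
    """For every querying user u_q, check that A_q = asr_of[u_q] is reciprocal:
    (i) |AS_q| >= k and (ii) any u_i, u_j in AS_q satisfy u_i in AS_j and u_j in AS_i.
    Returns [(u_q, reason), ...]; an empty list means an attacker who knows all
    locations and the cloaking rule cannot narrow the issuer below K candidates."""
    AS = {u: enclosed(asr_of[u], users) for u in users}
    bad = []
    for q, members in AS.items():
        if len(members) < k:
            bad.append((q, "|AS_q| < K"))
        elif any(i not in AS[j] for i in members for j in members):
            bad.append((q, "members of AS_q are not mutually enclosed"))
    return bad

# Quad-tree cloaking as on slide 7: u1..u3 share quadrant A1 = [0,4]x[0,4]; the quadrants
# of u4 and of u5/u6 hold fewer than K users, so they expand to the root A2 = [0,8]x[0,8].
CASPER_ASR = {"u1": (0, 0, 4, 4), "u2": (0, 0, 4, 4), "u3": (0, 0, 4, 4),
              "u4": (0, 0, 8, 8), "u5": (0, 0, 8, 8), "u6": (0, 0, 8, 8)}

def mbr(ids, users):
    """Minimum bounding rectangle of the given users' locations."""
    xs = [users[u][0] for u in ids]
    ys = [users[u][1] for u in ids]
    return (min(xs), min(ys), max(xs), max(ys))

# Bucket-style cloaking (K-buckets of users, ASR = MBR of the issuer's bucket).
BUCKETS = [("u1", "u2", "u3"), ("u4", "u5", "u6")]
BUCKET_ASR = {u: mbr(bucket, USERS) for bucket in BUCKETS for u in bucket}
```

For the Casper-style assignment the checker flags u4 (and u5, u6, which expand to A2 for the same reason) because A1 does not enclose them while A2 encloses u1..u3, whereas the bucket assignment passes both conditions.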

Slide 31: Space Encryption [KS07]
- Does not employ SKA
  - each POI is mapped to a 1-D value (Hilbert)
  - the fractal parameters are kept secret
- answers are approximate
- makes use of tamper-resistant devices
- may be vulnerable if some POI are known
[KS07] A. Khoshgozaran, C. Shahabi, "Blind Evaluation of Nearest Neighbor Queries Using Space Transformation to Preserve Location Privacy", Proc. of SSTD 2007.

Slide 32: Rectangular PIR Matrix [chart]

Slide 33: Server Computation Overhead [chart]

Slide 34: Approximation Error [chart]

Slide 35: Bibliography
[KGMP07] Kalnis P., Ghinita G., Mouratidis K., Papadias D., "Preventing Location-Based Identity Inference in Anonymous Spatial Queries", IEEE Transactions on Knowledge and Data Engineering (IEEE TKDE), 19(12), 1719-1733, 2007.
[GZPK07] Ghinita G., Zhao K., Papadias D., Kalnis P., "Reciprocal Framework for Spatial K-Anonymity", Technical Report.
[GKS07a] Ghinita G., Kalnis P., Skiadopoulos S., "PRIVE: Anonymous Location-based Queries in Distributed Mobile Systems", Proc. of the World Wide Web Conf. (WWW), Banff, Canada, 371-380, 2007.
[GKS07b] Ghinita G., Kalnis P., Skiadopoulos S., "MOBIHIDE: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries", Proc. of the Int. Symposium on Spatial and Temporal Databases (SSTD), Boston, MA, 221-238, 2007.
http://anonym.comp.nus.edu.sg
