ObliviAd: Provably Secure and Practical Online Behavioral Advertising [IEEE S&P '12]
Michael Backes (1,2), Aniket Kate (1), Matteo Maffei (2), Kim Pecina (2)
1 MPI-SWS, Germany; 2 Saarland University, Germany
Tracking in the Advertising World Today
Outline
- Privacy-Preserving Online Behavioral Advertising
  - Online Behavioral Advertising (OBA)
  - Privacy-Preserving OBA Goals
- Private Information Retrieval (PIR) using Trusted Hardware
- Our Solutions: ObliviAd
- Performance and Formal Analysis
OBA 101
0. Registration
1. Page Rendering
2. Ad Request
3. Ads Auction
4. Ad Rendering
5. Billing
Privacy-Preserving OBA
Privacy Goals
- Profile Privacy. The broker cannot associate any unit of learned information (e.g., clicked ads) with any user
- Profile Unlinkability. The broker cannot associate separate units of learned information with a single profile
Systems Goals
- Client-side Fraud Detection. The likelihood of detecting clients' malicious behavior should not decrease
- Click Success Measures. Computing success measures such as click-through rate should remain possible
- Performance. Privacy-preserving mechanisms should not hamper the system's performance and efficacy
OBA with User-side Profiles does not provide the required privacy
Private Information Retrieval (PIR) [Chor et al., FOCS'95]
- The existing computational PIR solutions are not much better than downloading the complete database
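To make the PIR notion concrete, the following is an added example (not code from the ObliviAd project) of the simplest two-server information-theoretic scheme from Chor et al.: the client sends each of two non-colluding replicas a uniformly random selection vector, the two vectors differing only at the wanted index, and XORs the two answers. Each server sees a random vector on its own and so learns nothing about the index, but the query is as long as the database, which is the communication cost the slide is alluding to. The sample "ad" records are constructed for the example.

```python
import secrets


def make_query(n, index):
    """Client side: two selection vectors whose symmetric difference is {index}.

    Each vector in isolation is uniformly random over {0,1}^n, so a single
    server cannot tell which record the client is after.
    """
    s1 = [secrets.randbelow(2) for _ in range(n)]
    s2 = s1.copy()
    s2[index] ^= 1  # flip exactly one bit so the two vectors differ at `index`
    return s1, s2


def answer(db, selector):
    """Server side: XOR together every record whose selector bit is set."""
    acc = bytearray(len(db[0]))
    for rec, bit in zip(db, selector):
        if bit:
            for j, b in enumerate(rec):
                acc[j] ^= b
    return bytes(acc)


def retrieve(replica1, replica2, index):
    """Client-side driver: query both replicas and combine their answers.

    Every record selected by both vectors cancels out under XOR; only the
    record at `index`, selected by exactly one vector, survives.
    """
    s1, s2 = make_query(len(replica1), index)
    a1 = answer(replica1, s1)
    a2 = answer(replica2, s2)
    return bytes(x ^ y for x, y in zip(a1, a2))


# Constructed sample database: eight fixed-size "ads", replicated on both servers.
ADS = [f"ad-{i:02d}".encode().ljust(8, b"\0") for i in range(8)]


if __name__ == "__main__":
    for i in range(len(ADS)):
        assert retrieve(ADS, ADS, i) == ADS[i]
    print("all records retrieved privately;", len(ADS), "bits sent per query")
```

Records must be the same length for the XOR to line up, and the privacy argument only holds if the two servers do not collude; ObliviAd avoids both the replication requirement and the linear query size by running ORAM inside a trusted coprocessor instead.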
Oblivious RAM [Goldreich, STOC'87]
- Access privacy with O(log^k n) communication and computation, for some k > 0
PIR using ORAM and Trusted Hardware [Williams and Sion, NDSS'08]
- A secure coprocessor on the server performs ORAM over the database to answer the client's PIR queries
ObliviAd: Distribution Phase
ObliviAd: Tallying Phase
ObliviAd: Features
- A provably secure privacy-preserving OBA architecture
- Without any reduction in the precision of ad selection
- No trusted third party
- Reasonable performance, which will only improve as better ORAM constructions become available
Prototype Implementation
- We adopt the binary tree-based ORAM construction by Shi et al. [AsiaCrypt'11], which has O(log^2(n)) computation
  - Keyword-based ORAM instead of index-based ORAM
- Microbenchmarks: Ad Distribution
  [Figure: read-operation time in seconds (0 to 1.2) against tree depth = log(#Ads) (10 to 30)]
- Experiment setup: Intel i5 quad-core processor at 3.3 GHz with 8 GB RAM; hard drive at 7200 RPM with 16 MB cache; ad sizes up to 40 KB
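The following added example (not the project's prototype code) simulates a keyword-addressed binary-tree ORAM in the style of Shi et al. so the access-pattern argument behind the slides on ORAM, trusted-hardware PIR and the prototype can be checked by hand. Assumptions, labelled in the code: the position map, stash and ORAM logic run inside the coprocessor, the untrusted server sees only which bucket ids are read and written (recorded in `server_view`), and re-encryption on write-back is left implicit. The keywords and ad strings are constructed for the example.

```python
import secrets


class TreeORAM:
    """Toy binary-tree ORAM after Shi et al. [AsiaCrypt'11], keyed by keyword.

    Assumed trust boundary: `pos`, `stash` and this logic live in the secure
    coprocessor; the untrusted server only observes `server_view`, the sequence
    of (operation, bucket id) pairs. Every access reads and rewrites one full
    root-to-leaf path and then runs the same eviction pattern, regardless of
    whether the keyword exists, so the trace is independent of the query.
    """

    def __init__(self, depth, bucket_size=4, evictions_per_level=2):
        self.depth = depth                       # leaves sit at level `depth`
        self.z = bucket_size                     # blocks per bucket
        self.nu = evictions_per_level            # buckets evicted per level
        self.n_leaves = 2 ** depth
        self.buckets = [[] for _ in range(2 * self.n_leaves - 1)]  # (kw, leaf, value)
        self.pos = {}                            # keyword -> assigned leaf
        self.stash = []                          # overflow kept in the coprocessor
        self.server_view = []                    # what the server gets to see

    def _path(self, leaf):
        """Bucket ids from the root down to `leaf` (root first)."""
        node = self.n_leaves - 1 + leaf
        path = []
        while node > 0:
            path.append(node)
            node = (node - 1) // 2
        path.append(0)
        return path[::-1]

    def _touch(self, op, node):
        self.server_view.append((op, node))

    def access(self, keyword, new_value=None):
        """Read the block tagged `keyword`, overwriting it if `new_value` is given.

        Returns the (new) value, or None if the keyword is absent and no value
        was written. A missing keyword still causes a random path to be read.
        """
        leaf = self.pos.get(keyword)
        if leaf is None:
            leaf = secrets.randbelow(self.n_leaves)
        value = None
        for node in self._path(leaf):
            self._touch("read", node)
            for blk in list(self.buckets[node]):
                if blk[0] == keyword:
                    value = blk[2]
                    self.buckets[node].remove(blk)
            self._touch("write", node)           # path is re-encrypted and written back
        for blk in list(self.stash):
            if blk[0] == keyword:
                value = blk[2]
                self.stash.remove(blk)
        if new_value is not None:
            value = new_value
        if value is not None:
            # Remap to a fresh random leaf so the next access takes an
            # independent path, then reinsert via the root.
            self.pos[keyword] = secrets.randbelow(self.n_leaves)
            self.stash.append((keyword, self.pos[keyword], value))
        self._evict()
        return value

    def _evict(self):
        """Push blocks down: at every non-leaf level pick `nu` random buckets,
        move one real block (if any) to the child on its path, and write both
        children so the server cannot tell which one received real data."""
        while self.stash and len(self.buckets[0]) < self.z:
            self.buckets[0].append(self.stash.pop())
        for level in range(self.depth):
            first = 2 ** level - 1
            for _ in range(self.nu):
                v = first + secrets.randbelow(2 ** level)
                left, right = 2 * v + 1, 2 * v + 2
                self._touch("read", v)
                for blk in list(self.buckets[v]):
                    target = left if left in self._path(blk[1]) else right
                    if len(self.buckets[target]) < self.z:
                        self.buckets[v].remove(blk)
                        self.buckets[target].append(blk)
                        break
                self._touch("write", v)
                self._touch("write", left)
                self._touch("write", right)


if __name__ == "__main__":
    oram = TreeORAM(depth=3)
    for k in range(8):
        oram.access(f"sports{k}", f"ad-{k}")   # constructed keyword/ad pairs
    print(oram.access("sports5"), "found;", len(oram.server_view), "bucket touches so far")
```

Per access the server sees 2·(depth+1) path operations plus 4·nu·depth eviction operations, the same count for a hit, a miss or an overwrite; the actual ad content is hidden by encryption, and the position map is never exposed.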
Performance
- Other computation and communication delays are not significant
- An implementation on the latest IBM 4765 PCIe cryptographic coprocessor is in progress
Possible Optimizations
- Database replication and concurrency
- Modifying the Shi et al. scheme for efficiency
  - Evicting while reading
- More efficient ORAM constructions are expected in the near future
Formal Analysis
We modeled our protocol in the applied pi-calculus and used ProVerif to formally prove the correctness and privacy properties:
- Profile Privacy
- Profile Unlinkability
- Billing Correctness
Other Possibilities
- Onion routing (Tor). Privacy through anonymity
  - What about (click) fraud detection?
- donottrack.us. Universal Web Tracking Opt Out
  - It may hamper the ad-world economy
  - A cat-and-mouse race
- Privad. Proxy-based mixing [NSDI'11]
  - How to implement an honest-but-curious proxy?
  - Traffic analysis
- Adnostic. Download a few (say 20) random ads [NDSS'10]
  - Quality of OBA
Summary
- Privacy concerns in OBA are receiving increasing attention
- Practical privacy-preserving OBA is possible without hampering
  - the quality of ads and
  - the economic model of the ad network
- We are developing a complete implementation on the IBM 4765 PCIe cryptographic coprocessor
Project Webpage: http://www.lbs.cs.uni-saarland.de/obliviad
Thanks! Aniket Kate, www.mpi-sws.org/~aniket