Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Raheem Beyah

2014-01-01

Abstract:When people utilize social applications and services, their privacy suffers potential serious threat. In this paper, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from on-going de-anonymization results. By analyzing the measurement on real data sets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large scale data without the knowledge on the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well known mobility traces: St Andrews, Infocom06, and Smallblue, and three social data sets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. For instance, utilizing the knowledge of one seed mapping merely, 93.2% of the data in Smallblue can be successfully de-anonymized; utilizing the knowledge of ten seed mappings, August 13, 2014 DRAFT

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.48550/arXiv.1801.05534

2018-01-17

Abstract:It is important to study the risks of publishing privacy-sensitive data. Even if sensitive identities (e.g., name, social security number) were removed and advanced data perturbation techniques were applied, several de-anonymization attacks have been proposed to re-identify individuals. However, existing attacks have some limitations: 1) they are limited in de-anonymization accuracy; 2) they require prior seed knowledge and suffer from the imprecision of such seed information. We propose a novel structure-based de-anonymization attack, which does not require the attacker to have prior information (e.g., seeds). Our attack is based on two key insights: using multi-hop neighborhood information, and optimizing the process of de-anonymization by exploiting enhanced machine learning techniques. The experimental results demonstrate that our method is robust to data perturbations and significantly outperforms the state-of-the-art de-anonymization techniques by up to $10\times$ improvement.

Social and Information Networks

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise.

Zhongzhao Hu,Luoyi Fu,Xiaoying Gan

DOI: https://doi.org/10.1145/3321408.3321577

2019-01-01

Abstract:De-anonymizing social networks has become a direct threat to people's privacy . Actually, It can be boiled down to graph matching problems. The attackers steal users' real information in anonymized social networks by mapping them to secondary cross-domain networks. In particular, when partial node identity in the anonymized network is known, such attacks will become more powerful. Some scholars have studied seeded network de-anonymization. However, there is a lack of consideration for network overlap. We further expand the work of predecessors and consider partially overlapping networks de-anonymization with the aid of seeded nodes. We give a more general form of theoretical results under Erdös - Rényi model(ER model). We also validated our results on both synthetic and real data.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs , ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. The source code and employed datasets are now publicly available at SecGraph [2015].

Honglu Jiang,Jiguo Yu,Chunqiang Hu,Cheng Zhang,Xiuzhen Cheng

DOI: https://doi.org/10.1016/j.procs.2018.03.089

2018-01-01

Procedia Computer Science

Abstract:The data of social networks contains a large amount of personal information, of which may be public or insignificant, but some may be sensitive and private. Once the user privacy leaked, it may bring a variety of troubles for users. Holders of social networking data first conduct anonymization before the data is published. However, the simple anonymity method does not play a very good protection. At present, a number of de-anonymization attacks for the data releasing of social networks have arisen. These de-anonymization attacks are mostly based on the network structure with the use of feature matching and other methods. In this paper, we model the social network as a Structure-Attribute (SA) framework which integrates the structural characteristics of social networks and social node properties, adding some attribute nodes to the social network. The similarity measurement of social network nodes is proposed, with the consideration of the structure similarity and attribute similarity. The accuracy of node matching and de-anonymization is greatly improved. We conduct our de-anonymization based on the realistic dataset to verify the accuracy and efficiency.

Benjie Miao,Shuaiqi Wang,Luoyi Fu,Xiaojun Lin

DOI: https://doi.org/10.1145/3397166.3409127

2020-01-01

Abstract:As the popularity of social networks increases, the privacy of personal information in social networks becomes an issue of great concern. Concealing personal identity in social network is one of the most common methods to protect personal information, but it is insufficient for privacy protection since adversaries may use correlated side information across multiple networks to uncover the identity of anonymous user. Such re-identification process using auxiliary correlated information is called Social Network Deanonymization. The problem is initially proposed by Narayanan and Shimatikov [16]. In the past decades, a large number of works [16][19][14][11][3][13][9][18][24][4][20] have emerged focusing on the de-anonymization problem with different aspect. In this work, our focus is on an important branch of de-anonymization problem: seedless de-anonymization. In seedless de-anonymization, the attacker needs to re-identify the user identity in a published network using an auxiliary network with full identity information. The published network is completely anonymous, where no pre-identified nodes (ie the so-called seeds) are given. The correlation between two networks only lies in the similarity in their topology, since these two networks are supposed to be from the same underlying relationship network. The attacker aims to uncover the identities in this published anonymous network by matching the users in the published network to those in the auxiliary network.Various algorithms for seedless de-anonymization have been proposed [16][19][14][13][9][18][24][4]. Unfortunately, such algorithms may occasionally fail to perfectly de-anonymize the …

Honglu Jiang,Jiguo Yu,Xiuzhen Cheng,Cheng Zhang,Bei Gong,Haotian Yu

DOI: https://doi.org/10.1109/tcss.2021.3082901

2022-01-01

IEEE Transactions on Computational Social Systems

Abstract:Online social networks have gained tremendous popularity and have dramatically changed the way we communicate in recent years. However, the publishing of social network data raises more and more privacy concerns. To protect user privacy, social networking data are usually anonymized before being released. Nevertheless, existing anonymization techniques do not have sufficient protection effects. A large number of deanonymization attacks have arisen, and they mainly make use of either network topology or node attribute information to successfully reidentify anonymized users. In this article, we model a social network as a structure-attribute network (SAN) integrating the structural characteristics and the attribute information associated with social network users. A novel similarity measurement of social network nodes is proposed by considering the structural similarity and attribute similarity. A two-phase scheme is then designed to perform deanonymization by first dividing a social network (graph) into smaller subgraphs based on spectral graph partitioning and then applying the proposed deanonymization algorithm on each matched subgraph pair. We simulate the deanonymization attack with extensive experiments on three real-world datasets, and the experimental results demonstrate that our approach can improve the accuracy and time complexity of deanonymization compared with the state of the art.

Farhad Shirani,Siddharth Garg,Elza Erkip

DOI: https://doi.org/10.48550/arXiv.1710.04163

2017-10-12

Abstract:In this paper, a new mathematical formulation for the problem of de-anonymizing social network users by actively querying their membership in social network groups is introduced. In this formulation, the attacker has access to a noisy observation of the group membership of each user in the social network. When an unidentified victim visits a malicious website, the attacker uses browser history sniffing to make queries regarding the victim's social media activity. Particularly, it can make polar queries regarding the victim's group memberships and the victim's identity. The attacker receives noisy responses to her queries. The goal is to de-anonymize the victim with the minimum number of queries. Starting with a rigorous mathematical model for this active de-anonymization problem, an upper bound on the attacker's expected query cost is derived, and new attack algorithms are proposed which achieve this bound. These algorithms vary in computational cost and performance. The results suggest that prior heuristic approaches to this problem provide sub-optimal solutions.

Information Theory,Cryptography and Security,Social and Information Networks

Xuan Ding,Lan Zhang,Zhiguo Wan,Ming Gu

DOI: https://doi.org/10.1109/CASoN.2010.139

2010-01-01

Abstract:Nowadays, online social network data are increasingly made publicly available to third parties. Several anonymization techniques have been studied and adopted to preserve privacy in the publishing of data. However, recent works have shown that de-anonymization of the released data is not only possible but also practical. In this paper, we present a brief yet systematic review of the existing de-anonymization attacks in online social networks. We unify the models of de-anonymization, centering around the concept of feature matching. We survey the de-anonymization methods in two categories: mapping-based approaches and guessing-based approaches. We discuss three techniques that would potentially improve the surveyed attacks.

Jiapeng Zhang,Luoyi Fu,Huan Long,Guiae Meng,Feilong Tang,Xinbing Wang,Guihai Chen

DOI: https://doi.org/10.1109/infocom41043.2020.9155499

2020-01-01

Abstract:The interaction among users in different social networks raises deep concern on user privacy, as it may facilitate the assailants to identify user identities by matching the anonymized networks with a correlated sanitized one. Prior arts regarding such de-anonymization problem can be primarily divided into a seeded case or a seedless one, depending on whether or not there are a subset of pre-identified nodes. The seedless case is much more complicated since the adjacency matrix representation of one-hop user relations delivers limited structural information. To address this issue, we, for the first time, integrate the multi-hop neighborhood relationships, which exhibit more structural commonness between the anonymized and the sanitized networks, into seedless de-anonymization process. Our aim is to sufficiently leverage these multi-hop neighbors of all nodes and minimize the total disagreements of these multi-hop adjacency matrices, which we call collective adjacency disagreements (CADs), between two networks of different sizes. Theoretically, we demonstrate that CAD enlarges the difference between wrongly matched node pairs and correctly matched pairs, whereby two networks can be correctly matched with high probability even when the network density is below log n. Algorithmically, we adopt the conditional gradient descending method on a collective-form objective, which can efficiently find the minimal CADs for networks with broad degree distributions. Experiments on both synthetic and real-world networks return desirable de-anonymization accuracies thanks to the rich structural information manifested by such collectiveness, since most nodes can be correctly matched with their correspondences, especially in sparse networks where merely utilizing adjacency relations might fail to work.

Hao Fu,Aston Zhang,Xing Xie

DOI: https://doi.org/10.1145/2567948.2577366

2014-01-01

Abstract:Recently, a number of anonymization algorithms have been developed to protect the privacy of social graph data. However, in order to satisfy higher level of privacy requirements, it is sometimes impossible to maintain sufficient utility. Is it really easy to de-anonymize "lightly" anonymized social graphs? Here "light" anonymization algorithms stand for those algorithms that maintain higher data utility. To answer this question, we proposed a de-anonymization algorithm based on a node similarity measurement. Using the proposed algorithm, we evaluated the privacy risk of several "light" anonymization algorithms on real datasets.

Xuan Ding,Lan Zhang,Zhiguo Wan,Ming Gu

DOI: https://doi.org/10.1109/glocom.2011.6133607

2011-01-01

Abstract:Online social network data are increasingly made publicly available to third parties. Recent studies show that it is possible to recover sensitive information from the released data and several anonymization techniques have been proposed to protect individual privacy. However, most of the existing defenses have focused on ``one-time'' releases and do not take into consideration the re- publication of dynamic social network data. Re- publishing data periodically is a natural result of social network evolution and an emerging requirement of dynamic social network analysis. In this paper, we show that by utilizing correlations between sequential releases, the adversary can achieve high precision in de-anonymization of the released data, suppressing the uncertainty of re-identifying each release separately and synthesizing the results afterwards. Besides, we combine structural knowledge with node attributes to compromise graph modification based defenses. With experiments on real data, this work is the first to demonstrate feasibility of de-anonymizing dynamic social networks and should arouse concern for future works on privacy preservation in social network data publishing.

Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Shouling Ji,Weiqing Li,Neil Zhenqiang Gong,Prateek Mittal,Raheem A. Beyah

DOI: https://doi.org/10.14722/ndss.2015.23096

2015-01-01

Abstract:In this paper, we conduct the first comprehensive quantification on the perfect de-anonymizability and partial deanonymizability of real world social networks with seed information in general scenarios, where a social network can follow an arbitrary distribution model. This quantification provides the theoretical foundation for existing structure based de-anonymization attacks (e.g., [1][2][3]) and closes the gap between de-anonymization practice and theory. Besides that, our quantification can serve as a testing-stone for the effectiveness of anonymization techniques, i.e., researchers can employ our quantified structural conditions to evaluate the potential deanonymizability of the anonymized social networks. Based on our quantification, we conduct a large scale evaluation on the de-anonymizability of 24 various real world social networks by quantitatively showing: 1) the conditions for perfect and (1− ε) de-anonymization of a social network, where ε specifies the tolerated de-anonymization error, and 2) the number of users of a social network that can be successfully de-anonymized. Furthermore, we show that, both theoretically and experimentally, the overall structural information based de-anonymization attack is much more powerful than the seed knowledge-only based deanonymization attack, and even without any seed information, a social network can be perfectly or partially de-anonymized. Finally, we discuss the implications of this work. Our findings are expected to shed light on the future research in the structural data anonymization and de-anonymization area, and to help data owners evaluate their structural data vulnerability before data sharing and publishing.

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.5220/0006192501260135

2017-01-01

Abstract:The risks of publishing privacy-sensitive data have received considerable attention recently. Several de-anonymization attacks have been proposed to re-identify individuals even if data anonymization techniques were applied. However, there is no theoretical quantification for relating the data utility that is preserved by the anonymization techniques and the data vulnerability against de-anonymization attacks. In this paper, we theoretically analyze the de-anonymization attacks and provide conditions on the utility of the anonymized data (denoted by anonymized utility) to achieve successful de-anonymization. To the best of our knowledge, this is the first work on quantifying the relationships between anonymized utility and de-anonymization capability. Unlike previous work, our quantification analysis requires no assumptions about the graph model, thus providing a general theoretical guide for developing practical de-anonymization/anonymization techniques. Furthermore, we evaluate state-of-the-art de-anonymization attacks on a real-world Facebook dataset to show the limitations of previous work. By comparing these experimental results and the theoretically achievable de-anonymization capability derived in our analysis, we further demonstrate the ineffectiveness of previous de-anonymization attacks and the potential of more powerful de-anonymization attacks in the future.

Hong Li,Cheng Zhang,Yunhua He,Xiuzhen Cheng,Yan Liu,Limin Sun

DOI: https://doi.org/10.1007/978-3-319-42836-9_30

2016-01-01

Abstract:To protect users' privacy, online social network data are usually anonymized before being sold to or shared with third parities. Various structure-based approaches have been proposed to de-anonymize the social network data. In this paper, we study the limitations of the existing structure-based de-anonymization methods and propose an enhanced de-anonymization algorithm. The basic idea of our algorithm is to leverage the structural transformations of the social graph to de-anonymize the social network data. We also define a new similarity measure that is more robust for de-anonymization. We use the arXiv dataset to evaluate our algorithm, and the experiment results show that our method can significantly improve the de-anonymization rate.

Huaxin Li,Qingrong Chen,Haojin Zhu,Di Ma

DOI: https://doi.org/10.1145/3063955.3063988

2017-01-01

Abstract:To enjoy various utility and services, people are active in multiple social networks nowadays. With tons of data generated on platforms, multiple accounts of the same user in different social networks can be used to de-anonymize the user in a large scale. The aggregation of user profiles poses a threat to user privacy. With a concern of privacy leakage, de-anonymization techniques, including graph based approaches and profile based approaches, are widely studied in recent years. However, few works throw light on the deanonymization between real-world heterogeneous social networks. In this paper, we propose a Hybrid De-anonymization Scheme (HDS) aiming at de-anonymizing heterogeneous social networks. HDS firstly leverages the network graph structure to significantly reduce the size of candidate set, then exploits user profile information to identify the correct mapping users with a high confidence. Performance evaluation on real-world social network datasets shows that HDS has considerable accuracy on de-anonymization and significantly outperforms the prior schemes.

Shouling Ji,Weiqing Li,Neil Zhenqiang Gong,Prateek Mittal,Raheem Beyah

DOI: https://doi.org/10.1109/tifs.2016.2529591

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we implement the first comprehensive quantification of the perfect de-anonymizability and partial de-anonymizability of real-world social networks with seed information under general scenarios, which provides the theoretical foundation for the existing structure-based de-anonymization attacks and closes the gap between de-anonymization practice and theory. Based on our quantification, we conduct a large-scale evaluation of the de-anonymizability of 24 real-world social networks by quantitatively showing the conditions for perfectly and partially de-anonymizing a social network, how de-anonymizable a social network is, and how many users of a social network can be successfully de-anonymized. Furthermore, we show that both theoretically and experimentally, the overall structural information-based de-anonymization attack can be more powerful than the seed-based de-anonymization attack, and even without any seed information, a social network can be perfectly or partially de-anonymized. Finally, we discuss the implications of this paper. Our findings are expected to shed on research questions in the areas of structural data anonymization and de-anonymization and to help data owners evaluate their structural data vulnerability before data sharing and publishing.

Jia-Lin LIU,Shu-Yang SHI,Yue-Mei ZHANG,Ying-Xia SHAO,Bin CUI

DOI: https://doi.org/10.13328/j.cnki.jos.005436

2018-01-01

Abstract:Ever since social networks became the focus of a great number of researches,the privacy risks of published network data have also raised considerable concerns.To evaluate users' privacy risks,researchers have developed methods to de-anonymize graphs and identify same person in different graphs,yet the existing algorithms either requires high-quality seed mappings,or have low accuracy and high expense.In this paper,an effective and efficient seedless de-anonymization algorithm,"RoleMatch" is proposed.This algorithm is based on the network topology and consists of (1) a new cross-graph node similarity measurement "RoleSim++" with fast computation method,and (2) an effective node matching algorithm considering both similarities and feedbacks.In experiments,the algorithm is tested with graphs anonymized in several popular anonymization ways,using the data from LiveJournal.In addition to the traditional symmetric experiments,an asymmetric experiment setting is proposed to mimic closer to real-world application.The results from those experiment show that with the proposed algorithm the de-anonymization work achieves superior performance compared with existing de-anonymization algorithms.