Mahshad Shariatnasab,Farhad Shirani,Elza Erkip

DOI: https://doi.org/10.48550/arXiv.2106.04766

2021-06-09

Abstract:This work considers active deanonymization of bipartite networks. The scenario arises naturally in evaluating privacy in various applications such as social networks, mobility networks, and medical databases. For instance, in active deanonymization of social networks, an anonymous victim is targeted by an attacker (e.g. the victim visits the attacker's website), and the attacker queries her group memberships (e.g. by querying the browser history) to deanonymize her. In this work, the fundamental limits of privacy, in terms of the minimum number of queries necessary for deanonymization, is investigated. A stochastic model is considered, where i) the bipartite network of group memberships is generated randomly, ii) the attacker has partial prior knowledge of the group memberships, and iii) it receives noisy responses to its real-time queries. The bipartite network is generated based on linear and sublinear preferential attachment, and the stochastic block model. The victim's identity is chosen randomly based on a distribution modeling the users' risk of being the victim (e.g. probability of visiting the website). An attack algorithm is proposed which builds upon techniques from communication with feedback, and its performance, in terms of expected number of queries, is analyzed. Simulation results are provided to verify the theoretical derivations.

Social and Information Networks,Information Theory

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Raheem Beyah

2014-01-01

Abstract:When people utilize social applications and services, their privacy suffers potential serious threat. In this paper, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from on-going de-anonymization results. By analyzing the measurement on real data sets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large scale data without the knowledge on the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well known mobility traces: St Andrews, Infocom06, and Smallblue, and three social data sets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. For instance, utilizing the knowledge of one seed mapping merely, 93.2% of the data in Smallblue can be successfully de-anonymized; utilizing the knowledge of ten seed mappings, August 13, 2014 DRAFT

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.5220/0006192501260135

2017-01-01

Abstract:The risks of publishing privacy-sensitive data have received considerable attention recently. Several de-anonymization attacks have been proposed to re-identify individuals even if data anonymization techniques were applied. However, there is no theoretical quantification for relating the data utility that is preserved by the anonymization techniques and the data vulnerability against de-anonymization attacks. In this paper, we theoretically analyze the de-anonymization attacks and provide conditions on the utility of the anonymized data (denoted by anonymized utility) to achieve successful de-anonymization. To the best of our knowledge, this is the first work on quantifying the relationships between anonymized utility and de-anonymization capability. Unlike previous work, our quantification analysis requires no assumptions about the graph model, thus providing a general theoretical guide for developing practical de-anonymization/anonymization techniques. Furthermore, we evaluate state-of-the-art de-anonymization attacks on a real-world Facebook dataset to show the limitations of previous work. By comparing these experimental results and the theoretically achievable de-anonymization capability derived in our analysis, we further demonstrate the ineffectiveness of previous de-anonymization attacks and the potential of more powerful de-anonymization attacks in the future.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs , ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. The source code and employed datasets are now publicly available at SecGraph [2015].

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.48550/arXiv.1801.05534

2018-01-17

Abstract:It is important to study the risks of publishing privacy-sensitive data. Even if sensitive identities (e.g., name, social security number) were removed and advanced data perturbation techniques were applied, several de-anonymization attacks have been proposed to re-identify individuals. However, existing attacks have some limitations: 1) they are limited in de-anonymization accuracy; 2) they require prior seed knowledge and suffer from the imprecision of such seed information. We propose a novel structure-based de-anonymization attack, which does not require the attacker to have prior information (e.g., seeds). Our attack is based on two key insights: using multi-hop neighborhood information, and optimizing the process of de-anonymization by exploiting enhanced machine learning techniques. The experimental results demonstrate that our method is robust to data perturbations and significantly outperforms the state-of-the-art de-anonymization techniques by up to $10\times$ improvement.

Social and Information Networks

Sjouke Mauw,Yunior Ramírez-Cruz,Rolando Trujillo-Rasua

DOI: https://doi.org/10.1007/s10618-019-00631-5

2018-11-27

Abstract:In order to prevent the disclosure of privacy-sensitive data, such as names and relations between users, social network graphs have to be anonymised before publication. Naive anonymisation of social network graphs often consists in deleting all identifying information of the users, while maintaining the original graph structure. Various types of attacks on naively anonymised graphs have been developed. Active attacks form a special type of such privacy attacks, in which the adversary enrols a number of fake users, often called sybils, to the social network, allowing the adversary to create unique structural patterns later used to re-identify the sybil nodes and other users after anonymisation. Several studies have shown that adding a small amount of noise to the published graph already suffices to mitigate such active attacks. Consequently, active attacks have been dubbed a negligible threat to privacy-preserving social graph publication. In this paper, we argue that these studies unveil shortcomings of specific attacks, rather than inherent problems of active attacks as a general strategy. In order to support this claim, we develop the notion of a robust active attack, which is an active attack that is resilient to small perturbations of the social network graph. We formulate the design of robust active attacks as an optimisation problem and we give definitions of robustness for different stages of the active attack strategy. Moreover, we introduce various heuristics to achieve these notions of robustness and experimentally show that the new robust attacks are considerably more resilient than the original ones, while remaining at the same level of feasibility.

Social and Information Networks

Xuan Ding,Lan Zhang,Zhiguo Wan,Ming Gu

DOI: https://doi.org/10.1109/CASoN.2010.139

2010-01-01

Abstract:Nowadays, online social network data are increasingly made publicly available to third parties. Several anonymization techniques have been studied and adopted to preserve privacy in the publishing of data. However, recent works have shown that de-anonymization of the released data is not only possible but also practical. In this paper, we present a brief yet systematic review of the existing de-anonymization attacks in online social networks. We unify the models of de-anonymization, centering around the concept of feature matching. We survey the de-anonymization methods in two categories: mapping-based approaches and guessing-based approaches. We discuss three techniques that would potentially improve the surveyed attacks.

Gábor György Gulyás,Benedek Simon,Sándor Imre

DOI: https://doi.org/10.1145/2994620.2994632

2016-10-13

Abstract:Releasing connection data from social networking services can pose a significant threat to user privacy. In our work, we consider structural social network de-anonymization attacks, which are used when a malicious party uses connections in a public or other identified network to re-identify users in an anonymized social network release that he obtained previously. In this paper we design and evaluate a novel social de-anonymization attack. In particular, we argue that the similarity function used to re-identify nodes is a key component of such attacks, and we design a novel measure tailored for social networks. We incorporate this measure in an attack called Bumblebee. We evaluate Bumblebee in depth, and show that it significantly outperforms the state-of-the-art, for example it has higher re-identification rates with high precision, robustness against noise, and also has better error control.

Cryptography and Security,Social and Information Networks

Xuan Ding,Lan Zhang,Zhiguo Wan,Ming Gu

DOI: https://doi.org/10.1109/glocom.2011.6133607

2011-01-01

Abstract:Online social network data are increasingly made publicly available to third parties. Recent studies show that it is possible to recover sensitive information from the released data and several anonymization techniques have been proposed to protect individual privacy. However, most of the existing defenses have focused on ``one-time'' releases and do not take into consideration the re- publication of dynamic social network data. Re- publishing data periodically is a natural result of social network evolution and an emerging requirement of dynamic social network analysis. In this paper, we show that by utilizing correlations between sequential releases, the adversary can achieve high precision in de-anonymization of the released data, suppressing the uncertainty of re-identifying each release separately and synthesizing the results afterwards. Besides, we combine structural knowledge with node attributes to compromise graph modification based defenses. With experiments on real data, this work is the first to demonstrate feasibility of de-anonymizing dynamic social networks and should arouse concern for future works on privacy preservation in social network data publishing.

Honglu Jiang,Jiguo Yu,Chunqiang Hu,Cheng Zhang,Xiuzhen Cheng

DOI: https://doi.org/10.1016/j.procs.2018.03.089

2018-01-01

Procedia Computer Science

Abstract:The data of social networks contains a large amount of personal information, of which may be public or insignificant, but some may be sensitive and private. Once the user privacy leaked, it may bring a variety of troubles for users. Holders of social networking data first conduct anonymization before the data is published. However, the simple anonymity method does not play a very good protection. At present, a number of de-anonymization attacks for the data releasing of social networks have arisen. These de-anonymization attacks are mostly based on the network structure with the use of feature matching and other methods. In this paper, we model the social network as a Structure-Attribute (SA) framework which integrates the structural characteristics of social networks and social node properties, adding some attribute nodes to the social network. The similarity measurement of social network nodes is proposed, with the consideration of the structure similarity and attribute similarity. The accuracy of node matching and de-anonymization is greatly improved. We conduct our de-anonymization based on the realistic dataset to verify the accuracy and efficiency.

Jiapeng Zhang,Luoyi Fu,Huan Long,Guiae Meng,Feilong Tang,Xinbing Wang,Guihai Chen

DOI: https://doi.org/10.1109/infocom41043.2020.9155499

2020-01-01

Abstract:The interaction among users in different social networks raises deep concern on user privacy, as it may facilitate the assailants to identify user identities by matching the anonymized networks with a correlated sanitized one. Prior arts regarding such de-anonymization problem can be primarily divided into a seeded case or a seedless one, depending on whether or not there are a subset of pre-identified nodes. The seedless case is much more complicated since the adjacency matrix representation of one-hop user relations delivers limited structural information. To address this issue, we, for the first time, integrate the multi-hop neighborhood relationships, which exhibit more structural commonness between the anonymized and the sanitized networks, into seedless de-anonymization process. Our aim is to sufficiently leverage these multi-hop neighbors of all nodes and minimize the total disagreements of these multi-hop adjacency matrices, which we call collective adjacency disagreements (CADs), between two networks of different sizes. Theoretically, we demonstrate that CAD enlarges the difference between wrongly matched node pairs and correctly matched pairs, whereby two networks can be correctly matched with high probability even when the network density is below log n. Algorithmically, we adopt the conditional gradient descending method on a collective-form objective, which can efficiently find the minimal CADs for networks with broad degree distributions. Experiments on both synthetic and real-world networks return desirable de-anonymization accuracies thanks to the rich structural information manifested by such collectiveness, since most nodes can be correctly matched with their correspondences, especially in sparse networks where merely utilizing adjacency relations might fail to work.

Shouling Ji,Weiqing Li,Neil Zhenqiang Gong,Prateek Mittal,Raheem A. Beyah

DOI: https://doi.org/10.14722/ndss.2015.23096

2015-01-01

Abstract:In this paper, we conduct the first comprehensive quantification on the perfect de-anonymizability and partial deanonymizability of real world social networks with seed information in general scenarios, where a social network can follow an arbitrary distribution model. This quantification provides the theoretical foundation for existing structure based de-anonymization attacks (e.g., [1][2][3]) and closes the gap between de-anonymization practice and theory. Besides that, our quantification can serve as a testing-stone for the effectiveness of anonymization techniques, i.e., researchers can employ our quantified structural conditions to evaluate the potential deanonymizability of the anonymized social networks. Based on our quantification, we conduct a large scale evaluation on the de-anonymizability of 24 various real world social networks by quantitatively showing: 1) the conditions for perfect and (1− ε) de-anonymization of a social network, where ε specifies the tolerated de-anonymization error, and 2) the number of users of a social network that can be successfully de-anonymized. Furthermore, we show that, both theoretically and experimentally, the overall structural information based de-anonymization attack is much more powerful than the seed knowledge-only based deanonymization attack, and even without any seed information, a social network can be perfectly or partially de-anonymized. Finally, we discuss the implications of this work. Our findings are expected to shed light on the future research in the structural data anonymization and de-anonymization area, and to help data owners evaluate their structural data vulnerability before data sharing and publishing.

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby B. Lee

DOI: https://doi.org/10.1007/978-3-319-93354-2_5

2018-01-01

Abstract:An increasing amount of data are becoming publicly available over the Internet. These data are released after applying some anonymization techniques. Recently, researchers have paid significant attention to analyzing the risks of publishing privacy-sensitive data. Even if data anonymization techniques were applied to protect privacy-sensitive data, several de-anonymization attacks have been proposed to break their privacy. However, no theoretical quantification for relating the data vulnerability against de-anonymization attacks and the data utility that is preserved by the anonymization techniques exists. In this paper, we first address several fundamental open problems in the structure-based de-anonymization research by establishing a formal model for privacy breaches on anonymized data and quantifying the conditions for successful de-anonymization under a general graph model. To the best of our knowledge, this is the first work on quantifying the relationship between anonymized utility and de-anonymization capability. Our quantification works under very general assumptions about the distribution from which the data are drawn, thus providing a theoretical guide for practical de-anonymization/anonymization techniques. Furthermore, we use multiple real-world datasets including a Facebook dataset, a Collaboration dataset, and two Twitter datasets to show the limitations of the state-of-the-art de-anonymization attacks. From these experimental results, we demonstrate the ineffectiveness of previous de-anonymization attacks and the potential of more powerful de-anonymization attacks in the future, by comparing the theoretical de-anonymization capability proposed by us with the practical experimental results of the state-of-the-art de-anonymization methods.

Rachel G. de Jong,Mark P. J. van der Loo,Frank W. Takes

2024-09-24

Abstract:In this paper we introduce a general version of the anonymization problem in social networks, in which the goal is to maximize the number of anonymous nodes by altering a given graph. We define three variants of this optimization problem, being full, partial and budgeted anonymization. In each, the objective is to maximize the number of k-anonymous nodes, i.e., nodes for which there are at least k-1 equivalent nodes, according to a particular anonymity measure of structural node equivalence. We propose six new heuristic algorithms for solving the anonymization problem which we implement into the reusable ANO-NET computational framework. As a baseline, we use an edge sampling method introduced in previous work. Experiments on both graph models and 17 real-world network datasets result in three empirical findings. First, we demonstrate that edge deletion is the most effective graph alteration operation. Second, we compare four commonly used anonymity measures from the literature and highlight how the choice of anonymity measure has a tremendous effect on both the achieved anonymity as well as the difficulty of solving the anonymization problem. Third, we find that the proposed algorithms that preferentially delete edges with a larger effect on nodes at a structurally unique position consistently outperform heuristics solely based on network structure. With similar runtimes, our algorithms retain on average 17 times more edges, ensuring higher data utility after full anonymization. In the budgeted variant, they achieve 4.4 times more anonymous nodes than the baseline. This work lays important foundations for future development of algorithms for anonymizing social networks.

Social and Information Networks

Zhongzhao Hu,Luoyi Fu,Xiaoying Gan

DOI: https://doi.org/10.1145/3321408.3321577

2019-01-01

Abstract:De-anonymizing social networks has become a direct threat to people's privacy . Actually, It can be boiled down to graph matching problems. The attackers steal users' real information in anonymized social networks by mapping them to secondary cross-domain networks. In particular, when partial node identity in the anonymized network is known, such attacks will become more powerful. Some scholars have studied seeded network de-anonymization. However, there is a lack of consideration for network overlap. We further expand the work of predecessors and consider partially overlapping networks de-anonymization with the aid of seeded nodes. We give a more general form of theoretical results under Erdös - Rényi model(ER model). We also validated our results on both synthetic and real data.

Xinzhe Fu,Zhongzhao Hu,Zhiying Xu,Luoyi Fu,Xinbing Wang

DOI: https://doi.org/10.1109/glocom.2017.8254107

2017-01-01

Abstract:A crucial privacy-driven issue nowadays is re- identifying ano-nymized social networks by mapping them to correlated cross-domain auxiliary networks. Prior works are typically based on modeling social networks as random graphs representing users and their relations, and subsequently quantify the quality of mappings through cost functions that are proposed without sufficient rationale. Also, it remains unknown how to algorithmically meet the demand of such quantifications, i.e., to find the minimizer of the cost functions. We address those concerns in a more realistic social network modeling parameterized by community structures that can be leveraged as side information for de- anonymization. By Maximum A Posteriori (MAP) estimation, our first contribution is new and well justified cost functions, which, when minimized, enjoy superiority to previous ones in finding the correct mapping with the highest probability. The feasibility of the cost functions is then for the first time algorithmically characterized. While proving the general multiplicative inapproximability, we are able to propose two heuristics, which, respectively, enjoy an ε-additive approximation and a conditional optimality in carrying out successful user re- identification. Our theoretical findings are empirically validated,with a notable dataset extracted from rare true cross-domain networks that reproduce genuine social network de-anonymization.

Honglu Jiang,Jiguo Yu,Xiuzhen Cheng,Cheng Zhang,Bei Gong,Haotian Yu

DOI: https://doi.org/10.1109/tcss.2021.3082901

2022-01-01

IEEE Transactions on Computational Social Systems

Abstract:Online social networks have gained tremendous popularity and have dramatically changed the way we communicate in recent years. However, the publishing of social network data raises more and more privacy concerns. To protect user privacy, social networking data are usually anonymized before being released. Nevertheless, existing anonymization techniques do not have sufficient protection effects. A large number of deanonymization attacks have arisen, and they mainly make use of either network topology or node attribute information to successfully reidentify anonymized users. In this article, we model a social network as a structure-attribute network (SAN) integrating the structural characteristics and the attribute information associated with social network users. A novel similarity measurement of social network nodes is proposed by considering the structural similarity and attribute similarity. A two-phase scheme is then designed to perform deanonymization by first dividing a social network (graph) into smaller subgraphs based on spectral graph partitioning and then applying the proposed deanonymization algorithm on each matched subgraph pair. We simulate the deanonymization attack with extensive experiments on three real-world datasets, and the experimental results demonstrate that our approach can improve the accuracy and time complexity of deanonymization compared with the state of the art.

Luoyi Fu,Xinzhe Fu,Zhongzhao Hu,Zhiying Xu,Xinbing Wang

DOI: https://doi.org/10.48550/arXiv.1703.09028

2017-07-27

Abstract:A crucial privacy-driven issue nowadays is re-identifying anonymized social networks by mapping them to correlated cross-domain auxiliary networks. Prior works are typically based on modeling social networks as random graphs representing users and their relations, and subsequently quantify the quality of mappings through cost functions that are proposed without sufficient rationale. Also, it remains unknown how to algorithmically meet the demand of such quantifications, i.e., to find the minimizer of the cost functions. We address those concerns in a more realistic social network modeling parameterized by community structures that can be leveraged as side information for de-anonymization. By Maximum A Posteriori (MAP) estimation, our first contribution is new and well justified cost functions, which, when minimized, enjoy superiority to previous ones in finding the correct mapping with the highest probability. The feasibility of the cost functions is then for the first time algorithmically characterized. While proving the general multiplicative inapproximability, we are able to propose two algorithms, which, respectively, enjoy an \epsilon-additive approximation and a conditional optimality in carrying out successful user re-identification. Our theoretical findings are empirically validated, with a notable dataset extracted from rare true cross-domain networks that reproduce genuine social network de-anonymization. Both theoretical and empirical observations also manifest the importance of community information in enhancing privacy inferencing.

Social and Information Networks,Cryptography and Security,Networking and Internet Architecture

Jiapeng Zhang,Shan Qu,Qi Li,Huquan Kang,Luoyi Fu,Haisong Zhang,Xinbing Wang,Guihai Chen

DOI: https://doi.org/10.1109/tkde.2021.3124559

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:A crucial privacy-driven issue nowadays is re-identifying anonymized social networks by mapping them to correlated cross-domain auxiliary networks. Prior works are typically based on modeling social networks as random graphs representing users and their relations, and subsequently quantify the quality of mappings through varied cost functions. However, many cost functions are empirically proposed without sufficient theoretical support. For some other works probing the theoretical bound, it remains unknown how to algorithmically meet the demand of such quantifications, i.e., to minimize the cost functions. Besides, only few prior works have discussed the de-anonymization of social networks with communities. We address those concerns in a social network modeling parameterized by community structures that can be leveraged as side information for de-anonymization. Based on the Maximum A Posteriori (MAP) estimation, our first contribution is a series of MAP-based cost functions, which, when minimized, enjoy superiority to previous ones in finding the correct mapping with the highest probability. The feasibility of the cost functions is then for the first time algorithmically characterized. We prove the general multiplicative inapproximability and thus propose two heuristics, which, respectively, enjoy an $\epsilon$ε-additive approximation and a conditional optimality in carrying out successful user re-identification. Our theoretical findings are also empirically validated under classical synthetic and real-wrold social networks. Both theoretical and empirical observations manifest the importance of community in enhancing privacy inferencing.

computer science, information systems, artificial intelligence,engineering, electrical & electronic