Mikhail Fomichev

DOI: https://doi.org/10.1145/3581791.3597510

2023-05-19

Abstract:The massive streams of Internet of Things (IoT) data require a timely analysis to retain data usefulness. Stream processing systems (SPSs) enable this task, deriving knowledge from the IoT data in real-time. Such real-time analytics benefits many applications but can also be used to violate user privacy, as the IoT data collected from users or their vicinity is inherently sensitive. In this paper, we present our systematic look into privacy issues arising from the intersection of SPSs and IoT, identifying key research challenges towards achieving holistic privacy protection in SPSs and proposing the solutions.

Cryptography and Security,Machine Learning

He Gu,Thomas Plagemann,Maik Benndorf,Vera Goebel,Boris Koldehofe

DOI: https://doi.org/10.48550/arXiv.2305.06105

2023-05-11

Abstract:Complex event processing (CEP) is a powerful and increasingly more important tool to analyse data streams for Internet of Things (IoT) applications. These data streams often contain private information that requires proper protection. However, privacy protection in CEP systems is still in its infancy, and most existing privacy-preserving mechanisms (PPMs) are adopted from those designed for data streams. Such approaches undermine the quality of the entire data stream and limit the performance of IoT applications. In this paper, we attempt to break the limitation and establish a new foundation for PPMs of CEP by proposing a novel pattern-level differential privacy (DP) guarantee. We introduce two PPMs that guarantee pattern-level DP. They operate only on data that correlate with private patterns rather than on the entire data stream, leading to higher data quality. One of the PPMs provides adaptive privacy protection and brings more granularity and generalization. We evaluate the performance of the proposed PPMs with two experiments on a real-world dataset and on a synthetic dataset. The results of the experiments indicate that our proposed privacy guarantee and its PPMs can deliver better data quality under equally strong privacy guarantees, compared to multiple well-known PPMs designed for data streams.

Databases,Cryptography and Security

Yuanchun Li,Fanglin Chen,Toby Jia-Jun Li,Yao Guo,Gang Huang,Matthew Fredrikson,Yuvraj Agarwal,Jason I. Hong

DOI: https://doi.org/10.1145/3130941

2017-01-01

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies

Abstract:Smartphone app developers often access and use privacy-sensitive data to create apps with rich and meaningful interactions. However, it can be challenging for auditors and end-users to know what granularity of data is being used and how, thereby hindering assessment of potential risks. Furthermore, developers lack easy ways of offering transparency to users regarding how personal data is processed, even if their intentions are to make their apps more privacy friendly. To address these challenges, we introduce PrivacyStreams, a functional programming model for accessing and processing personal data as a stream. PrivacyStreams is designed to make it easy for developers to make use of personal data while simultaneously making it easier to analyze how that personal data is processed and what granularity of data is actually used. We present the design and implementation of PrivacyStreams, as well as several user studies and experiments to demonstrate its usability, utility, and support for privacy.

Dan Wang,Ju Ren,Chugui Xu,Juncheng Liu,Zhibo Wang,Yaoxue Zhang,Xuemin Shen

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00180

2019-01-01

Abstract:Differential privacy (DP) has been recognized as a useful technique to achieve the trade-off between privacy guarantee and data utility. However, applying DP on the continuous data stream to protect sensitive inferred information faces two significant challenges. Firstly, directly adding noise into the continuous data stream may significantly reduce the data utility. Secondly, it is difficult to effectively and efficiently sample the data stream since the distribution of the data stream is usually unknown in advance. In this paper, we propose PrivStream, a privacy-preserving IoT data stream analytical framework based on edge computing, to address the two challenges. Specifically, PrivStream is split into two parts distributed at the IoT device and edge server, respectively. The first part, deployed at the device side, adaptively samples the data stream, leverages a tailored autoencoder to conduct data minimization and obfuscates the learnt features by injecting Laplace noise. The second part, deployed at the edge server side, reconstructs the perturbed features into obfuscated data stream for useful inferences without privacy disclosure. Moreover, we present the implementation details of PrivStream on a practical IoT system and theoretically analyze that Privstream can provide provable privacy guarantee. The experimental results based on realistic IoT data stream demonstrate that Privstream can preserve the data utility of useful inferences and mitigate the sensitive inferences simultaneously with efficient system overheads.

M.A.P. Chamikara,P. Bertok,I. Khalil,D. Liu,S. Camtepe

DOI: https://doi.org/10.1016/j.comcom.2021.04.006

IF: 5.047

2021-05-01

Computer Communications

Abstract:<p>Personally identifiable information (PII) can find its way into cyberspace through various channels, and many potential sources can leak such information. Data sharing (e.g. cross-agency data sharing) for machine learning and analytics is one of the important components in data science. However, due to privacy concerns, data should be enforced with strong privacy guarantees before sharing. Different privacy-preserving approaches were developed for privacy preserving data sharing; however, identifying the best privacy-preservation approach for the privacy-preservation of a certain dataset is still a challenge. Different parameters can influence the efficacy of the process, such as the characteristics of the input dataset, the strength of the privacy-preservation approach, and the expected level of utility of the resulting dataset (on the corresponding data mining application such as classification). This paper presents a framework named <u>P</u>rivacy <u>P</u>reservation <u>a</u>s <u>a</u><u>S</u>ervice (PPaaS) to reduce this complexity. The proposed method employs selective privacy preservation via data perturbation and looks at different dynamics that can influence the quality of the privacy preservation of a dataset. PPaaS includes pools of data perturbation methods, and for each application and the input dataset, PPaaS selects the most suitable data perturbation approach after rigorous evaluation. It enhances the usability of privacy-preserving methods within its pool; it is a generic platform that can be used to sanitize big data in a granular, application-specific manner by employing a suitable combination of diverse privacy-preserving algorithms to provide a proper balance between privacy and utility.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic

Dan Wang,Ju Ren,Zhibo Wang,Yaoxue Zhang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1016/j.inffus.2021.11.013

IF: 18.6

2022-01-01

Information Fusion

Abstract:Edge computing combining with artificial intelligence (AI) has enabled the timely processing and analysis of streaming data produced by IoT intelligent applications. However, it causes privacy risk due to the data exchanges between local devices and untrusted edge servers. The powerful analytical capability of AI further exacerbates the risks because it can even infer private information from insensitive data. In this paper, we propose a privacy-preserving IoT streaming data analytical framework based on edge computing, called PrivStream, to prevent the untrusted edge server from making sensitive inferences from the IoT streaming data. It utilizes a well-designed deep learning model to filter the sensitive information and combines with differential privacy to protect against the untrusted edge server. The noise is also injected into the framework in the training phase to increase the robustness of PrivStream to differential privacy noise. Taking into account the dynamic and real-time characteristics of streaming data, we realize PrivStream with two types of models to process data segment with fixed length and variable length, respectively, and implement it on a distributed streaming platform to achieve real-time streaming data transmission. We theoretically prove that Privstream satisfies ε-differential privacy and experimentally demonstrate that PrivStream has better performance than the state-of-the-art and has acceptable computation and storage overheads.

Qingxiu Liu,Qun Huang,Xiang Chen,Sa Wang,Wenhao Wang,Shujie Han,Patrick P. C. Lee

DOI: https://doi.org/10.1109/ICDE60146.2024.00123

2024-01-01

Abstract:Privacy preservation is critical for neural network inference, which often involves collaborative execution of different parties to make predictions on sensitive data based on sensitive neural network models. However, the expensive cryptographic operations of privacy preservation also pose performance chal-lenges to neural network inference. We address this performance-security tension by designing PP-Stream, a distributed stream processing system for high-performance privacy-preserving neural network inference. PP-Stream adopts hybrid privacy-preserving mechanisms for linear and non-linear operations of neural network inference. It treats inference data as real-time data streams, and parallelizes the inference operations across multiple pipelined stages that are executed by multiple servers and threads. It also solves the load-balanced resource allocation across servers and threads as an optimization problem. We prototype PP-Stream and show via testbed experiments that it achieves low inference latencies on various neural network models.

Shuya Feng,Meisam Mohammady,Han Wang,Xiaochen Li,Zhan Qin,Yuan Hong

2024-07-20

Abstract:Streaming data, crucial for applications like crowdsourcing analytics, behavior studies, and real-time monitoring, faces significant privacy risks due to the large and diverse data linked to individuals. In particular, recent efforts to release data streams, using the rigorous privacy notion of differential privacy (DP), have encountered issues with unbounded privacy leakage. This challenge limits their applicability to only a finite number of time slots (''finite data stream'') or relaxation to protecting the events (''event or $w$-event DP'') rather than all the records of users. A persistent challenge is managing the sensitivity of outputs to inputs in situations where users contribute many activities and data distributions evolve over time. In this paper, we present a novel technique for Differentially Private data streaming over Infinite disclosure (DPI) that effectively bounds the total privacy leakage of each user in infinite data streams while enabling accurate data collection and analysis. Furthermore, we also maximize the accuracy of DPI via a novel boosting mechanism. Finally, extensive experiments across various streaming applications and real datasets (e.g., COVID-19, Network Traffic, and USDA Production), show that DPI maintains high utility for infinite data streams in diverse settings. Code for DPI is available at <a class="link-external link-https" href="https://github.com/ShuyaFeng/DPI" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Martin Kabierski,Stephan Fahrenkrog-Petersen,Matthias Weidlich

DOI: https://doi.org/10.48550/arXiv.2103.11740

2021-03-22

Cryptography and Security

Abstract:Process performance indicators (PPIs) are metrics to quantify the degree with which organizational goals defined based on business processes are fulfilled. They exploit the event logs recorded by information systems during the execution of business processes, thereby providing a basis for process monitoring and subsequent optimization. However, PPIs are often evaluated on processes that involve individuals, which implies an inevitable risk of privacy intrusion. In this paper, we address the demand for privacy protection in the computation of PPIs. We first present a framework that enforces control over the data exploited for process monitoring. We then show how PPIs defined based on the established PPINOT meta-model are instantiated in this framework through a set of data release mechanisms. These mechanisms are designed to provide provable guarantees in terms of differential privacy. We evaluate our framework and the release mechanisms in a series of controlled experiments. We further use a public event log to compare our framework with approaches based on privatization of event logs. The results demonstrate feasibility and shed light on the trade-offs between data utility and privacy guarantees in the computation of PPIs.

Bing Zhang,Vadym Doroshenko,Peter Kairouz,Thomas Steinke,Abhradeep Thakurta,Ziyin Ma,Eidan Cohen,Himani Apte,Jodi Spacek

2024-07-13

Abstract:We design, to the best of our knowledge, the first differentially private (DP) stream aggregation processing system at scale. Our system -- Differential Privacy SQL Pipelines (DP-SQLP) -- is built using a streaming framework similar to Spark streaming, and is built on top of the Spanner database and the F1 query engine from Google. Towards designing DP-SQLP we make both algorithmic and systemic advances, namely, we (i) design a novel (user-level) DP key selection algorithm that can operate on an unbounded set of possible keys, and can scale to one billion keys that users have contributed, (ii) design a preemptive execution scheme for DP key selection that avoids enumerating all the keys at each triggering time, and (iii) use algorithmic techniques from DP continual observation to release a continual DP histogram of user contributions to different keys over the stream length. We empirically demonstrate the efficacy by obtaining at least $16\times$ reduction in error over meaningful baselines we consider. We implemented a streaming differentially private user impressions for Google Shopping with DP-SQLP. The streaming DP algorithms are further applied to Google Trends.

Cryptography and Security,Databases

Ying Li,Xiaodong Lee,Botao Peng,Themis Palpanas,Jingan Xue

DOI: https://doi.org/10.1109/jiot.2024.3397908

IF: 10.6

2024-07-27

IEEE Internet of Things Journal

Abstract:Data stream collection is critical to analyze service conditions and detect anomalies in time, especially in Internet of Things. However, it may undermine the individual privacy. Local differential privacy (LDP) has recently become a popular privacy-preserving technique protecting users' privacy. However, most of them are still limited to the assumption of one-item collection, resulting in poor utility when extended to the multi-item collection from a very large domain. This article proposes a private streaming data collection framework, private sketch-based framework (PSF), which takes advantage of sketches. Combining the proposed background information and a decode-first collection-side workflow, the framework improves the utility by reducing the errors introduced by the sketching algorithm and the privacy budget utilization when collecting multiple items. We analytically prove the superior accuracy and privacy characteristics of PSF. In order to support specific computing tasks, we build two private protocols based on PSF, PrivSketch and PrivSketch+, aiming at frequency estimation and mean estimation, respectively. We demonstrate the utility of PrivSketch and PrivSketch+ theoretically, and also evaluate them experimentally. Our evaluation, with several diverse synthetic and real data sets, demonstrates that PrivSketch is 1–3 orders of magnitude better than the competitors in terms of utility in both frequency estimation and frequent item estimation, while being up to ~100x faster. PrivSketch+ performs ~4 orders of magnitude better than advanced solutions, such as piecewise mechanism (PM) and hybrid mechanism (HM), under a limited privacy budget.

computer science, information systems,telecommunications,engineering, electrical & electronic

HS Cheng,DQ Zhang,JG Tan

DOI: https://doi.org/10.1109/itcc.2005.233

2005-01-01

Abstract:In this paper, we present two techniques. The first technique called Privacy Sensitive Information dilUting Mechanism (PSIUM) is able to prevent the misuse of data by a service provider by using a mixture of true and false sensor data. The second technique protects privacy sensitive information from being revealed to an attacker through traffic analysis by using a combination of frequently changing pseudonyms and dummy traffic.

Teng WANG,Xinyu YANG,Xuebin REN,Jun ZHAO

DOI: https://doi.org/10.1360/ssi-2020-0076

2021-01-01

Abstract:The real-time publishing and deep exploitation of data streams in crowdsensing systems have significantly facilitated peoples daily lives. However, it also seriously compromises the private information of participating users. The existing approaches are non-adaptive to dynamic changes of streams, thus are vulnerable to low data utility. To address such concerns, in this paper, we present AdaPub, a data-adaptive mechanism for infinite multi-dimensional stream real-time publishing under $\\omega$-event differential privacy. No longer predefining parameters, AdaPub seamlessly incorporates two modules DimParti and AdaCluster to learn spatial and temporal correlations simultaneously in a data-adaptive manner, thus ensuring data adaptability of privacy-preserving mechanism and greatly improving the data utility of the sanitized streams. Moreover, for hierarchical aggregated streams publishing, we further propose a data-adaptive mechanism HierAdaPub that leverages an optimal privacy budget allocation strategy to minimize the total perturbation errors. Extensive experiments on real-world and synthetic datasets demonstrate that our mechanisms substantially outperform the state-of-the-art solutions in terms of both data utility and data adaptivity while achieving strong privacy guarantees.

Du Nguyen Duy,Ramin Nikzad-Langerodi

2024-01-26

Abstract:Modern manufacturing value chains require intelligent orchestration of processes across company borders in order to maximize profits while fostering social and environmental sustainability. However, the implementation of integrated, systems-level approaches for data-informed decision-making along value chains is currently hampered by privacy concerns associated with cross-organizational data exchange and integration. We here propose Privacy-Preserving Partial Least Squares (P3LS) regression, a novel federated learning technique that enables cross-organizational data integration and process modeling with privacy guarantees. P3LS involves a singular value decomposition (SVD) based PLS algorithm and employs removable, random masks generated by a trusted authority in order to protect the privacy of the data contributed by each data holder. We demonstrate the capability of P3LS to vertically integrate process data along a hypothetical value chain consisting of three parties and to improve the prediction performance on several process-related key performance indicators. Furthermore, we show the numerical equivalence of P3LS and PLS model components on simulated data and provide a thorough privacy analysis of the former. Moreover, we propose a mechanism for determining the relevance of the contributed data to the problem being addressed, thus creating a basis for quantifying the contribution of participants.

Machine Learning,Cryptography and Security

Bo Jiang,Ming Li,Ravi Tandon

DOI: https://doi.org/10.1109/tifs.2024.3378008

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Publishing streaming data in a privacy-preserving manner has been a key research focus for many years. This issue presents considerable challenges, particularly due to the correlations prevalent within the data stream. Existing approaches either fall short in effectively leveraging these correlations, leading to a suboptimal utility-privacy tradeoff, or they involve complex mechanism designs that increase the computation complexity with respect to the sequence length. In this paper, we introduce Sequence Information Privacy (SIP), a new privacy notion designed to guarantee privacy for an entire data stream, taking into account the intrinsic data correlations. We show that SIP provides a similar level of privacy guarantee compared to local differential privacy (LDP), and it also enjoys a lightweight modular mechanism design. We further study two online data release models (instantaneous or batched) and propose corresponding privacy-preserving data perturbation mechanisms. We provide a numerical evaluation of how correlations influence noise addition in data streams. Lastly, we conduct experiments using real-world data to compare the utility-privacy tradeoff offered by our approaches with those from existing literature. The results reveal that our mechanisms achieve better utility-privacy tradeoff than the state-of-the-art LDP-based mechanisms. Notably, the improvements become more significant for small privacy budgets.

computer science, theory & methods,engineering, electrical & electronic

Ryan Hildebrant,Stephan A. Fahrenkrog-Petersen,Matthias Weidlich,Shangping Ren

2023-05-02

Abstract:Anonymization of event logs facilitates process mining while protecting sensitive information of process stakeholders. Existing techniques, however, focus on the privatization of the control-flow. Other process perspectives, such as roles, resources, and objects are neglected or subject to randomization, which breaks the dependencies between the perspectives. Hence, existing techniques are not suited for advanced process mining tasks, e.g., social network mining or predictive monitoring. To address this gap, we propose PMDG, a framework to ensure privacy for multi-perspective process mining through data generalization. It provides group-based privacy guarantees for an event log, while preserving the characteristic dependencies between the control-flow and further process perspectives. Unlike existin privatization techniques that rely on data suppression or noise insertion, PMDG adopts data generalization: a technique where the activities and attribute values referenced in events are generalized into more abstract ones, to obtain equivalence classes that are sufficiently large from a privacy point of view. We demonstrate empirically that PMDG outperforms state-of-the-art anonymization techniques, when mining handovers and predicting outcomes.

Databases,Cryptography and Security

Junqing Le,Di Zhang,Mu Nankun,Xiaofeng Liao,Fan Yang

DOI: https://doi.org/10.1109/tsmc.2018.2872902

2018-01-01

IEEE Transactions on Systems Man and Cybernetics Systems

Abstract:The real-time data generated from various smart devices will be released and shared for public to obtain numerous benefits. However, it will lead to individual privacy leakage because of data mining or analysis. Currently, many existing privacy protection models either fail to be directly applied in real-time data release or are unsatisfactory in terms of data utility and privacy protection. Toward this end, based on m-signature and fuzzy processing, an anonymous privacy protection model, named PMF, is proposed in this paper. Specifically, for the proposed model there are five advantages: 1) PMF defines m-signature for making each bucket with at least m different sensitive values instead of generating any counterfeit tuples, which can not only resist h-difference attack but also improve practical value; 2) the buckets satisfying m-signature are variable over time, and this flexibility of m-signature can improve the efficiency of dynamic update; 3) PMF can effectively insert, delete, and modify real-time data for release; 4) PMF applies fuzzy processing to handle the tuples in the candidate list, which strikes a good balance between the utility of released data and privacy protection; and 5) PMF adopts greedy heuristic algorithm to process update operations, which greatly reduces the information loss of released data. Furthermore, PMF is obviously more secure than the existing models in the real-time data release. Finally, the results of the comparison experiments on real-world and synthetic datasets illustrate that PMF is superior to the existing models in terms of data utility and efficiency.

Ferdinando Fioretto,Pascal Van Hentenryck

DOI: https://doi.org/10.1613/jair.1.11583

2018-10-30

Abstract:Many applications of machine learning and optimization operate on data streams. While these datasets are fundamental to fuel decision-making algorithms, often they contain sensitive information about individuals and their usage poses significant privacy risks. Motivated by an application in energy systems, this paper presents OPTSTREAM, a novel algorithm for releasing differentially private data streams under the w-event model of privacy. OPTSTREAM is a 4-step procedure consisting of sampling, perturbation, reconstruction, and post-processing modules. First, the sampling module selects a small set of points to access in each period of interest. Then, the perturbation module adds noise to the sampled data points to guarantee privacy. Next, the reconstruction module reassembles non-sampled data points from the perturbed sample points. Finally, the post-processing module uses convex optimization over the private output of the previous modules, as well as the private answers of additional queries on the data stream, to improve accuracy by redistributing the added noise. OPTSTREAM is evaluated on a test case involving the release of a real data stream from the largest European transmission operator. Experimental results show that OPTSTREAM may not only improve the accuracy of state-of-the-art methods by at least one order of magnitude but also supports accurate load forecasting on the private data.

Cryptography and Security,Artificial Intelligence,Databases,Data Structures and Algorithms

Xiangqian Dong,Bing Guo,Xuliang Duan,Yuncheng Shen,Hong Zhang,Yan Shen

DOI: https://doi.org/10.1109/ICESS.2016.10

2016-01-01

Abstract:Personal data represents a post-industrial opportunity. In order to release the huge potential of personal data and enhance the rights of possession, use, and disposal, a highly reliable, secure and available infrastructure is required. Regarding the personal data market, current solutions focus on data discovery and passive privacy protection. What's worse is that the data owner loses the right of control. In this paper, we present a prototype of DSPM: an efficient platform we devise to balance the data sharing and privacy protect, enhance the probability of data discovery and the ability of the individual to control the data. It is shown that DSPM is align with the initiative aims of establishing a user-centric framework for identifying the opportunities, risks and collaborative responses in the use of personal data.

Emiliano De Cristofaro,Claudio Soriente

DOI: https://doi.org/10.1109/tifs.2013.2287092

IF: 7.231

2013-12-01

IEEE Transactions on Information Forensics and Security

Abstract:Participatory sensing is emerging as an innovative computing paradigm that targets the ubiquity of always-connected mobile phones and their sensing capabilities. In this paper, a multitude of pioneering applications increasingly carry out pervasive collection and dissemination of information and environmental data, such as traffic conditions, pollution, temperature, and so on. Participants collect and report measurements from their mobile devices and entrust them to the cloud to be made available to applications and users. Naturally, due to the personal information associated to the reports (e.g., location, movements, etc.), a number of privacy concerns need to be considered prior to a large-scale deployment of these applications. Motivated by the need for privacy protection in participatory sensing, this paper presents a privacy-enhanced participatory sensing infrastructure. We explore realistic architectural assumptions and a minimal set of formal requirements aiming at protecting privacy of both data producers and consumers. We propose two instantiations that attain privacy guarantees with provable security at very low additional computational cost and almost no extra communication overhead.

computer science, theory & methods,engineering, electrical & electronic