Qian Wang,Zhiwei Xu,Shengzhi Qu

DOI: https://doi.org/10.4304/jsw.6.10.1945-1952

2011-01-01

Journal of Software

Abstract:k-anonymity is an important model in the field of privacy protection and it is an effective method to prevent privacy disclosure in micro-data release. However, it is ineffective for the attribute disclosure by the homogeneity attack. The existing models based on k-anonymity have solved this problem to a certain extent, but they did not distinguish the different values of the sensitive attribute, processed a series of unnecessary generalization and expanded the information loss when they protect the sensitive attribute. Based on k-anonymity, this paper proposed a model based on average leakage probability and probability difference of sensitive attribute value. It is not only an effective method to deal with the problem of attributes disclosure that k-anonymity cannot deal, but also to realize different levels of protection to the various sensitive attribute values. It has reduced the generalization to the data in the most possibility during the procedure and ensures the most effectiveness of quasi-identifier attributes. Greedy generalization algorithm based on the generalization information loss is also proposed in this paper. To choose the generalization attributes, the information loss is considered and the importance of generalization attribute to sensitive attribute is accounted as well. Comparison experiment and performance experiment are made to the proposed model. The experiment results show that the model is feasible.

Yalong Dong,Zude Li,Xiaojun Ye

DOI: https://doi.org/10.1007/978-3-540-78849-2_28

2008-01-01

Abstract:In k-anonymity modeling process, it is widely assumed that a relational table of microdata is published with a single sensitive attribute. This assumption is too simple and unreasonable. We observe that multiple sensitive attributes in one or more tables may incur privacy inference violations that are not visible tinder the single sensitive attribute assumption. In this paper, a new (k, l)-anonymity model is introduced beyond the existed e-diversity mechanism, which is an improved microdata publication model that can effectively prevent these multiple-attributed privacy violations. The (k, e)-anonymity process consists of two phases: k-anonymization on identifying attributes and e-diversity on sensitive attributes. The related (k, l)-anonymity algorithms are proposed and the data generalization metric is provided for minimizing the anonymization cost. A running example illustrates this technique in detail, which also convinces its effectiveness.

Xiaojun Ye,Zude Li,Yongnian Li

DOI: https://doi.org/10.1007/978-3-540-71703-4_57

2007-01-01

Abstract:General k-anonymity models cannot fully prevent individual re-identification on released microdata since intruders can capture various prior information to recognized individual identities with enough precision, ultimately, to precisely associate these identities with some sensitive attribute values. We propose the privacy inference logic to specify the k-anonymity method and emphasize the nature of privacy inference attacks on k-anonymized microdata in a more rigorous way (than the previous work, including e-diversity), which can be used as a guideline and a predictor for efficient privacy disclosure control during k-anonymization process on a pre-published microdata set. Based on this theory, we uncover and define several main inference attacks classes in aspect of the various "knowledge" used by intruders. In experiments, we successfully implement the probabilistic inference risks evaluation as factors considered in an anonymization cost metric as a more effective anti-inference k-anonymity solution.

Xiaojun Ye,Yawei Zhang,Ming Liu

DOI: https://doi.org/10.1109/WAIM.2008.22

2008-01-01

Abstract:One important privacy principle is that an individual has the freedom to decide his/her own privacy preferences, which should be taken into account when data holders release their privacy preserving micro data. Nevertheless, current related k-anonymity model research focuses on protecting individual private information by using pre-defined constraint parameters specified by data holders. This paper introduces a personalized (α, k) model by introducing a vector for describing individual personalized privacy requirements corresponding to each value in the domain of sensitive attributes by data respondents, and propose an efficiency anonymization algorithm which combines the top down specialization for quasi-identifier anonymization and the local recoding technique for the sensitive attribute generalization based on its attribute taxonomy tree. Experimental results show that this approach can meet better personalized privacy requirements and keep the information loss low.

Zhen Li,Xiaojun Ye

DOI: https://doi.org/10.1007/978-3-540-77048-0_11

2007-01-01

Abstract:In recent years, a privacy model called k-anonymity has gained popularity in the microdata releasing. As the microdata may contain multiple sensitive attributes about an individual, the protection of multiple sensitive attributes has become an important problem. Different from the existing models of single sensitive attribute, extra associations among multiple sensitive attributes should be invested. Two kinds of disclosure scenarios may happen because of logical associations. The Q&S Diversity is checked to prevent the foregoing disclosure risks, with an α Requirement definition used to ensure the diversity requirement. At last, a two-step greedy generalization algorithm is used to carry out the multiple sensitive attributes processing which deal with quasi-identifiers and sensitive attributes respectively. We reduce the overall distortion by the measure of Masking SA.

Jin Qian,Haoying Jiang,Ying Yu,Hui Wang,Duoqian Miao

DOI: https://doi.org/10.1016/j.eswa.2023.122343

IF: 8.5

2023-11-08

Expert Systems with Applications

Abstract:K-anonymity is a widely used privacy-preserving technique which defends against linking attacks by suppression and generalization. The existing k-anonymity algorithms prevent attackers from illegally obtaining private information by constraining at least k records in an equivalence group. However, this unified anonymity method ignores individual differences and leads to a large amount of information loss. To this end, we introduce sequential three-way decisions into k-anonymity, using a dynamic k-value sequence instead of the fixed k-value to achieve personalized k-anonymity. Specifically, we first construct a hierarchical decision table for k-anonymity by attribute generalization trees and sensitive decision values provided with users. Then, we propose a multi-level personalized k-anonymity privacy-preserving model based on sequential three-way decisions, where we anonymize the partitioning granular data with a dynamic k-value sequence, respectively. Furthermore, we present three practical algorithms to implement the proposed model and discuss the differences between them. Finally, the experimental results demonstrate that the proposed model not only provides a more flexible anonymization method to achieve personalized anonymity, but greatly reduces the information loss. This study provides a complete framework for multi-level privacy protection and enriches the application of sequential three-way decisions.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xianmang He,HuaHui Chen,Yefang Chen,Yihong Dong,Peng Wang,Zhenhua Huang

DOI: https://doi.org/10.1007/978-3-642-30217-6_34

2012-01-01

Abstract:Privacy is one of major concerns when data containing sensitive information needs to be released for ad hoc analysis, which has attracted wide research interest on privacy-preserving data publishing in the past few years. One approach of strategy to anonymize data is generalization. In a typical generalization approach, tuples in a table was first divided into many QI (quasi-identifier)-groups such that the size of each QI-group is no less than k . Clustering is to partition the tuples into many clusters such that the points within a cluster are more similar to each other than points in different clusters. The two methods share a common feature: distribute the tuples into many small groups. Motivated by this observation, we propose a clustering-based k -anonymity algorithm, which achieves k -anonymity through clustering. Extensive experiments on real data sets are also conducted, showing that the utility has been improved by our approach.

Sai Wu,Xiaoli Wang,Sheng Wang,Zhenjie Zhang,Anthony K. H. Tung

DOI: https://doi.org/10.1109/tkde.2013.93

IF: 9.235

2014-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:In crowdsourcing database, human operators are embedded into the database engine and collaborate with other conventional database operators to process the queries. Each human operator publishes small HITs (Human Intelligent Task) to the crowdsourcing platform, which consists of a set of database records and corresponding questions for human workers. The human workers complete the HITs and return the results to the crowdsourcing database for further processing. In practice, published records in HITs may contain sensitive attributes, probably causing privacy leakage so that malicious workers could link them with other public databases to reveal individual private information. Conventional privacy protection techniques, such as K-Anonymity , can be applied to partially solve the problem. However, after generalizing the data, the result of standard K-Anonymity algorithms may render uncontrollable information loss and affects the accuracy of crowdsourcing. In this paper, we first study the tradeoff between the privacy and accuracy for the human operator within data anonymization process. A probability model is proposed to estimate the lower bound and upper bound of the accuracy for general K-Anonymity approaches. We show that searching the optimal anonymity approach is NP-Hard and only heuristic approach is available. The second contribution of the paper is a general feedback-based K-Anonymity scheme. In our scheme, synthetic samples are published to the human workers, the results of which are used to guide the selection on anonymity strategies. We apply the scheme on Mondrian algorithm by adaptively cutting the dimensions based on our feedback results on the synthetic samples. We evaluate the performance of the feedback-based approach on U.S. census dataset, and show that given a predefined $K$ , our proposal outperforms standard K-Anonymity approaches on retaining the effectiveness of crowdsourcing.

Raymond Chi-Wing Wong,Yubao Liu,Jian Yin,Zhilan Huang,Ada Wai-Chee Fu,Jian Pei

DOI: https://doi.org/10.1007/978-3-540-72524-4_75

2007-01-01

Abstract:Privacy-preserving data publication for data mining is to protect sensitive information of individuals in published data while the distortion to the data is minimized. Recently, it is shown that (α, k )- anonymity is a feasible technique when we are given some sensitive attribute(s) and quasi-identifier attributes. In previous work, generalization of the given data table has been used for the anonymization. In this paper, we show that we can project the data onto two tables for publishing in such a way that the privacy protection for (α, k )-anonymity can be achieved with less distortion. In the two tables, one table contains the undisturbed non-sensitive values and the other table contains the undisturbed sensitive values. Privacy preservation is guaranteed by the lossy join property of the two tables. We show by experiments that the results are better than previous approaches.

Min Wu,Xiaojun Ye

DOI: https://doi.org/10.1109/WI-IATW.2006.135

2006-01-01

Abstract:Privacy preservation is an important and challenging problem in microdata release. As a de-identification model, k-anonymity has gained much attention recently. While focusing on identity disclosures, k-anonymity does not well resolve attribute disclosures. In this paper we focus on the sensitive attribute disclosures in k-anonymity and propose an ordinal distance based sensitivity aware diversity metric. We assume the more diversity the sensitive attribute assumes in an equivalence class in a k-anonymized table, the less inference channel there is in the equivalence class

Jian Pei,Jian Xu,Zhibin Wang,Wei Wang,Ke Wang

DOI: https://doi.org/10.1109/ssdbm.2007.16

2007-01-01

Abstract:K-anonymity is a simple yet practical mechanismto protect privacy against attacks of re-identifying individuals by joining multiple public data sources. All existing methods achieving k-anonymity assume implicitly that the data objects to be anonymized are given once and fixed. However, in many applications, the real world data sources are dynamic. In this paper, we investigate the problem of maintaining k-anonymity against incremental updates, and propose a simple yet effective solution. We analyze how inferences from multiple releases may temper the k-anonymity of data, and propose the monotonic incremental anonymization property. The general idea is to progressively and consistently reduce the generalization granularity as incremental updates arrive. Our new approach guarantees the k-anonymity on each release, and also on the inferred table using multiple releases. At the same time, our new approach utilizes the more and more accumulated data to reduce the information loss.

Xiaojun Ye,Lei Jin,Bin Li

DOI: https://doi.org/10.1109/isecs.2008.113

2008-01-01

Abstract:For improving the usability of the anonymous result, it is important to comply with the hierarchical structure when generalizing quasi-identifying attributes with hierarchical characteristics. We propose an unrestricted multi-dimensional anonymization model which combines global recoding and local recoding methods. The bottom-up anonymization algorithm with the minimal coverage subgraph constraint and the anonymization metric are proposed. The experiment results justify the effectiveness and scalability of this model.

Abigail Goldsteen,Gilad Ezov,Ron Shmelkin,Micha Moffie,Ariel Farkash

DOI: https://doi.org/10.1007/978-3-030-93944-1_8

2021-08-02

Abstract:There is a known tension between the need to analyze personal data to drive business and privacy concerns. Many data protection regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), set out strict restrictions and obligations on the collection and processing of personal data. Moreover, machine learning models themselves can be used to derive personal information, as demonstrated by recent membership and attribute inference attacks. Anonymized data, however, is exempt from the obligations set out in these regulations. It is therefore desirable to be able to create models that are anonymized, thus also exempting them from those obligations, in addition to providing better protection against attacks. Learning on anonymized data typically results in significant degradation in accuracy. In this work, we propose a method that is able to achieve better model accuracy by using the knowledge encoded within the trained model, and guiding our anonymization process to minimize the impact on the model's accuracy, a process we call accuracy-guided anonymization. We demonstrate that by focusing on the model's accuracy rather than generic information loss measures, our method outperforms state of the art k-anonymity methods in terms of the achieved utility, in particular with high values of k and large numbers of quasi-identifiers. We also demonstrate that our approach has a similar, and sometimes even better ability to prevent membership inference attacks as approaches based on differential privacy, while averting some of their drawbacks such as complexity, performance overhead and model-specific implementations. This makes model-guided anonymization a legitimate substitute for such methods and a practical approach to creating privacy-preserving models.

Cryptography and Security,Machine Learning

Jianqiang Li,Ji-Jiang Yang,Yu Zhao,Bo Liu

DOI: https://doi.org/10.1080/17517575.2012.688223

2013-01-01

Enterprise Information Systems

Abstract:Data sharing in today's information society poses a threat to individual privacy and organisational confidentiality. k-anonymity is a widely adopted model to prevent the owner of a record being re-identified. By generalising and/or suppressing certain portions of the released dataset, it guarantees that no records can be uniquely distinguished from at least other k-1 records. A key requirement for the k-anonymity problem is to minimise the information loss resulting from data modifications. This article proposes a top-down approach to solve this problem. It first considers each record as a vertex and the similarity between two records as the edge weight to construct a complete weighted graph. Then, an edge cutting algorithm is designed to divide the complete graph into multiple trees/components. The Large Components with size bigger than 2k-1 are subsequently split to guarantee that each resulting component has the vertex number between k and 2k-1. Finally, the generalisation operation is applied on the vertices in each component (i.e. equivalence class) to make sure all the records inside have identical quasi-identifier values. We prove that the proposed approach has polynomial running time and theoretical performance guarantee O(k). The empirical experiments show that our approach results in substantial improvements over the baseline heuristic algorithms, as well as the bottom-up approach with the same approximate bound O(k). Comparing to the baseline bottom-up O(logk)-approximation algorithm, when the required k is smaller than 50, the adopted top-down strategy makes our approach achieve similar performance in terms of information loss while spending much less computing time. It demonstrates that our approach would be a best choice for the k-anonymity problem when both the data utility and runtime need to be considered, especially when k is set to certain value smaller than 50 and the record set is big enough to make the runtime have to be taken into account.

LIN Xin,LI Shan-ping,YANG Zhao-hui

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.12.002

2009-01-01

Abstract:K-anonymization cannot effectively protect anonymity of continuous queries in location-based service (LBS). A continuous query issuing model aimed at the problem was proposed. The model incorpo-rated a query issuing interval model and a consecutive queries relationship model. An attacking algorithm aimed at the k-anonymization algorithm was presented based on the model. The algorithm associated a series of snapshots related to continuous queries in order to calculate the probability of each user in the an-onymity-set. Then the true query sender was identified by choosing the user with the highest probability. K-anonymized queries were re-identified with different continuity arguments and cardinalities of anonymity-set. Experiments demonstrate that the algorithm has high success rate (85%)in identifying query senders when the continuous queries have strong relationship, which is 1.5 times higher than the success rate without the attacking algorithm and severely undermines the anonymity of the queries.

Zude Li,Guoqiang Zhan,Xiaojun Ye

DOI: https://doi.org/10.1007/11788911_25

2006-01-01

Abstract:A k-anonymity model contains an anonymity cost metric mechanism, which is critical for the whole k-anonymization process. The existing metrics cannot sufficiently identify the real cost on tabular microdata anonymization. We define a new cost metric that can be used for k-anonymization with the data generalization approach. The metric is more reasonable than the existing ones as it considers generalization range and range ratio rather than generalization height or height ratio, and the contribution of an attribute to the whole tuple rather than the amount of suppression cells. It can be used in most k-anonymity models for computing more precise anonymity costs.

Zude Li,Xiaojun Ye

DOI: https://doi.org/10.4018/jisp.2008100101

2008-01-01

International Journal of Information Security and Privacy

Abstract:This article introduces a formal study on access-unrestricted data anonymity. It includes four aspects: (1) analyzes the impacts of anonymity on data usability; (2) quantitatively measures privacy disclosure risks in practical environment; (3) discusses the factors resulting in privacy disclosure; and (4) proposes the improved anonymity solutions within typical k-anonymity model, which can effectively prevent privacy disclosure that is related with the published data properties, anonymity principles, and anonymization rules. With the experiments, the authors have proven the existence of these potential privacy inference violations as well as the enhanced privacy effect by the new anti-inference policies for access-unrestricted data publication.

Sheng Zhong,Zhiqiang Yang,Rebecca N. Wright

DOI: https://doi.org/10.1145/1065167.1065185

2005-01-01

Abstract:In order to protect individuals' privacy, the technique of k -anonymization has been proposed to de-associate sensitive attributes from the corresponding identifiers. In this paper, we provide privacy-enhancing methods for creating k -anonymous tables in a distributed scenario. Specifically, we consider a setting in which there is a set of customers, each of whom has a row of a table, and a miner, who wants to mine the entire table. Our objective is to design protocols that allow the miner to obtain a k -anonymous table representing the customer data, in such a way that does not reveal any extra information that can be used to link sensitive attributes to corresponding identifiers, and without requiring a central authority who has access to all the original data. We give two different formulations of this problem, with provably private solutions. Our solutions enhance the privacy of k -anonymization in the distributed scenario by maintaining end-to-end privacy from the original customer data to the final k -anonymous results.

Claudio Bettini,X. Sean Wang,Sushil Jajodia

DOI: https://doi.org/10.48550/arXiv.cs/0611035

2006-11-08

Databases

Abstract:The concept of k-anonymity, used in the recent literature to formally evaluate the privacy preservation of published tables, was introduced based on the notion of quasi-identifiers (or QI for short). The process of obtaining k-anonymity for a given private table is first to recognize the QIs in the table, and then to anonymize the QI values, the latter being called k-anonymization. While k-anonymization is usually rigorously validated by the authors, the definition of QI remains mostly informal, and different authors seem to have different interpretations of the concept of QI. The purpose of this paper is to provide a formal underpinning of QI and examine the correctness and incorrectness of various interpretations of QI in our formal framework. We observe that in cases where the concept has been used correctly, its application has been conservative; this note provides a formal understanding of the conservative nature in such cases.

YANG Haifang,ZHANG Lingling,WANG Mingzheng,HU Xiangpei

DOI: https://doi.org/10.13587/j.cnki.jieem.2023.05.012

2023-01-01

Abstract:In the era of big data,personal data has become one of the important resources in every field of scientific research,business analysis,medical services,social computing and so on.The sharing and application of personal data can produce great economic or social value.However,the improper use of personal data is easy to disclose personal privacy information.How to solve the contradiction between data application and personal privacy has become one of the current research hotspots.When personal data is shared and used,it is necessary to delete the explicit identifier attributes like name of the individuals in advance,but the attacker can still reveal the identity privacy or some sensitive information of individuals,through one or more non-sensitive values of the quasiidentifier attributes（QI）,such as gender,age,and region,or some values of the sensitive attributes（SA）,such as salary and disease,in this data set.Most current data privacy studies often assume that the data set has simply one-to-one relationship between individuals and records,which is called single-record data.In order to protect personal privacy in single-record data,scholars have come up with a variety of typical privacy anonymous models,such as k-anonymity,l-diversity,（α,k）-anonymity,t-closeness andβ-likelihood,etc.But in practice,there are a large number of data sets in which one individual may correspond to multiple records,short for multi-record data.If these above privacy models are directly applied on the multi-record data,it may cause some new privacy risks.To protect the privacy of Individuals in multi-record data,several scholars have proposed Identity-reversed（IR） privacy models like IR k-anonymity,IR l-diversity and IR（α,β）-anonymity,as well as enhanced privacy models such as EIR（α,β）-diversity and EIR l-diversity,when considering that the background knowledge related to only QI information is known to the attacker;and a few numbers of scholars have developed（k,k m ）-anonymity and（k,l）-diversity models,supposing that the attacker may know the background knowledge of either QI information or SA information.However,all of these models cannot provide adequate protection for the privacy of individuals in multi-record data.This research analyzes the privacy disclosure problem in the situation of multi-record data when an attacker has more stronger background knowledge,and proposes a new privacy-preserving model as well as the corresponding algorithm to satisfy the stricter privacy needs in applications of multi-record data.In the first part,it discusses all kinds of the privacy risks in the situations that an attacker knows the background knowledge related to either one of and both of the QI and SA information and indicates the defects of the current privacy models.Also,it presents a new privacy disclosure problem named unclosed itemset fingerprint attack（UCIFA）,which is based on the attacking by using strong background knowledge.In the second part,to overcome the UCIFA problem,it requires each person’ s whole sensitive values expressed as the form of an itemset should be closed.If an individual’s SA itemset cannot satisfy the closure constraint by partitioning the records of individuals into several groups,then this itemset should be further processed by the mean of cracking.Based on these,a new privacy model named closure and enhanced identity-reserved l-diversity（CEIR l-diversity） is present,which requires that the QI values and the SA values of each individual should satisfy EIR l-diversity and the closure constraint respectively.In the third part,it develops an algorithm called data anonymization based on closure and enhanced l-diversity（DACEL） to make the multi-record data satisfy CEIR l-diversity.It consists of three core steps:firstly,dividing the records in a multi-record dataset into several QI-groups,so that the records of individuals in each group have similar QI-values and satisfy the constraint of EIR l-diversity;secondly,in each QI-group,cracking the sensitive itemset of each individual that contains non-closed subsets into several small itemsets,each of which must satisfy the closure constraint;finally,in each QI-group,generalizing the QI-values of all records to make the anonymized data table satisfy CEIR l-diversity.In the fourth part,the proposed privacy model and its corresponding algorithm,referring as CEL-method,is compared with two kinds of leading-edge methods on two public multi-record data sets.The results show that the CEL-method has robust performance on efficiently achieving the highest level of privacy protection for multi-record data at the cost of small information loss.In summary,in the practice of personal data application,attackers may have different levels of background knowledge to disclose personal privacy information.The privacy-preserving method proposed in this research is of universal significance for the application of multi-record data privacy protection in practice.