Qian Wang,Zhiwei Xu,Shengzhi Qu

DOI: https://doi.org/10.4304/jsw.6.10.1945-1952

2011-01-01

Journal of Software

Abstract:k-anonymity is an important model in the field of privacy protection and it is an effective method to prevent privacy disclosure in micro-data release. However, it is ineffective for the attribute disclosure by the homogeneity attack. The existing models based on k-anonymity have solved this problem to a certain extent, but they did not distinguish the different values of the sensitive attribute, processed a series of unnecessary generalization and expanded the information loss when they protect the sensitive attribute. Based on k-anonymity, this paper proposed a model based on average leakage probability and probability difference of sensitive attribute value. It is not only an effective method to deal with the problem of attributes disclosure that k-anonymity cannot deal, but also to realize different levels of protection to the various sensitive attribute values. It has reduced the generalization to the data in the most possibility during the procedure and ensures the most effectiveness of quasi-identifier attributes. Greedy generalization algorithm based on the generalization information loss is also proposed in this paper. To choose the generalization attributes, the information loss is considered and the importance of generalization attribute to sensitive attribute is accounted as well. Comparison experiment and performance experiment are made to the proposed model. The experiment results show that the model is feasible.

Zude Li,Guoqiang Zhan,Xiaojun Ye

DOI: https://doi.org/10.1007/11827405_86

2006-01-01

Abstract:As a privacy-preserving microdata publication model, K-Anonymity has some application limits, such as (1) it cannot satisfy the individual-defined k mechanism requirement, and (2) it is attached with a certain extent potential privacy disclosure risk on published microdata, i.e. existing high-probability inference violations under some prior knowledge on k-anonymized microdata that can surely result in personal private information disclosure. We propose the (k, ℓ)-anonymity model with data generalization approach to support more flexible and anti-inference k-anonymization on a tabular microdata, where k indicates the anonymization level of an identifying attribute cluster and ℓ refers to the diversity level of a sensitive attribute cluster on a record. Within the model, k and ℓ are designed on each record and they can be defined subjectively by the corresponding individual. Beside, the model can prevent two kinds of inference attacks for microdata publication, (1) inferring identifying attributes values when their value domains are known; (2) inferring sensitive attributes values with respect to some value associations in the microdata. Further, we propose an algorithm to describe the k-anonymization process in the model. Finally, we take a scenario to illustrate its feasibility, flexibility, and generality.

Zhen Li,Xiaojun Ye

DOI: https://doi.org/10.1007/978-3-540-77048-0_11

2007-01-01

Abstract:In recent years, a privacy model called k-anonymity has gained popularity in the microdata releasing. As the microdata may contain multiple sensitive attributes about an individual, the protection of multiple sensitive attributes has become an important problem. Different from the existing models of single sensitive attribute, extra associations among multiple sensitive attributes should be invested. Two kinds of disclosure scenarios may happen because of logical associations. The Q&S Diversity is checked to prevent the foregoing disclosure risks, with an α Requirement definition used to ensure the diversity requirement. At last, a two-step greedy generalization algorithm is used to carry out the multiple sensitive attributes processing which deal with quasi-identifiers and sensitive attributes respectively. We reduce the overall distortion by the measure of Masking SA.

Xiaojun Ye,Zude Li,Yongnian Li

DOI: https://doi.org/10.1007/978-3-540-71703-4_57

2007-01-01

Abstract:General k-anonymity models cannot fully prevent individual re-identification on released microdata since intruders can capture various prior information to recognized individual identities with enough precision, ultimately, to precisely associate these identities with some sensitive attribute values. We propose the privacy inference logic to specify the k-anonymity method and emphasize the nature of privacy inference attacks on k-anonymized microdata in a more rigorous way (than the previous work, including e-diversity), which can be used as a guideline and a predictor for efficient privacy disclosure control during k-anonymization process on a pre-published microdata set. Based on this theory, we uncover and define several main inference attacks classes in aspect of the various "knowledge" used by intruders. In experiments, we successfully implement the probabilistic inference risks evaluation as factors considered in an anonymization cost metric as a more effective anti-inference k-anonymity solution.

Ying-ying KAN,Tian-jie CAO

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.21.042

2010-01-01

Abstract:K-anonymity is a popular model used in microdata publishing to protect individual privacy.This paper finds that there are privacy disclosure problems on the current K-anonymity models.A new K-anonymity model called(α,L)-diversity K-anonymity is proposed to solve the existing problems.It is also validated by a local-recoding generalization algorithm.

Min Wu,Xiaojun Ye

DOI: https://doi.org/10.1109/WI-IATW.2006.135

2006-01-01

Abstract:Privacy preservation is an important and challenging problem in microdata release. As a de-identification model, k-anonymity has gained much attention recently. While focusing on identity disclosures, k-anonymity does not well resolve attribute disclosures. In this paper we focus on the sensitive attribute disclosures in k-anonymity and propose an ordinal distance based sensitivity aware diversity metric. We assume the more diversity the sensitive attribute assumes in an equivalence class in a k-anonymized table, the less inference channel there is in the equivalence class

Jin Qian,Haoying Jiang,Ying Yu,Hui Wang,Duoqian Miao

DOI: https://doi.org/10.1016/j.eswa.2023.122343

IF: 8.5

2023-11-08

Expert Systems with Applications

Abstract:K-anonymity is a widely used privacy-preserving technique which defends against linking attacks by suppression and generalization. The existing k-anonymity algorithms prevent attackers from illegally obtaining private information by constraining at least k records in an equivalence group. However, this unified anonymity method ignores individual differences and leads to a large amount of information loss. To this end, we introduce sequential three-way decisions into k-anonymity, using a dynamic k-value sequence instead of the fixed k-value to achieve personalized k-anonymity. Specifically, we first construct a hierarchical decision table for k-anonymity by attribute generalization trees and sensitive decision values provided with users. Then, we propose a multi-level personalized k-anonymity privacy-preserving model based on sequential three-way decisions, where we anonymize the partitioning granular data with a dynamic k-value sequence, respectively. Furthermore, we present three practical algorithms to implement the proposed model and discuss the differences between them. Finally, the experimental results demonstrate that the proposed model not only provides a more flexible anonymization method to achieve personalized anonymity, but greatly reduces the information loss. This study provides a complete framework for multi-level privacy protection and enriches the application of sequential three-way decisions.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Xiaojun Ye,Yawei Zhang,Ming Liu

DOI: https://doi.org/10.1109/WAIM.2008.22

2008-01-01

Abstract:One important privacy principle is that an individual has the freedom to decide his/her own privacy preferences, which should be taken into account when data holders release their privacy preserving micro data. Nevertheless, current related k-anonymity model research focuses on protecting individual private information by using pre-defined constraint parameters specified by data holders. This paper introduces a personalized (α, k) model by introducing a vector for describing individual personalized privacy requirements corresponding to each value in the domain of sensitive attributes by data respondents, and propose an efficiency anonymization algorithm which combines the top down specialization for quasi-identifier anonymization and the local recoding technique for the sensitive attribute generalization based on its attribute taxonomy tree. Experimental results show that this approach can meet better personalized privacy requirements and keep the information loss low.

Raymond Chi-Wing Wong,Yubao Liu,Jian Yin,Zhilan Huang,Ada Wai-Chee Fu,Jian Pei

DOI: https://doi.org/10.1007/978-3-540-72524-4_75

2007-01-01

Abstract:Privacy-preserving data publication for data mining is to protect sensitive information of individuals in published data while the distortion to the data is minimized. Recently, it is shown that (α, k )- anonymity is a feasible technique when we are given some sensitive attribute(s) and quasi-identifier attributes. In previous work, generalization of the given data table has been used for the anonymization. In this paper, we show that we can project the data onto two tables for publishing in such a way that the privacy protection for (α, k )-anonymity can be achieved with less distortion. In the two tables, one table contains the undisturbed non-sensitive values and the other table contains the undisturbed sensitive values. Privacy preservation is guaranteed by the lossy join property of the two tables. We show by experiments that the results are better than previous approaches.

Fei Liu,Yan Jia,Weihong Han

DOI: https://doi.org/10.1109/CIT.2012.157

2012-01-01

Abstract:While k-anonymity algorithm has been used widely to prevent privacy disclosure in datasets published with single sensitive attribute. We improve k-anonymity algorithm to protect privacy in multiple sensitive attributes. Based on greedy strategy, we sort sensitive attributes and tuples first. We distribute tuples to equivalence classes evenly according to sensitive values in high degree. We use statistic information to cut off association among sensitive attributes to prevent positive and negative privacy disclosure. Information entropy is introduced as metric of diversity. Experiments on real dataset showed that our algorithm is effective and efficient.

Qiyuan Gong,Junzhou Luo,Ming Yang,Weiwei Ni,Xiao-Bai Li

DOI: https://doi.org/10.1016/j.knosys.2016.10.012

IF: 8.139

2016-01-01

Knowledge-Based Systems

Abstract:Preserving privacy and utility during data publishing and data mining is essential for individuals, data providers and researchers. However, studies in this area typically assume that one individual has only one record in a dataset, which is unrealistic in many applications. Having multiple records for an individual leads to new privacy leakages. We call such a dataset a 1:M dataset. In this paper, we propose a novel privacy model called (k, l)-diversity that addresses disclosure risks in 1:M data publishing. Based on this model, we develop an efficient algorithm named 1:M-Generalization to preserve privacy and data utility, and compare it with alternative approaches. Extensive experiments on real-world data show that our approach outperforms the state-of-the-art technique, in terms of data utility and computational cost.

Xianmang He,HuaHui Chen,Yefang Chen,Yihong Dong,Peng Wang,Zhenhua Huang

DOI: https://doi.org/10.1007/978-3-642-30217-6_34

2012-01-01

Abstract:Privacy is one of major concerns when data containing sensitive information needs to be released for ad hoc analysis, which has attracted wide research interest on privacy-preserving data publishing in the past few years. One approach of strategy to anonymize data is generalization. In a typical generalization approach, tuples in a table was first divided into many QI (quasi-identifier)-groups such that the size of each QI-group is no less than k . Clustering is to partition the tuples into many clusters such that the points within a cluster are more similar to each other than points in different clusters. The two methods share a common feature: distribute the tuples into many small groups. Motivated by this observation, we propose a clustering-based k -anonymity algorithm, which achieves k -anonymity through clustering. Extensive experiments on real data sets are also conducted, showing that the utility has been improved by our approach.

YANG Haifang,ZHANG Lingling,WANG Mingzheng,HU Xiangpei

DOI: https://doi.org/10.13587/j.cnki.jieem.2023.05.012

2023-01-01

Abstract:In the era of big data,personal data has become one of the important resources in every field of scientific research,business analysis,medical services,social computing and so on.The sharing and application of personal data can produce great economic or social value.However,the improper use of personal data is easy to disclose personal privacy information.How to solve the contradiction between data application and personal privacy has become one of the current research hotspots.When personal data is shared and used,it is necessary to delete the explicit identifier attributes like name of the individuals in advance,but the attacker can still reveal the identity privacy or some sensitive information of individuals,through one or more non-sensitive values of the quasiidentifier attributes（QI）,such as gender,age,and region,or some values of the sensitive attributes（SA）,such as salary and disease,in this data set.Most current data privacy studies often assume that the data set has simply one-to-one relationship between individuals and records,which is called single-record data.In order to protect personal privacy in single-record data,scholars have come up with a variety of typical privacy anonymous models,such as k-anonymity,l-diversity,（α,k）-anonymity,t-closeness andβ-likelihood,etc.But in practice,there are a large number of data sets in which one individual may correspond to multiple records,short for multi-record data.If these above privacy models are directly applied on the multi-record data,it may cause some new privacy risks.To protect the privacy of Individuals in multi-record data,several scholars have proposed Identity-reversed（IR） privacy models like IR k-anonymity,IR l-diversity and IR（α,β）-anonymity,as well as enhanced privacy models such as EIR（α,β）-diversity and EIR l-diversity,when considering that the background knowledge related to only QI information is known to the attacker;and a few numbers of scholars have developed（k,k m ）-anonymity and（k,l）-diversity models,supposing that the attacker may know the background knowledge of either QI information or SA information.However,all of these models cannot provide adequate protection for the privacy of individuals in multi-record data.This research analyzes the privacy disclosure problem in the situation of multi-record data when an attacker has more stronger background knowledge,and proposes a new privacy-preserving model as well as the corresponding algorithm to satisfy the stricter privacy needs in applications of multi-record data.In the first part,it discusses all kinds of the privacy risks in the situations that an attacker knows the background knowledge related to either one of and both of the QI and SA information and indicates the defects of the current privacy models.Also,it presents a new privacy disclosure problem named unclosed itemset fingerprint attack（UCIFA）,which is based on the attacking by using strong background knowledge.In the second part,to overcome the UCIFA problem,it requires each person’ s whole sensitive values expressed as the form of an itemset should be closed.If an individual’s SA itemset cannot satisfy the closure constraint by partitioning the records of individuals into several groups,then this itemset should be further processed by the mean of cracking.Based on these,a new privacy model named closure and enhanced identity-reserved l-diversity（CEIR l-diversity） is present,which requires that the QI values and the SA values of each individual should satisfy EIR l-diversity and the closure constraint respectively.In the third part,it develops an algorithm called data anonymization based on closure and enhanced l-diversity（DACEL） to make the multi-record data satisfy CEIR l-diversity.It consists of three core steps:firstly,dividing the records in a multi-record dataset into several QI-groups,so that the records of individuals in each group have similar QI-values and satisfy the constraint of EIR l-diversity;secondly,in each QI-group,cracking the sensitive itemset of each individual that contains non-closed subsets into several small itemsets,each of which must satisfy the closure constraint;finally,in each QI-group,generalizing the QI-values of all records to make the anonymized data table satisfy CEIR l-diversity.In the fourth part,the proposed privacy model and its corresponding algorithm,referring as CEL-method,is compared with two kinds of leading-edge methods on two public multi-record data sets.The results show that the CEL-method has robust performance on efficiently achieving the highest level of privacy protection for multi-record data at the cost of small information loss.In summary,in the practice of personal data application,attackers may have different levels of background knowledge to disclose personal privacy information.The privacy-preserving method proposed in this research is of universal significance for the application of multi-record data privacy protection in practice.

Jinyan Wang,Kai Du,Xudong Luo,Xianxian Li

DOI: https://doi.org/10.1007/s10115-018-1237-3

IF: 2.7

2018-01-01

Knowledge and Information Systems

Abstract:Many approaches have been proposed for publishing useful information while preserving data privacy. Among them, the privacy models of identity-reserved (k, l)-anonymity and identity-reserved \((\alpha , \beta )\)-anonymity have been proposed to handle the situation where an individual could have multiple records. However, the two models fail to prevent attribute disclosure. To this end, we propose two new privacy models: enhanced identity-reserved l-diversity and enhanced identity-reserved \((\alpha , \beta )\)-anonymity. Moreover, to implement the two privacy models we design a general anonymization algorithm, called DAnonyIR, with clustering technique by calling different decision functions, which can decrease the information loss caused by generalization. Further, we compare DAnonyIR concerning our two privacy models with existing generalization method GeneIR concerning identity-reserved (k, l)-anonymity and identity-reserved \((\alpha , \beta )\)-anonymity, respectively. The experimental results show that our two approaches provide stronger privacy preservation, and their information loss and relative error ratio of query answering are less than those of GeneIR.

Tiancheng Li,Ninghui Li

DOI: https://doi.org/10.1016/j.datak.2007.06.015

IF: 1.5

2008-01-01

Data & Knowledge Engineering

Abstract:When releasing microdata for research purposes, one needs to preserve the privacy of respondents while maximizing data utility. An approach that has been studied extensively in recent years is to use anonymization techniques such as generalization and suppression to ensure that the released data table satisfies the k-anonymity property. A major thread of research in this area aims at developing more flexible generalization schemes and more efficient searching algorithms to find better anonymizations (i.e., those that have less information loss).

Xiaojun Ye,Lei Jin,Bin Li

DOI: https://doi.org/10.1109/isecs.2008.113

2008-01-01

Abstract:For improving the usability of the anonymous result, it is important to comply with the hierarchical structure when generalizing quasi-identifying attributes with hierarchical characteristics. We propose an unrestricted multi-dimensional anonymization model which combines global recoding and local recoding methods. The bottom-up anonymization algorithm with the minimal coverage subgraph constraint and the anonymization metric are proposed. The experiment results justify the effectiveness and scalability of this model.

Raymond Chi-Wing Wong,Yubao Liu,Jian Yin,Zhilan Huang,Ada Wai-Chee Fu,Jian Pei

2007-01-01

Abstract:Privacy-preserving data publication for data mining is to protect sensitive information of individuals in published data while the distortion to the data is minimized. Recently, it is shown that (a, k)anonymity is a feasible technique when we are given some sensitive attribute(s) and quasi- identifier attributes. In previous work, generalization of the given data table has been used for the anonymization. In this paper, we show that we can project the data onto two tables for publishing in such a way that the privacy protection for (a, k)-anonymity can be achieved with less distortion. In the two tables, one table contains the undisturbed non-sensitive values and the other table contains the undisturbed sensitive values. Privacy preservation is guaranteed by the lossy join property of the two tables. We show by experiments that the results are better than previous approaches.

Jinling Song,Liming Huang,Gang Wang,Yan Kang,Haibin Liu

DOI: https://doi.org/10.3303/cet1546031

2015-01-01

Abstract:Even if k-anonymity model can prevent publishing data from disclosing privacy effectively and efficiently, due to the uneven distribution of the sensitive data, ordinary k-anonymization method cannot guarantee each tuple satisfying the personalized privacy requirement of it's data owner although the publishing table has been satisfied k-anonymity constraint. The reason which k-anonymity table fails to satisfy personalized privacy requirement is analyzed firstly, then Correlate degree of Sensitive Values, Leakage Collection, privacy disclosure metric and data quality metric are presented. At last an anonymization method satisfying personalized privacy requirements is presented, in which a utility-driven adaptive clustering method is proposed to partition tuples with similar best data quality.

Qian WANG,Gangjing ZHANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1306-0317

2015-01-01

Abstract:Traditional k-anonymity methods cannot resist homogeneity attack and background knowledge attack. In order to solve this problem, this paper proposes a sensitive attribute diversity micro-aggregation algorithm, the algorithm groups l nearest tuples to cluster center into one group, which has l different sensitive values. It extends this cluster based on satis-fying the l-diversity, so the anonymous table l-diversity yield by the algorithm satisfies sensitive attribute l-diversity can resist homogeneity attack and background knowledge attack. Experimental results show that the algorithm can generate anonymity table to satisfy the needs of sensitive attribute diversity, and to ensure the availability of anonymous table.

Jin Qian,Mingchen Zheng,Ying Yu,Chuanpeng Zhou,Duoqian Miao

DOI: https://doi.org/10.1016/j.ins.2024.121316

IF: 8.1

2024-01-01

Information Sciences

Abstract:Data anonymization is one of the common techniques for ensuring data security and privacy. However, the existing anonymization techniques often suffer lower execution efficiency and unnecessary information loss when dealing with complex data. Therefore, we propose a dynamic anonymity privacy-preserving model based on hierarchical sequential three-way decisions. Specifically, we first divide the data into multiple granularity spaces by attributes and dynamically process the data in the granularity spaces. Then, in a single granularity space, we construct a generalization hierarchy for the data based on the attributes generalization trees and divide it into the positive, negative and boundary regions based on anonymous parameter. Next, we can acquire the positive and boundary regions by generalization and dynamically update the processed data at the next granularity. After that, we suppress the data in the final negative and boundary regions while releasing the positive region. To further improve data availability, we combine the idea of differential privacy by adding noise data to the final boundary region enabling its release and propose an enhanced anonymity model. Finally, we compare our proposed algorithms with other methods on six datasets. Experimental results show that our method effectively reduces processing costs, improves data usability and protects data privacy.