Xiuwen Liu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.comnet.2022.109507

2022-01-01

SSRN Electronic Journal

Abstract:In mobile crowdsensing systems, the public crowd are required to report data with actual locations under location privacy vulnerabilities. Moreover, even sensing data itself further deepens location privacy breaches. Existing works allow each worker to consider his own privacy, but the accumulated privacy budget will lower down group data privacy of each sensing region. Moreover, multi-region spatial data correlations indicate that multi-group correlated data privacy may be leaked from each other. To this end, we develop a novel MCS framework, called GDA-Crowd(Group effect-based Data Aggregation), which consists of three parts: location obfuscation and aggregation, group effect-based data privacy and aggregation, and incentive mechanism. We start from individual location privacy guarantee and propose a location aggregation method to cluster workers into groups. Then, we exploit intra-group effect, i.e., data privacy interdependence under the judicious selection of workers’ participation, to enhance privacy-accuracy balance. Moreover, multi-group global histogram incorporates inter-group effect, i.e., correlated privacy loss from spatial data correlations, into inter-group data aggregation. Finally, we design a truthful, individually rational and computationally efficient incentive mechanism for participant selection. The synopsis of contributions includes dual privacy protection, dual group effect for desirable privacy-accuracy tradeoff, synergies among incentive mechanism, privacy-preserving data aggregation for approximate optimality. Theoretical analysis and extensive experiments validate our effectiveness and superiority.

Shaowei Wang,Liusheng Huang,Pengzhan Wang,Hou Deng,Hongli Xu,Wei Yang

DOI: https://doi.org/10.1007/978-3-319-42836-9_23

2016-01-01

Abstract:Histogram is one of the fundamental aggregates in crowdsourcing data aggregation. In a crowdsourcing aggregation task, the potential value or importance of each bucket in the histogram may differs, especially when the number of buckets is relatively large but only a few of buckets are of great interests. This is the case weighted histogram aggregation is needed. On the other hand, privacy is a critical issue in crowdsourcing, as data contributed by participants may reveal sensitive information about individuals. In this paper, we study the problem of privacy-preserving weighted histogram aggregation, and propose a new local differential-private mechanism, the bi-parties mechanism, which exploits the weight imbalances among buckets in histogram to minimize weighted error. We provide both theoretical and experimental analyses of the mechanism, specifically, the experimental results demonstrate that our mechanism can averagely reduce \(20\,\%\) of weighted square error of estimated histograms compared to existing approaches (e.g. randomized response mechanism, exponential mechanism).

Haoran Li,Xiaoqian Jiang,Li Xiong,Jinfei Liu

DOI: https://doi.org/10.1145/2806416.2806441

2015-01-01

Abstract:Differential privacy has recently become a de facto standard for private statistical data release. Many algorithms have been proposed to generate differentially private histograms or synthetic data. However, most of them focus on "one-time" release of a static dataset and do not adequately address the increasing need of releasing series of dynamic datasets in real time. A straightforward application of existing histogram methods on each snapshot of such dynamic datasets will incur high accumulated error due to the composibility of differential privacy and correlations or overlapping users between the snapshots. In this paper, we address the problem of releasing series of dynamic datasets in real time with differential privacy, using a novel adaptive distance-based sampling approach. Our first method, DSFT, uses a fixed distance threshold and releases a differentially private histogram only when the current snapshot is sufficiently different from the previous one, i.e., with a distance greater than a predefined threshold. Our second method, DSAT, further improves DSFT and uses a dynamic threshold adaptively adjusted by a feedback control mechanism to capture the data dynamics. Extensive experiments on real and synthetic datasets demonstrate that our approach achieves better utility than baseline methods and existing state-of-the-art methods.

Shaowei Wang,Liusheng Huang,Pengzhan Wang,Yao Shen,Hongli Xu,Wei Yang

DOI: https://doi.org/10.1109/PCCC.2015.7410339

2015-01-01

Abstract:The popularity of mobile devices has far expanded the application scenarios of spatial crowdsensing, due to its ability to provide fine-grained multi dimensional sensor readings associated with location information. Privacy is one of the fundamental issues in crowdsensing, as these location-based sensor readings may reveal identities or activities of participants. In this paper, we adopts the state-of-art location privacy definition geo-indistinguishability, provide an efficient and effective privacy preserving histogram aggregation mechanism BFMM (Bit Flipping Matrix Mechanism) for fine-grained multi dimensional location-based data. Theoretical analyses and experimental results demonstrate the efficiency and effectiveness of our approach for fine-grained multidimensional location-based data. Specifically, the aggregation accuracy of our approach averagely outperforms existing methods by a factor of number of buckets in the histogram.

Mengyuan Zhang,Lei Yang,Shibo He,Ming Li,Junshan Zhang

DOI: https://doi.org/10.1109/tnet.2021.3056490

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:We develop an auction framework for privacy-preserving data aggregation in mobile crowdsensing, where the platform plays the role as an auctioneer to recruit workers for sensing tasks. The workers are allowed to report noisy versions of their data for privacy protection; and the platform selects workers by taking into account their sensing capabilities to ensure the accuracy level of the aggregated result. Observe that when moving the control of data privacy from the data aggregator to the workers, the data aggregator has limited market power in the sense that it can only partially control the noise by judiciously choosing a subset of workers based on workers' privacy preferences. This introduces externalities because the privacy of each worker depends on the total noise in the aggregated result that in turn relies on which workers are selected. Specifically, we first consider a privacy-passive scenario where workers participate if their privacy loss can be adequately compensated by the rewards. We explicitly characterize the externalities and the hidden monotonicity property of the problem, making it possible to design a truthful, individually rational and computationally efficient incentive mechanism. We then extend the results to a privacy-proactive scenario where workers have individual requirements for their perceivable data privacy levels. Our proposed mechanisms for both scenarios can select a subset of workers to (nearly) minimize the cost of purchasing their private sensing data subject to the accuracy requirement of the aggregated result. We validate the proposed scheme through theoretical analysis as well as extensive simulations.

Hao Ren,Hongwei Li,Xiaohui Liang,Shibo He,Yuanshun Dai,Lian Zhao

DOI: https://doi.org/10.3390/s16091463

IF: 3.9

2016-01-01

Sensors

Abstract:With the rapid growth of the health data scale, the limited storage and computation resources of wireless body area sensor networks (WBANs) is becoming a barrier to their development. Therefore, outsourcing the encrypted health data to the cloud has been an appealing strategy. However, date aggregation will become difficult. Some recently-proposed schemes try to address this problem. However, there are still some functions and privacy issues that are not discussed. In this paper, we propose a privacy-enhanced and multifunctional health data aggregation scheme (PMHA-DP) under differential privacy. Specifically, we achieve a new aggregation function, weighted average (WAAS), and design a privacy-enhanced aggregation scheme (PAAS) to protect the aggregated data from cloud servers. Besides, a histogram aggregation scheme with high accuracy is proposed. PMHA-DP supports fault tolerance while preserving data privacy. The performance evaluation shows that the proposal leads to less communication overhead than the existing one.

Yiwen Nie,Wei Yang,Liusheng Huang,Xike Xie,Zhenhua Zhao,Shaowei Wang

DOI: https://doi.org/10.1109/tkde.2018.2841360

IF: 9.235

2018-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Local differential privacy (LDP), as a strong and practical notion, has been applied to deal with privacy issues in data collection. However, existing LDP-based strategies mainly focus on utility optimization at a single privacy level while ignoring various privacy preferences of data providers and multilevel privacy demands for statistics. In this poster, we for the first time propose a framework to optimize the utility of histogram estimation with these two privacy requirements. To clarify the goal of privacy protection, we personalize the traditional definition of LDP. We design two independent approaches to minimize the utility loss: Advanced Combination, which composes multilevel results for utility optimization, and Data Recycle with Personalized Privacy, which enlarges sample size for an estimation. We demonstrate their effectiveness on privacy and utility. Moreover, we embed these approaches within a Recycle and Combination Framework and prove that the framework stably achieves the optimal utility by quantifying its error bounds. On real-world datasets, our approaches are experimentally validated and remarkably outperform baseline methods.

Lei Yang,Mengyuan Zhang,Shibo He,Ming Li,Junshan Zhang

DOI: https://doi.org/10.1145/3209582.3209598

2018-01-01

Abstract:We develop an auction framework for privacy-preserving data aggregation in mobile crowdsensing, where the platform plays the role as an auctioneer to recruit workers for a sensing task. In this framework, the workers are allowed to report privacy-preserving versions of their data to protect their data privacy; and the platform selects workers based on their sensing capabilities, which aims to address the drawbacks of game-theoretic models that cannot ensure the accuracy level of the aggregated result, due to the existence of multiple Nash Equilibria. Observe that in this auction based framework, there exists externalities among workers' data privacy, because the data privacy of each worker depends on both her injected noise and the total noise in the aggregated result that is intimately related to which workers are selected to fulfill the task. To achieve a desirable accuracy level of the data aggregation in a cost-effective manner, we explicitly characterize the externalities, i.e., the impact of the noise added by each worker on both the data privacy and the accuracy of the aggregated result. Further, we explore the problem structure, characterize the hidden monotonicity property of the problem, and determine the critical bid of workers, which makes it possible to design a truthful, individually rational and computationally efficient incentive mechanism. The proposed incentive mechanism can recruit a set of workers to approximately minimize the cost of purchasing private sensing data from workers subject to the accuracy requirement of the aggregated result. We validate the proposed scheme through theoretical analysis as well as extensive simulations.

Xiaojian Zhang,Rui Chen,Jianliang Xu,Xiaofeng Meng,Yingtao Xie

DOI: https://doi.org/10.1137/1.9781611973440.68

2014-01-01

Abstract:Histograms are the workhorse of data mining and analysis. This paper considers the problem of publishing histograms under differential privacy, one of the strongest privacy models. Existing differentially private histogram publication schemes have shown that clustering (or grouping) is a promising idea to improve the accuracy of sanitized histograms. However, none of them fully exploits the benefit of clustering. In this paper, we introduce a new clustering framework. It features a sophisticated evaluation of the trade-off between the approximation error due to clustering and the Laplace error due to Laplace noise injected, which is normally overlooked in prior work. In particular, we propose three clustering strategies with different orders of run-time complexities. We prove the superiority of our approach by theoretical utility comparisons with the competitors. Our extensive experiments over various standard real-life and synthetic datasets confirm that our technique consistently outperforms existing competitors.

Guang Yang,Shibo He,Junshan Zhang,Zhiguo Shi

DOI: https://doi.org/10.1109/tvt.2019.2950907

IF: 6.8

2019-01-01

IEEE Transactions on Vehicular Technology

Abstract:Crowdsensing has been recognized as a promising data collection paradigm, in which a platform outsources sensing tasks to a large number of users. However, requesting users to report raw data may give rise to many practical concerns, such as a significant overhead of communication and central processing, besides users' privacy concerns. In many scenarios (e.g, advertising and recommendation), the data collector directly benefits from statistical aggregation of raw data. Thus motivated, we consider the data collection problem based on user's local histograms, which is intimately related to the fundamental trade-off between the platform's accuracy and users' privacy. Because of users' social relationship, their data are often correlated, indicating that users' privacy may be leaked from others' data. To tackle this challenge, we first utilize Gaussian Markov random fields to model the correlation structure embedded in users' data. The data collection is modeled as a Stackelberg game where the platform decides its reward policy and users decide their noise levels while taking into account the social coupling among users. For the reward policy design, we first establish the relationship between users' Nash equilibrium and the payment mechanism, and then optimize the platform's accuracy under a budget constraint. Further, since the noise levels are users' private information, they may use falsified noise levels to achieve higher payoffs, which in turn impairs the crowdsensing performance. It turns out that with the insight into the correlation structure among users' data, the information asymmetry can be overcome based on peer prediction. We revisit the payment mechanism to guarantee dominant truthfulness of each user's strategy. Theoretical analysis and numerical results demonstrate the effectiveness of the proposed mechanism.

Xin-Yuan Zhang,Liu-Sheng Huang,Shao-Wei Wang,Zhen-Yu Zhu,Hong-Li Xu

DOI: https://doi.org/10.2991/icwcsn-16.2017.45

2016-01-01

Abstract:The aggregation of residents' private data drives improvements in the smart homes, however it comes with compromising on privacy. Hence, privacy preservation has become an increasing requirement for residents. Since users might have different privacy requirements, and their privacy requirements might be sensitive information, smart homes need a privacy preservation scheme to meet their demands. In this scheme, a user preserves the privacy of his/her data and privacy level locally by specifying his own privacy level in confidence, without trusting anyone else in smart homes. In addition, a user replies a single data element to the collector each time, instead of the whole dataset. It makes the scheme more challenging than the traditional centralized situation. In this paper, we propose a novel personalized local differential privacy preservation scheme for smart homes, which retains desirable utility while providing rigorous privacy guarantee.

Xu Zheng,Ke Yan,Jingyuan Duan,Wenyi Tang,Ling Tian

DOI: https://doi.org/10.1155/2021/8886255

2021-01-01

Wireless Communications and Mobile Computing

Abstract:Local differential privacy has been considered the standard measurement for privacy preservation in distributed data collection. Corresponding mechanisms have been designed for multiple types of tasks, like the frequency estimation for categorical values and the mean value estimation for numerical values. However, the histogram publication of numerical values, containing abundant and crucial clues for the whole dataset, has not been thoroughly considered under this measurement. To simply encode data into different intervals upon each query will soon exhaust the bandwidth and the privacy budgets, which is infeasible for real scenarios. Therefore, this paper proposes a highly efficient framework for differentially private histogram publication of numerical values in a distributed environment. The proposed algorithms can efficiently adopt the correlations among multiple queries and achieve an optimal resource consumption. We also conduct extensive experiments on real-world data traces, and the results validate the improvement of proposed algorithms.

Xingfu Yan,Biao Zeng,Xinglin Zhang

DOI: https://doi.org/10.1109/jiot.2022.3168745

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Data aggregation is a fundamental problem in mobile crowdsensing (MCS). However, the existing approaches are still unsatisfactory considering the privacy protection of sensing data and aggregation results. In addition, most existing privacy-preserving data aggregation schemes can only support a single type of aggregation, which limits their application scenarios. To address these issues, we propose a novel privacy-preserving and customization-supported data aggregation scheme that can achieve multiple types of aggregation. Specifically, we utilize additive secret sharing ( $\mathcal {ASS}$ ) to protect the privacy of both sensing data and aggregation results and then propose a simplified secure triplet generation protocol based on $\mathcal {ASS}$ to construct secure aggregation operations. Moreover, we design a secure comparison (SC) algorithm and a secure top- $K$ algorithm to realize customized aggregation (i.e., statistical aggregation over top- $K$ largest or smallest values of sensing data). The formal theoretical analysis demonstrates that the proposed scheme is effective, and the extensive experiments conducted on a real-world data set show that the proposed approach is privacy preserving and efficient.

Hui Li,Jiangtao Cui,Xue Meng,Jianfeng Ma

DOI: https://doi.org/10.1007/s10619-018-07255-6

IF: 0.974

2019-01-02

Distributed and Parallel Databases

Abstract:Differential privacy (DP) is a promising tool for preserving privacy during data publication, as it provides strong theoretical privacy guarantees in face of adversaries with arbitrary background knowledge. Histogram, as the result of a set of count queries, serves as a core statistical tool to report data distributions and is in fact viewed as the fundamental method for many other statistical analysis such as range queries. It is an important form for data publishing. In this paper, we consider the scenario of publishing sensitive histogram data with differential privacy scheme. Existing work in this field has justified that, comparing to directly applying DP techniques (i.e., injecting noise) over the counts in histogram bins, grouping bins before noise injection is more effective (i.e., with higher utility) as it introduces much less error over the sanitized histogram given the same privacy budget. However, state-of-the-art works have not unveiled how the overall utility of a sanitized histogram can be affected by the balance between the privacy budget distributed between grouping and noise injection phases. In this work, we conduct a theoretical study towards how the probability of getting better groups can be improved such that the overall error introduced in sanitized histogram can be further reduced, which directly leads to a higher utility for the sanitized histograms. In particular, we show that the probability of achieving better grouping can be affected by two factors, namely privacy budget assigned in grouping and the normalized utility function used for selecting groups. Motivated by that, we propose a new DP histogram publishing scheme, namely Iterative Histogram Partition, in which we carefully assign privacy budget between grouping and injection phases based on our theoretical study. We also theoretically prove that ϵ\documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$$\epsilon $$\end{document}-differential privacy can be achieved according to our new scheme. Moreover, we also show that, under the same privacy budget, our scheme exhibits less errors in the sanitized histograms comparing with state-of-the-art methods. We also extends the model to multi-dimensional histogram publication cases. Finally, empirical study over four real-world datasets also justifies that our scheme achieves the least error among series of state-of-the-art baseline methods.

computer science, information systems, theory & methods

Yuhan Liu,Ananda Theertha Suresh,Wennan Zhu,Peter Kairouz,Marco Gruteser

2023-06-30

Abstract:We study the problem of histogram estimation under user-level differential privacy, where the goal is to preserve the privacy of all entries of any single user. We consider the heterogeneous scenario where the quantity of data can be different for each user. In this scenario, the amount of noise injected into the histogram to obtain differential privacy is proportional to the maximum user contribution, which can be amplified by few outliers. One approach to circumvent this would be to bound (or limit) the contribution of each user to the histogram. However, if users are limited to small contributions, a significant amount of data will be discarded. In this work, we propose algorithms to choose the best user contribution bound for histogram estimation under both bounded and unbounded domain settings. When the size of the domain is bounded, we propose a user contribution bounding strategy that almost achieves a two-approximation with respect to the best contribution bound in hindsight. For unbounded domain histogram estimation, we propose an algorithm that is logarithmic-approximation with respect to the best contribution bound in hindsight. This result holds without any distribution assumptions on the data. Experiments on both real and synthetic datasets verify our theoretical findings and demonstrate the effectiveness of our algorithms. We also show that clipping bias introduced by bounding user contribution may be reduced under mild distribution assumptions, which can be of independent interest.

Machine Learning,Cryptography and Security

Xue Meng,Hui Li,Jiangtao Cui

DOI: https://doi.org/10.1007/s41650-017-0014-x

2017-01-01

Journal of Communications and Information Networks

Abstract:Differential privacy is a strong notion for protecting individual privacy in data analysis or publication, with strong privacy guaranteeing security against adversaries with arbitrary background knowledge. A histogram is a representative and popular tool for data publication and visualization tasks. Following the emergence and development of data analysis and increasing release demands, protecting the private data and preventing sensitive information from leakage has become one of the major challenges for histogram publication. In recent years, many approaches have been proposed for publishing histograms with differential privacy. This paper explores the problem of publishing histograms with differential privacy, and provides a systematical summarization of existing research efforts in this field, begining with a discussion of the basic principles and characteristics of the technology. Furthermore, we provide a comprehensive comparison of a series of state-of-the-art histogram publication schemes. Finally, we provide possible suggestions for further expansions of future work in this area.

Mengdi Huai,Liusheng Huang,Yu-e Sun,Wei Yang

DOI: https://doi.org/10.1109/bdcloud.2015.54

2015-01-01

Abstract:Mobile crowdsensing applications can learn the aggregate statistics over personal data to produce useful knowledge about the world. Since personal data may be privacy-sensitive, the aggregator should only gain desired statistics without learning anything about the personal data. Differential privacy, the state-of-the-art privacy mechanism, can provide strong protection to ensure parties' privacy in such scenarios. Correspondingly, based on the differential privacy, many collusion-tolerant aggregation schemes have been proposed. However, those collusion-tolerant schemes usually incur high accumulated error and also require the priori knowledge of the fraction of those colluded parties. In this paper, we propose a differential-private collusion-tolerant aggregation protocol, while incurring no additionally error except the noise required for providing the differential privacy guarantee. Another salient characteristic of the proposed protocol is that it need not to have an priori estimation of those colluded parties. In addition, we also design an efficient aggregation encryption scheme to support those mobile crowdsensing applications where large plaintext is required. We also make some extensions to make the proposed protocol more applicable in realities, such as the fault tolerant. The analysis shows that the proposed protocol can achieve desired goals, and the performance evaluation demonstrates the protocol's efficiency in reality.

Fei Yan,Xing Zhang,Chang Li,Wanjie Li,Shuai Li,Fuming Sun

DOI: https://doi.org/10.1109/iciea.2018.8397954

2018-01-01

Abstract:Differential privacy is a prevalent research area that has been widely explored in the data release and analysis in recent decades. So far, we have focused on statistics that are derived from a static dataset. However, numerous applications require continuous publication of statistics, such as real-time disease outbreak discovery. With this consideration, a differentially private histogram publishing method with fractal dimension mining technology was proposed. The work aimed at hiding sensitive information while publishing, improving data utility and processing efficiency for multi-dimensional data. We used the fractal dimension to cluster datasets and counted values of each class. Through adding another algorithm to release the final histogram with Laplace noise, differential privacy is achieved. Extensive experiments with several real datasets confirm that our proposal achieves better privacy protection for dynamic datasets.

Xiaonian Wu,Nian Tong,Zhibo Ye,Yujue Wang

DOI: https://doi.org/10.1007/978-981-15-2777-7_7

2019-01-01

Abstract:The data produced by differential privacy histogram publishing algorithm based on grouping has low usability due to large approximation error and Laplace error. To solve this problem, a histogram publishing algorithm based on roulette sampling sort and greedy partition is proposed. Our algorithm combines the exponential mechanism with the roulette sampling sorting method, arranges the similar histogram bins together with a larger probability by the utility function and the restriction on the number of sampled entity. The greedy clustering algorithm is used to partition the sorted histogram bins into groups, and the error among histogram bins in each group is reduced by optimizing the lower bound error of the grouping. Extensive experimental results show that the proposed algorithm can effectively improve the usability of published data under the premise of satisfying differential privacy.

Hui Li,Jiangtao Cui,Xiaohin Lin,Jianfeng Ma

DOI: https://doi.org/10.1109/bigdata.2016.7840713

2016-01-01

Abstract:Differential privacy (DP) is a promising tool for preserving privacy during data publication, as it provides strong theoretical privacy guarantees in face of adversaries with arbitrary background knowledge. Histogram, as the result of a set of count queries, serves as a core statistical tool to report data distributions and is in fact viewed as the fundamental method for many other statistical analysis such as range queries. It is an important form for data publishing. In this paper, we consider the scenario of publishing sensitive histogram data with differential privacy scheme. Existing work in this field has justified that, comparing to directly applying differential privacy techniques (i.e., injecting noise) over the counts in histogram bins, grouping bins before noise injection is more effective (i.e., with higher utility) as it introduces much less error over the sanitized histogram given the same privacy budget. However, state-of-the-art works have not unveiled how the overall utility of a sanitized histogram can be affected by the balance between the privacy budget distributed between grouping and noise injection phases. In this work, we conducted a theoretical study towards how the probability of getting better groups can be improved such that the overall error introduced in sanitized histogram can be further reduced, which directly leads to a higher utility of the sanitized histogram. In particular, we show that the probability of achieving better grouping can be affected by two factors, namely privacy budget assigned in grouping and the normalized utility function used for selecting groups. Motivated by that, we propose a new DP histogram publishing scheme, namely IHP (Iterative Histogram Partition), in which we carefully assign privacy budget between grouping and injection phases based on our theoretical study. We also theoretically prove that e-differential privacy can be achieved according to our new scheme. Moreover, we also show that, under the same privacy budget, our scheme exhibits less errors in the sanitized histograms comparing with state-of-the-art methods. Finally, empirical study over three real-world datasets also justifies that our scheme achieves the least error among series of state-of-the-art baseline methods.