Qian Wang,Zhiwei Xu,Shengzhi Qu

DOI: https://doi.org/10.4304/jsw.6.10.1945-1952

2011-01-01

Journal of Software

Abstract:k-anonymity is an important model in the field of privacy protection and it is an effective method to prevent privacy disclosure in micro-data release. However, it is ineffective for the attribute disclosure by the homogeneity attack. The existing models based on k-anonymity have solved this problem to a certain extent, but they did not distinguish the different values of the sensitive attribute, processed a series of unnecessary generalization and expanded the information loss when they protect the sensitive attribute. Based on k-anonymity, this paper proposed a model based on average leakage probability and probability difference of sensitive attribute value. It is not only an effective method to deal with the problem of attributes disclosure that k-anonymity cannot deal, but also to realize different levels of protection to the various sensitive attribute values. It has reduced the generalization to the data in the most possibility during the procedure and ensures the most effectiveness of quasi-identifier attributes. Greedy generalization algorithm based on the generalization information loss is also proposed in this paper. To choose the generalization attributes, the information loss is considered and the importance of generalization attribute to sensitive attribute is accounted as well. Comparison experiment and performance experiment are made to the proposed model. The experiment results show that the model is feasible.

Guofei Chai,Miao Xu,Wenyuan Xu,Zhiyun Lin

DOI: https://doi.org/10.1155/2012/648058

IF: 1.938

2012-01-01

International Journal of Distributed Sensor Networks

Abstract:Due to the shared nature of wireless communication media, a powerful adversary can eavesdrop on the entire radio communication in the network and obtain the contextual communication statistics, for example, traffic volumes, transmitter locations, and so forth. Such information can reveal the location of the sink around which the data traffic exhibits distinctive patterns. To protect the sink-location privacy from a powerful adversary with a global view, we propose to achieve k-anonymity in the network so that at least k entities in the network are indistinguishable to the nodes around the sink with regard to communication statistics. Arranging the location of k entities is complex as it affects two conflicting goals: the routing energy cost and the achievable privacy level, and both goals are determined by a nonanalytic function. We model such a positioning problem as a nonlinearly constrained nonlinear optimization problem. To tackle it, we design a generic-algorithm-based quasi-optimal (GAQO) method that obtains quasi-optimal solutions at quadratic time. The obtained solutions closely approximate the optima with increasing privacy requirements. Furthermore, to solve k-anonymity sink-location problems more efficiently, we develop an artificial potential-based quasi-optimal (APQO) method that is of linear time complexity. Our extensive simulation results show that both algorithms can effectively find solutions hiding the sink among a large number of network nodes.

Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Aston Zhang,Xing Xie,Kevin Chen-Chuan Chang,Carl A. Gunter,Jiawei Han,XiaoFeng Wang

DOI: https://doi.org/10.5441/002/edbt.2014.53

2014-01-01

Abstract:Anonymized user datasets are often released for research or industry applications. As an example, t.qq.com released its anonymized users’ profile, social interaction, and recommendation log data in KDD Cup 2012 to call for recommendation algorithms. Since the entities (users and so on) and edges (links among entities) are of multiple types, the released social network is a heterogeneous information network. Prior work has shown how privacy can be compromised in homogeneous information networks by the use of specific types of graph patterns. We show how the extra information derived from heterogeneity can be used to relax these assumptions. To characterize and demonstrate this added threat, we formally define privacy risk in an anonymized heterogeneous information network to identify the vulnerability in the possible way such data are released, and further present a new de-anonymization attack that exploits the vulnerability. Our attack successfully de-anonymized most individuals involved in the data—for an anonymized 1,000user t.qq.com network of density 0.01, the attack precision is over 90% with a 2.3-million-user auxiliary network.

Sai Wu,Xiaoli Wang,Sheng Wang,Zhenjie Zhang,Anthony K. H. Tung

DOI: https://doi.org/10.1109/tkde.2013.93

IF: 9.235

2014-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:In crowdsourcing database, human operators are embedded into the database engine and collaborate with other conventional database operators to process the queries. Each human operator publishes small HITs (Human Intelligent Task) to the crowdsourcing platform, which consists of a set of database records and corresponding questions for human workers. The human workers complete the HITs and return the results to the crowdsourcing database for further processing. In practice, published records in HITs may contain sensitive attributes, probably causing privacy leakage so that malicious workers could link them with other public databases to reveal individual private information. Conventional privacy protection techniques, such as K-Anonymity , can be applied to partially solve the problem. However, after generalizing the data, the result of standard K-Anonymity algorithms may render uncontrollable information loss and affects the accuracy of crowdsourcing. In this paper, we first study the tradeoff between the privacy and accuracy for the human operator within data anonymization process. A probability model is proposed to estimate the lower bound and upper bound of the accuracy for general K-Anonymity approaches. We show that searching the optimal anonymity approach is NP-Hard and only heuristic approach is available. The second contribution of the paper is a general feedback-based K-Anonymity scheme. In our scheme, synthetic samples are published to the human workers, the results of which are used to guide the selection on anonymity strategies. We apply the scheme on Mondrian algorithm by adaptively cutting the dimensions based on our feedback results on the synthetic samples. We evaluate the performance of the feedback-based approach on U.S. census dataset, and show that given a predefined $K$ , our proposal outperforms standard K-Anonymity approaches on retaining the effectiveness of crowdsourcing.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_79

2006-01-01

Abstract:Real world traffic traces are important for Internet research, but public available traffic traces are rare for privacy concerns. IP address anonymization may serve to avoid privacy issues. There are many IP address anonymization schemes according to different requirements and trustworthy levels of the expected users. However, anonymized traces often have to address several groups of researchers at the same time, each with a distinct trustworthy level. Previously known IP address anonymization schemes have to be applied separately to form multiple copies each corresponding to a scheme. In this paper, we propose a scheme which will anonymize the original trace into one single trace, and with different knowledge (secret key) users may recover different traces from it.

Xianmang He,HuaHui Chen,Yefang Chen,Yihong Dong,Peng Wang,Zhenhua Huang

DOI: https://doi.org/10.1007/978-3-642-30217-6_34

2012-01-01

Abstract:Privacy is one of major concerns when data containing sensitive information needs to be released for ad hoc analysis, which has attracted wide research interest on privacy-preserving data publishing in the past few years. One approach of strategy to anonymize data is generalization. In a typical generalization approach, tuples in a table was first divided into many QI (quasi-identifier)-groups such that the size of each QI-group is no less than k . Clustering is to partition the tuples into many clusters such that the points within a cluster are more similar to each other than points in different clusters. The two methods share a common feature: distribute the tuples into many small groups. Motivated by this observation, we propose a clustering-based k -anonymity algorithm, which achieves k -anonymity through clustering. Extensive experiments on real data sets are also conducted, showing that the utility has been improved by our approach.

Martin Burkhart,Daniela Brauckhoff,Martin May

DOI: https://doi.org/10.48550/arXiv.0810.1655

2008-10-09

Networking and Internet Architecture

Abstract:The sharing of network traces is an important prerequisite for the development and evaluation of efficient anomaly detection mechanisms. Unfortunately, privacy concerns and data protection laws prevent network operators from sharing these data. Anonymization is a promising solution in this context; however, it is unclear if the sanitization of data preserves the traffic characteristics or introduces artifacts that may falsify traffic analysis results. In this paper, we examine the utility of anonymized flow traces for anomaly detection. We quantitatively evaluate the impact of IP address anonymization, namely variations of permutation and truncation, on the detectability of large-scale anomalies. Specifically, we analyze three weeks of un-sampled and non-anonymized network traces from a medium-sized backbone network. We find that all anonymization techniques, except prefix-preserving permutation, degrade the utility of data for anomaly detection. We show that the degree of degradation depends to a large extent on the nature and mix of anomalies present in a trace. Moreover, we present a case study that illustrates how traffic characteristics of individual hosts are distorted by anonymization.

Jie Hu,Chuang Lin,Xiangyang Li

DOI: https://doi.org/10.1109/icccn.2016.7568566

2016-01-01

Abstract:With the increasing popularity of social applications, people spend plenty of time in online social networking, such as chatting, sharing daily activities, etc. All these online activities are recorded in social applications and leave fingerprinting in network traffics. Both of these two data sources have the risk of leaking privacy. However, previous studies focus on the privacy leakage in social applications while privacy leakage in network traffics attracts less attention. Moreover, the works on privacy leakage in traffics focus on payload information of the traffics. As the internet is becoming more encrypted, in order to propose a general framework to reveal the privacy problem in the traffics, we turn attention to the traffics without payload information. In this paper, we develop a novel methodology to reveal the risk of relationship privacy leakage in network traffics without payload information. We first extract the chatting flows from the network traffics based on $k$-Nearest-Neighbors method. Then we create the ties between users by matching the chatting flows, and chatting patterns are used to verify whether the matched users are chatting with each other. Finally, network traces are used to evaluate the performance of our methodology. The experiments show we can recognize $96.42\%$ of the chatting flows with the precision of $96.96\%$, and we can detect all the ties between users who are chatting with each other.

Zhenlong Yuan,Jie Xu,Yibo Xue,Mihaela van der Schaar

DOI: https://doi.org/10.1109/lcomm.2016.2521837

IF: 3.5529

2016-01-01

IEEE Communications Letters

Abstract:During the past decade, a great number of machine learning (ML)-based methods have been studied for accurate traffic classification. Flow features such as the discretizations of the first five packet sizes (PS) and flow ports (FP) are considered the best discriminators for per-flow classification. For the first time, this letter proposes to treat the first n-bits of a flow (BitFlow) as features and compares its overall performance with the well-known ACAS (automated construction of application signatures) that takes the first n-bytes of a flow (ByteFlow) as features. The results show that BitFlow achieves not only a higher classification accuracy but also 1-3 orders of magnitude faster speed than ACAS in training and classifying. More importantly, this letter also proposes to treat the first n-bits of each of the first few packet payloads (BitPack) as features, which enables a user-adjustable tradeoff between user privacy protection and classification accuracy maximization. The experiments show that BitPack can significantly outperform BitFlow, PS, and FP.

Jianqiang Li,Ji-Jiang Yang,Yu Zhao,Bo Liu

DOI: https://doi.org/10.1080/17517575.2012.688223

2013-01-01

Enterprise Information Systems

Abstract:Data sharing in today's information society poses a threat to individual privacy and organisational confidentiality. k-anonymity is a widely adopted model to prevent the owner of a record being re-identified. By generalising and/or suppressing certain portions of the released dataset, it guarantees that no records can be uniquely distinguished from at least other k-1 records. A key requirement for the k-anonymity problem is to minimise the information loss resulting from data modifications. This article proposes a top-down approach to solve this problem. It first considers each record as a vertex and the similarity between two records as the edge weight to construct a complete weighted graph. Then, an edge cutting algorithm is designed to divide the complete graph into multiple trees/components. The Large Components with size bigger than 2k-1 are subsequently split to guarantee that each resulting component has the vertex number between k and 2k-1. Finally, the generalisation operation is applied on the vertices in each component (i.e. equivalence class) to make sure all the records inside have identical quasi-identifier values. We prove that the proposed approach has polynomial running time and theoretical performance guarantee O(k). The empirical experiments show that our approach results in substantial improvements over the baseline heuristic algorithms, as well as the bottom-up approach with the same approximate bound O(k). Comparing to the baseline bottom-up O(logk)-approximation algorithm, when the required k is smaller than 50, the adopted top-down strategy makes our approach achieve similar performance in terms of information loss while spending much less computing time. It demonstrates that our approach would be a best choice for the k-anonymity problem when both the data utility and runtime need to be considered, especially when k is set to certain value smaller than 50 and the record set is big enough to make the runtime have to be taken into account.

Sin Hong Lin,Ruliang Xiao

DOI: https://doi.org/10.1002/cpe.7226

2022-08-05

Concurrency and Computation: Practice and Experience

Abstract:Summary Anonymization is a practical solution for preserving user's identity privacy before data publishing. There are various anonymity techniques can be applied to maintain data utility of micro‐data and social networks, however these methods lead to a high runtime or low anonymous graph utility. In this article, an efficient, utility‐preserving approach has been proposed to reduce anonymization runtime as well as the amount of information loss incurred by graph anonymization. We craft our anonymization algorithm by combining greedy partition‐based aggregating with multi‐dimensional sorting as main heuristic tools. The proposed algorithm generates a partial order of the vertices so that the vertex at top rank and another vertex at bottom rank can never be aggregated in the same group, the runtime is reduced. Greedy partition‐based aggregating is employed to create k ‐anonymous clusters which minimizing information loss. Experimental results on real‐world datasets show the proposed method has good performance and is superior to the existing methods.

Wanshu Yu,Haonan Shi,Hongyun Xu

DOI: https://doi.org/10.48550/arXiv.2307.16849

2023-08-01

Abstract:As people's daily life becomes increasingly inseparable from various mobile electronic devices, relevant service application platforms and network operators can collect numerous individual information easily. When releasing these data for scientific research or commercial purposes, users' privacy will be in danger, especially in the publication of spatiotemporal trajectory datasets. Therefore, to avoid the leakage of users' privacy, it is necessary to anonymize the data before they are released. However, more than simply removing the unique identifiers of individuals is needed to protect the trajectory privacy, because some attackers may infer the identity of users by the connection with other databases. Much work has been devoted to merging multiple trajectories to avoid re-identification, but these solutions always require sacrificing data quality to achieve the anonymity requirement. In order to provide sufficient privacy protection for users' trajectory datasets, this paper develops a study on trajectory privacy against re-identification attacks, proposing a trajectory K-anonymity model based on Point Density and Partition (KPDP). Our approach improves the existing trajectory generalization anonymization techniques regarding trajectory set partition preprocessing and trajectory clustering algorithms. It successfully resists re-identification attacks and reduces the data utility loss of the k-anonymized dataset. A series of experiments on a real-world dataset show that the proposed model has significant advantages in terms of higher data utility and shorter algorithm execution time than other existing techniques.

Cryptography and Security,Machine Learning

Rachel G. de Jong,Mark P. J. van der Loo,Frank W. Takes

2024-07-02

Abstract:Privacy-aware sharing of network data is a difficult task due to the interconnectedness of individuals in networks. An important part of this problem is the inherently difficult question of how in a particular situation the privacy of an individual node should be measured. To that end, in this paper we propose a set of aspects that one should consider when choosing a measure for privacy. These aspects include the type of desired privacy and attacker scenario against which the measure protects, utility of the data, the type of desired output, and the computational complexity of the chosen measure. Based on these aspects, we provide a systematic overview of existing approaches in the literature. We then focus on a set of measures that ultimately enables our objective: sharing the anonymized full network dataset with limited disclosure risk. The considered measures, each based on the concept of k-anonymity, account for the structure of the surroundings of a certain node and differ in completeness and reach of the structural information taken into account. We present a comprehensive theoretical characterization as well as comparative empirical experiments on a wide range of real-world network datasets with up to millions of edges. We find that the choice of the measure has an enormous effect on aforementioned aspects. Most interestingly, we find that the most effective measures consider a greater node vicinity, yet utilize minimal structural information and thus use minimal computational resources. This finding has important implications for researchers and practitioners, who may, based on the recommendations given in this paper, make an informed choice on how to safely share large-scale network data in a privacy-aware manner.

Social and Information Networks

Xuan Shang,Ke Chen,Lidan Shou,Gang Chen,Tianlei Hu

DOI: https://doi.org/10.1145/1871437.1871614

2010-01-01

Abstract:The challenges with privacy protection of time series are mainly due to the complex nature of the data and the queries performed on them. We study the anonymization of time series while trying to support complex queries, such as range and pattern similarity queries, on the published data. The conventional k-anonymity cannot effectively address this problem as it may suffer severe pattern loss. We propose a novel anonymization model called (k,P)-anonymity for pattern-rich time series. This model publishes both the attribute values and the patterns of time series in separate data forms. We demonstrate that our model can prevent linkage attacks on the published data while effectively support a wide variety of queries on the anonymized data. We also design an efficient algorithm for enforcing (k,P)-anonymity on time series data.

Sashi Gurung,Dan Lin,Wei Jiang,Ali Hurson,Rui Zhang

DOI: https://doi.org/10.1145/2542666

IF: 5

2014-10-01

ACM Transactions on Intelligent Systems and Technology

Abstract:We are experiencing the expanding use of location-based services such as AT&T’s TeleNav GPS Navigator and Intel’s Thing Finder. Existing location-based services have collected a large amount of location data, which has great potential for statistical usage in applications like traffic flow analysis, infrastructure planning, and advertisement dissemination. The key challenge is how to wisely use the data without violating each user’s location privacy concerns. In this article, we first identify a new privacy problem, namely, the inference-route problem, and then present our anonymization algorithms for privacy-preserving trajectory publishing. The experimental results have demonstrated that our approach outperforms the latest related work in terms of both efficiency and effectiveness.

computer science, information systems, artificial intelligence

Dazhou Liu,Younghee Park

DOI: https://doi.org/10.3390/s24072295

IF: 3.9

2024-04-05

Sensors

Abstract:Anonymous networks, which aim primarily to protect user identities, have gained prominence as tools for enhancing network security and anonymity. Nonetheless, these networks have become a platform for adversarial affairs and sources of suspicious attack traffic. To defend against unpredictable adversaries on the Internet, detecting anonymous network traffic has emerged as a necessity. Many supervised approaches to identify anonymous traffic have harnessed machine learning strategies. However, many require access to engineered datasets and complex architectures to extract the desired information. Due to the resistance of anonymous network traffic to traffic analysis and the scarcity of publicly available datasets, those approaches may need to improve their training efficiency and achieve a higher performance when it comes to anonymous traffic detection. This study utilizes feature engineering techniques to extract pattern information and rank the feature importance of the static traces of anonymous traffic. To leverage these pattern attributes effectively, we developed a reinforcement learning framework that encompasses four key components: states, actions, rewards, and state transitions. A lightweight system is devised to classify anonymous and non-anonymous network traffic. Subsequently, two fine-tuned thresholds are proposed to substitute the traditional labels in a binary classification system. The system will identify anonymous network traffic without reliance on labeled data. The experimental results underscore that the system can identify anonymous traffic with an accuracy rate exceeding 80% (when based on pattern information).

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Raheem Beyah

2014-01-01

Abstract:When people utilize social applications and services, their privacy suffers potential serious threat. In this paper, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from on-going de-anonymization results. By analyzing the measurement on real data sets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large scale data without the knowledge on the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well known mobility traces: St Andrews, Infocom06, and Smallblue, and three social data sets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. For instance, utilizing the knowledge of one seed mapping merely, 93.2% of the data in Smallblue can be successfully de-anonymized; utilizing the knowledge of ten seed mappings, August 13, 2014 DRAFT

David Plonka,Arthur Berger

DOI: https://doi.org/10.48550/arXiv.1707.03900

2017-07-13

Abstract:Privacy-minded Internet service operators anonymize IPv6 addresses by truncating them to a fixed length, perhaps due to long-standing use of this technique with IPv4 and a belief that it's "good enough." We claim that simple anonymization by truncation is suspect since it does not entail privacy guarantees nor does it take into account some common address assignment practices observed today. To investigate, with standard activity logs as input, we develop a counting method to determine a lower bound on the number of active IPv6 addresses that are simultaneously assigned, such as those of clients that access World-Wide Web services. In many instances, we find that these empirical measurements offer no evidence that truncating IPv6 addresses to a fixed number of bits, e.g., 48 in common practice, protects individuals' privacy. To remedy this problem, we propose kIP anonymization, an aggregation method that ensures a certain level of address privacy. Our method adaptively determines variable truncation lengths using parameter k, the desired number of active (rather than merely potential) addresses, e.g., 32 or 256, that can not be distinguished from each other once anonymized. We describe our implementation and present first results of its application to millions of real IPv6 client addresses active over a week's time, demonstrating both feasibility at large scale and ability to automatically adapt to each network's address assignment practice and synthesize a set of anonymous aggregates (prefixes), each of which is guaranteed to cover (contain) at least k of the active addresses. Each address is anonymized by truncating it to the length of its longest matching prefix in that set.

Networking and Internet Architecture

Huandong Wang,Yong Li,Chen Gao,Gang Wang,Xiaoming Tao,Depeng Jin

DOI: https://doi.org/10.1109/tmc.2019.2952774

IF: 6.075

2021-03-01

IEEE Transactions on Mobile Computing

Abstract:Human mobility trajectories are increasingly collected by ISPs to assist academic research and commercial applications. Meanwhile, there is a growing concern that individual trajectories can be de-anonymized when the data is shared, using information from external sources (e.g., online social networks). To understand this risk, prior works either estimate the theoretical privacy bound or simulate de-anonymization attacks on synthetically created datasets. However, it is not clear how well the theoretical estimations are preserved in practice. In this article, we collected a large-scale ground-truth trajectory dataset from 2,161,500 users of a cellular network, and two matched external trajectory datasets from a large social network (56,683 users) and a check-in/review service (45,790 users) on the same user population. The two sets of large ground-truth data provide a rare opportunity to extensively evaluate a variety of de-anonymization algorithms (nine in total). We find that their performance in the real-world dataset is far from the theoretical bound. Further analysis shows that most algorithms have under-estimated the impact of spatio-temporal mismatches between the data from different sources, and the high sparsity of user generated data also contributes to the under-performance. Based on these insights, we propose four new algorithms that are specially designed to tolerate spatial or temporal mismatches (or both) and model location contexts and time contexts. Extensive evaluations show that our algorithms achieve more than 17 percent performance gain over the best existing algorithms, confirming our insights. Further, we propose two new location-privacy preserving mechanisms utilizing the spatio-temporal mismatches to better protect users' privacy against the de-anonymization attack. Evaluation results show that our proposed mechanisms can reduce the performance of de-anonymization attacks by over 8.0 percent, demonstrating the effectivene-s of our insights.

computer science, information systems,telecommunications