Zhen Tu,Kai Zhao,Fengli Xu,Yong Li,Li Su,Depeng Jin

DOI: https://doi.org/10.1109/tnsm.2018.2877790

2019-01-01

IEEE Transactions on Network and Service Management

Abstract:Nowadays, human trajectories are widely collected and utilized for scientific research and business purpose. However, publishing trajectory data without proper handling might cause severe privacy leakage. A large body of works is dedicated to merging one's trajectory with others', so as to avoid any individual trajectory being re-identified. Yet their solutions do not provide enough protection since they cannot prevent semantic attack, which means the attackers are able to acquire individual's private information by using the semantics features of frequently visited locations in the trajectory even without re-identification. In this paper, we are the first to recognize the semantic attack, which is another severe privacy problem in publishing trajectory datasets. We propose an algorithm providing strong privacy protection against both the semantic and re-identification attack while reserving high data utility. Extensive evaluations based on two real-world datasets demonstrate that our solution improves the quality of privacy protection by three times, sacrificing only 36% and 10% of spatial and temporal resolution, respectively.

Xumeng Wang,Tianlong Gu,Xiaonan Luo,Xiwen Cai,Tianyi Lao,Wenlong Chen,Yingcai Wu,Jinhui Yu,Wei Chen

DOI: https://doi.org/10.1109/tits.2018.2875021

IF: 8.5

2019-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Visual analysis is widely applied to study human mobility due to the ability of integrating contextual information from multiple data sources. Analyzing trajectory data through visualization improves the efficiency and accuracy of the analysis, yet it may induce exposure of the location privacy. To balance the location privacy and analysis effectiveness, this work focuses on the behaviors of different geo-based contexts in the process of trajectory interpretation. Three types of geo-based contexts are identified after surveying 94 related literatures. We further conduct experiments to investigate their capability by evaluating how they benefit the analysis, and whether they lead to location privacy exposure. Finally, we report and discuss interesting findings, and provide guidelines to the design of privacy-preserving analysis approaches for human periodic trajectories.

Zhen Tu,Kai Zhao,Fengli Xu,Yong Li,Li Su,Depeng Jin

DOI: https://doi.org/10.1109/sahcn.2017.7964921

2017-01-01

Abstract:Nowadays, human trajectories are widely collected and utilized for scientific research and business purpose. However, publishing trajectory data without proper handling might cause severe privacy leakage. A large body of works are dedicated to merging one's trajectory with others', so as to avoid any individual trajectory being re-identified. Yet their solutions do not provide enough protection since they cannot prevent semantic attack, which means the attackers are able to acquire individual's private information by using the semantics features of frequently- visited locations in the trajectory even without re- identification. In this work, we are the first to recognize the semantic attack, which is another severe privacy problem in publishing trajectory datasets. We propose an algorithm providing strong privacy protection against both the semantic and re- identification attack while reserving high data utility. Extensive evaluations based on two real-world datasets demonstrate that our solution improves the quality of privacy protection by 3 times, sacrificing only 36% and 30% of spatial and temporal resolution, respectively.

Huandong Wang,Yong Li,Chen Gao,Gang Wang,Xiaoming Tao,Depeng Jin

DOI: https://doi.org/10.1109/tmc.2019.2952774

IF: 6.075

2021-03-01

IEEE Transactions on Mobile Computing

Abstract:Human mobility trajectories are increasingly collected by ISPs to assist academic research and commercial applications. Meanwhile, there is a growing concern that individual trajectories can be de-anonymized when the data is shared, using information from external sources (e.g., online social networks). To understand this risk, prior works either estimate the theoretical privacy bound or simulate de-anonymization attacks on synthetically created datasets. However, it is not clear how well the theoretical estimations are preserved in practice. In this article, we collected a large-scale ground-truth trajectory dataset from 2,161,500 users of a cellular network, and two matched external trajectory datasets from a large social network (56,683 users) and a check-in/review service (45,790 users) on the same user population. The two sets of large ground-truth data provide a rare opportunity to extensively evaluate a variety of de-anonymization algorithms (nine in total). We find that their performance in the real-world dataset is far from the theoretical bound. Further analysis shows that most algorithms have under-estimated the impact of spatio-temporal mismatches between the data from different sources, and the high sparsity of user generated data also contributes to the under-performance. Based on these insights, we propose four new algorithms that are specially designed to tolerate spatial or temporal mismatches (or both) and model location contexts and time contexts. Extensive evaluations show that our algorithms achieve more than 17 percent performance gain over the best existing algorithms, confirming our insights. Further, we propose two new location-privacy preserving mechanisms utilizing the spatio-temporal mismatches to better protect users' privacy against the de-anonymization attack. Evaluation results show that our proposed mechanisms can reduce the performance of de-anonymization attacks by over 8.0 percent, demonstrating the effectivene-s of our insights.

computer science, information systems,telecommunications

Hua Wang

DOI: https://doi.org/10.48550/arXiv.2212.06600

2022-12-13

Cryptography and Security

Abstract:The current trajectory privacy protection technology only considers the temporal and spatial attributes of trajectory data, but ignores the social attributes. However, there is an intrinsic relationship between social attributes and human activity trajectories, which brings new challenges to trajectory privacy protection, making existing trajectory privacy protection technologies unable to resist trajectory privacy attacks based on social attributes. To this end, this paper first studies the social privacy attack in the trajectory data, builds a social privacy attack model based on the fusion of "space-time" features, and reveals the internal impact of the spatial and temporal features in the trajectory data on social privacy leaks. -Anonymous algorithm and trajectory release privacy protection provide theoretical support. On this basis, integrate social attributes into trajectory privacy protection technology, design trajectory k-anonymity algorithm based on "space-time-social" three-dimensional mobile model, and construct trajectory data based on "space-time-social-semantic" multi-dimensional correlation Publish privacy-preserving models.

Imran Memon,Ling Chen,Qasim Ali Arain,Hina Memon,Gencai Chen

DOI: https://doi.org/10.1002/dac.3437

2017-01-01

International Journal of Communication Systems

Abstract:In road network, vehicles' location may be identified, and their transmissions may even tracked by eavesdrops (eg, safety messages) that contain sensitive personal information such as identity and location of the vehicle. This type of communication leads to breaking the users' trajectory privacy. Frequently changing pseudonyms are widely accepted as a solution that protects the trajectory privacy of users in road networks. However, this solution may become invalid if a vehicle changes its pseudonym at an improper occasion. To cope with this issue, we presented an efficient pseudonym change strategy with multiple mix zones scheme to provide trajectory privacy for road network. In addition, we protected vehicles against linkability attack by cheating mechanism. Henceforth, we constructed a cheating detection mechanism which allows the vehicles to verify whether the pseudonym change process is successful or not and also detect to malicious vehicles. In this way, users' trajectory privacy can be improved. Finally, by taking the anonymity set size (ASS) as the trajectory privacy metric, we exhibit by means of simulations that the proposed scheme is effective in multiple networks scenarios.

Zhirun Zheng,Zhetao Li,Jie Li,Hongbo Jiang,Tong Li,Bin Guo

DOI: https://doi.org/10.1145/3495160

IF: 5

2022-05-11

ACM Transactions on Intelligent Systems and Technology

Abstract:For academic research and business intelligence, trajectory data has been widely collected and analyzed. Releasing trajectory data to a third party may lead to serious privacy leakage, which has spawned considerable researches on trajectory privacy protection technology. However, existing work suffers from several shortcomings. They either focus on point-based location privacy, ignoring the spatio-temporal correlations among locations within a trajectory, or they protect the privacy of each user separately without considering privacy leakage of the social relationship between trajectories of different users. Besides, they fail to balance privacy protection and data utility. Motivated by these limitations, in this article, we propose

computer science, information systems, artificial intelligence

Wanshu Yu,Haonan Shi,Hongyun Xu

DOI: https://doi.org/10.48550/arXiv.2307.16849

2023-08-01

Abstract:As people's daily life becomes increasingly inseparable from various mobile electronic devices, relevant service application platforms and network operators can collect numerous individual information easily. When releasing these data for scientific research or commercial purposes, users' privacy will be in danger, especially in the publication of spatiotemporal trajectory datasets. Therefore, to avoid the leakage of users' privacy, it is necessary to anonymize the data before they are released. However, more than simply removing the unique identifiers of individuals is needed to protect the trajectory privacy, because some attackers may infer the identity of users by the connection with other databases. Much work has been devoted to merging multiple trajectories to avoid re-identification, but these solutions always require sacrificing data quality to achieve the anonymity requirement. In order to provide sufficient privacy protection for users' trajectory datasets, this paper develops a study on trajectory privacy against re-identification attacks, proposing a trajectory K-anonymity model based on Point Density and Partition (KPDP). Our approach improves the existing trajectory generalization anonymization techniques regarding trajectory set partition preprocessing and trajectory clustering algorithms. It successfully resists re-identification attacks and reduces the data utility loss of the k-anonymized dataset. A series of experiments on a real-world dataset show that the proposed model has significant advantages in terms of higher data utility and shorter algorithm execution time than other existing techniques.

Cryptography and Security,Machine Learning

Yan Dai,Jie Shao,Chengbo Wei,Dongxiang Zhang,Heng Tao Shen

DOI: https://doi.org/10.1007/s11280-017-0489-2

2017-08-26

World Wide Web

Abstract:Trajectory data gathered by mobile positioning techniques and location-aware devices contain plenty of sensitive spatial-temporal and semantic information, and can support many applications through data analysing and mining. However, attribute-linkage and re-identification attacks on such data may cause privacy leakage, and lead to unexpected serious consequences. Existing privacy preserving techniques for trajectory data often ignore the different privacy requirements of different moving objects or largely scarify the availability of trajectory data. In view of these issues, we propose an effective personalized trajectory privacy preserving method which can strike a good balance between user-defined privacy requirement and data availability in off-line trajectory publishing scenario. The main idea is to firstly label semantic attributes of all sampling points on the trajectory and build a corresponding taxonomy tree, next extract sensitive stop points, then for different types of sensitive stop points, adopt different strategies to select the appropriate points of user interests to replace while considering user speed and avoiding reverse mutation, and finally publish the reconstructed trajectory. Besides, to make our method more realistic we further consider possible obstacles appeared in the user space environment. In the experiments, average identification possibility, trajectory semantic consistency and trajectory shape similarity are taken as evaluation criteria, and the performance of our method is comprehensively evaluated. The results show that our method can improve the user trajectory availability as much as possible, while effectively achieving the different trajectory privacy requirements.

Fengli Xu,Zhen Tu,Yong Li,Pengyu Zhang,Xiaoming Fu,Depeng Jin

DOI: https://doi.org/10.48550/arXiv.1702.06270

2017-02-21

Computers and Society

Abstract:Human mobility data has been ubiquitously collected through cellular networks and mobile applications, and publicly released for academic research and commercial purposes for the last decade. Since releasing individual's mobility records usually gives rise to privacy issues, datasets owners tend to only publish aggregated mobility data, such as the number of users covered by a cellular tower at a specific timestamp, which is believed to be sufficient for preserving users' privacy. However, in this paper, we argue and prove that even publishing aggregated mobility data could lead to privacy breach in individuals' trajectories. We develop an attack system that is able to exploit the uniqueness and regularity of human mobility to recover individual's trajectories from the aggregated mobility data without any prior knowledge. By conducting experiments on two real-world datasets collected from both mobile application and cellular network, we reveal that the attack system is able to recover users' trajectories with accuracy about 73%~91% at the scale of tens of thousands to hundreds of thousands users, which indicates severe privacy leakage in such datasets. Through the investigation on aggregated mobility data, our work recognizes a novel privacy problem in publishing statistic data, which appeals for immediate attentions from both academy and industry.

Zhen Tu,Fengli Xu,Yong Li,Pengyu Zhang,Depeng Jin

DOI: https://doi.org/10.1109/tnet.2018.2829173

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Human mobility data have been ubiquitously collected through cellular networks and mobile applications, and publicly released for academic research and commercial purposes for the last decade. Since releasing individual's mobility records usually gives rise to privacy issues, data sets owners tend to only publish aggregated mobility data, such as the number of users covered by a cellular tower at a specific timestamp, which is believed to be sufficient for preserving users' privacy. However, in this paper, we argue and prove that even publishing aggregated mobility data could lead to privacy breach in individuals' trajectories. We develop an attack system that is able to exploit the uniqueness and regularity of human mobility to recover individual's trajectories from the aggregated mobility data without any prior knowledge. By conducting experiments on two real-world data sets collected from both the mobile application and cellular network, we reveal that the attack system is able to recover users' trajectories with an accuracy of about 73%similar to 91% at the scale of thousands to ten thousands of mobile users, which indicates severe privacy leakage in such data sets. Our extensive analysis also reveals that by generalization and perturbation, this kind of privacy leakage can only be mitigated. Through the investigation on aggregated mobility data, this paper recognizes a novel privacy problem in publishing statistic data, which appeals for immediate attentions from both the academy and industry.

Lin Yao,Zhenyu Chen,Haibo Hu,Guowei Wu,Bin Wu

DOI: https://doi.org/10.1145/3474839

IF: 5

2022-06-30

ACM Transactions on Intelligent Systems and Technology

Abstract:With the proliferation of location-aware devices, trajectory data have been used widely in real-life applications. However, trajectory data are often associated with sensitive labels, such as users’ purchase transactions and planned activities. As such, inappropriate sharing or publishing of these data could threaten users’ privacy, especially when an adversary has sufficient background knowledge about a trajectory through other data sources, such as social media (check-in tags). Though differential privacy has been used to address the privacy of trajectory data, no existing method can protect the privacy of both trajectory data and sensitive labels. In this article, we propose a comprehensive trajectory publishing algorithm with three effective procedures. First, we apply density-based clustering to determine hotspots and outliers and then blur their locations by generalization. Second, we propose a graph-based model to efficiently capture the relationship among sensitive labels and trajectory points in all records and leverage Laplace noise to achieve differential privacy. Finally, we generate and publish trajectories by traversing and updating this graph until we travel all vertexes. Our experiments on synthetic and real-life datasets demonstrate that our algorithm effectively protects the privacy of both sensitive labels and location data in trajectory publication. Compared with existing works on trajectory publishing, our algorithm can also achieve higher data utility.

computer science, information systems, artificial intelligence

Marco Gramaglia,Marco Fiore,Alberto Tarable,Albert Banchs

DOI: https://doi.org/10.48550/arXiv.1701.02243

2017-01-09

Computers and Society

Abstract:Mobile network operators can track subscribers via passive or active monitoring of device locations. The recorded trajectories offer an unprecedented outlook on the activities of large user populations, which enables developing new networking solutions and services, and scaling up studies across research disciplines. Yet, the disclosure of individual trajectories raises significant privacy concerns: thus, these data are often protected by restrictive non-disclosure agreements that limit their availability and impede potential usages. In this paper, we contribute to the development of technical solutions to the problem of privacy-preserving publishing of spatiotemporal trajectories of mobile subscribers. We propose an algorithm that generalizes the data so that they satisfy $k^{\tau,\epsilon}$-anonymity, an original privacy criterion that thwarts attacks on trajectories. Evaluations with real-world datasets demonstrate that our algorithm attains its objective while retaining a substantial level of accuracy in the data. Our work is a step forward in the direction of open, privacy-preserving datasets of spatiotemporal trajectories.

Haiming Wang,Zhikun Zhang,Tianhao Wang,Shibo He,Michael Backes,Jiming Chen,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2210.00581

2023-01-01

Abstract:Publishing trajectory data (individual's movement information) is very useful, but it also raises privacy concerns. To handle the privacy concern, in this paper, we apply differential privacy, the standard technique for data privacy, together with Markov chain model, to generate synthetic trajectories. We notice that existing studies all use Markov chain model and thus propose a framework to analyze the usage of the Markov chain model in this problem. Based on the analysis, we come up with an effective algorithm PrivTrace that uses the first-order and second-order Markov model adaptively. We evaluate PrivTrace and existing methods on synthetic and real-world datasets to demonstrate the superiority of our method.

Qilong Han,Qianqian Chen,Kejia Zhang,Xiaojiang Du,Nadra Guizani

DOI: https://doi.org/10.48550/arXiv.1804.02052

2018-04-05

Cryptography and Security

Abstract:Collection of user's location and trajectory information that contains rich personal privacy in mobile social networks has become easier for attackers. Network traffic control is an important network system which can solve some security and privacy problems. In this paper, we consider a network traffic control system as a trusted third party and use differential privacy for protecting more personal trajectory data. We studied the influence of the high dimensionality and sparsity of trajectory data sets based on the availability of the published results. Based on similarity point aggregation reconstruction ideas and a prefix tree model, we proposed a hybrid publishing method of differential privacy spatiotemporal trajectory data sets APTB.

Hua Shen,Yu Wang,Mingwu Zhang

DOI: https://doi.org/10.3390/s23249652

2023-12-06

Abstract:With the popularity of location services and the widespread use of trajectory data, trajectory privacy protection has become a popular research area. k-anonymity technology is a common method for achieving privacy-preserved trajectory publishing. When constructing virtual trajectories, most existing trajectory k-anonymity methods just consider point similarity, which results in a large dummy trajectory space. Suppose there are n similar point sets, each consisting of m points. The size of the space is then mn. Furthermore, to choose suitable k- 1 dummy trajectories for a given real trajectory, these methods need to evaluate the similarity between each trajectory in the space and the real trajectory, leading to a large performance overhead. To address these challenges, this paper proposes a k-anonymity trajectory privacy protection method based on the similarity of sub-trajectories. This method not only considers the multidimensional similarity of points, but also synthetically considers the area between the historic sub-trajectories and the real sub-trajectories to more fully describe the similarity between sub-trajectories. By quantifying the area enclosed by sub-trajectories, we can more accurately capture the spatial relationship between trajectories. Finally, our approach generates k-1 dummy trajectories that are indistinguishable from real trajectories, effectively achieving k-anonymity for a given trajectory. Furthermore, our proposed method utilizes real historic sub-trajectories to generate dummy trajectories, making them more authentic and providing better privacy protection for real trajectories. In comparison to other frequently employed trajectory privacy protection methods, our method has a better privacy protection effect, higher data quality, and better performance.

Kaixin Sui,Youjian Zhao,Dapeng Liu,Minghua Ma,Lei Xu,Li Zimu,Dan Pei

DOI: https://doi.org/10.1109/iwqos.2016.7590444

2016-01-01

Abstract:The enterprise Wi-Fi networks enable the collection of large-scale users' mobility information at an indoor level. The collected trajectory data is very valuable for both research and commercial purposes, but the use of the trajectory data also raises serious privacy concerns. A large body of work tries to achieve k-anonymity (hiding each user in an anonymity set no smaller than k) as the first step to solve the privacy problem. Yet it has been qualitatively recognized that k-anonymity is still risky when the diversity of the sensitive information in the k-anonymity set is low. There, however, still lacks a study that provides a quantitative understanding of that risk in the trajectory dataset. In this work, we present a large-scale measurement based analysis of the low-diversity risk over four weeks of trajectory data collected from Tsinghua, a campus that covers an area of 4 km 2 , on which 2,670 access points are deployed in 111 buildings. Using this dataset, we highlight the high risk of the low diversity. For example, we find that even when 5-anonymity is satisfied, the sensitive attributes of 25% of individuals can be easily guessed. We also find that although a larger k increases the size of anonymity sets, the corresponding improvement on the diversity of anonymity sets is very limited (decayed exponentially). These results suggest that diversity-oriented solutions are necessary.

Nicholas D'Silva,Toran Shahi,Øyvind Timian Dokk Husveg,Adith Sanjeeve,Erik Buchholz,Salil S. Kanhere

2024-10-02

Abstract:Once analysed, location trajectories can provide valuable insights beneficial to various applications. However, such data is also highly sensitive, rendering them susceptible to privacy risks in the event of mismanagement, for example, revealing an individual's identity, home address, or political affiliations. Hence, ensuring that privacy is preserved for this data is a priority. One commonly taken measure to mitigate this concern is aggregation. Previous work by Xu et al. shows that trajectories are still recoverable from anonymised and aggregated datasets. However, the study lacks implementation details, obfuscating the mechanisms of the attack. Additionally, the attack was evaluated on commercial non-public datasets, rendering the results and subsequent claims unverifiable. This study reimplements the trajectory recovery attack from scratch and evaluates it on two open-source datasets, detailing the preprocessing steps and implementation. Results confirm that privacy leakage still exists despite common anonymisation and aggregation methods but also indicate that the initial accuracy claims may have been overly ambitious. We release all code as open-source to ensure the results are entirely reproducible and, therefore, verifiable. Moreover, we propose a stronger attack by designing a series of enhancements to the baseline attack. These enhancements yield higher accuracies by up to 16%, providing an improved benchmark for future research in trajectory recovery methods. Our improvements also enable online execution of the attack, allowing partial attacks on larger datasets previously considered unprocessable, thereby furthering the extent of privacy leakage. The findings emphasise the importance of using strong privacy-preserving mechanisms when releasing aggregated mobility data and not solely relying on aggregation as a means of anonymisation.

Cryptography and Security,Machine Learning

Xiaodong Zhao,Dechang Pi,Junfu Chen

DOI: https://doi.org/10.1016/j.eswa.2020.113241

IF: 8.5

2020-07-01

Expert Systems with Applications

Abstract:With the development of location-aware technology, a large amount of location data of users is collected by the trajectory database. If these trajectory data are directly used for data mining without being processed, it will pose a threat to the user's personal privacy. At the moment, differential privacy is favored by experts and scholars because of its strict mathematical rigor, but how to apply differential privacy technology to trajectory clustering analysis is a difficult problem. To solve the problems in which existing trajectory privacy-preserving models have poor data availability or difficulty to resist complex privacy attacks, we devise novel trajectory privacy-preserving method based on clustering using differential privacy. More specifically, Laplacian noise is added to the count of trajectory location in the cluster to resist the continuous query attack. Then, radius-constrained Laplacian noise is added to the trajectory location data in the cluster to avoid too much noise affecting the clustering effect. According to the noise location data and the count of noise location, the noise clustering center in the cluster is obtained. Finally, it is considered that the attacker can associate the user trajectory with other information to form secret reasoning attack, and secret reasoning attack model is proposed. And we use the differential privacy technology to give corresponding resistance. Experimental results using the open data show that the proposed algorithm can not only effectively protect the private information of the trajectory data, but also ensure the data availability in cluster analysis. And compared with other algorithms, our algorithm has good effect on some evaluation indicators.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Shuo Wang,R. Sinnott,S. Nepal

DOI: https://doi.org/10.1109/eScience.2016.7870912

2016-10-01

Abstract:Advanced data analytics have become an integral part of a number of eScience initiatives including the many challenges facing the urban sciences. Understanding the movement of people and their spatial trajectorits would greatly aid the development of policies for sustainable urban living including urban traffic analysis and smart city management. Due to the widespread popularity of mobile devices with location-aware capabilities and the extensive prevalence of location-based social networks, citizens' movements and their trajectories are being produced and gathered at an unprecedented rate. In this context, there are two fundamental issues that need to be addressed: trajectory data hold private information of citizens that require privacy preserving solutions for data release and analysis, and the heterogeneous nature of the trajectory data makes it hard to effectively measure their similarity, which is fundamental to trajectory analysis. In this paper, we address these challenges by proposing an innovative private trajectories calibration model that not only guarantees the privacy of citizens, but also increases the utility. We have conducted comprehensive experiments using real-life user trajectories extracted from Twitter data. The results reveal the effectiveness and efficiency of the proposed approach, which is also reported in this paper.

Computer Science,Environmental Science