Shouling Ji,Weiqing Li,Prateek Mittal,Xin Hu,Raheem Beyah

2015-01-01

Abstract:In this paper, we analyze and systematize the state-of-the-art graph data privacy and utility techniques. Specifically, we propose and develop SecGraph (available at [1]), a uniform and open-source Secure Graph data sharing/publishing system. In SecGraph, we systematically study, implement, and evaluate 11 graph data anonymization algorithms, 19 data utility metrics, and 15 modern Structure-based De-Anonymization (SDA) attacks. To the best of our knowledge, SecGraph is the first such system that enables data owners to anonymize data by state-of-the-art anonymization techniques, measure the data's utility, and evaluate the data's vulnerability against modern De-Anonymization (DA) attacks. In addition, SecGraph enables researchers to conduct fair analysis and evaluation of existing and newly developed anonymization/DA techniques. Leveraging SecGraph, we conduct extensive experiments to systematically evaluate the existing graph data anonymization and DA techniques. The results demonstrate that (i) most anonymization schemes can partially or conditionally preserve most graph utilities while losing some application utility; (ii) no DA attack is optimum in all scenarios. The DA performance depends on several factors, e.g., similarity between anonymized and auxiliary data, graph density, and DA heuristics; and (iii) all the state-of-the-art anonymization schemes are vulnerable to several or all of the modern SDA attacks. The degree of vulnerability of each anonymization scheme depends on how much and which data utility it preserves.

Shouling Ji,Tianyu Du,Zhen Hong,Ting Wang,Raheem Beyah

DOI: https://doi.org/10.1109/infocom.2018.8486356

2018-01-01

Abstract:In this paper, we study the correlation of graph da-ta's anonymity, utility, and de-anonymity. Our main contributions include four perspectives. First, to the best of our knowledge, we conduct the first Anonymity-Utility-De-anonymity (AUD) correlation quantification for graph data and obtain close-forms for such correlation under both a preliminary mathematical model and a general data model. Second, we integrate our AUD quantification to SecGraph [31], a recently published Secure Graph data sharing/publishing system, and extend it to Sec-Graph+. Compared to SecGraph, SecGraph+ is an improved and enhanced uniform and open-source system for comprehensively studying graph anonymization, de-anonymization, and utility evaluation. Third, based on our AUD quantification, we evaluate the anonymity, utility, and de-anonymity of 12 real world graph datasets which are generated from various computer systems and services. The results show that the achievable anonymity/de-anonymity depends on multiple factors, e.g., the preserved data utility, the quality of the employed auxiliary data. Finally, we apply our AUD quantification to evaluate the performance of state-of-the-art anonymization and de-anonymization techniques. Interestingly, we find that there is still significant space to improve state-of-the-art de-anonymization attacks. We also explicitly and quantitatively demonstrate such possible improvement space.

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby B. Lee

DOI: https://doi.org/10.1007/978-3-319-93354-2_5

2018-01-01

Abstract:An increasing amount of data are becoming publicly available over the Internet. These data are released after applying some anonymization techniques. Recently, researchers have paid significant attention to analyzing the risks of publishing privacy-sensitive data. Even if data anonymization techniques were applied to protect privacy-sensitive data, several de-anonymization attacks have been proposed to break their privacy. However, no theoretical quantification for relating the data vulnerability against de-anonymization attacks and the data utility that is preserved by the anonymization techniques exists. In this paper, we first address several fundamental open problems in the structure-based de-anonymization research by establishing a formal model for privacy breaches on anonymized data and quantifying the conditions for successful de-anonymization under a general graph model. To the best of our knowledge, this is the first work on quantifying the relationship between anonymized utility and de-anonymization capability. Our quantification works under very general assumptions about the distribution from which the data are drawn, thus providing a theoretical guide for practical de-anonymization/anonymization techniques. Furthermore, we use multiple real-world datasets including a Facebook dataset, a Collaboration dataset, and two Twitter datasets to show the limitations of the state-of-the-art de-anonymization attacks. From these experimental results, we demonstrate the ineffectiveness of previous de-anonymization attacks and the potential of more powerful de-anonymization attacks in the future, by comparing the theoretical de-anonymization capability proposed by us with the practical experimental results of the state-of-the-art de-anonymization methods.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs , ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise. The source code and employed datasets are now publicly available at SecGraph [2015].

Shouling Ji,Prateek Mittal,Raheem Beyah

DOI: https://doi.org/10.1109/comst.2016.2633620

2017-01-01

Abstract:Nowadays, many computer and communication systems generate graph data. Graph data span many different domains, ranging from online social network data from networks like Facebook to epidemiological data used to study the spread of infectious diseases. Graph data are shared regularly for many purposes including academic research and for business collaborations. Since graph data may be sensitive, data owners often use various anonymization techniques that often compromise the resulting utility of the anonymized data. To make matters worse, there are several state-of-the-art graph data de-anonymization attacks that have proven successful in recent years. In this paper, we survey the graph data anonymization, de-anonymization, and de-anonymizability quantification techniques in the past decade. Specifically, we systematically classify, summarize, and analyze state-of-the-art graph data anonymization, de-anonymization, and de-anonymizability quantification techniques. For existing graph data anonymization techniques, we classify them into six categories and analyze their utility performance with respect to 15 fundamental graph utility metrics and seven high-level application utility metrics. For existing de-anonymization attacks, we classify them into two categories and examine their performance with respect to scalability, practicability, robustness, etc. We also analyze the resistance of existing graph anonymization techniques against existing graph de-anonymizaiton attacks. For existing de-anonymizability quantifications, we classify them according to whether they consider seed information or not, and analyze them in terms of their soundness. Our analysis demonstrates that: 1) most anonymization schemes can partially or conditionally preserve most graph utility while losing some application utility and 2) state-of-the-art anonymization schemes are vulnerable to several or all of the emerging structure-based de-anonymization attacks. The actual vulnerability of each anonymization algorithm depends on how much and which data utility it preserves. Based on our summarization and analysis, we discuss the research evolution, future directions, and challenges in the research area of graph data anonymization, de-anonymization, and de-anonymizability quantification.

Shouling Ji,Weiqing Li,Neil Zhenqiang Gong,Prateek Mittal,Raheem A. Beyah

DOI: https://doi.org/10.14722/ndss.2015.23096

2015-01-01

Abstract:In this paper, we conduct the first comprehensive quantification on the perfect de-anonymizability and partial deanonymizability of real world social networks with seed information in general scenarios, where a social network can follow an arbitrary distribution model. This quantification provides the theoretical foundation for existing structure based de-anonymization attacks (e.g., [1][2][3]) and closes the gap between de-anonymization practice and theory. Besides that, our quantification can serve as a testing-stone for the effectiveness of anonymization techniques, i.e., researchers can employ our quantified structural conditions to evaluate the potential deanonymizability of the anonymized social networks. Based on our quantification, we conduct a large scale evaluation on the de-anonymizability of 24 various real world social networks by quantitatively showing: 1) the conditions for perfect and (1− ε) de-anonymization of a social network, where ε specifies the tolerated de-anonymization error, and 2) the number of users of a social network that can be successfully de-anonymized. Furthermore, we show that, both theoretically and experimentally, the overall structural information based de-anonymization attack is much more powerful than the seed knowledge-only based deanonymization attack, and even without any seed information, a social network can be perfectly or partially de-anonymized. Finally, we discuss the implications of this work. Our findings are expected to shed light on the future research in the structural data anonymization and de-anonymization area, and to help data owners evaluate their structural data vulnerability before data sharing and publishing.

Xiaofeng Ding,Cui Wang,Kim-Kwang Raymond Choo,Hai Jin

DOI: https://doi.org/10.1109/tkde.2019.2931903

IF: 9.235

2019-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:The need to efficiently store and query large scale graph datasets is evident in the growing number of data-intensive applications, particularly to maximize the mining of intelligence from these data (e.g., to inform decision making). However, directly releasing graph dataset for analysis may leak sensitive information of an individual even if the graph is anonymized, as demonstrated by the re-identification attacks on the DBpedia datasets. A key challenge in the design of graph sanitization methods is scalability, as existing execution models generally have significant memory requirements. In this paper, we propose a novel $k$<math>k</math>-decomposition algorithm and define a new information loss matrix designed for utility measurement in massively large graph datasets. We also propose a novel privacy preserving framework that can be seamlessly integrated with graph storage, anonymization, query processing, and analysis. Our experimental studies show that the proposed solution achieves privacy-preserving, utility, and efficiency.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Yi Song,Sadegh Nobari,Xuesong Lu,Panagiotis Karras,Stéphane Bressan

DOI: https://doi.org/10.1145/2095536.2095578

2013-01-01

Abstract:You are on Facebook or you are out. Of course, this assessment is controversial and its rationale arguable. It is nevertheless not far, for many of us, from the reason behind our joining social media and publishing and sharing details of our professional and private lives. Not only the personal details we may reveal but also the very structure of the networks themselves are sources of invaluable information for any organization wanting to understand and learn about social groups, their dynamics and their members. These organizations may or may not be benevolent. It is therefore important to devise, design and evaluate solutions that guarantee some privacy. One approach that attempts to reconcile the different stakeholders' requirement is the publication of a modified graph. The perturbation is hoped to be sufficient to protect members' privacy while it maintains sufficient utility for analysts wanting to study the social media as a whole. It is necessarily a compromise. In this paper we try and empirically quantify the inevitable trade-off between utility and privacy. We do so for one state-of-the-art graph anonymization algorithm that protects against most structural attacks, the k-automorphism algorithm. We measure several metrics for a series of real graphs from various social media before and after their anonymization under various settings.

Zhang Cheng,Jiang Honglu,Cheng Xiuzhen,Zhao Feng,Cai Zhipeng,Tian Zhi

DOI: https://doi.org/10.1007/s00779-019-01287-0

2019-01-01

Personal and Ubiquitous Computing

Abstract:Social networks have gained tremendous popularity recently. Millions of people use social network apps to share precious moments with friends and family. Users are often asked to provide personal information such as name, gender, and address when using social networks. However, as the social network data are collected, analyzed, and re-published at a large scale, personal information might be misused by unauthorized third parties and even attackers. Therefore, extensive research has been carried out to protect the data from privacy violations in social networks. The most popular technique is graph perturbation, which modifies the local topological structure of a social network user (a vertex) via various randomization techniques before the social graph data is published. Nevertheless, graph anonymization may affect the usability of the data as random noises are introduced, decreasing user experience. Therefore, a trade-off between privacy protection and data usability must be sought. In this paper, we employ various graph and application utility metrics to investigate this trade-off. More specifically, we conduct an empirical study by implementing five state-of-the-art anonymization algorithms to analyze the graph and application utilities on a Facebook and a Twitter dataset. Our results indicate that most anonymization algorithms can partially or conditionally preserve the graph and application utilities and any single anonymization algorithm may not always perform well on different datasets. Finally, drawing on the reviewed graph anonymization techniques, we provide a brief overview on future research directions and challenges involved therein.

Shouling Ji,Weiqing Li,Neil Zhenqiang Gong,Prateek Mittal,Raheem Beyah

DOI: https://doi.org/10.1109/tifs.2016.2529591

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we implement the first comprehensive quantification of the perfect de-anonymizability and partial de-anonymizability of real-world social networks with seed information under general scenarios, which provides the theoretical foundation for the existing structure-based de-anonymization attacks and closes the gap between de-anonymization practice and theory. Based on our quantification, we conduct a large-scale evaluation of the de-anonymizability of 24 real-world social networks by quantitatively showing the conditions for perfectly and partially de-anonymizing a social network, how de-anonymizable a social network is, and how many users of a social network can be successfully de-anonymized. Furthermore, we show that both theoretically and experimentally, the overall structural information-based de-anonymization attack can be more powerful than the seed-based de-anonymization attack, and even without any seed information, a social network can be perfectly or partially de-anonymized. Finally, we discuss the implications of this paper. Our findings are expected to shed on research questions in the areas of structural data anonymization and de-anonymization and to help data owners evaluate their structural data vulnerability before data sharing and publishing.

Wei-Han Lee,Changchang Liu,Shouling Ji,Prateek Mittal,Ruby Lee

DOI: https://doi.org/10.5220/0006192501260135

2017-01-01

Abstract:The risks of publishing privacy-sensitive data have received considerable attention recently. Several de-anonymization attacks have been proposed to re-identify individuals even if data anonymization techniques were applied. However, there is no theoretical quantification for relating the data utility that is preserved by the anonymization techniques and the data vulnerability against de-anonymization attacks. In this paper, we theoretically analyze the de-anonymization attacks and provide conditions on the utility of the anonymized data (denoted by anonymized utility) to achieve successful de-anonymization. To the best of our knowledge, this is the first work on quantifying the relationships between anonymized utility and de-anonymization capability. Unlike previous work, our quantification analysis requires no assumptions about the graph model, thus providing a general theoretical guide for developing practical de-anonymization/anonymization techniques. Furthermore, we evaluate state-of-the-art de-anonymization attacks on a real-world Facebook dataset to show the limitations of previous work. By comparing these experimental results and the theoretically achievable de-anonymization capability derived in our analysis, we further demonstrate the ineffectiveness of previous de-anonymization attacks and the potential of more powerful de-anonymization attacks in the future.

Jianwei Qian,Xiang-Yang Li,Chunhong Zhang,Linlin Chen

DOI: https://doi.org/10.1109/infocom.2016.7524578

2016-01-01

Abstract:Social network data is widely shared, transferred and published for research purposes and business interests, but it has raised much concern on users' privacy. Even though users' identity information is always removed, attackers can still de-anonymize users with the help of auxiliary information. To protect against de-anonymization attack, various privacy protection techniques for social networks have been proposed. However, most existing approaches assume specific and restrict network structure as background knowledge and ignore semantic level prior belief of attackers, which are not always realistic in practice and do not apply to arbitrary privacy scenarios. Moreover, the privacy inference attack in the presence of semantic background knowledge is barely investigated. To address these shortcomings, in this work, we introduce knowledge graphs to explicitly express arbitrary prior belief of the attacker for any individual user. The processes of de-anonymization and privacy inference are accordingly formulated based on knowledge graphs. Our experiment on data of real social networks shows that knowledge graphs can strengthen de-anonymization and inference attacks, and thus increase the risk of privacy disclosure. This suggests the validity of knowledge graphs as a general effective model of attackers' background knowledge for social network privacy preservation.

Mingxuan Yuan,Lei Chen,Hong Mei

DOI: https://doi.org/10.1016/j.datak.2013.04.006

IF: 1.5

2013-01-01

Data & Knowledge Engineering

Abstract:With the popularity of social networks, the privacy issues related with social network data become more and more important. The connection information between users, as well as their sensitive attributes, should be protected. There are some proposals studying how to publish a privacy preserving graph. However, when the algorithm which generates the published graph is known by the attacker, the current protection models may still leak some connection information. In this paper, we propose a new protection model, named Semi-Edge Anonymity to protect both user's sensitive attributes and connection information even when an attacker knows the publication algorithm. Moreover, Semi-Edge Anonymity model can plug in any state-of-the-art protection model for tabular data to protect sensitive labels. We theoretically prove that on two utilities, the possible world size and the true edge ratio, the Semi-Edge Anonymity model outperforms any clustering based model which protects links. We further conduct extensive experiments on real data sets for several other utilities. The results show that our model also has better performance on these utilities than the clustering based model.

Hanyang Yuan,Jiarong Xu,Cong Wang,Ziqi Yang,Chunping Wang,Keting Yin,Yang Yang

2024-07-26

Abstract:The public sharing of user information opens the door for adversaries to infer private data, leading to privacy breaches and facilitating malicious activities. While numerous studies have concentrated on privacy leakage via public user attributes, the threats associated with the exposure of user relationships, particularly through network structure, are often neglected. This study aims to fill this critical gap by advancing the understanding and protection against privacy risks emanating from network structure, moving beyond direct connections with neighbors to include the broader implications of indirect network structural patterns. To achieve this, we first investigate the problem of Graph Privacy Leakage via Structure (GPS), and introduce a novel measure, the Generalized Homophily Ratio, to quantify the various mechanisms contributing to privacy breach risks in GPS. Based on this insight, we develop a novel graph private attribute inference attack, which acts as a pivotal tool for evaluating the potential for privacy leakage through network structures under worst-case scenarios. To protect users' private data from such vulnerabilities, we propose a graph data publishing method incorporating a learnable graph sampling technique, effectively transforming the original graph into a privacy-preserving version. Extensive experiments demonstrate that our attack model poses a significant threat to user privacy, and our graph data publishing method successfully achieves the optimal privacy-utility trade-off compared to baselines.

Machine Learning,Social and Information Networks

Yongjiao Sun,Ye Yuan,Guoren Wang,Yurong Cheng

DOI: https://doi.org/10.1007/s10115-015-0855-2

IF: 2.7

2015-01-01

Knowledge and Information Systems

Abstract:Large amount of personal social information is collected and published due to the rapid development of social network technologies and applications, and thus, it is quite essential to take privacy preservation and prevent sensitive information leakage. Most of current anonymizing techniques focus on the preservation to privacies, but cannot provide accurate answers to utility queries even at a high price. To solve the problem, a novel anonymizing approach, called splitting anonymization, is introduced in this paper to point against the contradiction of privacy and utility. This approach provides a high-level preservation to the privacy of social network data that is unknown to attackers, which avoids the low utility caused by the enforced noises on knowledge that is already known to the attackers. Social network processed by splitting anonymization can refuse any direct attack, and these strategies are also safe enough to indirect attacks which are usually more dangerous than direct attacks. Finally, strict theoretical analysis and large amount of evaluation results based on real data sets verified the design of this paper.

Shangqi Lai,Xingliang Yuan,Shi-Feng Sun,Joseph K. Liu,Yuhong Liu,Dongxi Liu

DOI: https://doi.org/10.1145/3321705.3329803

2019-05-16

Abstract:In this paper, we propose GraphSE$^2$, an encrypted graph database for online social network services to address massive data breaches. GraphSE$^2$ preserves the functionality of social search, a key enabler for quality social network services, where social search queries are conducted on a large-scale social graph and meanwhile perform set and computational operations on user-generated contents. To enable efficient privacy-preserving social search, GraphSE$^2$ provides an encrypted structural data model to facilitate parallel and encrypted graph data access. It is also designed to decompose complex social search queries into atomic operations and realise them via interchangeable protocols in a fast and scalable manner. We build GraphSE$^2$ with various queries supported in the Facebook graph search engine and implement a full-fledged prototype. Extensive evaluations on Azure Cloud demonstrate that GraphSE$^2$ is practical for querying a social graph with a million of users.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Jianwei Qian,Xiang-Yang Li,Chunhong Zhang,Linlin Chen,Taeho Jung,Junze Han

DOI: https://doi.org/10.1109/tdsc.2017.2697854

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Social network data is widely shared, transferred and published for research purposes and business interests, but it has raised much concern on users’ privacy. Even though users’ identity information is always removed, attackers can still de-anonymize users with the help of auxiliary information. To protect against de-anonymization attack, various privacy protection techniques for social networks have been proposed. However, most existing approaches assume specific and restrict network structure as background knowledge and ignore semantic level prior belief of attackers, which are not always realistic in practice and do not apply to arbitrary privacy scenarios. Moreover, the privacy inference attack in the presence of semantic background knowledge is barely investigated. To address these shortcomings, in this work, we introduce knowledge graphs to explicitly express arbitrary prior belief of the attacker for any individual user. The processes of de-anonymization and privacy inference are accordingly formulated based on knowledge graphs. Our experiment on data of real social networks shows that knowledge graphs can power de-anonymization and inference attacks, and thus increase the risk of privacy disclosure. This suggests the validity of knowledge graphs as a general effective model of attackers’ background knowledge for social network attack and privacy preservation.

Xiang-Yang Li,Chunhong Zhang,Taeho Jung,Jianwei Qian,Linlin Chen

DOI: https://doi.org/10.1109/infocom.2016.7524584

2016-01-01

Abstract:We propose a graph-based framework for privacy preserving data publication, which is a systematic abstraction of existing anonymity approaches and privacy criteria. Graph is explored for dataset representation, background knowledge specification, anonymity operation design, as well as attack inferring analysis. The framework is designed to accommodate various datasets including social networks, relational tables, temporal and spatial sequences, and even possible unknown data models. The privacy and utility measurements of the anonymity datasets are also quantified in terms of graph features. Our experiments show that the framework is capable of facilitating privacy protection by different anonymity approaches for various datasets with desirable performance.

Chaochao Chen,Liang Li,Bingzhe Wu,Cheng Hong,Li Wang,Jun Zhou

DOI: https://doi.org/10.3233/faia200132

2020-01-01

Abstract:Nowadays, privacy preserving machine learning has been drawing much attention in both industry and academy. Meanwhile, recommender systems have been extensively adopted by many commercial platforms (e.g. Amazon) and they are mainly built based on user-item interactions. Besides, social platforms (e.g. Facebook) have rich resources of user social information. It is well known that social information, which is rich on social platforms such as Facebook, are useful to recommender systems. It is anticipated to combine the social information with the user-item ratings to improve the overall recommendation performance. Most existing recommendation models are built based on the assumptions that the social information are available. However, different platforms are usually reluctant to (or cannot) share their data due to certain concerns. In this paper, we first propose a SEcure SOcial RECommendation (SeSoRec) framework which can (1) collaboratively mine knowledge from social platform to improve the recommendation performance of the rating platform, and (2) securely keep the raw data of both platforms. We then propose a Secret Sharing based Matrix Multiplication (SSMM) protocol to optimize SeSoRec and prove its correctness and security theoretically. By applying minibatch gradient descent, SeSoRec has linear time complexities in terms of both computation and communication. The comprehensive experimental results on three real-world datasets demonstrate the effectiveness of our proposed SeSoRec and SSMM.

Shouling Ji,Weiqing Li,Mudhakar Srivatsa,Jing Selena He,Raheem Beyah

DOI: https://doi.org/10.1145/2894760

2016-01-01

ACM Transactions on Information and System Security

Abstract:When people utilize social applications and services, their privacy suffers a potential serious threat. In this article, we present a novel, robust, and effective de-anonymization attack to mobility trace data and social data. First, we design a Unified Similarity (US) measurement, which takes account of local and global structural characteristics of data, information obtained from auxiliary data, and knowledge inherited from ongoing de-anonymization results. By analyzing the measurement on real datasets, we find that some data can potentially be de-anonymized accurately and the other can be de-anonymized in a coarse granularity. Utilizing this property, we present a US-based De-Anonymization (DA) framework, which iteratively de-anonymizes data with accuracy guarantee. Then, to de-anonymize large-scale data without knowledge of the overlap size between the anonymized data and the auxiliary data, we generalize DA to an Adaptive De-Anonymization (ADA) framework. By smartly working on two core matching subgraphs, ADA achieves high de-anonymization accuracy and reduces computational overhead. Finally, we examine the presented de-anonymization attack on three well-known mobility traces: St Andrews, Infocom06, and Smallblue, and three social datasets: ArnetMiner, Google+, and Facebook. The experimental results demonstrate that the presented de-anonymization framework is very effective and robust to noise.