Chen Luo,Fei He,Dong Yan,Dan Zhang,Xin Zhou,Bow-Yaw Wang

DOI: https://doi.org/10.1109/ICSE-C.2017.120

2017-01-01

Abstract:Organizations often share business data with third-parties to perform data analytics. However, the business data may contain a lot of customers' private information. One major concern of these organizations is thus to ensure such private information is properly used. In this paper, we present PSpec, a formal language for specifying data usage restrictions in distributed data analytics. Compared with previous works, PSpec specializes in data analytics and provides explicit support for data desensitization and association to balance data privacy and utility. We moreover present redundancy and conflict analysis algorithms to help data owners write PSpec privacy policies. To evaluate PSpec we carry out a case study on TPC-DS benchmark. The results demonstrate applicability and practicality of the PSpec language.

Jinfei Liu,Li Xiong,Jun Luo,Joshua Zhexue Huang

DOI: https://doi.org/10.1145/2320765.2320819

2013-01-01

Abstract:DBSCAN is a well-known density-based clustering algorithm which offers advantages for finding clusters of arbitrary shapes compared to partitioning and hierarchical clustering methods. However, there are few papers studying the DBSCAN algorithm under the privacy preserving distributed data mining model, in which the data is distributed between two or more parties, and the parties cooperate to obtain the clustering results without revealing the data at the individual parties. In this paper, we address the problem of two-party privacy preserving DBSCAN clustering. We first propose two protocols for privacy preserving DBSCAN clustering over horizontally and vertically partitioned data respectively and then extend them to arbitrarily partitioned data. We also provide performance analysis and privacy proof of our solution.

Tsz On Li,Jianyu Jiang,Ji Qi,Chi Chiu So,Jiacheng Ma,Xusheng Chen,Tianxiang Shen,Heming Cui,Yuexuan Wang,Peng Wang

DOI: https://doi.org/10.1109/dsn48063.2020.00064

2020-01-01

Abstract:In the era of big-data, individuals and institutions store their sensitive data on clouds, and these data are often analyzed and computed by MapReduce frameworks (e.g., Spark). However, releasing the computation result on these data may leak privacy. Differential Privacy (DP) is a powerful method to preserve the privacy of an individual data record from a computation result. Given an input dataset and a query, DP typically perturbs an output value with noise proportional to sensitivity, the greatest change on an output value when a record is added to or removed from the input dataset. Unfortunately, directly computing the sensitivity value for a query and an input dataset is computationally infeasible, because it requires adding or removing every record from the dataset and repeatedly running the same query on the dataset: a dataset of one million input records requires running the same query for more than one million times. This paper presents UPA, the first automated, accurate, and efficient sensitivity inferring approach for big-data mining applications. Our key observation is that MapReduce operators often have commutative and associative properties in order to enable parallelism and fault tolerance among computers. Therefore, UPA can greatly reduce the repeated computations at runtime while computing a precise sensitivity value automatically for general big-data queries. We compared UPA with FLEX, the most relevant work that does static analysis on queries to infer sensitivity values. Based on an extensive evaluation on nine diverse Spark queries, UPA supports all the nine evaluated queries, while FLEX supports only five of the nine queries. For the five queries which both UPA and FLEX can support, UPA enforces DP with five orders of magnitude more accurate sensitivity values than FLEX. UPA has reasonable performance overhead compared to native Spark. UPA's source code is available on https://github.com/hku-systems/UPA.

Chenghong Wang,Lina Qiu,Johes Bater,Yukui Luo

2024-04-29

Abstract:Secure collaborative analytics (SCA) enable the processing of analytical SQL queries across multiple owners' data, even when direct data sharing is not feasible. Although essential for strong privacy, the large overhead from data-oblivious primitives in traditional SCA has hindered its practical adoption. Recent SCA variants that permit controlled leakages under differential privacy (DP) show a better balance between privacy and efficiency. However, they still face significant challenges, such as potentially unbounded privacy loss, suboptimal query planning, and lossy processing. To address these challenges, we introduce SPECIAL, the first SCA system that simultaneously ensures bounded privacy loss, advanced query planning, and lossless processing. SPECIAL employs a novel synopsis-assisted secure processing model, where a one-time privacy cost is spent to acquire private synopses (table statistics) from owner data. These synopses then allow SPECIAL to estimate (compaction) sizes for secure operations (e.g., filter, join) and index encrypted data without extra privacy loss. Crucially, these estimates and indexes can be prepared before runtime, thereby facilitating efficient query planning and accurate cost estimations. Moreover, by using one-sided noise mechanisms and private upper bound techniques, SPECIAL ensures strict lossless processing for complex queries (e.g., multi-join). Through a comprehensive benchmark, we show that SPECIAL significantly outperforms cutting-edge SCAs, with up to 80X faster query times and over 900X smaller memory for complex queries. Moreover, it also achieves up to an 89X reduction in privacy loss under continual processing.

Cryptography and Security,Databases

Shufan Zhang,Xi He

2023-09-19

Abstract:Recent years have witnessed the adoption of differential privacy (DP) in practical database systems like PINQ, FLEX, and PrivateSQL. Such systems allow data analysts to query sensitive data while providing a rigorous and provable privacy guarantee. However, the existing design of these systems does not distinguish data analysts of different privilege levels or trust levels. This design can have an unfair apportion of the privacy budget among the data analyst if treating them as a single entity, or waste the privacy budget if considering them as non-colluding parties and answering their queries independently. In this paper, we propose DProvDB, a fine-grained privacy provenance framework for the multi-analyst scenario that tracks the privacy loss to each single data analyst. Under this framework, when given a fixed privacy budget, we build algorithms that maximize the number of queries that could be answered accurately and apportion the privacy budget according to the privilege levels of the data analysts.

Databases

Feng Han,Lan Zhang,Hanwen Feng,Weiran Liu,Xiangyang Li

DOI: https://doi.org/10.1109/icde53745.2022.00176

2022-01-01

Abstract:Many data applications can be facilitated or even spawned by joint analysis on databases held by different owners, but privacy concerns are currently the biggest hindrance. Though a practical privacy-preserving collaborative database analytics system is strongly desired, existing approaches do not support efficient queries for several essential SQL operators such as the general join, especially on large databases. In this paper, we propose, analyze, and implement Scape, a Scalable Collaborative Analytics system on Private databasE with malicious security. In Scape, databases from different parties are secretly shared to three non-colluding computing parties. Users can perform various SQL queries (including fully functional Join, Group by, Aggregation, etc.) on shared databases, and all entities learn nothing beyond their priori knowledge during the whole execution even when they deviate from protocols. At the heart of Scape lies several asymptotically efficient SQL protocols. Particularly, our general join protocol has O (n log 2 n + m) communication/computation cost when joining two tables with o (n) rows to a table with 0 (m) rows, significantly outperforming the state-of-the-art approach with O(n 2 ) cost. The benchmark results confirm the advantages of Scape, which is up to 25 x faster than the baseline.

Guoxiu Liu,Geng Yang,Haiwei Wang,Hua Dai,Qiang Zhou

DOI: https://doi.org/10.3837/tiis.2018.07.021

2018-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the advent of database-as-a-service (DAAS) and cloud computing, more and more data owners are motivated to outsource their data to cloud database in consideration of convenience and cost. However, it has become a challenging work to provide security to database as service model in cloud computing, because adversaries may try to gain access to sensitive data, and curious or malicious administrators may capture and leak data. In order to realize privacy preservation, sensitive data should be encrypted before outsourcing. In this paper, we present a secure and practical system over encrypted cloud data, called QSDB (queryable and secure database), which simultaneously supports SQL query operations. The proposed system can store and process the floating point numbers without compromising the security of data. To balance tradeoff between data privacy protection and query processing efficiency, QSDB utilizes three different encryption models to encrypt data. Our strategy is to process as much queries as possible at the cloud server. Encryption of queries and decryption of encrypted queries results are performed at client. Experiments on the real-world data sets were conducted to demonstrate the efficiency and practicality of the proposed system.

Weibo Wang,Yifeng Zheng,Songlei Wang,Zhongyun Hua,Lei Xu,Yansong Gao

DOI: https://doi.org/10.2139/ssrn.4578349

IF: 5.105

2024-03-09

Computers & Security

Abstract:With the widespread adoption of cloud computing, there has been great popularity of storing and querying databases in the cloud. However, comes with such service outsourcing are critical data privacy concerns, as the cloud providers are generally not in the same trust domain as the data owners/users and could even suffer from data breaches. In this paper, different from most existing works that propose security designs for keyword search, we focus on secure realizations of advanced skyline query processing, which plays an important role in multi-criteria decision support applications. We propose BopSkyline, a new system framework for privacy-preserving skyline query service in cloud computing. BopSkyline is designed to not only ensure the confidentiality of outsourced databases, skyline queries, and query results, but also conceal data patterns (like the dominance relationships among database tuples) and search access patterns that may indirectly lead to data leakages. Notably, through a delicate synergy of key ideas on secure database shuffling and differentially private database padding, BopSkyline achieves a significant performance boost over the state-of-the-art. Extensive experiments demonstrate that compared with the state-of-the-art prior work, BopSkyline is up to 4.7× better in query latency and achieves up to 99.38% cost savings in communication.

computer science, information systems

Daniele Dell'Aglio,Abraham Bernstein

DOI: https://doi.org/10.1145/3366423.3380265

2020-04-19

Abstract:Data often contains sensitive information, which poses a major obstacle to publishing it. Some suggest to obfuscate the data or only releasing some data statistics. These approaches have, however, been shown to provide insufficient safeguards against de-anonymisation. Recently, differential privacy (DP), an approach that injects noise into the query answers to provide statistical privacy guarantees, has emerged as a solution to release sensitive data. This study investigates how to continuously release privacy-preserving histograms (or distributions) from online streams of sensitive data by combining DP and semantic web technologies. We focus on distributions, as they are the basis for many analytic applications. Specifically, we propose SihlQL, a query language that processes RDF streams in a privacy-preserving fashion. SihlQL builds on top of SPARQL and the w-event DP framework. We show how some peculiarities of w-event privacy constrain the expressiveness of SihlQL queries. Addressing these constraints, we propose an extension of w-event privacy that provides answers to a larger class of queries while preserving their privacy. To evaluate SihlQL, we implemented a prototype engine that compiles queries to Apache Flink topologies and studied its privacy properties using real-world data from an IPTV provider and an online e-commerce web site.

Royce J Wilson,Celia Yuxin Zhang,William Lam,Damien Desfontaines,Daniel Simmons-Marengo,Bryant Gipson

DOI: https://doi.org/10.2478/popets-2020-0025

2020-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Differential privacy (DP) provides formal guarantees that the output of a database query does not reveal too much information about any individual present in the database. While many differentially private algorithms have been proposed in the scientific literature, there are only a few end-to-end implementations of differentially private query engines. Crucially, existing systems assume that each individual is associated with at most one database record, which is unrealistic in practice. We propose a generic and scalable method to perform differentially private aggregations on databases, even when individuals can each be associated with arbitrarily many rows. We express this method as an operator in relational algebra, and implement it in an SQL engine. To validate this system, we test the utility of typical queries on industry benchmarks, and verify its correctness with a stochastic test framework we developed. We highlight the promises and pitfalls learned when deploying such a system in practice, and we publish its core components as open-source software.

English Else

Tianpei Lu,Bingsheng Zhang,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2023.3284565

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Privacy concerns often raise when sensitive data are collected, traded, and processed. The data owner typically loses her ultimate control of the data after data-outsourcing. In this work, we present the PrivData Network – a community-controlled privacy-preserving data factory and trading market. It can be viewed as a standalone data ecosystem that enables privacy-preserving data-driven workflows in a controlled environment for orchestrating and automating data movement and data transformation. In particular, we design a data encapsulation mechanism with privacy assurance, which can guarantee data privacy, usage policy compliance and metadata validity. We also design a privacy policy language and utilize a static analysis library that transfers the program to the defined policy language. To ensure the correctness of data processing, we propose a publicly verifiable secure multiparty computation protocol for mixed circuits, which guarantees the output correctness even if all parties are corrupted. Its online efficiency is comparable to conventional semi-honest secret-sharing-based MPC schemes. Finally, we implemented a prototype of our system in C++ and benchmark it on various tasks, such as biometric matching, logistic regression, and decision trees, etc.

Bing Zhang,Vadym Doroshenko,Peter Kairouz,Thomas Steinke,Abhradeep Thakurta,Ziyin Ma,Eidan Cohen,Himani Apte,Jodi Spacek

2024-07-13

Abstract:We design, to the best of our knowledge, the first differentially private (DP) stream aggregation processing system at scale. Our system -- Differential Privacy SQL Pipelines (DP-SQLP) -- is built using a streaming framework similar to Spark streaming, and is built on top of the Spanner database and the F1 query engine from Google. Towards designing DP-SQLP we make both algorithmic and systemic advances, namely, we (i) design a novel (user-level) DP key selection algorithm that can operate on an unbounded set of possible keys, and can scale to one billion keys that users have contributed, (ii) design a preemptive execution scheme for DP key selection that avoids enumerating all the keys at each triggering time, and (iii) use algorithmic techniques from DP continual observation to release a continual DP histogram of user contributions to different keys over the stream length. We empirically demonstrate the efficacy by obtaining at least $16\times$ reduction in error over meaningful baselines we consider. We implemented a streaming differentially private user impressions for Google Shopping with DP-SQLP. The streaming DP algorithms are further applied to Google Trends.

Cryptography and Security,Databases

Ning Cao,Zhenyu Yang,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/ICDCS.2011.84

2011-01-01

Abstract:In the emerging cloud computing paradigm, data owners become increasingly motivated to outsource their complex data management systems from local sites to the commercial public cloud for great flexibility and economic savings. For the consideration of users' privacy, sensitive data have to be encrypted before outsourcing, which makes effective data utilization a very challenging task. In this paper, for the first time, we define and solve the problem of privacy-preserving query over encrypted graph-structured data in cloud computing (PPGQ), and establish a set of strict privacy requirements for such a secure cloud data utilization system to become a reality. Our work utilizes the principle of "filtering-and-verification". We prebuild a feature-based index to provide feature-related information about each encrypted data graph, and then choose the efficient inner product as the pruning tool to carry out the filtering procedure. To meet the challenge of supporting graph query without privacy breaches, we propose a secure inner product computation technique, and then improve it to achieve various privacy requirements under the known-background threat model.

Jeremy Seeman,William Sexton,David Pujol,Ashwin Machanavajjhala

2023-10-19

Abstract:We consider the problem of the private release of statistics (like aggregate payrolls) where it is critical to preserve the contribution made by a small number of outlying large entities. We propose a privacy formalism, per-record zero concentrated differential privacy (PzCDP), where the privacy loss associated with each record is a public function of that record's value. Unlike other formalisms which provide different privacy losses to different records, PzCDP's privacy loss depends explicitly on the confidential data. We define our formalism, derive its properties, and propose mechanisms which satisfy PzCDP that are uniquely suited to publishing skewed or heavy-tailed statistics, where a small number of records contribute substantially to query answers. This targeted relaxation helps overcome the difficulties of applying standard DP to these data products.

Databases,Cryptography and Security

Jianwei Qian,Fudong Qiu,Fan Wu,Na Ruan,Guihai Chen,Shaojie Tang

DOI: https://doi.org/10.1109/tc.2016.2595562

IF: 3.183

2016-01-01

IEEE Transactions on Computers

Abstract:Tons of online user behavior data are being generated every day on the booming and ubiquitous Internet. Growing efforts have been devoted to mining the abundant behavior data to extract valuable information for research purposes or business interests. However, online users’ privacy is thus under the risk of being exposed to third-parties. The last decade has witnessed a body of research works trying to perform data aggregation in a privacy-preserving way. Most of existing methods guarantee strong privacy protection yet at the cost of very limited aggregation operations, such as allowing only summation, which hardly satisfies the need of behavior analysis. In this paper, we propose a scheme PPSA, which encrypts users’ sensitive data to prevent privacy disclosure from both outside analysts and the aggregation service provider, and fully supports selective aggregate functions for online user behavior analysis while guaranteeing differential privacy. We have implemented our method and evaluated its performance using a trace-driven evaluation based on a real online behavior dataset. Experiment results show that our scheme effectively supports both overall aggregate queries and various selective aggregate queries with acceptable computation and communication overheads.

Jeremy Seeman,William Sexton,David Pujol,Ashwin Machanavajjhala

DOI: https://doi.org/10.14778/3681954.3681989

IF: 2.5

2024-07-01

Proceedings of the VLDB Endowment

Abstract:We consider the problem of the private release of statistics (like payroll) where it is critical to preserve the contribution made by a small number of outlying large entities. We propose a privacy formalism, per-record zero concentrated differential privacy (PzCDP), where the privacy loss associated with each record is a public function of that record's value. Unlike other formalisms which provide different privacy losses to different records, PzCDP's privacy loss depends explicitly on the confidential data. We define our formalism, derive its properties, and propose mechanisms which satisfy PzCDP that are uniquely suited to publishing skewed or heavy-tailed statistics, where a small number of records contribute substantially to query answers. This targeted relaxation helps overcome the difficulties of applying standard DP to these data products.

computer science, information systems, theory & methods

Pengfei Wu,Qi Li,Jianting Ning,Xinyi Huang,Wei Wu

DOI: https://doi.org/10.1109/tdsc.2021.3106317

2022-01-01

Abstract:A privacy-preserving data analytics system enables a cloud user to perform the distributed job in a secure manner such that the data privacy can be guaranteed during the cloud-outsourced computation. However, many SGX-based solutions are vulnerable to some side-channel attacks, including the access pattern leakage from both network and memory. Several data-oblivious algorithms with full obliviousness have been proposed in the literature, but they are impractical to be used in the cloud due to the expensive computational overhead. In this article, we propose a DPSpark system with the security defined in a notion of $(\epsilon,\delta)$ -differentially private obliviousness ( $(\epsilon,\delta)$ -DPO), which relaxes full obliviousness to enable an efficiency improvement. Based on this definition, we present a perturbation-shuffle-analysis (PSA) computing architecture and design several typical differentially oblivious operators. In further, we optimize the system efficiency by reducing the number of oblivious shuffles and choosing an appropriate privacy budget. Finally, we benchmark the system in different parameters. The experimental results show that DPSpark significantly outperforms two state-of-the-art solutions, only with 10.1-85.4 percent additional overhead performing an SGX-based data analysis application.

Taeho Jung,Junze Han,Xiang-Yang Li

DOI: https://doi.org/10.1109/tdsc.2016.2577034

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Third-party analysis on private records is becoming increasingly important due to the widespread data collection for various analysis purposes. However, the data in its original form often contains sensitive information about individuals, and its publication will severely breach their privacy. In this paper, we present a novel Privacy-preserving Data Analytics framework PDA, which allows a third-party aggregator to obliviously conduct many different types of polynomial-based analysis on private data records provided by a dynamic sub-group of users. Notably, every user needs to keep only $O(n)$ keys to join data analysis among $O(2^n)$ different groups of users, and any data analysis that is represented by polynomials is supported by our framework. Besides, a real implementation shows the performance of our framework is comparable to the peer works who present ad-hoc solutions for specific data analysis applications. Despite such nice properties of PDA, it is provably secure against a very powerful attacker (chosen-plaintext attack) even in the Dolev-Yao network model where all communication channels are insecure.

Chen Luo,Fei He

DOI: https://doi.org/10.1007/s11704-016-6049-6

IF: 2.6688

2018-01-01

Frontiers of Computer Science

Abstract:Differential privacy enables sensitive data to be analyzed in a privacy-preserving manner. In this paper, we focus on the online setting where each analyst is assigned a privacy budget and queries the data interactively. However, existing differentially private data analytics systems such as PINQ process each query independently, which may cause an unnecessary waste of the privacy budget. Motivated by this, we present a satisfiability modulo theories (SMT)-based query tracking approach to reduce the privacy budget usage. In brief, our approach automatically locates past queries that access disjoint parts of the dataset with respect to the current query to save the privacy cost using the SMT solving techniques. To improve efficiency, we further propose an optimization based on explicitly specified column ranges to facilitate the search process. We have implemented a prototype of our approach with Z3, and conducted several sets of experiments. The results show our approach can save a considerable amount of the privacy budget and each query can be tracked efficiently within milliseconds.

Meikang Qiu,Keke Gai,Hui Zhao,Meiqin Liu

DOI: https://doi.org/10.1002/cpe.4278

2017-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryThe recent booming development of cloud computing has enabled a dramatical revolution for current enterprises to create values. Numerous benefits of utilizing cloud services are enhancing the efficiency of improving or creating new businesses. This trend is also associated with the rapid growth of the wireless networks, such as 5G. However, the great increase of deploying clouds also leads to new concerns in data security. One of the major concerns is private leakage that derives from insiders' malicious operations or attacks. This problem has raised a great restriction for financial firms to execute cloud applications. Focusing on this issue, we propose a new solution, entitled Privacy‐Preserving Smart Storage (PS2) model that targets at solving the privacy leakage problems within the existing threat models. The proposed approach uses a novel distributed data storage method to prevent financial enterprises from insiders' massive data mining‐based attacks.