Jinfei Liu,Jun Luo,Joshua Zhexue Huang

DOI: https://doi.org/10.1109/icdmw.2011.144

2011-01-01

Abstract:Motivated by the insufficiency of the existing framework that could not process multiple attributes with different sensitivity requirements on modeling real world privacy requirements for data publishing, we present a novel method, rating, for publishing sensitive data. Rating releases AT (Attribute Table) and IDT (ID Table) based on different sensitivity coefficients for different attributes. This approach not only protects privacy for multiple sensitive attributes, but also keeps a large amount of correlations of the micro data. We develop algorithms for computing AT and IDT that obey the privacy requirements for multiple sensitive attributes, and maximize the utility of published data as well. We prove both theoretically and experimentally that our method has better performance than the conventional privacy preserving methods on protecting privacy and maximizing the utility of published data. To quantify the utility of published data, we propose a new measurement named classification measurement.

Adrian Tobar Nicolau,Javier Parra-Arnau,Jordi Forné,Adrián Tobar Nicolau

DOI: https://doi.org/10.1109/access.2024.3368852

IF: 3.9

2024-03-19

IEEE Access

Abstract:Continuous data publishing aims to anonymise the next publication of changing microdata while preserving privacy. The microdata can change between publications via additions, deletions, insertions, and updates. There are numerous proposals for different database types, adversaries, attacks, and notions. However, many anonymization algorithms include notions of privacy and adversarial models that are specific to the context, with their own terminology and notation. Unfortunately, these proposals are difficult to generalize or translate them to other contexts complicating their understanding and comparison. To address these issues, we propose a taxonomy of anonymization technologies, compare existing solutions, and develop a unifying framework that not only harmonizes concepts and terminology but also notation and nomenclature. We analyze the current state of the art and recent advances in the literature. The analysis enables us to understand the significance and appropriateness of the various proposals in achieving privacy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chaobin Liu,Shixi Chen,Shuigeng Zhou,Jihong Guan,Yao Ma

DOI: https://doi.org/10.1016/j.ins.2019.06.022

IF: 8.1

2019-01-01

Information Sciences

Abstract:Privacy has received increasing concerns in publication of datasets that contain sensitive information. Preventing privacy disclosure and providing useful information to legitimate users for data mining are conflicting goals. Generalization and randomized response methods were proposed in database community to tackle this problem. However, both of them have postulated the same prior belief for all transactions, which might be wrong modeling and lead to privacy breach. Besides, generalization and randomized response methods usually require a privacy controlling parameter to control the tradeoff between privacy and data quality, which may put the data publishers in a dilemma. In this paper, a novel privacy preserving method for data publication is proposed based on conditional probability distribution and machine learning techniques, which can achieve different prior beliefs for different transactions. A basic cross sampling algorithm and a complete cross sampling algorithm are designed respectively for the settings of single sensitive attribute and multiple sensitive attributes, and an improved complete algorithm is developed by using Gibbs sampling, in order to enhance data utility when data are not sufficient. Our method can offer stronger privacy guarantee, while, as shown in the extensive experiments, retaining better data utility. (C) 2019 The Authors. Published by Elsevier Inc.

Qiong Wei,Yan-sheng Lu,Lei Zou

DOI: https://doi.org/10.1631/jzus.a071595

2008-01-01

Journal of Zhejiang University SCIENCE A

Abstract:This paper presents a novel privacy principle, ɛ-inclusion, for re-publishing sensitive dynamic datasets. ɛ-inclusion releases all the quasi-identifier values directly and uses permutation-based method and substitution to anonymize the microdata. Combined with generalization-based methods, ɛ-inclusion protects privacy and captures a large amount of correlation in the microdata. We develop an effective algorithm for computing anonymized tables that obey the ɛ-inclusion privacy requirement. Extensive experiments confirm that our solution allows significantly more effective data analysis than generalization-based methods.

Joshua Snoke,Aleksandra Slavković

DOI: https://doi.org/10.48550/arXiv.1805.09392

2018-05-24

Abstract:We propose a method for the release of differentially private synthetic datasets. In many contexts, data contain sensitive values which cannot be released in their original form in order to protect individuals' privacy. Synthetic data is a protection method that releases alternative values in place of the original ones, and differential privacy (DP) is a formal guarantee for quantifying the privacy loss. We propose a method that maximizes the distributional similarity of the synthetic data relative to the original data using a measure known as the pMSE, while guaranteeing epsilon-differential privacy. Additionally, we relax common DP assumptions concerning the distribution and boundedness of the original data. We prove theoretical results for the privacy guarantee and provide simulations for the empirical failure rate of the theoretical results under typical computational limitations. We also give simulations for the accuracy of linear regression coefficients generated from the synthetic data compared with the accuracy of non-differentially private synthetic data and other differentially private methods. Additionally, our theoretical results extend a prior result for the sensitivity of the Gini Index to include continuous predictors.

Methodology

Wenjun Lin,Jiahao Qian,Wenwen Liu,Lang Wu

2023-12-19

Abstract:The exponential growth of collected, processed, and shared data has given rise to concerns about individuals' privacy. Consequently, various laws and regulations have been established to oversee how organizations handle and safeguard data. One such method is Statistical Disclosure Control, which aims to minimize the risk of exposing confidential information by de-identifying it. This de-identification is achieved through specific privacy-preserving techniques. However, a trade-off exists: de-identified data can often lead to a loss of information, which might impact the accuracy of data analysis and the predictive capability of models. The overarching goal remains to safeguard individual privacy while preserving the data's interpretability, meaning its overall usefulness. Despite advances in Statistical Disclosure Control, the field continues to evolve, with no definitive solution that strikes an optimal balance between privacy and utility. This survey delves into the intricate processes of de-identification. We outline the current privacy-preserving techniques employed in microdata de-identification, delve into privacy measures tailored for various disclosure scenarios, and assess metrics for information loss and predictive performance. Herein, we tackle the primary challenges posed by privacy constraints, overview predominant strategies to mitigate these challenges, categorize privacy-preserving techniques, offer a theoretical assessment of current comparative research, and highlight numerous unresolved issues in the domain.

Cryptography and Security

Feng Li,Shuigeng Zhou

DOI: https://doi.org/10.48550/arXiv.0806.4703

2008-07-24

Abstract:Most existing anonymization work has been done on static datasets, which have no update and need only one-time publication. Recent studies consider anonymizing dynamic datasets with external updates: the datasets are updated with record insertions and/or deletions. This paper addresses a new problem: anonymous re-publication of datasets with internal updates, where the attribute values of each record are dynamically updated. This is an important and challenging problem for attribute values of records are updating frequently in practice and existing methods are unable to deal with such a situation. We initiate a formal study of anonymous re-publication of dynamic datasets with internal updates, and show the invalidation of existing methods. We introduce theoretical definition and analysis of dynamic datasets, and present a general privacy disclosure framework that is applicable to all anonymous re-publication problems. We propose a new counterfeited generalization principle alled m-Distinct to effectively anonymize datasets with both external updates and internal updates. We also develop an algorithm to generalize datasets to meet m-Distinct. The experiments conducted on real-world data demonstrate the effectiveness of the proposed solution.

Databases

Li Kuang,Yujia Zhu,Shuqi Li,Xuejin Yan,Han Yan,Shuiguang Deng

DOI: https://doi.org/10.1155/2018/3486529

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:With the rapid development of sensor acquisition technology, more and more data are collected, analyzed, and encapsulated into application services. However, most of applications are developed by untrusted third parties. Therefore, it has become an urgent problem to protect users’ privacy in data publication. Since the attacker may identify the user based on the combination of user’s quasi-identifiers and the fewer quasi-identifier fields result in a lower probability of privacy leaks, therefore, in this paper, we aim to investigate an optimal number of quasi-identifier fields under the constraint of trade-offs between service quality and privacy protection. We first propose modelling the service development process as a cooperative game between the data owner and consumers and employing the Stackelberg game model to determine the number of quasi-identifiers that are published to the data development organization. We then propose a way to identify when the new data should be learned, as well, a way to update the parameters involved in the model, so that the new strategy on quasi-identifier fields can be delivered. The experiment first analyses the validity of our proposed model and then compares it with the traditional privacy protection approach, and the experiment shows that the data loss of our model is less than that of the traditional k-anonymity especially when strong privacy protection is applied.

Fragkiskos Koufogiannis,Shuo Han,George J. Pappas

DOI: https://doi.org/10.29012/jpc.v7i2.649

2017-01-12

Journal of Privacy and Confidentiality

Abstract:We introduce the problem of releasing private data under differential privacy when the privacy level is subject to change over time. Existing work assumes that privacy level is determined by the system designer as a fixed value before private data is released. For certain applications, however, users may wish to relax the privacy level for subsequent releases of the same data after either a re-evaluation of the privacy concerns or the need for better accuracy. Specifically, given a database containing private data, we assume that a response y1 that preserves \( \epsilon _1\)-differential privacy has already been published. Then, the privacy level is relaxed to \( \epsilon _2\), with \( \epsilon _2 > \epsilon _1\), and we wish to publish a more accurate response y2 while the joint response (y1,y2) preserves \( \epsilon _2\)-differential privacy. How much accuracy is lost in the scenario of gradually releasing two responses y1 and y2 compared to the scenario of releasing a single response that is \( \epsilon _2\)-differentially private? Our results consider the more general case with multiple privacy level relaxations and show that there exists a composite mechanism that achieves no loss in accuracy. We consider the case in which the private data lies within Rn with an adjacency relation induced by the \( \ell _1\)-norm, and we initially focus on mechanisms that approximate identity queries. We show that the same accuracy can be achieved in the case of gradual release through a mechanism whose outputs can be described by a lazy Markov stochastic process. This stochastic process has a closed form expression and can be efficiently sampled. Moreover, our results extend beyond identity queries to a more general family of privacy-preserving mechanisms. To this end, we demonstrate the applicability of our tool to multiple scenarios including Google’s project RAPPOR, trading of private data, and controlled transmission of private data in a social network. Finally, we derive similar results for the approximated differential privacy.

English Else

Marmar Orooji,Gerald M. Knapp

DOI: https://doi.org/10.48550/arXiv.1901.00716

2019-01-08

Abstract:In Privacy Preserving Data Publishing, various privacy models have been developed for employing anonymization operations on sensitive individual level datasets, in order to publish the data for public access while preserving the privacy of individuals in the dataset. However, there is always a trade-off between preserving privacy and data utility; the more changes we make on the confidential dataset to reduce disclosure risk, the more information the data loses and the less data utility it preserves. The optimum privacy technique is the one that results in a dataset with minimum disclosure risk and maximum data utility. In this paper, we propose an improved suppression method, which reduces the disclosure risk and enhances the data utility by targeting the highest risk records and keeping other records intact. We have shown the effectiveness of our approach through an experiment on a real-world confidential dataset.

Databases,Cryptography and Security

Mingzheng Wang,Zhengrui Jiang,Yu Zhang,Haifang Yang

DOI: https://doi.org/10.1287/ijoc.2017.0791

2018-01-01

Abstract:Privacy-preserving data publishing has received much attention in recent years. Prior studies have developed various algorithms such as generalization, anatomy, and L-diversity slicing to protect individuals’ privacy when transactional data are published for public use. These existing algorithms, however, all have certain limitations. For instance, generalization protects identity privacy well but loses a considerable amount of information. Anatomy prevents attribute disclosure and lowers information loss, but fails to protect membership privacy. The more recent probability L-diversity slicing algorithm overcomes some shortcomings of generalization and anatomy, but cannot shield data from more subtle types of attacks such as skewness attack and similarity attack. To meet the demand of data owners with high privacy-preserving requirement, this study develops a novel method named t-closeness slicing (TCS) to better protect transactional data against various attacks. The time complexity of TCS is log-linear, hence the algorithm scales well with large data. We conduct experiments using three transactional data sets and find that TCS not only effectively protects membership privacy, identity privacy, and attribute privacy, but also preserves better data utility than benchmarking algorithms.The online supplement is available at https://doi.org/10.1287/ijoc.2017.0791 .

Matthieu Meeus,Florent Guépin,Ana-Maria Cretu,Yves-Alexandre de Montjoye

DOI: https://doi.org/10.1007/978-3-031-51476-0_19

2023-09-21

Abstract:Synthetic data is seen as the most promising solution to share individual-level data while preserving privacy. Shadow modeling-based Membership Inference Attacks (MIAs) have become the standard approach to evaluate the privacy risk of synthetic data. While very effective, they require a large number of datasets to be created and models trained to evaluate the risk posed by a single record. The privacy risk of a dataset is thus currently evaluated by running MIAs on a handful of records selected using ad-hoc methods. We here propose what is, to the best of our knowledge, the first principled vulnerable record identification technique for synthetic data publishing, leveraging the distance to a record's closest neighbors. We show our method to strongly outperform previous ad-hoc methods across datasets and generators. We also show evidence of our method to be robust to the choice of MIA and to specific choice of parameters. Finally, we show it to accurately identify vulnerable records when synthetic data generators are made differentially private. The choice of vulnerable records is as important as more accurate MIAs when evaluating the privacy of synthetic data releases, including from a legal perspective. We here propose a simple yet highly effective method to do so. We hope our method will enable practitioners to better estimate the risk posed by synthetic data publishing and researchers to fairly compare ever improving MIAs on synthetic data.

Cryptography and Security,Artificial Intelligence

Boyu Li,Jianfeng Ma,Junhua Xi,Lili Zhang,Tao Xie,Tongfei Shang

2024-03-29

Abstract:We study the anonymization technique of k-anonymity family for preserving privacy in the publication of microdata. Although existing approaches based on generalization can provide good enough protections, the generalized table always suffers from considerable information loss, mainly because the distributions of QI (Quasi-Identifier) values are barely preserved and the results of query statements are groups rather than specific tuples. To this end, we propose a novel technique, called the Mutual Cover (MuCo), to prevent the adversary from matching the combination of QI values in published microdata. The rationale is to replace some original QI values with random values according to random output tables, making similar tuples to cover for each other with the minimum cost. As a result, MuCo can prevent both identity disclosure and attribute disclosure while retaining the information utility more effectively than generalization. The effectiveness of MuCo is verified with extensive experiments.

Cryptography and Security

Honglu Jiang,S M Sarwar,Haotian Yu,Sheikh Ariful Islam

DOI: https://doi.org/10.48550/arXiv.2112.07061

2021-12-14

Abstract:Conventional private data publication mechanisms aim to retain as much data utility as possible while ensuring sufficient privacy protection on sensitive data. Such data publication schemes implicitly assume that all data analysts and users have the same data access privilege levels. However, it is not applicable for the scenario that data users often have different levels of access to the same data, or different requirements of data utility. The multi-level privacy requirements for different authorization levels pose new challenges for private data publication. Traditional PPDP mechanisms only publish one perturbed and private data copy satisfying some privacy guarantee to provide relatively accurate analysis results. To find a good tradeoff between privacy preservation level and data utility itself is a hard problem, let alone achieving multi-level data utility on this basis. In this paper, we address this challenge in proposing a novel framework of data publication with compressive sensing supporting multi-level utility-privacy tradeoffs, which provides differential privacy. Specifically, we resort to compressive sensing (CS) method to project a $n$-dimensional vector representation of users' data to a lower $m$-dimensional space, and then add deliberately designed noise to satisfy differential privacy. Then, we selectively obfuscate the measurement vector under compressive sensing by adding linearly encoded noise, and provide different data reconstruction algorithms for users with different authorization levels. Extensive experimental results demonstrate that ML-DPCS yields multi-level of data utility for specific users at different authorization levels.

Cryptography and Security

Jingyu Hua,An Tang,Yixin Fang,Zhenyu Shen,Sheng Zhong

DOI: https://doi.org/10.1109/tifs.2016.2532839

IF: 7.231

2016-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In the problem of privacy-preserving collaborative data publishing, a central data publisher is responsible for aggregating sensitive data from multiple parties and then anonymizing it before publishing for data mining. In such scenarios, the data users may have a strong demand to measure the utility of the published data, since most anonymization techniques have side effects on data utility. Nevertheless, this task is non-trivial, because the utility measuring usually requires the aggregated raw data, which is not revealed to the data users due to privacy concerns. Furthermore, the data publishers may even cheat in the raw data, since no one, including the individual providers, knows the full data set. In this paper, we first propose a privacy-preserving utility verification mechanism based upon cryptographic technique for DiffPart-a differentially private scheme designed for set-valued data. This proposal can measure the data utility based upon the encrypted frequencies of the aggregated raw data instead of the plain values, which thus prevents privacy breach. Moreover, it is enabled to privately check the correctness of the encrypted frequencies provided by the publisher, which helps detect dishonest publishers. We also extend this mechanism to DiffGen-another differentially private publishing scheme designed for relational data. Our theoretical and experimental evaluations demonstrate the security and efficiency of the proposed mechanism.

Tânia Carvalho,Nuno Moniz,Pedro Faria,Luís Antunes

DOI: https://doi.org/10.48550/arXiv.2201.08120

2022-01-20

Abstract:The exponential growth of collected, processed, and shared microdata has given rise to concerns about individuals' privacy. As a result, laws and regulations have emerged to control what organisations do with microdata and how they protect it. Statistical Disclosure Control seeks to reduce the risk of confidential information disclosure by de-identifying them. Such de-identification is guaranteed through privacy-preserving techniques. However, de-identified data usually results in loss of information, with a possible impact on data analysis precision and model predictive performance. The main goal is to protect the individuals' privacy while maintaining the interpretability of the data, i.e. its usefulness. Statistical Disclosure Control is an area that is expanding and needs to be explored since there is still no solution that guarantees optimal privacy and utility. This survey focuses on all steps of the de-identification process. We present existing privacy-preserving techniques used in microdata de-identification, privacy measures suitable for several disclosure types and, information loss and predictive performance measures. In this survey, we discuss the main challenges raised by privacy constraints, describe the main approaches to handle these obstacles, review taxonomies of privacy-preserving techniques, provide a theoretical analysis of existing comparative studies, and raise multiple open issues.

Cryptography and Security

Zhihui Wang,Yishan Liu,Yuliang Ni

DOI: https://doi.org/10.1007/978-981-97-7241-4_9

2024-01-01

Abstract:Privacy-preserving data publishing is an important problem that has been the focus of extensive study. The state-of-the-art way for this problem is Local Differential Privacy (LDP), which can protect individual user's privacy without relying on a trusted third party. However, the existing LDP-based works perform poorly in the setting of data publishing; even worse, some of them may incur very expensive computational overheads and also reduce greatly the utility of published data. In this paper, we propose a local differential privacy approach, LDPrivBayes, for publishing synthetic data, which improves the previous work and performs consistently better than existing approaches. We conduct extensive experiments on the different datasets. Experimental results demonstrate the effectiveness of our approach over the existing approaches.

Zhiqiang Gao,Yutao Wang,Yanyu Duan,Yun Wang,Zhensheng Peng

DOI: https://doi.org/10.1504/ijica.2018.092587

2018-01-01

International Journal of Innovative Computing and Applications

Abstract:Policedata is an important source of social media data and can be regarded as a technical assistance to increase government accountability and transparency. Notably, it contains large amounts of personal private information that should be preserved deliberately. However, sharing and publishing policedata through private or public cloud infrastructure are still faced with tremendously potential threats and challenges recently. Unfortunately, existing researches regarding privacy preserving data publishing (PPDP) fail to cope with the aforementioned problems. Our work aims to propose a systematic multi-level privacy preserving data publishing (ML-PPDP) architecture. Moreover, a personalised multi-level privacy preserving (pML-PPDP) mechanism that developed from the combination of k-anonymity, l-diversity, t-closeness and differential privacy is designed for policedata publishing. Our solution authorised users with different privileges to different privacy-preserving levels. Experimental results of pML-PPDP mechanism on datasets collected from policedata website are implemented under our proposed ML-PPDP architecture with satisfactory trade-off between privacy and utility.

Mangesh Gupte,Mukund Sundararajan

DOI: https://doi.org/10.48550/arXiv.1001.2767

2010-01-16

Abstract:A scheme that publishes aggregate information about sensitive data must resolve the trade-off between utility to information consumers and privacy of the database participants. Differential privacy is a well-established definition of privacy--this is a universal guarantee against all attackers, whatever their side-information or intent. In this paper, we present a universal treatment of utility based on the standard minimax rule from decision theory (in contrast to the utility model in, which is Bayesian). In our model, information consumers are minimax (risk-averse) agents, each possessing some side-information about the query, and each endowed with a loss-function which models their tolerance to inaccuracies. Further, information consumers are rational in the sense that they actively combine information from the mechanism with their side-information in a way that minimizes their loss. Under this assumption of rational behavior, we show that for every fixed count query, a certain geometric mechanism is universally optimal for all minimax information consumers. Additionally, our solution makes it possible to release query results at multiple levels of privacy in a collusion-resistant manner.

Cryptography and Security,Databases,Data Structures and Algorithms

Xiao Han,Yuncong Yang,Junjie Wu,Hui Xiong

DOI: https://doi.org/10.1109/tkde.2023.3331568

IF: 9.235

2023-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Minimizing privacy leakage while ensuring data utility is a critical problem in a privacy-preserving data publishing task, from which data holders can boost platform engagements or enlarge data values. Most prior research concerned only with either privacy-insensitive or exact private data and resorts to a single obscuring method to achieve a privacy-utility tradeoff, which is inadequate for real-life hybrid data especially when facing machine learning-based inference attacks. This work takes a pilot study on privacy-preserving data publishing when both widely adopted generalization and obfuscation operations are employed for privacy-heterogeneous data protection. Specifically, we first propose novel measures for privacy and utility values quantification and formulate the hybrid privacy-preserving data obscuring problem to account for the joint effect of generalization and obfuscation. We then design a novel protection mechanism called HyObscure, which decomposes the original problem into three sub-problems to cross-iteratively optimize the hybrid operations for maximum privacy protection under a certain data utility guarantee. The convergence of the iterative process and the privacy leakage bound of HyObscure are also provided in theory. Extensive experiments demonstrate that HyObscure significantly outperforms a variety of state-of-the-art baseline methods when facing various inference attacks in different scenarios.

computer science, information systems, artificial intelligence,engineering, electrical & electronic