Slide 1
Cloaking and Modeling Techniques for Location Privacy Protection
Ying Cai
Department of Computer Science
Iowa State University
Ames, IA 50011

Slide 2
Location-based Services

Slide 3
Risks Associated with LBS
Exposure of service uses
Location privacy
Hospital
Political Party
Nightclub
Stalking ...

Slide 4
Challenge
Restricted space identification
Simply using a pseudonym is not sufficient, because anonymous location data may be correlated with restricted spaces such as home and office for subject re-identification
[Figure label: identified]

Slide 5
Location Depersonalization
Basic idea: reducing location resolution
Report a cloaking region, instead of the actual location

Slide 6
Location Depersonalization
Basic idea: reducing location resolution
Report a cloaking region, instead of the actual location
Key Issue
Each cloaking area must provide a desired level of depersonalization, and be as small as possible

Slide 7
Existing Solution
Ensuring each cloaking area contains a certain number of users [MobiSys'03, ICDCS'05, VLDB'07]

Slide 8
Problems (1)
The anonymity server needs frequent location updates from all users
Practicality
Scalability
Difficult to support continuous LBS
Simply ensuring each cloaking region contains K users does not provide K-anonymity protection

Slide 9
Problems (2)
Guarantee only anonymous uses of services, but not location privacy
An adversary may not know who requests the service, but knows that the K users are all there at the time when the service is requested
Where you are and whom you are with are closely related with what you are doing ...

Slide 10
The root of the problems
These techniques cloak a user's position based on his current neighbors

Slide 11
Observation
Public areas are naturally depersonalized
A large number of visits by different people
More footprints, more popular
Park
Highway

Slide 12
Proposed solution [Infocom'08]
Using footprints for location cloaking
A footprint is a historical location sample
Each cloaking region contains at least K different footprints
Location privacy protection
An adversary may be able to identify all these users, but will not know who was there at what time

Slide 13
Footprint database
Source of footprints
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking

Slide 14
Footprint database
Source of footprints
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking
Trajectory indexing for efficient retrieval
Partition network domain into cells
Maintain a cell table for each cell

Slide 15
Cloaking Techniques
Sporadic LBS
Each cloaking region needs to 1) be as small as possible, 2) contain footprints from at least K different users
Continuous LBS
Each trajectory disclosed must be a K-anonymity trajectory (KAT)

Slide 16
Privacy Requirement Modeling
K-anonymity model
To request a desired level of protection, a user needs to specify a value of K
Problem: choosing an appropriate K is difficult
Privacy is about feeling, and it is difficult to scale one's feeling using a number
A user can always choose a large K, but this will reduce location resolution unnecessarily

Slide 17
Proposed Solution [CCS'09]
A feeling-based approach
A user specifies a public region
A spatial region which she feels comfortable to have reported as her location, should she request a service inside it
The public region becomes her privacy requirement
All locations reported on her behalf will be at least as popular as the public region she identifies

Slide 18
Challenge
How to measure the popularity of a spatial region?
More visitors -> higher popularity
More even distribution -> higher popularity
Given a spatial region R, we define
Entropy E(R) =
Popularity P(R) = 2^E(R)

Slide 19
Cloaking Techniques
Sporadic LBS
Each cloaking region needs to 1) be as small as possible, 2) have a popularity no less than P(R)
Continuous LBS
A sequence of location updates which form a trajectory
The strategy for sporadic LBSs may not work
Adversary may identify the common set of visitors
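An added example (not code from the talk) of the two sporadic-LBS cloaking criteria discussed on the slides, run on a constructed footprint database: the footprint K-anonymity rule (footprints from at least K different users) and the feeling-based rule (popularity no less than P(R) of the user's public region, with P(R) = 2^E(R)). E(R) is assumed here to be the Shannon entropy of the per-user footprint shares in R, since the entropy formula itself is not on the page; the 10x10 grid, the user names and the square-growing search are also assumptions.

```python
import math
from collections import Counter

# Constructed footprint database: (user, x, y) historical location samples on a
# 10x10 grid of cells. Made up for this example, not data from the talk.
FOOTPRINTS = [
    ("alice", 2, 2), ("alice", 2, 3), ("bob", 3, 2), ("carol", 2, 2),
    ("dave", 7, 7), ("dave", 7, 8), ("dave", 8, 7), ("dave", 8, 8), ("erin", 7, 7),
    ("frank", 5, 5), ("grace", 5, 6), ("heidi", 6, 5), ("ivan", 6, 6), ("judy", 5, 5),
]

def footprints_in(region, footprints=FOOTPRINTS):
    """Footprints inside region = (x1, y1, x2, y2), bounds inclusive."""
    x1, y1, x2, y2 = region
    return [(u, x, y) for u, x, y in footprints if x1 <= x <= x2 and y1 <= y <= y2]

def distinct_users(region, footprints=FOOTPRINTS):
    return len({u for u, _, _ in footprints_in(region, footprints)})

def entropy(region, footprints=FOOTPRINTS):
    """E(R): Shannon entropy (bits) of the per-user share of footprints in R.
    Assumed definition; the slides' own entropy formula is not on the page."""
    counts = Counter(u for u, _, _ in footprints_in(region, footprints))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0

def popularity(region, footprints=FOOTPRINTS):
    """P(R) = 2^E(R): the effective number of distinct visitors of R."""
    return 2 ** entropy(region, footprints)

def cloak(x, y, acceptable, grid=10):
    """Grow a square around (x, y) one cell per side at a time and return the
    smallest region for which acceptable(region) holds (None if the whole grid fails)."""
    for r in range(grid):
        region = (max(0, x - r), max(0, y - r), min(grid - 1, x + r), min(grid - 1, y + r))
        if acceptable(region):
            return region
    return None

def cloak_k_footprints(x, y, k):
    """Sporadic LBS, footprint K-anonymity: footprints from at least K different users."""
    return cloak(x, y, lambda region: distinct_users(region) >= k)

def cloak_feeling_based(x, y, public_region):
    """Sporadic LBS, feeling-based: popularity no less than that of the user's public region."""
    target = popularity(public_region)
    return cloak(x, y, lambda region: popularity(region) >= target)
```

The region around (7, 7) has two visitors but one of them left four of the five footprints, so its popularity is only about 1.65, which is why the uneven-distribution point on the slide matters: two distinct users do not give "two visitors' worth" of cover.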

Slide 20
Cloaking Techniques
Sporadic LBS
Each disclosed cloaking region must be as small as possible and have a popularity no less than P(R)
Continuous LBS
The time-series sequence of location samples must form a P-Populous Trajectory (PPT)
A trajectory is a PPT if its popularity is no less than P
The popularity of each cloaking region in the trajectory must be computed w.r.t. a common set of users

Slide 21
Finding a cloaking set
A simple solution is to find the set of users who have footprints closest to the service user
Resolution becomes worse
There may exist another cloaking set which leads to a finer average resolution

Slide 22
Proposed solution
Using populous users for cloaking
Popular users have more footprints, spanning larger regions
Pyramid footprint indexing
A user is l-popular if she has footprints in all cells at level l
Sort users by the level l, and choose the most popular ones as the cloaking set
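An added example (not the talk's code) of the cloaking-set idea from the last two slides and of the common-user-set requirement for continuous LBS: each user's pyramid level is computed, the most popular users form the cloaking set, and a trajectory of cloaking regions is accepted only if the same K users of that set have footprints in every region (the KAT requirement from slide 15). The footprints, the 16x16 domain and the quadtree-style pyramid (level l splits the domain into 2^l x 2^l cells) are assumptions for this example.

```python
# Constructed footprints (user, x, y) in a 16x16 domain; made up for this example.
DOMAIN = 16
FOOTPRINTS = [
    ("taxi1", x, y) for x in range(0, 16, 2) for y in range(0, 16, 2)  # roams everywhere
] + [
    ("bus7", 1, 1), ("bus7", 9, 1), ("bus7", 1, 9), ("bus7", 9, 9),  # one per level-1 cell
    ("walker", 3, 3), ("walker", 4, 4), ("nomad", 6, 6),
]

def cell(x, y, level):
    """Cell index of (x, y) at pyramid level l; level l has 2^l x 2^l cells (assumed layout)."""
    size = DOMAIN // (2 ** level)
    return (x // size, y // size)

def popularity_level(user, footprints=FOOTPRINTS, max_level=4):
    """Largest l such that the user has a footprint in every cell at level l
    (-1 if the user has no footprints at all)."""
    points = [(x, y) for u, x, y in footprints if u == user]
    best = -1
    for level in range(max_level + 1):
        covered = {cell(x, y, level) for x, y in points}
        if len(covered) < 4 ** level:  # some cell at this level has no footprint
            break
        best = level
    return best

def cloaking_set(size, footprints=FOOTPRINTS):
    """The `size` most popular users (highest pyramid level first, then by name)."""
    users = sorted({u for u, _, _ in footprints},
                   key=lambda u: (-popularity_level(u, footprints), u))
    return users[:size]

def users_in(region, footprints=FOOTPRINTS):
    """Users with at least one footprint inside region = (x1, y1, x2, y2), inclusive."""
    x1, y1, x2, y2 = region
    return {u for u, x, y in footprints if x1 <= x <= x2 and y1 <= y <= y2}

def is_kat(trajectory, cloak_set, k):
    """Continuous LBS: the trajectory is a K-anonymity trajectory only if at least K
    users of the cloaking set have footprints in every one of its regions."""
    common = set(cloak_set)
    for region in trajectory:
        common &= users_in(region)
    return len(common) >= k
```

With these footprints, taxi1 reaches level 3 and bus7 level 1, so they form the 2-user cloaking set, and a trajectory of three small regions is already a KAT with respect to them, whereas the two low-level users would force much larger regions.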

Slide 23
Simulation
We implement two other strategies for comparison
Naive: cloaks each location independently
Plain: selects the cloaking set by finding footprints closest to the service user's start position
Performance metrics
Cloaking area
Protection level

Slide 24
Experiment
A Location Privacy Aware Gateway (LPAG)
ePost-It: a spatial messaging system [MobiSys'08]

Slide 25
Concluding Remarks
Exploring historical location samples for location cloaking
To date, this is the only solution that can prevent anonymous location data from being correlated with restricted spaces to derive who's where at what time
A feeling-based approach for users to express their location privacy requirement
The K-anonymity model was the only choice
A suite of location cloaking algorithms
Satisfy a required level of protection while resulting in good location resolution
A location privacy-aware gateway prototype has been implemented