A fast privacy-preserving framework for continuous location-based queries in road networks☆
Yong Wang a, Yun Xia a, Jie Hou a, Shi-meng Gao a, Xiao Nie a, Qi Wang b,*
a School of Computer Science and Engineering, University of Electronic Science and Technology of China, 611731 Chengdu, China
b National Computer Network Emergency Response Technical Team/Coordination Center of China, 100190 Beijing, China
Article info
Article history: Received 4 December 2013; Received in revised form 25 August 2014; Accepted 31 January 2015; Available online 14 March 2015
Keywords: Privacy preservation; Location based services (LBS); Road networks; Continuous query
Abstract
The prevalence of location based services (LBS) gives rise to personal privacy concerns as users share their locations and queries to obtain desired services. For continuous queries, where users report their locations periodically, attackers can infer more about users' privacy by analyzing the correlations between their snapshot samples. Traditional privacy-preserving solutions designed for Euclidean space can hardly be applied to the road network environment because they ignore network topological properties. In this paper, we propose a novel continuous query privacy-preserving framework for road networks. Our framework is based on the concepts of k-anonymity and l-diversity. To achieve quality of service, a distance limitation is taken into account. We build an Snet hierarchy based on the density of users, history traces, and road network topologies to accelerate the cloaking process performed at the anonymization server. Two types of cloaking algorithms, for a single user and for a batch of users, are designed. The security analysis shows that our framework is robust to typical attacks. We evaluate our framework from the aspects of privacy-preserving ability, quality of service, and system performance, which indicates that our framework can provide good privacy protection while ensuring users' quality of service.
© 2015 Elsevier Ltd. All rights reserved.
1. Introduction
Pushed by the widespread use of positioning devices (e.g., GPS), location-based services (LBS) have become ubiquitous in recent years. With locations (latitudes and longitudes) obtained from these devices, LBS applications can provide users with highly personalized services, through local business searches (e.g., searching for the restaurants nearest to a user), e-marketing (e.g., sending e-coupons to nearby potential customers), social networking (e.g., a group of friends sharing their geo-tagged photos), etc. Generally, users can send two types of queries to LBS providers: snapshot queries, for example, "Show me the hotels within one mile", and continuous queries, for example, "Inform me of the nearest petrol station every 5 min in the next 30 min". In effect, a continuous query consists of several consecutive snapshots, which are processed one by one with the user's real-time locations.
However, as locations are reported to a potentially untrustworthy LBS provider, attackers may track users by exploiting their exposed locations, which raises the concern of location privacy. The disclosure of a user's location may reveal sensitive information, such as health condition and religious faith. In particular, such tracking capabilities enable crimes such as vehicle theft and kidnapping. In other respects, a user may not want to be identified as the subscriber of a specific location-based service, especially when the service is sensitive (e.g., querying for the nearest Cancer Treatment Center); this is referred to as query privacy. Clearly, privacy preservation for continuous queries is more challenging than for snapshot queries, since an attacker can infer a user's private information by exploiting the spatial and temporal correlations between snapshot samples. Hence, the privacy of continuous queries is what we focus on.
Plenty of privacy-preserving techniques (Samarati and Sweeney, 1998; Gruteser and Grunwald, 2003; Liu et al., 2009) designed for Euclidean space have been proposed, wherein users can move in arbitrary directions at random speed. However, a user's movement may be constrained by the underlying road network. For example, a user should move along a certain road within the maximum speed limit. Applying these techniques directly to road networks may result in privacy leakage. As shown in Fig. 1(a), u is anonymized with 4 other users, denoted by red points, and his exact position is blurred into a gray region with spatial cloaking methods (Bamba et al., 2008; Gedik and Liu, 2008; Kainis et al., 2007). With such a cloaked region, 5-anonymity is achieved: the attacker can only tell that u might be somewhere in the gray area. Fig. 1(b) shows the same case but with knowledge of the underlying road network. Since the gray area contains a single road segment, the attacker can infer that u must be located on that road segment, and users outside the segment are excluded. Hence, 5-anonymity is violated, with only two available users, which may enable attackers to track down u much more easily. Generally, this kind of attack can be prevented by taking the underlying road network into account while anonymizing. Furthermore, other road network properties, such as the population density, which has a significant impact on privacy preservation, should also be considered.
Journal of Network and Computer Applications 53 (2015) 57–73
http://dx.doi.org/10.1016/j.jnca.2015.01.004
1084-8045/© 2015 Elsevier Ltd. All rights reserved.
☆ This work was supported by the Joint Funds of the National Natural Science Foundation of China (Grant no. U1230106), and by the National Information Security 242 Project of China (Grant no. 2013A050).
* Corresponding author. E-mail address: [email protected] (Y. Wang).
Currently, several privacy-preserving solutions have been introduced for road networks. Unfortunately, existing approaches that apply a traditional cloaking algorithm in road networks incur a huge time cost. To avoid this, we speed up the retrieval of users to be cloaked together based on a hierarchical structure. Furthermore, cloaking is faster when a batch of users is processed simultaneously instead of a single user at a time. We believe that this is the first work to propose a fast privacy-preservation framework for continuous LBS queries in road networks. The query privacy of a user is preserved even if his location is leaked. The network topological properties are taken into account, so that we can effectively provide privacy preservation for users while lowering the computation overhead for both LBS providers and the privacy-preserving system. The main idea of our solution is to abstract the underlying road network into multiple levels. The abstracted unit is called an Snet. Correspondingly, we propose an Snet merging algorithm to construct the Snet hierarchical structure (see Section 3.3.1). Based on the Snet hierarchy, our framework introduces a trusted third party to cloak the query issuer with others, satisfying his specified privacy requirements (see Section 3.2). From the view of LBS providers, they can only relate a set of users to a set of queries, instead of a query to a particular user.
We present two versions of the privacy-preserving algorithm: one processes each query separately, while the other handles a batch of queries simultaneously. Our main contributions include:
• The framework can resist the attacks that break k-anonymity by considering the topological properties of road networks. To accelerate the privacy-preserving process, we abstract the road network into a hierarchical structure by considering the density of users, history traces, and the connectivity of road segments.
• The whole procedure is divided into three stages: initialization stage, execution stage, and update stage. The initialization stage builds a hierarchical structure to facilitate the cloaking process. Based on the pre-computed hierarchical structure, the framework can provide more efficient privacy preservation services in the execution stage. As the underlying network may change over time, the update stage enables our framework to adapt to different road conditions and maintain long-term effectiveness.
• We propose fast cloaking algorithms based on the hierarchical structure for a single user and for a batch of users. Each Snet is treated as a cloaking unit. When the users in the sub-Snets cannot satisfy the cloaking requirements, the cloaking process shifts to the parent Snet.
• Users' moving trend, velocity difference, and distance difference are taken into consideration, so as to maintain as many common users as possible to resist typical attacks. The attack resilience analysis and performance evaluation indicate that our framework can resist typical attacks and achieve good performance.
The rest of our paper is organized as follows: in Section 2, we discuss related work on privacy preservation. We present the system model in Section 3, and the detailed algorithms and the framework maintenance are shown in Section 4. We analyze the security of our cloaking algorithms in Section 5. Experiments and evaluations are presented in Section 6. In Section 7, we draw some brief conclusions.
2. Related work
Section 2.1 reviews related work on privacy preservation in Euclidean space, Section 2.2 surveys the literature on privacy preservation in road networks, Section 2.3 explains the privacy preservation techniques based on cryptography and private information retrieval (PIR), and Section 2.4 discusses privacy preservation against typical attacks.
2.1. Privacy preservation in Euclidean space
Previous work in Euclidean space can be classified into two categories according to the system architecture: centralized privacy-preserving architecture and distributed privacy-preserving architecture.
2.1.1. Centralized privacy-preserving architecture
In the centralized privacy preservation architecture, a trusted third party is involved to blur users' locations into spatial regions, which guarantees that the k-anonymity (Samarati and Sweeney, 1998) requirement is satisfied. Based on the idea of k-anonymity, the Interval Cloak algorithm (Gruteser and Grunwald, 2003) was proposed, which recursively partitions an area into four sub-areas until the users in a sub-area are fewer than k. The centralized architecture has been applied to continuous queries (Chow and Mokbel, 2007; Wang et al., 2012a,b; Guha et al., 2012). The L2P2 scheme was presented by Wang et al. (2012a), which allows users to define their dynamic and diverse privacy requirements for continuous queries. Wang et al. (2012b) proposed a query-linking privacy-preserving algorithm (V-DCA) for continuous LBS queries, which considers users' velocity and acceleration similarities to select users that can stay close in the long run.
2.1.2. Distributed privacy-preserving architecture
In the distributed architecture, users protect their privacy by working collaboratively (Domingo-Ferrer, 2006) or autonomously (Olumofin et al., 2010; Huang and Vishwanathan, 2010; Durr et al., 2011). Domingo-Ferrer (2006) proposed a collaborative algorithm, in which a user broadcasts his perturbed location to form a group with k−1 neighbors. Olumofin et al. (2010) combined cloaking with Private Information Retrieval (PIR). Durr et al. (2011) proposed a position sharing scheme to hide the exact location information. For continuous queries, Pingley et al. (2011) generated dummy queries based on query contexts and motion modes. Wang et al. (2012c) designed a distributed architecture with several semi-honest anonymizing servers.
Unfortunately, these are designed for Euclidean space and cannot address the problem faced in road networks. In this respect, our proposed algorithm not only considers personalized privacy requirements and moving characteristics as in Wang et al. (2012b), but also takes the underlying road network into account. In addition, to improve system efficiency, our algorithm can cloak a batch of users simultaneously.
2.2. Privacy preservation in road networks
Several privacy-preserving techniques have been proposed to protect users' privacy in road networks. Based on the type of location-based queries, these techniques can be classified into two categories: privacy preservation for snapshot location-based queries and privacy preservation for continuous location-based queries.
2.2.1. Privacy preservation for snapshot location-based queries
The PSNN and PSRQ techniques (Ku et al., 2007) rely solely on Casper (Mokbel et al., 2006), which was designed for Euclidean space. As a result, the drawbacks of techniques for Euclidean space are inherited. Kolahdouzan and Shahabi (2004) partitioned the whole road network into small Voronoi regions for anonymization. In Mouratidis and Yiu (2010), the Hilbert order was used to anonymize users with their k−1 neighbors; hence, the effectiveness of the algorithm depends heavily on the ordering. Papadias et al. (2003) expanded the cloaked road segments until the privacy requirements were achieved. To balance processing cost and privacy preservation, Wang and Liu (2009) proposed an X-star based privacy-preservation framework that merges neighboring queries into a newly established cloaking star (super-star). Chow et al. (2011) designed an effective shared execution paradigm. Bao et al. (2009) proposed a peer-to-peer location privacy-preserving system called Pros, in which a user collaborates with others to form a cloaked road segment set. However, simply applying these techniques to continuous location-based queries may suffer from attacks correlating the snapshot samples.
2.2.2. Privacy preservation for continuous location-based queries
Previous research has mainly focused on breaking the continuity of location exposure by utilizing mix zones to change users' identifiers. In Freudiger et al. (2009), the mixing effectiveness of possible mix zone locations was employed to optimize the placement of mix zones. Mobimix (Palanisamy and Liu, 2011) takes multiple factors into consideration in the placement of mix zones, such as the statistical behavior of the user population. However, it pays no attention to network updates, which may lead to system unavailability in the long run. As the placement optimization is NP-hard, Liu et al. (2012) designed two heuristic algorithms to strategically select mix zone locations. In general, although mix zones protect the privacy of continuous queries, they limit the area in which users are served, which may be unacceptable for some users. Hence, our framework adopts a cloaking-based mechanism for continuous query privacy preservation, which also accounts for road network updates.
2.3. PIR based privacy preservation
Methods relying on cryptography or Private Information Retrieval (PIR) are also used in location privacy preservation. PIR techniques allow a user to retrieve an element of a database without the owner of that database being able to determine which element was selected (Chor et al., 1998). Generally, PIR based techniques do not require a trusted third party. Zhong et al. (2007) introduced three protocols, namely Louis, Lester and Pierre, to provide location privacy when answering K Nearest Neighbor (KNN) queries. Similarly, Papadopoulos et al. (2010) employed secure hardware-aided PIR to achieve strong location privacy. Ghinita et al. (2008) proposed a framework to support private location-dependent queries based on PIR techniques. Their framework does not need a trusted third party and can achieve strong privacy for snapshots of users' locations. Narayanan et al. (2011) proposed a variety of cryptographic protocols that support private proximity testing. They use "location tags" generated from the physical environment to strengthen the security of proximity testing. Li and Jung (2013) designed a suite of Privacy-preserving Location Query Protocols (PLQP) to protect users' location privacy in the application scenario of social network services (SNS).
This category of techniques provides strong privacy protection. However, its performance, although improved by utilizing special hardware, is still hardly applicable in the real world. On the other hand, it remains to be seen whether any location-based service providers will deploy cryptographic systems in the market.
2.4. Privacy preservation against attacks
Usually, there are four types of attacks faced by continuous queries: the homogeneity attack, the query sampling attack, the replay attack, and the query tracking attack.
2.4.1. Homogeneity attack
The homogeneity attack (Bettini et al., 2007) is launched when there is a lack of diversity among the users in the anonymizing set with respect to locations or queries. To counter the query homogeneity attack, Liu et al. (2009) defined query l-diversity to ensure that the queries in the same anonymizing set are different enough that a query is hard to link to a certain user.
2.4.2. Query sampling attack
To defend against the query sampling attack (Chow and Mokbel, 2007; Pan et al., 2012), Chow and Mokbel (2007) introduced the concept of a k-sharing region, i.e., a cloaked region that not only covers at least k users but is also treated as the cloaked region by at least k users.
2.4.3. Replay attack
Wang and Liu (2009) presented the replay attack model, which estimates the likelihood of some locations being a user's actual positions by rerunning the anonymizing algorithm. It should be noted that the resilience to the replay attack is correlated with the anonymizing algorithm itself.
2.4.4. Query tracking attack
The query tracking attack (Chow and Mokbel, 2007) identifies potential query issuers by linking consecutive snapshots. To defend against this attack, Chow and Mokbel (2007) utilized the memorization property, which memorizes the users in the cloaked region of a continuous query at the time the query is initiated.
In our work, the typical attacks faced by continuous queries are resisted by tailoring the cloaking algorithm to road networks. Features of moving trend, velocity difference, and distance difference are considered. To facilitate the cloaking process, we construct a hierarchical structure of road networks, and corresponding maintenance strategies are provided in case of road network updates.
3. System model
In this section, we formulate the privacy-preserving problem first, then introduce the privacy profile and the corresponding privacy-preserving mechanism. Finally, we show the implementation strategies.
3.1. Problem formulation
We define the underlying road network and the privacy problem to be addressed.
3.1.1. The underlying road network
We consider a space restricted by the underlying road network, which is represented by a weighted directed graph $G = (V, E)$, where the vertex set $V = \{v_0, v_1, \ldots, v_N\}$ stands for road junctions, and the edge set $E = \{(v_i, v_j) \mid v_i, v_j \in V\}$ represents road segments connecting two junctions $v_i$ and $v_j$. The listed order $v_i v_j$ indicates the direction of the road segment from $v_i$ to $v_j$. Note that in our model, the direction of a user's movement is preserved. When no confusion occurs, and to simplify, we do not explicitly mention the directions of the underlying road network in figures appearing in subsequent sections.
We use $d(v)$ to denote the degree of a vertex $v$ in $V$. Specifically, a vertex with $d(v) = 1$ is called an end vertex, an intermediate vertex has $d(v) = 2$, and an intersection vertex has $d(v) \ge 3$. Each edge $e$ in $E$ is associated with a non-negative weight $w(e)$, which represents the cost of traversing the edge from one vertex to the other. The cost can be the travel distance, trip time or toll of the corresponding road. In our system, we weight edges with the travel distance and order the vertices in the road network; based on this order, we define the moving direction towards the vertex with the larger number as positive, and otherwise as negative. In our work, all mobile users are assumed to reside on edges.
Combined with the underlying road network, the trace of a user $u$ issuing a continuous query is a sequence of connected edges $T_u = \{(v_{s1}, v_{e1}), (v_{s2}, v_{e2}), \ldots, (v_{sn}, v_{en})\}$, where $v_{si}$ and $v_{ei}$ denote the start node and the end node, respectively, of the $i$th edge passed by $u$, and $v_{ei} = v_{s(i+1)}$.
3.1.2. Problem settings
In continuous location-based services, a query has three statuses: (1) New: a newly initiated query is called a new query. (2) Active: a query that was created before but not yet terminated is an active query. (3) Expired: a query that has reached its expiring time and been terminated is called an expired query. For a new query, a mobile user sends it to the LBS provider in the form $\langle u, l, T_{init}, T_{exp}, Con \rangle$, where $u$ is the identifier of the user, $l$ is the user's current location (latitude and longitude), $T_{init}$ represents the query initiating time, $T_{exp}$ is the query expiring time, and $Con$ is the query text, such as "Inform me of the nearest petrol station in the next 30 min". Once it turns active, the user only needs to update his location $l$ together with his identifier $u$ and send it to the LBS provider, because the provider preserves $Con$ until $T_{exp}$. During the query lifetime, the LBS provider serves the user by answering the query periodically (e.g., every 30 s) with the updated locations.
Both locations and query contents are exposed to LBS providers, which may be untrustworthy. Considering that some LBS need users' exact locations for service provision, we try to preserve the query privacy of a user. In our system, we introduce a trusted third party to cloak a user with others into a cloaked user set $S_u$. Correspondingly, the cloaked segment set $S_{sg}$ contains the segments that the users in $S_u$ reside on, and the queries sent by the users in $S_u$ form the cloaked query set $Q$.
3.1.3. Attack model
In order to explain our methods accurately, we establish the attack model against which the preservation is placed. Generally, two characteristics are used to represent an attacker: background knowledge and attacks. We first specify an attacker's background knowledge and then describe the attacks he performs in order to steal private information and harm individuals.
We assume that users' locations and the answers to queries reveal nothing about query content, that is, the query issued by a user is unknown even if his locations are leaked. The background knowledge $BK$ of an attacker about user $u$ is assumed to include:
1. $u$'s exact locations during his query lifetime.
2. $u$'s cloaked user set $S_u$ and the corresponding query set $Q$ for each snapshot.
3. The privacy-preserving algorithms.
Given the employed privacy-preserving algorithms, the users' exact locations, and the cloaked user and query sets generated by the privacy-preserving algorithms, the attacker can run four typical attacks, which are most frequently and particularly implemented against continuous queries, namely the query sampling attack (Chow and Mokbel, 2007; Pan et al., 2012), query tracking attack (Chow and Mokbel, 2007), replay attack (Wang and Liu, 2009), and homogeneity attack (Bettini et al., 2007). All of them aim to find associations between users and queries.
The homogeneity attack is due to a lack of diversity; we use query entropy to measure the diversity of a cloaked query set, which will be explained in Section 3.2. With the diversity requirement, the homogeneity attack is naturally resisted by the privacy-preserving algorithms; therefore, we only consider the other three attacks. Generally, once the attacker obtains the background knowledge, he tries to infer private information of interest about the users' query content, such as linking a user's exact location to a specific query and gaining access to the query content. Nevertheless, users are cloaked together in a region in the form of a cloaked user set, and the queries sent by them are grouped into a cloaked query set. Therefore, the problem of linking a user's exact location to his actual query is probabilistic. The output of an attack can be a probability distribution over the possible candidates. Hence, we define linkability to quantify the vulnerability of our framework under the three typical attacks.
Definition 1 (Linkability). The linkability of query $q$ to user $u$ under $BK$, denoted as $link[u \leftarrow q \mid BK]$, is the probability that an attacker can infer that $q$ is issued by $u$ among the users in the cloaked user set $S_u$.
Query sampling attack (Chow and Mokbel, 2007): The query sampling attack arises when the distribution of users' locations is not uniform and cloaked user sets overlap with each other. Some users are then cloaked into two or more sets, which increases the probability of linking a query to its issuer.
The query sampling attack can be formalized as follows: suppose there are three users $u_1$, $u_2$, $u_3$, issuing queries $q_1$, $q_2$, $q_3$, respectively. $S_{u_1}$, containing $u_1$ and $u_2$, is the cloaked user set of $u_1$, while $S_{u_2}$, containing $u_2$ and $u_3$, is that of $u_2$. An attacker can infer $link[u_1 \leftarrow q_1 \mid BK] = 1$, as $u_1$ belongs only to $S_{u_1}$.
Query tracking attack (Chow and Mokbel, 2007): In continuous queries, users continuously report their locations to LBS providers. The query tracking attack links consecutive time snapshots together to identify a query issuer, although he is cloaked with other users.
Suppose user $u$ issues query $q$. At time $t_1$, he is cloaked into a user set $S_{u_1}$ and the corresponding query set is $Q_1$. Hence, the linkability is $link[u \leftarrow q \mid BK] = 1/|Q_1|$. As time passes, more cloaked sets are generated, denoted as $S_{u_i}$ and $Q_i$ for time $t_i$. As the query issuer must be in all the cloaked user sets, an attacker links the sets and the linkability becomes $link[u \leftarrow q \mid BK] = 1/|Q_1 \cap Q_2 \cap \cdots \cap Q_n|$.
Replay attack (Wang and Liu, 2009): In the replay attack, we assume that an attacker has full knowledge of the cloaking algorithm. By rerunning the cloaking algorithm with an element of the cloaked user set assumed to be the query issuer, the attacker estimates the likelihood of that user generating the cloaked set.
An attacker replays the cloaking process as follows: for each user $u_i \in S_u$, (1) re-run the cloaking algorithm taking $u_i$ as the issuer of query $q$ to generate a cloaked set $S'_{u_i}$ with $|S_u| = |S'_{u_i}|$; (2) calculate the probability of $u_i$ issuing $q$, that is, $Prob[S_u \mid u_i, BK] = |S_u \cap S'_{u_i}| / |S_u|$; and (3) select the $u_i$ with the largest probability value as the query issuer. The linkability is
$$link[u \leftarrow q \mid BK] = \frac{Prob[S_u \mid u, BK]}{\sum_{i=0}^{n} Prob[S_u \mid u_i, BK]} \ge \frac{1}{|Q|}.$$
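The following script is an added example, not code from the paper, that computes linkability under the three attacks formalized in Section 3.1.3 on constructed data. Two assumptions are the example's own and not the paper's: every user issues exactly one query, so $|Q| = |S_u|$ and the intersection of query sets has the size of the intersection of user sets; and the cloaking algorithm the attacker replays is a deterministic "issuer plus the k−1 nearest users on one road segment" rule, standing in for whatever the anonymizer really runs.

```python
"""Linkability under the query sampling, query tracking and replay attacks
(Section 3.1.3). Added example, not code from the paper.

Assumptions made here and not in the paper: every user issues exactly one
query, so |Q| = |S_u| for a snapshot and |Q_1 ∩ ... ∩ Q_n| = |S_u1 ∩ ... ∩ S_un|;
and the cloaking algorithm the attacker replays is a deterministic
"issuer plus k-1 nearest users" rule on a single road segment.
"""
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample data: user -> position in metres along one road segment.
POSITIONS: Dict[str, float] = {"u1": 0.0, "u2": 50.0, "u3": 120.0, "u4": 130.0, "u5": 400.0}


def cloak_k_nearest(issuer: str, positions: Dict[str, float], k: int) -> FrozenSet[str]:
    """Assumed cloaking rule (part of the attacker's BK): the issuer plus its k-1
    nearest users; ties are broken by user name so the rule is deterministic."""
    by_dist = sorted(positions, key=lambda v: (abs(positions[v] - positions[issuer]), v))
    return frozenset(by_dist[:k])


def sampling_forced_issuers(cloaked: Dict[str, FrozenSet[str]]) -> Dict[str, str]:
    """Query sampling attack. `cloaked` maps a query id to the S_u built for it.
    A user who appears in exactly one cloaked set must be that set's issuer, so
    link[u <- q | BK] = 1 for the returned (query, user) pairs."""
    membership: Dict[str, List[str]] = {}
    for qid, users in cloaked.items():
        for user in users:
            membership.setdefault(user, []).append(qid)
    return {qids[0]: user for user, qids in membership.items() if len(qids) == 1}


def tracking_linkability(snapshots: List[FrozenSet[str]]) -> Fraction:
    """Query tracking attack: the issuer is in every S_ui, so the attacker
    intersects the snapshots and link[u <- q | BK] = 1 / |Q_1 ∩ ... ∩ Q_n|."""
    common = frozenset.intersection(*snapshots)
    return Fraction(1, len(common))


def replay_attack(s_u: FrozenSet[str], positions: Dict[str, float], k: int
                  ) -> Tuple[Dict[str, Fraction], List[str]]:
    """Replay attack: rerun the cloaking algorithm with each u_i in S_u as the
    assumed issuer, score Prob[S_u | u_i, BK] = |S_u ∩ S'_ui| / |S_u|, and
    normalise the scores into a distribution. Returns (distribution, argmax users)."""
    scores = {ui: Fraction(len(s_u & cloak_k_nearest(ui, positions, k)), len(s_u))
              for ui in sorted(s_u)}
    total = sum(scores.values())
    dist = {ui: p / total for ui, p in scores.items()}
    best = max(dist.values())
    return dist, [ui for ui, p in dist.items() if p == best]


def replay_linkability(issuer: str, positions: Dict[str, float], k: int) -> Fraction:
    """link[u <- q | BK] of the true issuer under replay. With one query per user
    the baseline without the attack is 1/|Q| = 1/k; replay can only push it up."""
    s_u = cloak_k_nearest(issuer, positions, k)
    dist, _ = replay_attack(s_u, positions, k)
    return dist[issuer]


if __name__ == "__main__":
    # Sampling: the paper's example, S_u1 = {u1, u2} and S_u2 = {u2, u3}.
    print(sampling_forced_issuers({"q1": frozenset({"u1", "u2"}), "q2": frozenset({"u2", "u3"})}))
    # Tracking: two snapshots of a 3-anonymous query leave only two common users.
    print(tracking_linkability([frozenset({"u1", "u2", "u3"}), frozenset({"u1", "u2", "u4"})]))
    # Replay: u1 is cloaked with u2 and u3; the attacker's distribution is skewed.
    print(replay_attack(cloak_k_nearest("u1", POSITIONS, 3), POSITIONS, 3))
```

On the constructed positions, u1's cloaked set is {u1, u2, u3}; replaying the rule for u3 produces {u2, u3, u4}, which overlaps S_u in only two users, so u3's score drops to 2/3 while u1 and u2 keep 1. After normalisation u1 is linked with probability 3/8, above the 1/3 baseline of Definition 1, which is exactly the leakage the replay attack exploits and the reason the paper ties replay resilience to the cloaking algorithm itself.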
In this paper, we aim to prevent linking a continuous location-based query to a specific user, i.e., to keep linkability low, under the query sampling attack, query tracking attack, and replay attack.
3.2. Privacy profile
As mentioned above, $S_u$, $S_{sg}$ and $Q$ respectively signify the cloaked user set, the cloaked segment set, and the corresponding query set. A road segment is a sequence of edges $(v_0 v_1, v_1 v_2, \ldots, v_{m-1} v_m)$, among which only $v_0$ and $v_m$ are intersection or end vertices. The generated $S_u$, $S_{sg}$ and $Q$ should satisfy a user's personalized privacy requirements, defined in his privacy profile in the form $(k_{local}, k_{global}, l_{local}, l_{global}, L_{max}, Dis_{max})$. They define the privacy requirements from four aspects: k-anonymity, l-diversity, maximum length and maximum distance.
3.2.1. k-anonymity
A query obeys k-anonymity (Chow and Mokbel, 2007) if it could have been issued by any of k users. In our system, a query issuer is cloaked with at least k−1 other indistinguishable users to achieve k-anonymity.
$k_{local}$ and $k_{global}$ are the k-anonymity requirements. $k_{local}$ ensures that the user is cloaked with at least $k_{local}-1$ other users at each snapshot. $k_{global}$ indicates that the number of common users in the intersection of the cloaked sets of consecutive snapshots in a continuous query is at least $k_{global}$. The query tracking attack fails because the query issuer is still indistinguishable from $k_{global}-1$ other users even if an attacker links all the cloaked sets. For a continuous query composed of $n$ snapshots, we maintain that
$$|S_{u_i}| \ge k_{local}, \qquad |S_{u_1} \cap S_{u_2} \cap \cdots \cap S_{u_n}| \ge k_{global},$$
where $S_{u_i}$ ($i = 1, 2, \ldots, n$) is the cloaked user set of the $i$th snapshot.
3.2.2. Query l-diversity
For a cloaked query set $Q$ and a given integer $l$, $Q$ satisfies query l-diversity if the query entropy of this set is equal to or greater than $\log l$.
Similar to yellow pages companies categorizing different businesses, we classify queries into different categories according to the Points of Interest (POIs), such as hospitals and restaurants. For example, a user issuing the query "Report me the nearest petrol station every 5 min in the next 30 min" seems to be interested in petrol stations; hence, the query pertains to the petrol station category. The set of categories is denoted as $C = \{c_1, c_2, \ldots, c_n\}$. Suppose that the query categories are already known, and that the accurate query contents cannot be inferred from these categories. For a query set $Q$ whose queries pertain to categories $c_i$, the query entropy $H$ is defined as
$$H = -\sum_i p_i \log p_i,$$
where $p_i$ is the proportion of queries pertaining to $c_i$ in $Q$:
$$p_i = \frac{|\{q \mid q \in Q,\ q.c = c_i\}|}{|Q|}.$$
Query l-diversity is introduced to resist the homogeneity attack (Bettini et al., 2007). Similar to the k-anonymity restriction, we have $l_{local}$-diversity and $l_{global}$-diversity for each single cloaked query set and for the intersection of all the sets, respectively. So we have
$$H(Q(S_{u_i})) \ge \log l_{local}, \qquad H(Q(S_{u_1} \cap S_{u_2} \cap \cdots \cap S_{u_n})) \ge \log l_{global},$$
where $Q(S_{u_i})$ is the set of cloaked queries issued by the users in $S_{u_i}$, and $H(\cdot)$ is the entropy function.
3.2.3. Maximum length
A query fulfills the maximum length restriction when the total length of the road segments in the cloaked segment set $S_{sg}$ is not larger than the pre-defined maximum value.
In our system, it restricts the total weight of the segments in $S_{sg}$ to $L_{max}$, that is,
$$L(S_{sg}) \le L_{max},$$
where $L(\cdot)$ is the total length of the edges in $S_{sg}$.
$L_{max}$ is introduced to limit the expansion of the cloaked set, which would otherwise raise computation and communication costs as more candidate results are generated. The maximum length requirement is especially important in a sparse area where the population density is particularly low, because a large cloaked segment set is needed to satisfy k-anonymity. When k-anonymity within the maximum length restriction is violated, we can generate dummy queries consistent with the query context (Pingley et al., 2011). The user's privacy is then preserved as the attacker cannot tell the real query from the dummies. Generating dummies is another topic in location-based query privacy preservation, which is not the focus of this paper.
3.2.4. Maximum distance
A query satisfies the maximum distance requirement only if the distance between the query issuer and any other cloaked user is not larger than the pre-defined maximum distance, denoted as $Dis_{max}$ in our framework. Then for each user $u_i \in S_u$, it holds that
$$Dis(u, u_i) \le Dis_{max},$$
where $u$ is the query issuer and $Dis(u, u_i)$ is the length of the shortest path from $u$ to $u_i$. It plays an important role especially when users in an area have a high probability of requesting a certain category of queries.
3.3. Privacy-preserving mechanism
First of all, we present the basic concepts of our privacy-preserving mechanism. Then, we show the qualification for users to be cloaked.
3.3.1. Snet and Snet hierarchy
In the road network, a portion conceptually covered by a cluster (or community) can represent a potential cloaked segment set. Inspired by privacy-preserving techniques that partition the spatial domain into cells in Euclidean space, we construct sub-graphs of the road network recursively, bottom-up. Each sub-graph is named an Snet, which is the basic cloaking unit in our system.
Definition 2 (Snet). For a given road network graph $G = (V, E)$, an Snet is a sub-graph of $G$, denoted as $Sn = (V_s, B_s, E_s)$, where $V_s$, $B_s$, and $E_s$ respectively denote the vertex set, border vertex set, and edge set in $Sn$, such that:
1. $E_s \subseteq E$.
2. $V_s = \{v \mid (v, v') \in E_s \lor (v', v) \in E_s\}$, where $(v, v')$ is the edge linking $v$ and $v'$.
3. $B_s = V_s \cap \{v \mid (v, v') \in E' \lor (v', v) \in E'\}$, where $E' = E - E_s$.
Figure 2 shows two Snets (in the dashed frame) of the road network graph $G$ (in the solid frame). For the left Snet, the corresponding vertex set $V_s$ is $\{v_1, v_2, v_3\}$, the edge set $E_s$ contains $(v_1, v_3)$ and $(v_2, v_3)$, and the border vertex set $B_s$ is $\{v_3\}$ because the edge $(v_3, v_5)$ does not belong to the edge set $E_s$. Similarly, for the right Snet, the corresponding vertex set $V'_s$ is $\{v_3, v_4, v_5\}$, the edge set $E'_s$ contains $(v_3, v_5)$ and $(v_4, v_5)$, and the border vertex set $B'_s$ is $\{v_3, v_5\}$ because the edges $(v_1, v_3)$, $(v_2, v_3)$, and $(v_5, v_7)$ are not in the edge set $E'_s$. In addition, because the two Snets share the border vertex $v_3$, they are called neighboring Snets.
Y. Wang et al. / Journal of Network and Computer Applications 53 (2015) 57–73
We build the underlying road network into an Snet hierarchy by constructing Snets in a bottom-up manner, where Snets at upper levels are formed by Snets at lower levels. For simplicity, we restrict each Snet to be composed of at most two sub-Snets. At each level, the road network is viewed as a graph of interconnected Snets. Specifically, each Snet at level 0 represents an original segment in the road network. There is only one Snet at the top level $h_t$, which covers the entire road network.
While constructing an Snet $Sn(h+1, \cdot)$ at level $h+1$ from two sub-Snets $Sn(h, i)$, $1 \le i \le 2$, at level $h$, where $Sn(h+1, \cdot) = (V_s(h+1, \cdot), B_s(h+1, \cdot), E_s(h+1, \cdot))$, the following three conditions must hold:
1. Edges of Snets at level $h$ are disjoint, i.e., $\forall i\, \forall j,\ i \ne j \rightarrow E_s(h, i) \cap E_s(h, j) = \emptyset$.
2. Edges in an Snet at level $h$ only connect vertices in the same Snet, i.e., $\forall m\, \forall j,\ m \ne j,\ (v_m, v_j) \in E_s(h, i) \rightarrow v_m \in (V_s(h, i) \cup B_s(h, i)) \land v_j \in (V_s(h, i) \cup B_s(h, i))$.
3. For the Snet at level $h+1$ to be constructed, $Sn(h+1, \cdot) = (V_s(h+1, \cdot), B_s(h+1, \cdot), E_s(h+1, \cdot))$, $V_s(h+1, \cdot)$ and $E_s(h+1, \cdot)$ are unions of the corresponding sets in the sub-Snets, and $B_s(h+1, \cdot)$ is derived from the union of the sub-Snets' border vertex sets, that is,
   - $V_s(h+1, \cdot) = \bigcup_{1 \le i \le 2} V_s(h, i)$;
   - $E_s(h+1, \cdot) = \bigcup_{1 \le i \le 2} E_s(h, i)$;
   - $B_s(h+1, \cdot) = \bigcup_{1 \le i \le 2} B_s(h, i) - \{v \mid v \in \bigcup_{1 \le i \le 2} B_s(h, i) \lor [(v, v') \in E_s(h+1, \cdot) \lor (v', v) \in E_s(h+1, \cdot)]\}$.
Definition 3 (Transition probability). The transition probability from edge $i$ to edge $j$ is the probability that users on edge $i$ will move to $j$. It can be pre-computed by counting the times that users on $i$ transfer into $j$ according to history traces: the transition probability is the count of transitions from edge $i$ to edge $j$ divided by the total number of transitions from edge $i$ to other edges.
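The border-vertex rule of Definition 2, the merge rule of condition 3 and the transition probability of Definition 3 can be checked on the Fig. 2 road network; the following Python is an added example, not the paper's implementation. The edge list (including the extra edge (v6, v7)) and the history traces are constructed for the example.

```python
# Added example (not the paper's code): border vertices of an Snet
# (Definition 2), the merge rule for a parent Snet (condition 3 of
# Section 3.3.1) and transition probabilities (Definition 3).
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

Edge = Tuple[str, str]

# Constructed road network modelled on Fig. 2: the left Snet covers
# (v1,v3),(v2,v3), the right one (v3,v5),(v4,v5); v7 and the extra edge
# (v6,v7) lie outside both (the extra edge is our own addition).
ROAD_EDGES: List[Edge] = [("v1", "v3"), ("v2", "v3"), ("v3", "v5"),
                          ("v4", "v5"), ("v5", "v7"), ("v6", "v7")]


@dataclass(frozen=True)
class Snet:
    """Sub-graph Sn = (V_s, B_s, E_s) of the road network G = (V, E)."""
    vertices: FrozenSet[str]
    borders: FrozenSet[str]
    edges: FrozenSet[Edge]


def make_snet(edge_subset: Iterable[Edge], all_edges: Sequence[Edge]) -> Snet:
    """Definition 2: V_s holds every endpoint of E_s; B_s is the subset of
    V_s that also touches an edge of E' = E - E_s (a road leaving the Snet)."""
    e_s = frozenset(edge_subset)
    if not e_s <= set(all_edges):
        raise ValueError("E_s must be a subset of E")
    v_s = frozenset(v for e in e_s for v in e)
    outside = set(all_edges) - e_s
    b_s = frozenset(v for v in v_s if any(v in e for e in outside))
    return Snet(v_s, b_s, e_s)


def merge(children: Sequence[Snet], all_edges: Sequence[Edge]) -> Snet:
    """Condition 3 of Section 3.3.1: the parent's V_s and E_s are the unions
    of the children's sets, and a child border vertex stays a border only
    while it still has an edge outside the merged edge set (so v3, shared by
    the two Fig. 2 Snets, becomes an internal vertex of the parent)."""
    e_union = set().union(*(c.edges for c in children))
    if sum(len(c.edges) for c in children) != len(e_union):
        raise ValueError("condition 1: child edge sets must be disjoint")
    return make_snet(e_union, all_edges)


def transition_matrix(traces: Iterable[Sequence[Edge]]) -> Dict[Edge, Dict[Edge, float]]:
    """Definition 3: P(i -> j) = count(i -> j) / count(i -> any edge),
    estimated from history traces given as sequences of consecutive edges."""
    counts: Dict[Edge, Counter] = defaultdict(Counter)
    for trace in traces:
        for src, dst in zip(trace, trace[1:]):
            counts[src][dst] += 1
    return {src: {dst: n / sum(c.values()) for dst, n in c.items()}
            for src, c in counts.items()}


# Constructed history traces: three of four users leaving (v4,v5) turn
# into (v3,v5), one continues to (v5,v7).
TRACES: List[List[Edge]] = [
    [("v4", "v5"), ("v3", "v5"), ("v1", "v3")],
    [("v4", "v5"), ("v3", "v5"), ("v2", "v3")],
    [("v4", "v5"), ("v3", "v5")],
    [("v4", "v5"), ("v5", "v7")],
    [("v2", "v3"), ("v3", "v5"), ("v5", "v7")],
]


def demo() -> Tuple[Snet, Snet, Snet, Dict[Edge, Dict[Edge, float]]]:
    left = make_snet([("v1", "v3"), ("v2", "v3")], ROAD_EDGES)
    right = make_snet([("v3", "v5"), ("v4", "v5")], ROAD_EDGES)
    parent = merge([left, right], ROAD_EDGES)   # Sn(1, .) built from both
    return left, right, parent, transition_matrix(TRACES)


if __name__ == "__main__":
    left, right, parent, probs = demo()
    print("left  B_s:", sorted(left.borders))     # ['v3']
    print("right B_s:", sorted(right.borders))    # ['v3', 'v5']
    print("parent B_s:", sorted(parent.borders))  # ['v5']
    print("P((v4,v5) -> (v3,v5)) =", probs[("v4", "v5")][("v3", "v5")])  # 0.75
```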
Algorithm 1. Building the Snet hierarchy.
Input: G = (V, E). Output: Sn(0, ·), Sn(1, ·), …, Sn(h_t, ·).
1: h ← 0; each e ∈ E is denoted by Sn(0, j); V_inter ← ∅, E_con ← ∅, flag(e) = 0
2: while h < h_t do
3:   for v ∈ V do
4:     if d(v) ≥ 3 then
5:       V_inter ← V_inter ∪ {v}
6:     end if
7:   end for
8:   for v_inter ∈ V_inter do
9:     E_con ← E_con ∪ {(·, v_inter)} ∪ {(v_inter, ·)}
10:    if (∃ e_con ∈ E_con) ∧ (flag(e_con) = 0) ∧ (d(v') = 1 ∨ d(v') = 2), where (v_inter, v') = e_con ∨ (v', v_inter) = e_con then
11:      initiation edge e_init ← e_con
12:    else
13:      e_init ← e_largest, where e_largest ∈ E_con and its historical flow is the largest in E_con
14:    end if
15:    Sn(h+1, j) ← merge e_init with the edge e_tranmax of highest transition probability
16:    if length L(Sn(h+1, j)) ≤ 2^h · Dis(E) then
17:      flag(e_tranmax) = 1; flag(e_init) = 1
18:    else
19:      flag(e_init) = 1
20:    end if
21:  end for
22:  for e' ∈ E do
23:    if flag(e') = 0 then
24:      Sn(h+1, j) ← {e'}
25:    end if
26:  end for
27:  each Sn(h+1, j) is denoted by an edge e_new, E ← {e_new}
28:  h ← h + 1
29: end while
30: return Sn(0, ·), Sn(1, ·), …, Sn(h_t, ·)
Generally, vertices with larger degrees play more important roles in road networks. Hence, we select intersection vertices and the corresponding edges to initiate the construction process. Among all the neighboring edges, we give priority to those connected to an intermediate vertex or an end vertex. In case neither an intermediate nor an end vertex is connected, we select the edge carrying the largest historical user flow as the initial edge. Then the edge that users are most likely to transfer into from the initial edge (i.e., the one with the highest transition probability) is selected to form an Snet. The formed Snet is further denoted by an edge at a higher level, which connects with neighboring Snets through the common border vertices. We recursively perform the Snet construction steps until the underlying road network is merged into one Snet at the top level $h_t$. An edge that is not merged with others forms an Snet at the higher level by itself. To balance privacy preservation and system costs, we restrict the maximum total length of edges in an Snet to the value $L_{max}$. Supposing the average edge length of the underlying road network is $Dis(E)$, we use $2^h \cdot Dis(E)$ as the maximum length limitation for Snets at level $h$, because there are at most $2^h$ edges in an Snet at level $h$. The detailed process of building the Snet hierarchy is shown in Algorithm 1.
Fig. 1. Euclidean space and road networks.
Figure 3 shows an example of building the Snet hierarchy for the road network in Fig. 2. We use an edge to denote an Snet; the Snets encircled at the lower level are those that will be constructed into a parent Snet at the upper level. The blue vertex $v_5$ is deliberately selected for the Snet construction process. The arrow indicates the transition direction from edge $(v_4, v_5)$ to edge $(v_5, v_3)$.
In a special case, each edge at level 0 (the raw underlying road network) constructs an Snet. For example, $(v_1, v_3)$ denotes Snet $Sn(0, 1)$. $Sn(1, 1)$ represents an Snet formed by $(v_1, v_3)$ and $(v_2, v_3)$ at level 0. For the Snet construction, intersection vertex $v_5$ is selected. We pick $(v_5, v_4)$ as the initiation edge, because it connects an end vertex $v_4$. We merge it with $(v_3, v_5)$, which has the highest transition probability from $(v_5, v_4)$ among neighboring edges (edges sharing a common border vertex). Thus, we get Snet $Sn(1, 2)$ at level 1. Similarly, Snets $Sn(1, 2)$ and $Sn(1, 3)$ are represented by edges at level 1, and their neighboring Snets $Sn(1, 1)$, $Sn(1, 4)$, and $Sn(1, 5)$ are connected through vertices $v_3$ and $v_7$. The Snet hierarchy construction process continues until the entire road network is merged into a single Snet $Sn(4, 1)$ at the fourth level.
3.3.2. Cloaking qualifications
Based on the Snet hierarchy, our system generates cloaked sets for users meeting predefined privacy profiles. To satisfy the $k_{local}$ and $l_{local}$ requirements, we expand the cloaked set in a bottom-up manner from Snets at level 0. The expansion process is terminated when the $L_{max}$ requirement is violated. Simultaneously, a user whose distance to the query issuer is longer than $Dis_{max}$ is kicked out. As for the $k_{global}$ and $l_{global}$ requirements, we try to keep users staying in the same Snet in the same set in the long run.
There are three features that affect which Snet the user will enter and when he will enter it in the future: transfer behavior, velocity, and distance to a border vertex. We use the moving trend to describe the transfer behavior by which a user enters a certain Snet after leaving the previous one. Users moving into the same Snet in the future have the same moving trend. We treat users' velocities as vectors composed of moving directions and speed magnitudes; the velocity difference is used to measure the velocity variations between users. Users with a low velocity difference are more likely to stay close in the future. Similarly, we use the distance difference to describe users' difference in distance to the border vertex they will pass through. Users with a low distance difference are prone to stay in the same Snet. Thus, while selecting candidate users for cloaking, we prefer those with a similar moving trend, a low velocity difference, and a low distance difference compared to the query issuer.
Moving trend: Users' moving trend can be modeled as a Markov chain on the set of neighboring Snets of the current Snet $Sn$. Let $P^{Sn}$ be the transition matrix of $Sn$; the element $p^{Sn}_{ij}$, $i = 1 \ldots m$, $j = 1 \ldots n$, of $P^{Sn}$ is the transition probability of users from edge $i$ of $Sn$ to Snet $j$, where $m$ is the number of edges of $Sn$ and $n$ is the number of neighboring Snets of $Sn$.
Figure 4 shows an example of a transition matrix. Let $P^{Sn(1,2)}$ be the transition matrix of Snet $Sn(1, 2)$ with edges $(v_3, v_5)$ and $(v_4, v_5)$. Supposing the first row of $P^{Sn(1,2)}$, denoted as $p^{Sn(1,2)}_{1,\cdot}$, represents the transition probability of $(v_3, v_5)$ to the neighboring Snets $Sn(1, 1)$ and $Sn(1, 3)$ respectively, then correspondingly $p^{Sn(1,2)}_{2,\cdot}$ is the transition probability from $(v_4, v_5)$ to $Sn(1, 1)$ and $Sn(1, 3)$. User $u_1$, denoted by a red rectangle, is moving along edge $(v_5, v_3)$ in $Sn(1, 2)$. Obviously, $u_1$ has a higher probability to enter $Sn(1, 1)$ after leaving $Sn(1, 2)$.
Fig. 2. An example of Snet.
Fig. 3. An example of Snet hierarchy.
Velocity difference: The difference between two users' velocities should consider both the moving direction and the magnitude. However, only users having the same moving trend need to check the velocity difference; those with opposite directions have already been filtered out. Thus, we only take the magnitude into account while calculating the velocity difference. The velocity difference $VL_{diff}$ between users $u_i$ and $u_j$ is defined as
$$VL_{diff}(u_i, u_j) = \big|\,|vl_i| - |vl_j|\,\big|$$
where $|vl_i|$ and $|vl_j|$ are the velocity magnitudes of $u_i$ and $u_j$. Users qualified to be cloaked together should satisfy the velocity difference restriction $\zeta$:
$$VL_{diff}(u_i, u_j) \le \zeta$$
Distance difference: The road network distance $d(u, v)$ between user $u$ and vertex $v$ is defined as the sum of edge weights along the shortest path from $u$ to $v$. In our system, $u$ will pass through $v$ while entering the predicted Snet; $v$ is a common border node of the two neighboring Snets. When there is more than one common border node, $v$ is the one nearest to $u$. Users $u_i$ and $u_j$ may enter the same Snet through different vertices, denoted as $v_i$ and $v_j$. Then the distance difference between the users with respect to the vertex they may pass through is calculated as
$$D_{diff}(u_i, u_j) = \big| d(u_i, v_i) - d(u_j, v_j) \big|$$
Thus, users qualified to be cloaked together should further satisfy the distance difference restriction $\theta$ in the equation below:
$$D_{diff}(u_i, u_j) \le \theta$$
3.4. Framework implementation
In this section, we show the system architecture of our privacy-preserving framework. Then the storage scheme of the Snet hierarchy is discussed.
3.4.1. System architecture
Figure 5 shows the system architecture. It consists of three components: mobile users, the trusted Anonymizing Server (AS), and the LBS provider. A mobile user sends a query through the privacy phone agent to the AS with his privacy profile in the form of $\langle u, l, p, T_q, T_{exp}, Con \rangle$, where $u$, $l$, $T_q$, $T_{exp}$ and $Con$ have the same meaning as in Section 3.1.2, and $p$ denotes the user-defined privacy profile $\langle k_{local}, k_{global}, l_{local}, l_{global}, L_{max}, Dis_{max} \rangle$ discussed in Section 3.2. $l$ is the user's location obtained by the positioning device. When the AS receives a query from a mobile user, the cloaking engine generates cloaked sets with the cloaking algorithms presented in Section 4. The AS sends the queries issued by the cloaked users to the LBS provider, which returns the candidate results to the AS; the AS follows the users and keeps track of their locations. The results refiner improves the results based on the users' accurate locations and forwards the refined results to the privacy phone agent. The phone agent further transfers the results to LBS applications. For a query in Active status, the mobile user periodically updates his location until it turns Expired.
Fig. 4. An example of transition matrix.
Fig. 5. System architecture.
Fig. 6. The storage scheme.
3.4.2. Snet storage scheme
Because the Snet at level $h+1$ is formed by at most two Snets at level $h$, we use a binary tree $T$ to store the Snet hierarchy, which maintains the parent–child relationship of Snets at each level. Each Snet consisting of $(V_s, E_s, B_s)$ is kept as a node. For each node, we store the transition matrix of the Snet discussed in Section 3.3.2. The total length of segments in the Snet is precomputed and stored in the node as well.
Figure 6 illustrates the storage structure of the Snet hierarchy in Fig. 3. Let the $i$th Snet at level $h$ be $Sn(h, i)$, $L(Sn(h, i))$ be the total length of edges in $Sn(h, i)$, and $P^{Sn}$ be the transition matrix of $Sn(h, i)$. For our cloaking algorithms, the cloaked users are in the same tree node. In other words, for a query issuer residing in Snet $Sn(0, j)$, the users cloaked with him will be those in $Sn(0, j)$ or in one of its ancestors in the binary tree $T$.
4. Cloaking algorithms
We present two types of privacy-preserving algorithms based on the Snet hierarchy. The first one, consisting of Algorithms 2 and 3, is designed for a single user; the other, composed of Algorithms 4 and 5, is for a batch of users. Recall that in the Snet construction process, an edge is merged with the edge that has the highest transition probability. Hence, our algorithms treat the Snet as the basic cloaking unit and traverse the binary tree storing the Snet hierarchy in a bottom-up manner. According to the users' cloaking qualifications discussed in Section 3.3.2, our algorithms first retrieve the Snet at level 0, then select users with a similar moving trend that satisfy the velocity difference and distance difference restrictions predefined by our system. The candidate sets are formed by the selected users, after which the users' privacy profiles are checked. If the candidate set cannot fulfill the users' privacy profiles, the algorithms search its parent Snet. These steps continue until the users' privacy profiles are satisfied, or the top level of the Snet hierarchy is reached. If no qualified cloaked set is generated, the corresponding queries are terminated. As all queries sent to the LBS providers have to pass through the AS, queries dropped by the AS never reach the LBS providers. Hence, users' privacy can be preserved.
Compared with the first type of algorithms for a single user, the second type aims to improve the efficiency of our privacy-preserving framework. It generates a cloaked set for a batch of users simultaneously to decrease the cloaking time. In addition, the users' privacy is enhanced because the query sampling attack can be resisted by sharing the cloaked set among users.
4.1. Algorithms for a single user
We present algorithms for a single user in this section. When a sequence of users arrives, Algorithm 2 finds qualified users in an Snet at a certain level to form the candidate cloaked set for each user. Algorithm 3 generates the cloaked sets for a single user.
Algorithm 2. Selecting qualified users.
Input: query q⟨u, l, p, T_q, T_exp, Con⟩, Snet Sn(h, i) and edge e of user u, binary tree T.
Output: candidate cloaked set S_1.
1: predict the moving trend Sn(h, j) of u; S_e ← ∅, S_1 ← ∅
2: for (e_i in Sn(h, i)) ∧ (e_i ≠ e) do
3:   if moving trend of users in e_i = Sn(h, j) then
4:     S_e ← S_e ∪ {e_i}
5:   end if
6: end for
7: for u_i residing in S_e do
8:   if (VL_diff(u, u_i) ≤ ζ) ∧ (D_diff(u, u_i) ≤ θ) then
9:     S_1 ← S_1 ∪ {u_i}
10:  end if
11: end for
12: return S_1

Table 1. Example of privacy profile.
User | Query | Query category | k_local | l_local | k_global | l_global
A    | qA    | c1             | 2       | 2       | 2        | 2
B    | qB    | c2             | 3       | 2       | 2        | 2
C    | qC    | c1             | 3       | 3       | 3        | 2
D    | qD    | c3             | 3       | 3       | 3        | 2
E    | qE    | c3             | 2       | 2       | 2        | 2

Table 2. Example of cloaked user set and query set (algorithms for a single user).
User | S1        | Q1           | S2        | Q2           | S3        | Q3
A    | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}
B    | {A, B, D} | {q1, q2, q3} | {A, B, D} | {q1, q2, q3} | {A, B, E} | {q1, q2, q3}
C    | {B, C, E} | {q1, q2, q3} | {B, C, E} | {q1, q2, q3} | {B, C, E} | {q1, q2, q3}
D    | {A, B, D} | {q1, q2, q3} | {A, B, D} | {q1, q2, q3} | {A, B, D} | {q1, q2, q3}
E    | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}

Table 3. Example of cloaked user set and query set (algorithms for a batch of users).
User | S1        | Q1           | S2        | Q2           | S3        | Q3
A    | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}
B    | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3}
C    | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3}
D    | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3} | {B, C, D} | {q1, q2, q3}
E    | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}     | {A, E}    | {q1, q3}

Table 4. Experiment parameters.
Parameters                       | Values                  | Default | Unit
Number of users                  | 2000                    | 2000    | –
Number of snapshots              | 50                      | 50      | –
Local privacy (k_local, l_local) | 2–5, 3–6, 4–7, 5–8, 6–9 | 2–5     | /
Distance limit                   | 1, 2, 3, 4, 5, 6        | 5       | km
When selecting qualified users at each level, Algorithm 2 first predicts the Snet that user $u$ will move into when leaving the current one (step 1). Then it predicts the moving trend of the users staying in the same Snet as $u$, and picks out those having the same moving trend as $u$ (steps 2–6). Among all the users picked out, only those satisfying the velocity difference and distance difference restrictions are selected as qualified cloaked users (steps 7–11).
Algorithm 3. Cloaking for a single user.
Input: query q⟨u, l, p, T_q, T_exp, Con⟩, binary tree T.
Output: cloaked set S_i of the ith snapshot, 1 ≤ i ≤ m (m snapshots in total).
1: if q is New then
2:   map l on edge e, find Sn(0, j) containing e in T
3:   C_temp = Sn(0, j), h ← 0, S_1 ← ∅
4:   while (|S_1| < k_local) ∨ (H(Q(S_1)) < log l_local) do
5:     S_1 ← SelectingQualifiedUsers(q, C_temp, e, T)
6:     C_temp ← C_temp's parent node, h ← h + 1
7:   end while
8:   if L(C_temp) > L_max then
9:     suppress the query
10:  end if
11:  return S_1
12: else
13:  for u_j ∈ (S_1 ∪ S_2 ∪ ⋯ ∪ S_{i−1}) do
14:    if Distance(u, u_j) ≤ Dis_max then
15:      S_i = S_i ∪ {u_j}
16:    end if
17:  end for
18:  if (|S_i ∩ S_1 ∩ S_2 ∩ ⋯ ∩ S_{i−1}| ≥ k_global) ∧ (H(Q(S_i ∩ S_1 ∩ S_2 ∩ ⋯ ∩ S_{i−1})) ≥ log(l_global)) then
19:    return S_i
20:  else
21:    suppress the query
22:  end if
23: end if
As shown in Algorithm 3, user $u$ sends a query in the form of $\langle u, l, p, T_q, T_{exp}, Con \rangle$. When receiving a query $q$ in New status from user $u$, the AS maps $l$ into the road network. Algorithm 3 treats $Sn(0, j)$, which contains the edge $e$ where $u$ resides, as the initial cloaked set (step 2). $Sn(0, j)$ is a leaf node in the binary tree $T$. The algorithm traverses the binary tree until the k-anonymity and l-diversity requirements of $u$ are fulfilled (steps 3–7). When the total length of edges in the cloaked set is larger than $L_{max}$, the algorithm stops (steps 8–10). If the query is in Active status, the algorithm checks the common users in the previous $i-1$ cloaked sets and adds those satisfying the distance restriction to the cloaked set (steps 13–17). The $k_{global}$ and $l_{global}$ requirements are also checked (steps 18–22).
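As an added example (not the authors' implementation), the following Python carries the cloaking qualifications of Section 3.3.2 (moving trend, ζ and θ) and the New-query branch of Algorithm 3 through a constructed three-level Snet hierarchy. The users, their predicted moving trends, speeds, border distances and query categories are all constructed, and the issuer is counted as a member of its own cloaked set, as in Tables 2 and 3.

```python
# Added example (not the paper's code): Algorithm 2's qualification test
# and the New-query branch of Algorithm 3 over a constructed Snet hierarchy.
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class User:
    name: str
    edge: str              # level-0 Snet (road segment) the user is on
    trend: str             # predicted next Snet, i.e. the moving trend
    speed: float           # velocity magnitude |vl|
    dist_to_border: float  # d(u, v) to the border vertex it will pass
    category: str          # category of the query the user issued


@dataclass
class Node:
    """A node of the binary tree T: an Snet, its parent and the level-0
    edges it covers; length is the precomputed L(Sn)."""
    name: str
    length: float
    parent: Optional[str]
    edges: frozenset


# Constructed hierarchy: e1,e2 -> Sn11, e3,e4 -> Sn12, Sn11,Sn12 -> Sn21.
TREE: Dict[str, Node] = {n.name: n for n in [
    Node("e1", 1.0, "Sn11", frozenset({"e1"})),
    Node("e2", 1.5, "Sn11", frozenset({"e2"})),
    Node("e3", 2.0, "Sn12", frozenset({"e3"})),
    Node("e4", 1.0, "Sn12", frozenset({"e4"})),
    Node("Sn11", 2.5, "Sn21", frozenset({"e1", "e2"})),
    Node("Sn12", 3.0, "Sn21", frozenset({"e3", "e4"})),
    Node("Sn21", 5.5, None, frozenset({"e1", "e2", "e3", "e4"})),
]}

# Constructed users; A is the query issuer. D has a different moving
# trend and E is far too fast, so neither ever qualifies.
USERS: List[User] = [
    User("A", "e1", "Sn12", 10.0, 0.5, "c1"),
    User("B", "e1", "Sn12", 11.0, 0.6, "c2"),
    User("C", "e2", "Sn12", 10.5, 0.4, "c1"),
    User("D", "e2", "Sn13", 10.0, 0.5, "c3"),
    User("E", "e3", "Sn12", 30.0, 0.5, "c2"),
    User("F", "e4", "Sn12", 9.0, 0.3, "c3"),
]


def entropy(categories: Iterable[str]) -> float:
    """H(Q(S)) over query categories in bits, compared with log2(l_local)."""
    counts = Counter(categories)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def select_qualified(issuer: User, node: Node, users: List[User],
                     zeta: float, theta: float) -> List[User]:
    """Algorithm 2: other users inside the Snet that share the issuer's
    moving trend and satisfy VL_diff <= zeta and D_diff <= theta."""
    return [u for u in users
            if u is not issuer and u.edge in node.edges
            and u.trend == issuer.trend
            and abs(u.speed - issuer.speed) <= zeta
            and abs(u.dist_to_border - issuer.dist_to_border) <= theta]


def cloak_new_query(issuer: User, tree: Dict[str, Node], users: List[User],
                    k_local: int, l_local: int, l_max: float,
                    zeta: float, theta: float) -> Tuple[Optional[List[User]], str]:
    """Algorithm 3, New branch: start at the leaf holding the issuer's edge
    and climb T until |S| >= k_local and H(Q(S)) >= log l_local; the query
    is suppressed (None) when L(Sn) > L_max or the root is exhausted."""
    node = tree[issuer.edge]
    while True:
        cloaked = select_qualified(issuer, node, users, zeta, theta) + [issuer]
        if (len(cloaked) >= k_local
                and entropy(u.category for u in cloaked) >= math.log2(l_local)):
            return (None if node.length > l_max else cloaked), node.name
        if node.parent is None:          # top level reached without success
            return None, node.name
        node = tree[node.parent]


if __name__ == "__main__":
    cloaked, snet = cloak_new_query(USERS[0], TREE, USERS, k_local=3,
                                    l_local=2, l_max=6.0, zeta=5.0, theta=1.0)
    print(snet, [u.name for u in cloaked] if cloaked else "suppressed")
    # Sn21 ['B', 'C', 'F', 'A']
```

With k_local = 3 the leaf and Sn11 both fail (too few users, then an entropy of about 0.92 bit below log2 2), so the set is only formed at the root; lowering L_max to 5 makes that root Snet too long and the query is suppressed.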
4.2. Algorithms for a batch of users
As multiple queries may arrive at the AS simultaneously, cloaking for each user separately is inefficient. Following the reciprocity principle, we propose an optimized pair of algorithms, composed of Algorithms 4 and 5, which generates cloaked sets for a batch of users at one time. On the other hand, algorithms for a single user are vulnerable to the query sampling attack. Therefore, we introduce the k-sharing method to resist this attack. In our system, the generated cloaked set is shared by all users in it. Thus, while generating the cloaked set qualified for all users in it, we ensure the strictest privacy requirements of all the cloaked users, i.e., $k_{local}^{max}$, $k_{global}^{max}$, $l_{local}^{max}$, $l_{global}^{max}$, $L_{max}^{min}$, $Dis_{max}^{min}$. $k_{local}^{max}$, $k_{global}^{max}$, $l_{local}^{max}$ and $l_{global}^{max}$ denote the maximum values of $k_{local}$, $k_{global}$, $l_{local}$, $l_{global}$ defined by the users in the candidate cloaked set; $L_{max}^{min}$ and $Dis_{max}^{min}$ stand for the minimum values of the user-defined $L_{max}$ and $Dis_{max}$ restrictions. When the strictest privacy requirements cannot be satisfied, the user requesting such requirements is kicked out from the candidate cloaked set. Similar to the first type of algorithms for a single user, the second type of algorithms for a batch of users includes two parts: Algorithm 4 selects the qualified users, and Algorithm 5 generates the cloaked set for a batch of users.
Algorithm 4. Selecting qualified users in batches.
Input: query set {q⟨u, l, p, T_q, T_exp, Con⟩}, Snet set {Sn}, and binary tree T.
Output: a set of candidate cloaked sets {S_i}.
1: for Sn(h, i) ∈ {Sn} do
2:   {CL} ← ∅, {S_i} ← ∅
3:   if (u ∈ U(Sn(h, i))) ∧ (L_max(u) < L(Sn(h, i))) then
4:     U(Sn(h, i)) ← U(Sn(h, i)) − {u}
5:   end if
6:   for u ∈ U(Sn(h, i)) do
7:     predict its moving trend Sn(h, j)
8:   end for
9:   {CL} ← {CL} ∪ {CL | CL ← {users with the same Sn(h, j)}}
10:  end for
11: for CL_i ∈ {CL} do
12:   put the users in CL_i satisfying ((VL_diff(u_i, u_j) ≤ ζ) and (D_diff(u_i, u_j) ≤ θ)) into S_i
13: end for
14: return {S_i}
For the uncloaked users, Algorithm 4 removes each user $u$ violating its $L_{max}(u)$ restriction (steps 2–4). Then it predicts the moving trend of all the users and clusters those with the same moving trend together (steps 5–8). For each clustered user set, those following the velocity difference and distance difference restrictions are selected as the qualified users (steps 10–12).
Algorithm 5 maps all users into the road network and finds the corresponding Snets in the binary tree (steps 3–6). It repeatedly selects qualified users until the $k_{local}^{max}$ and $l_{local}^{max}$ values of all users in the Snet are fulfilled (steps 9–12). When there are no candidates in the cloaked set or the traversal goes beyond the top level, we suppress the users with the $k_{local}^{max}$ or $l_{local}^{max}$ requirements and traverse back one level (steps 13–20). The cloaked set is shared by all users residing in it. For the following snapshots, for each cloaked set, we check the maximum distance limit of all users residing in the previous $i-1$ cloaked sets (steps 28–32), after which the $k_{global}$ and $l_{global}$ requirements are also checked (steps 33–35).
4.3. The framework maintenance
To maintain the long-term effectiveness of our framework, we discuss the maintenance strategy in the presence of updates to users' history traces and changes in the road network structure.
4.3.1. Users' history traces update
The population density and the transition probability of each Snet are calculated based on users' history traces. For a new user moving from edge $a$ to edge $b$, only the population of edges $a$ and $b$ and the transition probability from $a$ to $b$ should be increased. Hence, we update the population density of edge $a$ and edge $b$, and the transition matrix of the Snet containing edge $a$ is also updated. Because users' movements have locality properties, the population density stays stationary under the influence of users' history traces in the long run. Hence, we keep the Snet hierarchy structure unchanged.
4.3.2. Road network structure update
As rebuilding the Snet hierarchy is expensive, we prefer to incrementally update the Snet hierarchy when the road network structure changes. Because we directly use the existing map information, the update frequency of the Snet hierarchy is consistent with that of the map, which may be about every six to twelve months. The road network is modeled as a weighted directed graph; therefore, its structural changes are of two kinds, i.e., change of edge lengths and change of edge relations.
1. Change of edge lengths: When an edge length changes (e.g., travel distance, trip time, or toll cost increases/decreases), the total length of the Snets containing the edge should be updated.
2. Change of edge relations: When new roads are constructed or existing roads are closed, the network topology is changed. These changes can be depicted as adding or deleting edges in the Snet hierarchy.
Adding a new edge: A newly added edge $(v, v')$ connects vertex $v$ and $v'$. Let the edge set connecting $v$ be $E_v$ and the one connecting $v'$ be $E'_v$. If all edges in $E_v$ and $E'_v$ belong to the same Snet at level 1, edge $(v, v')$ is merged with that Snet. Otherwise, $(v, v')$ is added to the Snet having the most neighboring edges. Snets at the parent levels are updated recursively.
Deleting an existing edge: When removing an edge $(v, v')$ from the road network, it affects the Snets containing $(v, v')$. As a result, we only update the Snets containing $(v, v')$ by deleting it from their edge sets.

Algorithm 5. Cloaking for a batch of users.
Input: query set {q⟨u, l, p, T_q, T_exp, Con⟩}, binary tree T.
Output: set of cloaked sets {S_i} of the ith snapshot, 1 ≤ i ≤ m (m snapshots in total), S_ij ∈ {S_i}.
1: if {q} is New then
2:   C ← ∅, h ← 0, {S_1} ← ∅
3:   for q_i ∈ {q} do
4:     map q_i on edge e_i, find Sn(0, j) containing e_i in T
5:     C = C ∪ Sn(0, j)
6:   end for
7:   C_temp ← C, {S_1} ← SelectingQualifiedUsersInBatches(q, C, T)
8:   for S_1i ∈ {S_1} do
9:     while (|S_1i| < k_local^max) ∨ (H(Q(S_1i)) < log(l_local^max)) do
10:      S_1-temp ← SelectingQualifiedUsersInBatches(q, C_temp, T)
11:      S_1i ← S_1i-temp, Sn(h, j) ← Sn(h, j)'s parent node, h ← h + 1, C_temp = {Sn(h, j)}
12:    end while
13:    if (Sn(h, j) = Sn(h_t, j)) ∨ (S_1i = ∅) then
14:      Sn(h, j) ← Sn(h, j)'s child node
15:      while (|S_1i| < k_local^max) ∨ (H(Q(S_1i)) < log(l_local^max)) do
16:        if (u ∈ S_1i) ∧ ((k_local = k_local^max) ∨ (l_local = l_local^max)) then
17:          S_1i ← S_1i − {u}
18:        end if
19:      end while
20:    end if
21:    {S_1} = {S_1} ∪ S_1i
22:  end for
23:  for u ∈ ({q} − {S_1}) do
24:    mark u as New
25:  end for
26:  return {S_1}
27: else
28:  for u_i ∈ (S_1j ∪ S_2j ∪ … ∪ S_(i−1)j) do
29:    if distance(u, u_i) ≤ Dis_max^min then
30:      S_ij = S_ij ∪ {u_i}
31:    end if
32:  end for
33:  if (|S_ij ∩ S_1j ∩ S_2j ∩ … ∩ S_(i−1)j| ≥ k_global^max) ∧ (H(Q(S_ij ∩ S_1j ∩ S_2j ∩ … ∩ S_(i−1)j)) ≥ log(l_global^max)) then
34:    {S_i} = {S_i} ∪ S_ij
35:  end if
36:  return {S_i}
37: end if
5. Attack resilience analysis
In this section, we analyze the proposed algorithms' resilience to the query sampling attack, query tracking attack, and replay attack.
5.1. Algorithms for a single user
Replay attack: Under the replay attack (Section 3.1.3), an attacker repeatedly runs the algorithms to generate $S'_i$ with $u$ as the input. It can be seen that $S_i \cap S'_i$ contains $u$. The linkability satisfies
$$\frac{1}{|S| \cdot |Q|} \le link[u \rightarrow q \mid BK] < \frac{1}{((|S| - 1)|S| + 1) \cdot |Q|}.$$
Hence, an attacker can identify the query issuer with the maximum probability $\frac{1}{2}$ if $|S \cap S'_i| = 1$ with regard to all $S'_i$. However, this is practically impossible. Users in the cloaked set share the same predicted moving trend within the velocity difference and distance difference restrictions, i.e., all the users in the cloaked set tend to stay in nearby road segments, that is, $|S \cap S'_i| \gg 1$.
Query sampling attack: Under the query sampling attack (Section 3.1.3), an attacker observes the cloaked set samples $S_1, S_2, \ldots, S_i$ with the corresponding query sets $Q_1, Q_2, \ldots, Q_i$. Hence, the linkability can be calculated as
$$link[u \rightarrow q \mid BK] = \frac{1}{|Q_1 \cap Q_2 \cap \ldots \cap Q_i|}.$$
Query tracking attack: Considering the characteristics of the query tracking attack (Section 3.1.3), we introduce the principle of $k_{global}$ and $l_{global}$. The number of common users should be at least $k_{global}$ and the entropy of the common query set should not be less than $\log(l_{global})$. Consequently, the probability of identifying a specific user's query, i.e., the linkability $link[u \rightarrow q \mid BK]$, is $\frac{1}{|Q_1|}$ at least and $\frac{1}{l_{global}}$ at most.
In addition, an attacker can combine the replay attack, query sampling attack, and query tracking attack to infer a user's query content. As a result, the linkability changes to
$$link[u \rightarrow q \mid BK] = \frac{link[S \mid u, BK]}{\sum_{u_i \in S} link[S \mid u_i, BK]} \cdot \frac{1}{\left|\sum_{t=1}^{n} \sum_{i=1}^{m} \bigcap Q_{it}\right|},$$
where $Q_{it}$ represents the query set $Q_i$ containing $u$ at time $t$, $n$ is the number of snapshots and $m$ is the number of sets containing $u$. Accordingly, the linkability to a specific user is
$$link[u \rightarrow q \mid BK] = \frac{1}{\left|\sum_{t=1}^{n} \sum_{i=1}^{m} \bigcap Q_{it}\right|}.$$
Example 1. We suppose that there are five users in the system. Their privacy profiles are partially listed in Table 1. The cloaked user set $S_i$ and its corresponding query set $Q_i$ of each user for snapshot $i$ are shown in Table 2. In Table 2, $q_j$ means a query pertaining to category $c_j$.
We suppose that an attacker observes a cloaked user set sample $\{A, E\}$ and the corresponding query set sample $\{q_1, q_3\}$, but the attacker knows neither for whom the set is generated nor the relations between the queries and the users. Hence the attacker runs the algorithms with A and E respectively as the input and gets the same cloaked results. However, he still does not know the query issuer. $Prob[S \mid A, BK]$ is calculated as $\frac{|\{A, E\} \cap \{A, E\}|}{|\{A, E\}|} = 1$, and so is $Prob[S \mid E, BK]$. Hence, the linkability of the replay attack is
$$link[A \rightarrow q_1 \mid BK] = \frac{Prob[S \mid A, BK]}{Prob[S \mid A, BK] + Prob[S \mid E, BK]} \cdot \frac{1}{2} = \frac{1}{4}.$$
This is because the attacker cannot be sure that A is the issuer and does not know that A's query is $q_1$. Under the query sampling attack, if the attacker observes that A is in $\{A, E\}$ and $\{A, B, D\}$ at the first snapshot, he can infer that A's query must be in $\{q_1, q_3\}$ with probability 1/2. For the query tracking attack, if the attacker knows B's cloaked user set and cloaked query set during snapshots 1, 2, and 3, he can infer B's query with probability $1/|Q_1 \cap Q_2 \cap Q_3| = 1/3$.
Fig. 7. Privacy-preserving ability evaluation.
5.2. Algorithms for a batch of users
Because a cloaked set is generated for all users in it, the algorithms for a batch of users can effectively defend against the replay attack and the query sampling attack. Therefore, we only analyze their resilience to the query tracking attack (Section 3.1.3). Similarly, the probability of identifying a specific user's query, i.e., the linkability $link[u \rightarrow q \mid BK]$, is $\frac{1}{l_{global}}$ at the most. The association between all users and queries has at least
$$\sum_{i=0}^{l_{global}} (-1)^i \binom{l_{global}}{i} (l_{global} - i)^{k_{global}}$$
kinds of assignments. Hence, the probability that an attacker successfully infers the user's query is
$$1 \Big/ \sum_{i=0}^{l_{global}} (-1)^i \binom{l_{global}}{i} (l_{global} - i)^{k_{global}}.$$
Example 2. Suppose there are the same five users as shown in Table 1. Their cloaked user set $S_i$ and corresponding query set $Q_i$ for snapshot $i$ are listed in Table 3. If an attacker knows user A's cloaked user set and query set during snapshots 1, 2 and 3, he can infer A's query with probability $1/|Q_1 \cap Q_2 \cap Q_3| = 1/2$.
Fig. 8. Snapshots maintenance evaluation.
Fig. 9. Quality of service evaluation.
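The linkability figures of Examples 1 and 2 and the assignment count of Section 5.2 can be reproduced from Tables 2 and 3. The Python below is an added example, not the paper's code; it transcribes those tables as constructed data, and the replay-attack score Prob[S | u, BK] = |S_u ∩ S_obs| / |S_obs| is the form used in Example 1, assumed here for every candidate user.

```python
# Added example (not the paper's code): linkability of the replay and
# query tracking attacks (Section 5) on the cloaked sets of Tables 2
# and 3, plus the assignment count of Section 5.2.
from math import comb
from typing import Dict, List, Set, Tuple

Snapshot = Tuple[Set[str], Set[str]]   # (cloaked user set S_i, query set Q_i)

# Table 2 (algorithms for a single user), transcribed from the paper.
TABLE2: Dict[str, List[Snapshot]] = {
    "A": [({"A", "E"}, {"q1", "q3"})] * 3,
    "B": [({"A", "B", "D"}, {"q1", "q2", "q3"}),
          ({"A", "B", "D"}, {"q1", "q2", "q3"}),
          ({"A", "B", "E"}, {"q1", "q2", "q3"})],
    "C": [({"B", "C", "E"}, {"q1", "q2", "q3"})] * 3,
    "D": [({"A", "B", "D"}, {"q1", "q2", "q3"})] * 3,
    "E": [({"A", "E"}, {"q1", "q3"})] * 3,
}

# Table 3 (algorithms for a batch of users), transcribed from the paper.
TABLE3: Dict[str, List[Snapshot]] = {
    "A": [({"A", "E"}, {"q1", "q3"})] * 3,
    "B": [({"B", "C", "D"}, {"q1", "q2", "q3"})] * 3,
    "C": [({"B", "C", "D"}, {"q1", "q2", "q3"})] * 3,
    "D": [({"B", "C", "D"}, {"q1", "q2", "q3"})] * 3,
    "E": [({"A", "E"}, {"q1", "q3"})] * 3,
}


def tracking_linkability(user: str, table: Dict[str, List[Snapshot]]) -> Tuple[float, Set[str]]:
    """Query tracking attack: link[u -> q | BK] = 1 / |Q_1 ∩ ... ∩ Q_n| over
    the user's snapshots; also returns the common users S_1 ∩ ... ∩ S_n,
    whose size is what the k_global requirement bounds from below."""
    users, queries = table[user][0]
    for s_i, q_i in table[user][1:]:
        users, queries = users & s_i, queries & q_i
    return 1 / len(queries), users


def replay_linkability(observed_users: Set[str], observed_queries: Set[str],
                       table: Dict[str, List[Snapshot]]) -> Dict[str, float]:
    """Replay attack of Example 1: the attacker re-runs cloaking with each
    observed user as input, scores Prob[S | u, BK] = |S_u ∩ S_obs| / |S_obs|
    (assumed form), normalises over the candidates and multiplies by the
    1/|Q_obs| chance of picking the right query."""
    prob = {u: len(table[u][0][0] & observed_users) / len(observed_users)
            for u in observed_users}
    norm = sum(prob.values())
    return {u: p / norm / len(observed_queries) for u, p in prob.items()}


def assignments(k_global: int, l_global: int) -> int:
    """Section 5.2: number of ways to assign l_global query categories onto
    k_global common users so that every category is used at least once,
    sum_{i=0}^{l} (-1)^i C(l, i) (l - i)^k; the attacker succeeds with 1/this."""
    return sum((-1) ** i * comb(l_global, i) * (l_global - i) ** k_global
               for i in range(l_global + 1))


if __name__ == "__main__":
    print("Example 1, B tracked:", tracking_linkability("B", TABLE2))  # (1/3, {'A', 'B'})
    print("Example 1, replay:", replay_linkability({"A", "E"}, {"q1", "q3"}, TABLE2))
    print("Example 2, A tracked:", tracking_linkability("A", TABLE3)[0])  # 0.5
    print("assignments(k=2, l=2):", assignments(2, 2))  # 2
```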
6. Experiments and evaluations
In this section, we evaluate the effectiveness of our proposed algorithms. As, to our knowledge, there is no privacy-preserving approach for continuous queries in road networks, we compare with another algorithm named V-DCA (Wang et al., 2012b) designed for Euclidean space. V-DCA is a continuous query privacy-preserving approach that takes the velocity and acceleration features of users into consideration while cloaking. However, it does not take the underlying road network into consideration, let alone building a network hierarchy to facilitate the cloaking process. The evaluation criteria and metrics are presented, followed by the description of the experiment setup. Then, the evaluation results are discussed in detail.
6.1. Evaluation criteria and metrics
We evaluate the algorithms from three aspects: privacy-preserving ability, quality of service and performance. Cloaking algorithms generate cloaked sets for users meeting their privacy profiles. The predefined parameters, such as $k_{global}$ and $k_{local}$, are the users' privacy requirements. However, the effectiveness of the algorithms depends on the values actually achieved by the cloaked set. Hence, we use the actually achieved values as the metrics to evaluate our framework. Correspondingly, we denote these values as $K_{local}$, $K_{global}$, $L_{local}$, $L_{global}$, $Len$, and $Dis$.
6.1.1. Privacy-preserving ability
For a continuous query, the privacy level depends on the common users and their queries across all the cloaked sets. We use $privacy$ to measure the privacy level of a user in a continuous query, which can be computed as
$$privacy = K_{global} \cdot L_{global}$$
Higher $privacy$ means better privacy preservation. Similarly, we use the number of successfully cloaked snapshots $n$ to measure the maintenance of the algorithms. A better privacy-preserving method can provide service for a user longer, that is, a larger $n$.
6.1.2. Quality of service
We evaluate the quality of service with the average distance of users in a cloaked segment set $Ssg$, as query answers are more accurate within a smaller cloaked region. Hence, a smaller value of distance indicates better quality of service. When cloaking for a single user, the average distance $D_{avg}(u, Ssg_i)$ of the cloaking segment set $Ssg_i$ of the $i$th snapshot is calculated as
$D_{avg}(u, Ssg_i) = \frac{\sum_{i=1}^{K_{local}-1} D(u, u_i)}{K_{local}-1}$
where $u$ is the query issuer and $u_i$ represents user $i$ cloaked with $u$ in $Ssg_i$. The average distance $D_{avg}(u)$ of $n$ consecutive snapshots is
$D_{avg}(u) = \sum_{i=1}^{n} D_{avg}(u, Ssg_i) / n$
Meanwhile, for a batch of users, the average distance is
$D_{avg}(U, Ssg_i) = \frac{\sum_{j=1}^{K_{local}-1} D_{avg}(u_j, Ssg_i)}{K_{local}}$
where $U$ is the user set and $u_j$ represents user $j$ residing in $U$. The average distance of $n$ consecutive snapshots is
$D_{avg}(U) = \sum_{i=1}^{n} D_{avg}(U, Ssg_i) / n$
Fig. 10. Success ratio evaluation.
6.1.3. Performance
We evaluate the performance of our framework from two aspects: cloaking success ratio and cloaking time.
1. Cloaking success ratio: It is the percentage of users that are successfully cloaked:
$SR = \frac{\sum |S|}{|U|}$
where $S$ is the set of successfully cloaked users and $U$ is the set of all the query issuers. A higher cloaking success ratio corresponds to better performance.
2. Cloaking time: We use $t_i$ to represent the cloaking time for snapshot $i$. For a well-performing privacy-preserving mechanism, the cloaking time should be short enough to achieve an enjoyable user experience.
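The metrics defined in this section, together with the query-inference probability of Example 2, can all be computed from the per-snapshot cloaked user sets and query sets that the anonymization server records. The Python block below is an added worked example and not code from the paper or its authors. It uses constructed snapshot data (not the paper's Table 3) and computes $K_{global}$, $L_{global}$, $privacy$, the inference probability $1/|Q_1 \cap \dots \cap Q_n|$, the inclusion-exclusion sum over assignments of $k_{global}$ users to $l_{global}$ queries that appears as the denominator of the attacker's success probability earlier on this page (reading it as a count of surjective assignments is my interpretation), the average distances $D_{avg}$ and the success ratio $SR$. Two further assumptions: Euclidean distance stands in for road-network distance, and the batch average is taken over all users in $U$.

```python
"""Added example: privacy and quality-of-service metrics over cloaked snapshots."""
from math import comb, hypot

# Constructed example data (not the paper's Table 3): for user A, the cloaked
# user set S_i, the query set Q_i and user positions (x, y in km) for snapshots 1..3.
SNAPSHOTS = [
    {"S": {"A", "B", "C", "D"}, "Q": {"q1", "q2", "q3"},
     "pos": {"A": (0.0, 0.0), "B": (1.0, 0.0), "C": (0.0, 2.0), "D": (3.0, 0.0)}},
    {"S": {"A", "B", "C", "E"}, "Q": {"q1", "q2", "q4"},
     "pos": {"A": (0.5, 0.0), "B": (1.5, 0.0), "C": (0.5, 2.5), "E": (0.5, 1.0)}},
    {"S": {"A", "B", "D", "E"}, "Q": {"q1", "q2", "q5"},
     "pos": {"A": (1.0, 0.0), "B": (2.0, 0.0), "D": (4.0, 0.0), "E": (1.0, 1.5)}},
]


def k_global(snapshots):
    """K_global: number of users common to every snapshot's cloaked set."""
    return len(set.intersection(*(s["S"] for s in snapshots)))


def l_global(snapshots):
    """L_global: number of queries common to every snapshot's query set."""
    return len(set.intersection(*(s["Q"] for s in snapshots)))


def privacy(snapshots):
    """privacy = K_global x L_global (Section 6.1.1)."""
    return k_global(snapshots) * l_global(snapshots)


def inference_probability(snapshots):
    """Attacker's chance of guessing the issuer's query from the common
    queries alone: 1 / |Q_1 ∩ ... ∩ Q_n| (as in Example 2)."""
    return 1 / l_global(snapshots)


def surjection_count(k, l):
    """Inclusion-exclusion sum  Σ_{i=0}^{l} (-1)^i C(l, i) (l - i)^k.
    Read as the number of ways k users can be assigned to l queries so that
    every query is issued by at least one user (assumption about the page's formula)."""
    return sum((-1) ** i * comb(l, i) * (l - i) ** k for i in range(l + 1))


def inference_probability_assignment(k, l):
    """1 / surjection_count: the attacker must also pick the right user-to-query assignment."""
    return 1 / surjection_count(k, l)


def d_avg_single(u, snapshot):
    """D_avg(u, Ssg_i): mean distance from issuer u to the other K_local - 1 users
    cloaked with it. Euclidean distance stands in for road distance (assumption)."""
    pos = snapshot["pos"]
    others = [v for v in snapshot["S"] if v != u]
    return sum(hypot(pos[u][0] - pos[v][0], pos[u][1] - pos[v][1])
               for v in others) / len(others)


def d_avg_single_over_snapshots(u, snapshots):
    """D_avg(u) = Σ_{i=1}^{n} D_avg(u, Ssg_i) / n."""
    return sum(d_avg_single(u, s) for s in snapshots) / len(snapshots)


def d_avg_batch(snapshot):
    """D_avg(U, Ssg_i): per-user average distance averaged over the cloaked set.
    The summation range is taken as all users in U (assumption)."""
    users = snapshot["S"]
    return sum(d_avg_single(v, snapshot) for v in users) / len(users)


def success_ratio(successful, issuers):
    """SR = |S| / |U| for one snapshot."""
    return len(successful) / len(issuers)


if __name__ == "__main__":
    print("K_global =", k_global(SNAPSHOTS), "L_global =", l_global(SNAPSHOTS))
    print("privacy =", privacy(SNAPSHOTS))
    print("P(infer A's query) =", inference_probability(SNAPSHOTS))
    print("surjections(4 users onto 3 queries) =", surjection_count(4, 3))
    print("D_avg(A) over 3 snapshots = %.3f km" % d_avg_single_over_snapshots("A", SNAPSHOTS))
    print("D_avg(U, Ssg_1) = %.3f km" % d_avg_batch(SNAPSHOTS[0]))
```

With the constructed data, only users A and B and queries q1 and q2 survive all three snapshots, so $K_{global} = L_{global} = 2$, $privacy = 4$, and an attacker who knows the three cloaked sets guesses A's query with probability 1/2, the same value as Example 2. The batch average distance for snapshot 1 is larger than A's own average, which mirrors the Fig. 9 observation that BATCH considers every user in the region rather than only the centered one.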
6.2. Experiment setup
We use Thomas Brinkhoff's Network-based Generator of Moving Objects (Brinkhoff, 2002) on the road map of Oldenburg. 2000 mobile users are generated moving along the road network at medium speed for 50 snapshots. Users' privacy requirements, such as $k_{local}$ and $l_{local}$, are set randomly within a certain range. For example, the default range of $k_{local}$ and $l_{local}$ is 2–5. The maximum distance limit mentioned in Section 3.2 ranges from 1 km to 6 km. Parameters used in our experiment are listed in Table 4. The default values are used if they are not specifically described in the following experiments.
The simulation experiments are carried out using a PC with a dual-core 2.13 GHz CPU, 4 GB RAM, and the Windows 7 32-bit Ultimate operating system. We implement the algorithms in C++. For all the graphs, SINGLE denotes the proposed cloaking algorithms for a single user and, correspondingly, BATCH denotes those for a batch of users. We run each experiment ten times and take the average values as the evaluation results. The standard deviation error bars are negligible.
6.3. Evaluation results
Figure 7 shows the privacy-preserving abilities of V-DCA and the two types of algorithms we proposed. It can be seen from Fig. 7(a) that our algorithms perform better than V-DCA when the distance exceeds 4 km. Specifically, the privacy of SINGLE remains constant until the distance limit exceeds 4 km, while the privacy of BATCH grows linearly and performs the best among them. Figure 7(b) shows that the privacy of V-DCA and SINGLE stays nearly stable with the change of $k_{local}$ and $l_{local}$ (referred to as local privacy), while that of BATCH keeps increasing and stays much higher than V-DCA and SINGLE. As shown in Fig. 7(c), over time, i.e., as the snapshot number goes up, the privacy of BATCH remains the highest among the three algorithms.
The results of Fig. 7 indicate that BATCH provides the best privacy preservation among the three algorithms. Generally, SINGLE performs better than V-DCA.
Fig. 11. Cloaking time evaluation.
Figure 8 shows that all three algorithms provide privacy preservation for more snapshots with the growth of the distance limit or the increase of the local privacy value (i.e., $k_{local}$ and $l_{local}$). In Fig. 8(a), V-DCA performs well with a strict distance limit but maintains a relatively smaller number of snapshots when the distance limit exceeds 3 km. SINGLE performs better than V-DCA because of its consideration of users' moving trend and distance relations. BATCH is more easily influenced by the distance limit because it needs to balance the privacy requirements, users' velocities and the distance among users in a cloaked region. It performs the best and can achieve nearly 50 snapshots with a looser distance limit. Figure 8(b) shows that local privacy can hardly affect the maintenance of SINGLE or BATCH. They perform well even if local privacy is very low. V-DCA can successfully cloak for 50 snapshots when local privacy is larger than 4. This is because more users are cloaked for the first snapshot and are candidates to be chosen into the cloaked sets for the following snapshots. The results of Fig. 8 indicate that a looser distance limit and a higher local privacy are conducive to the maintenance of queries. However, the number of maintained snapshots grows slowly while the distance limit and local privacy increase greatly.
We use average distance to measure the quality of service. As shown in Fig. 9, BATCH has a larger average distance than the other two because it considers all users in the cloaked region, instead of only the centered user, to provide an efficient cloaking function. Since we take the moving trend and distance difference into the cloaking process, SINGLE can provide better quality of service than V-DCA in the long run. The three algorithms can effectively select users staying together in the following snapshots because of their consideration of users' movement features. In addition, all of them perform fairly steadily with the change of distance limit, local privacy and snapshot numbers. Combined with Figs. 7 and 8, this shows that our proposed algorithms have a good balance between privacy and quality of service.
Figure 10 evaluates the success ratio as influenced by the distance limit and the local privacy. It is obvious that SINGLE and BATCH obtain a higher success ratio than V-DCA under the same distance limit and local privacy requirements, because they take the underlying road network properties into account. Furthermore, BATCH performs the best due to the validity of the cloaked set for all the users within the region. Our proposed algorithms can maintain many more users than V-DCA in the long run. In particular, BATCH can successfully anonymize about 45 percent of users even at the 50th snapshot.
Figure 11 shows the average cloaking time for each user with these three algorithms. It can be seen that SINGLE takes approximately one tenth of the time that V-DCA takes, and BATCH only takes about a twentieth of the time that SINGLE takes, except for the first snapshot. The main reason is that SINGLE and BATCH are based on the Snet hierarchy structure, which improves the speed of retrieving users to be cloaked together. Furthermore, BATCH cloaks for a batch of users instead of a single user at one time; as a result, it is more efficient.
From all the evaluated results, we can conclude that our proposed algorithms achieve better privacy preservation than V-DCA while maintaining quality of service and improving the success ratio. Thanks to the initial process of building the Snet hierarchy, the cloaking time can be decreased.
7. Conclusion
In this paper, we proposed a fast continuous LBS query privacy-preserving framework in road networks. As shown above, the framework considers the topological properties of the road network when providing privacy-preserving mechanisms for a single user and a batch of users. The analysis and experimental results indicate that our algorithms can resist typical attacks and preserve users' query privacy effectively in road networks.
References
Bamba B, Liu L, Pesti P, Wang T. Supporting anonymous location queries in mobile environments with PrivacyGrid. In: 17th international conference on World Wide Web (WWW); 2008. p. 237–46.
Bao J, Chen H, Ku WS. Pros: a peer-to-peer system for location privacy protection on road networks. In: 17th ACM SIGSPATIAL international conference on advances in geographic information systems (GIS); 2009. p. 552–3.
Bettini C, Jajodia S, Pareschi L. Anonymity and diversity in LBS: a preliminary investigation. In: 5th IEEE international conference on pervasive computing and communications workshops (PERCOMW); 2007. p. 577–80.
Brinkhoff T. A framework for generating network-based moving objects. GeoInformatica 2002;6(2):153–80.
Chor B, Kushilevitz E, Goldreich O, Sudan M. Private information retrieval. J ACM 1998;45.
Chow C-Y, Mokbel MF. Enabling private continuous queries for revealed user locations. In: Proceedings of 10th international conference on advances in spatial and temporal databases (SSTD); 2007. p. 258–73.
Chow C-Y, Mokbel MF, Bao J, Liu X. Query-aware location anonymization for road networks. GeoInformatica 2011;15(3):571–607.
Domingo-Ferrer J. Microaggregation for database and location privacy. In: 6th international conference on next generation information technologies and systems (NGITS); 2006. p. 106–16.
Durr F, Skvortsov P, Rothermel K. Position sharing for location privacy in non-trusted systems. In: 2011 IEEE international conference on pervasive computing and communications (PERCOM); 2011. p. 189–96.
Freudiger J, Shokri R, Hubaux J-P. On the optimal placement of mix zones. In: 9th international symposium on privacy enhancing technologies (PETS); 2009. p. 216–34.
Gedik B, Liu L. Protecting location privacy with personalized k-anonymity: architecture and algorithms. IEEE Trans Mob Comput 2008;7(1):1–18.
Ghinita G, Kalnis P, Khoshgozaran A, Shahabi C, Tan K-L. Private queries in location based services: anonymizers are not necessary. In: Proceedings of the ACM SIGMOD international conference on management of data; 2008.
Gruteser M, Grunwald D. Anonymous usage of location-based services through spatial and temporal cloaking. In: 1st international conference on mobile systems, applications and services (MobiSys); 2003. p. 31–42.
Guha S, Jain M, Padmanabhan VN. Koi: a location-privacy platform for smartphone apps. In: Proceedings of the NSDI '12; 2012.
Huang Y, Vishwanathan R. Privacy preserving group nearest neighbor queries in location-based services using cryptographic techniques. In: Global telecommunications conference (GLOBECOM); 2010. p. 1–5.
Kalnis P, Ghinita G, Mouratidis K, Papadias D. Preventing location-based identity inference in anonymous spatial queries. IEEE Trans Knowl Data Eng 2007;19(12):1719–33.
Kolahdouzan M, Shahabi C. Voronoi-based K nearest neighbor search for spatial network databases. In: Thirtieth international conference on very large data bases, vol. 30 (VLDB); 2004. p. 840–51.
Ku WS, Zimmermann R, Peng WC, Shroff S. Privacy protected query processing on spatial networks. In: 2007 IEEE 23rd international conference on data engineering workshop (PDM); 2007. p. 215–20.
Li XY, Jung T. Search me if you can: privacy-preserving location query service. In: Proceedings of the IEEE INFOCOM; 2013.
Liu FY, Hua KA, Cai Y. Query l-diversity in location-based services. In: 2009 tenth international conference on mobile data management: systems, services and middleware (MDM); 2009. p. 436–42.
Liu XX, Zhao H, Pan M, Yue H, Li X, Fang Y. Traffic-aware multiple mix zone placement for protecting location privacy. In: IEEE INFOCOM; 2012. p. 972–80.
Mokbel MF, Chow CY, Aref WG. The new Casper: query processing for location services without compromising privacy. In: 32nd international conference on very large data bases (VLDB); 2006. p. 763–74.
Mouratidis K, Yiu ML. Anonymous query processing in road networks. IEEE Trans Knowl Data Eng 2010;22(1):2–15.
Narayanan A, Thiagarajan N, Lakhani M, Hamburg M, Boneh D. Location privacy via private proximity testing. In: Proceedings of the network and distributed system security conference; 2011.
Olumofin F, Tysowski PK, Goldberg I, Hengartner U. Achieving efficient query privacy for location based services. In: 10th international conference on privacy enhancing technologies (PETS); 2010. p. 93–110.
Palanisamy B, Liu L. MobiMix: protecting location privacy with mix-zones over road networks. In: 2011 IEEE 27th international conference on data engineering (ICDE); 2011. p. 494–505.
Pan X, Xu J, Meng X. Protecting location privacy against location-dependent attacks in mobile services. IEEE Trans Knowl Data Eng 2012;24(8):1506–19.
Papadias D, Zhang J, Mamoulis N, Tao Y. Query processing in spatial network databases. In: 29th international conference on very large data bases, vol. 29 (VLDB); 2003. p. 802–13.
Papadopoulos S, Bakiras S, Papadias D. Nearest neighbor search with strong location privacy. In: Proceedings of the VLDB endowment; 2010.
Pingley A, Zhang N, Fu XW, Choi H-A, Subramaniam S, Zhao W. Protection of query privacy for continuous location based services. IEEE INFOCOM 2011:1710–8.
Samarati P, Sweeney L. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical Report SRI-CSL-98-04. Computer Science Laboratory, SRI International; 1998.
Wang T, Liu L. Privacy-aware mobile services over road networks. In: Proceedings of the VLDB endowment, vol. 2, issue no. 1; 2009. p. 1042–53.
Wang Y, Xu DB, He X, Zhang C, Li F, Xu B. L2P2: location-aware location privacy protection for location-based services. In: IEEE INFOCOM; 2012. p. 1996–2004.
Wang Y, He HL, Peng J, Zhang TT, Li HZ. Privacy preserving for continuous query in location based services. In: IEEE 18th international conference on parallel and distributed systems (ICPADS); 2012. p. 213–20.
Wang Y, Peng J, He LP, Zhang TT, Li HZ. LBSs privacy preserving for continuous query based on semi-honest third parties. In: IEEE 31st international performance computing and communications conference (IPCCC); 2012. p. 384–91.
Zhong G, Goldberg I, Hengartner U. Louis, Lester and Pierre: three protocols for location privacy. In: Proceedings of the 7th international conference on privacy enhancing technologies; 2007.