PRIVÉ: Anonymous Location-Based Queries in Distributed Mobile Systems

Gabriel Ghinita (1), Panos Kalnis (1), Spiros Skiadopoulos (2)
1 National University of Singapore, {ghinitag,kalnis}@comp.nus.edu.sg
2 University of Peloponnese, Greece, [email protected]

PowerPoint presentation transcript, 34 slides. Posted Jan 07, 2016.

Page 1: Title slide (title, authors and affiliations as above)

Page 2: Location-Based Services (LBS)

• LBS users: mobile devices with GPS capabilities
• Spatial database queries: NN and range queries
• Location server is NOT trusted
• Example: “Find closest hospital to my present location”

Page 3: Problem Statement

• Queries may disclose sensitive information
• Query through an anonymous web surfing service
• But the user's location may still disclose identity: triangulation of the device signal, publicly available databases, physical surveillance
• How to preserve query source anonymity, even when exact user locations are known?

Page 4: Solution Overview

• Anonymizing Spatial Region (ASR): identification probability ≤ 1/K
• Minimize overhead: reduce ASR extent, fast ASR assembly time
• Support user mobility

Page 5: Central Anonymizer Architecture

• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure

Page 6: PRIVÉ Architecture (figure)

Page 7: K-Anonymity*

(a) Microdata

Age   ZipCode   Disease
42    25000     Ulcer
46    35000     Pneumonia
50    20000     Flu
54    40000     Gastritis
48    50000     Dyspepsia
56    55000     Bronchitis

(b) Voting Registration List (public)

Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

Page 8: K-Anonymity*

(a) 2-anonymous microdata

Age     ZipCode       Disease
42-46   25000-35000   Ulcer
42-46   25000-35000   Pneumonia
50-54   20000-40000   Flu
50-54   20000-40000   Gastritis
48-56   50000-55000   Dyspepsia
48-56   50000-55000   Bronchitis

(b) Voting Registration List (public)

Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000

* L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

Page 9: Relational and Spatial Anonymity

(Figure: the records above plotted with Age (42–56) on the horizontal axis and Zip (20k–55k) on the vertical axis)

Page 10: Existing Cloaking Solutions

Page 11: Redundant Queries

• Send K-1 redundant queries
• Gives away the exact location of users
• Potentially high overhead

Page 12: CloakP2P [Chow06]

• Find the K-1 NN of the query source
• Source likely to be closest to the ASR center
• Vulnerable to the “center-of-ASR” attack: NOT SECURE !!!

(Figure: querying user uq and its 5-ASR)

[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06

Page 13: QuadASR [Gru03, Mok06]

• Quad-tree based
• Fails to preserve anonymity for outliers
• Unnecessarily large ASR size

(Figure: users u1, u2, u3, u4 and quadrants A1, A2)
• Let K=3
• If any of u1, u2, u3 queries, ASR is A1
• If u4 queries, ASR is A2
• u4’s identity is disclosed

NOT SECURE !!!

[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

Page 14: Secure Location Anonymization

Page 15: Reciprocity

Consider querying user uq and ASR Aq. Let ASq = {set of users enclosed by Aq}.

Aq has the reciprocity property iff
  i.  |ASq| ≥ K
  ii. ∀ ui, uj ∈ ASq: ui ∈ ASj and uj ∈ ASi

Page 16: hilbASR

• Based on the Hilbert space-filling curve
• Index users by the Hilbert value of their location
• Partition the Hilbert sequence into “K-buckets”

(Figure: Hilbert curve from Start to End over the user locations)

Page 17: Advantages of hilbASR

• Guarantees source privacy: K-ASRs have the “reciprocity” property
• Reduced ASR size: Hilbert ordering preserves locality well; a K-ASR includes exactly K users (in most cases)
• Efficient ASR assembly and user relocation: balanced, annotated index tree; user relocation and ASR assembly in O(log #users)
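As an added illustration (not code from the slides or the PRIVÉ authors), the Python below builds the K-buckets of hilbASR over a Hilbert ordering, checks the reciprocity definition of slide 15, and measures the center-of-ASR attack of slide 12 against both hilbASR and a CloakP2P-style K-1 nearest-neighbour cloak; the grid size n, K and the 30 users spaced along one road are constructed values.

```python
# Added example (not the PRIVÉ authors' code): hilbASR K-buckets plus the
# reciprocity and center-of-ASR checks from the slides; n, K, users are constructed.
def hilbert_d(n, x, y):
    """Hilbert distance of cell (x, y) on an n x n grid, n a power of two."""
    d, s = 0, n // 2
    while s > 0:
        rx, ry = (1 if x & s else 0), (1 if y & s else 0)
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                       # rotate/flip the sub-square
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

def hilb_asr(users, k, uq, n=64):
    """hilbASR: sort users by Hilbert value, cut the sequence into K-buckets;
    a trailing remainder (< K users) joins the last bucket, so K <= size < 2K."""
    seq = sorted(users, key=lambda u: hilbert_d(n, *users[u]))
    buckets = [seq[i:i + k] for i in range(0, len(seq), k)]
    if len(buckets) > 1 and len(buckets[-1]) < k:
        buckets[-2].extend(buckets.pop())
    return frozenset(next(b for b in buckets if uq in b))

def nn_asr(users, k, uq):
    """CloakP2P-style ASR: uq together with its K-1 nearest neighbours."""
    ux, uy = users[uq]
    return frozenset(sorted(users, key=lambda u: (users[u][0] - ux) ** 2
                            + (users[u][1] - uy) ** 2)[:k])

def has_reciprocity(users, k, asr):
    """Slide 15: |AS| >= K and every uj in ASi gets the same ASR as ui."""
    for ui in users:
        as_i = asr(users, k, ui)
        if len(as_i) < k or any(asr(users, k, uj) != as_i for uj in as_i):
            return False
    return True

def center_attack_rate(users, k, asr):
    """Fraction of sources a center-of-ASR attacker (all locations and the
    ASR box known) identifies by picking the member nearest the box center."""
    hits = 0
    for uq in users:
        ms = asr(users, k, uq)
        xs, ys = [users[u][0] for u in ms], [users[u][1] for u in ms]
        cx, cy = (min(xs) + max(xs)) / 2, (min(ys) + max(ys)) / 2
        hits += min(ms, key=lambda u: (users[u][0] - cx) ** 2
                    + (users[u][1] - cy) ** 2) == uq
    return hits / len(users)

USERS = {f"u{i}": (2 * i, 20) for i in range(30)}  # 30 users along one road
```

On this constructed data the nearest-neighbour cloak is not reciprocal and the center guess identifies 28 of the 30 sources, while hilbASR is reciprocal and the guess succeeds for exactly 1/K of the users.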

Page 18: hilbASR with Annotated Index

(Figure: K=6 example)

Page 19: PRIVÉ

Page 20: PRIVÉ Characteristics

• P2P overlay network
• Resembles an annotated B+-tree
• Hierarchical clustering architecture
• Bounded cluster size [,3)

(Figure: S relocates to 60)

Page 21: Relocation (figure)

Page 22: Load Balancing

• Hierarchical architecture: inherent imbalance in peer load
• Cluster head rotation mechanism: rotation triggered by load
• Communication cost predominant

Page 23: Fault Tolerance

• Soft-state mechanism: cluster membership periodically updated
• Recovery facilitated by state replication
• Leader election protocol in case of cluster head failure

Page 24: Experimental Evaluation

Page 25: Experimental Setup

• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
• Up to 10000 users; velocities from 18 to 68 km/h
• Uniform and skewed query distributions
• Anonymity degree K in the range [10, 160]

* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

Page 26: Anonymity Strength (center-of-ASR) (figure)

Page 27: ASR Size (figure)

Page 28: Query Efficiency (figure)

Page 29: Relocation Efficiency (figure)

Page 30: Load Balancing

(Figure: node fraction, 0% to 100%, on one axis)

Page 31: Conclusions

• LBS privacy is an important concern
• Existing solutions have no privacy guarantees
• The centralized approach has limitations: poor scalability, legal issues
• Contribution: anonymization with privacy guarantees (hilbASR)
• Extension to decentralized systems: improved scalability and availability, no single point of attack/failure

Page 32: Bibliography on LBS Privacy

http://anonym.comp.nus.edu.sg

Page 33: Bibliography

[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[Ged05] – Gedik et al, Location Privacy in Mobile Systems: A Personalized Anonymization Model, ICDCS 2005
[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006

Page 34: MobiHide

Randomized ASR assembly technique:
• Also uses Hilbert ordering; the ASR is chosen as a random K-user sequence
• Advantages: no global knowledge required; flat index structure (Chord DHT)
• Disadvantages: no privacy guarantees for skewed query distributions, but still strong anonymity in practice