Privacy-Preserving Data Publishing Donghui Zhang Northeastern University Acknowledgement: some...

Privacy-Preserving Data Publishing

Donghui Zhang

Northeastern University

Acknowledgement: some slides come from Yufei Tao and Dimitris Sacharidis.

motivation

• several agencies, institutions, bureaus, organizations make (sensitive) data involving people publicly available– termed microdata (vs. aggregated macrodata) used for analysis– often required and imposed by law

• to protect privacy microdata are sanitized– explicit identifiers (SSN, name, phone #) are removed

• is this sufficient for preserving privacy?

• no! susceptible to link attacks– publicly available databases (voter lists, city directories) can reveal the

“hidden” identity

link attack example

• [Sweeney01] managed to re-identify the medical record of the governor of Massachussetts

– MA collects and publishes sanitized medical data for state employees (microdata) left circle

– voter registration list of MA (publicly available data) right circle

• looking for governor’s record• join the tables:

– 6 people had his birth date– 3 were men– 1 in his zipcode

• regarding the US 1990 census data– 87% of the population are unique based on (zipcode, gender,

dob)

Microdata

Name Age Zipcode DiseaseBob 21 12000 dyspepsia

Alice 22 14000 bronchitisAndy 24 18000 fluDavid 23 25000 gastritisGary 41 20000 fluHelen 36 27000 gastritisJane 37 33000 dyspepsiaKen 40 35000 flu

Linda 43 26000 gastritisPaul 52 33000 dyspepsiaSteve 56 34000 gastritis

Inference Attack

Published table

An adversary

Quasi-identifier (QI) attributes

Age Zipcode Disease21 12000 dyspepsia22 14000 bronchitis24 18000 flu23 25000 gastritis41 20000 flu36 27000 gastritis37 33000 dyspepsia40 35000 flu43 26000 gastritis52 33000 dyspepsia56 34000 gastritis

Name Age ZipcodeBob 21 12000

k-anonymity [Samarati and Sweeney02]• Transform the QI values into less specific forms

generalize

Age Zipcode Disease21 12000 dyspepsia22 14000 bronchitis24 18000 flu23 25000 gastritis41 20000 flu36 27000 gastritis37 33000 dyspepsia40 35000 flu43 26000 gastritis52 33000 dyspepsia56 34000 gastritis

Age Zipcode Disease[21, 22] [12k, 14k] dyspepsia[21, 22] [12k, 14k] bronchitis[23, 24] [18k, 25k] flu[23, 24] [18k, 25k] gastritis[36, 41] [20k, 27k] flu[36, 41] [20k, 27k] gastritis[37, 43] [26k, 35k] dyspepsia[37, 43] [26k, 35k] flu[37, 43] [26k, 35k] gastritis[52, 56] [33k, 34k] dyspepsia[52, 56] [33k, 34k] gastritis

Generalization

• Transform each QI value into a less specific form

A generalized table

An adversary



Graphically…

12000

14000

18000

25000

20000

2600027000

330003400035000

21 22 23 24 36 37 40 41 43 52 56

Bob

Alice

Why not…

12000

14000

18000

25000

20000

2600027000

330003400035000

21 22 23 24 36 37 40 41 43 52 56

How many people with age in [30, 50] contracted flu?

k-anonymity



How many people with age in [30, 50] contracted flu?

generalization with low utility:

answer less accurately: [0..3]

generalization with high utility:

answer queries more accurately: 2.

k-anonymity with utility

• Among all generalizations that enforce k-anonymity, we should maximize utility by minimizing the “rectangle” sizes!

• Several measures. E.g. to minimize the maximal perimeter size of the rectangles.

Mondrian [LDR06]

Recursive half-plane partitioning, alternating dimensions.

let k=2

Mondrian [LDR06]

Unbounded approximation ratio!

let k=4

Our contributions [DXT+07]

• Proved that to find the optimal partitioning is NP-hard.

• Proved that to find a partitioning with approximation ratio less than 1.25 is also NP-hard.

• Provided three algorithms with tradeoffs in complexity and approximation ratio.

Divide-And-Group (DAG)

• Divide the space into square cells with proper size

• Find a set of non-overlapping tiles of 2 x 2 cells to cover the points, such that each tile covers at least k points

• Assign the rest of (uncovered) points to the nearest tile

Min-MBR-Group (MMG)

• For each point p, find the smallest MBR which covers at least k points including p

• Find a set of non-overlapping MBRs from the result of previous step

• Assign the points to the nearest MBR

Nearest-Neighbor-Group (NNG)

• For each point p, find the MBR which covers p and its k-1 nearest neighbors

• Find a set of non-overlapping MBRs from the result of previous step

• Assign the points to the nearest MBR

Analysis

Algorithm Complexity Approximation Ratio

DAG O(3d d n log2n) 8d

MMG O(d n2d+1) 2d+1

NNG O(d n2) 6d

• In a QI group, if many records have the same sensitive attribute value...

Drawback of k-anonymity

Quasi-identifier (QI) attributes Sensitive attribute

Age Sex Zipcode Disease[21, 40] M [10001, 60000] pneumonia[30, 60] M [10001, 60000] dyspepsia[30, 60] M [10001, 60000] dyspepsia[21, 40] M [10001, 60000] pneumonia[61, 65] F [10001, 60000] flu[63, 70] F [10001, 60000] gastritis[61, 65] F [10001, 60000] flu[63, 70] F [10001, 60000] bronchitis

If Bob is in this

group, he must

have

pneumonia.

l-diversity [ICDE06]

• A QI-group with m tuples is l-diverse, iff each sensitive value appears no more than m / l times in the QI-group.

• A table is l-diverse, iff all of its QI-groups are l-diverse.

• The above table is 2-diverse.

2 QI-groups

Quasi-identifier (QI) attributes Sensitive attribute


What l-diversity guarantees

• From an l-diverse generalized table, an adversary (without any prior knowledge) can infer the sensitive value of each individual with confidence at most 1/l


Name Age Sex ZipcodeBob 23 M 11000

A 2-diverse generalized table

A. Machanavajjhala et al. l-Diversity: Privacy Beyond k-Anonymity.

ICDE 2006

Problem with multi-publishing

• A hospital keeps track of the medical records collected in the last three months.

• The microdata table T(1), and its generalization T*(1), published in Apr. 2007.




Microdata T(1)

G. ID Age Zipcode Disease1 [21, 22] [12k, 14k] dyspepsia1 [21, 22] [12k, 14k] bronchitis2 [23, 24] [18k, 25k] flu2 [23, 24] [18k, 25k] gastritis3 [36, 41] [20k, 27k] flu3 [36, 41] [20k, 27k] gastritis4 [37, 43] [26k, 35k] dyspepsia4 [37, 43] [26k, 35k] flu4 [37, 43] [26k, 35k] gastritis5 [52, 56] [33k, 34k] dyspepsia5 [52, 56] [33k, 34k] gastritis

2-diverse Generalization T*(1)


• Bob was hospitalized in Mar. 2007





• One month later, in May 2007




Microdata T(1)


• One month later, in May 2007• Some obsolete tuples are deleted from the microdata.

Microdata T(1)





• Bob’s tuple stays.

Microdata T(1)


David 23 25000 gastritisGary 41 20000 fluJane 37 33000 dyspepsia

Linda 43 26000 gastritisSteve 56 34000 gastritis


• Some new records are inserted.

Microdata T(2)


David 23 25000 gastritisEmily 25 21000 fluJane 37 33000 dyspepsia

Linda 43 26000 gastritisGary 41 20000 fluMary 46 30000 gastritisRay 54 31000 dyspepsia

Steve 56 34000 gastritisTom 60 44000 gastritis

Vince 65 36000 flu


• The hospital published T*(2).





Vince 65 36000 flu

Microdata T(2)

G. ID Age Zipcode Disease1 [21, 23] [12k, 25k] dyspepsia1 [21, 23] [12k, 25k] gastritis2 [25, 43] [21k, 33k] flu2 [25, 43] [21k, 33k] dyspepsia3 [25, 43] [21k, 33k] gastritis3 [41, 46] [20k, 30k] flu4 [41, 46] [20k, 30k] gastritis4 [54, 56] [31k, 34k] dyspepsia4 [54, 56] [31k, 34k] gastritis5 [60, 65] [36k, 44k] gastritis5 [60, 65] [36k, 44k] flu



• Consider the previous adversary.


G. ID Age Zipcode Disease1 [21, 23] [12k, 25k] dyspepsia1 [21, 23] [12k, 25k] gastritis2 [25, 43] [21k, 33k] flu2 [25, 43] [21k, 33k] dyspepsia3 [25, 43] [21k, 33k] gastritis3 [41, 46] [20k, 30k] flu4 [41, 46] [20k, 30k] gastritis4 [54, 56] [31k, 34k] dyspepsia4 [54, 56] [31k, 34k] gastritis5 [60, 65] [36k, 44k] gastritis5 [60, 65] [36k, 44k] flu



• What the adversary learns from T*(1).

• What the adversary learns from T*(2).

• So Bob must have contracted dyspepsia!• A new generalization principle is needed.


G. ID Age Zipcode Disease1 [21, 22] [12k, 14k] dyspepsia1 [21, 22] [12k, 14k] bronchitis

……


G. ID Age Zipcode Disease1 [21, 23] [12k, 25k] dyspepsia1 [21, 23] [12k, 25k] gastritis

……

m-invariance [SIGMOD07]

• A sequence of generalized tables T*(1), …, T*(n) is m-invariant, if and only if– T*(1), …, T*(n) are m-unique, and– each individual has the same signature in every gener

alized table s/he is involved.

• Explanation– m-unique: every QI group contains at least m tuples w

ith different sensitive attributes– signature: all the sensitive attributes in the individual’s

QI group.

m-unique

• A generalized table T*(j) is m-unique, if and only if – each QI-group in T*(j) contains at least m tuples– all tuples in the same QI-group have different sensitive values.


A 2-unique generalized table

Signature

• The signature of Bob in T*(1) is {dyspepsia, bronchitis}

• The signature of Jane in T*(1) is {dyspepsia, flu, gastritis}

Name G.ID Age Zipcode DiseaseBob 1 [21, 22] [12k, 14k] dyspepsia

Alice 1 [21, 22] [12k, 14k] bronchitis… … … … …

Jane 4 [37, 43] [26k, 35k] dyspepsiaKen 4 [37, 43] [26k, 35k] flu

Linda 4 [37, 43] [26k, 35k] gastritis… … … … …

T*(1)

The m-invariance principle

• Lemma: if a sequence of generalized tables {T*(1), …, T*(n)} is m-invariant, then for any individual o involved in any of these tables, we have

risk(o) <= 1/m

The m-invariance principle

• Lemma: let {T*(1), …, T*(n-1)} be m-invariant. {T*(1), …, T*(n-1), T*(n)} is also m-invariant, if and only if {T*(n-1), T*(n)} is m-invariant

• Only T*(n - 1) is needed for the generation of T*(n).

T*(1), T*(2), …, T*(n-2), T*(n-1), T*(n)

Can be discarded

Solution idea

• Goal: Given T(n) and T*(n-1), create T*(n) such that {T*(n-1) and T*(n)} is m-invariant.

• Idea: create counterfeits.

• Optimization goal: to impose as little amount of generalization as possible.

Name Group-ID Age Zipcode DiseaseBob 1 [21, 22] [12k, 14k] dyspepsiac1 1 [21, 22] [12k, 14k] bronchitis

David 2 [23, 25] [21k, 25k] gastritisEmily 2 [23, 25] [21k, 25k] fluJane 3 [37, 43] [26k, 33k] dyspepsiac2 3 [37, 43] [26k, 33k] flu

Linda 3 [37, 43] [26k, 33k] gastritisGary 4 [41, 46] [20k, 30k] fluMary 4 [41, 46] [20k, 30k] gastritisRay 5 [54, 56] [31k, 34k] dyspepsia

Steve 5 [54, 56] [31k, 34k] gastritisTom 6 [60, 65] [36k, 44k] gastritis

Vince 6 [60, 65] [36k, 44k] flu

Counterfeited generalization T*(2)

Group-ID Count

1 13 1

The auxiliary relation R(2) for T*(2)





Vince 65 36000 flu

Microdata T(2)

Name G.ID Age Zipcode DiseaseBob 1 [21, 22] [12k, 14k] dyspepsiac1 1 [21, 22] [12k, 14k] bronchitis




Vince 6 [60, 65] [36k, 44k] flu

Counterfeited Generalization T*(2)

Group-ID Count

1 13 1

The auxiliary relation R(2) for T*(2)


Alice 1 [21, 22] [12k, 14k] bronchitisAndy 2 [23, 24] [18k, 25k] fluDavid 2 [23, 24] [18k, 25k] gastritisGary 3 [36, 41] [20k, 27k] fluHelen 3 [36, 41] [20k, 27k] gastritisJane 4 [37, 43] [26k, 35k] dyspepsiaKen 4 [37, 43] [26k, 35k] flu

Linda 4 [37, 43] [26k, 35k] gastritisPaul 5 [52, 56] [33k, 34k] dyspepsiaSteve 5 [52, 56] [33k, 34k] gastritis

Generalization T*(1)


Name G.ID Age Zipcode DiseaseBob 1 [21, 22] [12k, 14k] dyspepsiac1 1 [21, 22] [12k, 14k] bronchitis




Vince 6 [60, 65] [36k, 44k] flu



Alice 1 [21, 22] [12k, 14k] bronchitisAndy 2 [23, 24] [18k, 25k] fluDavid 2 [23, 24] [18k, 25k] gastritisGary 3 [36, 41] [20k, 27k] fluHelen 3 [36, 41] [20k, 27k] gastritisJane 4 [37, 43] [26k, 35k] dyspepsiaKen 4 [37, 43] [26k, 35k] flu

Linda 4 [37, 43] [26k, 35k] gastritisPaul 5 [52, 56] [33k, 34k] dyspepsiaSteve 5 [52, 56] [33k, 34k] gastritis


• A sequence of generalized tables T*(1), …, T*(n) is m-invariant, if and only if– T*(1), …, T*(n) are m-unique, and– each individual has the same signature in every generalized tabl

e s/he is involved.

In case of corruption…

• If an adversary knows from Alice that she has bronchitis, he can conclude that Bob has dyspepsia.




Microdata


2-diverse Generalization

Anti-corruption publishing [ICDE08]

• We formalized anti-corruption publishing, by modeling the degree of privacy preservation as a function of an adversary’s background knowledge.

• We proposed a solution, by integrating generalization with– perturbation: switch selected records’ sensitive

information.– stratified sampling: sample some records from each

QI group.

Summary

• Introduced the problem of privacy-preserving publishing.

• Two principles:– k-anonymity– l-diversity

• Two extensions:– multi-publishing– corruption

Privacy-Preserving Data Publishing Donghui Zhang Northeastern University Acknowledgement: some...

Documents

Transcript of Privacy-Preserving Data Publishing Donghui Zhang Northeastern University Acknowledgement: some...