Template-Based Privacy Preservation in Classification Problems IEEE ICDM 2005 Benjamin C. M. Fung Simon Fraser University BC, Canada Ke Wang Simon Fraser University BC, Canada Philip S. Yu IBM T.J. Watson Research Center
2 Outline Privacy threats caused by data mining abilities Our method: Progressive Disclosure Algorithm Experimental evaluation Related works Conclusions
3 Privacy Concern Most previous works concern the input of data mining tools where private information is revealed directly by inspection of the data without sophisticated analysis. Our privacy concern is on the output of data mining methods. –The aggregate patterns can be used to infer sensitive information about individuals.
Motivating Example: A data owner wants to release a table to a data mining firm for classification analysis on Rating, but does not want the firm to infer the bankruptcy state Discharged using the attributes Job and Country. This work aims at releasing data with dual goals: –Preserve information for wanted classification analysis. –Limit usefulness of unwanted sensitive inferences.
5 Motivating Example: A data owner wants to release a table to a data mining firm for classification analysis on Rating, but does not want the firm to infer the bankruptcy state Discharged using the attributes Job and Country. Inference: {Trader,UK} Discharged Confidence = 4/5 = 80% An inference is sensitive if its confidence > threshold.
6 Eliminate Low Support Inferences? In data mining, association or classification rules are used to capture general patterns of large populations. –A low support means the lack of statistical significance. In privacy protection, inference rules are used to infer sensitive information about individuals. –Eliminate sensitive inferences of any support. –In fact, a sensitive inference in a small group could present even more threats because individuals in a small group are more identifiable.
7 The Problem Consider a table T(M 1,…,M m, 1, …, n, ) Classification goal: Modeling class attribute Privacy goal: Limit sensitive inferences on i –Specified by one or more templates –IC is a set of attributes containing some masking attributes M j, e.g., IC = {Job, Country} – is a value from some i, e.g., = Discharged –h is a threshold on confidence –ic is an inference, where ic contains values from IC –T satisfies if every matching inference ic has a confidence conf(ic ) ≤ h.
8 Flexibility of Templates Selectively protecting certain values while not protecting other values. Specifying a different threshold h for a different template IC . Specifying multiple inference channels ICs (even for the same ). Specifying templates for multiple sensitive attributes. These flexibilities minimize unnecessary masking, i.e., minimize unnecessary information loss.
9 Achieve goals by suppressing some values on masking attributes M 1,…,M m To eliminate {Trader,UK} Discharged –Suppress Trader and Clerk to Job –Suppress UK and Canada to Country –Reduced confidence = 5/10 = 50%
10 Challenges Incorrect suppression may eliminate some desired classification structures for modeling . Finding an optimal suppression is hard. –For a table with a total of q distinct values on masking attributes, there are 2 q possible suppressed tables. –We present an approximate solution based on a search that iteratively improves the solution and prunes the search whenever no better solution is possible.
11 The Algorithm Progressive Disclosure Algorithm (PDA) iteratively discloses domain values starting from the most suppressed T in which each masking attribute M j in ∪ IC contains only j. Sup j contains all currently suppressed values in M j. In each iteration, disclose one suppressed value w. To disclose a value w from Sup j, we replace j with w in all suppressed records that currently contain j and originally contain w before suppression. This process repeats until no disclosure is possible without violating the set of templates.
12 Progressive Disclosure Algorithm (PDA) 1: suppress every value of M j to j where M j ∪ IC; 2: every Sup j contains all domain values of M j ∪ IC; 3: while there is a candidate in ∪ Sup j do 4: find winner w of highest Score(w) from ∪ Sup j ; 5: disclose w on T and remove w from ∪ Sup j ; 6: update Score(x) and status for x in ∪ Sup j ; 7: end while 8: output the suppressed T and ∪ Sup j ;
Conf = 5 / 24 = 21%Conf = 1 / 4 = 25%
14 Search Criteria: Score Disclosing a value v gains information and loses privacy Score(v) measures the information gain per unit of privacy loss. InfoGain measures the information gain of disclosing v.
15 Search Criteria: Score PrivLoss measures the privacy loss of disclosing v, defined as the average increase of Conf(IC ) over all affected IC . where Conf and Conf v represent the confidence before and after disclosing v. The key to the scalability of our algorithm is incrementally updating Score(v) in each iteration for candidates v in ∪ Sup j. (see paper for details)
16 Cost Analysis At each iteration, the cost can be summarized as two operations. 1.Scan the partitions on Link[ w ] for disclosing the winner w and maintaining some count statistics. 2.Make use of the count statistics to update the score and status of every affected candidate without accessing data records. Thus, each iteration accesses only the records suppressed to w. The number of iterations is bounded by the number of distinct values in the masking attributes.
17 Experimental Evaluation Data quality –Experiment with a broad range of templates. –Use C4.5 classifier. –Measure classification error before and after suppression. Efficiency and Scalability
18 Data sets Japanese Credit Screening (CRX) –Credit card applications –8 categorical attributes and 2 classes –465 recs. for training and 188 recs. for testing Adult –Census data –8 categorical attributes and 2 classes –30162 recs. for training and recs. for testing –Previously used in Bayardo et al. (2005), Fung et al. (2005), Iyengar (2002), and Wang et al. (2004).
Results on CRX TopN sensitive attributes 1,…, N ; an IC includes the remaining masking attributes M 1,…M m. Base Error (BE) for original data = 15.4% Suppression Error (SE) for suppressed data Removal Error (RE) for removed 1,…, N RE-SE measures benefits of suppression Took at most 2 seconds for each experiment
20 Results on Adult Base Error (BE) for original data = 17.6% Took at most 14 seconds for each experiment.
Scalability Replicate the Adult data set and substitute some random data. A time consuming setting: –1 sensitive attribute –Remaining 7 as masking attributes –h=90%
22 Related Works Iyengar (2002) proposed a genetic algorithm to address the problem of k-anonymity for classification. Bayardo et al. (2005) employed generalization and suppression to address a similar problem. Our work concerns over the output of data mining methods, where the threats are caused by what data mining tools can discover.
23 Related Works Clifton (2000) suggested to eliminate sensitive inferences by limiting the data size. Verykios et al. (2004) proposed several algorithms for hiding association rules in a transaction database with minimal modification to the data. –Hide one rule at a time by either decreasing its support or its confidence –Achieved by removing items from transactions. –Our work considers the use of the data for classification analysis and eliminates all sensitive inferences including those with a low support.
24 Related Works Cox (1980) proposed the k%- dominance rule which suppresses a sensitive cell if the attribute values of two or three entities in the cell contribute more than k% of the corresponding SUM statistic. –Such “cell suppression” suppresses the count or other statistics stored in a cell of a statistical table. –Very different from the “value suppression” considered in our work.
25 Conclusions Formulate a template-based privacy preservation problem. Show that suppression is an effective way to eliminate sensitive inferences. Present an effective algorithm based on a search that iteratively improves the solution. Evaluate this method on real life data sets.
26 References 1.R. Agrawal, T. Imielinski, and A. N. Swami. Mining association rules between sets of items in large datasets. In Proc. of the 1993 ACM SIGMOD, pages , R. J. Bayardo and R. Agrawal. Data privacy through optimal k- anonymization. In Proc. of the 21st IEEE ICDE, pages , C. Clifton. Using sample size to limit exposure to data mining. Journal of Computer Security, 8(4): , C. Clifton, M. Kantarcioglu, J. Vaidya, X. Lin, and M. Y. Zhu. Tools for privacy preserving data mining. SIGKDD Explorations, 4(2), L. H. Cox. Suppression methodology and statistical disclosure control. Journal of the American Statistics Association, Theory and Method Section, 75: , 1980.
27 References 6.A. Evfimievski, R. Srikant, R. Agrawal, and J. Gehrke. Privacy preserving mining of association rules. In Proc. of the 8th ACM SIGKDD, pages , C. Farkas and S. Jajodia. The inference problem: A survey. SIGKDD Explorations, 4(2):6-11, B. C. M. Fung, K. Wang, and P. S. Yu. Top-down specialization for information and privacy preservation. In Proc. of the 21st IEEE ICDE, pages , Tokyo, Japan, S. Hettich and S. D. Bay. The UCI KDD Archive, V. S. Iyengar. Transforming data to satisfy privacy constraints. In Proc. of the 8th ACM SIGKDD, M. Kantarcioglu, J. Jin, and C. Clifton. When do data mining results violate privacy? In Proc. of the 2004 ACM SIGKDD, pages , 2004.
28 References 12.J. Kim and W. Winkler. Masking microdata files. In ASA Proc. of the Section on Survey Research Methods, W. Kloesgen. Knowledge discovery in databases and data privacy. In IEEE Expert Symposium: Knowledge Discovery in Databases, J. R. Quinlan. C4.5: Programs for Machine Learning. Morgan Kaufmann, L. Sweeney. Datafly: A system for providing anonymity in medical data. In Proc. of the 11th International Conference on Database Security, pages , L. Sweeney. Achieving k-anonymity privacy protection using generalization and suppression. International Journal on Uncertainty, Fuzziness, and Knowledge-based Systems, 10(5): , 2002.
29 References 17.V. S. Verykios, A. K. Elmagarmid, E. Bertino, Y. Saygin, and E. Dasseni. Association rule hiding. IEEE TKDE, 16(4): , K. Wang, P. S. Yu, and S. Chakraborty. Bottom-up generalization: a data mining solution to privacy protection. In Proc. of the 4th IEEE ICDM, R. W. Yip and K. N. Levitt. The design and implementation of a data level database inference detection system. In Proc. of the 12th International Working Conference on Database Security XII, pages , 1999.
30 FAQ Q: Inference rules with low supports are insignificant anyway, why do we bother eliminating them? A: Keeping those low-support inferences is a relaxation of our current privacy requirement. In other words, the suppression error will be even lower (better) than our current model. If the user prefers, she may introduce another threshold (minimum support). This will further improve the classification quality.