MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos National University of Singapore and University of Peloponnese, Greece
2 L ocation- B ased S ervices LBS users Mobile devices with GPS capabilities NN and Range Queries Location server is NOT trusted Google Maps, Mapquest, Microsoft Live, etc. Privacy? Anonymity? “Find closest hospital to my present location”
3 Problem Statement Hide IP address and username But user location may disclose identity Triangulation of device signal Publicly available databases Physical surveillance How to preserve query source anonymity? Even when exact user locations are known
4 K-Anonymity [Swe02] AgeZipCodeDisease Flu AIDS Cancer Gastritis Dyspepsia Bronchitis [Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5): , NameAgeZipCode Andy Bill Ken Nash Mike Sam (a) Microdata (b) Voting Registration List (public) Quasi-identifier
5 K-Anonymity (cont.) AgeZipCodeDisease Flu AIDS Cancer Gastritis Dyspepsia Bronchitis (a) 2-anonymous microdata(b) Voting Registration List (public) NameAgeZipCode Andy Bill Ken Nash Mike Sam
6 A nonymizing S patial R egion Identification probability ≤ 1/K
7 Centralized Anonymizer Intermediate tier between users and LBS Bottleneck and single point of attack/failure
8 MobiHide – Fully Distributed
9 Existing Work: CloakP2P [Chow06] Find K-1 NN of query source Source likely to be closest to ASR center Vulnerable to “center-of-ASR” attack [Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location- based Services, ACM GIS ’06 uquq 5-ASR NOT SECURE !!!
10 Existing Work: PRIVE [GKS07] A q has the reciprocity property iff i. |AS| ≥ K ii. u i,u j AS, u i AS j u j AS i [GKS07] – PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW ‘07
11 PRIVE (cont.) Based on Hilbert space-filling curve index users by Hilbert value of location partition Hilbert sequence into “K-buckets”
12 PRIVE (cont.) Based on Hilbert space-filling curve index users by Hilbert value of location partition Hilbert sequence into “K-buckets” StartEnd
13 PRIVÉ Hierarchical Architecture But requires “global knowledge” Global rank of query source required PRIVÉ employs an annotated tree index
14 Motivation PRIVE CloakP2P MobiHide More secure Faster
15 MobiHide Uses Hilbert transformation Key Idea Remove the need for global knowledge Allow random group formation Scalable DHT infrastructure employed Chord DHT
16 MobiHide: Group Formation K
17 MobiHide: Example
18 MobiHide: Privacy MobiHide is not reciprocal Privacy guaranty for uniform query distribution only But offers strong privacy features in practice, even for skewed distribution
19 Correlation Attack (K = 4) U3U3 U2U2 U6U6 U4U4 U5U5 U9U9 U1U1 U8U8 U 10 U7U U6U6 U7U7 U8U8 U9U9 U 10 U1U1 U2U2 U3U3 U4U4 U5U5 4-anonymity not achieved However: Difficult attack in practice
20 MobiHide Implementation Two-layer Chord DHT Each Chord node is a cluster of users Bounded cluster size [,3)
21 User Join/Cluster Split
22 Load Balancing & Fault Tolerance Load Balancing Cluster head rotation mechanism Fault Tolerance Chord Periodic Stabilization Protocol Leader election protocol In case of cluster head failure
23 Experimental Setup San Francisco Bay Area road network Network-based Generator of Moving Objects * Up to users Velocities from 18 to 68 km/h Uniform and skewed query distribution * T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.
24 “Center-of-ASR” Attack
25 Correlation Attack
26 ASR Formation Latency Response Time (sec)
27 Points to Remember LBS Privacy an important concern Existing solutions are either not secure … … or not scalable MobiHide Privacy guaranty for uniform query workload Good best-effort privacy for skewed workload Excellent scalability inherited from Chord DHT
28 Bibliography on LBS Privacy
29 Bibliography [Chow06] – Mokbel et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06 [Gru03] - Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003 [GKS07] – Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anony- mous Location-based Queries in Distributed Mobile Systems, WWW 2007 [Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006