1 Location Privacy Protection based on Differential Privacy Strategy for Big Data in Industrial Internet-of-Things
Published in: IEEE Transactions on Industrial Informatics
Presented by Henrique Potter

2 Overview
Privacy risks in IoT
Privacy protection techniques: k-anonymity, Differential Privacy
How to protect

3 Privacy risks in IoT
General opening on IoT infrastructure: it is supposed to make device deployment and application integration fairly easy. This is IoT. Easiness to

5 Privacy risks in IoT
Unauthorized access to private data: data stored in remote storage, and data on personal devices
Inference of information from device/user profiling, messaging patterns and public data, using statistical and machine learning techniques

7 Privacy risks in IoT: privacy leaks from the Netflix Prize competition
The competition started in 2006. Netflix released 100M ratings of 480K users over 18K movies and claimed the data was anonymized, so that all users were safe.
96% of users could be uniquely identified by crossing the data against IMDb data (Narayanan & Shmatikov 2006).

8 Privacy risks in IoT: how to protect privacy
Against unauthorized access to private data
Against inference from device/user profiling, messaging patterns and public data

11 Differential Privacy
Developed by Cynthia Dwork in 2006
A formal definition of privacy that offers a framework for developing privacy solutions
Constrained to aggregate data analysis: averages, profiling techniques, machine learning models, etc.
Defined over adjacent databases (D and D' differing in one record)
Assumes that the attacker has maximum auxiliary information about the target
The older goal, that anything you can learn from the database should also be learnable from auxiliary information alone, is unachievable for any useful database. DP instead limits the harm a public database can add: what is leaked must be (almost) the same whether or not any given individual's record is in the database.

14 Differential Privacy - Scenario Example
Database used to compute the average income of residents
Suppose you knew that Bob is going to move
Execute the algorithm A to compute the average before and after he moves:
D = database state with Bob's record
D' = database state without Bob's record

20 Differential Privacy
A adds random noise to its answer, so that D is indistinguishable from D' up to a factor of $e^{\varepsilon}$:
$$\Pr[A(D) \in S] \le \exp(\varepsilon) \cdot \Pr[A(D') \in S]$$
The algorithm A is some query being performed against the database D, and S is any set of outputs.
Dwork chose the exponential form so that the guarantee composes over repeated queries: the privacy losses add up in $\varepsilon$ (k queries that are each $\varepsilon$-DP are together $k\varepsilon$-DP). Rearranged:
$$\frac{\Pr[A(D) \in S]}{\Pr[A(D') \in S]} \le \exp(\varepsilon), \qquad \ln \frac{\Pr[A(D) \in S]}{\Pr[A(D') \in S]} \le \varepsilon$$

27 Differential Privacy
For D and D' that differ in at most one element (sample), look at the ratio of the probabilities of the outputs A(D) and A(D'): that ratio is what $\varepsilon$-differential privacy bounds.
Without noise, A(D) = $y_1$ and A(D') = $y_2$, and an attacker who sees the output can tell which database it came from.
Add random noise n: A(D) = $y_1 + n$, A(D') = $y_2 + n$. The noise must have unbounded support (the Laplace distribution of the theorem on slide 39; uniform noise on a bounded interval cannot work, because an output that is possible under D but impossible under D' makes the ratio infinite). Each output then has a range of possible values, and the output distributions of A(D) and A(D') overlap so that both are $\varepsilon$-differentially private views of the data.

35 Differential Privacy
For all choices of D, D' and S an attacker could make, he can't tell the difference between D and D':
$$\left| \ln \frac{\Pr[A(D) \in S]}{\Pr[A(D') \in S]} \right| \le \varepsilon$$
The smaller $\varepsilon$ gets, the less reliable the aggregate information becomes (more noise, more privacy).
The bigger $\varepsilon$ gets, the more reliable the aggregate information becomes, and the less privacy you have.

37 Differential Privacy: how to choose an acceptable $\varepsilon$?
Depends on the application
The baseline depends on the sensitivity of the query function

38 Differential Privacy - Sensitivity
The sensitivity $\Delta f$ captures the maximum variation in the output of the query f over adjacent databases, i.e. when the record with the most "impact" is the one that differs between D and D':
$$\Delta f = \max_{D, D'} \| f(D) - f(D') \|$$
(f is the query before noise is added; A is the noisy algorithm built from it.)

39 Differential Privacy - Theorem
If you add random Laplace noise with scale ("width") $\lambda = \Delta f / \varepsilon$ to the output of a function f(D), the result "enjoys $\varepsilon$-differential privacy":
$$A(D) = f(D) + \mathrm{Lap}\!\left(\frac{\Delta f}{\varepsilon}\right)$$

41 Differential Privacy - Mechanisms
Laplace mechanism: add Laplace noise whose scale grows with the sensitivity ($\lambda = \Delta f / \varepsilon$), so the noise is large enough to hide any single record's contribution
Exponential mechanism: randomly selects elements to participate in the aggregate analysis, with probability weighted by a scoring function

42 LPT-DP-K Algorithm
Designed for location data
Adds noise in proportion to the most frequently visited locations
Can't add noise to all the data, since the records define the position of something

43 Location privacy tree
Each node holds: Number, Location Information, Accessing count


48 Weighted Selection
Select K records at random, weighted by their accessing frequency, using the exponential mechanism (example with $k = 3$)

50 Noise Enhancement based on Laplace
Adds noise to the K selected records: each selected count y becomes $y + n$, with n the random Laplace noise

51 Measuring the utility
True Positive (TP): patterns present in both databases, the original D and the noisy D'
False Positive (FP): patterns that are unique to D'
Accuracy: the ratio between what is unique in D' and the total of D'
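As an added example, not the paper's or the presenter's code, slides 42 through 51 as one runnable Python pipeline: a location privacy tree built from constructed check-in trajectories (a stand-in for Gowalla), exponential-mechanism selection of K patterns weighted by accessing count, Laplace noise on the K selected counts, and the TP/FP utility measure. The tree layout (a prefix tree over each user's sequence of locations, with a node's count being the number of trajectories through it), the split of the privacy budget between selection and noise, the sensitivity of 1 per count, and the accuracy ratio (TP over the number of noisy patterns) are assumptions, since the transcript does not specify them.

```python
import math
import random

# Constructed check-in trajectories (stand-in for Gowalla): user -> ordered locations.
TRAJECTORIES = [
    ("u1", ["A", "B", "C"]),
    ("u2", ["A", "B"]),
    ("u3", ["A", "B", "C"]),
    ("u4", ["D"]),
    ("u5", ["A", "D"]),
]


class Node:
    """Location privacy tree node: location information plus its accessing count."""
    def __init__(self, location):
        self.location = location
        self.count = 0
        self.children = {}


def build_location_tree(trajectories):
    """Assumed LPT layout: prefix tree over trajectories; a node's count is the number
    of trajectories that pass through that location sequence."""
    root = Node(None)
    for _, path in trajectories:
        node = root
        for loc in path:
            node = node.children.setdefault(loc, Node(loc))
            node.count += 1
    return root


def patterns(root):
    """Flatten the tree into {location pattern (tuple from the root): accessing count}."""
    out = {}

    def walk(node, prefix):
        for loc, child in node.children.items():
            pattern = prefix + (loc,)
            out[pattern] = child.count
            walk(child, pattern)

    walk(root, ())
    return out


def selection_probabilities(scores, epsilon, sensitivity):
    """Exponential mechanism: w_i = exp(eps * M(a_i) / (2 * Delta M)), normalised.
    With M = accessing count, one trajectory changes any count by at most 1: Delta M = 1."""
    weights = {a: math.exp(epsilon * m / (2.0 * sensitivity)) for a, m in scores.items()}
    total = sum(weights.values())
    return {a: w / total for a, w in weights.items()}


def exponential_select(scores, k, epsilon, sensitivity, rng):
    """Draw k distinct patterns without replacement; each draw spends epsilon / k."""
    remaining, chosen = dict(scores), []
    for _ in range(min(k, len(remaining))):
        probs = selection_probabilities(remaining, epsilon / k, sensitivity)
        pick = rng.choices(list(probs), weights=list(probs.values()), k=1)[0]
        chosen.append(pick)
        del remaining[pick]
    return chosen


def laplace_sample(scale, rng):
    """Draw one Lap(0, scale) value by inverse-CDF sampling (stdlib only)."""
    u = 0.0
    while u <= 0.0:  # skip the exact 0 to avoid log(0)
        u = rng.random()
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def lpt_dp_k(trajectories, k, epsilon, seed=0):
    """Build the tree, pick K frequently accessed patterns with the exponential
    mechanism, then add Laplace noise to the K selected counts.  Budget split in
    half between selection and noise (assumption).  Returns (true counts, noisy K)."""
    rng = random.Random(seed)
    counts = patterns(build_location_tree(trajectories))
    eps_select, eps_noise = epsilon / 2.0, epsilon / 2.0
    chosen = exponential_select(counts, k, eps_select, sensitivity=1.0, rng=rng)
    # Delta f = 1 per count, scale Delta f / eps_noise; clamp at 0 since a count cannot be negative.
    noisy = {p: max(0.0, counts[p] + laplace_sample(1.0 / eps_noise, rng)) for p in chosen}
    return counts, noisy


def top_k(counts, k):
    """The K most accessed patterns of the original data, for the utility comparison."""
    return [p for p, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def utility(original_patterns, noisy_patterns):
    """TP = patterns in both D and noisy D'; FP = patterns unique to D';
    accuracy taken as TP over the number of noisy patterns (assumption)."""
    original, noisy = set(original_patterns), set(noisy_patterns)
    tp, fp = len(original & noisy), len(noisy - original)
    return tp, fp, (tp / len(noisy) if noisy else 0.0)


if __name__ == "__main__":
    counts, noisy = lpt_dp_k(TRAJECTORIES, k=3, epsilon=1.0, seed=42)
    print("original:", counts)
    print("released:", noisy)
    print("TP, FP, accuracy:", utility(top_k(counts, 3), noisy))
```

Two things to watch when adapting this: the selection step is randomised, so the released K patterns differ between runs and are not always the true top K (that randomness is what the exponential mechanism buys privacy with), and the per-count sensitivity of 1 only holds node by node; a single trajectory increments every node on its path, so releasing many node counts at once costs more budget than one.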

53 Experimental Analysis
Check-in data set from the Gowalla data set: a location-based social networking website where users share their locations by checking in

55 Experimental Analysis
Time to build the tree. Why not ms?

56 Experimental Analysis
How privacy scales against K

57 Experimental Analysis
Original patterns against noisy patterns (plot: Original vs. Noisy)

60 Comparing against other techniques
No comparison against other techniques is given in the paper

61 Remarks
This is not IoT: they are just using stored data
The tree grows exponentially in |D|

62 References
Dwork, C.: Differential Privacy: A Survey of Results. In: Agrawal, M., Du, D., Duan, Z., Li, A. (eds.) Theory and Applications of Models of Computation (TAMC 2008), pp. 1–19. Springer, Heidelberg (2008)
Dwork, C.: Differential Privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006)


64 What is K?

65 Differential Privacy - Laplace noise
Probability density function of the Laplace distribution with scale $\lambda$:
$$\Pr(x; \lambda) = \frac{1}{2\lambda} \exp\left(-\frac{|x|}{\lambda}\right)$$
so the probability of a noise value y falls off as $\exp(-|y| / \lambda)$.

66 Differential Privacy - scoring function
Scoring function for the exponential mechanism: the frequency of access of a given pattern $a_i$, $M(A, a_i) = Q(a_i)$. The selection weight of $a_i$ is
$$w_i = \exp\left(\frac{\varepsilon \cdot M(A, a_i)}{2\,\Delta M}\right)$$
(positive exponent, as in the standard exponential mechanism, so that the most frequently accessed patterns are the most likely to be selected).
