Presentation is loading. Please wait.

Presentation is loading. Please wait.

TELE3119: Trusted Networks Week 4

Published byYngve Sørensen Modified over 5 years ago

Similar presentations

Presentation on theme: "TELE3119: Trusted Networks Week 4"— Presentation transcript:

1 TELE3119: Trusted Networks Week 4
Course Coordinator: Prof. Aruna Seneviratne, Room EE 312 Course web-page:

2 Basic View of Cryptography
Access & Availability Confidentiality Integrity Authentication Cryptography Symmetric Asymmetric Applications Stream Ciphers Block Ciphers Trusted Networks

3 Privacy cont. Protection of individual data subjects from identification Consider a database as made up from a number of rows representing a single, unique individual, with columns showing attributes Counts, averages, histogram queries, etc. All databases are not like this, but it’s useful for mechanism design and gives sufficient generality Two application scenarios Querying the data (Differential Privacy) Releasing data (k-anonymity, l-diversity, ….) Releasing Data First thought: anonymize the data

4 Model How? Is this enough? Problems arise with quasi-identifiers
Remove “personally identifying information” (PII) Name, Social Security number, phone number, , address… what else? Anything that identifies the person directly Is this enough? Problems arise with quasi-identifiers Combinations of record values that uniquely identify individuals These can be difficult to specify or even detect Exacerbated by the fact that data from external sources may combine with the database to form a quasi-identifier

5 Re-identification by Linking
Microdata Voter registration data ID Name Alice Betty Charles David Emily Fred QID SA Zipcode Age Sex Disease 47677 29 F Ovarian Cancer 47602 22 47678 27 M Prostate Cancer 47905 43 Flu 47909 52 Heart Disease 47906 47 Name Zipcode Age Sex Alice 47677 29 F Bob 47983 65 M Carol 22 Dan 47532 23 Ellen 46789 43

6 Latanya Sweeney’s Attack (1997)
Massachusetts hospital discharge dataset Public voter dataset

7 K-anonymity One of the most well-known anonymizing mechanisms applied to data is k-anonymity Each unique set of records in a database should be combined with (1 - k) other records in the database Any given record therefore describes at least k people The probability that you are identified by that record is 1/k

8 Classification of Attributes
Sensitive attributes Medical records, salaries, etc. These attributes is what the researchers need, so they are always released directly Key Attribute Quasi-identifier Sensitive attribute Name DOB Gender Zipcode Disease Andre 1/21/76 Male 53715 Heart Disease Beth 4/13/86 Female Hepatitis Carol 2/28/76 53703 Brochitis Dan Broken Arm Ellen 53706 Flu Eric Hang Nail

9 K-Anonymity: Intuition
The information for each person contained in the released table cannot be distinguished from at least (k-1) individuals whose information also appears in the release Example: you try to identify a man in the released table, but the only information you have is his birth date and gender. There are k men in the table with the same birth date and gender Any quasi-identifier present in the released table must appear in at least k records

10 K-Anonymity Protection Model
Private table Released table: RT Attributes: A1, A2, …, An Quasi-identifier subset: Ai, …, Aj

11 Generalization Goal of k-Anonymity
Each record is indistinguishable from at least (k-1) other records These k records form an equivalence class Generalization: replace quasi-identifiers with less specific, but semantically consistent values 476** 47677 47678 47602 2* 29 27 22 Male Female * ZIP code Age Sex

12 Achieving k-Anonymity
Generalization Replace specific quasi-identifiers with less specific values until get k identical values Partition ordered-value domains into intervals Suppression When generalization causes too much information loss This is common with “outliers” Lots of algorithms in the literature Aim to produce “useful” anonymizations … usually without any clear notion of utility

13 Example of a k-Anonymous Table

14 Example of Generalization (1)
Released table External data Source Name Birth Gender ZIP Race Andre 1964 m 02135 White Beth f 55410 Black Carol 90210 Dan 1967 02174 Ellen 1968 02237 By linking these 2 tables, you still don’t learn Andre’s problem

15 Example of Generalization (2)
Microdata Generalized table QID SA Zipcode Age Sex Disease 47677 29 F Ovarian Cancer 47602 22 47678 27 M Prostate Cancer 47905 43 Flu 47909 52 Heart Disease 47906 47 QID SA Zipcode Age Sex Disease 476** 2* * Ovarian Cancer Prostate Cancer 4790* [43,52] Flu Heart Disease !! Released table is 3-anonymous If the adversary knows Alice’s quasi-identifier (47677, 29, F), he still does not know which of the first 3 records corresponds to Alice’s record

16 Curse of Dimensionality
Generalization fundamentally relies on spatial locality Each record must have k close neighbors Real-world datasets are very sparse Many attributes (dimensions) Netflix Prize dataset: 17,000 dimensions Amazon customer records: several million dimensions “Nearest neighbor” is very far Projection to low dimensions loses all info  k-anonymized datasets are useless [Aggarwal VLDB ‘05]

17 Limitations of k-Anonymity
Syntactic Focuses on data transformation, not on what can be learned from the anonymized dataset “k-anonymous” dataset can leak sensitive information “Quasi-identifier” fallacy Assumes a priori that attacker will not know certain information about his target Relies on locality Destroys utility of many real-world datasets

18 Beyond k-anonymity k-anonymity gives a basic level of anonymization that prevents an individual being simply re-identified from their published attributes There are, naturally, more subtle issues We may still be able to infer sensitive information about a person, even if we can’t directly identify them

19 Attacks on k-Anonymity
k-Anonymity does not provide privacy if Sensitive values in an equivalence class lack diversity The attacker has background knowledge A 3-anonymous patient table Homogeneity attack Zipcode Age Disease 476** 2* Heart Disease 4790* ≥40 Flu Cancer 3* Bob Zipcode Age 47678 27 Background knowledge attack Carl Zipcode Age 47673 36

20 l-Diversity Sensitive attributes must be “diverse” within each
[Machanavajjhala et al. ICDE ‘06] Caucas 787XX Flu Shingles Acne Asian/AfrAm 78XXX Sensitive attributes must be “diverse” within each quasi-identifier equivalence class

21 Distinct l-Diversity Each equivalence class has at least l well-represented sensitive values Doesn’t prevent probabilistic inference attacks 8 records have HIV 10 records 2 records have other values

22 Other Versions of l-Diversity
Probabilistic l-diversity The frequency of the most frequent value in an equivalence class is bounded by 1/l Entropy l-diversity The entropy of the distribution of sensitive values in each equivalence class is at least log(l) Recursive (c,l)-diversity r1<c(rl+rl+1+…+rm) where ri is the frequency of the ith most frequent value Intuition: the most frequent value does not appear too frequently

23 Neither Necessary, Nor Sufficient
Original dataset Anonymization A Anonymization B Cancer Flu Q1 Flu Cancer Q2 Q1 Flu Cancer Q2 99% cancer  quasi-identifier group is not “diverse” …yet anonymized database does not leak anything 50% cancer  quasi-identifier group is “diverse” This leaks a ton of information 99% have cancer

24 Limitations of l-Diversity
Example: sensitive attribute is HIV+ (1%) or HIV- (99%) Very different degrees of sensitivity! l-diversity is unnecessary 2-diversity is unnecessary for an equivalence class that contains only HIV- records l-diversity is difficult to achieve Suppose there are records in total To have distinct 2-diversity, there can be at most 10000*1%=100 equivalence classes

25 Summary Possible way of providing provable privacy guarantees
Differential Privacy Trusted Networks

Download ppt "TELE3119: Trusted Networks Week 4"

Similar presentations

CLOSENESS: A NEW PRIVACY MEASURE FOR DATA PUBLISHING

CLOSENESS: A NEW PRIVACY MEASURE FOR DATA PUBLISHING
Jeremiah Blocki CMU Ryan Williams IBM Almaden ICALP 2010.

Jeremiah Blocki CMU Ryan Williams IBM Almaden ICALP 2010.
Differentially Private Recommendation Systems Jeremiah Blocki Fall 2009 18739A: Foundations of Security and Privacy.

Differentially Private Recommendation Systems Jeremiah Blocki Fall A: Foundations of Security and Privacy.
Simulatability “The enemy knows the system”, Claude Shannon CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 6 : 590.03 Fall 12.

Simulatability “The enemy knows the system”, Claude Shannon CompSci Instructor: Ashwin Machanavajjhala 1Lecture 6 : Fall 12.
21-1 Last time Database Security  Data Inference  Statistical Inference  Controls against Inference Multilevel Security Databases  Separation  Integrity.

21-1 Last time Database Security  Data Inference  Statistical Inference  Controls against Inference Multilevel Security Databases  Separation  Integrity.
M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.

M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.
The End of Anonymity Vitaly Shmatikov. Tastes and Purchases slide 2.

The End of Anonymity Vitaly Shmatikov. Tastes and Purchases slide 2.
1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, 2013 © Ravi Sandhu.

1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, © Ravi Sandhu.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.

1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 11 April 10, 2013 Information Privacy (Contributed by.
Anatomy: Simple and Effective Privacy Preservation Xiaokui Xiao, Yufei Tao Chinese University of Hong Kong.

Anatomy: Simple and Effective Privacy Preservation Xiaokui Xiao, Yufei Tao Chinese University of Hong Kong.
1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, 2013 © Ravi.

1 Privacy Preserving Data Publishing Prof. Ravi Sandhu Executive Director and Endowed Chair March 29, © Ravi.
UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.

UTEPComputer Science Dept.1 University of Texas at El Paso Privacy in Statistical Databases Dr. Luc Longpré Computer Science Department Spring 2006.
 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.

 Guarantee that EK is safe  Yes because it is stored in and used by hw only  No because it can be obtained if someone has physical access but this can.
Privacy Preserving Serial Data Publishing By Role Composition Yingyi Bu 1, Ada Wai-Chee Fu 1, Raymond Chi-Wing Wong 2, Lei Chen 2, Jiuyong Li 3 The Chinese.

Privacy Preserving Serial Data Publishing By Role Composition Yingyi Bu 1, Ada Wai-Chee Fu 1, Raymond Chi-Wing Wong 2, Lei Chen 2, Jiuyong Li 3 The Chinese.
C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.

C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Data Privacy October 30, 2008.
Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.

Security in Databases. 2 Srini & Nandita (CSE2500)DB Security Outline review of databases reliability & integrity protection of sensitive data protection.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
L-Diversity: Privacy Beyond K-Anonymity

L-Diversity: Privacy Beyond K-Anonymity
Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.

Security in Databases. 2 Outline review of databases reliability & integrity protection of sensitive data protection against inference multi-level security.
k-Anonymity and Other Cluster-Based Methods

k-Anonymity and Other Cluster-Based Methods

Similar presentations

Ads by Google