Presentation is loading. Please wait.

Presentation is loading. Please wait.

Publishing Microdata with a Robust Privacy Guarantee

Published byAileen Eaton Modified over 9 years ago

Similar presentations

Presentation on theme: "Publishing Microdata with a Robust Privacy Guarantee"— Presentation transcript:

1 Publishing Microdata with a Robust Privacy Guarantee
Jianneng Cao, National University of Singapore, now at I2R Panagiotis Karras, Rutgers University

2 Background: QI & SA Table 1. Microdata about patients Table 2. Voter registration list Quasi-identifier (QI): Non-sensitive attribute set like {Age, Sex, Zipcode}, linkable to external data to re-identify individuals Sensitive attribute (SA): Sensitive attribute like Disease, undesirable to be linked to an individual

3 Background: EC & information loss
Table 3. Anonymized data in Table 1 Equivalence class (EC): A group of records with the same QI values QI space 25 28 Female Male 53711 53712 Age Zipcode Sex EC 2 An EC Minimum bounding box (MBR) Smaller MBR; less distortion

4 Background: k-anonymity & l-diversity
Table 3. Anonymized data in Table 1 Equivalence class (EC): A group of records with the same QI values k-anonymity: An EC should contain at least k tuples Table 3 is 3-anonymous Prone to homogeneity attack l-diversity: … at least l “well represented” SA values

5 Background: limitations of l-diversity
(High diversity!) Table 4. A 3-diverse table l-diversity does not consider unavoidable background knowledge: SA distribution in whole table

6 Background: t-closenesss and EMD
t-closeness (the most recent privacy model) [1] : SA = {v1, v2, …, vm} P=(p1, p2, …, pm): SA distribution in the whole table Prior knowledge Q=(q1, q2, …, qm): SA distribution in an EC Posterior knowledge Distance (P, Q) ≤ t Information gain after seeing an EC Earth Mover’s Distance (EMD): P, set of “holes” Q, piles of “earth” EMD is the minimum work to fill P by Q [1] Li et al. t-closeness: Privacy beyond k-anonymity and l-diversity. ICDE, 2007

7 Limitations of t-closeness
Relative individual distances between pj and qj are not clear. t-closeness cannot translate t into clear privacy guarantee

8 t-closeness instantiation, EMD [1]
Case 1: Case 2: By EMD, both cases assume the same privacy However [1] Li et al. t-closeness: Privacy beyond k-anonymity and l-diversity. ICDE, 2007.

9 β-likeness qi ≤ pi Lowers correlation between a person and pi
Privacy enhanced We focus on qi > pi

10 Distance function Attempt 3: Attempt 2: Attempt 1:

11 An observation 0-likeness: 1 EC with all tuples 1-likeness: 2 ECs
Low information quality 1-likeness: 2 ECs Higher information quality Higher privacy loss for β ≥ 1

12 BUREL Step 1: Bucketization Step 2: Reallocation Step 3: Populate ECs
β = 2 3/19 +3/19<f(3/19)≈0.45 B1 2 SARS 3 Pneumonia B2 3 Bronchitis 3 Hepatitis B3 x1 x2 x3 4 Gastric ulcer 4 Intestinal cancer 2/19 +3/19<f(2/19)≈0.31 4/19 +4/19<f(4/19)≈0.54 Tuples drawn proportionally to bucket sizes Step 1: Bucketization Step 2: Reallocation Determines # of tuples each EC gets from each bucket in top-down splitting process approximately obeying proportionality; terminates when eligibility violated Step 3: Populate ECs Process guided by information loss considerations Build partition satisfying this condition by DP

13 More material in paper Perturbation-based scheme.
Arguments about resistance to attacks.

14 Summary of experiments
CENSUS data set: Real, 500,000 tuples, 5 QI attributes, 1 SA SABRE & tMondrian [1]: Under same t-closeness (info loss) BUREL: higher privacy in terms of β-likeness Benchmarks Extended from [2] BUREL: best info quality & fastest [1] Li et al. Closeness: A new privacy measure for data publishing. TKDE, 2010 [2] LeFevre et al. Mondrian Multidimensional K-Anonymity. ICDE 2006

15 (a) Given β and dataset DB (b) Given t and DB
Figure. Comparison to t-closeness (c) Given AIL (average information loss) and DB All schemes have same AIL Comparison in terms of β-likeness (a) Given β and dataset DB BUREL(DB, β)=DBβ, following tβ-closeness All schemes are tβ-closeness Comparison in terms of β-likeness (b) Given t and DB BUREL finds βt by binary search BUREL(DB, βt) follows t-closeness All schemes are t-closeness Comparison in terms of β-likeness

16 LMondrian: extension of Mondrian for β-likeness
DMondrian: extension of δ-disclosure to support β-likeness BUREL clearly outperforms the others

17 Conclusion Robust model for microdata anonymization.
Comprehensible privacy guarantee. Can withstand attacks proposed in previous research.

18 Thank you! Questions?

19 t-closeness instantiation, KL/JS-divergence
Case 1: Case 2: Case 2: (0.0038) Case 1: (0.0073) Privacy: Case 2 is higher than Case 1 But [1] D. Rebollo-Monedero et al. From t-closeness-like privacy to postrandomization via information theory. TKDE 2010. [2] N. Li et al. Closeness: A new privacy measure for data publishing. TKDE 2010.

20 δ-disclosure [1] Clear privacy guarantee defined on individual SA values But: [1] J. Brickell et al. The cost of privacy: destruction of data-mining utility in anonymized data publishing. In KDD, 2008.

Download ppt "Publishing Microdata with a Robust Privacy Guarantee"

Similar presentations

CLOSENESS: A NEW PRIVACY MEASURE FOR DATA PUBLISHING

CLOSENESS: A NEW PRIVACY MEASURE FOR DATA PUBLISHING
Authors: Jianneng Cao, Panagiotis Karras, Panos Kalnis, Kian-Lee Tan

Authors: Jianneng Cao, Panagiotis Karras, Panos Kalnis, Kian-Lee Tan
Simulatability “The enemy knows the system”, Claude Shannon CompSci 590.03 Instructor: Ashwin Machanavajjhala 1Lecture 6 : 590.03 Fall 12.

Simulatability “The enemy knows the system”, Claude Shannon CompSci Instructor: Ashwin Machanavajjhala 1Lecture 6 : Fall 12.
M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.

M-Invariance: Towards Privacy Preserving Re-publication of Dynamic Datasets by Tyrone Cadenhead.
Privacy-Preserving Data Publishing Donghui Zhang Northeastern University Acknowledgement: some slides come from Yufei Tao and Dimitris Sacharidis.

Privacy-Preserving Data Publishing Donghui Zhang Northeastern University Acknowledgement: some slides come from Yufei Tao and Dimitris Sacharidis.
Data Anonymization - Generalization Algorithms Li Xiong CS573 Data Privacy and Anonymity.

Data Anonymization - Generalization Algorithms Li Xiong CS573 Data Privacy and Anonymity.
Anonymizing Healthcare Data: A Case Study on the Blood Transfusion Service Benjamin C.M. Fung Concordia University Montreal, QC, Canada

Anonymizing Healthcare Data: A Case Study on the Blood Transfusion Service Benjamin C.M. Fung Concordia University Montreal, QC, Canada
Personalized Privacy Preservation Xiaokui Xiao, Yufei Tao City University of Hong Kong.

Personalized Privacy Preservation Xiaokui Xiao, Yufei Tao City University of Hong Kong.
1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, 2013 © Ravi Sandhu.

1 Privacy in Microdata Release Prof. Ravi Sandhu Executive Director and Endowed Chair March 22, © Ravi Sandhu.
Anatomy: Simple and Effective Privacy Preservation Xiaokui Xiao, Yufei Tao Chinese University of Hong Kong.

Anatomy: Simple and Effective Privacy Preservation Xiaokui Xiao, Yufei Tao Chinese University of Hong Kong.
Fast Data Anonymization with Low Information Loss 1 National University of Singapore 2 Hong Kong University

Fast Data Anonymization with Low Information Loss 1 National University of Singapore 2 Hong Kong University
Privacy Preserving Data Publication Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong.

Privacy Preserving Data Publication Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong.
Privacy-MaxEnt: Integrating Background Knowledge in Privacy Quantification Wenliang (Kevin) Du, Zhouxuan Teng, and Zutao Zhu. Department of Electrical.

Privacy-MaxEnt: Integrating Background Knowledge in Privacy Quantification Wenliang (Kevin) Du, Zhouxuan Teng, and Zutao Zhu. Department of Electrical.
Probabilistic Inference Protection on Anonymized Data

Probabilistic Inference Protection on Anonymized Data
Privacy Preserving Serial Data Publishing By Role Composition Yingyi Bu 1, Ada Wai-Chee Fu 1, Raymond Chi-Wing Wong 2, Lei Chen 2, Jiuyong Li 3 The Chinese.

Privacy Preserving Serial Data Publishing By Role Composition Yingyi Bu 1, Ada Wai-Chee Fu 1, Raymond Chi-Wing Wong 2, Lei Chen 2, Jiuyong Li 3 The Chinese.
1 On the Anonymization of Sparse High-Dimensional Data 1 National University of Singapore 2 Chinese University of Hong.

1 On the Anonymization of Sparse High-Dimensional Data 1 National University of Singapore 2 Chinese University of Hong.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
Malicious parties may employ (a) structure-based or (b) label-based attacks to re-identify users and thus learn sensitive information about their rating.

Malicious parties may employ (a) structure-based or (b) label-based attacks to re-identify users and thus learn sensitive information about their rating.
L-Diversity: Privacy Beyond K-Anonymity

L-Diversity: Privacy Beyond K-Anonymity
PRIVACY CRITERIA. Roadmap Privacy in Data mining Mobile privacy (k-e) – anonymity (c-k) – safety Privacy skyline.

PRIVACY CRITERIA. Roadmap Privacy in Data mining Mobile privacy (k-e) – anonymity (c-k) – safety Privacy skyline.

Similar presentations

Ads by Google