Post on 23-Feb-2016
description
1
Memorization Property
Definition Single-Issuer Historical Attacks
Query Tracking Attack Maximum Movement Boundary Attack
Multiple-Issuers Historical Attacks Notion of Historical k-Anonymity
2
Memorization PropertyDefinition
k-anonymity property: the spatial cloaking algorithm generates a cloaked area that cover k different users, including the real issuer.
PrivacyMiddleware
r
D E
B
AC
r’
Service Provider
Cloaked area contains k users
IssuerA
3
Memorization PropertyDefinition
k users in the cloaked area are easy to move to different places.Attacker which knowledge of exact location of users, has chance to infer the real issuer from the anonymity set.
D E
B
AC RISK !
4
Memorization PropertyDefinition
memorization property: the spatial cloaking algorithm memorizes the movement history of each user and utilize this information when building cloaked area.
D E
B
AC
Spatial Cloaking Algorithm Processor
movement patterns
cloaked region
5
Memorization PropertyDefinition
Lacking of memorization property the issuer may suffer from the following attacks:
Single-Issuer Historical Attacks: attacker consumes historical movement of single issuer Query Tracking Attack Maximum Movement Boundary Attack
Multiple-Issuers Historical Attacks: attacker use multiple users historical movement Notion of Historical k-Anonymity
6
Memorization PropertyQuery Tracking Attack
Case description: User query is requested
multiple times at ti, ti+1, etc.
Attacker knows exact location of each user.
Attack description: Attacker reveal real issuer by
intersecting the candidate-sets between the query instances
D E
BI
J
A
F
H
K
G
C
At time ti {A,B,C,D,E}
At time ti+1{A,B,F,G,H}
At time ti+2 {A,F,G,H,I}Reveal A
7
Memorization PropertyQuery Tracking Attack
Possible instant solution: Delay request until the cloaked until most of the candidate return
Make new cloaked area, consuming users location history. Etc.
D E
BIA
F
HG
C
At time ti
D
EBIA
F
HG
CAt time ti +k
Risky Delay
D
E
BIAFH
G
C
At time ti+k+m
Safe Forward
8
Memorization PropertyMaximum Movement Boundary Attack
Case description: Consider the movement rate
(speed) of users. Attacker knows exact
location and speed of each user.
Attack description: Attacker limit the real issuer
into the overlap area
Ri
Ri+1
I know you are here!
movement bound area
9
Memorization PropertyMaximum Movement Boundary Attack
Solution must satisfy one of the three cases:
Ri
Ri+1
① The overlapping area satisfies user requirements
Ri
Ri+1
② Ri totally covers Ri+1
Ri
Ri+1
③ The MBB of Ri totally covers Ri+1
9 Possible solutions are Patching and Delaying
10
Memorization PropertyMaximum Movement Boundary Attack
Patching: Combine the current cloaked spatial region with the previous one
Delaying: Postpone the update until the MMB covers the current cloaked spatial region
Ri
Ri+1
Ri
Ri+1
10
11
Memorization PropertyHistorical k-Anonymity
11
If attacker also considers users frequent movement patterns, he has more chance to differ the real issuer with other candidates.
12
Memorization PropertyHistorical k-Anonymity Terminology
12
Quasi-identifier (QID): set of attributes which can be used to identify an individual.
Location-Based QIDs (LBQIDs): Spatio-temporal movement patterns consisting of
Set of elements: <Area, Timestamp> and A recurrence formula: rec1.G1, …, recn.Gn,
Depict frequent user movement patterns <Home, 8am>, <Park, 8:30am>, <Work, 9am>, 1.day, 5.week
Personal History Locations (PHL): Sequence of element (x, y, t) that indicate the location (x, y) of a user U at
time t.
13
Memorization PropertyHistorical k-Anonymity Terminology
13
…
Historical k-anonymity: A set of request R of user U is historical k-anonymity if
there exist k-1 PHLs P1, …, Pk-1for k-1 users other than U, such that each Pi is LS-consistent with R.
14
Memorization PropertyHistorical k-Anonymity Terminology
14
Request: A tuple R = (x, y, t, S), S is service-specific data.
Element matching: User request Ri = (x, y, t, S) matches an element E of an LBQID if Ǝ
(x, y) ϵ E.coord and t ϵ E.timestamp R = (park, 8 :30am) … <Park, 8:30 am>, …
E Request LBQID matching:
A set of user requests R match his/her LBQID iff: Each request matches an element E and All requests satisfy the recurrence formula.
15
Memorization PropertyHistorical k-Anonymity Terminology
15
LT-consistency: A PHL is Location and Time consistent with a set of request R if: Each request ri exists an element in the PHL or Request was sent at a time/location that can be extracted
from consecutive elements of PHL.
When a user U sends a set of request R, (historical) k-anonymity is preserved if at least k-1 user, other than U, have PHLs that are LT-consistent with R.
16
Memorization PropertyHistorical k-Anonymity Algorithm
16
17
Memorization PropertyHistorical k-Anonymity Algorithm
17
18
Memorization PropertyHistorical k-Anonymity Algorithm
18
Input: The ST information (x, y, t) of the request R. The desired level of anonymity (k). The spatial and temporal constraints.
Output: The generalized 3D area. A boolean value b to denote success/failure. A list N of the k-1 neighbors (after execution of the first-element
matching phrase)
19
Memorization PropertyHistorical k-Anonymity Algorithm
19
Problems to considers: LTS has to generate each request when it is issued
without knowledge of future locations and future request of users.
The longer PHL traces require, the more computational costs.
Our approach: PHLs of user are predefined (testing only), not updated
at real time. Only consider short PHL trace.
20
Memorization PropertySummary & Work Flow
20
Memorization is the 2nd property we consider. Memorization property checking is after
Reciprocity property checking. Memorization property checking covers 3 phases:
Check Maximum Movement Boundary Attack. Check Query Tracking Attack. Check Frequent Pattern Attack.
21
Memorization PropertySummary & Work Flow
21
Memorization is the 2nd property we consider.
Memorization property checking is after Reciprocity property checking.
Memorization property checking initially covers 3 phases: P1: Check Maximum Movement Boundary Attack. P2: Check Query Tracking Attack. P3: Check Frequent Pattern Attack. If the request is failed in any phase, the algorithm stops and
report the result to the next property checking.