MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries. Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos. National University of Singapore and University of Peloponnese, Greece


Page 1

MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries

Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos

National University of Singapore and University of Peloponnese, Greece

Page 2

Location-Based Services

• LBS users: mobile devices with GPS capabilities; NN and range queries
• Location server is NOT trusted (Google Maps, Mapquest, Microsoft Live, etc.)
• Privacy? Anonymity?
• Example query: “Find closest hospital to my present location”

Page 3

Problem Statement

• Hide IP address and username
• But user location may disclose identity: triangulation of device signal, publicly available databases, physical surveillance
• How to preserve query source anonymity, even when exact user locations are known?

Page 4

K-Anonymity [Swe02]

(a) Microdata

Age   ZipCode   Disease
42    25000     Flu
46    35000     AIDS
50    20000     Cancer
54    40000     Gastritis
48    50000     Dyspepsia
56    55000     Bronchitis

(b) Voting Registration List (public)

Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000

Quasi-identifier: Age, ZipCode

[Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.

Page 5

K-Anonymity (cont.)

(a) 2-anonymous microdata

Age     ZipCode       Disease
42-46   25000-35000   Flu
42-46   25000-35000   AIDS
50-54   20000-40000   Cancer
50-54   20000-40000   Gastritis
48-56   50000-55000   Dyspepsia
48-56   50000-55000   Bronchitis

(b) Voting Registration List (public)

Name   Age   ZipCode
Andy   42    25000
Bill   46    35000
Ken    50    20000
Nash   54    40000
Mike   48    50000
Sam    56    55000
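A worked check of the linking attack these two slides illustrate, added here as an example (not code from the slides): it joins the slide-4 microdata with the public voter list on the quasi-identifier (Age, ZipCode) and shows that the raw table pins each disease to one name, while the 2-anonymous table of slide 5 leaves two candidates per row. Building the ranges by grouping rows in the order given is our assumption.

```python
from collections import defaultdict

# Slide 4 (a): microdata as (Age, ZipCode, Disease)
MICRODATA = [(42, 25000, "Flu"), (46, 35000, "AIDS"), (50, 20000, "Cancer"),
             (54, 40000, "Gastritis"), (48, 50000, "Dyspepsia"),
             (56, 55000, "Bronchitis")]
# Slide 4 (b): public voter list as (Name, Age, ZipCode)
VOTERS = [("Andy", 42, 25000), ("Bill", 46, 35000), ("Ken", 50, 20000),
          ("Nash", 54, 40000), ("Mike", 48, 50000), ("Sam", 56, 55000)]

def generalize(rows, k):
    """Widen the quasi-identifier (Age, ZipCode) to the min-max range of each
    group of K rows, taking the rows K at a time in the order given.
    Assumption: that row-order grouping is how slide 5 was built; k=1 keeps
    the original table (each range is a single value)."""
    out = []
    for i in range(0, len(rows), k):
        grp = rows[i:i + k]
        age = (min(r[0] for r in grp), max(r[0] for r in grp))
        zipc = (min(r[1] for r in grp), max(r[1] for r in grp))
        out.extend((age, zipc, r[2]) for r in grp)
    return out

def link(anon_rows, voters):
    """Linking attack: for each anonymised row, the voters whose Age and
    ZipCode fall inside its ranges, i.e. the candidates for that disease."""
    result = []
    for (alo, ahi), (zlo, zhi), disease in anon_rows:
        names = [n for n, a, z in voters if alo <= a <= ahi and zlo <= z <= zhi]
        result.append((disease, names))
    return result

def is_k_anonymous(anon_rows, k):
    """True iff every (Age range, ZipCode range) combination occurs >= K times."""
    counts = defaultdict(int)
    for age, zipc, _ in anon_rows:
        counts[(age, zipc)] += 1
    return min(counts.values()) >= k

if __name__ == "__main__":
    for k in (1, 2):
        table = generalize(MICRODATA, k)
        print(f"k={k}: 2-anonymous={is_k_anonymous(table, 2)}", link(table, VOTERS))
```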

Page 6

Anonymizing Spatial Region (ASR)

• Identification probability ≤ 1/K

Page 7

Centralized Anonymizer

• Intermediate tier between users and LBS
• Bottleneck and single point of attack/failure

Page 8

MobiHide – Fully Distributed

Page 9

Existing Work: CloakP2P [Chow06]

• Find K-1 NN of query source
• Source likely to be closest to ASR center
• Vulnerable to “center-of-ASR” attack

[Figure: query source u_q inside a 5-ASR] NOT SECURE !!!

[Chow06] – Chow et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06

Page 10

Existing Work: PRIVE [GKS07]

A_q has the reciprocity property iff:
  i.  |AS| ≥ K
  ii. ∀ u_i, u_j ∈ AS: u_i ∈ AS_j ∧ u_j ∈ AS_i

[GKS07] – PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW ‘07

Page 11

PRIVE (cont.)

• Based on Hilbert space-filling curve
• Index users by Hilbert value of location
• Partition Hilbert sequence into “K-buckets”

Page 12

PRIVE (cont.)

• Based on Hilbert space-filling curve
• Index users by Hilbert value of location
• Partition Hilbert sequence into “K-buckets”

[Figure: users ordered by Hilbert value from Start to End, cut into K-buckets]
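An added example, not code from the slides or from PRIVÉ: it computes Hilbert values for a constructed set of users on a 4x4 grid, cuts the sorted sequence into K-buckets as slides 11-12 describe, and checks the reciprocity property of slide 10 on the resulting anonymizing sets. Merging a short final bucket into the previous one is our assumption.

```python
from itertools import combinations
from typing import Dict, List, Tuple

def hilbert_index(n: int, x: int, y: int) -> int:
    """Hilbert value of cell (x, y) on an n x n grid, n a power of two."""
    d, s = 0, n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                      # flip/rotate the quadrant so the
            if rx == 1:                  # curve stays continuous
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d

def k_buckets(users: Dict[str, Tuple[int, int]], n: int, k: int) -> List[List[str]]:
    """Sort users along the Hilbert curve and cut the sequence into groups of K.
    Assumption: a final remainder shorter than K is merged into the previous bucket."""
    order = sorted(users, key=lambda u: hilbert_index(n, *users[u]))
    buckets = [order[i:i + k] for i in range(0, len(order), k)]
    if len(buckets) > 1 and len(buckets[-1]) < k:
        buckets[-2].extend(buckets.pop())
    return buckets

def is_reciprocal(buckets: List[List[str]], k: int) -> bool:
    """Slide 10: every AS has |AS| >= K and all its pairs are mutual members."""
    anon_set = {u: set(b) for b in buckets for u in b}   # AS_i of each user u_i
    for b in buckets:
        if len(b) < k:
            return False
        for ui, uj in combinations(b, 2):
            if ui not in anon_set[uj] or uj not in anon_set[ui]:
                return False
    return True

# Constructed sample: 7 users on a 4x4 grid, K = 3
USERS = {"u1": (0, 0), "u2": (1, 0), "u3": (1, 1), "u4": (0, 1),
         "u5": (1, 2), "u6": (3, 3), "u7": (2, 0)}

if __name__ == "__main__":
    groups = k_buckets(USERS, 4, 3)
    print(groups, is_reciprocal(groups, 3))
```

Because the buckets partition the sorted sequence, every user in a bucket gets the same anonymizing set, which is exactly why the result is reciprocal.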

Page 13

PRIVÉ Hierarchical Architecture

• But requires “global knowledge”: global rank of query source required
• PRIVÉ employs an annotated tree index

Page 14

Motivation

[Figure: PRIVE, CloakP2P and MobiHide placed on two axes, “More secure” and “Faster”]

Page 15

MobiHide

• Uses Hilbert transformation
• Key idea: remove the need for global knowledge; allow random group formation
• Scalable: DHT infrastructure employed (Chord DHT)

Page 16

MobiHide: Group Formation

[Figure: group formation with anonymity parameter K]

Page 17

MobiHide: Example

Page 18

MobiHide: Privacy

• MobiHide is not reciprocal
• Privacy guarantee for uniform query distribution only
• But offers strong privacy features in practice, even for skewed distribution

Page 19

Correlation Attack (K = 4)

[Figure: ten users arranged on the Hilbert ring, listed in ring order with their Hilbert values]

User    U6   U7   U8   U9   U10  U1   U2   U3   U4   U5
Value   27   33   43   56   58   3    5    10   15   18

• 4-anonymity not achieved
• However: difficult attack in practice
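An added example, not code from the slides or from MobiHide itself, covering the random group formation of slides 15-16 and the correlation attack of slide 19, using that slide's users and Hilbert values. It assumes the source at ring rank r draws a random offset l in [0, K-1] and that its group is the K consecutive ring users starting at rank r - l.

```python
import random
from collections import Counter
from typing import Dict, List, Set

# Slide 19: user -> Hilbert value; sorting by value gives the ring order
HILBERT: Dict[str, int] = {"U1": 3, "U2": 5, "U3": 10, "U4": 15, "U5": 18,
                           "U6": 27, "U7": 33, "U8": 43, "U9": 56, "U10": 58}
RING: List[str] = sorted(HILBERT, key=HILBERT.get)

def form_group(source: str, k: int, offset: int) -> List[str]:
    """K consecutive ring users with `source` at position `offset` (assumed
    MobiHide rule: the group starts `offset` ranks before the source)."""
    if not 0 <= offset < k:
        raise ValueError("offset must be in [0, K-1]")
    start = RING.index(source) - offset
    return [RING[(start + i) % len(RING)] for i in range(k)]

def random_group(source: str, k: int, rng: random.Random) -> List[str]:
    """Random group formation: draw the offset uniformly from [0, K-1]."""
    return form_group(source, k, rng.randrange(k))

def source_position_histogram(source: str, k: int, trials: int, seed: int = 1) -> Counter:
    """Center-of-ASR view: how often the source sits at each group position.
    A uniform spread over K positions means a positional guess wins 1/K."""
    rng = random.Random(seed)
    return Counter(random_group(source, k, rng).index(source) for _ in range(trials))

def correlation_attack(groups: List[List[str]]) -> Set[str]:
    """Correlation attack: intersect the groups observed for one query source;
    fewer than K survivors means K-anonymity was not achieved."""
    candidates = set(groups[0])
    for g in groups[1:]:
        candidates &= set(g)
    return candidates

if __name__ == "__main__":
    print(source_position_histogram("U3", 4, 10_000))
    # two queries from U3 with offsets 0 and 3 leave a single candidate
    print(correlation_attack([form_group("U3", 4, 0), form_group("U3", 4, 3)]))
```

Uniform offsets put the source at each of the K group positions equally often, which is the 1/K bound of slide 6 for a single query; two groups from the same source with offsets 0 and 3 intersect in U3 alone, the 4-anonymity failure the slide depicts.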

Page 20

MobiHide Implementation

• Two-layer Chord DHT
• Each Chord node is a cluster of users
• Bounded cluster size [,3)

Page 21

User Join/Cluster Split

Page 22

Load Balancing & Fault Tolerance

• Load balancing: cluster head rotation mechanism
• Fault tolerance: Chord periodic stabilization protocol; leader election protocol in case of cluster head failure

Page 23

Experimental Setup

• San Francisco Bay Area road network
• Network-based Generator of Moving Objects*
• Up to 10000 users
• Velocities from 18 to 68 km/h
• Uniform and skewed query distribution

* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153–180, 2002.

Page 24

“Center-of-ASR” Attack

Page 25

Correlation Attack

Page 26

ASR Formation Latency

[Figure: response time (sec)]

Page 27

Points to Remember

• LBS privacy is an important concern
• Existing solutions are either not secure … or not scalable
• MobiHide: privacy guarantee for uniform query workload; good best-effort privacy for skewed workload; excellent scalability inherited from Chord DHT

Page 28

Bibliography on LBS Privacy

http://anonym.comp.nus.edu.sg

Page 29

Bibliography

[Chow06] – Mokbel et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06

[Gru03] – Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003

[GKS07] – Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 2007

[Mok06] – Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006