The New Casper: Query Processing for Location Services without Compromising Privacy
Mohamed F. Mokbel, University of Minnesota
Chi-Yin Chow, University of Minnesota
Walid G. Aref, Purdue University
VLDB 2006
Major Privacy Threats
“New technologies can pinpoint your location at any time and place. They promise safety and convenience but threaten privacy and security”
Cover story, IEEE Spectrum, July 2003
YOU ARE TRACKED…!!!!
WHY location-detection devices?
(Figure: a Location-based Database Server serving location-based store finders, location-based traffic reports and location-based advertisements.)
With all its privacy threats, why do users still use location-detection devices?
Widespread use of location-based services
Location-based services rely on the implicit assumption that users agree to reveal their private user locations
Location-based services trade their services for privacy
Service-Privacy Trade-off
Example: Where is my nearest bus
(Figure: trade-off curve with Service on one axis and Privacy on the other, each ranging from 0% to 100%.)
The Casper Architecture
Components: mobile users, the Location Anonymizer, and the Privacy-aware Query Processor embedded in the Location-based Database Server.
1: Query + Location Information (user to Location Anonymizer)
2: Query + blurred Spatial Region (Location Anonymizer to database server)
3: Candidate Answer (database server to Location Anonymizer)
4: Candidate/Exact Answer (Location Anonymizer to user)
Location Anonymizer: a trusted third party that is responsible for blurring the exact location information.
System Users: Privacy Profile
Each mobile user has her own privacy profile that includes:
k: a user wants to be k-anonymous
Amin: the minimum required area of the blurred area
Multiple instances of the above parameters to indicate different privacy profiles at different times

Time       k      Amin
8:00 AM    1      ___
5:00 PM    100    1 mile
10:00 PM   1000   5 miles
Location Anonymizer: Grid-based Pyramid Structure
The entire system area is divided into grids. The Location Anonymizer incrementally keeps track of the number of users residing in each grid cell.
(Figure: grid-based pyramid structure over the entire system area; level 0 is the whole area, level 1 a 2x2 grid, level 2 a 4x4 grid, level 3 an 8x8 grid. A hash table maps each user id UID to its cell id CID.)
Traverse the pyramid structure from the bottom level to the top level, until a cell satisfying the user privacy profile is found.
Disadvantages:
① High location update cost.
② High searching cost.
Adaptive Location Anonymizer
Each sub-structure may have a different depth that adapts to environmental changes and user privacy requirements.
(Figure: adaptive grid-based pyramid structure over the entire system area, with levels 0 to 3 (2x2, 4x4 and 8x8 grids) present only where needed; a hash table maps each user id UID to its cell id CID.)
Cell Splitting: A cell cid at level i needs to be split into four cells at level i+1 if there is at least one user u in cid with a privacy profile that can be satisfied by some cell at level i+1.
Cell Merging: Four cells at level i are merged into one cell at the higher level i-1 only if all users in the level i cells have strict privacy requirements that cannot be satisfied within level i.
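The bottom-up pyramid traversal of the basic anonymizer and the cell-splitting rule of the adaptive anonymizer, as an added example (not the paper's code): the system area is the unit square, cell ids are (level, column, row), and the user positions are constructed.

```python
from collections import Counter

# Pyramid of H levels over the unit-square system area: level 0 is the whole
# area, level i is a 2^i x 2^i grid, so level H-1 is the finest grid.
H = 4
# Constructed user positions (uid -> (x, y)), not from the paper's data set.
USERS = {"u1": (0.10, 0.10), "u2": (0.12, 0.15), "u3": (0.20, 0.05),
         "u4": (0.40, 0.30), "u5": (0.70, 0.80), "u6": (0.90, 0.95),
         "u7": (0.05, 0.45), "u8": (0.55, 0.60)}

def cell_of(x, y, level):
    """Cell id CID = (level, column, row) of the cell containing (x, y)."""
    n = 2 ** level
    return (level, min(int(x * n), n - 1), min(int(y * n), n - 1))

def build_counts(users):
    """Per-cell user counts at every level (the anonymizer keeps these
    incrementally as users move; here they are built from scratch)."""
    counts = Counter()
    for x, y in users.values():
        for level in range(H):
            counts[cell_of(x, y, level)] += 1
    return counts

def satisfied(cid, k, amin, counts):
    """A cell satisfies a profile if it holds >= k users and its area
    (as a fraction of the system area) is >= Amin."""
    return counts[cid] >= k and 1.0 / 4 ** cid[0] >= amin

def cloak(uid, k, amin, users, counts):
    """Basic anonymizer: walk from the finest level up to the root and return
    the first cell containing uid that satisfies (k, Amin), or None."""
    x, y = users[uid]
    for level in range(H - 1, -1, -1):
        cid = cell_of(x, y, level)
        if satisfied(cid, k, amin, counts):
            return cid
    return None

def needs_split(cid, profiles, users, counts):
    """Adaptive anonymizer's split rule: a cell at level i is split when at
    least one user inside it has a profile some level-(i+1) cell satisfies."""
    level = cid[0]
    if level + 1 >= H:
        return False
    for uid, (k, amin) in profiles.items():
        x, y = users[uid]
        if cell_of(x, y, level) == cid and \
                satisfied(cell_of(x, y, level + 1), k, amin, counts):
            return True
    return False
```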
The Privacy-aware Query Processor
Embedded inside the location-based database server
Processes queries based on cloaked spatial regions rather than exact location information
Two types of data:
① Public data: gas stations, restaurants, police cars
② Private data: personal data records
Privacy-aware Query Processor: Query Types
1. Private queries over public data: What is my nearest gas station
2. Public queries over private data: How many cars in the downtown area
3. Private queries over private data: Where is my nearest friend
Private Queries over Public Data: Naive Approaches
Complete privacy: the Database Server returns all the target objects to the Location Anonymizer. High transmission cost; it shifts the burden of query processing work onto the mobile user.
Nearest target object to the center of the spatial query region: simple but NOT accurate.
(Figure: target objects T1 to T32 around a cloaked query region at the Location Anonymizer; the figure highlights T12, while the correct NN object is T13.)
Private Queries over Public Data
Step 1: Locate four filters: the NN target object for each vertex
Step 2: Find the middle points: the furthest point on the edge to the two filters
Step 3: Extend the query range
Step 4: Candidate answer
(Figure: cloaked area with vertices v1 to v4, middle points m12, m13, m24 and m34, and target objects T2 to T26.)
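The four steps above for the public-data case, as an added example (not the paper's code) on constructed coordinates: a cloaked area and six targets. Each edge's middle point is taken as the point on the edge furthest from its nearer filter, which is either an endpoint or the point equidistant from the two filters.

```python
import math

# Constructed sample data: a cloaked area A = (x_min, y_min, x_max, y_max)
# and public targets (e.g. gas stations) in arbitrary map units.
CLOAKED_AREA = (2.0, 2.0, 6.0, 5.0)
TARGETS = {"T1": (1, 1), "T2": (7, 1), "T3": (1, 6), "T4": (8, 6),
           "T5": (4, 8), "T6": (12, 12)}

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def nearest(p, targets):
    """Exact NN of a point: used for the filters and to check results."""
    return min(targets, key=lambda name: dist(p, targets[name]))

def edge_extension(a, b, ti, tj):
    """Step 2: distance from the edge's middle point to its filters, i.e. the
    largest distance any point on edge ab has to its nearer filter.
    min(d(p,ti), d(p,tj)) along the edge peaks at an endpoint or at the
    point equidistant from ti and tj, so only those points are checked."""
    candidates = [a, b]
    dx, dy = b[0] - a[0], b[1] - a[1]
    wx, wy = tj[0] - ti[0], tj[1] - ti[1]
    denom = 2 * (dx * wx + dy * wy)
    if denom != 0:  # the equidistant point exists along the edge's line
        num = (2 * (a[0] * wx + a[1] * wy)
               + (ti[0] ** 2 + ti[1] ** 2) - (tj[0] ** 2 + tj[1] ** 2))
        s = min(1.0, max(0.0, -num / denom))       # clamp onto the edge
        candidates.append((a[0] + s * dx, a[1] + s * dy))
    return max(min(dist(p, ti), dist(p, tj)) for p in candidates)

def private_nn_over_public(area, targets):
    x1, y1, x2, y2 = area
    v = {"v1": (x1, y1), "v2": (x2, y1), "v3": (x1, y2), "v4": (x2, y2)}
    # Step 1: one filter per vertex (the nearest target to that vertex)
    f = {name: targets[nearest(p, targets)] for name, p in v.items()}
    # Step 2: extension distance for each edge of the cloaked area
    ext = {"bottom": edge_extension(v["v1"], v["v2"], f["v1"], f["v2"]),
           "top": edge_extension(v["v3"], v["v4"], f["v3"], f["v4"]),
           "left": edge_extension(v["v1"], v["v3"], f["v1"], f["v3"]),
           "right": edge_extension(v["v2"], v["v4"], f["v2"], f["v4"])}
    # Step 3: push every side of A outwards by its edge's extension
    rng = (x1 - ext["left"], y1 - ext["bottom"],
           x2 + ext["right"], y2 + ext["top"])
    # Step 4: the candidate answer is every target inside the extended range
    cands = sorted(n for n, (x, y) in targets.items()
                   if rng[0] <= x <= rng[2] and rng[1] <= y <= rng[3])
    return rng, cands
```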
Private Queries over Public Data: Proof of Correctness
Theorem 1: Given a cloaked area A for user u located anywhere within A, the privacy-aware query processor returns a candidate list that includes the exact nearest target to u.
Theorem 2: Given a cloaked area A for a user u and a set of filter target objects t1 to t4, the privacy-aware query processor issues the minimum possible range query to get the candidate list.
(Figure: edge vi vj and its filters; (a) ti = tj, a single filter t; (b) ti ≠ tj, filters ti and tj with middle point mij.)
Private Queries over Private Data
Step 1: Locate four filters: the NN target object for each vertex
Step 2: Find the middle points: the furthest point on the edge to the two filters
Step 3: Extend the query range
Step 4: Candidate answer
(Figure: cloaked area with vertices v1 to v4, private target objects t1 to t4 shown as cloaked regions, and middle points m12, m13, m24 and m34.)
Private Queries over Private Data: Proof of Correctness
Theorem 3: Given a cloaked area A for user u located anywhere within A and a set of target objects represented by their cloaked regions, the privacy-aware query processor returns a candidate list that includes the exact nearest target to u.
Theorem 4: Given a cloaked area A for a user u and a set of filter target objects t1 to t4 represented by their cloaked areas, the privacy-aware query processor issues the minimum possible range query to get the candidate list.
(Figure: edge vi vj and its cloaked filters; (a) ti = tj, a single cloaked filter tij; (b) ti ≠ tj, cloaked filters ti and tj with middle point mij.)
Experimental Settings
We use the Network-based Generator of Moving Objects to generate a set of moving objects and moving queries.
The input to the generator is the road map of Hennepin County, MN, USA.
Compare the performance between Basic Location Anonymizer and Adaptive Location Anonymizer
Study the performance of Casper on processing:
Private queries over public data
Private queries over private data
The Casper end-to-end performance
Location Anonymizer: Number of Moving Users
Parameter settings: k = [10, 50], Amin = [0.005, 0.1]% of the system area, pyramid height = 9
Basic LA and Adaptive LA are scalable to the number of moving users.
Adaptive LA outperforms Basic LA in terms of the cloaking CPU time and the maintenance cost.
(Plot: Maintenance Cost (M) vs. Number of Moving Objects (K), 1 to 50, Basic vs. Adaptive.)
(Plot: Cloaking CPU Time (ms) vs. Number of Moving Objects (K), 1 to 50, Basic vs. Adaptive.)
Location Anonymizer: Effect of k Privacy Requirement
Parameter settings: Amin = 0, pyramid height = 9
Basic LA and Adaptive LA are scalable to the value of k.
Adaptive LA also outperforms Basic LA as the value of k gets larger.
(Plot: Cloaking CPU Time (ms) vs. k ranges 1-10, 10-50, 50-100, 100-150, 150-200, Basic vs. Adaptive.)
(Plot: Maintenance Cost (M) vs. k ranges 1-10, 10-50, 50-100, 100-150, 150-200, Basic vs. Adaptive.)
Privacy-aware Query Processor: Number of Public Target Objects
Parameter settings: k = [10, 50], Amin = [0.005, 0.1]% of the system area, # of moving users = 50K
The case of 4 filters outperforms the cases of 1 filter and 2 filters in terms of query processing CPU time and candidate answer size.
(Plot: Processing CPU Time (ms) vs. Number of Target Objects (K), 1 to 10, for 1, 2 and 4 filters.)
(Plot: Candidate Answer Size vs. Number of Target Objects (K), 1 to 10, for 1, 2 and 4 filters.)
The Casper End-to-End Performance
Parameter settings: Amin = 0, # of moving users = 10K, # of target objects = 5K, bandwidth = 20 Mbps
Using 4 filters gives much better performance than using 1 filter. The bottleneck moves to the transmission time.
(Plot, Public Data: Query Response Time (in ms) vs. k ranges 1-10, 10-50, 50-100, 100-150, 150-200; each bar is split into Transmission Cost and Casper Time, comparing 1 filter and 4 filters.)
(Plot, Private Data: Query Response Time (in ms) vs. k ranges 1-10, 10-50, 50-100, 100-150, 150-200; each bar is split into Transmission Cost and Casper Time, comparing 1 filter and 4 filters.)
Summary
Addressing a major privacy threat to the user in location-based service environments
Casper: Location Anonymizer and Privacy-aware Query Processor
Experiment results show that Casper is scalable, accurate and efficient
Related Work (1/2)
Adaptive-Interval Cloaking Algorithm: Divide the entire system area into quadrants of equal area iteratively, until the quadrant includes the user and other k-1 users.
Drawbacks:
Not scalable to the number of users
Does not consider the minimum required resolution of the cloaked region
Does not support query processing
Compared with Casper: flexibility, efficiency, quality, accuracy
M. Gruteser and D. Grunwald. Anonymous usage of location-based services through spatial and temporal cloaking. MobiSys, 2003.
Related Work (2/2)
Clique-Cloak Algorithm: Each user has her own k-anonymity requirement. A clique graph is constructed to search for a minimum bounding rectangle that includes the user’s message and other k-1 messages.
Drawbacks:
Not scalable to k
Does not consider the minimum required resolution of the cloaked region
Does not support query processing
An adversary can guess the location information of the users lying on the rectangle boundary with high probability.
Compared with Casper: flexibility, efficiency, quality, accuracy
B. Gedik and L. Liu. Location Privacy in Mobile Systems: A Personalized Anonymization Model. ICDCS, 2005.
Location Anonymizer: Pyramid Height
Parameter settings: k = [10, 50], Amin = [0.005, 0.1]% of the system area, # of moving users = 50K
Cloaking CPU time and maintenance cost get higher with increasing pyramid height.
Adaptive LA performs better than Basic LA as the pyramid height increases.
(Plot: Maintenance Cost (M) vs. Pyramid Height 4 to 9, Basic vs. Adaptive.)
(Plot: Cloaking CPU Time (ms) vs. Pyramid Height 4 to 9, Basic vs. Adaptive.)
Privacy-aware Query Processor: Number of Private Target Objects
Parameter settings: k = [10, 50], Amin = [0.005, 0.1]% of the system area, # of moving users = 50K
The case of 4 filters outperforms the cases of 1 filter and 2 filters in terms of candidate answer size.
The case of 4 filters performs better than the cases of 1 filter and 2 filters in terms of query processing CPU time when the number of target objects is over 8K.
(Plot: Processing CPU Time (ms) vs. Number of Target Objects (K), 1 to 10, for 1, 2 and 4 filters.)
(Plot: Candidate Answer Size vs. Number of Target Objects (K), 1 to 10, for 1, 2 and 4 filters.)