
Location Privacy Protection for Location-based Services


Presentation Transcript


  1. Location Privacy Protection for Location-based Services
  Ying Cai, Department of Computer Science, Iowa State University, Ames, Iowa, 50011
  http://www.cs.iastate.edu/~yingcai

  2. Location-based Services (LBS)

  3. Dilemma
  • To use an LBS, a user needs to disclose her location, but a person's whereabouts may imply sensitive private information
  (figure labels: Stalking…, Nightclub, Hospital, Political Party)

  4. Location Privacy Protection
  • Policy-based approaches
    • Legislation governs the collection and distribution of personal location data
    • Personal location management lets users determine when and to whom to release location information
  • These schemes cannot prevent location data from being abused by insiders

  5. Challenge
  • Simply using a pseudonym is not sufficient, because a user's location itself may reveal her real-world identity
    • e.g., by correlating it with restricted spaces such as a home address or an office


  7. Location Depersonalization
  • Basic idea: reducing location resolution
  • Report a cloaking area instead of the actual location
  • Research issue: each cloaking area must
    • provide a desired level of depersonalization, and
    • be as small as possible

  8. The state of the art
  • Ensuring each cloaking area contains a certain number of users
  • A cloaking area with K users provides K-anonymity protection

  9. Problem 1
  • The anonymity server requires frequent location updates from all users
    • Practicality
    • Scalability
  Users not engaged in LBSs may not be willing to help protect others' anonymity


  11. Problem 2
  • In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection
  • New threats
    • Location resolution refinement
    • Trace attack

  12. Problem 3
  • A cloaking area guarantees service anonymity, but NOT location privacy
  • An adversary does not know who requests the service, but knows that the requestor was inside the area, and in particular that she was there with some other people
  Where you are and whom you are with are closely related to what you are doing …

  13. The root of the problems
  • All existing techniques cloak a user's position based on her current neighbors

  14. Observation
  • Public areas are naturally depersonalized
    • A large number of visits by different people
    • More footprints, more popular
  (figure labels: Highway, Park)

  15. Basic Idea
  • Using footprints for location depersonalization
  • Each cloaking area contains at least K different footprints
  Location privacy protection: an adversary may be able to identify all these users, but will not know who was there at what time


  17. Trajectory database
  • Source of historical location data
    • From wireless service carriers, which provide the communication infrastructure
    • From the users of LBSs, who need to report location for cloaking
  • Trajectory indexing for efficient retrieval
    • Partition the network domain into cells
    • Maintain a cell table for each cell

  18. Sporadic LBS
  • A client reports to the server
    • p: its current location
    • K: its desired privacy level
  • The server computes a circular region
    • containing p and K-1 footprints, each from a different user
    • that needs to be as small as possible
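The server-side step of slide 18, written out as an added Python example; this is not the author's code or the paper's algorithm. It picks the nearest footprints from K-1 distinct users, refuses (returns None) when the database cannot supply that many, and reports a circle built from the centroid of the chosen points rather than a true minimal enclosing circle. The centroid construction, the rule that the requester's own footprints do not count toward K, and the footprint table (user IDs and coordinates) are all constructed for this example.

```python
import math
from collections import namedtuple
from typing import List, Optional, Tuple

Point = Tuple[float, float]
Circle = Tuple[float, float, float]          # (cx, cy, r)
Footprint = namedtuple("Footprint", "user x y")

# Constructed excerpt of a footprint (trajectory) database; user IDs and
# coordinates are made up for this example.
FOOTPRINTS: List[Footprint] = [
    Footprint("u1", 1.0, 0.0), Footprint("u1", 1.2, 0.1),   # two footprints of the same user
    Footprint("u2", 0.0, 2.0), Footprint("u3", -3.0, 0.0),
    Footprint("u4", 0.0, -5.0), Footprint("u5", 8.0, 8.0),
]


def contains(circle: Circle, q: Point) -> bool:
    cx, cy, r = circle
    return math.dist((cx, cy), q) <= r + 1e-9


def cloak_point(p: Point, requester: str, k: int,
                footprints: List[Footprint]) -> Optional[Circle]:
    """Return a circle covering p and K-1 footprints from K-1 distinct other users,
    or None when the database has too few distinct visitors near p."""
    chosen, seen = [], set()
    for f in sorted(footprints, key=lambda f: math.dist(p, (f.x, f.y))):
        # Assumption of this example: a user counts once, and never the requester herself.
        if f.user == requester or f.user in seen:
            continue
        chosen.append(f)
        seen.add(f.user)
        if len(chosen) == k - 1:
            break
    if len(chosen) < k - 1:
        return None                          # K-anonymity cannot be provided at this spot
    pts = [p] + [(f.x, f.y) for f in chosen]
    # Simple (not minimal) circle: centroid of the points, radius to the farthest one.
    cx = sum(x for x, _ in pts) / len(pts)
    cy = sum(y for _, y in pts) / len(pts)
    r = max(math.dist((cx, cy), q) for q in pts)
    return (cx, cy, r)


def distinct_users_inside(circle: Circle, footprints: List[Footprint]) -> int:
    """How many different users have a footprint inside the reported region."""
    return len({f.user for f in footprints if contains(circle, (f.x, f.y))})


if __name__ == "__main__":
    region = cloak_point((0.0, 0.0), "u9", 3, FOOTPRINTS)
    print("region:", region, "distinct users inside:",
          distinct_users_inside(region, FOOTPRINTS))
    print("K=7 ->", cloak_point((0.0, 0.0), "u9", 7, FOOTPRINTS))
```

The `distinct_users_inside` check is the property a server should verify before answering: the region is only as anonymous as the number of different people whose footprints fall inside it, not the number of footprint rows.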


  21. Continuous LBSs
  • A client reports
    • a base trajectory T0 = {c1, c2, …, cn}
    • the desired anonymity level K
  • The server computes a K-anonymity trajectory (KAT) T = {B1, B2, …, Bn}
  • When the user arrives at ci, the server reports Bi to the LBS

  22. K-Anonymity Trajectory (KAT)
  (figure: K=3)
  • Problem: how to find the KAT with the best resolution?

  23. Challenges
  • Given a database of N trajectories, there are sets of trajectories of size K-1 to choose from
  • Given a fixed set of additive trajectories, different orders of cloaking result in different KATs
  • Exhaustive search: expensive

  24. A Heuristic Approach
  • Cloak T0 with one trajectory
  • Cloak T0 with a set of K-1 trajectories
  • Select additive trajectory candidates

  25. Cloaking One Additive Trajectory
  • Cloaking T0 with additive trajectory Ta
    • T0 = {c1, c2, …, cn}; Ta = {a1, a2, …, am}, where n ≤ m
    • T = {B1, B2, …, Bn} is the cloaking result
    • Goal: minimize T's resolution
  (figure: T = Cloak(T0, Ta), showing T0, Ta and the circles B1, B2, B3, B4)

  26. Cloaking with a Set of Additive Trajectories
  • Different orders of cloaking can have vastly different results
  (figure: T0, T1, T2; is T0+T1+T2 = T0+T2+T1 ?)


  29. Approach 1: Linear(T0, S)
  • Sort the trajectories based on their distances to T0
  • Cloak with T0 in order of their distance
  • Cloak(T0, Ta) is called s + K – 1 times
  Limit of Linear
  • K=3. Linear cloaks T0 with T1 and T2
  • But cloaking with T1 and T3 has a better result


  32. Quadratic(T0, S)
  • Once an additive trajectory is cloaked
    • Set the cloaking result as T
    • For the remaining trajectories, compare the distance to T instead of to T0
  • In the worst case, Cloak(T0, Ta) is called (K-1)(s-K/2+1) times
  (figure: T1 is closest to T0, so T = Cloak(T0, Ta); T3 is closest to T, so T = Cloak(T, Ta))
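The Linear and Quadratic strategies of slides 27 to 32, as an added Python example that is not the author's code. Cloak(T, Ta) is modelled here as growing each circle Bi just enough to contain the footprint of Ta nearest to it, and the "distance" between a trajectory and a candidate is measured as the cloaking range (average radius) of the result; both modelling choices are assumptions of this example, as is the four-route scenario built to reproduce the "limit of Linear" from slide 29. Under these assumptions the counter confirms the slides' call counts: s + K – 1 for Linear, and s + (s-1) + … over the K-1 rounds of Quadratic, which sums to (K-1)(s – K/2 + 1).

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]
Circle = Tuple[float, float, float]   # (cx, cy, r); a cloaked trajectory is a list of circles

CLOAK_CALLS = 0   # counts Cloak() invocations so both strategies can be compared with the slides


def enclose(c: Circle, q: Point) -> Circle:
    """Smallest circle containing circle c and point q."""
    cx, cy, r = c
    d = math.dist((cx, cy), q)
    if d <= r:
        return c
    shift = (d - r) / 2.0                          # move the centre toward q by half the gap
    ux, uy = (q[0] - cx) / d, (q[1] - cy) / d
    return (cx + ux * shift, cy + uy * shift, (r + d) / 2.0)


def cloak(t: List[Circle], ta: List[Point]) -> List[Circle]:
    """Cloak(T, Ta): grow every circle so it contains the footprint of Ta nearest to it.
    Simplified model (assumption); the paper's Cloak may pair points differently."""
    global CLOAK_CALLS
    CLOAK_CALLS += 1
    return [enclose(b, min(ta, key=lambda q: math.dist((b[0], b[1]), q))) for b in t]


def resolution(t: List[Circle]) -> float:
    """Cloaking range: the average radius of the circles (the metric on slide 35)."""
    return sum(b[2] for b in t) / len(t)


def as_circles(t0: List[Point]) -> List[Circle]:
    return [(x, y, 0.0) for x, y in t0]


def covers(t: List[Circle], ta: List[Point]) -> bool:
    """True if every circle of T contains at least one footprint of Ta."""
    return all(any(math.dist((cx, cy), q) <= r + 1e-9 for q in ta) for cx, cy, r in t)


def linear(t0: List[Point], S: List[List[Point]], k: int):
    """Linear(T0, S): rank every candidate by its distance to T0, then cloak with the best K-1 in that order."""
    start = CLOAK_CALLS
    ranked = sorted(S, key=lambda ta: resolution(cloak(as_circles(t0), ta)))   # s calls
    t = as_circles(t0)
    for ta in ranked[:k - 1]:                                                  # K-1 calls
        t = cloak(t, ta)
    return t, CLOAK_CALLS - start


def quadratic(t0: List[Point], S: List[List[Point]], k: int):
    """Quadratic(T0, S): after each step, re-rank the remaining candidates against the current result T."""
    start = CLOAK_CALLS
    t, remaining = as_circles(t0), list(range(len(S)))
    for _ in range(k - 1):
        results = [(cloak(t, S[i]), i) for i in remaining]   # one call per remaining candidate
        t, chosen = min(results, key=lambda ri: resolution(ri[0]))
        remaining.remove(chosen)
    return t, CLOAK_CALLS - start


# Constructed scenario: four parallel routes. T2 is nearer to T0 than T3, but T3 lies on the
# same side as T1, so T1+T3 gives tighter circles than Linear's choice of T1+T2.
T0 = [(float(x), 0.0) for x in range(5)]
T1 = [(float(x), 1.0) for x in range(5)]
T2 = [(float(x), -1.5) for x in range(5)]
T3 = [(float(x), 2.0) for x in range(5)]

if __name__ == "__main__":
    tl, calls_l = linear(T0, [T1, T2, T3], 3)
    tq, calls_q = quadratic(T0, [T1, T2, T3], 3)
    print("Linear:    range %.2f after %d Cloak calls" % (resolution(tl), calls_l))
    print("Quadratic: range %.2f after %d Cloak calls" % (resolution(tq), calls_q))
```

With K=3 and the three candidates above, Linear pairs T0 with T1 and T2 and ends with an average radius of 1.25, while Quadratic switches to T3 for its second step and ends at 1.0; `covers` confirms that in both results every circle still contains a footprint of each additive trajectory used, which is the property the KAT is meant to provide.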

  33. Select Additive Trajectory Candidates
  • Only those trajectories close to the base trajectory should be considered
  • Searching algorithm

  34. Performance Study
  • Simulate mobile node movement on a real road map
    • Extract four types of roads
    • Speed changes at intersections
  • Generate a footprint database containing a certain number of trajectories with randomly assigned user IDs

  35. Experiments
  • Performance metric
    • Cloaking range: the average radius of the cloaking circles
  • Single location cloaking
    • Neighboring nodes vs. footprints
  • Trajectory cloaking
    • Linear, Quadratic, and BaseLine
    • Baseline: cloaking using neighboring mobile users

  36. Trajectory Cloaking
  • Generate a set of LBS requests, each containing
    • A user ID
    • The start and destination
      • Randomly selected on the map
      • The fastest path as the user's expected route
      • Select a location sample every 100 meters along the route
    • Required degree of privacy protection

  37. Effect of Anonymity Level
  • (a) shows the cloaking range of different algorithms
    • Cloaking range increases as K increases
  • (b) shows the cloaking range on different roads
    • Popular roads have a large number of footprints
    • Unpopular roads are sensitive to changes of K

  38. Concluding Remarks
  • We explore historical location data for location depersonalization
    • Each reported location/trajectory has been visited by at least K different people
  • We develop a suite of novel location cloaking algorithms for
    • Sporadic LBSs
    • Continuous LBSs
  • To date, this is the only solution that can support location privacy protection

  39. Thanks and Some Key References
  • M. Gruteser and D. Grunwald. "Anonymous Usage of Location-based Services through Spatial and Temporal Cloaking", ACM MobiSys'03.
  • B. Gedik and L. Liu. "A Customizable k-Anonymity Model for Protecting Location Privacy", IEEE ICDCS'05.
  • M. F. Mokbel, C. Y. Chow, and W. G. Aref. "The New Casper: Query Processing for Location Services without Compromising Privacy", VLDB'06.
  • T. Xu and Y. Cai. "Exploring Historical Location Data for Anonymity Preservation in Location-based Services", IEEE Infocom'08.

  40. Future Work
  • Additive trajectory selection
    • Similar moving speeds
    • Similar time spans
  • On-the-fly cloaking
    • Users do not have to submit a base trajectory before a travel
