基于属性分类的用电大数据隐私保护方法

针对用电大数据环境下,非交互式差分隐私模型无法提供准确查询结果及计算开销较大的问题,提出一种基于最大信息系数与数据匿名化的差分隐私数据发布方法。从原始数据集中选出部分隐私属性作为特征集,利用最大信息系数选出与此特征集相关性高的数据作为隐私数据集,使用协同隐私保护算法对隐私数据集进行保护,发布满足差分隐私保护的用电大数据集。理论分析与实验结果表明,所提出的方法在提高大数据隐私保护处理效率同时,有效分化查询函数敏感性,提高发布数据可用性。     

一种面向数据流top-k频繁模式发布的差分隐私保护方案

频繁模式挖掘是事务数据分析的常用技术,面向数据流的频繁模式挖掘具有重要的应用价值.然而当事务为敏感信息时,直接发布频繁模式及支持度会导致个体隐私泄露.差分隐私是一种严格且可证明的隐私保护模型,目前虽然已有基于差分隐私的频繁模式发布方案,但它们大都是面向静态数据做一次性发布的隐私保护.本文是面向数据流频繁模式发布的隐私保...     

面向轨迹数据发布的个性化差分隐私保护机制

移动互联网和智能手机的普及大大方便了人们的生活,并由此产生了大量的轨迹数据.通过对发布的轨迹数据进行分析,能够有效提高基于位置服务的质量,进而推动智慧城市相关应用的发展,例如智能交通管理、基础设计规划以及道路拥塞预警与检测.然而,由于轨迹数据中包含用户的敏感信息,直接发布原始的轨迹数据会对个人隐私造成严重威胁.差分隐私作为一种具备严格形式化定义、强隐私性保证的安全机制,已经被广泛应用于轨迹数据的发布中.但是,现有的方法假定用户具有相同的隐私偏好,并且为所有用户提供相同级别的隐私保护,这会导致对某些用户提供的隐私保护级别不足,而某些用户则获得过多的隐私保护.为满足不同用户的隐私保护需求,提高数据可用性,本文假设用户具备不同的隐私需求,提出了一种面向轨迹数据的个性化差分隐私发布机制.该机制利用Hilbert曲线提取轨迹数据在各个时刻的分布特征,生成位置聚簇,使用抽样机制和指数机制选择各个位置聚簇的代表元,进而利用位置代表元对原始轨迹数据进行泛化,从而生成待发布轨迹数据.在真实轨迹数据集上的实验表明,与基于标准差分隐私的方法相比,本文提出的机制在隐私保护和数据可用性之间提供了更好的平衡.     

社会网络数据的k-匿名发布

由于科学研究和数据共享等需要,应该发布社会网络数据。但直接发布社会网络数据会侵害个体隐私,在发布数据的同时要进行隐私保护。针对将邻域信息作为背景知识的攻击者进行目标节点识别攻击的场景提出了基于k-匿名发布的隐私保护方案。根据个体的隐私保护要求设立不同的隐私保护级别,以最大程度地共享数据,提高数据的有效性。设计实现了匿名发布的KNP算法,并在数据集上进行了验证,实验结果表明该算法能够有效抵御部域攻击。     

Geometric data perturbation for privacy preserving outsourced data mining

Data perturbation is a popular technique in privacy-preserving data mining. A major challenge in data perturbation is to balance privacy protection and data utility, which are normally considered as a pair of conflicting factors. We argue that selectively preserving the task/model specific information in perturbation will help achieve better privacy guarantee and better data utility. One type of such information is the multidimensional geometric information, which is implicitly utilized by many data-mining models. To preserve this information in data perturbation, we propose the Geometric Data Perturbation (GDP) method. In this paper, we describe several aspects of the GDP method. First, we show that several types of well-known data-mining models will deliver a comparable level of model quality over the geometrically perturbed data set as over the original data set. Second, we discuss the intuition behind the GDP method and compare it with other multidimensional perturbation methods such as random projection perturbation. Third, we propose a multi-column privacy evaluation framework for evaluating the effectiveness of geometric data perturbation with respect to different level of attacks. Finally, we use this evaluation framework to study a few attacks to geometrically perturbed data sets. Our experimental study also shows that geometric data perturbation can not only provide satisfactory privacy guarantee but also preserve modeling accuracy well.     

基于SOM网络的差分隐私保护研究

差分隐私模型具有强大的隐私保护能力,但是也存在数据效用低等问题。为提高数据可用性并保护数据隐私,提出一种基于SOM网络的差分隐私算法(SOMDP)。首先利用SOM网络模型对数据进行聚类操作;其次,对每个划分好的聚类添加满足差分隐私的拉普拉斯噪声;最后,理论分析算法的可行性,并在真实数据集上评估SOMDP算法性能、算法的数据可用性和隐私性能。实验结果表明,SOMDP在达到差分隐私要求的前提下,可较大程度地提高差分隐私数据发布的效用。     

基于信息增益比例约束的数据匿名方法及其评估机制

针对数据发布中的隐私泄露问题, 分析了对数据集进行匿名保护需要满足的条件, 提出了一种基于信息增益比例约束的数据匿名方法。该方法以凝聚层次聚类为基本原理, 将数据集中的元组划分到若干个等价群中, 然后概化每个等价群中的元组使其具有相同的准标志符值。在聚类过程中, 以信息损失最小、信息增益比例最大的约束条件来控制聚类的合并, 可以使数据匿名结果保持良好的可用性和安全性。对匿名结果的质量评估问题进行了深入的探讨, 提出了匿名结果可用性和安全性的量化计算方法。在UCI知识库提供的Adult数据集上的一系列实验结果表明, 该方法是有效可行的。     

An Iteration-Based Differentially Private Social Network Data Release

Online social networks provide an unprecedented opportunity for researchers to analysis various social phenomena. These network data is normally represented as graphs, which contain many sensitive individual information. Publish these graph data will violate users’ privacy. Differential privacy is one of the most influential privacy models that provides a rigorous privacy guarantee for data release. However, existing works on graph data publishing cannot provide accurate results when releasing a large number of queries. In this paper, we propose a graph update method transferring the query release problem to an iteration process, in which a large set of queries are used as update criteria. Compared with existing works, the proposed method enhances the accuracy of query results. The extensive experiment proves that the proposed solution outperforms two state-of-the-art methods, the Laplace method and the correlated method, in terms of Mean Absolute Value. It means our methods can retain more utility of the queries while preserving the privacy.     

Utility-preserving differentially private data releases via individual ranking microaggregation

Being able to release and exploit open data gathered in information systems is crucial for researchers, enterprises and the overall society. Yet, these data must be anonymized before release to protect the privacy of the subjects to whom the records relate. Differential privacy is a privacy model for anonymization that offers more robust privacy guarantees than previous models, such as k-anonymity and its extensions. However, it is often disregarded that the utility of differentially private outputs is quite limited, either because of the amount of noise that needs to be added to obtain them or because utility is only preserved for a restricted type and/or a limited number of queries. On the contrary, k-anonymity-like data releases make no assumptions on the uses of the protected data and, thus, do not restrict the number and type of doable analyses. Recently, some authors have proposed mechanisms to offer general-purpose differentially private data releases. This paper extends such works with a specific focus on the preservation of the utility of the protected data. Our proposal builds on microaggregation-based anonymization, which is more flexible and utility-preserving than alternative anonymization methods used in the literature, in order to reduce the amount of noise needed to satisfy differential privacy. In this way, we improve the utility of differentially private data releases. Moreover, the noise reduction we achieve does not depend on the size of the data set, but just on the number of attributes to be protected, which is a more desirable behavior for large data sets. The utility benefits brought by our proposal are empirically evaluated and compared with related works for several data sets and metrics.     

结构化数据的隐私与数据效用度量模型

针对隐私保护中数据隐私量和数据效用的量化问题,基于度量空间和范数基本原理提出了一种结构化数据隐私与数据效用度量模型。首先,给出数据数值化处理方法,将数据表转变为矩阵进行运算;其次,引入隐私偏好函数,度量敏感属性随时间的变化;然后,分析隐私保护模型,量化隐私保护技术产生的变化;最后,构建度量空间,给出了隐私量、数据效用和隐私保护程度计算式。通过实例分析,该度量模型能够有效反映隐私信息量。     

Measuring Privacy and Utility in Privacy‐Preserving Visualization

In previous work, we proposed a technique for preserving the privacy of quasi‐identifiers in sensitive data when visualized using parallel coordinates. This paper builds on that work by introducing a number of metrics that can be used to assess both the level of privacy and the amount of utility that can be gained from the resulting visualizations. We also generalize our approach beyond parallel coordinates to scatter plots and other visualization techniques. Privacy preservation generally entails a trade‐off between privacy and utility: the more the data are protected, the less useful the visualization. Using a visually‐oriented approach, we can provide a higher amount of utility than directly applying data anonymization techniques used in data mining. To demonstrate this, we use the visual uncertainty framework for systematically defining metrics based on cluster artifacts and information theoretic principles. In a case study, we demonstrate the effectiveness of our technique as compared to standard data‐based clustering in the context of privacy‐preserving visualization.     

一种基于权重属性熵的分类匿名算法

为了在高效地保护数据隐私不被泄露的同时保证数据效用,提出了一种基于权重属性熵的分类匿名方法(Weight-properties Entropy for Classification Anonymous,WECA)。该方法在数据分类挖掘的特定应用背景下,通过信息熵的概念来计算数据集中不同准标识符属性对敏感属性的分类重要程度,选取分类权重属性熵比率最高的准标识符属性对分类树进行有利的划分,同时构建了分类匿名信息损失度量,在更好地保护隐私数据的前提下确保了数据分类效用。最后,在标准数据集上的实验结果表明,该算法在保证较少的匿名损失的同时具有较高的分类精度,提高了数据可用性。     

面向频繁项集挖掘的本地差分隐私事务数据收集方法

事务数据常见于各种应用场景中,如购物记录、页面浏览历史等.为了提供更好的服务,服务提供商收集用户数据并进行分析,但收集事务数据会泄露用户的隐私信息.为了解决上述问题,基于压缩的本地差分隐私模型,提出一种事务数据收集方法.首先,定义了一种新的候选项集分值函数;其次,基于该函数,将候选项集的样本空间划分为多个子空间;然后,随机选择其中一个子空间,基于该子空间随机生成事务数据并发送给不可信的数据收集者;最后,考虑到隐私参数的设置问题,基于最大后验置信度攻击模型设计启发式隐私参数设置策略.理论分析表明,该方法能够同时保护事务数据的长度与内容,满足压缩的本地差分隐私要求.实验结果表明,与目前最优的工作相比,所收集的数据具有更高的效用性,隐私参数设置更具有语义性.     

大数据环境中非交互式查询差分隐私保护模型

针对大数据环境下,非交互式差分隐私无法准确提供及处理大量范围查询的问题,提出一种基于最大信息系数与机器学习的隐私保护数据查询模型。对原始数据集采用最大信息系数选出相关性低的数据作为训练样本集,然后结合差分隐私的并行组合性质对其进行分块划分得到隐私保护的训练样本集,最后应用线性回归算法训练样本集得到差分隐私保护预测模型,该模型隐私保护的方式回答当前提交和大量未知的查询。实验结果表明,所提出的模型在提升发布数据效用性的同时,也提高了查询处理的效率。     

可穿戴设备数值型敏感数据本地差分隐私保护

针对数据服务器不可信时，直接收集可穿戴设备多维数值型敏感数据有可能存在泄露用户隐私信息的问题，通过引入本地差分隐私模型，提出了一种可穿戴设备数值型敏感数据的个性化隐私保护方案。首先，通过设置隐私预算的阈值区间，用户在区间内设置满足个人隐私需求的隐私预算，同时也满足了个性化本地差分隐私；其次，利用属性安全域将敏感数据进行归一化；最后，利用伯努利分布分组扰动多维数值型敏感数据，并利用属性安全域对扰动结果进行归一化还原。理论分析证明了该算法满足个性化本地差分隐私。实验结果表明该算法的最大相对误差（MRE）明显低于Harmony算法，在保护用户隐私的基础上有效地提高了不可信数据服务器从可穿戴设备收集数据的可用性。     

Multirelational k-Anonymity

k-Anonymity protects privacy by ensuring that data cannot be linked to a single individual. In a k-anonymous data set, any identifying information occurs in at least k tuples. Much research has been done to modify a single-table data set to satisfy anonymity constraints. This paper extends the definitions of k-anonymity to multiple relations and shows that previously proposed methodologies either fail to protect privacy or overly reduce the utility of the data in a multiple relation setting. We also propose two new clustering algorithms to achieve multirelational anonymity. Experiments show the effectiveness of the approach in terms of utility and efficiency.     

社交网络下的不确定图隐私保护算法

社交网络平台的快速普及使得社交网络中的个人隐私泄露问题愈发受到用户的关心,传统的数据隐私保护方法无法满足用户数量巨大、关系复杂的社交网络隐私保护需求.图修改技术是针对社交网络数据的隐私保护所提出的一系列隐私保护措施,其中不确定图是将确定图转化为概率图的一种隐私保护方法.主要研究了不确定图中边概率赋值算法,提出了基于差分隐私的不确定图边概率赋值算法,该算法具有双重隐私保障,适合社交网络隐私保护要求高的场景.同时提出了基于三元闭包的不确定图边概率分配算法,该算法在实现隐私保护的同时保持了较高的数据效用,适合简单的社交网络隐私保护场景.分析与比较表明：与（k,ε）-混淆算法相比,基于差分隐私的不确定图边概率赋值算法可以实现较高的隐私保护效果,基于三元闭包的不确定图边概率分配算法具有较高的数据效用性.最后,为了衡量网络结构的失真程度,提出了基于网络结构熵的数据效用性度量算法,该算法能够度量不确定图与原始图结构的相似程度.     

k-匿名下通过本地差分隐私实现位置隐私保护

针对用户位置隐私保护过程中攻击者利用背景知识等信息发起攻击的问题,提出一种面向移动终端的位置隐私保护方法。该方案通过利用k-匿名和本地差分隐私技术进行用户位置保护,保证隐私和效用的权衡。结合背景知识构造匿名集,通过改进的Hilbert曲线对k-匿名集进行分割,使用本地差分隐私算法RAPPOR扰动划分后的位置集,最后将生成的位置集发送给位置服务提供商获取服务。在真实数据集上与已有的方案从用户位置保护、位置可用性和时间开销方面进行对比,实验结果显示,所提方案在确保LBS服务质量的同时,也增强了位置隐私保护的程度。     

Privacy Preserving Visualization: A Study on Event Sequence Data

The inconceivable ability and common practice to collect personal data as well as the power of data‐driven approaches to businesses, services and security nowadays also introduce significant privacy issues. There have been extensive studies on addressing privacy preserving problems in the data mining community but relatively few have provided supervised control over the anonymization process. Preserving both the value and privacy of the data is largely a non‐trivial task. We present the design and evaluation of a visual interface that assists users in employing commonly used data anonymization techniques for making privacy preserving visualizations. Specifically, we focus on event sequence data due to its vulnerability to privacy concerns. Our interface is designed for data owners to examine potential privacy issues, obfuscate information as suggested by the algorithm and fine‐tune the results per their discretion. Multiple use case scenarios demonstrate the utility of our design. A user study similarly investigates the effectiveness of the privacy preserving strategies. Our results show that using a visual‐based interface is effective for identifying potential privacy issues, for revealing underlying anonymization processes, and for allowing users to balance between data utility and privacy.     

融入兴趣区域的差分隐私轨迹数据保护方法

轨迹数据保护方法是当前隐私保护研究领域的热点问题。现有轨迹数据隐私保护方法多数采取在所有位置点上加噪的策略,这在保护轨迹数据的同时也降低了保护后数据的可用性。为解决该问题,提出了一种融入兴趣区域的差分隐私轨迹数据保护方法。该方法首先将用户长时间停留的相近位置点集合定义为兴趣区域,将兴趣区域的中心点定义为驻留点。然后通过划定阈值的方式,从所有驻留点中挖掘出频繁驻留点,使用驻留点替代原轨迹数据中对应的兴趣区域,精简轨迹数据。最后利用Laplace机制对频繁驻留点进行加噪。该方法仅需要在轨迹数据的局部数据点上进行加噪,即可实现对轨迹数据的差分隐私保护。分别在真实数据集和仿真数据集上进行了实验,实验结果表明该方法在保护轨迹数据隐私的前提下,能够进一步提高数据的可用性。