Similar Literature
20 similar documents found.
1.
Statistical disclosure control (also known as privacy-preserving data mining) of microdata is about releasing data sets containing the answers of individual respondents protected in such a way that: (i) the respondents corresponding to the released records cannot be re-identified; (ii) the released data stay analytically useful. Usually, the protected data set is generated either by masking (i.e. perturbing) the original data or by generating synthetic (i.e. simulated) data preserving some pre-selected statistics of the original data. Masked data may approximately preserve a broad range of distributional characteristics, although very few of them (if any) are exactly preserved; on the other hand, synthetic data exactly preserve the pre-selected statistics and may seem less disclosive than masked data, but they do not preserve any statistics other than those pre-selected. Hybrid data obtained by mixing the original data and synthetic data have been proposed in the literature to combine the strengths of masked and synthetic data. We show how to easily obtain hybrid data by combining microaggregation with any synthetic data generator. We show that numerical hybrid data exactly preserving means and covariances of the original data and approximately preserving other statistics as well as some subdomain analyses can be obtained as a particular case with a very simple parameterization. The new method is competitive versus both the literature on hybrid data and plain multivariate microaggregation.

2.
On the disclosure risk of multivariate microaggregation (cited by 3: 0 self-citations, 3 by others)
The aim of data protection methods is to protect a microdata file while both minimizing the disclosure risk and preserving the data utility. Microaggregation is one of the most popular such methods among statistical agencies. Record linkage is the standard mechanism used to measure the disclosure risk of a microdata protection method. However, only standard, and quite generic, record linkage methods are usually considered, whereas more specific record linkage techniques can be more appropriate to evaluate the disclosure risk of some protection methods. In this paper we present a new record linkage technique, specific to microaggregation, which obtains more correct links than standard techniques. We have tested the new technique with MDAV microaggregation and two other microaggregation methods, based on projections, that we propose here for the first time. The direct consequence is that these microaggregation methods have a higher disclosure risk than believed up to now.

3.
An approximate microaggregation approach for microdata protection (cited by 1: 0 self-citations, 1 by others)
Microdata protection is a hot topic in the field of Statistical Disclosure Control, which has gained special interest after the disclosure of 658,000 queries by the America Online (AOL) search engine in August 2006. Many algorithms, methods and properties have been proposed to deal with microdata disclosure. One of the emerging concepts in microdata protection is k-anonymity, introduced by Samarati and Sweeney. k-Anonymity provides a simple and efficient approach to protect private individual information and is gaining increasing popularity. k-Anonymity requires that every record in the released microdata table be indistinguishably related to no fewer than k respondents. In this paper, we apply the concept of entropy to propose a distance metric that evaluates the amount of mutual information among records in microdata, and propose a method of constructing a dependency tree to find the key attributes, which we then use to perform approximate microaggregation. Further, we adopt this new microaggregation technique to study the k-anonymity problem, and an efficient algorithm is developed. Experimental results show that the proposed microaggregation technique is efficient and effective in terms of running time and information loss.

4.
Towards the evaluation of time series protection methods (cited by 1: 0 self-citations, 1 by others)
The goal of statistical disclosure control (SDC) is to modify statistical data so that it can be published without releasing confidential information that may be linked to specific respondents. The challenge for SDC is to achieve this modification with minimum loss of the detail and accuracy sought by final users. There are many approaches to evaluate the quality of a protection method. However, all these measures are only applicable to numerical or categorical attributes. In this paper, we present some recent results about time series protection and re-identification. We propose a complete framework to evaluate time series protection methods. We also present some empirical results to show how our framework works.

5.
Spatial K-anonymity (SKA) exploits the concept of K-anonymity in order to protect the identity of users from location-based attacks. The main idea of SKA is to replace the exact location of a user U with an anonymizing spatial region (ASR) that contains at least K−1 other users, so that an attacker can pinpoint U with probability at most 1/K. Simply generating an ASR that includes K users does not guarantee SKA. Previous work defined the reciprocity property as a sufficient condition for SKA. However, the only existing reciprocal method, Hilbert Cloak, relies on a specialized data structure. In contrast, we propose a general framework for implementing reciprocal algorithms using any existing spatial index on the user locations. We discuss ASR construction methods with different tradeoffs on effectiveness (i.e., ASR size) and efficiency (i.e., construction cost). Then, we present case studies of applying our framework on top of two popular spatial indices (namely, R*-trees and Quad-trees). Finally, we consider the case where the attacker knows the query patterns of each user. The experimental results verify that our methods outperform Hilbert Cloak. Moreover, since we employ general-purpose spatial indices, the proposed system is not limited to anonymization, but supports conventional spatial queries as well.

6.
During authentication and key agreement in the Internet of Things, if the user's identity information is transmitted in plaintext, an attacker may track the user's movements and thereby cause information leakage. To address the problem that most identity-based authentication and key agreement protocols do not protect user privacy, an identity-based anonymous authentication and key agreement protocol is proposed. In the designed scheme, the user's identity information is transmitted in ciphertext form, which solves the user privacy problem.

7.
Gerardo, Bice. Data & Knowledge Engineering 2009, 68(11):1187-1205
The paper proposes a novel approach for on-line max and min query auditing, in which a Bayesian network addresses disclosures based on probabilistic inferences that can be drawn from released data. In the literature, on-line max and min auditing has been addressed with some restrictive assumptions, primarily that the sensitive values must all be distinct and the sensitive field has a uniform distribution. We remove these limitations and propose a model able to: provide a graphical representation of user knowledge; deal with the implicit delivery of information that derives from denying the answer to a query; and capture user background knowledge. Finally, we discuss the results of experiments aimed at assessing the scalability of the approach, in terms of response time and size of the conditional probability table, and the usefulness of the auditor system, in terms of the probability of denying a query.

8.
Anonymous communication provides an important privacy service by keeping passive eavesdroppers from linking communicating parties. However, an attacker can use long-term statistical analysis of traffic sent to and from such a system to link senders with their receivers. Cover traffic is an effective, but somewhat limited, counter strategy against this attack. Earlier work in this area proposes that privacy-sensitive users generate and send cover traffic to the system. However, users are not online all the time and cannot be expected to send consistent levels of cover traffic; use of inconsistent cover traffic drastically reduces its impact. We propose that the anonymity system generate cover traffic that mimics the sending patterns of users in the system. This receiver-bound cover (RBC) helps to make up for users that aren’t there, confusing the attacker. To study the statistical disclosure attack and different cover traffic methods, we introduce an analytical method to bound the time for an attacker to identify a contact of Alice with high probability. We use these bounds to show that cover traffic sent by Alice greatly increases the time for attacker success, especially as the amount of traffic from other users increases. Further, we show that RBC greatly enhances the defense, forcing the attacker to take additional time proportional to the amount of cover used. We also examine the effectiveness of the attack and cover traffic when the attacker can only observe part of the traffic in the system. We validate our analysis through simulations that extend to realistic social networks. When RBC is used in combination with user-generated cover traffic, the attack takes a very long time to succeed.

9.
Spatial K-anonymity techniques are mainly used for privacy protection, to prevent the leakage of personal information. Current approaches are mostly based on the user/anonymizer/location-based services (LBS) model. This paper proposes a reciprocal spatial K-anonymity algorithm based on locality-sensitive hashing partitioning. The algorithm satisfies the requirements of both distance preservation and reciprocity, and has moderate computational complexity. Finally, experiments on effectiveness (minimizing the anonymized spatial region) and efficiency (construction cost) show that the proposed algorithm performs well.

10.
An inherent feature of IP addresses is the aliasing that arises due to dynamic address allocation. This creates a significant barrier to the estimation of the malicious host population from a set of intrusion alerts. In this paper, we propose a method for estimating the number of malicious hosts that may have bound to an alerted address, based on the correlation of different data sets that were collected independently and a probabilistic model of host-to-address bindings. We analysed a two-week trace of real-world intrusion alerts along with a global survey of ping responses, and inferred that over 80% of malicious addresses were bound to multiple hosts. Such aliasing effects highlight the inaccuracy of assuming static bindings between hosts and addresses when exact host identification is not possible due to privacy protection. However, our method demonstrates that reliable inferences can still be made when a sufficient overlap exists between the correlated data sets.

11.
End-to-end data aggregation, without degrading sensing accuracy, is a very relevant issue in wireless sensor networks (WSN), since it can prevent network congestion. Moreover, privacy management requires that anonymity and data integrity be preserved in such networks. Unfortunately, no integrated solutions able to tackle both issues in a unified and general environment have been proposed so far. To bridge this gap, in this paper we present an approach for dynamic secure end-to-end data aggregation with a privacy function, named DyDAP. It has been designed starting from a UML model that encompasses the most important building blocks of a privacy-aware WSN, including aggregation policies. Furthermore, it introduces an original aggregation algorithm that, using a discrete-time control loop, is able to dynamically handle in-network data fusion to reduce the communication load. The performance of the proposed scheme has been verified using computer simulations, showing that DyDAP avoids network congestion and therefore improves WSN estimation accuracy while, at the same time, guaranteeing anonymity and data integrity.

12.
Microaggregation is a protection method used by statistical agencies to limit the disclosure risk of confidential information. Formally, microaggregation assigns each original datum to a small cluster and then replaces the original data with the centroid of that cluster. As clusters contain at least k records, microaggregation can be considered as preserving k-anonymity. Nevertheless, this is only so when multivariate microaggregation is applied and, moreover, when all variables are microaggregated at the same time. When different variables are protected using univariate microaggregation, k-anonymity is only ensured at the variable level. Therefore, the real k-anonymity decreases for most of the records and it is then possible to cause a leakage of privacy. Due to this, the analysis of the disclosure risk is still meaningful in microaggregation. This paper proposes a new record linkage method for univariate microaggregation based on finding the optimal alignment between the original and the protected sorted variables. We show that our method, which uses a DTW distance to compute the optimal alignment, provides the intruder with enough information in many cases to decide whether the link is correct or not. Note that standard record linkage methods never ensure the correctness of the linkage. Furthermore, we present some experiments using two well-known data sets, which show that our method has better results (a larger number of correct links) than the best standard record linkage method.

13.
Recently, access control on XML data has become an important research topic. Previous research on access control mechanisms for XML data has focused on increasing the efficiency of access control itself, but has not addressed the issue of integrating access control with query processing. In this paper, we propose an efficient access control mechanism tightly integrated with query processing for XML databases. We present the novel concept of the dynamic predicate (DP), which represents a dynamically constructed condition during query execution. A DP is derived from instance-level authorizations and constrains accessibility of the elements. The DP allows us to effectively integrate authorization checking into the query plan so that unauthorized elements are excluded in the process of query execution. Experimental results show that the proposed access control mechanism improves query processing time significantly over the state-of-the-art access control mechanisms. We conclude that the DP is highly effective in efficiently checking instance-level authorizations in databases with hierarchical structures.

14.
The characteristics of wireless mesh networks expose them to greater security challenges than traditional wireless networks, and their security solutions must balance security with factors such as the application environment. Access authentication and key agreement for user nodes is the most basic security protocol when nodes roam, and it is the foundation on which protocols such as secure routing are built. In access authentication for user nodes in multi-hop vehicular mesh networks, protecting user identity information is very important, yet there has been little research on anonymous authentication for roaming user nodes in vehicular mesh networks. Taking the characteristics of wireless mesh networks fully into account, this paper combines hash functions with the Diffie-Hellman algorithm to propose an efficient anonymous access authentication and key agreement protocol for user nodes. Analysis shows that the protocol not only meets the security requirements but is also feasible in practical applications.

15.
The protection of customer privacy is a fundamental issue in today’s corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure, supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze the privacy policies of the enterprises involved in a business process. On the basis of the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with the different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service. This is an expanded and revised version of [20].

16.
Process monitoring and diagnosis have been widely recognized as important and critical tools in system monitoring for the detection of abnormal behavior and for quality improvement. Although traditional statistical process control (SPC) tools are effective in simple manufacturing processes that generate a small volume of independent data, these tools are not capable of handling the large streams of multivariate and autocorrelated data found in modern systems. As the limitations of SPC methodology become increasingly obvious in the face of ever more complex processes, data mining algorithms, because of their proven capabilities to effectively analyze and manage large amounts of data, have the potential to resolve the challenging problems that are stretching SPC to its limits. In the present study we attempted to integrate state-of-the-art data mining algorithms with SPC techniques to achieve efficient monitoring in multivariate and autocorrelated processes. The data mining algorithms include artificial neural networks, support vector regression, and multivariate adaptive regression splines. The residuals of the data mining models were utilized to construct multivariate cumulative sum control charts to monitor the process mean. Simulation results from various scenarios indicated that data mining model-based control charts perform better than traditional time-series model-based control charts.

17.
With the rapid development of mobile applications, the number of Android phone users has grown enormously, and the ever-increasing amount of user data has made the Android system a primary target for malicious attackers. By analyzing the SELinux mechanism added in Android 4.4, this paper points out the possibility of imposing fine-grained restrictions on root privileges and, based on this mechanism, proposes a design for enhanced privacy security, so that users' private data can be effectively protected even on a phone where root privileges have already been obtained.

18.
This article examined the interplay between cognition and affect in Internet uses for privacy control. A survey of a national sample was conducted to empirically test the relationship between affective concern for and cognitive knowledge of information privacy online. We also tested for the interactive role of reward-seeking as a moderator among these relationships. Findings revealed that concern did not directly play a meaningful role in guiding users’ protective behavior, whereas knowledge was found significant in moderating the role of concern. The interactive role of reward-seeking seems particularly salient in shaping the structure of the relationships. These findings suggest that the intersections between knowledge, reward, and concern can play out differently, depending on the levels of each. Policy implications in relation to users’ cognitive, affective, and reward-seeking rationalities are offered, and future research considerations are discussed.

19.
With the development and spread of mobile devices, electronic health records based on body area networks (Body Area Network, BAN) are becoming increasingly popular. People back up the medical data collected from the body area network to the cloud, so that medical staff almost anywhere can use a mobile terminal to access a user's medical data. For some patients, however, this medical data is personal private information, and they only want people holding certain permissions to view it. This paper proposes an efficient and secure fine-grained access control scheme that not only allows authorized users to access medical data in cloud storage, but also supports modification of the records by certain privileged doctors. To improve the efficiency of the whole system, a match-then-decrypt mechanism is added, which performs a decryption test without actually decrypting. In addition, the scheme outsources the bilinear pairing operations to the gateway without revealing the data content, thereby largely eliminating the user's decryption overhead. Performance evaluation shows that the proposed solution significantly improves efficiency in computation, communication and storage.

20.
For monitoring a multivariate quality control process, traditional multivariate control charts have been proposed to detect mean shifts. However, a persistent problem is that such charts are unable to provide any shift-related information when mean shifts occur in the process. In fact, the immediate classification of the magnitude of mean shifts can greatly narrow down the set of possible assignable causes, hence facilitating quick analysis and corrective action by the technician before many nonconforming units are manufactured. In this paper, we propose a neural-fuzzy model for detecting mean shifts and classifying their magnitude in multivariate processes. This model is divided into training and classifying modules. In the training module, a neural network (NN) model is trained to detect various mean shifts for multivariate processes. Then, in the classifying module, the outputs of the NN are classified into various decision intervals by using a fuzzy classifier and an additional two-point-in-an-interval decision rule to determine shift status. An example is presented to illustrate the application of the proposed model. Simulation results show that it outperforms the multivariate T² control chart in terms of out-of-control average run length under a fixed type I error. In addition, the correct classification percentages are also studied and general guidelines are given for the proper use of the proposed model.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号