匿名化隐私保护技术研究综述

随着互联网技术的迅猛发展,隐私保护已成为个人或机构关心的基本问题,各种数据挖掘工具的出现使得隐私泄露问题日益突出.通常移除标识符的方式发布数据是无法阻止隐私泄露的,攻击者仍然可以通过链接操作以很高的概率来获取用户的隐私数据.匿名化是目前数据发布环境下实现隐私保护的主要技术之一.论文简要介绍了匿名化技术的相关概念和基本原理,主要从匿名化原则、匿名化方法和匿名化度量等方面对匿名化技术研究现状进行了深入分析和总结,最后指出匿名化技术的研究难点以及未来的研究方向.     

数据发布中的匿名化技术研究综述

匿名化技术被公认为是解决隐私信息泄漏问题的一个好方法。当前匿名化技术的研究工作大致可以分为匿名策略的研究和匿名实现技术研究两类。分别介绍了这两类研究近年来的主要成果，并对其进行了比较，对其中尚未解决的问题进行了客观的分析。     

匿名通信技术的研究现状和发展趋势

阐述了匿名技术的应用需求，介绍了匿名性的定义，较为全面的论述了匿名通信技术的研究现状，在此基础上对现有匿名通信系统进行分析和归类．指出目前的匿名技术存在的问题。并提出了匿名通信技术进一步的研究趋势。     

匿名技术分析及其抗攻击性比较

对现有的匿名技术进行综述研究,对多种匿名技术进行分类介绍,分析目前匿名技术存在的问题,然后定义几种攻击模型,对现有的多种匿名系统在抵抗攻击性方面进行研究比较,为匿名技术的研究和设计新的匿名系统提供依据。     

视觉身份隐私保护：人脸匿名化研究方法

随着深度学习的广泛应用，身份伪造技术的发展越来越迅猛.各种伪造的图像和视频在社交媒体平台上的传播直接影响了公共隐私安全，人脸身份隐私保护已成为当前研究热点.本文从基于图像和视频两个方面的匿名化方法阐述和归纳了人脸隐私保护研究现状，并将人脸图像匿名化方法从图像语义修改、图像语义保持、视觉可恢复以及深度学习过程中的人脸隐私保护四个方面进行分类，将人脸视频匿名化方法从聚焦面部区域隐私的视频匿名化方法和面向生物特征隐私的视频匿名化方法两个方面进行分类.在此基础上，本文进一步介绍目前广泛使用的数据集及匿名算法评价标准，分析现有人脸匿名技术生成人脸图像的可靠性和实用性，并对此领域的未来研究进行了展望.     

移动自组网匿名通信研究

本文概述了移动自组网络中匿名通信技术的研究意义和发展现状,讨论和分析了不同匿名方法的优缺点,并就将来此领域的发展趋势作了探讨。本文概述了移动自组网络中匿名通信技术的研究意义和发展现状,讨论和分析了不同匿名方法的优缺点,并就将来此领域的发展趋势作了探讨。     

隐私保护中K-匿名模型的综述

K-匿名是近年来隐私保护研究的热点,介绍了K-匿名、K-最小匿名化的基本概念,阐述了泛化与隐匿技术,总结了K-匿名的评估标准,并分析了现有的K-匿名算法。最后对该领域的发展方向作了展望。     

基于需求的图书流通信息匿名发布研究

全国高校图书馆信息共建共享工作进一步拉动了业务信息安全发布的需求。本文针对图书馆图书流通信息安全发布问题,提出了一个基于信息分析需求的数据匿名发布模型。接着进一步分析了流通信息的数据表结构,介绍了数据匿名化方法和一个概化实例,最后提出了一个适合大数据量的数据匿名化改进算法。     

基于聚类的快速数据流匿名方法

为了防止敏感信息的泄漏,保护用户隐私,常采用概化和抑制等技术在共享数据前对其准标识符进行匿名化。与静态数据集不同,数据流具有潜在无限、高度动态等特性,使得数据流匿名需要解决更加复杂的问题,不能直接应用静态数据集的匿名方法。在分析现有数据流匿名方法的基础上,提出一种采用聚类思想进行数据流匿名的方法,通过单遍扫描数据识别和重用满足匿名条件的簇,以实现数据流的快速匿名。真实数据集上的实验结果表明,该方法在满足匿名要求的同时能够降低概化和抑制处理带来的信息损失,并且具有较低的时间和空间复杂度。     

社交网络高效高精度去匿名化算法

自从社交网络成为重要的研究课题,社交网络隐私保护也成为了重要的研究内容,尤其是关于公开发布以供研究的大规模社交网络图数据的隐私保护。为了评估用户的隐私风险,研究者们设计了不同的方法来对图进行去匿名化,在不同的图网络中识别个体的身份。然而,当前的去匿名化算法或者需要高质量的种子匹配,或者在精确度和效率上颇有不足。本文提出了一种高效高精度的无种子去匿名化算法"RoleMatch",基于社交网络的拓扑结构识别个体身份。该算法包括（1）一种新型的可以快速计算的两图结点间相似度度量方法"RoleSim++",和（2）一种有效的结点匹配算法,此法同时考虑了结点间的相似度和中间匹配结果的反馈。在实验部分,利用LiveJournal的数据,拿RoleMatch对比了多种流行的匿名化算法,并根据实际应用情景,在传统实验的基础上增加了局部去匿名化的实验,实验结果验证了本文提出的去匿名化算法的优秀性能。     

A survey of graph-modification techniques for privacy-preserving on networks

Recently, a huge amount of social networks have been made publicly available. In parallel, several definitions and methods have been proposed to protect users’ privacy when publicly releasing these data. Some of them were picked out from relational dataset anonymization techniques, which are riper than network anonymization techniques. In this paper we summarize privacy-preserving techniques, focusing on graph-modification methods which alter graph’s structure and release the entire anonymous network. These methods allow researchers and third-parties to apply all graph-mining processes on anonymous data, from local to global knowledge extraction.     

Permutation anonymization

In data publishing, anonymization techniques have been designed to provide privacy protection. Anatomy is an important techniques for privacy preserving in data publication and attracts considerable attention in the literature. However, anatomy is fragile under background knowledge attack and the presence attack. In addition, anatomy can only be applied into limited applications. To overcome these drawbacks, we propose an improved version of anatomy: permutation anonymization, a new anonymization technique that is more effective than anatomy in privacy protection, and in the meanwhile is able to retain significantly more information in the microdata. We present the detail of the technique and build the underlying theory of the technique. Extensive experiments on real data are conducted, showing that our technique allows highly effective data analysis, while offering strong privacy guarantees.     

Using Visualization to Explore Original and Anonymized LBSN Data

We present GSUVis, a visualization tool designed to provide better understanding of location‐based social network (LBSN) data. LBSN data is one of the most important sources of information for transportation, marketing, health, and public safety. LBSN data consumers are interested in accessing and analysing data that is as complete and as accurate as possible. However, LBSN data contains sensitive information about individuals. Consequently, data anonymization is of critical importance if this data is to be made available to consumers. However, anonymization commonly reduces the utility of information available. Working with privacy experts, we designed GSUVis a visual analytic tool to help experts better understand the effects of anonymization techniques on LBSN data utility. One of GSUVis's primary goals is to make it possible for people to use LBSN data, without requiring them to gain deep knowledge about data anonymization. To inform the design of GSUVis, we interviewed privacy experts, and collected their tasks and system requirements. Based on this understanding, we designed and implemented GSUVis. It applies two anonymization algorithms for social and location trajectory data to a real‐world LBSN dataset and visualizes the data both before and after anonymization. Through feedback from domain experts, we reflect on the effectiveness of GSUVis and the impact of anonymization using visualization.     

数据发布中的个性化隐私匿名技术研究

个性化隐私保护是目前数据发布中隐私泄露控制技术研究的热点问题之一。对这方面的研究现状进行综述。首先,在分析不同类型个性化服务需求的基础上,建立相应的个性化隐私匿名模型;其次,根据采用技术的不同,对已有的个性化隐私保护匿名技术进行总结,并对各类技术的基本原理、特性进行概括性的阐述。同时,根据算法所采用信息度量的差异,给出现有个性化隐私度量的方法与标准。最后,在对比分析已有研究的基础上,总结全文并展望了个性化隐私保护匿名技术的进一步研究方向。     

Flexible data anonymization using ARX—Current status and challenges ahead

The race for innovation has turned into a race for data. Rapid developments of new technologies, especially in the field of artificial intelligence, are accompanied by new ways of accessing, integrating, and analyzing sensitive personal data. Examples include financial transactions, social network activities, location traces, and medical records. As a consequence, adequate and careful privacy management has become a significant challenge. New data protection regulations, for example in the EU and China, are direct responses to these developments. Data anonymization is an important building block of data protection concepts, as it allows to reduce privacy risks by altering data. The development of anonymization tools involves significant challenges, however. For instance, the effectiveness of different anonymization techniques depends on context, and thus tools need to support a large set of methods to ensure that the usefulness of data is not overly affected by risk-reducing transformations. In spite of these requirements, existing solutions typically only support a small set of methods. In this work, we describe how we have extended an open source data anonymization tool to support almost arbitrary combinations of a wide range of techniques in a scalable manner. We then review the spectrum of methods supported and discuss their compatibility within the novel framework. The results of an extensive experimental comparison show that our approach outperforms related solutions in terms of scalability and output data quality—while supporting a much broader range of techniques. Finally, we discuss practical experiences with ARX and present remaining issues and challenges ahead.     

一种保持结点可达性的高效社会网络图匿名算法

为了保护社会网络隐私信息,提出了多种社会网络图匿名化技术.图匿名化目的在于通过图修改操作来防止隐私泄露,同时保证匿名图在社会网络分析和图查询方面的数据可用性.可达性查询是一种基本图查询操作,可达性查询精度是衡量图数据可用性的一项重要指标.然而,当前研究忽略了图匿名对结点可达性的影响,导致较大的可达性信息损失.为了保持匿名图中结点的可达性,提出了可达性保持图匿名化（reachability preserving anonymization,简称RPA）算法,其基本思想是将结点进行分组并采取贪心策略进行匿名,从而减少匿名过程中的可达性信息损失.为了保证RPA算法的实用性,针对其执行效率进行优化,首先提出采用可达区间来高效地评估边添加操作所导致的匿名损失;其次,通过采用候选邻居索引,进一步加速RPA算法对每个结点的匿名过程.基于真实社会网络数据的实验结果表明了RPA算法的高执行效率,同时验证了生成匿名图在可达性查询方面的高精度.     

Optimization algorithm for <Emphasis Type="Italic">k</Emphasis>-anonymization of datasets with low information loss

Anonymization is the modification of data to mask the correspondence between a person and sensitive information in the data. Several anonymization models such as k-anonymity have been intensively studied. Recently, a new model with less information loss than existing models was proposed; this is a type of non-homogeneous generalization. In this paper, we present an alternative anonymization algorithm that further reduces the information loss using optimization techniques. We also prove that a modified dataset is checked whether it satisfies the k-anonymity by a polynomial-time algorithm. Computational experiments were conducted and demonstrated the efficiency of our algorithm even on large datasets.     

Privacy Preserving Visualization: A Study on Event Sequence Data

The inconceivable ability and common practice to collect personal data as well as the power of data‐driven approaches to businesses, services and security nowadays also introduce significant privacy issues. There have been extensive studies on addressing privacy preserving problems in the data mining community but relatively few have provided supervised control over the anonymization process. Preserving both the value and privacy of the data is largely a non‐trivial task. We present the design and evaluation of a visual interface that assists users in employing commonly used data anonymization techniques for making privacy preserving visualizations. Specifically, we focus on event sequence data due to its vulnerability to privacy concerns. Our interface is designed for data owners to examine potential privacy issues, obfuscate information as suggested by the algorithm and fine‐tune the results per their discretion. Multiple use case scenarios demonstrate the utility of our design. A user study similarly investigates the effectiveness of the privacy preserving strategies. Our results show that using a visual‐based interface is effective for identifying potential privacy issues, for revealing underlying anonymization processes, and for allowing users to balance between data utility and privacy.     

Measuring Privacy and Utility in Privacy‐Preserving Visualization

In previous work, we proposed a technique for preserving the privacy of quasi‐identifiers in sensitive data when visualized using parallel coordinates. This paper builds on that work by introducing a number of metrics that can be used to assess both the level of privacy and the amount of utility that can be gained from the resulting visualizations. We also generalize our approach beyond parallel coordinates to scatter plots and other visualization techniques. Privacy preservation generally entails a trade‐off between privacy and utility: the more the data are protected, the less useful the visualization. Using a visually‐oriented approach, we can provide a higher amount of utility than directly applying data anonymization techniques used in data mining. To demonstrate this, we use the visual uncertainty framework for systematically defining metrics based on cluster artifacts and information theoretic principles. In a case study, we demonstrate the effectiveness of our technique as compared to standard data‐based clustering in the context of privacy‐preserving visualization.     

A context sensitive approach to anonymizing public participation GIS data: From development to the assessment of anonymization effects on data quality

Use of Public Participation Geographic Information System (PPGIS) for data collection has been significantly growing over the past few years in different areas of research and practice. With the growing amount of data, there is little doubt that a potentially wider community can benefit from open access to them. Additionally, open data add to the transparency of research and can be considered as an essential feature of science. However, data anonymization is a complex task and the unique characteristics of PPGIS add to this complexity. PPGIS data often include personal spatial and non-spatial information, which essentially require different approaches for anonymization. In this study, we first identify different privacy concerns and then develop a PPGIS data anonymization strategy to overcome them for an open PPGIS data. Specifically, this article introduces a context-sensitive spatial anonymization method to protect individual home locations while maintaining their spatial resolution for mapping purposes. Furthermore, this study empirically evaluates the effects of data anonymization on PPGIS data quality. The results indicate that a satisfactory level of anonymization can be reached using this approach. Moreover, the assessment results indicate that the environmental and home range measurements as well as their intercorrelations are not significantly biased by the anonymization. However, necessary analytical measures such as use of larger spatial units is recommendable when anonymized data is used. In this study, European data protection regulations were used as the legal guidelines. However, adaptation of methods employed in this study may be also relevant to other countries where comparable regulations exist. Although specifically targeted at PPGIS data, what is discussed in this paper can be applicable to other similar spatial datasets as well.