Location Privacy Protection for Location-based Services
Ying Cai
Department of Computer Science, Iowa State University, Ames, Iowa, 50011
http://www.cs.iastate.edu/~yingcai

Location-based Services (LBS)

Dilemma
To use an LBS, a user needs to disclose her location, but a person’s whereabouts may imply sensitive private information
Hospital
Political party
Nightclub
Stalking
…

Location Privacy Protection
Policy-based approaches
Legislation governs the collection and distribution of personal location data
Personal location management lets users determine when and to whom to release location information
These schemes cannot prevent location data from being abused by insiders
[Figure: Users, Network, Internet, LBS Server, Other companies]

Challenge
Simply using a pseudonym is not sufficient because a user’s location itself may reveal her real-world identity, e.g., by correlation with restricted spaces such as home address and office

Location Depersonalization
Basic idea: reducing location resolution
Report a cloaking area, instead of actual location
[Figure: Users, Base Station (Cellular Infrastructure), Anonymity Server, Internet, LBS Server; messages: Location & Request, Cloaked region & Request, Answer]
Research issue: each cloaking area must provide a desired level of depersonalization, and be as small as possible

The state of the art
Ensuring each cloaking area contains a certain number of users
A cloaking area with K users provides K-anonymity protection
[Figure: service users in cloaking areas with K = 4, K = 5 and K = 6]

Problem 1
The anonymity server requires frequent location updates from all users
Practicality
Scalability
Users not engaged in LBSs may not be willing to help protect others’ anonymity

Problem 2
In the case of continuous LBSs, simply ensuring each cloaking area contains at least K users does NOT guarantee K-anonymity protection
New threats
1. Location resolution refinement
2. Trace attack

Problem 3
A cloaking area guarantees service anonymity, but NOT location privacy
An adversary does not know who requests the service, but knows that the requestor was inside the area, and in particular, she was with some other people there
Where you are and whom you are with are closely related to what you are doing …

The root of the problems
All existing techniques cloak a user’s position based on her current neighbors
[Figure: service users in cloaking areas with K = 4, K = 5 and K = 6]

Observation
Public areas are naturally depersonalized
A large number of visits by different people
More footprints, more popular
[Figure: Park, Highway]

Basic Idea
Using footprints for location depersonalization
Each cloaking area contains at least K different footprints
[Figure: neighboring users vs. footprints]
Location privacy protection
An adversary may be able to identify all these users, but will not know who was there at what time

Trajectory database
Source of historical location data
From wireless service carriers, which provide the communication infrastructure
From the users of LBSs, who need to report location for cloaking
Trajectory indexing for efficient retrieval
Partition network domain into cells
Maintain a cell table for each cell
[Figure: database domain, cell table (uid, tlink), trajectories (c1, c2, …, cn)]

Sporadic LBS
A client reports to the server
p: its current location
K: its desired privacy level
Server computes a circular region containing p and K-1 footprints, each from a different user
The region needs to be as small as possible
[Figure: labels Cmin, N, Cknn, Cbound]
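An added example, not taken from the slides or the authors' implementation, of the sporadic-LBS cloaking step: it finds the smallest circle that contains p and footprints of K-1 distinct other users by exhaustive search over circles defined by two or three points. The function names, the (uid, x, y) footprint layout and the sample coordinates are assumptions made for illustration.

```python
import math
from itertools import combinations

EPS = 1e-9  # tolerance for points lying on a circle's boundary

def circle_from(pts):
    """Circle with 2 points as diameter, or through 3 points (None if collinear)."""
    if len(pts) == 2:
        (ax, ay), (bx, by) = pts
        return ((ax + bx) / 2, (ay + by) / 2), math.dist(pts[0], pts[1]) / 2
    (ax, ay), (bx, by), (cx, cy) = pts
    d = 2 * (ax * (by - cy) + bx * (cy - ay) + cx * (ay - by))
    if abs(d) < 1e-12:
        return None
    a2, b2, c2 = ax * ax + ay * ay, bx * bx + by * by, cx * cx + cy * cy
    ux = (a2 * (by - cy) + b2 * (cy - ay) + c2 * (ay - by)) / d
    uy = (a2 * (cx - bx) + b2 * (ax - cx) + c2 * (bx - ax)) / d
    return (ux, uy), math.dist((ux, uy), (ax, ay))

def users_inside(center, r, footprints):
    """Distinct user ids with at least one footprint inside the circle."""
    return {u for u, x, y in footprints if math.dist(center, (x, y)) <= r + EPS}

def cloak(p, k, footprints):
    """Smallest circle holding p and footprints of K-1 distinct other users."""
    if k <= 1:
        return p, 0.0
    nearest = {}  # user id -> distance from p to that user's closest footprint
    for u, x, y in footprints:
        nearest[u] = min(nearest.get(u, math.inf), math.dist(p, (x, y)))
    if len(nearest) < k - 1:
        raise ValueError("database holds fewer than K-1 distinct users")
    best = (p, sorted(nearest.values())[k - 2])  # circle centred on p
    # A smaller circle that still contains p stays within 2*radius of p.
    pts = [p] + [(x, y) for _, x, y in footprints
                 if math.dist(p, (x, y)) <= 2 * best[1]]
    for size in (2, 3):
        for combo in combinations(pts, size):
            c = circle_from(combo)
            if (c and c[1] < best[1] and math.dist(c[0], p) <= c[1] + EPS
                    and len(users_inside(*c, footprints)) >= k - 1):
                best = c
    return best

# Constructed sample: footprints of users other than the requester, as (uid, x, y).
FOOTPRINTS = [("bob", 1, 0), ("bob", 0.5, 0), ("bob", 0.2, 0.1),
              ("carol", 4, 0), ("dave", 0, -5)]
CENTER, RADIUS = cloak((0, 0), 3, FOOTPRINTS)  # K = 3
```

Counting footprints rather than distinct users would stop at radius 0.5 around p here, a circle that holds two footprints but only one other user.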

Continuous LBSs
A client reports
a base trajectory T0 = {c1, c2, …, cn}
the desired anonymity level K
Server computes a new trajectory T = {B1, B2, …, Bn}
[Figure: base trajectory c1, c2, c3, c4]
The server computes a K-anonymity trajectory (KAT) T = {B1, B2, …, Bn}
When the user arrives at ci, server reports Bi for LBS
[Figure: base trajectory c1, c2, c3, c4; additive trajectory; B1, B2, B3, B4]

K-Anonymity Trajectory (KAT)
Problem
How to find the KAT with the best resolution?
[Figure: K = 3; base trajectory c1, c2, c3, c4; additive trajectory; B1, B2, B3, B4]

Challenges
Given a database of N trajectories, there are $C_N^{K-1}$ sets of trajectories with size K-1
Given a fixed set of additive trajectories, different orders of cloaking result in different KATs
Exhaustive search: expensive

A Heuristic Approach
Cloak T0 with one trajectory
Cloak T0 with a set of K-1 trajectories
Select additive trajectory candidates

Cloaking One Additive Trajectory
Cloaking T0 with additive trajectory Ta
T0 = {c1, c2, …, cn}; Ta = {a1, a2, …, am}, where n ≤ m
T = {B1, B2, …, Bn} is the cloaking result
Goal: minimize T’s resolution
[Figure: T = Cloak(T0, Ta); T0 through c1 to c4, Ta through a1 to a8, result B1, B2, B3, B4]

Cloaking with a Set of Additive Trajectories
Different orders of cloaking can have vastly different results
T0+T1+T2 = T0+T2+T1?
[Figure: T0, T1, T2]

Approach 1: Linear(T0, S)
1. Sort the trajectories based on their distances to T0
2. Cloak with T0 in order of their distance
Cloak(T0, Ta) is called s + K – 1 times
Limit of Linear
K = 3. Linear cloaks T0 with T1 and T2, but cloaking with T1 and T3 has a better result.
[Figure: T0, T1, T2, T3; bs,1, bs,3]

Quadratic(T0, S)
Once an additive trajectory is cloaked
Set the cloaking result as T
For the remaining trajectories, compare the distance to T, instead of T0
In the worst case, Cloak(T0, Ta) is called (K-1)(s-K/2+1) times
1. T1 is closest to T0, so T = Cloak(T0, Ta)
2. T3 is closest to T, so T = Cloak(T, Ta)
[Figure: T0, T1, T2, T3; bs,1, bs,3]
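An added example, not code from the slides or the authors, contrasting the Linear and Quadratic orderings on a simplified model. Assumptions: trajectories have equal length, Cloak grows an axis-aligned box around each ci to cover the matching point of Ta, a candidate's distance is the cloaking range obtained after cloaking with it, and cloaking range is the mean half-diagonal of the boxes; all names and coordinates are constructed.

```python
import math

# Simplified, hypothetical model of Cloak(); the slides do not define it in detail.
STATS = {"cloak_calls": 0}

def cloak_with(boxes, ta):
    """Grow each box (xmin, ymin, xmax, ymax) to cover the matching point of ta."""
    STATS["cloak_calls"] += 1
    return [(min(b[0], x), min(b[1], y), max(b[2], x), max(b[3], y))
            for b, (x, y) in zip(boxes, ta)]

def cloak_range(boxes):
    """Mean half-diagonal of the boxes (assumed stand-in for cloaking range)."""
    return sum(math.hypot(b[2] - b[0], b[3] - b[1]) / 2 for b in boxes) / len(boxes)

def as_boxes(t):
    return [(x, y, x, y) for x, y in t]

def linear(t0, cands, k):
    """Rank every candidate once against T0, then cloak the K-1 closest in order."""
    base = as_boxes(t0)
    order = sorted(cands, key=lambda n: cloak_range(cloak_with(base, cands[n])))
    result = base
    for name in order[:k - 1]:
        result = cloak_with(result, cands[name])
    return order[:k - 1], cloak_range(result)

def quadratic(t0, cands, k):
    """Re-rank the remaining candidates against the current result T each round."""
    result, left, picked = as_boxes(t0), dict(cands), []
    for _ in range(k - 1):
        trials = {n: cloak_with(result, t) for n, t in left.items()}
        name = min(trials, key=lambda n: cloak_range(trials[n]))
        result = trials.pop(name)
        picked.append(name)
        del left[name]
    return picked, cloak_range(result)

# Constructed sample: T0 runs along y = 0; candidates are parallel offsets of it.
T0 = [(0, 0), (10, 0)]
CANDS = {"T1": [(0, 2), (10, 2)], "T2": [(0, -3), (10, -3)],
         "T3": [(0, 4), (10, 4)], "T4": [(0, -9), (10, -9)]}
```

With s = 4 candidates and K = 3, Linear picks T1 and T2 (range 2.5) while Quadratic picks T1 and T3 (range 2.0), and the call counter gives 6 and 7, matching s + K – 1 and (K-1)(s-K/2+1).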

Select Additive Trajectory Candidates
Only those trajectories close to the base trajectory should be considered
Searching algorithm
[Figure: T0; bs,1, bs,3]

Performance Study
Simulate mobile nodes' movement on the real road map.
Extract four types of roads
Speed changes at intersections.
Generate a footprint database containing a certain number of trajectories with randomly assigned user IDs.

Experiments
Performance metric
Cloaking range: the average radius of the cloaking circles
Single location cloaking: neighboring nodes vs. footprints
Trajectory cloaking: Linear, Quadratic, and BaseLine
Baseline: cloaking using neighboring mobile users

Trajectory Cloaking
Generate a set of LBS requests, each containing
A User ID
The start and destination
Randomly selected in the map
The fastest path as the user’s expected route
Select a location sample every 100 meters along the route
Required degree of privacy protection

Effect of Anonymity Level
(a) shows cloaking range of different algorithms
Cloaking range increases as K increases
(b) shows the cloaking range on different roads
Popular roads have a large number of footprints
Unpopular roads are sensitive to the change of K

Concluding Remarks
We explore historical location data for location depersonalization
Each reported location/trajectory has been visited by at least K different people
We develop a suite of novel location cloaking algorithms for
Sporadic LBSs
Continuous LBSs
To date, this is the only solution that can support location privacy protection

Thanks and Some Key References
1. M. Gruteser and D. Grunwald. “Anonymous Usage of Location-based Services through Spatial and Temporal Cloaking”. ACM MobiSys'03.
2. B. Gedik and L. Liu. “A Customizable k-Anonymity Model for Protecting Location Privacy”. IEEE ICDCS'05.
3. M. F. Mokbel, C. Y. Chow, and W. G. Aref. “The New Casper: Query Processing for Location Services without Compromising Privacy”. VLDB'06.
4. T. Xu and Y. Cai. “Exploring Historical Location Data for Anonymity Preservation in Location-based Services”. IEEE Infocom'08.

Future Work
Additive trajectories selection
Similar moving speeds
Similar time spans
On-the-fly cloaking
Users do not have to submit a base trajectory before a travel
7am - 5pm