purdue university purdue e-pubs multirelational k-anonymity
TRANSCRIPT
Purdue University Purdue University
Purdue e-Pubs Purdue e-Pubs
Department of Computer Science Technical Reports Department of Computer Science
2008
MultiRelational k-Anonymity MultiRelational k-Anonymity
N. Ercan Nergiz
Chris Clifton Purdue University, [email protected]
A. Erhan Nergiz
Report Number: 08-002
Nergiz, N. Ercan; Clifton, Chris; and Nergiz, A. Erhan, "MultiRelational k-Anonymity" (2008). Department of Computer Science Technical Reports. Paper 1692. https://docs.lib.purdue.edu/cstech/1692
This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact [email protected] for additional information.
MULTIRELATIONAL K-ANONYMITY
M. Ercan Nergu Chris Clifton
A. Erhan Nergu
CSD TR #08-002 January 2008
MULTIRELATIONAL K·ANONYMITY
M. Ercan NergizChris Clifton
A. Erhan Nergiz
CSD TR #08-002January 2008
M. Ercan Nerg iz , Student Membel; IEEE, Chris Cli f ton, Senior Membel; IEEE, and
A. Erhan Nergiz
Abstract
k-Anonymity protects privacy by ensuring that data can- not be linked to a single individual. In a k-anonymous dataset, any ident~fying information occurs in at least k tuples. Much research has been done to modify a single table dataset to satisfy anonymity constraints. This paper extends the dejinitions of k-anonymity to multiple relations and shows that previously proposed methodologies either fail to protect privacy, or overly reduce the utility of the data, in a multiple relation setting. We also propose m o new clustering algorithms to achieve multirelational anonymity. Experiments show the effectiveness of the approach in terms of utility and efficiency.
Index Terms-Privacy, Relational database, Security, in- tegrity, and protection
Note to reviewers: A preliminary version of this pa- per appeared as a Jive page poster paper at ICDE 2007: http://dx.doi.org/l0.1109/lCDE.2007.369025 This submission includes additional discussion of the problems of single-table anonymization approaches, proofs of correctness, complexity discussion, a more efficient approximation evaluation, and empirical evaluation that did not appear in the ICDE poster paper:
I. Introduction
The tension between the value of using personal data for research, and concern over individual privacy, is ever- increasing. Simply removing uniquely identifying informa- tion (SSN, name) from data is not sufficient to prevent identification because partially identifying information (quasi- identifiers; age, sex, city . . .) can still be mapped to individ- uals using publicly available knowledge [19]. Table I shows one such example where an attacker, by using a public dataset, can map the names of the students to the sensitive GPA information, even though the released private table does not
This material is based upon work supported by the National Science Foundation under Grant No. 0428168.
disclose the names of the students. (E.g., a student with age "18", sex "M" and city "Lafayette" has GPA "2.34". Luke is the only person with these attributes in the public dataset.)
k-Anonymity[l6] is one technique to protect against the linkage and identification of records. In a k-anonymous table, each distinct tuple in the projection over quasi-identifier attributes occurs at least k times. Private tables are k- anonymized by the use of generalizations and suppressions, with the result having two key properties:
In the anonymous dataset, an individual can only be linked to a group of at least k private entities.
Every tuple of the anonymous dataset correctly repre- sents a unique tuple in the private dataset (There is no false or noisy information.)
Table I shows a 2-anonymization of the above mentioned private table. Given the 2-anonymized table, an attacker can at best link Luke into GPAs "3.72" and "2.34".
k-Anonymity does not enforce diversity on the sensitive information of equivalence classes (set of tuples with the same identifying attributes in k-anonymous dataset). This has lead to extended privacy definitions [6], [13]. However if all sensitive attributes in the private table are unique, k- anonymity ensures that linkage will only be possible to groups of k-distinct sensitive values.
To achieve k-anonymity in single-table datasets, numer- ous generalization (replacing data values with more general values) and suppression algorithms have been proposed [I 71, [7], [a], [lo], [4], [ l l ] , [3], [5], [15]. These algorithms assume each private entity is stored as one row in a single attribute-value table. When information about a private entity is contained in multiple tables, and not easily represented in a single table, the existing definitions and algorithms are insufficient. In Section 11, this paper extends the k-anonymity definitions to a multi-Relational setting; Section 111 discusses why multiR anonymity (multirelational k-anonymity) is a new problem that is not solved by previous k-anonymity algorithms.
Single dimensional k-anonymity algorithms were designed to specify generalization mappings (or complete suppression
MultiRelational k-Anonymity
M. Ercan Nergiz, Student Member, IEEE,Chris Clifton, Senior Member, IEEE, and
A. Erhan Nergiz
Abstract
k-Anonymity protects privacy by ensuring that data cannot be linked to a single individual. In a k-anonymousdataset, any identifying information occurs in at least ktuples. Much research has been done to modify a singletable dataset to satisfy anonymity constraints. This paperextends the definitions of k-anonymity to multiple relationsand shows that previously proposed methodologies either failto protect privacy, or overly reduce the utility of the data, in amultiple relation setting. We also propose two new clusteringalgorithms to achieve multirelational anonymity. Experimentsshow the effectiveness of the approach in terms of utility andefficiency.
Index Terms-Privacy, Relational database, Security, integrity, and protection
Note to reviewers: A preliminary version of this paper appeared as a five page poster paper at ICDE 2007:http://dx.doi.org/10.1109/ICDE.2007.369025 This submissionincludes additional discussion of the problems of single-tableanonymization approaches, proofs of correctness, complexitydiscussion, a more efficient approximation evaluation, andempirical evaluation that did not appear in the ICDE posterpaper.
I. Introduction
The tension between the value of using personal datafor research, and concern over individual privacy, is everincreasing. Simply removing uniquely identifying information (SSN, name) from data is not sufficient to preventidentification because partially identifying information (quasiidentifiers; age, sex, city ... ) can still be mapped to individuals using publicly available knowledge [19]. Table I showsone such example where an attacker, by using a public dataset,can map the names of the students to the sensitive GPAinformation, even though the released private table does not
This material is based upon work supported by the National ScienceFoundation under Grant No. 0428168.
disclose the names of the students. (E.g., a student with age"18", sex "M" and city "Lafayette" has GPA "2.34". Luke isthe only person with these attributes in the public dataset.)
k-Anonymity[ 16] is one technique to protect against thelinkage and identification of records. In a k-anonymous table,each distinct tuple in the projection over quasi-identifierattributes occurs at least k times. Private tables are kanonymized by the use of generalizations and suppressions,with the result having two key properties:
• In the anonymous dataset, an individual can only belinked to a group of at least k private entities.
• Every tuple of the anonymous dataset correctly represents a unique tuple in the private dataset (There is nofalse or noisy information.)
Table I shows a 2-anonymization of the above mentionedprivate table. Given the 2-anonymized table, an attacker canat best link Luke into GPAs "3.72" and "2.34".
k-Anonymity does not enforce diversity on the sensitiveinformation of equivalence classes (set of tuples with thesame identifying attributes in k-anonymous dataset). Thishas lead to extended privacy definitions [6], [13]. Howeverif all sensitive attributes in the private table are unique, kanonymity ensures that linkage will only be possible to groupsof k-distinct sensitive values.
To achieve k-anonymity in single-table datasets, numerous generalization (replacing data values with more generalvalues) and suppression algorithms have been proposed [17],[7], [8], [10], [4], [11], [3], [5], [15]. These algorithmsassume each private entity is stored as one row in a singleattribute-value table. When information about a private entityis contained in multiple tables, and not easily representedin a single table, the existing definitions and algorithms areinsufficient. In Section II, this paper extends the k-anonymitydefinitions to a multi-Relational setting; Section III discusseswhy multiR anonymity (multirelational k-anonymity) is anew problem that is not solved by previous k-anonymityalgorithms.
Single dimensional k-anonymity algorithms were designedto specify generalization mappings (or complete suppression
of values) for data values in the dataset to optimize against a certain metric. Some of such algorithms used pruning methods to reduce the size of the search space for optimal k-anonymity [lo], [4]. However in a multiR anonymity setting, the search space is much bigger and simple modifications won't be as efficient unless the original optimality is sacrificed by using other assumptions. In [15], [ l l] , [5 ] , it was shown that although not optimal, a multidimensional approach to k-anonymity can offer more flexibility in anonymizations. Among this family of algorithms, the clustering based ap- proach is more suitable to the multiR setting due to the ease in explicit identification of the entity being protected (anonymized) in the dataset. In Section IV, protected entities and associated relations will be abstracted by trees and a mod- ification of a previously proposed clustering algorithm will be presented to provide multiR anonymity on snowflake schemas. Section V will present experimental results evaluating the new approach in terms of precision and execution time.
11. MultiR Anonymity
We now define notations and k-anonymity for the multiR setting. Given a table T, T[c][r] refers to the value of column c, row r of T . T[c] is the projection of column c
Definition I (Person specific table): A table P T is said to be person specific w.r.t. some population U if and only if it contains a primary key attribute (or set of attributes) vzp such that each value of vip uniquely corresponds to an individual in U.
Definition 2 (MultiR schema): A set of tables S U and a set of functional dependencies SF corresponds to a multiR schema if S U is a dependency preserving, lossless join decomposition w.r.t. SF and there exists one person specific table P T E S U where each row corresponds to an individual in population U. We say a database with such a schema has the transcript MR(SF, U, P T , ST , vip), where vzp is the unique identifier in P T and S T = SU - {PT).
Table I1 shows an example for a multiR database with transcript MR(SF , U, T,, {TI, Tz), Sid) where SF={Sid -, GPA, SCid + {Sid, Course, Grade) ) and U is the set of students. The schema is in BCNF and dependency preserving.
The following quasi-identifier definition is a reformulation of the definition in [18].
Definition 3 (Quasi-identifier): Let MR(SF, U, P T , {TI, . . . , T,), vzp) be a multiR database, and J T = P T w Tl w . . . w T,. Let fc : U -, J T and fg : J T --t U', where U U'. A quasi-identifier of MR, written QMR, is a subset of attributes of J T where 3pi E U such that fg(fc(pi)[QMR]) = pi, and an adversary knows the values of QMR for pi.
Informally a quasi-identifier for a schema is the set of attributes in JT that can be used to externally link or identify a given tuple in P T . In Table 11, Course and Book attributes can be considered quasi-identifiers since colleagues of a student may know this information about their friend. The attributes
2
TABLE IV. Notations for a given database M R i table
vipZ private entity attribute in M R Z the person specific table of M R Z
z L (vipZ is the primary key) the set of all tables in M R 2
excluding PTi SUz the set of all tables in M R Z JTZ join of all tables in M R Z
Q M R i set of quasi identifier attributes Snn Ri set of sensitive attributes
GPA, Grade, Price are the sensitive attributes of the private entity Sid. An attacker knows the quasi-identifiers about an entity and tries to discover other (sensitive) information in the data. E.g., in Table 11, we assume the attacker knows that some individual George in U takes the courses 'History' and 'Religion' and uses the text book 'American History' for the 'History' course. The attacker wants to discover George's (sensitive) GPA or his grade in the 'History' course. If the data is released as it is, even though George's name is hidden, the attacker can easily link George to student S4 and GPA '4.00' or SCid SClO and grade '98'. We also have other join keys in Table I1 like the vip attribute Sid or SCid that are not part of the quasi-identifier set.
For the rest of the paper, we will use the notation given in Table IV. From now on, if not mentioned otherwise, we will use superscripts to name different multiR databases (e.g., MR1, MR2, . . . ). Superscript for other notations will show membership to the associated multiR database (e.g., vipl is vip of MR1.). We will use superscript * for multiR anonymizations. Subscripts will distinguish different elements of the same multiR database (e.g., T:, T: E ST^ of M R ~ ) .
Definition 4 (Structurally Equivalent): Two databases M R ~ and MR2 have structurally equivalent schemas if and only if vipl = vip2, PT' has the same set of attributes as PT', and there exist bijective mapping between the set of tables ST^ and ST^ such that tables mapped have the same set of attributes. Structurally equivalent schemas have the same functional dependencies, population, QI, sensitive and non-QI joining attribute sets.
The MultiR databases given in Tables I1 and 111 are an example of structural equivalence.
Definition 5 (k-anonymity for multiR databases): Let M R and M R * be two multiR databases with the same set of QI QMR and set of sensitive attributes SMR We say MR* is a k-anonymization of M R if and only if Vv(JT*), (views on JT*) the following properties hold:
I) anonymized: any query of the type II,tt(v(JT*)) where att E SMR returns either zero tuples or at least k (not necessarily distinct)' tuples,
'k-anonymity allows sensitive attribute values to be the same over the set of tuples with the same QI attributes. Other approaches like &diversity and t-closeness enforce constraints over the distribution of such groups of sensitive values.
2
private entity attribute in M R i
the person specific table of M R'(vipi is the primary key)
TABLE IV. Notations for a given database M R i
table
the set of all tables in M R'excluding PTi
join of all tables in M R'
set of sensitive attributes
the set of all tables in M R'
set of quasi identifier attributesJT'BU'
GPA, Grade, Price are the sensitive attributes of the privateentity Sid. An attacker knows the quasi-identifiers about anentity and tries to discover other (sensitive) information inthe data. E.g., in Table II, we assume the attacker knowsthat some individual George in V takes the courses 'History'and 'Religion' and uses the text book 'American History' forthe 'History' course. The attacker wants to discover George's(sensitive) GPA or his grade in the 'History' course. If the datais released as it is, even though George's name is hidden, theattacker can easily link George to student S4 and GPA '4.00'or SCid SClO and grade '98'. We also have other join keysin Table II like the vip attribute Sid or SCid that are not partof the quasi-identifier set.
For the rest of the paper, we will use the notation givenin Table IV. From now on, if not mentioned otherwise,we will use superscripts to name different multiR databases(e.g., M R I , M R 2 , ... ). Superscript for other notations willshow membership to the associated multiR database (e.g.,vip l is vip of M R I.). We will use superscript * for multiRanonymizations. Subscripts will distinguish different elementsof the same multiR database (e.g., TI, Ti E STI of MRI).
Definition 4 (Structurally Equivalent): Two databasesM R I and M R2 have structurally equivalent schemas if andonly if vipl = vip2
, PTI has the same set of attributes asPT2
, and there exist bijective mapping between the set oftables ST I and ST2 such that tables mapped have the sameset of attributes. Structurally equivalent schemas have thesame functional dependencies, population, QI, sensitive andnon-QI joining attribute sets.
The MultiR databases given in Tables II and III are anexample of structural equivalence.
Definition 5 (k-anonymity for multiR databases): LetM Rand M R* be two multiR databases with the same set ofQI QMR and set of sensitive attributes SMR. We say MR*is a k-anonymization of MR if and only if Vv(JT*), (viewson JT*) the following properties hold:
1) anonymized: any query of the type IIatt(v(JT*)) whereaU E SM R returns either zero tuples or at least k (notnecessarily distinct)t tuples,
1k-anonymity allows sensitive attribute values to be the same over theset of tuples with the same QI attributes. Other approaches like i-diversityand t-closeness enforce constraints over the distribution of such groupsof sensitive values.
of values) for data values in the dataset to optimize against acertain metric. Some of such algorithms used pruning methodsto reduce the size of the search space for optimal k-anonymity[10], [4]. However in a multiR anonymity setting, the searchspace is much bigger and simple modifications won't beas efficient unless the original optimality is sacrificed byusing other assumptions. In [15], [11], [5], it was shownthat although not optimal, a multidimensional approach tok-anonymity can offer more flexibility in anonymizations.Among this family of algorithms, the clustering based approach is more suitable to the multiR setting due to theease in explicit identification of the entity being protected(anonymized) in the dataset. In Section IV, protected entitiesand associated relations will be abstracted by trees and a modification of a previously proposed clustering algorithm will bepresented to provide multiR anonymity on snowflake schemas.Section V will present experimental results evaluating the newapproach in terms of precision and execution time.
II. MuitiR Anonymity
We now define notations and k-anonymity for the multiRsetting. Given a table T, T[c][r] refers to the value of columnc, row r of T. T[c] is the projection of column c
Definition 1 (Person specific table): A table PT is said tobe person specific w.r.t. some population V if and only if itcontains a primary key attribute (or set of attributes) vip suchthat each value of vip uniquely corresponds to an individualin V.
Definition 2 (MultiR schema): A set of tables SV and aset of functional dependencies SF corresponds to a multiRschema if SV is a dependency preserving, lossless joindecomposition w.r.t. SF and there exists one person specifictable PT E SV where each row corresponds to an individualin population V. We say a database with such a schemahas the transcript M R(SF, V, PT, ST, vip), where vip is theunique identifier in PT and ST = SV - {PT}.
Table II shows an example for a multiR database withtranscript M R(SF, V, Tp , {TI, T2}, Sid) where SF={Sid ->
GPA, SCid -> {Sid, Course, Grade} } and V is the set ofstudents. The schema is in BCNF and dependency preserving.
The following quasi-identifier definition is a reformulationof the definition in [18].
Definition 3 (Quasi-identifier): LetM R(SF, V, PT, {Tl,'" , Tn}, vip) be a multiR database,and JT = PT M TI M ... M Tn. Let fe : V -> JT andfg : JT -> V', where V ~ V'. A quasi-identifier of M R,written QM R, is a subset of attributes of JT where 3Pi E Vsuch that fg(fe(Pi)[QMR]) = Pi, and an adversary knowsthe values of QMR for Pi.
Informally a quasi-identifier for a schema is the set ofattributes in JT that can be used to externally link or identify agiven tuple in PT. In Table II, Course and Book attributes canbe considered quasi-identifiers since colleagues of a studentmay know this information about their friend. The attributes
3
TABLE I. An example public table (university registration database), private table (university alumni database) and an anonymization of the private table where k = 2
table
Public Dataset
Luke Lafayette Padme Lafayette
Private Dataset
Lafayette 2.34 27 Lafayette 3.12 25 M W. Lafayette 4.00
Anonymized Dataset
10-20 Indiana 20-30 G. Lafayette 3.12 20-30 * G . Lafayette 4.00
TABLE II. T,:Student has GPA; Tl:Student takes courses; T2:Books bought by student for course table
1 Sid 1 GPA 1 lSCidlSidl CourselGradei SCid l Book I Price / S1 1 3.72 1 I SCI I S1 I Math 1 93 1 w
TP Tl 7'2
TABLE Ill. One anonymization of Table II where k = 2 table
2) anonymized w.r.t. individuals: any query of the type nvip(v(JT*)) returns either zero tuples or at least k distinct tuples, and
3) correct: tuples in JT and JT* can be ordered such that for all possible j, JT* [att:l(j] is equal to or some gener- alization of JT[att]b] if att E QMn and JT*[att]b] is equal to JT[att] [j] if att E SMn
The part 'k not necessarily distinct tuples' in requirement 1 can be changed to 'k distinct tuples' if we assume all sensitive information in the M R is unique. M R and the k-anonymous MR* need not be structurally equivalent, however, we will
see that equivalence eases the anonymization process and can improve utility of the dataset.
The example in Table I1 is clearly not k-anonymous even for k = 2, as Insid (~~ourse='Histor~f~~ook='~m.Hist'(JT))I = I{S4}I = 1. Table 111 shows a 2-anonymization of Table I1 using generalizations from the domain generalization hierarchies given in Figure 1; the same query on Table 111 returns no tuples.
Theorem I: Let M R be a k-anonymous multiR database where ST = {TI, . . . , T,} and k 2 2. Then for every vip value v p , there exist some e 2 k-1 distinct vip values vpl, . . .
TABLE I. An example public table (university registration database), private table (university alumnidatabase) and an anonymization of the private table where k = 2
table
Public DatasetName Age Sex CityChris 19 M IndianapolisLuke 18 M Lafayette
Padme 27 F LafayetteGeorge 25 M W. Lafayette
Private DatasetAge Sex City GPA19 M Indianapolis 3.7218 M Lafayette 2.3427 F Lafayette 3.1225 M W. Lafayette 4.00
Anonymized DatasetAge Sex City GPA
10-20 M Indiana 3.7210-20 M Indiana 2.3420-30 * G. Lafayette 3.1220-30 * G. Lafayette 4.00
TABLE II. Tp:Student has GPA; T1:Student takes courses; T2:Books bought by student for coursetable
~ n nTABLE III. One anonymization of Table II where k = 2
table
T:p T{ T';
2) anonymized W.r.t. individuals: any query of the typeIIvip(v(JT*» returns either zero tuples or at least kdistinct tuples, and
3) correct: tuples in JT and JT* can be ordered such thatfor all possible j, JT* [attlij] is equal to or some generalization of JT[att][j] if att E QMR and JT*[att][j] isequal to JT[att][j] if att E SMR
The part' k not necessarily distinct tuples' in requirement Ican be changed to 'k distinct tuples' if we assume all sensitiveinformation in the M R is unique. M R and the k-anonymousMR* need not be structurally equivalent, however, we will
see that equivalence eases the anonymization process and canimprove utility of the dataset.
The example in Table II is clearly notk-anonymous even for k 2, as IIISid
(acourse='History'flBook='Am,Hisu(JT» I = I{S4}1 = 1.Table III shows a 2-anonymization of Table II usinggeneralizations from the domain generalization hierarchiesgiven in Figure 1; the same query on Table III returns notuples.
Theorem 1: Let M R be a k-anonymous multiR databasewhere ST = {Tl,'" , Tn} and k :2: 2. Then for every vipvalue vp, there exist some f :2: k-l distinct vip values VPl, .,.
4 anonymization for PT in terms of classical k-anonymity
Science G?
Fig. 1. Course, Book DGH structures figure
upe such that for every view u possible if up E l Iuip(u(JT)) then upl, up',. . . upe E l Ivip(u(JT)) . We say the set Sup = {up, upl, up2, . . . upe) is the equivalence class of up and write E C M R ( ~ P ) = Sup.
PROOF. Suppose this is not the case and let the set of views Vup = {uilup E l Ivip(ui(JT)) . Since there are no common k - 1 vip values (other than up) over all views then we have I RuiP(ui(JT))I < k. Constructing the view un = nu,Ev,,ui gives IlIVip(un(~T))I 5 k and up E r I u i p ( u n ( ~ ~ ) ) , violating the k-anonymity constraint. This gives a contradiction.
The MR database in Table 111, has two equivalence classes: {S1,S2) and {S3,S4). (e.g., ECMR(S1) = { S l , 52 ) )
Theorem 1 can be modified for only sensitive attributes if we have unique sensitive values. Every sensitive value s in the data belongs to a set ECMR(s) of at least k sensitive values such that if s is in a query result then every element in ECMR(s) is also in that query result. (e.g., in Table IU, E C ~ ~ ( 3 . 7 2 ) = {3.72,2.34))
The k-anonymity definition for a multiR database is not arbitrary. If an attacker faces the same set of private en- tities in every possible set of queries, it can only map its external knowledge to that set. Requirement 3 for k- anonymity prevents false information being included in the anonymization of the original database. (Otherwise there would be trivial solutions for k-anonymization such as repli- cation of tuples. This requirement holds also for classi- cal, single-table k-anonymity, although it was not included explicitly in its definition.) Note that the definitions and concepts given here subsume the definitions of single-table k- anonymity. In classical k-anonymity, we have one private table PT(A1 , . . . , A,) without any dependencies corresponding to a population U . Since every tuple in PT belongs to an individual, we can add a unique identifier attribute to PT to form PTp (A,, Al , . . . , A,). PTp becomes a person specific table with vip attribute A,. In that case an anonymization for MR({Au + { A l , . . . , A,)), U, PTp, {), A,) is also an
definitions. We now define two operators that will be used in the
following sections for multiR databases: Definition 6 (Union): For structurally equivalent MR1,
MR' and MRU, MRU + MR1 u MR' if and only if PTU =
P T ~ u P T ~ , (T? E ST^) = (T; E ST^) u (T; E ST'). Definition 7 (Concatenation): M R I I + M R ~ I I MR' if and
only if PTll = P T ~ , = ST~U{PT' )UST' , and uipll = uipl
Many different cost metrics were used in the literature [8], [4], [15], [9] to measure utility of anonymized datasets. We redefine two of these cost metrics, LM[8] and DM[4], for the multiR setting, and use them in our experiments. Different variations that may better fit to relational databases can be formalized. (Discussion on such a formulation is beyond the scope of this paper.) Algorithms in the coming sections are independent of the cost metric being used and discussions apply no matter what cost metric is being used.
Definition 8 (LM): f (u) be a function that given a cat- egorical [continuous] data cell value u returns the number of distinct values [value interval +1] that cell value stands for, and g(att) be a function that returns the number of distinct values [value range +1] in from the domain of a given categorical [continuous] attribute att. Assuming g(att) > 1, the general loss metric for a multiR database MR*
- T E S U *
LM metric can be defined on individual data cells. It penalizes the value of each data cell in the anonymized dataset depending on how general it is (how many leaves are below it on the DGH tree). (e.g., LM("ScienceW) = ~ ' ( ~ ~ ~ ~ : : , ' ~ : = g) LM for the multiR dataset normalizes the total cost to get a number between 0 and 1.
Definition 9 (DM): Let MR* be an anonymization of M R and let GMR* (up) be the set of vips in MR* indistinguishable from a given vip up E MR. Then
DM(MR*) = 1 (GMR- (up11 vpEMR
As in the LM metric, smaller the number returned by DM metric, better the anonymization.
111. Single Table Algorithms for MultiR Anonymity
We now explore some obvious approaches to achieving multiR anonymity using single table k-anonymity algorithms. The main idea is to convert the multiR database into one or more single tables and anonymize these. For each approach, we describe why it does not give satisfactory results; the
Fig. 1. Course, Book DGH structuresfigure
vp£ such that for every view v possible if vp E IIvip(v(JT))then VPI, VP2,'" vp£ E IIvip(v(JT)). We say the set Svp ={vp, VPI, VP2, ... vpd is the equivalence class of vp and writeECMR(VP) = Svp.
PROOF. Suppose this is not the case and let the set ofviews Vvp = {vilvp E IIvip(Vi(JT)). Since there are nocommon k - 1 vip values (other than vp) over all viewsthen we have I nv,EVvp IIvip(Vi(JT))1 < k. Constructingthe view vn = nViEVvpVi gives IIIvip(vn(JT)) I ::; k andvp E IIvip(Vn(JT)), violating the k-anonymity constraint.This gives a contradiction. D
The MR database in Table III, has two equivalence classes:{SI,S2} and {S3,S4}. (e.g., ECMR(Sl) = {Sl,S2})
Theorem 1 can be modified for only sensitive attributes ifwe have unique sensitive values. Every sensitive value s inthe data belongs to a set ECM R (s) of at least k sensitivevalues such that if s is in a query result then every elementin ECMR(S) is also in that query result. (e.g., in Table III,ECMR (3.72) = {3.72,2.34})
The k-anonymity definition for a multiR database is notarbitrary. If an attacker faces the same set of private entities in every possible set of queries, it can only mapits external knowledge to that set. Requirement 3 for kanonymity prevents false information being included in theanonymization of the original database. (Otherwise therewould be trivial solutions for k-anonymization such as replication of tuples. This requirement holds also for classical, single-table k-anonymity, although it was not includedexplicitly in its definition.) Note that the definitions andconcepts given here subsume the definitions of single-table kanonymity. In classical k-anonymity, we have one private tablePT(AI,' .. , An) without any dependencies corresponding toa population U. Since every tuple in PT belongs to anindividual, we can add a unique identifier attribute to PT toform PTp(Au , AI,'" , An). PTp becomes a person specifictable with vip attribute Au. In that case an anonymizationfor MR({Au --> {AI,'" , An}},U, PTp, {},Au ) is also an
4anonymization for PT in terms of classical k-anonymitydefinitions.
We now define two operators that will be used in thefollowing sections for multiR databases:
Definition 6 (Union): For structurally equivalent MR I,MR2 and MR u , MR u
¢= MR I U MR2 if and only if PTu =
PTI UPT2, (TjU E STU) = (Tl E STI) U (TJ E ST2).
Definition 7 (Concatenation): MRII ¢= MR I IIMR2 if andonly if PTII = PTl, STII = ST IU{PT2}UST2, and vipll =vipl
Many different cost metries were used in the literature [8],[4], [15], [9] to measure utility of anonymized datasets. Weredefine two of these cost metrics, LM[8] and DM[4], for themultiR setting, and use them in our experiments. Differentvariations that may better fit to relational databases can beformalized. (Discussion on such a formulation is beyond thescope of this paper.) Algorithms in the coming sections areindependent of the cost metric being used and discussionsapply no matter what cost metric is being used.
Definition 8 (LM): f(v) be a function that given a categorical [continuous] data cell value v returns the numberof distinct values [value interval +I] that cell value standsfor, and g(att) be a function that returns the number ofdistinct values [value range +1] in from the domain of a givencategorical [continuous] attribute att. Assuming g(att) > I,the general loss metric for a multiR database M R*
L L £ f(T[qi][j]) - 1*' '_ g(qi) - 1
LM(MR*) = TESU qlEQITJ-I
L ITI·IQIrITESU*
LM metric can be defined on individual data cells. Itpenalizes the value of each data cell in the anonymized datasetdepending on how general it is (how many leaves are belowit on the DOH tree). (e.g. LM("Science") = f("Science")-1
, g("Course")-1
t i) LM for the multiR dataset normalizes the total cost toget a number between 0 and I,
Definition 9 (DM): Let M R* be an anonymization of M Rand let GM R* (vp) be the set of vips in M R* indistinguishablefrom a given vip vp E MR. Then
DM(MR*) = L IGMR*(Vp)1vpEMR
As in the LM metric, smaller the number returned by DMmetric, better the anonymization.
III. Single Table Algorithms for MuitiRAnonymity
We now explore some obvious approaches to achievingmultiR anonymity using single table k-anonymity algorithms.The main idea is to convert the multiR database into one ormore single tables and anonymize these. For each approach,we describe why it does not give satisfactory results; the
TABLE V. The universal table for T, and T1 along with 2 anonymizations of it where k = 2 table
TABLE VI. Local anonymizations for T, and TI where k = 2 table
I Sid I Course Grade SI I Scicncc 1 93
I I / SI I Science 1 91 1 1 I I I
S1 I Physics / mi {S2,S4) Religion
I I S3 I History I s 3 i social i 75 1 mi fS2.S3) I Phvsics 77 I
TABLE VII. Bitmap version of M R without some of the sensitive attributes and its 2-anonymization, attribute T in each course shows whether the student has taken that course or not. This reduces the info loss in the anonymization to some degree
table
TABLE V. The universal table for Tp and Tl along with 2 anonymizations of it where k = 2table
Sid Course GPASI Math 3.72
I
SI Physics 3.72SI History 3.72S2 CS 2.34S2 Physics 2.34S2 Religion 2.34S3 History 3.12S3 Religion 3.12S3 Physics 3.12S4 History 4.00S4 Religion 4.00
JT
Sid Course GPASI Science 3.72SI Science 3.72SI History 3.72S2 Science 2.34S2 Physics 2.34S2 Religion 2.34S3 History 3.12S3 Religion 3.12S3 Physics 3.12S4 History 4.00S4 Religion 4.00
Sid Course GPASI Science 3.72SI Science 3.72
{SI,S4} History 3.72
* * 2.34{S2,S3} Physics 2.34{S2,S4} Religion 2.34
S3 Social 3.12 I
S3 Social 3.12{S2,S3} Physics 3.12{SI,S4} History 4.00{S2,S4} Religion 4.00
ATz
tableTABLE VI. Local anonymizations for Tp and T1 where k = 2
Sid GPASI 3.72S2 2.34S3 3.12S4 4.00
Sid GPA{SI,S2} 3.72{S I,S2} 2.34{S3,S4} 3.12{S3,S4} 4.00
Sid CourseSI ScienceSI ScienceSI HistoryS2 ScienceS2 PhysicsS2 ReligionS3 HistoryS3 ReligionS3 PhysicsS4 HistoryS4 Religion
Sid Course GradeSI Science 93SI Science 91
{SI,S4} History 85
* * 78{S2,S3} Physics 62{S2,S4} Religion 42
S3 Social 85S3 Social 75
{S2,S3} Physics 77{SI,S4} History 98{S2,S4} Religion 96
Sid Course I
SI ScienceSI PhysicsSI SocialS2 ScienceS2 PhysicsS2 SocialS3 HistoryS3 Religion
* *S4 HistoryS4 Religion
TABLE VII. Bitmap version of M R without some of the sensitive attributes and its 2-anonymization,attribute T in each course shows whether the student has taken that course or not. This reduces theinfo loss in the anonymization to some degree
tableSid Math Physics CS History Religion GPA
T Di T Ca Dyn T Di T RH Ot AH T YoSI 1 1 1 1 1 0 0 I 1 0 0 0 0 3.72S2 0 0 1 0 I 1 1 0 0 0 0 1 1 2.34S3 0 0 1 1 0 0 0 1 0 1 0 1 1 3.12S4 0 0 0 0 0 0 0 1 0 0 1 1 0 4.00
SI * * 1 * 1 * * * * 0 0 * * 3.72 I
S2 * * 1 * 1 * * * * 0 0 * * 2.34 I,
S3 0 0 * * 0 0 0 1 0 * * 1 * 3.12 I
S4 0 0 * * 0 0 0 1 0 * * 1 * 4.00 I
insights are useful in understanding the algorithm we will give in Section IV.
A. Universal Anonymization
One solution might be to construct the universal relation from the multiR database and run a single-table anonymiza- tion algorithm on this relation. Table J T in Table V shows the universal table for the database MR(SF, U, Tp, {TI), Sid). (the attribute SCid is removed but this does not affect the discussion.) To run an anonymity algorithm, we need to identify the attributes that need to be modified. We have two choices at this point. The first approach is to modify only the quasi-identifier attributes (attribute Course in J T ) leaving the others untouched. Dataset ATl in Table V is one possible 2- anonymization of J T . However, we see that ATl obviously does not provide anonymity when an attacker knows all or some of the courses taken by a student. E.g., if an attacker knows that Chris is taking History, Math and Physics, then it will map Chris to S1 since S1 is the only one taking two science courses and a history course.
A second approach would be to modify join keys (NDGH generalizations [15]) along with the quasi-identifiers (e.g., attributes Course and Sid in JT) . Dataset AT2 in Table V is such a 2-anonymization of J T , but still fails to satisfy privacy constraints.
The main reason anonymization of a universal relation fails is that multiple tuples belong to a single person and the anonymization process does not take this into account. It becomes possible that tuples belonging to the same entity are anonymized with each other, making the relation "k- anonymous" but failing to protect individual identity. One way of resolving this would be to suppress all the data in the joining attributes (e.g., Sid). But in that case, the dataset would lose its relational structure and the valuable information in the I-N or N-N relations (e.g., the information that a student taking Math, Physics and History has GPA 3.72 would be lost). This universal approach also suffers from inference channels due to the redundancy in representation when the adversary knows functional dependencies for the schema, e.g., in AT2, given Sid + G P A holds, the attacker will discover the third tuple is actually Sid S1 since the first two tuples imply the student with GPA 2.71 is S1. A related work [21] worth mentioning here was on checking k-anonymity on views over a universal dataset. The work was not based on table generalizations and did not propose a k-anonymization algorithm to create anonymous views.
B. Local Anonymization
Another way to anonymize the dataset would be to k- anonymize each table independently. The most basic way of doing that is shown in T; and T: of Table VI. This set of tables suffers from the same problems mentioned in Section 111-A (e.g., disclosure of Chris's GPA.)
6 A second approach again would be to use NDGH general-
izations on non-QI join keys as shown in T; and T?. In this case, for this particular MR database, GPA information seems to be 2-anonymous. However, sensitive Grade information is not protected. The attacker will still be able to map S1 to Chris and learn that he has received "93" and "91" in two science courses (although not which course each score belongs to.) This is a violation of anonymity requirement 2, since Chris is not anonymous with respect to another student. Another downside of the approach is that modifying join keys introduces many incorrect join paths, decreasing the usability of the data.
The main reason why local anonymizations fail is that use of independent and arbitrary mappings for generalization of one table can create inference channels with respect to mappings used by other tables. A multiR anonymity algorithm should use consistent mappings throughout datasets (e.g., by Theorem 1; if S1 and S2 are anonymized with each other in one table, their courses should also be anonymized with each other in the other table.) Tables T; and T? show a valid 2-anonymization that enforces consistent mapping. Anonymization should also decide which mapping to use for anonymization. Clearly a multiR anonymity algorithm needs to view data globally to come up with close mappings between private entities while maintaining precision and usefulness of the output data. The multiR anonymity algorithm given in Section IV will take all these observations into account and give global decisions for anonymization mappings.
C. Bitmap Anonymization
Some multiR databases can be converted to a boolean vector "bitmap" format with every private entity as a single row, and distinct attributes used to reflect different values.
Bitmap conversion is done by assigning the value "1" for attributes that the private entity possess in the MR database. Handling the other attributes that the entity does not possess is done differently for different types of MR databases. In complete databases, non-existing tuples in the db (negative tuples) implies that the individual does not possess the corresponding attribute. Thus non-existent tuples also constitute in the information content of the database. (e.g., University Registration Database, Voters Database, . . . In Tl of Table 11, S I taking "Religion" course is missing implying Chris definitely did not take the "Religion" course.) In bitmap versions of complete databases, "0" is used for non-existent attributes of the entities. On the other hand, in incomplete databases, negative tuples imply uncertainty and they do not add into the information content. (e.g., hospital databases, business databases that share customers, . . . Having a patient not having a particular disease in a hospital database does not necessarily imply that patient did not have the disease. It is always possible that full records of a patient are contained in multiple hospitals.) In bitmap versions of incomplete databases, value "*" is used for non-
insights are useful in understanding the algorithm we willgive in Section IV.
A. Universal Anonymization
One solution might be to construct the universal relationfrom the multiR database and run a single-table anonymization algorithm on this relation. Table JT in Table V shows theuniversal table for the database M R(SF, U, Tp , {TI}, Sid).(the attribute SCid is removed but this does not affect thediscussion.) To run an anonymity algorithm, we need toidentify the attributes that need to be modified. We have twochoices at this point. The first approach is to modify only thequasi-identifier attributes (attribute Course in JT) leaving theothers untouched. Dataset ATI in Table V is one possible 2anonymization of JT. However, we see that ATI obviouslydoes not provide anonymity when an attacker knows all orsome of the courses taken by a student. E.g., if an attackerknows that Chris is taking History, Math and Physics, thenit will map Chris to Sl since Sl is the only one taking twoscience courses and a history course.
A second approach would be to modify join keys (NDGHgeneralizations [15]) along with the quasi-identifiers (e.g.,attributes Course and Sid in JT). Dataset AT2 in Table V issuch a 2-anonymization of JT, but still fails to satisfy privacyconstraints.
The main reason anonymization of a universal relationfails is that multiple tuples belong to a single person andthe anonymization process does not take this into account. Itbecomes possible that tuples belonging to the same entityare anonymized with each other, making the relation "kanonymous" but failing to protect individual identity. Oneway of resolving this would be to suppress all the data inthe joining attributes (e.g., Sid). But in that case, the datasetwould lose its relational structure and the valuable informationin the I-N or N-N relations (e.g., the information that astudent taking Math, Physics and History has GPA 3.72 wouldbe lost). This universal approach also suffers from inferencechannels due to the redundancy in representation when theadversary knows functional dependencies for the schema, e.g.,in AT2, given Sid ---t GPA holds, the attacker will discoverthe third tuple is actually Sid Sl since the first two tuplesimply the student with GPA 2.71 is Sl. A related work[21] worth mentioning here was on checking k-anonymity onviews over a universal dataset. The work was not based ontable generalizations and did not propose a k-anonymizationalgorithm to create anonymous views.
B. Local Anonymization
Another way to anonymize the dataset would be to kanonymize each table independently. The most basic way ofdoing that is shown in TJ and Tl of Table VI. This set oftables suffers from the same problems mentioned in SectionIII-A (e.g., disclosure of Chris's GPA.)
A second approach again would be to use NDGH general~izations on non-QI join keys as shown in T; and Tt. In thiscase, for this particular MR database, GPA information seemsto be 2-anonymous. However, sensitive Grade informationis not protected. The attacker will still be able to map S Ito Chris and learn that he has received "93" and "91" intwo science courses (although not which course each scorebelongs to.) This is a violation of anonymity requirement 2,since Chris is not anonymous with respect to another student.Another downside of the approach is that modifying join keysintroduces many incorrect join paths, decreasing the usabilityof the data.
The main reason why local anonymizations fail is thatuse of independent and arbitrary mappings for generalizationof one table can create inference channels with respect tomappings used by other tables. A multiR anonymity algorithmshould use consistent mappings throughout datasets (e.g., byTheorem 1; if Sl and S2 are anonymized with each otherin one table, their courses should also be anonymized witheach other in the other table.) Tables T; and T{ showa valid 2-anonymization that enforces consistent mapping.Anonymization should also decide which mapping to use foranonymization. Clearly a multiR anonymity algorithm needsto view data globally to come up with close mappings betweenprivate entities while maintaining precision and usefulness ofthe output data. The multiR anonymity algorithm given inSection IV will take all these observations into account andgive global decisions for anonymization mappings.
C. Bitmap Anonymization
Some multiR databases can be converted to a booleanvector "bitmap" format with every private entity as a singlerow, and distinct attributes used to reflect different values.
Bitmap conversion is done by assigning the value "I"for attributes that the private entity possess in the MRdatabase. Handling the other attributes that the entity doesnot possess is done differently for different types of MRdatabases. In complete databases, non-existing tuples in thedb (negative tuples) implies that the individual does notpossess the corresponding attribute. Thus non-existent tuplesalso constitute in the information content of the database.(e.g., University Registration Database, Voters Database, ...In TI of Table II, S1 taking "Religion" course is missingimplying Chris definitely did not take the "Religion" course.)In bitmap versions of complete databases, "0" is used fornon-existent attributes of the entities. On the other hand,in incomplete databases, negative tuples imply uncertaintyand they do not add into the information content. (e.g.,hospital databases, business databases that share customers,. " Having a patient not having a particular disease in ahospital database does not necessarily imply that patient didnot have the disease. It is always possible that full recordsof a patient are contained in multiple hospitals.) In bitmapversions of incomplete databases, value "*,, is used for non-
existent attributes of the entities to express uncertainty.
Table VII shows the bitmap version of the complete MR database given in Table I1 and its 2-anonymization. Classical k-anonymity algorithms can be run on such datasets. The anonymized data will then satisfy both multiR anonymity requirements for certain types of relations, however:
1) Not every multiR database is bitmap convertible. Schemas containing tables that map one entity to another entity an arbitrary number of times cannot be converted to bitmap format without information loss. (E.g., a student taking n different Physic classes where n is arbitrarily large cannot be readily expressed. This is a serious drawback for datasets that are updated frequently. Updates on certain individuals can trigger changes in the schema of the anonymized dataset.)
2) For incomplete databases, anonymization would only be through suppression, as generalizing "S1 is taking a Math course and S2 is taking a CS course" into "S1 and S2 are both taking a Science course" would correspond to merging columns in the schema rather than generalization of data. So anonymizations cannot take advantage of user supplied generalization hierarchies or total ordering assumptions for the attribute domains (for the sake of both utilization and incorporating domain knowledge).
3) For complete databases, anonymizations would addi- tionally preserve common negative information (e.g., "S3 is not taking a CS course and S4 is not taking a CS course", anonymization would preserve "neither S3 nor S4 is taking a CS course") However it is still impossible to incorporate domain knowledge through generalization hierarchies or total ordering assumptions. (e.g., generalizing a student taking "CS" with another student taking "Math" is as costly as generalizing two students taking "CS' and "Religion" respectively, even though the former could be a better generalization.)
Suppression in the bitmap setting removes certainty about the number of tuples corresponding to a given entity. (e.g., "SI is taking a Math course and S2 is taking a CS course" could safely be generalized into "S1 and S2 are both taking at least one ("Science") course". Bitmap anonymization would imply "Sl and S2 are taking two courses in total".)
Bitmap anonymizations do not consider possible similar- ities of two private entities in the tail of a nested relation. (E.g., in the multiR database in Table 11, S1 is taking a
points are skewed over the whole possible space, thig does not introduce further problems regarding the curse of dimensionality. However, k-anonymity algorithms do not take into account the existence of 'invalid points' (e.g., a point with Math-T:O, Math-Di:l would be an invalid point implying student has not taken 'Math' but used the 'Discrete' book for the 'Math' course. Heuristics would need to be used that would ignore invalid points to speed up the anonymization.
7) Most real world data is stored as relational tables rather than bitmap tables. Conversion to such a bitmap costs additional execution time and storage, not to mention the cost of converting applications designed for the original schema.
8) Many real world relational databases contain correlations within relations and this may make certain heuristics for improving efficiency possible. (e.g., a student taking a 'science' course is more likely to buy a 'science' or 'math' book than a 'religion' book. It is possible to design fast and reasonably precise algorithms that decide anonymizations only on courses without consid- ering book information.) It may be difficult to exploit such correlations without considering the structure of the data. A single table k-anonymity algorithm on a bitmap database will be unaware of the underlying structure and thus the correlation.
IV. Clustering-based MultiR Anonymity
We now develop a multiR anonymity algorithm that over- comes the shortcomings of the approaches described in the previous section, although it places certain (reasonable) re- strictions on the schemas supported. Algorithms for arbitrary schemas are left as future work.
A. Assumptions and Properties
We aim to preserve certain properties of the database, and in doing so accept certain limitations on the databases that can be anonymized by our algorithm. These properties and assumptions are given here.
Schema Preservation: The schemas of the input database M R and the k-anonymous output MR* will be structurally equivalent (Definition 4).
Dependency Preservation: The anonymized database pre- serves functional dependencies of the original database, so that:
Math course, buys the Discrete book for the course and 1) the semantics of the data are better preserved, and
S2 is taking a CS course and buvs the same book. Given " that course information is generalized (or suppressed), 2) inference attacks, by an adversary who knows a func-
the book information can safely be preserved without vi- tional dependency that fails to hold in the anonymized
olating privacy. Bitmap anonymization would not retain data, are prevented.
only the book information.) We require that the schema be normalized to enforce de- 6) Conversion to bitmap format produces datasets of high pendencies; this obviates the need to provide dependencies
dimensionality. Since distribution of produced data separately as input to the anonymization algorithm.
existent attributes of the entities to express uncertainty.
Table VII shows the bitmap version of the complete MRdatabase given in Table II and its 2-anonymization. Classicalk-anonymity algorithms can be run on such datasets. Theanonymized data will then satisfy both multiR anonymityrequirements for certain types of relations, however:
1) Not every multiR database is bitmap convertible.Schemas containing tables that map one entity to anotherentity an arbitrary number of times cannot be convertedto bitmap format without information loss. (E.g., astudent taking n different Physic classes where n isarbitrarily large cannot be readily expressed. This is aserious drawback for datasets that are updated frequently.Updates on certain individuals can trigger changes in theschema of the anonymized dataset.)
2) For incomplete databases, anonymization would onlybe through suppression, as generalizing "SI is takinga Math course and S2 is taking a CS course" into"S I and S2 are both taking a Science course" wouldcorrespond to merging columns in the schema rather thangeneralization of data. So anonymizations cannot takeadvantage of user supplied generalization hierarchies ortotal ordering assumptions for the attribute domains (forthe sake of both utilization and incorporating domainknowledge).
3) For complete databases, anonymizations would additionally preserve common negative information (e.g.,"S3 is not taking a CS course and S4 is not takinga CS course", anonymization would preserve "neitherS3 nor S4 is taking a CS course") However it is stillimpossible to incorporate domain knowledge throughgeneralization hierarchies or total ordering assumptions.(e.g., generalizing a student taking "CS" with anotherstudent taking "Math" is as costly as generalizing twostudents taking "CS" and "Religion" respectively, eventhough the former could be a better generalization.)
4) Suppression in the bitmap setting removes certaintyabout the number of tuples corresponding to a givenentity. (e.g., "SI is taking a Math course and S2 is takinga CS course" could safely be generalized into "SI and S2are both taking at least one ("Science") course". Bitmapanonymization would imply "S I and S2 are taking twocourses in total".)
5) Bitmap anonymizations do not consider possible similarities of two private entities in the tail of a nested relation.(E.g., in the multiR database in Table II, SI is taking aMath course, buys the Discrete book for the course andS2 is taking a CS course and buys the same book. Giventhat course information is generalized (or suppressed),the book information can safely be preserved without violating privacy. Bitmap anonymization would not retainonly the book information.)
6) Conversion to bitmap format produces datasets of highdimensionality. Since distribution of produced data
points are skewed over the whole possible space, thi~does not introduce further problems regarding the curseof dimensionality. However, k-anonymity algorithms donot take into account the existence of 'invalid points'(e.g., a point with Math-T:O. Math-Di:1 would be aninvalid point implying student has not taken 'Math'but used the 'Discrete' book for the 'Math' course.Heuristics would need to be used that would ignoreinvalid points to speed up the anonymization.
7) Most real world data is stored as relational tables ratherthan bitmap tables. Conversion to such a bitmap costsadditional execution time and storage, not to mention thecost of converting applications designed for the originalschema.
8) Many real world relational databases contain correlationswithin relations and this may make certain heuristicsfor improving efficiency possible. (e.g., a student takinga 'science' course is more likely to buy a 'science'or 'math' book than a 'religion' book. It is possibleto design fast and reasonably precise algorithms thatdecide anonymizations only on courses without considering book information.) It may be difficult to exploitsuch correlations without considering the structure of thedata. A single table k-anonymity algorithm on a bitmapdatabase will be unaware of the underlying structure andthus the correlation.
IV. Clustering-based MuitiR Anonymity
We now develop a multiR anonymity algorithm that overcomes the shortcomings of the approaches described in theprevious section, although it places certain (reasonable) restrictions on the schemas supported. Algorithms for arbitraryschemas are left as future work.
A. Assumptions and Properties
We aim to preserve certain properties of the database, andin doing so accept certain limitations on the databases thatcan be anonymized by our algorithm. These properties andassumptions are given here.
Schema Preservation: The schemas of the input databaseMR and the k-anonymous output MR* will be structurallyequivalent (Definition 4).
Dependency Preservation: The anonymized database preserves functional dependencies of the original database, sothat:
1) the semantics of the data are better preserved, and
2) inference attacks, by an adversary who knows a functional dependency that jails to hold in the anonymizeddata, are prevented.
We require that the schema be normalized to enforce dependencies; this obviates the need to provide dependenciesseparately as input to the anonymization algorithm.
Student took
QI: Course
Sensitive: Grade E L Student bought Books for Course
QI: Book
Studenl had Advisors and gave Evaluation
Non 01 PK:
QI: Advisor
Sensitive: Evaluatlon
Student had Projects for Course with Grade
Non QI FK: SCld
01: Project
Sensitive: PGrade 3 Fig. 2. Schema graph
figure
Snowflake Schema: The algorithm we present is limited to schemas satisfying the following constraints:
1) No connection keys (primarylforeign keys) between ta- bles in MR are quasi-identifiers. (It is possible to replace such quasi-identifiers with non-identifying keys to pre- serve connections.)
2) Every table in S T contains only one foreign key. Table P T does not contain a foreign key.
3) We say a table T2 belongs to the family of Tl and write T2 E F(Tl) if T2 has a foreign key attribute which is a primary key attribute either in Tl or in another family member of TI. We restrict ourselves to schemas with F(PT) = ST.
Schemas with these constraints are similar to snowflake relations where the fact table is the table P T (see Figure 2), although we do support one to many relationships between PT and other tables. Any table in the schema can contain sensitive attributes; anonymity constraint 1 will hold for all of them. This family of schemas is expressive enough for many database applications (XML, some spatio-temporal databases, data warehouses, ...)
Join Key Atomicity: The algorithm presented in the next section will preserve the atomicity of join keys. (The assumption that join keys are not quasi-identifiers makes it possible to follow this approach in all cases.) This ensures one true join path as opposed to multiple paths (as in {T~,T?) of Table VI) in each connection and improves utility of the anonymization (a query on the anonymized dataset is "true", in the sense that the result is a generalization of the result on the underlying dataset.)
B. MultIRelAtional CLustEring ( ~ i ~ a ~ l e j Anonymization Algorithm
We now present a MiRaCle anonymization algorithm that anonymizes a given multiR database under the assumptions given in the previous section. We first give a higher level description of the algorithm to make the formal explanation easy to follow.
I ) Informal Description: MiRaCle is a clustering-based anonymity algorithm; any distance-based clustering k- anonymity algorithm [5], [IS], [ l ] can be used as a basic skeleton for MiRaCle anonymizations. The main observation is that all clustering based anonymity algorithms make use of two basic operations on private entities: anonymization and calculation of the distance between two entities. The latter can be generally defined as the cost of the anonymization of two entities. As an example basic skeleton, in the next section, we present a trivial modification of CDGH clustering algorithm [15] for MiRaCle. Here we turn our attention to the real question: How to anonymize two entities?
The assumptions given in the previous section enables us to abstract entities of a multiR databases as trees where each level of a given entity tree corresponds to levels of the nested relation for a particular vip entity. (Figure 3 gives an example.) The challenge is to anonymize two trees of similar structure with respect to each other.
Algorithm 1 anonymize(tree(sl), tree(s2)) Require: For a tree node s; tree(s) returns the tree rooted
from s and us returns the QI attribute values associated with node s. For two values of the same domain vl and 212, gen(vl, v2) returns the lowest cost generalization of vl and vz w.r.t. a dgh.
I: VC, , vc2 = gen(vcl, vc2) 2: let C1 be the set of child nodes of node s l 3: let C2 be the set of child nodes of node s2 4: find a low cost pairing of nodes in C1 and C2 5: for all matching pairs of nodes (cl E Cl, c2 E C2) do 6: anonymize(tree (cl ), tree(c2)) 7: for all nodes c E (C1 u C2) unmatched do 8: suppress every value in nodes of tree(c)
Algorithm 1 shows how to anonymize two entity trees. Anonymization occurs top-down. First QI attributes for tree roots are anonymized with each other. Each tree root has a set of child nodes. (In Figure 3, children of S1 and S2: Cl={"Math", "Physics", "History"), C2={"CS", "Physics", "Religion").) The algorithm chooses pairings of nodes be- tween these sets to minimize the local cost in the current level or the overall cost of the anonymized trees. (In Figure 3, "Math" is paired with "CS", "Physics" with "Physics", and "History" with "Religion", producing the set of nodes {"Science", "Physics", "Social") which is the least costly set in terms of the cost metric used (e.g., LM.) Since each pair is composed of two trees to be anonymized and function is
Snowflake Schema: The algorithm we present is limitedto schemas satisfying the following constraints:
Schemas with these constraints are similar to snowflakerelations where the fact table is the table PT (see Figure 2),although we do support one to many relationships betweenPT and other tables. Any table in the schema can containsensitive attributes; anonymity constraint 1 will hold for all ofthem. This family of schemas is expressive enough for manydatabase applications (XML, some spatio-temporal databases,data warehouses, ...)
(MiRaClejB. MultIRelAtional CLustEringAnonymization Algorithm
Algorithm 1 anonymize(tree(sl), tree(s2)
Require: For a tree node s; tree(s) returns the tree rootedfrom sand Vs returns the QI attribute values associatedwith node s. For two values of the same domain VI andV2, gen(VI, V2) returns the lowest cost generalization ofVI and V2 w.r.t. a dgh.
1: vel l VC2 = gen(Vel' VC2 )
2: let Cl be the set of child nodes of node SI
3: let C2 be the set of child nodes of node S2
4: find a low cost pairing of nodes in C 1 and C2
5: for all matching pairs of nodes (C1 E Cl, C2 E C2) do6: anonymize(tree(cI), tree(c2)7: for all nodes c E (C1 U C2) unmatched do8: suppress every value in nodes of tree(c)
We now present a MiRaCle anonymization algorithm thatanonymizes a given multiR database under the assumptionsgiven in the previous section. We first give a higher leveldescription of the algorithm to make the formal explanationeasy to follow.
1) Informal Description: MiRaCle is a clustering-basedanonymity algorithm; any distance-based clustering kanonymity algorithm [5], [IS], [I] can be used as a basicskeleton for MiRaCle anonymizations. The main observationis that all clustering based anonymity algorithms make use oftwo basic operations on private entities: anonymization andcalculation of the distance between two entities. The lattercan be generally defined as the cost of the anonymizationof two entities. As an example basic skeleton, in the nextsection, we present a trivial modification of CDGH clusteringalgorithm [15] for MiRaCle. Here we tum our attention to thereal question: How to anonymize two entities?
The assumptions given in the previous section enables usto abstract entities of a multiR databases as trees where eachlevel of a given entity tree corresponds to levels of the nestedrelation for a particular vip entity. (Figure 3 gives an example.)The challenge is to anonymize two trees of similar structurewith respect to each other.
Algorithm 1 shows how to anonymize two entity trees.Anonymization occurs top-down. First QI attributes for treeroots are anonymized with each other. Each tree root hasa set of child nodes. (In Figure 3, children of 51 and 52:Cl={"Math", "Physics", "History"}, C2 ={"CS", "Physics","Religion"}.) The algorithm chooses pairings of nodes between these sets to minimize the local cost in the currentlevel or the overall cost of the anonymized trees. (In Figure3, "Math" is paired with "CS", "Physics" with "Physics",and "History" with "Religion", producing the set of nodes{"Science", "Physics", "Social"} which is the least costly setin terms of the cost metric used (e.g., LM.) Since each pairis composed of two trees to be anonymized and function is
Student hadAdvisors andgave Evaluation
Non 01 PK:Sid
01: Advisor
Sensitive:Evaluation
Student hadProjects for Coursewith Grade
Non 01 FK: SCld
01: Project
Sensitive: PGrade
/
Fig. 2. Schema graph
Student tookCourses with Grade
01: Course
Non 01 PK: SCid
Non 01 FK: Sid
Sensitive: Grade
Student boughtBooks for Coursepaying Price
Non 01 FK: SCid
01: Book
Sensitive: Price
figure
1) No connection keys (primary/foreign keys) between tables in MR are quasi-identifiers. (It is possible to replacesuch quasi-identifiers with non-identifying keys to preserve connections.)
2) Every table in 5T contains only one foreign key. TablePT does not contain a foreign key.
3) We say a table T2 belongs to the family of Tl and writeT2 E F(T1) if T2 has a foreign key attribute which is aprimary key attribute either in T 1 or in another familymember of Tl. We restrict ourselves to schemas withF(PT) = 5T.
Join Key Atomicity: The algorithm presented in thenext section will preserve the atomicity of join keys. (Theassumption that join keys are not quasi-identifiers makes itpossible to follow this approach in all cases.) This ensures onetrue join path as opposed to multiple paths (as in {Ti, Tf}of Table VI) in each connection and improves utility of theanonymization (a query on the anonymized dataset is "true",in the sense that the result is a generalization of the result onthe underlying dataset.)
Fig. 3. Anonymization of students S1 and S2 from the example MR database in Table II
figure
called on the subtrees. (In Figure 3, a second call is made on (tree("Math"), tree("CSn)). "Math" and "CS" values are changed to "Science" as a result of the second call . Unpaired nodes are suppressed (e.g., node "Calc.")
2) Formal Description: We first show in Algorithm 2 how to modify the CDGH clustering algorithm [15] to anonymize a given multiR database. Each cluster has a representative that holds the anonymization of the entities it contains. For each vip value v, the algorithm finds, in line 5, a suitable cluster to put v into. Suitability is measured by a distance function dist which we will define shortly. If there is no suitable cluster, in line 7. v defines a new one. Then in line 9, the cluster representative of the closest cluster is updated to be the anonymization of v and the former representative by calling the function anon. When a cluster is full, the identifying information in the tuples in the cluster (including tuples linked to in other tables) is replaced with the cluster representative; these generalized tuples are placed into the anonymized database and the cluster is deleted. In lines 13- 20, leftover clusters are combined. Leftover tuples in the last cluster (< k) are suppressed.
As also mentioned in the previous section, the real chal- lenge is to define the distance between the two points (e.g., private entities such as students). If we know how to produce anonymizations of two points with respect to each other, we can derive the distance between them by calculating the cost of their anonymization w.r.t. any precision/cost metric. Here are formal details regarding how MiRaCle defines the anonymization and distance functions between two private entities (vips) vl E MR' and v2 E MR':
Algorithm 2 MiRaCle(MR, k, th, climit, anon, dist, cost) ''
Require: An input database MR with S T = {TI, . . . , T,), k constraint, a threshold value th, a cluster limit climit; an anonymization function anon that can anonymize two private entities; a distance function dist that can calculate the distance of two private entities; a cost metric function cost defined over anonymized MR databases; We begin with an empty set of clusters C. vip v,, is the cluster representative of cluster ci, MR,, is the database that contains v,, and EC,, holds the set of private entities in c, .
Ensure: MR* is a k-anonymization of MR I: MR* +- null 2: for all vip value vj in PT do 3: if C is empty then 4: go to line 7 5: find i s.t. di = dist(vj, v,, , MR, MR,, ) is minimum 6: if (4 > th) A ( ( C ( 5 climit) then 7: make a new cluster cn,,, set cluster representative
8: go to step 2 to process the next vip in MR 9: MR,, = anon(v,,, vj, MRc,, MR).
10: ECc ,=ECc ,U{v j ) 11: if the number of elements in c" becomes more than k
then 12: MR* = MR* U MR,,; C = C - c, (remove Q)
13: for all cluster c+ left in C do 14: find j # i s.t. d, = dist(v,., v,,, MRcj, MR,,) is min. 15: MR,, = anon(vc,, v,, , MA,, , MR,, ). 16: EC,, = EC,, U EC,, ; C = C - c, (remove cj) 17: if the number of elements in c, becomes more than k
then 18: C = C - c+ (remove G); MR' = MR* U MR,, 19: else 20: go to line 14 to find another suitable j. 21: MR* now contains only one vip vi data for each equivalence
class, add the anonymizations for other vips by using EC,, sets created in the process.
22: suppress the remaining vips in C and add to MR* 23: return MR*
For each entity in the input M R db, MiRaCle makes one call to function Anonymize per cluster representative. Since the number of cluster representative is bounded by the input parameter climit, MiRaCle calls Anonymize O(c1imit. I M R ( ) times. The efficiency of the algorithm depends on the efficiency of the Anonymize function.
Function " ~ n o n ~ m i z e ( t ' , t ~ , M R ~ , M R ~ ) " produces an anonymization for two tuples t1 E P T ~ and t2 E pT2 . (ti
anon(Vl,V2,MR\MR2) =
Anonymize(O"vipl=Vl PT1
, O"Vi p2=V2 PT2 , MR1
, MR2
)
dist(Vl,V2,MR\MR2
) =
cost( anon(vl, V2, MR1, MR2))
Algorithm 2 MiRaCle(MR, k, th, climit, anon, dist, cost) 9
Require: An input database MR with ST = {T1 ,· .. ,Tn}, kconstraint, a threshold value th, a cluster limit climit;an anonymization function anon that can anonymize twoprivate entities;a distance function dist that can calculate the distance oftwo private entities;a cost metric function cost defined over anonymized MRdatabases;We begin with an empty set of clusters G. vip vc , is thecluster representative of cluster Ci, MR c, is the databasethat contains Vc, and EGci holds the set of private entitiesin Ci •
Ensure: MR' is a k-anonymization of MR1: MR' +- null2: for all vip value Vj in PT do3: if G is empty then4: go to line 75: find i S.t. di = dist(Vj, VCi , MR, MRci ) is minimum6: if (d; > th) /\ (IGI ~ climit) then7: make a new cluster Cnew, set cluster representative
Vcnew = Vj, MRcnew = MR, G = G U {cnew },EGci = {Vj}
8: go to step 2 to process the next vip in MR9: MRci = anon(vc.,vj,MRc;,MR).
10: EGci = EGci U { Vj}11: if the number of elements in Ci becomes more than k
then12: MR' = MR' U MRc,; G = G - Ci (remove Ci)13: for all cluster Ci left in G do14: find j =- i S.t. d i = dist(vCi.' vc" MRcj , MRc.) is min.15: MRc; - anon(vc"vCj ' MHc" MRc;J.16: EGc, = EGci U EGcj ; G = G - Cj (remove Cj)17: if the number of elements in Ci becomes more than k
then18: G = G - Ci (remove Ci); MR' = MR' U MRc,19: else20: go to line 14 to find another suitable j.21: MR' now contains only one vip Vi data for each equivalence
class, add the anonymizations for other vips by using EGcjsets created in the process.
22: suppress the remaining vips in G and add to MR'23: return MR'
:p.34 ~ :p.3452 ~ 52
78 / 62 ~ 42 78 / 62 ~ 42
~s [PhyrS] [R\iOn] [SC.:.:.•.·.·:1~1'~ [PhyrS).".,~,~;@i:>;$,."">.> .., ='"""=
65$ 51$ 38$ 65$ 51$ 38$
[DiSC.] [Dyn.] [VOda.] [DiSC.] [Dyn.] ~l~~~~i~
Fig. 3. Anonymization of students 81 and 82from the example MR database in Table II
figure
called on the subtrees. (In Figure 3, a second call is madeon (tree("Math"), tree("CS"». "Math" and "CS" values arechanged to "Science" as a result of the second call. Unpairednodes are suppressed (e.g., node "Calc.")
2) Formal Description: We first show in Algorithm 2 howto modify the CDGH clustering algorithm [15] to anonymizea given multiR database. Each cluster has a representativethat holds the anonymization of the entities it contains. Foreach vip value v, the algorithm finds, in line 5, a suitablecluster to put v into. Suitability is measured by a distancefunction dist which we will define shortly. If there is nosuitable cluster, in line 7. v defines a new one. Then in line9, the cluster representative of the closest cluster is updatedto be the anonymization of v and the former representativeby calling the function anon. When a cluster is full, theidentifying information in the tuples in the cluster (includingtuples linked to in other tables) is replaced with the clusterrepresentative; these generalized tuples are placed into theanonymized database and the cluster is deleted. In lines 1320, leftover clusters are combined. Leftover tuples in the lastcluster « k) are suppressed.
As also mentioned in the previous section, the real challenge is to define the distance between the two points (e.g.,private entities such as students). If we know how to produceanonymizations of two points with respect to each other,we can derive the distance between them by calculating thecost of their anonymization w.r.t. any precision/cost metric.Here are formal details regarding how MiRaCle defines theanonymization and distance functions between two privateentities (vips) VI E MR I and V2 E MR2
:
For each entity in the input M R db, MiRaCle makesone call to function Anonymize per cluster representative.Since the number of cluster representative is bounded by theinput parameter climit, MiRaCle calls Anonymize O(climit·
1MRI) times. The efficiency of the algorithm depends on theefficiency of the Anonymize function.
Function "Anonymize(tl, t 2, MRl, MR2
)" produces ananonymization for two tuples t l E PTI and t 2 E PT2
. (t i
Algorithm 3 ~nonvmizef t l , t2. MR', MR2)
Require: Tuple t i belongs to table pT i . All M R ~ are struc- turally equivalent, Function gen(v1, v2) returns the common parent of values vl, v2 on the dgh structure of the associated domain.
Ensure: MR* is an anonymization of t1 and t2 I: T* e NULL 2: Let MR* be a database with transcript (., ., T*, {), vipl) 3: for all att, of PT1 do 4: if atti is a QI attribute then {Just anonymize) 5: T'[atti:l[l] e gen(tl [att,], t2[atti]) 6: if atti is a non-QI non-key or a foreign key then {Copy) 7: T * [attil[l] e t1 [atti]; 8: if atti is a primary key for a join with another table then
{Ensure anonymized across join) 9: for all pairs of tables T i , Tk2 in MR', MR' where atti
is a foreign key do 10: Let MR3, be the database with transcript
{., ., T i , F (T~) , a t t i ) 11: MR* e MR*lI AnonymizeSets ( u a t t i = t ~ ( a t t i l ~ i .
~ ~ t t ~ = t z [ ~ t t ~ ~ T k Z ~ MRk, MR:) 12: T*[attil[ll e tl[atti] 13: return MR' -
Algorithm 4 ~ n o n ~ r n i z e ~ e t s ( C ' = {ti , t i , . . . t k ) , C2 = {t:',t;, . . .t;), MR', M R ~ )
Require: Sets of tuples Ci belongs to tables PT'. All M R ~ are structurally equivalent. 1 < m 5 n
Ensure: MR* is a painvise anonymization of C1 and C2 1: Let MR* be an empty database, structurally eq. to MRZ. 2: for al l t i E C1 do 3: for al l t: E C 2 do 4: tempMRj e Anonymize(t:, t:, MR1, MR2) 5: costMRj e cost(tempMRj) 6: minCost j e arg min . w s t M R j 7: MR* e MR* U t e m p ~ ~ m i n c o s t j 8: C 2 -+ C2 - tmincostj 9: Suppress rest of the tuples in C2 and add them to P T *
10: return MR*
may be considered as a root node of a tree structure stored in database M R ~ , e.g., Figure 3) The function classifies and processes each attribute one by one. Processing of primary key attributes is important since they serve as connections to other tables. Attribute evaluation can be summarized as follows:
Lines 4-7: for non-key attributes and foreign key at- tributes, behave as in single table anonymity: anonymize QI attributes w.r.t. dgh structures, leave the rest (sensitive attributes and foreign keys) as they are.
Lines 8-12: for a primary key attribute att, find all pairs of tables (Ti E ST~,T; E ST') where att is a foreign key. We will have two sets of tuples C1 = {t i , . . . , tk) and C 2 = {t:, . . . , t&) in T i and T: respectively where each t t[att] = t l[att] and each t:[att] = t2[att]. Call "anonymize~ets(C1, C2, ., ., .))' to find suitable one-to- one matchings between tf s and t is . Suitability of a given
10 matching depends on the effect of the generalization on all of the connected tables (This is ensured by recursive calls to the anonymization function in Line 4.) Anonymize matched tuples with each other, suppressing any unmatched tuples.
Given sets of tuples C' and C2, and assuming n = Ic' 1 = IC21 there are O(n!) possible pairwise matchings. It is costly to search such a big space to find a cost optimal matching. Because of this, algorithm anonymizesets uses the following matching heuristic. Each node in C1 is matched optimally with a node in C 2 one by one. (e.g., t i is matched with a tuple in C2, then t i is matched with another, . . . ) This way complexity reduces to 0 (n2) painvise matchings.
The algorithm can use any incremental cost metric that can be defined on a database. For the experiments, we will use the LM metric defined in Section 11.
Table 111 shows the output of MiRaCle on the MR input given in Table I1 for k = 2. vip S1 and S2, and vip S3 and S4 anonymized with each other. Figure 3 shows how S1 and S2 are anonymized. The algorithm first ensures the tuples are anonymous w.r.t. QI attributes. Since Tp does not contain any QI attributes, no change is done (the root nodes in Figure 3). However, the primary key of Tp, Sid, occurs in Tl as a foreign key, so algorithm AnonymizeSets is called on the sets of tuples us id=~~sl~/Ti and u ~ ~ ~ = ~ ~ ~ ~ , , T I (the nodes on the second level of the trees). A one-to-one matching of tuples is done according to how costly the anonymization of the matched tuples will be. Anonymization in this level also takes into account table T2 (Books table), since T2 and Tl share SCid as a joining key. First, the "Math" node is matched with the "CS" node since they can be anonymized as "Science" and they have a common node in the third level (in table Tz). The "Physics" node is matched with "Physics", the anonymization here triggers a call of AnonymizeSets on the sets of nodes {"Calc", "Dyn") and {"Dyn"). Node "Dyn" is matched with node "Dyn". No match is found for the node "Calc" so it is suppressed. The last nodes in the second level . -
are anonymized similarly. If we take the function gen as the basic operation, function
anonymize (and thus the algorithm MiRaCle) turns out to be expensive. Assuming n = lC1l = IC21, for every call to anonymizesets(C1, c 2 , ., .), 0 ( n 2 ) generalizations are performed. Note that the anonymize function (thus function anonymizeSets) is recursively called for every level in the relation (roughly speaking for every table in the MR data- base). Given that we have [ levels (tables) in M R , complexity function is defined as f(e) = n2 . f (e - 1). This gives us a complexity of 0(nZe) for function anonymize. So MiRaCle is an O(c1imit . lMRl . nZe) algorithm.
C. MiRaCle Extension: MiRaCleX
As mentioned in the previous sections, a multiR anonymization algorithm can make use of the relational structure of the database to come up with more efficient
Algorithm 3 Anonymize(t l , t2, MR 1, MR2)
Require: Tuple t i belongs to table PT;. All MR i are structurally equivalent, Function gen (Vl ,V2) returns the commonparent of values Vl, V2 on the dgh structure of the associateddomain.
Ensure: MR' is an anonymization of t l and t 2
1: T' ¢= NULL2: Let MR' be a database with transcript (.,., T', n, vipl)3: for all atti of PTl do4: if att; is a QI attribute then {Just anonymize}5: T' [attil [1] ¢= gen(t l [atti], t 2[attiJ)6: if atti is a non-QI non-key or a foreign key then {Copy}7: T'[attil[l] ¢= tl[atti];8: if atti is a primary key for a join with another table then
{Ensure anonymized across join}9: for all pairs of tables Tl;, T'f in MR l , MR2 where atti
is a foreign key doJ0: Let MRj, be the database with transcript
{.,., Tk, F(Tk), att;}11: MR' ¢= MR"I AnonymizeSets (aatti=tl[att<lTl;,
aatti=t2[attiIT'f, MRL MR%)12: T'[atti ][l] ¢= tl[atti]13: return MR'
Algorithm 4 AnonymizeSets(C l = {tLt§, .. ·tin}, C 2 ={ti, t~, ... t;'}, MRl, MR 2)
Require: Sets of tuples C i belongs to tables PT i. All MR i are
structurally equivalent. 1 ~ m ~ nEnsure: MR' is a pairwise anonymization of C l and C 2
1: Let MR' be an empty database, structurally eq. to MRt.2: for all t} E C l do3: for all tJ E C 2 do4: tempMRj ¢= Anonymize(t}, tJ, MR l , MR2)5: costMRj ¢= cost(tempMRj)6: minCostj ¢= arg mint <;ostMRj7: MR' ¢= MR' u tempM RminCostj8: C 2
¢= C2- tminCostj
9: Suppress rest of the tuples in C 2 and add them to PT'10: return MR'
may be considered as a root node of a tree structure storedin database MR i , e.g., Figure 3) The function classifies andprocesses each attribute one by one. Processing of primarykey attributes is important since they serve as connectionsto other tables. Attribute evaluation can be summarized asfollows:
• Lines 4-7: for non-key attributes and foreign key attributes, behave as in single table anonymity: anonymizeQI attributes w.r.t. dgh structures, leave the rest (sensitiveattributes and foreign keys) as they are.
• Lines 8-12: for a primary key attribute att, find all pairsof tables (T~ E STl,Tf E ST2) where att is a foreignkey. We will have two sets of tuples C l = {d, ... ,tA}and C 2 = {tI,'" , t;,} in T~ and Tf respectively whereeach t{[att] = tl[att] and each t~[att] = t 2[att]. Call"anonymizeSets(Cl, C2
,.,., .)" to find suitable one-toone matchings between tts and t;s. Suitability of a given
10matching depends on the effect of the generalizationon all of the connected tables (This is ensured byrecursive calls to the anonymization function in Line 4.)Anonymize matched tuples with each other, suppressingany unmatched tuples.
Given sets of tuples C l and C2 , and assuming n = IC1, =
IC21 there are O(n!) possible pairwise matchings. It is costly
to search such a big space to find a cost optimal matching.Because of this, algorithm anonymizeSets uses the followingmatching heuristic. Each node in C l is matched optimallywith a node in C 2 one by one. (e.g., d is matched with atuple in C 2 , then t§ is matched with another, ... ) This waycomplexity reduces to O(n2
) pairwise matchings.The algorithm can use any incremental cost metric that can
be defined on a database. For the experiments, we will usethe LM metric defined in Section II.
Table III shows the output of MiRaCle on the MR inputgiven in Table II for k = 2. vip S 1 and S2, and vip S3and S4 anonymized with each other. Figure 3 shows howSl and S2 are anonymized. The algorithm first ensures thetuples are anonymous w.r.t. QI attributes. Since Tp does notcontain any QI attributes, no change is done (the root nodesin Figure 3). However, the primary key of Tp , Sid, occurs inTl as a foreign key, so algorithm AnonymizeSets is called on
the sets of tuples asid="Sl"Tl and asid="S2"Tl (the nodeson the second level of the trees). A one-to-one matching oftuples is done according to how costly the anonymizationof the matched tuples will be. Anonymization in this levelalso takes into account table T2 (Books table), since T2 andTl share SCid as a joining key. First, the "Math" node ismatched with the "CS" node since they can be anonymizedas "Science" and they have a common node in the third level(in table T2). The "Physics" node is matched with "Physics",the anonymization here triggers a call of AnonymizeSets onthe sets of nodes {"Calc", "Dyn"} and {"Dyn"}. Node "Dyn"is matched with node "Dyn". No match is found for the node"Calc" so it is suppressed. The last nodes in the second levelare anonymized similarly.
If we take the function gen as the basic operation, functionanonymize (and thus the algorithm MiRaCle) turns out tobe expensive. Assuming n = ICll = IC2 1, for every callto anonymizeSets(Cl, C2,., .), O(n2) generalizations areperformed. Note that the anonymize function (thus functionanonymizeSets) is recursively called for every level in therelation (roughly speaking for every table in the MR database). Given that we have f. levels (tables) in M R, complexityfunction is defined as j(f.) = n 2 . j(f. - 1). This gives us acomplexity of O(n2i ) for function anonymize. So MiRaCleis an O(climit . 1MRI . n 2i ) algorithm.
C. MiRaCle Extension: MiRaCleX
As mentioned in the previous sections, a multiRanonymization algorithm can make use of the relationalstructure of the database to come up with more efficient
heuristics. We present one example of such a heuristic in this section.
The MiRaCle anonymization process given in Section IV- B.2 considers the whole sibling subtrees when deciding on a suitable matching of sibling nodes. (in other words, subtree matching is done rather than node matching.) This is an effective way of achieving an anonymization with maximum precision. However, it is costly in terms of execution time since the Anonymize function has to be called for each potentially matched subtree pair (even for pairs that are not matched at the end of the anonymization process).
MiRaCle extension, MiRaCleX, makes use of the follow- ing observation: If QI values for two root nodes are similal; then QI values for their children are likely to be similar too. (If two students are both taking "Math" course, it is probable that they are both using a "Math" book.) This observation can be generalized for most relational databases. (The tail of the relations is correlated with the root of the relation.) An algorithm may produce anonymizations with reasonable precision much faster by just looking at the QI attribute similarities of the upper level nodes of the relation and not considering lower level nodes. Given this, pairing of sibling nodes in the AnonymizeSets function of MiRaCleX can be rewritten as in Algorithm 5. By this, the recursive call to the Anonymize function is moved outside of the innermost loop and the complexity function for function anonymize becomes f ( e ) = n . f (e - 1) + n2. This gives us a complexity of O(ne+') for function anonymize. So MiRaCleX is an O(climit . I M R ( . ne+') algorithm.
In Figure 3, to find a matching be- tween {"~ath","~h~sics~","~istory") and { " ~ ~ " , " ~ h ~ s i c s ~ " , " ~ e l i ~ i o n " ) in the second level, MiRaCleX Anonymize function only considers QI attributes in the Course table TI, ignoring information in the Books table T2. Once matching is done on the second level (e.g., " ~ h ~ s i c s ' " to "Physics2"), QI attributes in the Books table specify the matching on the third level (e.g., a matching between {"Calc","Dyn") and {"Dyn")).
D. Proof of k-Anonymity for MiRaCle Anonymiza - t i o n A l g o r i t h m
Now we prove that MiRaCle produces k-anonymous data- bases'. Since the algorithm preserves the structure of the data and all changes are based on either generalizations or suppressions, the third requirement for k-anonymity trivially holds. The following theorems prove the first requirement (sensitive information protection). The proof for the second requirement is similar. Since k-anonymity ensures total pro- tection against sensitive information disclosure only when sensitive information is unique for every tuple, throughout the proof, we assume such constraint is enforced in the dataset and prove sensitive information is k-anonymous in the output
2~iscussion also applies for MiRaCleX
Algorithm 5 ~ n o n ~ m i z e ~ e t s ~ ( ~ ' = {t i , t i , . . . t k} , c2 lt? , tZ. . . . t ? ~ . M R ~ . M R ~ )
Require: Sets of tuples ci belongs to tables PT~. All M R ~ are structurally equivalent. 1 < m 5 n
Ensure: MR* is a painvise anonymization of c1 and C 2 1: let MR* be an empty database, structurally eq. to MR'. 2: for all t: E C1 do 3: for all t: E C 2 do 4: for all attribute a t t of t: do 5: if at t is a QI attribute then 6: t; [att] -+ gen(t! [att], t?[att]) 7: else 8: t; [att] -+ t: [att] 9: minCost j -+ argrninj cost(t;)
10: tempMR -+ Anonymize(t:, tkinCostj, MR', MR2) 11: MR* -+ MR* U tempMR 12: c2 -+ C2 - tLinCostj 13: suppress rest of the tuples in c2 and add them to P T * 14: return MR*
dataset. We assume the schemas satisfy the assumptions given in Section IV-A.
We start by showing that anonymization of two private entities is correctly carried out by the function Anonymize. The function Anonymize given in Algorithm 3 produces one representation of the anonymization as opposed to multiple copies of it. For each equivalence class, copies are produced from the representation at the end of MiRaCle given in Algorithm 2. It is trivial to modify the function Anonymize to output the necessary copies. The proofs below will assume copies exist in the Anonymize output. Since the algorithm structure is recursive, we first prove the base case:
Lemma 2: Let MR1 and M R ~ have structurally equiva- lent schemas with ST^ = {). Let ti be a tuple in P T ~ . Then function " ~ n o n ~ m i z e ( t l , t2, MR', MR2)" produces a 2- anonymization for the tuples t1 and t2.
PROOF. Since there are no tables connected to P T ~ , Anonymize only applies basic generalizations to QI attributes of ti as in the single table k-anonymization process. This ensures each QI in the two anonymized tuples is the same. Therefore any subset of the QI occurs in at least two tuples; with no links to other tables, 2-anonymity holds.3
We now prove, in a bottom up fashion, the recursive step to prove that k-anonymity property is propagated through connected tables: If we take a set of k-anonymous databases, and add another k-anonymous table where the join keys for each set of private entities join (only) with an equivalence class in the table, and vice-versa, then the combined set of tables is k-anonymous.
Lemma 3: Let MR', . . . , MRi, . . . , MRt be t structurally equivalent k-anonymous databases with set of sensitive at- tributes S, QI attributes Q = {qil,. . . , qil) and a common
3 ~ h e algorithm behaves exactly like CDGH anonymization algorithm [I51 in this case.
heuristics. We present one example of such a heuristic in thissection.
The MiRaCle anonymization process given in Section IVB.2 considers the whole sibling subtrees when deciding on asuitable matching of sibling nodes. (in other words, subtreematching is done rather than node matching.) This is aneffective way of achieving an anonymization with maximumprecision. However, it is costly in terms of execution timesince the Anonymize function has to be called for eachpotentially matched subtree pair (even for pairs that are notmatched at the end of the anonymization process).
MiRaCle extension, MiRaCleX, makes use of the following observation: If Q/ values for two root nodes are similar,then Q/ values for their children are likely to be similar too.(If two students are both taking "Math" course, it is probablethat they are both using a "Math" book.) This observationcan be generalized for most relational databases. (The tailof the relations is correlated with the root of the relation.)An algorithm may produce anonymizations with reasonableprecision much faster by just looking at the QI attributesimilarities of the upper level nodes of the relation and notconsidering lower level nodes. Given this, pairing of siblingnodes in the AnonymizeSets function of MiRaCleX can berewritten as in Algorithm 5. By this, the recursive call tothe Anonymize function is moved outside of the innermostloop and, the complexity function for function anonymizebecomes f(e) = n· f(e -1) +n2 • This gives us a complexityof O(nl+ 1
) for function anonymize. So MiRaCleX is anO(cJ.imit ·IMR\· nl+1
) algorithm.In Figure 3, to find a matching be-
tween {"Math","Physics1","History"} and{"CS","Physics2","Religion"} in the second level, MiRaCleXAnonymize function only considers QI attributes in the Coursetable Tl, ignoring information in the Books table T2. Oncematching is done on the second level (e.g., "Physics1"
to "Physics2 ,,), QI attributes in the Books table specifythe matching on the third level (e.g., a matching between{"Calc","Dyn"} and {"Dyn"}).
D. Proofof k-Anonymity for MiRaCle Anonymization Algorithm
Now we prove that MiRaCle produces k-anonymous databases2
• Since the algorithm preserves the structure of thedata and all changes are based on either generalizations orsuppressions, the third requirement for k-anonymity triviallyholds. The following theorems prove the first requirement(sensitive information protection). The proof for the secondrequirement is similar. Since k-anonymity ensures total protection against sensitive information disclosure only whensensitive information is unique for every tuple, throughout theproof, we assume such constraint is enforced in the datasetand prove sensitive information is k-anonymous in the output
2Discussion also applies for MiRaCleX
1 IIAlgorithm 5 AnonymizeSetsX(C l = {tL t~, ... t m }, C 2
{ti ,t~" .. t~}, MRl, MR 2)
Require: Sets of tuples Ci belongs to tables PTi. All MRi arestructurally equivalent. 1 :S m :S n
Ensure: MR' is a pairwise anonymization of C1 and C 2
1: let MR' be an empty database, structurally eq. to MRi.2: for all t} E C 1 do3: for all t; E C 2 do4: for all attribute att of t} do5: if att is a QI attribute then6: tj [att] ¢= gen(tHatt], t; [att])7: else8: tj [att] ¢= tHatt]9: minCostj ¢= argminj cost(tj)
10: tempMR ¢= Anonymize(t}, t;'inCostj, MR1, MR 2
)
11: MR' ¢= MR' UtempMR12: C 2
¢= C2- t;'inCostj
13: suppress rest of the tuples in C 2 and add them to PT'14: return MR'
dataset. We assume the schemas satisfy the assumptions givenin Section IV-A.
We start by showing that anonymization of two privateentities is correctly carried out by the function Anonymize.The function Anonymize given in Algorithm 3 produces onerepresentation of the anonymization as opposed to multiplecopies of it. For each equivalence class, copies are producedfrom the representation at the end of MiRaCle given inAlgorithm 2. It is trivial to modify the function Anonymize tooutput the necessary copies. The proofs below will assumecopies exist in the Anonymize output. Since the algorithmstructure is recursive, we first prove the base case:
Lemma 2: Let MR 1 and MR 2 have structurally equivalent schemas with STi = n. Let t i be a tuple in PTi .
Then function "Anonymize(t1, t 2 , MR 1 , MR 2)" produces a 2
anonymization for the tuples t 1 and t2.
PROOF. Since there are no tables connected to PT i ,
Anonymize only applies basic generalizations to QI attributesof t i as in the single table k-anonymization process. Thisensures each QI in the two anonymized tuples is the same.Therefore any subset of the QI occurs in at least two tuples;with no links to other tables, 2-anonymity holds.3 0
We now prove, in a bottom up fashion, the recursive stepto prove that k-anonymity property is propagated throughconnected tables: If we take a set of k-anonymous databases,and add another k-anonymous table where the join keys foreach set of private entities join (only) with an equivalenceclass in the table, and vice-versa, then the combined set oftables is k-anonymous.
Lemma 3: Let MR 1 , . .. , MR i , ... , MRt be t structurallyequivalent k-anonymous databases with set of sensitive attributes S, QI attributes Q = {qil,'" ,qid and a common
3The algorithm behaves exactly like CDGH anonymization algorithm[15] in this case.
vip attribute vip. Suppose P T ~ S contain a key pri. Let ECMRi(pri') returns the set o f pri values that belong to the equivalence class of the pri value pri' in MRi. Also suppose for any value pri', ECMRa (pri') = ECMRb ( ~ r i ' ) if pri' E PTa, P T ~ . That means equivalence classes of attribute pri are the same in all M R ~ . Let ~ ~ ~ ~ ( ~ r i ' ) return this universal equivalence class o f pri'.
Let MRToot be another k-anonymous db with transcript (., ., T , {) ,pri) . Suppose T has attributes (pi , attl , . . . , attm, senl, . . . , senn). By definition pri is the primary key, attis are QI attributes , and senjs are sensitive attributes. (Note that T should be also k- anonymous.) and also suppose ~ C ~ ( p r i ' ) = ~ C ~ ~ ( p r i ' ) for every possible pri'. Then MR = MRToot 1 l(Ui MRi) is also k-anonymous.
As an example for Lemma 3, in Ta- ble 111, MR1={.,.,a~ourse=~~~ciencell~i>
{ ~ s c ~ ~ = s c ~ v s c ~ ~ = s c ~ T ~ * ) , SCid), MR2={.,.,acourse=ll~hysicsll~;,
{ascid=sc2vscid=scsT~}, SCid). The pri attribute above corresponds to the attribute Sid and MRroot =
{., . , T ' , 0, Sid).
PROOF. Suppose this is not the case and there exists a query Q on the join JT where 0 < I&(Q(JT))I < k for some sensitive s which is an attribute either in S or in table T . We will look at each case separately. First suppose s E S and some sf E &(Q(JT)) . This implies that there exists at least one tuple t(pri = p, attl ..., = a1 ...,, vip = v , qil...e =
ql ...e, s = s f ) E JT (otherwise s f has no connection with T and we get a contradiction from the k-anonymity o f the MRi), and (pri = p, attl ..., = a1 ...,) E T . Now suppose sf occurs in MRa (1 5 a 5 j ) and (vip = v,pri = p, s =
s f , qi ,...e = ql ...e) E JTa. Since MRa is k-anonymous, (vip = vj,pri = pj, s = sj,qi ,...e = ql ...e) E JTa also holds, for every pj E ECMR(p) and for distinct sj. By the definition o f T , if (pri = p,attl ..., = a1 ...,) E T , also (pri = pj, attl ..., = a1 ...,) E T holds for the same set o f pjs. However, in that case (pri = pj,attl ..., =
a1 ...,, vip = v,qi l...e = ql ...e, s = s j ) E JT. This means we have at least k - 1 other s values with the same QI attributes as s f . (e.g., consider table Tp in Figure 3, p=S1 and one MRa is the two generalization trees with s =
93,78 respectively and both rooted from "Science" node with ECTp(Sl) = ECMRa(S1)={S1,S2). AS S1 is connected to one tree, S2 is connected to the other. This is true for all other MRas: two MR dbs rooted from "Physics" and "Social" nodes respectively. It is impossible to distinguish S1 from S2 by using only QI attributes.) Then if s f E IIs(Q(JT)) , sj E &(Q(JT) ) meaning Ins (Q(JT))I 2 k.
The proof is similar when s is an attribute from T . Suppose again sf E IIs(Q(JT)) and (pri = p, attl ..., = a1 ...,, vip =
v,qi ,...e = ql ...e, s = s f ) E JT. In this case, p may occur in more than one MRa but since equivalence class o f p is the same in each o f them, discussion is still valid. In this
1 case, we have (pri = p,attl ..., = a1 ...,, s = s f ) E T and (vip = v,pri = p,qi l...e = q1 ...e) E JTa. Since MRa is k-anonymous, (vip = vj ,pri = pj, qil...e = ql ...e) E JTa also holds, for every pj E ECMR(p). By the definition o f T , (pri = pj, s = sj,att l... , = a1 ...,) E T holds for same pjs and distinct sj. Again we will have, (vip = v j , ~ i =
pj, attl ..., = a1 ...,,q il...e = ql ...e, s = s j ) E JT and sj E
n s ( Q ( J T ) ) .
Theorem 4: Let MR1 and MR2 have structurally equiva- lent schemas with ST^ = {T!, . . . ,T:} and tuple ti E P T ~ . Then function " ~ n o n ~ m i z e ( t l , t2 , MR1, MR2)" produces 2- anonymization for the tuples t1 and t2 in some MultiR db MR*.
PROOF. Without loss of generality, suppose only T ~ S di- rectly joins with P T ~ S . In Lines 4-7, the algorithm first generalizes t1 and t2 with each other. This provides 2- anonymity for t1 and t2 locally in PT*. ( I f we create a MR db for the anonymous t1 and t2 , it will refer to the 2-anonymous MRroot in Lemma 3.) Next, in line 4 of the anonymizeSets algorithm, the anonymization function is called on each pair o f their connections in T: and T:. (Databases returned from these calls correspond to 2-anonymous MRa databases of Lemma 3.) Returned anonymous dbs are first merged in line 7 of anonymizeSets and then concatenated with the anonymous tuples in line 1 1 as in Lemma 3. (MR* = M R ~ O O ~ J J (Ui MRi ) ) Since operations are propagated through those tuples of T: and T: joined with t1 and t2 , equivalence classes are explicitly matched through the connected tables. The final output is 2-anonymous by Lemma 3.
Theorem 5: MiRaCle, when given an input database MR and appropriate parameters, produces a k-anonymous data- base MR*.
PROOF. The skeleton of MiRaCle is a clustering-based k-anonymity algorithm. The only change MiRaCle introduces is to call Anonymi~e (a , ,~~z=~~ PT', avip2=vz P T ~ , MR1, MR2) lines 9 and 15 for the anonymization of two private trees rooted at vl and vg. Here each private tree is actually a cluster representative for multiple trees. Nodes in each representative tree may have values from higher domains in the given dgh structure (values such as "Science", "Social"). However, such difference does not have any effect on the execution o f the anonymize function since the generalization function gen is well-defined also on higher domains (gen("Science","Math")="Science"). The MR* database returned by the anonymization function will still be anonymous with respect to both trees. Specifically i f vl E MR1 and v2 E MR2 are m and n anonymous vip representations respectively then vg E MR*=anonymize(vl, v2, MR1, M R ~ ) is an m + n anonymous representation. At the end of the MiRaCle algorithm, every cluster C has more than k elements and the associated cluster representative uc is a ICI-anonymous
vip attribute vip. Suppose PTis contain a key pri. LetECMR' (pri') returns the set of pri values that belong tothe equivalence class of the pri value pri' in MRi . Alsosuppose for any value pri', ECMRa(pri') = ECMRb(pri') ifpri' E PTa, PTb. That means equivalence classes of attributepri are the same in all MRi . Let ECMR(pri') return thisuniversal equivalence class of pri'.
Let M R TOOt be another k-anonymous db withtranscript (.,., T, {},pri). Suppose T has attributes(pri, attI,' .. , attm , senI,'" , senn). By definition priis the primary key, attis are QI attributes , and senjsare sensitive attributes. (Note that T should be also kanonymous.) and also suppose ECT(pri') = ECMR(pri')for every possible pd'. Then MR = MRTootll(Ui MRi ) isalso k-anonymous.
As an example for Lemma 3, in Ta-ble III, MRI={.,.,crCouTse="Science"Ti,{crSCid=SCIVSCid=SC4T5}, SCid},M R2={o,o,O'Course= "Physics"Tt,
{crSCid=SC2VSCid=ScsTn, SCid}. The pri attributeabove corresponds to the attribute Sid and M R TOOt =
{.,., T;, {}, Sid}.
PROOF. Suppose this is not the case and there exists aquery Q on the join JT where 0 < IIIs(Q(JT)) I < k forsome sensitive s which is an attribute either in S or in tableT. We will look at each case separately. First suppose s E Sand some s' E IIs(Q(JT)). This implies that there exists atleast one tuple t(pri = p, attl ...m = al ...m ,vip = v, qil ...e =
ql ...e, s = s') E JT (otherwise s' has no connection withT and we get a contradiction from the k-anonymity of theMRi), and (pri = p, attl ...m = al ...m ) E T. Now suppose s'occurs in MR a (1 ::; a ::; j) and (vip = v,pri = p, s =s', qil ...e = ql ...e) E JTa. Since MRa is k-anonymous,(vip = vj,pri = Pj,S = sj,qil ...e = ql ...e) E JTa alsoholds, for every Pj E ECMR(P) and for distinct Sj' Bythe definition of T, if (pri = p, attl ...m = al ...m ) E T,also (pri = Pj,attl ...m = al ...m ) E T holds for the sameset of Pjs. However, in that case (pri = Pj, attl ...m =
al ...m,vip = v,qi l ...e = ql ...e,s = Sj) E JT. This meanswe have at least k - 1 other S values with the same QIattributes as s'. (e.g., consider table Tp in Figure 3, p=SIand one MRa is the two generalization trees with s =
93, 78 respectively and both rooted from "Science" node withECTp(SI) = ECMRa(SI)={SI,S2}. As SI is connected toone tree, S2 is connected to the other. This is true for allother MRas: two MR dbs rooted from "Physics" and "Social"nodes respectively. It is impossible to distinguish S I fromS2 by using only QI attributes.) Then if s' E IIs(Q(JT)),Sj E IIs(Q(JT)) meaning IIIs(Q(JT))1 ~ k.
The proof is similar when s is an attribute from T. Supposeagain s' E IIs(Q(JT)) and (pri = p, attl' ..m = al ...m ,vip =
v, qil ...e = ql ...e, s = s') E JT. In this case, p may occurin more than one MRa but since equivalence class of p isthe same in each of them, discussion is still valid. In this
-------_._--------
. , ~case, we have (pr2 = p, attl ...m = al ...m , s = s ) E T an(vip = v,pri = p, qil ...e = ql ...e) E JTa. Since MRa isk-anonymous, (vip = vj,pri = Pj, qi l ...e = ql ...e) E JTa
also holds, for every Pj E ECMR(P). By the definition ofT, (pri = Pj, s = Sj, attl ...m = al ...m ) E T holds for samePjS and distinct Sj. Again we will have, (vip = vj,pri =
Pj, attl .. ·m = al .. ·m , qil ...e = ql ...e, S = Sj) E JT and Sj EIIs(Q(JT)). 0
Theorem 4: Let MR I and MR 2 have structurally equivalent schemas with STi = {T{, ... , TA} and tuple tiE PTi.Then function "Anonymize(t l , t2, MR I , MR2)" produces 2anonymization for the tuples t l and t2 in some MultiR dbMR'.
PROOF. Without loss of generality, suppose only T{s directly joins with PTis. In Lines 4-7, the algorithm firstgeneralizes t l and t2 with each other. This provides 2anonymity for t l and t2 locally in PT'. (If we create aMR db for the anonymous t l and t2 , it will refer to the2-anonymous MR TOOt in Lemma 3.) Next, in line 4 of theanonymizeSets algorithm, the anonymization function is calledon each pair of their connections in Tl and Tf. (Databasesreturned from these calls correspond to 2-anonymous MRa
databases of Lemma 3.) Returned anonymous dbs are firstmerged in line 7 of anonymizeSets and then concatenated withthe anonymous tuples in line II as in Lemma 3. (MR' =M R Toot II CUi M Ri ) Since operations are propagated throughthose tuples of Tl and Tf joined with t l and t2
, equivalenceclasses are explicitly matched through the connected tables.The final output is 2-anonymous by Lemma 3. 0
Theorem 5: MiRaCle, when given an input database MRand appropriate parameters, produces a k-anonymous database MR'.
PROOF. The skeleton of MiRaCle is aclustering-based k-anonymity algorithm. Theonly change MiRaCle introduces is to callAnonymize(crVipl=Vl PTI , crVip2=V2 PT2, MR I , MR2)lines 9 and 15 for the anonymization of two private treesrooted at VI and V2. Here each private tree is actuallya cluster representative for multiple trees. Nodes in eachrepresentative tree may have values from higher domainsin the given dgh structure (values such as "Science","Social"). However, such difference does not have anyeffect on the execution of the anonymize function sincethe generalization function gen is well-defined alsoon higher domains (gen("Science","Math")="Science").The M R' database returned by the anonymizationfunction will still be anonymous with respect to bothtrees. Specifically if VI E MR I and V2 E MR2 are m
and n anonymous vip representations respectively thenV3 E MR'=anonymize(vl,v2,MRl,MR2) is an m+nanonymous representation. At the end of the MiRaClealgorithm, every cluster C has more than k elements andthe associated cluster representative Vc is a ICI-anonymous
0 m N m m rm im ~ r o 160 rso m
k Value
Fig. 4. LM cost for varying k figure
0 8
0 L1 0 2 0 3 4 (1-1 0 8 07
Threshold
Fig. 5. LM Cost for varying threshold figure
representative. v~ for each C is reproduced for every entity within C (so that they form an equivalence class). This ensures k-anonymity. So Theorem 4 also implies the correctness of Theorem 5.
V. Experiments
To compare the flexibility of MiRaCle, MiRaCleX and single-tabIe (bitmap) approach, we conducted experiments on synthetic data structured as in Table 11. We created 1000 random students; to each student we assigned 1 obligatory, 2 or 3 technical elective, and 2 or 3 non-technical electives from 22 courses. Each course had 2, 3 or 4 textbooks to choose from. The distribution of courses and books to students was designed to match Bilkent University's undergraduate program requirements. We ran MiRaCle and MiRaCleX on the original database and the CDGH anonymization algorithm [15] on a bitmap transformation of the database. We fixed the cluster limit to be 150. To evaluate the utility of the
k Value
Fig. 6. DM cost for incomplete data figure
m
0 m w rn so tm ?m 160 ?so ?so m
k Value
Fig. 7. DM cost for complete data figure
anonymizations, we used the adaptations of the LM and DM cost metrics defined in Section 11.
To observe how MiRaCle and MiRaCleX algorithms ad- dress weaknesses given in items 2 and 5 of Section 111-C, we first assumed that the dataset is incomplete as described in Section 111-C. In Figure 4, we graph the change in LM costs of three anonymizations with respect to different k. Both MiRaCle and MiRaCleX are 30-40% less costly than the Bitmap algorithm. Figure 5 supports the same relation for a fixed k = 50 but with varying threshold (clustering input parameter). Figure 6 shows the DM costs for the algorithms. MiRaCle and MiRaCleX slightly outperform the Bitmap algorithm on the DM metric.
We next conducted experiments assuming that the dataset is complete. LM is not a suitable metric for comparison here since it does not take into account tuples that are not in the dataset. Figure 7 shows the DM cost results. We see that all three algorithms have similar costs and there is no obvious winner. The MiRaCle algorithm loses its flexibility advantage discussed in item 3 of Section 111-C. This is due
13
0.7···········/·········· .
0.'··················································· .
-+-BllInillp___ MIRler,x
"-'<:'··MIR.CI.
.00000o
100000o
;;o0,00000o,.C
-+-Bflmap-..-MIR.CloX""<;,~MIRICI.
0.'
~ ~ ~ ~ 100 1~ 1~ 1~ 1~ ~
k Value~ ~ ~ ~ 100 1~ 1~ 1~ 1~ ~
k Value
Fig. 4. LM cost for varying kfigure
Fig. 6. OM cost for incomplete datafigure
-..-----...._------+---...
0.5
.......................... -+-Bltmap
-..-MIRaCleX
"""''''MIRaCle...................................
-+-BIIIl'lflP___ MIR.Old:
'\--'MIRaClll .
0.2
Threshold0.7 ~ ~ 00 00 100 1~ 1~ 1~ 1~ ~
k Value
Fig. 5. LM Cost for varying threshold Fig. 7. OM cost for complete datafigure figure
representative. va for each C is reproduced for everyentity within C (so that they form an equivalence class).This ensures k-anonymity. So Theorem 4 also implies thecorrectness of Theorem 5. D
v: Experiments
To compare the flexibility of MiRaCle, MiRaCleX andsingle-table (bitmap) approach, we conducted experiments onsynthetic data structured as in Table II. We created 1000random students; to each student we assigned I obligatory,2 or 3 technical elective, and 2 or 3 non-technical electivesfrom 22 courses. Each course had 2, 3 or 4 textbooks tochoose from. The distribution of courses and books to studentswas designed to match Bilkent University's undergraduateprogram requirements. We ran MiRaCle and MiRaCleX onthe original database and the CDGH anonymization algorithm[15] on a bitmap transformation of the database. We fixedthe cluster limit to be 150. To evaluate the utility of the
anonymizations, we used the adaptations of the LM and DMcost metrics defined in Section II.
To observe how MiRaCle and MiRaCleX algorithms address weaknesses given in items 2 and 5 of Section III-C,we first assumed that the dataset is incomplete as describedin Section III-C. In Figure 4, we graph the change in LMcosts of three anonymizations with respect to different k.Both MiRaCle and MiRaCleX are 30-40% less costly thanthe Bitmap algorithm. Figure 5 supports the same relationfor a fixed k = 50 but with varying threshold (clusteringinput parameter). Figure 6 shows the DM costs for thealgorithms. MiRaCle and MiRaCleX slightly outperform theBitmap algorithm on the DM metric.
We next conducted experiments assuming that the datasetis complete. LM is not a suitable metric for comparison heresince it does not take into account tuples that are not inthe dataset. Figure 7 shows the DM cost results. We seethat all three algorithms have similar costs and there is noobvious winner. The MiRaCle algorithm loses its flexibilityadvantage discussed in item 3 of Section III-C. This is due
14 [2] M. Atzori, "Weak -anonymity: A low-distortion model for protect-
ing privacy." in ISC, 2006, pp. 6&7 1. [3] K. W. B. Fung and P. Yu, "Top-down specialization for information
and privacy preservation," in Proc. of the 21st Int'l Conf: on Data Engineering, 2005.
[4] R. Bayardo and R. Agrawal, "Data privacy through optimal k- anonymization," in Proc. of the 21st Int'l Conf: on Data Engineer- ina, 2005.
-a-Btlmw (51 J . ~ o m i n ~ o - ~ e r r e r and V. Torra. "Ordinal, continuous and heteroge- +YIRaCL.X
--A-YIRaCIo neous k-anonymity through microaggregation," Data Min. Knowl. Discov., vol. 11, no. 2, pp. 195-212, 2005.
161 A. 0. hm and L. Ohno-Machado, "Using boolean reasoning
to anonvmize databases." Artificial Intelliaence in Medicine.
0 10 40 60 BD lm 110 140 160 180 1DO
k Value
Fig. 8. Execution Time figure
to the fact that entity anonymizations of MiRaCle are not optimal which means there are cases where Bitmap approach is better w.r.t. precision. However, in Figure 8, we plot the execution time required to run both algorithms on a 1.66GHz Intel Core Duo machine. Consistent with the disscusion in items 6 and 8 of Section 111-C, MiRaCleX outperforms both algorithms by a factor of at least 3 (This is true even though we ignored the time spent to convert the dataset to the bitmap format for bitmap anonymizations.) It should be noted that execution times in all conducted experiments show similar behavior. One important observation here is that MiRaCleX have better or comparable utilization when compared to MiRaCle and itm map algorithms in all of the experiments however MiRaCleX is much faster than both algorithms. This implies that underlying heuristic works for the experimental dataset.
VI. Conclusions
We have shown that in a full database setting, single table k-anonymity algorithms either fail to protect privacy, or overly reduce the utility of the data. We proposed a more flexible anonymity algorithm for snowflake schemas. Support for arbitrary schemas with multiple private entities can be considered as future work. Other proposed extensions to k-anonymity such as weak k-anonymity [2], &diversity [13], t-closeness [12], 6-presence [I41 application specific k- anonymity [3], distributed k-anonymity [22], and personalized anonymity [20] face similar challenges when considering multi-relational k-anonymity.
References
[ l ] G. Agrawal, T. Feder, K. Kenthapadi, S. Khuller, R. Panigrahy, D. Thomas, and A. Zhu, "Achieving anonymity via clustering," in PODS '06: Pmc. of the 25th ACM SIGMOD-SIGACTSIGART symposirrm on Principles of database systems, Chicago, IL, USA, June 26-28 2006, pp. 153-162.
vol. 15, no. 3, pp. 235-254, ~ a i 1999. http://dx.doi.org/10.1016/ SO933-3657(98)ooO56-6
[7] A. Hundepool and L. Willenborg, "p and t-argus: software for statistical disclosure control," in Third International Seminar on Statistical Confdentiality, 1996.
181 V. Iyengar, "Transforming data to satisfy privacy constraints," in Proc., the Eigrh ACM SIGKDD Int'l Conf: on Knowledge Discovery and Data Mining, 2002, pp. 279-288.
1191 D. Kifer and J. Gehrke, "Injecting utility into anonymized datasets," in SIGMOD '06: Proceedings of the 2006 ACM SIGMOD interna- tional conference on Management of data. New York, NY, USA: ACM Press. 2006. pp. 217-228.
[lo] K. LeFevre, D. DeWitt, and R. Ramakrishnan, "Incognito: Efficient full-domain k-anonymity." in Proc. of the 2005 ACM SIGMOD Int'l Conf: on Management of Data, Baltimore, MD, June 13-16 2005.
[I I] K. LeFevre, D. DeWitt, and R. Ramakrishnan, "Multidimensional k-anonymity," University of Wisconsin, Madison, Tech. Rep. 1521, June 2005. http://www.cs.wisc.edu/techreport~/2005~Rl52l.pdf
[I21 N. Li and T. Li, "t-closeness: Privacy beyond k-anonymity and I- diversity:' in Proceedings of the 23nd International Conference on Data Engineering (ICDE '07), Istanbul, Turkey, Apr. 16-20 2007.
[13] A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubrama- niam, "1-diversity: Privacy beyond k-anonymity," in Pmc. of the 22nd IEEE Int'l Con$ on Data Engineering (ICDE 2006), Atlanta Georzia. Aor. 2006. - .
[14] M. E. Nergiz, M. Atzori, and C. Clifton, "Hiding the presence of individuals in shared databases," in SIGMOD '07: Proceedings of the 2007 ACM SIGMOD international conference on Management of data, Beijing, China, June 11-14 2007.
[15] M. E. Nergiz and C. Clifton, "Thoughts on k-anonymization," in ICDEW '06: Pmc. of the 22nd Int'l Conf: on Data Engineering Workshops. Washington, DC, USA: IEEE Computer Society, 2006, p. 96.
[I61 P. Samarati, "Protecting respondents' identities in microdata re- lease:' IEEE Transactions on Knowledge and Data Engineering, vol. 13, no. 6, pp. 101&1027, 2001.
[I71 L. Sweeney, "Guaranteeing anonymity when sharing medical data, the datafly system," in Proc., Journal of the American Medical Informatics Association. Hanley & Belfus, Inc., 1997.
[I81 L. Sweeney, "Achieving k-anonymity privacy protection using gen- eralization and suppression," International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, vol. 10, no. 5, 2002.
[19] L. Sweeney, "k-anonymity: a model for protecting privacy." Int. J. Uncertain. Fuuiness KnowL-Based Syst., vol. 10, no. 5, pp. 557- 570, 2002.
[20] X. Xiao and Y. Tao, "Personalized privacy preservation," in SIG- MOD '06: Proc. of the 2006 ACM SIGMOD Int'l Conf: on Man- agement of data. New York, NY, USA: ACM Press, 2006, pp. 229-240.
[21] C. Yao, X. S. Wang, and S. Jajodia, "Checking for k-anonymity violation by views." in VLDB '05: Proc. of the 31st Int'l Conf: on Very large data bases. VLDB Endowment, 2005, pp. 910-921.
1221 S. Zhong. Z. Yang, and R. N. Wright. "Privacy-enhancing k- anonymization of customer data," in PODS '05: Proc. of the 24th ACM SIGMOD-SIGACTSIGART symposium on Principles of database systems. New York, NY, USA: ACM Press, 2005, pp. 139-147.
k Value
Fig. 8. Execution Timefigure
to the fact that entity anonymizations of MiRaCle are notoptimal which means there are cases where Bitmap approachis better w.r.t. precision. However, in Figure 8, we plot theexecution time required to run both algorithms on a 1.66GHzIntel Core Duo machine. Consistent with the disscusion initems 6 and 8 of Section III-C, MiRaCleX outperforms bothalgorithms by a factor of at least 3 (This is true even thoughwe ignored the time spent to convert the dataset to the bitmapformat for bitmap anonymizations.) It should be noted thatexecution times in all conducted experiments show similarbehavior. One important observation here is that MiRaCleXhave better or comparable utilization when compared toMiRaCle and Bitmap algorithms in all of the experimentshowever MiRaCleX is much faster than both algorithms. Thisimplies that underlying heuristic works for the experimentaldataset.
VI. Conclusions
We have shown that in a full database setting, singletable k-anonymity algorithms either fail to protect privacy,or overly reduce the utility of the data. We proposed amore flexible anonymity algorithm for snowflake schemas.Support for arbitrary schemas with multiple private entitiescan be considered as future work. Other proposed extensionsto k-anonymity such as weak k-anonymity [2], i-diversity[13], t-closeness [12], a-presence [14] application specific kanonymity [3], distributed k-anonymity [22], and personalizedanonymity [20] face similar challenges when consideringmulti-relational k-anonymity.
References
[I J G. Agrawal, T. Feder, K. Kenthapadi, S. Khuller, R. Panigrahy,D. Thomas, and A. Zhu. "Achieving anonymity via clustering,"in PODS '06: Proc. of the 25th ACM SIGMOD-SIGACT-SIGARTsymposium on Principles of database systems. Chicago, IL, USA,June 26-28 2006, pp. 153-162.
14[2J M. Atzori, "Weak -anonymity: A low-distortion model for protect
ing privacy." in ISC, 2006, pp. 60-71.[3J K. w. B. Fung and P. Yu. "Top-down specialization for information
and privacy preservation," in Proc. of the 21st Int'l Can! on DataEngineering. 2005.
[4J R. Bayardo and R. Agrawal, "Data privacy through optimal kanonymization," in Proc. of the 21st Int'l Can! on Data Engineering, 2005.
[5] J. Domingo-Ferrer and V. Torra, "Ordinal, continuous and heterogeneous k-anonymity through microaggregation," Data Min. Knowl.Discov.• vol. II, no. 2, pp. 195-212, 2005.
[6J A. O. hm and L. Ohno-Machado, "Using boolean reasoningto anonymize databases," Artificial Intelligence in Medicine,vol. 15, no. 3, pp. 235-254, Mar. 1999. hnp:!!dx.doLorg/10.1016!S0933-3657(98)00056-6
[7] A. Hundepool and L. Willenborg, "/-' and t-argus: software forstatistical disclosure control," in Third International Seminar onStatistical Confidentiality, 1996.
[8J V. Iyengar, "Transforming data to satisfy privacy constraints," inProc., the Eigth ACM SIGKDD Int'l Corif. on Knowledge Discoveryand Data Mining. 2002, pp. 279-288.
[9] D. Kifer and J. Gehrke, "Injecting utility into anonymized datasets,"in SIGMOD '06: Proceedings of the 2006 ACM SIGMOD international conference on Management of data. New York, NY, USA:ACM Press, 2006, pp. 217-228.
[I OJ K. LeFevre, D. DeWitt, and R. Ramakrishnan, "Incognito: Efficientfull-domain k-anonymity," in Proc. of the 2005 ACM SIGMOD Int'lCorif. on Management of Data, Baltimore, MD, June 13-162005.
[IIJ K. LeFevre, D. DeWitt, and R. Ramakrishnan, "Multidimensionalk-anonymity," University of Wisconsin, Madison, Tech. Rep. 1521,June 2005. http://www.cs.wisc.edu/techreports/2005ITRI521.pdf
[12] N. Li and T. Li, "t-c1oseness: Privacy beyond k-anonymity and 1-diversity," in Proceedings of the 23nd International Conference onData Engineering (ICDE '07), Istanbul, Turkey, Apr. 16-202007.
[13J A. Machanavajjhala, J. Gehrke, D. Kifer, and M. Venkitasubramaniam, "I-diversity: Privacy beyond k-anonymity," in Proc. of the22nd IEEE Int'l Corif. on Data Engineering (ICDE 2006), AtlantaGeorgia, Apr. 2006.
[14J M. E. Nergiz, M. Atzori, and C. Clifton, "Hiding the presence ofindividuals in shared databases," in SIGMOD '07: Proceedings ofthe 2007 ACM SIGMOD international conference on Managementof data, Beijing, China, June 11-142007.
[15J M. E. Nergiz and C. Clifton, "Thoughts on k-anonymization," inICDEW '06: Proc. of the 22nd Int'l Corif. on Data EngineeringWorkshops. Washington, DC, USA: IEEE Computer Society, 2006,p.96.
[16] P. Samarati, "Protecting respondents' identities in microdata release," IEEE Transactions on Knowledge and Data Engineering,vol. 13, no. 6, pp. 1010-1027, 2001.
[17J L. Sweeney, "Guaranteeing anonymity when sharing medical data,the datafly system," in Proc., Journal of the American MedicalInformatics Association. Hanley & Belfus, Inc., 1997.
[18J L. Sweeney, "Achieving k-anonymity privacy protection using generalization and suppression," International Journal on Uncertainty,Fuzziness and Knowledge-based Systems, vol. 10, no. 5, 2002.
[19J L. Sweeney, "k-anonymity: a model for protecting privacy," Int. J.Uncertain. Fuzziness Knowl.-Based Syst., vol. 10, no. 5, pp. 557570,2002.
[20J X. Xiao and Y. Tao, "Personalized privacy preservation," in SIGMOD '06: Proc. of the 2006 ACM SIGMOD In!'1 Corif. on Management of data. New York, NY, USA: ACM Press, 2006, pp.229-240.
[21] C. Yao, X. S. Wang, and S. Jajodia, "Checking for k-anonymityviolation by views," in VLDB '05: Proc. of the 31st In!'1 Corif. onVery large data bases. VLDB Endowment, 2005, pp. 910-921.
[22J S. Zhong, Z. Yang, and R. N. Wright, "Privacy-enhancing kanonymization of customer data," in PODS '05: Proc. of the24th ACM SIGMOD-SIGACT-SIGART symposium on Principles ofdatabase systems. New York, NY, USA: ACM Press, 2005, pp.139-147.