Preventing Denial-of-request Inference Attacks in Location-sharing Services
Kazuhiro Minami, Institute of Statistical Mathematics
ICMU 2014
Location Sharing Services (LSSs)
• Enable users to share their identifiable location information with others
• Examples: Google Latitude, Glympse, Instamapper
• Mobile platforms: iPhone, Android
[Figure: the mobile device computes GPS coordinates from the GPS signal and publishes its location data to the LSS; other users retrieve that location data from the LSS]
• Raise significant concern on location privacy
Naïve Access Control in LSS
[Figure: the target user defines a set S of private locations at the LSS; when the target user is at a location in S, the LSS answers the requester with "No"]
• Examples of private locations: hospitals, drinking bars, etc.
[Figure: map showing a hospital (private) and a book store (not private)]
However, just protecting private locations is not enough
• Assume that Dave (the requester) knows Bob's previous traces
• Dave can figure out that Bob is visiting the hospital here
[Figure: Bob's path on the map, ending at the hospital]
Location Predictor based on the Markov Model
[Figure: transition graph over four locations (Siebel Center, Uni High, DCL, Union) with transition probabilities 0.2, 0.3 and 0.5 on its edges, and the corresponding state transition matrix]
• Consider locations as states of a user and define a state transition matrix M
• Probability of moving from l_i to l_k in n steps: M_{i,k}^{(n)}, the (i, k) entry of the matrix power M^n
(M, t)-Access Control [MBL2011]
• Prevent predicting the target user's visiting a private location with probability higher than a given threshold value t
• For every private location l_k in S, the LSS asks whether M_{i,k}^{(n)} < t, where l_i is the target user's current location; the location is published only if the check passes for all l_k in S
[Figure: the target user provides the matrix M and the set S of private locations to the LSS; the requester queries the LSS]
However, not publishing location data reveals some information
[Figure: chain l1 → l2 (0.5), l1 → l4 (0.5), l2 → l3 (1.0); l3 is a private location]
• A user moves l1, l2, and l3 in sequence
• A threshold value t = 0.8
• From l1, the next location is either l2 or l4
• Only l2 is not publishable, since from l2 the user will surely visit l3 next (l1 and l4 pass the check)
• If we get a sequence (l1, ε), where ε denotes a denied request, we learn: 1. the user is currently at l2, and 2. the user will visit l3 next
Denial-of-request Inferences
• If the LSS does not publish location data after publishing l_i, the requester learns that the user is now at some location l_j that fails the check, i.e. from which a private location l_k is reached within n steps with probability at least t
[Figure: l_i → l_j (DENY) → ... n steps ... → private location l_k]
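The (M, t) check from the previous slides and the inference drawn from the (l1, ε) example, as an added Python example that is not code from the slides or the paper. The four-location chain is the toy example above (with assumed self loops on l3 and l4, which the slide does not show), the denial is modelled as a Bayesian update over the non-releasable successors of the last published location, and the fixpoint that grows S is an illustration of the idea, not the paper's matrix-compression algorithm:

```python
"""
Added example, not code from the original slides or the paper: the (M, t)
access-control check on an n-step Markov predictor, the denial-of-request
inference that defeats it on the slides' toy chain, and a simple fixpoint that
extends the private set S until a denial no longer leaks.  Locations and
transition probabilities are constructed for illustration.
"""

# Constructed toy chain from the slides: from l1 the user moves to l2 or l4
# (0.5 each), from l2 surely to l3, and l3 is private.  The slide does not show
# outgoing edges of l3 and l4; a self loop is assumed so that rows sum to 1.
LOCS = ["l1", "l2", "l3", "l4"]
M = {
    "l1": {"l2": 0.5, "l4": 0.5},
    "l2": {"l3": 1.0},
    "l3": {"l3": 1.0},
    "l4": {"l4": 1.0},
}


def matmul(A, B):
    """Product of two sparse row-dict matrices over LOCS."""
    C = {i: {} for i in LOCS}
    for i in LOCS:
        for j, a in A[i].items():
            for k, b in B[j].items():
                C[i][k] = C[i].get(k, 0.0) + a * b
    return C


def matrix_power(M, n):
    """M^n: entry [i][k] is the probability of being at l_k n steps after l_i."""
    P = {i: {i: 1.0} for i in LOCS}       # identity matrix
    for _ in range(n):
        P = matmul(P, M)
    return P


def releasable(M, S, t, n):
    """(M, t)-access control: l_i is releasable iff it is not private and no
    private location is reached from it within n steps with probability >= t."""
    Mn = matrix_power(M, n)
    return {i for i in LOCS
            if i not in S and all(Mn[i].get(k, 0.0) < t for k in S)}


def denial_inference(M, prev, S, t, n):
    """What a requester learns from the pair (prev, eps): prev was published,
    the next request was denied.  Returns the posterior over the user's current
    location (proportional to M[prev][j] over non-releasable j) and, per private
    location, the probability of reaching it within n steps under that posterior."""
    Mn = matrix_power(M, n)
    ok = releasable(M, S, t, n)
    weights = {j: p for j, p in M[prev].items() if j not in ok}
    total = sum(weights.values())
    if total == 0.0:
        return {}, {}                       # a denial right after prev cannot happen
    posterior = {j: p / total for j, p in weights.items()}
    risk = {k: sum(p * Mn[j].get(k, 0.0) for j, p in posterior.items()) for k in S}
    return posterior, risk


def close_private_set(M, S, t, n):
    """Illustrative fixpoint (not the paper's matrix-compression algorithm):
    add to S every releasable location whose publication followed by a denial
    would reveal some private location with probability >= t, and repeat until
    the set is stable."""
    S = set(S)
    while True:
        leaking = set()
        for prev in releasable(M, S, t, n):
            _, risk = denial_inference(M, prev, S, t, n)
            if risk and max(risk.values()) >= t:
                leaking.add(prev)
        if not leaking:
            return S
        S |= leaking


if __name__ == "__main__":
    S, t = {"l3"}, 0.8
    print("releasable under (M, t):", sorted(releasable(M, S, t, 1)))
    post, risk = denial_inference(M, "l1", S, t, 1)
    print("after (l1, eps): posterior", post, "risk", risk)
    print("closed private set:", sorted(close_private_set(M, S, t, 1)))
```

With S = {l3} and t = 0.8 the plain check releases l1 and l4, but a requester who sees l1 published and then a denial places the user at l2 with certainty and therefore at l3 next; the fixpoint responds by adding l1 to S, after which only l4 remains releasable.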
Algorithm for converting the original matrix M to compressed M'
[Figure: transition graph over l1 ... l8 with edge probabilities 0.2, 0.8, 0.1, 0.9, 0.4, 0.1, 0.5, 1.0, 1.0, 0.8, 0.2; l6 and l8 are private]
• With S = {l6, l8}: if we see (l2, ε), we know the user is at l6
• If we see (l1, ε), we know the user is either at l2 or l3
• The compressed matrix M' therefore enlarges the private set to S = {l2, l3, l6, l8}
Revisiting the previous example with our proposed method
[Figure: map with the hospital and the book store; Bob's path]
Comparison of the two access-control methods with the Geolife dataset
• GPS dataset published by Microsoft Research Asia
• 178 users over a period of four years
• Logged every 1 – 5 seconds
• Consider a rectangular region of 39 × 30 kilometers in Beijing, China
• Divide the region into 140 × 140 (= 19,600) unit regions
• Use the top 10 users in terms of data points
Q: How many more non-releasable locations are there when we consider denial-of-request inferences?
Initial private locations S0
1. Pick the locations of a restaurant and a hospital that were actually visited by users:
• China-Japan Friendship Hospital (N. latitude 39.97260, E. longitude 116.42072)
• South Beauty Restaurant (N. latitude 39.99635, E. longitude 116.40360)
2. Randomly choose a given number of locations from the most frequently visited locations
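How the experimental setup above turns raw GPS fixes into the states of the Markov predictor, as an added Python example that is not the paper's code: fixes are discretised into a 140 × 140 grid over a 39 km × 30 km region and M is fitted from the resulting cell sequence. The slides give the region size but not its origin, so the south-west corner, the "home" point and the trace are constructed assumptions; the two named locations are the ones listed on the slide:

```python
"""
Added example (not the paper's code): discretise GPS fixes into the unit
regions the experiment describes (a rectangular region split into a 140 x 140
grid) and fit the Markov transition matrix M from the resulting cell
sequence.  The slides give the region size (39 km x 30 km) but not its
origin, so the south-west corner below is an assumption; the trace is
constructed.
"""
import math
from collections import Counter

GRID = 140                     # unit regions per side
WIDTH_KM, HEIGHT_KM = 39.0, 30.0
LAT0, LON0 = 39.79, 116.20     # assumed south-west corner of the region (Beijing)
KM_PER_DEG_LAT = 111.32
KM_PER_DEG_LON = KM_PER_DEG_LAT * math.cos(math.radians(LAT0))  # evaluated at LAT0

# Locations named in the slides plus a constructed "home" point.
HOSPITAL = (39.97260, 116.42072)    # China-Japan Friendship Hospital
RESTAURANT = (39.99635, 116.40360)  # South Beauty Restaurant
HOME = (39.95, 116.30)              # constructed


def cell_of(lat, lon):
    """Map a GPS fix to its (row, col) unit region, or None when it lies
    outside the region.  Rows count northwards, columns eastwards."""
    north_km = (lat - LAT0) * KM_PER_DEG_LAT
    east_km = (lon - LON0) * KM_PER_DEG_LON
    if not (0.0 <= north_km < HEIGHT_KM and 0.0 <= east_km < WIDTH_KM):
        return None
    return int(north_km / HEIGHT_KM * GRID), int(east_km / WIDTH_KM * GRID)


def cell_sequence(fixes):
    """Cells visited in order, dropping out-of-region fixes and collapsing
    consecutive fixes that stay in the same cell, so that transitions count
    moves between regions rather than dwell time (fixes arrive every 1-5 s)."""
    seq = []
    for lat, lon in fixes:
        c = cell_of(lat, lon)
        if c is not None and (not seq or seq[-1] != c):
            seq.append(c)
    return seq


def fit_transition_matrix(seq):
    """Maximum-likelihood estimate of M: M[a][b] = #(a -> b) / #(a -> *)."""
    counts = {}
    for a, b in zip(seq, seq[1:]):
        counts.setdefault(a, Counter())[b] += 1
    return {a: {b: n / sum(row.values()) for b, n in row.items()}
            for a, row in counts.items()}


def most_visited(seq, k):
    """The k most frequently visited cells: the pool from which the experiment
    samples its additional initial private locations."""
    return [c for c, _ in Counter(seq).most_common(k)]


# Constructed trace: home -> restaurant -> hospital -> home -> restaurant ->
# home -> hospital, with repeated fixes and one fix outside the region.
TRACE = [HOME, HOME, RESTAURANT, HOSPITAL, HOSPITAL, HOME, RESTAURANT,
         RESTAURANT, (40.50, 117.00), HOME, HOSPITAL]

if __name__ == "__main__":
    seq = cell_sequence(TRACE)
    print("hospital cell:", cell_of(*HOSPITAL), "restaurant cell:", cell_of(*RESTAURANT))
    for a, row in fit_transition_matrix(seq).items():
        print(a, {b: round(p, 3) for b, p in row.items()})
    print("most visited:", most_visited(seq, 2))
```

The fitted rows are the M that the (M, t) check and the denial-of-request inference operate on; in the real experiment the sequences come from the Geolife traces rather than a constructed list.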
Dependency on the number of initial private locations
[Figure: #final private locations (y-axis) against #initial private locations (x-axis)]
A threshold δ = 0.8. #inference steps = 1.
Dependency on the number of inference attacks
[Figure: #final private locations (y-axis) against #inference steps (x-axis)]
A threshold δ = 0.8. #initial private locations = 2.
Conclusions
• Study a new inference problem concerning the denial of a service request in LSSs
• Model an adversary with a compressed state transition matrix
• Experimental results show a considerable in existing LSSs
• Future work includes studying inference problems based on the hidden Markov model
Thank you!