Preventing Denial-of-request Inference Attacks in Location-sharing Services

Kazuhiro Minami, Institute of Statistical Mathematics. ICMU 2014


Transcript of Preventing Denial-of-request Inference Attacks in Location-sharing Services

Page 1: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Preventing Denial-of-request Inference Attacks in Location-sharing Services

Kazuhiro Minami, Institute of Statistical Mathematics

ICMU 2014

Page 2: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Location Sharing Services (LSSs)

• Enable users to share their identifiable location information with others

Examples: Google Latitude, Glympse, Instamapper

Mobile platforms: iPhone, Android

[Figure labels: GPS signal; Compute GPS coordinates; Publish location data; LSS; Retrieve location data]

Raise significant concern on location privacy

Page 3: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Naïve Access Control in LSS

[Figure labels: Target user; Define; Set of private locations S; LSS; Requester; No]

Examples of private locations: hospitals, drinking bars, etc.

Page 4: Preventing Denial-of-request Inference Attacks in Location-sharing Services

However, just protecting private locations is not enough

Assume that Dave knows Bob’s previous traces

Bob can figure out that Alice is visiting the hospital here

[Figure labels: Hospital; Book store; Bob’s path; Dave; Bob]

Page 5: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Location Predictor based on the Markov Model

[Figure labels: Union; Siebel Center; Unihigh; DCL; transition probabilities 0.5, 0.2, 0.3]

• Consider locations as states of a user and define a state transition matrix $M$

• Probability of moving from $l_i$ to $l_k$ in $n$ steps: $M_{i,k}(n)$

[Figure labels: $l_i$; $l_k$; $n$ steps]

Page 6: Preventing Denial-of-request Inference Attacks in Location-sharing Services

(M, t)-Access control [MBL2011]

Prevent predicting the target user’s visiting a private location with probability higher than a given threshold value $t$

Ask if $M_{i,k}(n) < t$ for every private location $l_k$

[Figure labels: Target user; Matrix $M$; Set of private locations S; LSS; Requester; Matrix $M$]

Page 7: Preventing Denial-of-request Inference Attacks in Location-sharing Services

However, not publishing location data reveals some information

[Figure labels: transition probabilities 1.0, 0.5, 0.5; Private location]

• A user moves $l_1$, $l_2$, and $l_3$ in sequence

• A threshold value $t = 0.8$

Next location is either $l_2$ or $l_4$

Only $l_2$ is not publishable since the user will surely visit $l_3$ next

If we get a sequence $(l_1, ε)$ we learn:

1. The user is currently at $l_2$, and
2. The user will visit $l_3$ next
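The inference on this slide can be checked numerically. The following is an added example, not code from the presentation: the chain is constructed from the slide's numbers, the outgoing rows for l3 and l4 are assumptions made only so the matrix is stochastic, and the function names are hypothetical. It assumes the requester knows M, S, t and the release policy.

```python
# Added illustration. Constructed chain using the slide's numbers; the rows
# for l3 and l4 are assumptions that only make the matrix stochastic.
M = {
    "l1": {"l2": 0.5, "l4": 0.5},
    "l2": {"l3": 1.0},
    "l3": {"l1": 1.0},  # assumed
    "l4": {"l1": 1.0},  # assumed
}
PRIVATE = {"l3"}  # S, the set of private locations
T = 0.8           # threshold t


def n_step(M, src, n):
    """Distribution over locations n steps after src (row src of M^n)."""
    dist = {src: 1.0}
    for _ in range(n):
        nxt = {}
        for cur, p in dist.items():
            for dst, q in M[cur].items():
                nxt[dst] = nxt.get(dst, 0.0) + p * q
        dist = nxt
    return dist


def releasable(M, loc, private, t, n=1):
    """(M, t) check: publish loc only if M_{loc,k}(n) < t for every private k."""
    if loc in private:
        return False
    dist = n_step(M, loc, n)
    return all(dist.get(k, 0.0) < t for k in private)


def denial_posterior(M, last, private, t, n=1):
    """Requester's belief about the current location when a denial follows `last`."""
    hidden = {d: p for d, p in M[last].items()
              if not releasable(M, d, private, t, n)}
    total = sum(hidden.values())
    return {d: p / total for d, p in hidden.items()} if total else {}


def leak_after_denial(M, last, private, t, n=1):
    """Per private k: the larger of P(at k now) and P(at k in n steps), given the denial."""
    post = denial_posterior(M, last, private, t, n)
    return {k: max(post.get(k, 0.0),
                   sum(p * n_step(M, cur, n).get(k, 0.0) for cur, p in post.items()))
            for k in private}
```

Before any denial, the two-step probability of reaching l3 from l1 is 0.5, below t; once the denial is observed, the same prediction has probability 1.0.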

Page 8: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Denial-of-request Inferences

• If LSS does not publish location data after publishing $l_i$, the requester learns that

[Figure labels: $l_i$; $l_j$; DENY; $l_k$; $n$ steps; Private location]

Page 9: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Algorithm for converting the original matrix M to compressed M’

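[Figure: state-transition graph with edge probabilities 0.2, 0.8, 0.1, 0.9, 0.4, 0.1, 0.5, 1.0, 1.0, 0.8, 0.2]

S = {$l_6$, $l_8$}

If we see $(l_2, ε)$, we know the user’s at $l_6$

S = {$l_2$, $l_3$, $l_6$, $l_8$}

If we see $(l_1, ε)$, we know the user’s either at $l_2$ or $l_3$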

Page 10: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Revisiting the previous example with our proposed method

[Figure labels: Hospital; Book store; Bob’s path]

Page 11: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Comparison of the two access-control methods with the Geolife dataset

• Consider a rectangular region of 39 × 30 kilometers in Beijing, China

• Use top 10 users in terms of data points

• Divide the region into 140 × 140 (=19,600) unit regions

Q: How many more non-releasable locations when we consider denial-of-request inferences?

• GPS dataset published by Microsoft Asia

• 178 users in the period of four years

• Logged every 1 – 5 seconds

Page 12: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Initial private locations S0

1. Pick two locations, a restaurant and a hospital, which were actually visited by users
   • China-Japan Friendship Hospital (N. latitude 39.97260, E. longitude 116.42072)
   • South Beauty Restaurant (N. latitude 39.99635, E. longitude 116.40360)
2. Randomly choose a given number of locations from the top most frequently visited locations

Page 13: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Dependency on the number of initial private locations

[Plot: y-axis: #Final private locations; x-axis: #Initial private locations]

A threshold δ = 0.8. #Inference steps = 1.

Page 14: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Dependency on the number of inference attacks

[Plot: y-axis: #Final private locations; x-axis: #Inference steps]

A threshold δ = 0.8. #Initial private locations = 2.

Page 15: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Conclusions

• Study a new inference problem concerning a denial of service request in LSSs

• Model an adversary with a compressed state transition matrix

• Experimental results show a considerable in existing LSSs

• Future work includes studying inference problems based on the hidden Markov model

Page 16: Preventing Denial-of-request Inference Attacks in Location-sharing Services

Thank you!