advertisement

Journal of Computational Information Systems 7:3 (2011) 924-931 Available at http://www.Jofcis.com Personalized Anonymity Algorithm Using Clustering Techniques Pingshui WANG† College of Management Science and Engineering, Anhui University of Finance & Economics, Bengbu 233030, China Abstract Anonymity is an essential technique to preserve individual privacy information in data releasing setting. However, most existing anonymous methods focus on the universal approach that exerts the same amount of preservation for all individuals. The result is that the released data may offer insufficient protection to a subset of people, while applying excessive privacy control to another subset. In addition, those methods using generalization and suppression techniques suffer from high information loss and low usability mainly due to reliance on pre-defined generalization hierarchies or total order imposed on each attribute domain. To address this issue, we develop a new personalized anonymity algorithm using clustering techniques. Experimental results show that the proposed method can reduce the information loss and improve the usability of the released data while satisfying everybody’s privacy preserving requirements. Keywords: Privacy Preservation; Personalized Anonymity; Clustering 1. Introduction With the rapid development in Internet, data storage and data processing technologies, individual privacy information is being collected by various organizations for research purposes. However, if individuals can be uniquely identified in the released data then their private information would be disclosed. Releasing data about individuals without revealing their sensitive information is an important problem. To avoid the identification of records in released data, uniquely identifying information like names and social security numbers are removed from the table. However, this first sanitization still does not ensure the privacy of individuals in the data. Privacy preservation is the prevention of cross-references and inferences that could reveal confidential information in released data. Anonymity provides a relative guarantee that the identity of individuals cannot be discovered. In recent years, a new definition of privacy called k-anonymity has gained popularity. The k-anonymity model, proposed by Sweeney [1], is a simple and practical privacy-preserving approach and has drawn considerable interest from research community, and a number of effective algorithms have been proposed [2-14]. The k-anonymity model ensures that each record in the table is identical to at least (k-1) other records with respect to the quasi-identifier attributes. Therefore, no privacy related information can be inferred from the k-anonymity protected table with high confidence. The most existing anonymity methods focus on a universal approach that exerts the same amount of preservation for all individuals. The consequence is that the released data may offer insufficient protection to a subset of people, while applying excessive privacy control to another subset. In addition, these methods based on generalization and suppression techniques suffer from high information loss and low usability mainly due to reliance on pre-defined generalization hierarchies or total order imposed on each attribute domain. To address this issue, we develop a new personalized anonymity algorithm using clustering † Corresponding author. Email addresses: [email protected] (Pingshui WANG). 1553-9105/ Copyright © 2011 Binary Information Press March, 2011 925 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 techniques. Experimental results show that our method can reduce the information loss and improve the usability of the released data while satisfying personal privacy preserving requirements. The rest of this paper is organized as follows. In section 2, we introduce the related work. In section 3, we present our method of personalized anonymity using clustering techniques. In section 4, we analyze the performance of our method by extensive experiments. Section 5 contains the conclusions and future work. 2. The Related Work 2.1. k-Anonymity In order to preserve privacy, Sweeney [1] proposed the k-anonymity model which achieves k-anonymity using generalization and suppression techniques, so that, any individual is indistinguishable from at least (k-1) other ones with respect to the quasi-identifier attributes in the released dataset. For example, table 2 is a 2-anonymous table of table 1. Generalization involves replacing a value with a less specific but semantically consistent value. For example, the date of birth could be generalized to a range such as year of birth, so as to reduce the risk of identification. Suppression involves not releasing a value at all. In recent years, numerous algorithms have been proposed for implementing k-anonymity by generalization and suppression. Table 1 Original Table Name Race Birth Sex Zip Disease Alice Blank 1965-3-18 F 02141 gastric ulcer Helen Blank 1965-5-1 F 02142 dyspepsia David Blank 1966-6-10 M 02135 pneumonia Bob Blank 1966-7-15 M 02137 bronchitis Jane White 1968-3-20 F 02139 flu Paul White 1968-4-1 F 02138 cancer Table 2 2-Anonymous Table of Table 1 Race Birth Sex Zip Disease Blank 1965 F 0214* gastric ulcer Blank 1965 F 0214* dyspepsia Blank 1966 M 0213* pneumonia Blank 1966 M 0213* bronchitis White 1968 F 0213* flu White 1968 F 0213* cancer 2.2. Personalized Anonymity The k-anonymity methods mainly focus on a universal approach that exerts the same amount of preservation for all individuals, without catering for their concrete needs. The consequence is that the released data may offer insufficient protection to a subset of people, while applying excessive privacy control to another subset. Motivated by this, Xiao and Tao [8] presented a new generalization framework based on the concept of personalized anonymity which overcomes the above problems. In the following we introduce briefly the principle of the personalized anonymity. The basic idea of the personalized anonymity is that a person can specify the degree of privacy preservation for her/his sensitive values. For example, figure 1 demonstrates a simple taxonomy of attribute Disease. The taxonomy is accessible by the public, and organizes all diseases as leaves of a tree. An intermediate node carries a name summarizing the diseases in its subtree. Each person can decide her/his 926 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 sensitive values appeared in the released data. Their technique performs the minimum generalization for satisfying everybody’s requirements, and thus, retains the largest amount of information from the original data. Table 3 An Example of Guarding Node Record No. Name Race Birth Sex Zip Disease Guarding Node 1 Alice Blank 1965-3-18 F 02141 gastric ulcer stomach disease 2 Helen Blank 1965-5-1 F 02142 dyspepsia dyspepsia 3 David Blank 1966-6-10 M 02135 pneumonia respiratory infection 4 Bob Blank 1966-7-15 M 02137 bronchitis Bronchitis 5 Jane White 1968-3-20 F 02139 flu φ 6 Paul White 1968-4-1 F 02138 cancer other A personal preference can be easily solicited from an individual when s/he is supplying her/his data. In the personalized anonymity approach, a preference is formulated through a “guarding node” in the taxonomy. As an example, for record 1 in Table 3, Alice may specify node stomach-disease (the “guarding node” for her privacy). Thus, nobody should be able to infer that she suffered from any disease (i.e., gastric ulcer, dyspepsia, or gastritis) in the subtree of the node with significant confidence. In other words, in Alice’s opinion, allowing the public to associate her with dyspepsia or gastritis is as serious as revealing her true disease. On the other hand, for record 5 in Table 3, Jane may specify φ , which is an implicit node underneath all the leaves of the taxonomy. The empty-set preference implies that s/he is willing to release her/his actual diagnosis result flu; therefore, record 5 can be released directly. In general, flu may not be “sensitive” for many people, such that it is often not necessary to apply any privacy protection to this value. any illness respiratory infection pneumonia bronchitis stomach disease flu dyspepsia gastritis gastric ulcer other aids … cancer Fig. 1 The Taxonomy of Attribute Disease Let S be a table storing private information about a set of individuals. The attributes in S are classified in 4 categories: (i) an identifier attribute Ai which uniquely identifies a person, and must be removed when S is released to the public, (ii) a sensitive attribute A s (e.g., Disease in Table 3), whose values may be confidential for an individual (subject to her/his preferences), (iii) d quasi-identifier (QI) attributes A1qi , A2qi , , Adqi , whose values can be released, but may reveal a personal identify with the aid of external information (Race, Birth, Sex, Zip in Table 3), and (iv) other attributes that are not relevant to our discussion. All the attributes have finite domains and each categorical attribute is accompanied by a taxonomy, which indicates the publicly-known hierarchy among the possible values of the attribute. The objective is to compute a releasable table S * such that (i) it contains all the attributes of S except i A , (ii) it has a generalized record for every record in S , (iii) it preserves as much information of S as possible, and (iv) its releasing does not cause any privacy breach. To describe the personal privacy requirements, some concepts are defined in the following [8]: Definition 1 ( A s subtree). For any node x in the taxonomy of A s , ST ( x) represents its subtree, which includes x itself, and the part of the taxonomy under it. A record r ∈ S defines an association between an individual o (identified by r. Ai ) and a sensitive value v = r. A s , which is denoted as { o , v }. To formulate her/his privacy preference, o specifies a guarding node as follows: 927 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 Definition 2 (Guarding node). For a record r ∈ S , its guarding node r.GN is a node on the path from the root to r. A s in the taxonomy of A s . Through r.GN , o indicates that she/he does not want the public to associate her/him with any leaf s A value in ST (r.GN ) . Specifically, assume that ST (r.GN ) contains x leaf values v1 , v2 ,..., v x . The privacy requirement of r.GN is breached if an adversary thinks that any of the associations { o , v1 }, ... , { o , v x } exists in S . Definition 3 (Breach probability). For a record r ∈ S , its breach probability Pbreach (r ) equals the probability that an adversary can infer from S * that any of the associations { o , v1 }, ..., { o , v x } exists in S , where v1 , v2 ,..., v x are the leaf values in ST (r.GN ) . The released table S * should guarantee that, for all r ∈ S , Pbreach (r ) is at most pbreach , which is a system parameter specifying the amount of confidentiality control. Table 3 demonstrates the guarding nodes selected by the individuals. Guarding nodes depend entirely on personal preferences, and are not determined by the sensitive values. 3. Personalized Anonymity Algorithm Using Clustering Techniques The key idea underlying our method is that the personalized anonymity problem can be viewed as a clustering problem [10]. Clustering is the problem of partitioning a set of objects into groups such that objects in the same group are more similar to each other than objects in other groups with respect to some defined similarity criteria. 3.1. Personalized k -Member Clustering Problem Typical clustering problems require that a specific number of clusters be found in solutions. However, the personalized anonymity problem does not have a constraint on the number of clusters; instead, it requires that each cluster contains at least k records and each sensitive attribute value satisfies personal privacy requirements. Thus, we pose the personalized anonymity problem as a clustering problem, referred to as personalized k-member clustering problem. Definition 4 (Personalized k -member clustering problem). The personalized k -member clustering problem is to find a set of clusters from a given set of n records such that each cluster contains at least k ( k ≤ n ) data points and that the sum of all intra-cluster distances is minimized. Formally, let S be a set of n records, k be the specified anonymization parameter and pbreach be a system parameter specifying the amount of confidentiality control. Then the optimal solution of the personalized k -member clustering problem is a set of clusters E = {e1 ,..., em } such that: (1) ∀i ≠ j ∈ {1,..., m} , ei ∩ e j = φ ; (2) U i =1,..., m ei = S ; (3) ∀ei ∈ E , ei ≥ k ; (4) Σ l =1,..., m el ⋅ MAX i , j =1,..., el Δ( p(l , i ), p(l , j )) is minimized; (5) ∀r ∈ S , Pbreach (r ) ≤ pbreach ; (6) Each sensitive attribute value satisfies personal privacy requirements. Where e is the size of cluster e , p(l , i ) represents the i -th data point in cluster el , and Δ( x, y ) is the distance between two data points x and y . 3.2. Distance and Cost Functions Distance functions are used to measure the dissimilarities among data points, which are usually determined by the type of data being clustered. The cost function that the clustering problem tries to minimize is 928 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 defined by the specific objective of the clustering problem. In this section, we describe our distance and cost functions which have been specifically tailored for the k -anonymity problem [10]. Definition 5 (Distance between two numeric values). Let D be a finite numeric domain. Then the normalized distance between two values v i , v j ∈ D is defined as: δ N (v i , v j ) = v i − v j / D . (1) Where D is the domain size measured by the difference between the maximum and minimum values in D . For categorical attributes, the difference is no longer applicable as most of the categorical domains cannot be enumerated in any specific order. However, some domains may have some semantic relationships among the values. In such domains, it is desirable to define the distance functions based on the existing relationships. Such relationships can be easily captured in a taxonomy tree. For example, Figure. 1 illustrates a natural taxonomy tree for the Disease attribute. Furthermore, we can specify the level distance taking specific instance into consideration. The distance between lower levels is smaller than the higher ones. We now define the distance function for categorical values as follows: Definition 6 (Distance between two categorical values). Let D be a categorical domain and T D be a taxonomy tree defined for D . We assume that the distance is 1 from bottom to top level of the taxonomy tree. Then the normalized distance between two values vi , v j ∈ D is defined as: δ C (vi , v j ) = W (Λ (vi , v j )) . (2) Where Λ(vi , v j ) is the subtree rooted at the lowest common ancestor of vi and v j , and W ( T ) represents the sum of the distance between levels of tree T . Example 1. Consider attribute Disease and its taxonomy tree in Fig. 1. We assume the distance between level 1 and level 2 equals 0.7, and the distance between level 2 and level 3 is 0.3. Then the distance between dyspepsia and gastritis is 0.3 = 0.3, while the distance between dyspepsia and flu is 0.3+0.7 = 1. Definition 7 (Distance between two records). Let QT = {N1 ,..., N m , C1 ,..., Cn } be the quasi-identifier of table S , where N i (i = 1,..., m) is an attribute with a numeric domain and C j ( j = 1,..., n) is an attribute with a categorical domain, and A s is a sensitive attribute with a categorical domain. The distance of two records r1 , r2 ∈ S is defined as: ∑wδ Δ(r1 , r2 ) = i N ( r1[ N i ], r2 [ N i ]) + i =1,..., m ∑w δ j C ( r1[C j ], r2 [C j ]) + ws δC (r1[ A s ], r2 [ A s ]) . (3) j =1,..., n Where ri [ A] represents the value of attribute A in ri , wi ( w j / ws ) represents the weigh of attribute N i ( C j / A s ) , and ∑ m 1 wi + ∑w n 1 j + ws = 1 . Definition 8 (Information loss). Let e = {r1 , , rc } be a cluster where the quasi-identifier consists of numeric attributes N1 ,..., N m and categorical attributes C1 ,..., Cn . Let TCi be the taxonomy tree defined for the domain of categorical attribute C i . Let MIN N i and MAX N i be the min and max values in e with respect to attribute N i , and let ∪ Ci be the union set of values in e with respect to attribute C i . Let STt k .GN be the subtree of guarding node of the record tk . Then the amount of information loss occurred by generalizing e, denoted by IL(e) , is defined as: ( MAX N i − MIN N i ) IL(e) = e ⋅ ( + Ni i =1,..., m ∑ Where e is the number of records in e , N i ∑ W (Λ (U j =1,..., n Cj ))) + ∑W (ST k =1,..., e t k .GN ) . (4) represents the size of numeric domain N i , Λ(∪ C j ) is the subtree rooted at the lowest common ancestor of every value in ∪ C j , and W ( T ) is the sum of the distance between levels of tree T . 929 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 Definition 9 (Total information loss). Let E be the set of all equivalence classes in the anonymized table S * . Then the amount of total information loss of S * is defined as: Total − IL( S * ) = IL(e) . (5) ∑ e∈E 3.3. Personalized Anonymity Algorithm Using Clustering Techniques Based on the above concepts, we propose an new algorithm for computing a personalized anonymous table S * with small Total − IL( S * ) which guarantees Pbreach (r ) ≤ pbreach for ∀r ∈ S . Our anonymization algorithm includes three steps, as is shown in figure 2. The first phase produces a set of QI-groups denoted by temp through applying clustering on S . Then, the second step produces anonymous QI-groups by applying QI-generalization on temp, using a set of generalization functions G = { f1 , f 2 ,..., f d } on the d QI-attributes, respectively. Finally, the third step produces the final releasable table S * by performing SA-generalization on the resulting QI-groups, employing a specialized generalization function for each QI-group. Hence, the quality of S * depends on (i) the method of clustering, (ii) the choice of generalization functions G , and (iii) the effectiveness of SA-generalization. Please refer to reference [13] for the specific algorithm about SA-generalization. Algorithm Clustering_Personalized_Anonymity Input: a set of records S, a threshold value k, and the guarding nodes of all records. Output: the releasable dataset S*. 1. temp = φ ; r = a randomly picked record from S; 2. while ( |S| ≥ k ) a) r = the furthest record from r; b) S = S – {r}; c) e = {r}; d) while( |e| < k ) i. r = find_best_record(S, e); ii. S = S – {r}; iii. e = e ∪ {r}; e) temp = temp ∪ {e}; while ( |S| ≠ 0 ) a) r = a randomly picked record from S; b) S = S – {r}; c) e = find_best_cluster(temp, r); d) e = e ∪ {r}; temp’ =QI-generalization(temp); S*=SA-generalization (temp’); return S*. 3. 4. 5. 6. Fig. 2 Algorithm for Personalized Anonymity Using Clustering Techniques 4. Experimental Results The main goal of the experiments was to investigate the performance of our algorithm in terms of data quality and execution time. To accurately evaluate our approach, we compared our implementation with another algorithm, namely the generalization algorithm proposed in [8]. 4.1. Experimental Setup The experiments were performed on a machine with Intel(R) Core(TM)2 Duo CPU T5450 1.67GHz,2.0GB RAM, Windows XP, MATLAB7.0, and Visual C + + 6.0. We ran our experiments on the IPUMS database. The dataset contains a relation with 100k records, each storing the information of an American adult. Before the experiments, we removed records with missing values and chose only six original attributes. For k-anonymity, we considered {age, education, gender, P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 930 marital status, and occupation} as the quasi-identifier. Among these, age and education were treated as numeric attributes while the other three attributes were treated as categorical attributes. In addition to that, we also considered income as the sensitive attribute. Taxonomy trees for each attribute are described in Table 4. Records are randomly divided into 3 groups which account for 10%, 30%, and 60% of the dataset, respectively. For each record in the first (or second) group, its guarding node is the parent of its sensitive value (or is φ ). The guarding nodes of the records in the last group are their sensitive values. Table 4 Experimental Data Information Attribute Distinct values Tree level Sensitive? age education gender marital status occupation income 8 15 2 6 8 10 3 3 2 3 3 4 No No No No No Yes 4.2. Data Quality In this section, we report experimental results on our algorithm and the generalization algorithm for data quality. Figure 3 shows the Total-IL costs of the two algorithms for increasing values of k . As the figure illustrating, our algorithm results in lower cost of the Total-IL for k values size from 10 to 100. The superiority of our algorithms over the generalization algorithm results from the fact that the generalization algorithm only anonymizes the dataset by generalization techniques. Fig. 3 k-Value and Information Loss Metric 4.3. Execution Time The Execution Time of the two algorithms for different k values is shown in Figure 4. The Execution time for our algorithm is more than that of generalization algorithm for all k values. The reason is that, our algorithm searches the whole dataset space in generating QI-groups. Even though the execution time for our algorithm is higher than the generalization algorithm, we believe that it is still acceptable in practice as anonymity is often considered an off-line procedure. Fig. 4 k-Value and Execution Time 931 P. Wang. /Journal of Computational Information Systems 7:3 (2011) 924-931 5. Conclusions The existing anonymous methods are inadequate because they cannot guarantee privacy preservation in all cases, and often suffer from unnecessary information loss due to perform excessive generalization. In this paper, we studied the essential principle of personalized anonymity and proposed a new personalized anonymity algorithm by transforming the anonymity problem to the clustering problem. We also defined two important elements of clustering, that is, distance and cost functions, which are specifically tailored for the k-anonymity problem. The proposed personalized anonymity algorithm can support individual to specify her/his privacy preserving preference while protecting sensitive attribute disclosure. The extensive experimental results show that the proposed algorithm is effective and may cause less information loss during the generalization process. However, the proposed algorithm paper is not optimal, in the sense that it does not necessarily achieve the lowest information loss. Finding an approximate optimal solution is our future work [15]. Acknowledgments This work is partially supported by National Natural Science Foundation of China under Grant No. 71071001, and it is also partially supported by Natural Science Foundation of Anhui Province of China under Grant No. 11040606M140. References [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] L. Sweeney. K-anonymity: A Model for Protecting Privacy. International Journal of Uncertainty, Fuzziness and Knowledge-based Systems,10(5): 557-570, 2002. R. Bayardo, R. Agrawal. Data Privacy Through Optimal k-Anonymization. In Proceedings the 21st International Conference on Data Engineering, pages 217-228, 2005. K. Lefevre, J. Dewittd, R. Ramakrishnan. Incognito: Efficient Full-Domain k-Anonymity. In Proceedings of the 2005 ACM SIGMOD International Conference on Management of Data, pages 49-60, 2005. X. K. Xiao, Y. F. Tao. Anatomy: Simple and Effective Privacy Preservation. In Proceedings of Very Large Data Bases (VLDB) Conference, pages 139-150, 2006. A. Machanavajjhala, J. Gehrke, D. Kifer. l-Diversity: Privacy Beyond k-Anonymity. ACM Transactions on Knowledge Discovery from Data,1(1): 24-35, 2007. N.H. Li, T.C. Li. t-Closeness: Privacy beyond k-Anonymity and l-Diversity. In Proceedings of the 23rd International Conference on Data Engineering, pages 106-115, 2007. X.K. Xiao, Y.F. Tao. M-Invariance: Towards Privacy Preserving Re-Publication of Dynamic Datasets. In Proceedings of the ACM Conference on Management of Data (SIGMOD), pages 689-700, 2007. X.K. Xiao, Y.F. Tao. Personalized Privacy Preservation. In Proceedings of the ACM Conference on Management of Data (SIGMOD), pages 229-240, 2006. X.J. Ye, Y.W. Zhang, M. Liu. A Personalized (a,k)-Anonymity Model . In Proceedings of the 9th International Conference on Web-Age Information Management. Piscataway, pages 341-348, 2008. J.W. Byun, A. Kamra, E. Bertino, et al. Efficient k-Anonymization Using Clustering Techniques. In Proceedings of DASFAA 2007, pages 188-200, 2007. G. Loukides, J.H. Shao. An Efficient Clustering Algorithm for k-Anonymisation. International Journal of Computer Science And Technology,23(2):188-202, 2008. J.L. Lin, M.C. Wei. Genetic Algorithm-Based Clustering Approach for k-Anonymization. International Journal of Expert Systems with Applications,36(6):9784-9792, 2009. L.J. Lu, X.J. Ye. An Improved Weighted-Feature Clustering Algorithm for k-Anonymity. In Proceedings of the 5th International Conference on Information Assurance and Security, pages 415-419, 2009. Z.H. Wang, J. Xu, W. Wang, et al. Clustering-Based Approach for Data Anonymization. Chinese Journal of Software,21(4):680-693, 2010. Y.H. Yu, W.Y. Bai. Integrated Privacy Protection and Access Control over Outsourced Database Services. Journal of Computational Information Systems, 6 (8): 2767-2777, 2010.