MobiHide: A Mobile Peer-to-Peer System
for Anonymous Location-Based Queries
Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos
National University of Singapore
and
University of Peloponnese, Greece
Location-Based Services
LBS users
Location server is NOT trusted
Mobile devices with GPS capabilities
NN and Range Queries
“Find closest hospital to my present location”
Google Maps, Mapquest, Microsoft Live, etc.
Privacy? Anonymity?
Problem Statement
Hide IP address and username
But user location may disclose identity
Triangulation of device signal
Publicly available databases
Physical surveillance
How to preserve query source anonymity?
Even when exact user locations are known
K-Anonymity [Swe02]
Quasi-identifier: (Age, ZipCode)

(a) Microdata

  Age  ZipCode  Disease
  42   25000    Flu
  46   35000    AIDS
  50   20000    Cancer
  54   40000    Gastritis
  48   50000    Dyspepsia
  56   55000    Bronchitis

(b) Voting Registration List (public)

  Name  Age  ZipCode
  Andy  42   25000
  Bill  46   35000
  Ken   50   20000
  Nash  54   40000
  Mike  48   50000
  Sam   56   55000
[Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty,
Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
K-Anonymity (cont.)
(a) 2-anonymous microdata

  Age    ZipCode      Disease
  42-46  25000-35000  Flu
  42-46  25000-35000  AIDS
  50-54  20000-40000  Cancer
  50-54  20000-40000  Gastritis
  48-56  50000-55000  Dyspepsia
  48-56  50000-55000  Bronchitis

(b) Voting Registration List (public), as on the previous slide

  Name  Age  ZipCode
  Andy  42   25000
  Bill  46   35000
  Ken   50   20000
  Nash  54   40000
  Mike  48   50000
  Sam   56   55000
Anonymizing Spatial Region (ASR)
The query is sent with a region that contains K users instead of the exact location, so identification probability ≤ 1/K
Centralized Anonymizer
Intermediate tier between users and LBS
Bottleneck and single point of attack/failure
MobiHide – Fully Distributed
Existing Work: CloakP2P [Chow06]
Find K-1 NN of query source
Source likely to be closest to ASR center
Vulnerable to “center-of-ASR” attack
NOT SECURE !!!
(figure: query source uq near the centre of a 5-ASR)
[Chow06] – Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS ’06
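An added simulation of the “center-of-ASR” attack (my code, not the authors' and not CloakP2P itself; only its K-1 nearest-neighbour group rule, as the slide describes it, is modelled). User locations are constructed uniformly at random on a unit square, the attacker is assumed to know every user's location (the threat model from the problem statement), and the attacker's guess is simply the user nearest the centre of the ASR.

```python
"""Centre-of-ASR attack against nearest-neighbour cloaking (added example)."""
import math
import random
from typing import Dict, List, Tuple

Point = Tuple[float, float]


def knn_group(users: Dict[str, Point], source: str, k: int) -> List[str]:
    """CloakP2P-style anonymizing set: the query source plus its K-1 nearest neighbours."""
    sx, sy = users[source]
    others = sorted((u for u in users if u != source),
                    key=lambda u: math.dist(users[u], (sx, sy)))
    return [source] + others[:k - 1]


def asr(users: Dict[str, Point], members: List[str]) -> Tuple[float, float, float, float]:
    """Anonymizing Spatial Region: minimum bounding rectangle (x1, y1, x2, y2) of the group."""
    xs = [users[u][0] for u in members]
    ys = [users[u][1] for u in members]
    return min(xs), min(ys), max(xs), max(ys)


def centre_of_asr_guess(users: Dict[str, Point], region) -> str:
    """Attacker's rule: among the users inside the ASR (all locations are assumed known),
    name the one closest to the rectangle's centre."""
    x1, y1, x2, y2 = region
    cx, cy = (x1 + x2) / 2, (y1 + y2) / 2
    inside = [u for u, (x, y) in users.items() if x1 <= x <= x2 and y1 <= y <= y2]
    return min(inside, key=lambda u: math.dist(users[u], (cx, cy)))


def attack_success_rate(n_users: int, k: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo over constructed random users: fraction of queries where the
    centre-of-ASR guess names the true source. A region that genuinely hid the source
    among K users would give about 1/K."""
    rng = random.Random(seed)
    users = {f"u{i}": (rng.random(), rng.random()) for i in range(n_users)}
    hits = 0
    for _ in range(trials):
        src = rng.choice(list(users))
        region = asr(users, knn_group(users, src, k))
        hits += centre_of_asr_guess(users, region) == src
    return hits / trials


if __name__ == "__main__":
    k = 5
    rate = attack_success_rate(n_users=500, k=k, trials=200)
    print(f"K={k}: centre-of-ASR guess correct {rate:.0%} of the time (1/K = {1 / k:.0%})")
```

The success rate is far above 1/K because the source, having chosen its own nearest neighbours, sits near the middle of the group by construction; any cloaking rule whose output depends on which member asked leaks in this way, which is what the reciprocity property on the next slides rules out.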
Existing Work: PRIVE [GKS07]
AS_q (the anonymizing set of query source u_q) has the reciprocity property iff
  i.  |AS_q| ≥ K
  ii. ∀ u_i, u_j ∈ AS_q: u_i ∈ AS_j and u_j ∈ AS_i
(AS_i is the anonymizing set u_i would generate; every member of a reciprocal set produces the same set, so the ASR is equally consistent with any member as the source)
[GKS07] – PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW ’07
PRIVE (cont.)
Based on Hilbert space-filling curve
index users by Hilbert value of location
partition Hilbert sequence into “K-buckets”
PRIVÉ Hierarchical Architecture
But requires “global knowledge”
Global rank of query source required
PRIVÉ employs an annotated tree index
Motivation
(figure: PRIVÉ at the “more secure” corner, CloakP2P at the “faster” corner, MobiHide positioned between them)
MobiHide
Uses Hilbert transformation
Key Idea
Remove the need for global knowledge
Allow random group formation
Scalable DHT infrastructure employed
Chord DHT
MobiHide: Group Formation
(figure: a group of K users around the query source)
MobiHide: Example
(figure)
MobiHide: Privacy
MobiHide is not reciprocal
Privacy guarantee holds for a uniform query distribution only
But it offers strong privacy in practice, even for a skewed distribution
Correlation Attack (K = 4)
Users on the Hilbert ring (user: Hilbert value), K = 4:
U1:3  U2:5  U3:10  U4:15  U5:18  U6:27  U7:33  U8:43  U9:56  U10:58
• 4-anonymity not achieved
• However: difficult attack in practice
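An added model (my code, not the authors') of MobiHide group formation on the ring from this slide, and of what an attacker can infer from a group. The group rule assumed here is a uniformly random offset alpha in 0..K-1 giving K consecutive ring users around the source; the attacker is assumed to know the ring (all locations, as in the problem statement) and each user's query rate. It shows why the 1/K guarantee holds exactly when every member queries equally often, and how a frequent querier stands out when the distribution is skewed.

```python
"""MobiHide-style group formation on the slide's Hilbert ring and the attacker's posterior."""
import random
from fractions import Fraction
from typing import Dict, List, Optional

# Transcribed from the slide: users in Hilbert order (values 3 5 10 15 18 27 33 43 56 58),
# treated as a ring so the sequence wraps from U10 back to U1.
RING: List[str] = ["U1", "U2", "U3", "U4", "U5", "U6", "U7", "U8", "U9", "U10"]


def candidate_groups(ring: List[str], source: str, k: int) -> List[List[str]]:
    """All K windows of K consecutive ring users that contain the source; under the
    assumed rule each is chosen with probability 1/K (offset a = how many precede the source)."""
    i = ring.index(source)
    return [[ring[(i - a + j) % len(ring)] for j in range(k)] for a in range(k)]


def form_group(ring: List[str], source: str, k: int,
               rng: Optional[random.Random] = None) -> List[str]:
    """Assumed MobiHide rule: draw alpha uniformly from 0..K-1 and take the alpha users
    before the source and the K-1-alpha users after it on the ring."""
    alpha = (rng or random).randrange(k)
    return candidate_groups(ring, source, k)[alpha]


def posterior(group: List[str], k: int, rates: Dict[str, int]) -> Dict[str, Fraction]:
    """Attacker's view of an observed group G. With q(u) the query rate of u:
    P(source = u | G) = q(u) * (1/K) / sum_{v in G} q(v) * (1/K) = q(u) / sum_{v in G} q(v).
    Users outside G have probability 0 (they could not have produced G)."""
    total = sum(Fraction(rates.get(u, 0)) for u in group)
    return {u: Fraction(rates.get(u, 0)) / total for u in group}


def identification_probability(group: List[str], k: int, rates: Dict[str, int]) -> Fraction:
    """Probability that the attacker's best guess (most probable member) is right."""
    return max(posterior(group, k, rates).values())


if __name__ == "__main__":
    g = form_group(RING, "U3", 4, random.Random(7))
    uniform = {u: 1 for u in RING}                      # every user queries equally often
    skewed = {u: (7 if u == "U3" else 1) for u in RING}  # constructed: U3 queries 7x as often
    print("group:", g)
    print("uniform workload:", identification_probability(g, 4, uniform))   # 1/4
    print("skewed workload: ", identification_probability(g, 4, skewed))    # 7/10
```

With a uniform workload every member of the observed window is an equally good explanation for it, which is the 1/K guarantee; the posterior is the same for all K candidate windows, so it does not matter which offset was drawn. With the skewed workload the heavy querier U3 is named with probability 7/10, so 4-anonymity is not achieved, matching the slide. The attack needs the attacker to learn per-user query rates and a stable ring, which is why the slide calls it difficult in practice.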
MobiHide Implementation
Two-layer Chord DHT
Each Chord node is a cluster of users
Bounded cluster size [,3)
User Join/Cluster Split
Load Balancing & Fault Tolerance
Load Balancing
Cluster head rotation mechanism
Fault Tolerance
Chord Periodic Stabilization Protocol
Leader election protocol
In case of cluster head failure
Experimental Setup
San Francisco Bay Area road network
Network-based Generator of Moving Objects*
Up to 10000 users
Velocities from 18 to 68 km/h
Uniform and skewed query distribution
* T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica,
6(2):153–180, 2002.
“Center-of-ASR” Attack
(figure: results)
Correlation Attack
(figure: results)
ASR Formation Latency
(figure: Response Time (sec))
Points to Remember
LBS Privacy an important concern
Existing solutions are either not secure …
… or not scalable
MobiHide
Privacy guarantee for a uniform query workload
Good best-effort privacy for a skewed workload
Excellent scalability inherited from Chord DHT
Bibliography on LBS Privacy
http://anonym.comp.nus.edu.sg
Bibliography
[Chow06] – Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS 2006
[Gru03] – Gruteser et al., Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
[GKS07] – Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 2007
[Mok06] – Mokbel et al., The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006