SABRE: a Sensitive Attribute Bucketization
and REdistribution framework for t-closeness
Authors: Jianneng Cao, Panagiotis Karras, Panos Kalnis, Kian-Lee Tan
Published in VLDB Journal 02/2011
Presented by Hongwei Tian
Outline
• Privacy measure: t-closeness
• Earth Movers’ Distance (EMD)
• SABRE Algorithm
– Bucketization
– REdistribution
• Experiments
2
t-closeness
The published table still suffers
other types of privacy attacks
3
t-closeness
• skewness attack
– SA Particular Virus, overall SA distribution 99% negative
and 1% positive, SA distribution in one EC 50% negative
and 50% positive
• similarity attack
– SA values in one
EC are distinct but
semantically similar
4
t-closeness
• An equivalence class is said to have t-closeness if the distance
between the distribution of a sensitive attribute in this class
and the distribution of the attribute in the whole table is no
more than a threshold t. A table is said to have t-closeness if
all equivalence classes have t-closeness.
• P = (p1, p2, …, pm), Q = (q1, q2, …, qm), D(P,Q) ≤ t
5
Earth Movers’ Distance (EMD)
• Intuitively, it views one distribution as a mass of earth piles spread over a
space, and the other as a collection of holes, in which the mass fits, over
the same space.
• The EMD between the two is defined as the minimum work needed to fill
the holes with earth, thereby transforming one distribution to the other.
• P = (p1, p2, …, pm): distribution of “holes”
Q = (q1, q2, …, qm): distribution of “earth”
dij: ground distance of qi from pj
F=[fij], fij≥0: a flow of mass of earth moved from elements qi to pj
Minimize
6
Earth Movers’ Distance (EMD)
• dij and fij are flexible, thus the EMD problem is NP-hard. If dij is
fixed, the EMD problem becomes deterministic.
• Numerical SA
– Ordered domain (v1, v2, …, vm)
– dij = |i-j| / m-1
– The minimal work for transforming Q to P can be calculated by
sequentially satisfying the earth needs of each hole element, moving
earth from/to its immediate neighbor pile.
– ri = qi – pi
– q1 is moved to fill p1, if q1>p1, the extra r1 earth is moved to fill p2; and
at p2, if q2>p2, the extra r1+r2 earth is moved to fill p3. If q1<p1, it means
p1 needs extra r1 earth to be moved from q2.
7
Earth Movers’ Distance (EMD)
• Categorical SA
–
–
–
–
Generalization hierarchy H
dij = h(vi,vj)/h(H)
h(vi,vj): height of least common ancestor of vi and vj
The minimal work for transforming Q to P can be calculated by moving
extra earth, as much as possible, from/to its sibling pile under least
common ancestor in H.
– Extra earth to move out/in
– For an internal node n
8
Earth Movers’ Distance (EMD)
• Categorical SA (Continued)
– For an internal node n, only min(pose(n), nege(n)) earth is moved in
the subtree rooted at n
– The extra(n) will be moved to/from n’s parent
– The cost of node n
– The total EMD
q1>p1
q2>p2
q3<p3
pos1
pos2
neg
extra(S) extra(P) extra(B)
9
SABRE Algorithm
• SABRE consists of two phases:
– Bucketization: partitions DB into a set of buckets,
such that each SA value appears in only one
bucket
– Redistribution: reallocates tuples from buckets to
ECs
10
SABRE - Bucketization
• Proportionality requirement
– Given a table DB and a bucket partition ϕ, assume that an EC, G, is
formed with xi tuples from bucket Bi ∈ ϕ, i = 1, 2, …, |ϕ|.
– G satisfies the proportionality requirement with respect to ϕ, if and
only if the sizes of xi are proportional to those of Bi , i.e., |x1| : |x2| : ···
: |x|ϕ|| = |B1| : |B2| : ··· : |B|ϕ||
– One bucket partition ϕ’=(B1,B2,…,Bm), each bucket Bi only contains
tuples that have SA value vi. Select xi tuples from bucket Bi, to form an
EC G following the proportionality requirement, then |x1| : |x2| : ··· :
|xm| = |B1| : |B2| : ··· : |Bm| = N1 : N2 : ··· : Nm, thus G’s SA distribution
is same as DB’s SA distribution, that is 0-closeness.
– A complete enforcement of 0-closeness for all ECs would severely
degrade information quality.
11
SABRE - Bucketization
• Consider Buckets of more than one distinct SA
value
– Less buckets
– When pick xi tuples from a bucket Bi to EC following proportionality
requirement, SA values are not discriminated
– And, it is usually not obeyed that |z1| : |z2| : ··· : |zm|= N1 : N2 : ··· : Nm
– Thus, this is not 0-closeness anymore, we need to consider EMD.
12
SABRE - Bucketization
• The questions
– How should we partition SA values into buckets?
– How many buckets should we generate to ensure
t-closeness?
13
SABRE - Bucketization
• Basic idea
– SABRE partitions DB hierarchically, based on the SA values of its tuples,
forming a bucketization tree.
– Each node of this tree denotes a bucket containing tuples having a
certain subset of SA values. (For categorical SA, the subset follows the
SA domain hierarchy; For numerical SA, the subset is determined by
the selected split)
– The leaf nodes of the tree are the buckets that correspond to the
actual bucket partition of DB.
14
SABRE - Bucketization
• Basic idea (Continued)
– The tree starts with a single node, the root, which corresponds to the
entire table with the whole domain of SA
– Then the tree grows in a top-down manner by recursively splitting leaf
nodes.
15
SABRE - Bucketization
• Basic idea (Continued)
– A node is not always valid to be split.
• Suppose we split a node to get new nodes/buckets.
• Consider the new buckets (and all other leaves), if we form an EC
G to pick tuples from these buckets following proportionality
requirement, the EC’s SA distribution Q = (q1, q2, …, qm).
• For one bucket B with distribution (p1, p2, …, pj), we need to
transform (q1, q2, …, qj) to (p1, p2, …, pj), and the cost is CET(B,G).
• For other buckets with distribution like (pj+1, pj+2, …, pm), repeat
the transformations.
• Then the Q=(q1, q2, …, qm) is transformed to P = (p1, p2, …, pm), and
the total cost is ∑CET(B,G) for all B.
16
SABRE - Bucketization
• Basic idea (Continued)
– A node is not always valid to be split.
• But, EC’s distribution is not known when splitting. Fortunately, we
can describe the worst case (CET(B,G) maximized) for EC’s
distribution. That is , Upper-bound cost in a bucket,
• If
≤ t, any EC selecting tuples from buckets following
proportionality requirement satisfies t-closeness.
17
SABRE - Bucketization
• Basic idea (Continued)
– In each iteration, we determine U as the summation of all upper
bounded cost.
– In this way, we select the node that contributes to the largest
reduction of U as the node to be further split.
– This process terminates when U becomes smaller than the closeness
threshold t.
18
SABRE - Redistribution
• The questions
– How many ECs should we generate?
• We need a plan to find number of ECs and size of each
EC.
– How should we choose tuples from each bucket to
form an EC?
19
SABRE - Redistribution
• Basic idea
– Consider the process of dynamically determining the size of an EC, or
deciding how many tuples to take out from each bucket to form an EC.
– First, we consider all tuples of DB (i.e., all the buckets in ϕ) as a single
EC, r.
– Then we split r into two ECs by dichotomizing Bi into Bi1 and Bi2, Bi1 and
Bi2 have approximately the same size.
– The left child c1 of r is composed of Bi1, and the right child c2 of r is
composed of Bi2
20
SABRE - Redistribution
• Basic idea (Continued)
– The leaf nodes are ECs, which indicates how many tuples take out
from each bucket
– If a node follows proportionality requirement, this node (EC) satisfies
t-closeness. For example, [5,4] because of 5/9:4/9 = 10/18:8/18
– But, sometimes, it is impossible to pick tuples from buckets following
proportionality requirement, such as [3,2].
– So, extra work is needed to transform (3/5,2/5) to (5/9,4/9). Notice,
this is not SA distribution, but bucket distribution in EC.
– Define
where Vi is the set of SA values in bucket Bi
21
SABRE - Redistribution
• Basic idea (Continued)
– The extra transformation work can be measured by D=EMD(d(G,φ),d(DB,
φ)). For example, EMD((3/5,2/5), (5/9,4/9))
– In this example, bucket distribution P=(p1,p2)=(5/9,4/9),
Q=(q1,q2)=(3/5,2/5), d11=d22=0, d12=1. Then, move 5/9 from q1 to p1
(at cost 0), move 2/5 from q2 to p2 (at cost 0), move 3/5-5/9=2/45 from
q1 to p2 (at cost 1×2/45=2/45). So, D=EMD(d(G,φ),d(DB, φ)) = 2/45.
– After the transformation, the EC can be considered picking tuples from
buckets following proportionality requirement.
– The total cost for this EC is D+U= EMD(d(G,φ),d(DB, φ)) +
22
SABRE - Redistribution
• Basic idea (Continued)
– A split is allowed only if both EMD(d(c1,φ),d(DB, φ)) + U ≤ t and
EMD(d(c2,φ),d(DB, φ)) + U ≤ t
– The algorithm executes in a recursive way and terminates when no more
node can be split.
– Finally, we get leaf nodes representing the size of possible ECs.
23
SABRE-TakeOut
• For each EC, pick real tuples from buckets according
the ECs’ sizes [a1, a2, …, a| φ |].
• Consider the QI information quality
– Select a random tuple x from a randomly selected bucket B
– SABRE-KNN
• In each bucket Bi, find nearest ai neighbors of x and add them into
G.
– SABRE-AK
• Map multidimensional QI space to one-dimensional Hilbert values.
Each tuple has a Hilbert value.
• Sort all tuples in each bucket in ascending order of their Hilbert
values
• find x’s ai nearest neighbors in bucket Bi.
24
Experiments
• Compare SABRE-KNN, SABRE-AK with
– tIncognito
• Sigmod 2005
– tMondrian
• ICDE 2006
• CENSUS dataset containing 500,000 tuples and 8
attributes.
25
Experiments
26
Experiments
27
• Questions?
Thank you.
28