Bottom-Up Cell Suppression that Preserves the Missing-at-random Condition

Abstract

This paper proposes a cell-suppression based k-anonymization method which keeps minimal the loss of utility. The proposed method uses the Kullback-Leibler (KL) divergence as a utility measure derived from the notions developed in the literature of incomplete data analysis, including the missing-at-random (MAR) condition. To be more specific, we plug the KL divergence into an bottom-up, greedy procedure for a local recoding k-anonymization as a cost function which is efficiently computed. We focus on classification datasets and experimental results exhibit that the proposed method yields a small degradation of classification performance when combined with naive Bayes classifiers.

Appendix: Derivation of the Proposed Suppression Cost

Here, we complete the derivation of the cost function \(\varGamma _\mathrm{mar}\) by showing how to obtain Eqs. 7 and 9. First, let us note that \(\hat{p}(c)=\hat{q}(c)\) holds since the class label c is initially non-null and will be never suppressed. Equation 7 is then derived as follows:

(13)

(14)

$$\begin{aligned}= & {} \sum _c \hat{p}(c) \sum _{j=1}^M \sum _{x_j}\hat{p}(x_j\mid c)\log \frac{\hat{p}(x_j\mid c)}{\hat{q}(x_j\mid c)} \Bigl (\prod _{j'=1}^{j-1}\sum _{x_{j'}}\hat{p}(x_{j'}\mid c)\Bigr )\Bigl (\prod _{j'=j+1}^M\sum _{x_{j'}}\hat{p}(x_{j'}\mid c)\Bigr ) \nonumber \\= & {} \sum _c \hat{p}(c) \sum _{j=1}^M \sum _{x_j}\hat{p}(x_j\mid c)\log \frac{\hat{p}(x_j\mid c)}{\hat{q}(x_j\mid c)}. \end{aligned}$$

(15)

In Eqs. 13 and 14, we carefully reordered summations and moved irrelevant factors outside the summations wherever possible. Equation 15 was finally derived using \(\sum _{x_{j'}}\hat{p}(x_{j'}\mid c)=1\) since \(\hat{p}\) is a probability function.

On the other hand, for Eq. 9, we have been considering a specific case where the j-th non-null attribute value \(x_j\) of a tuple \(t=({{\varvec{y}}},c)\) is suppressed. We have \(\hat{q}(x_j\mid c)=(N(x_j,c)+\alpha )/(N(\lnot \bot _j,c)+\alpha |\mathcal{V}_j|)\) and \(\hat{q}'(x_j\mid c)=(N(x_j,c)-N({{\varvec{y}}},c)+\alpha )/(N(\lnot \bot _j,c)-N({{\varvec{y}}},c)+\alpha |\mathcal{V}_j|)\) as already mentioned, and additionally, for each value \(x'_j\) of j-th attribute which is not suppressed this time (i.e. \(x'_j\ne x_j\)), we have \(\hat{q}'(x'_j\mid c)=(N(x'_j,c)+\alpha )/(N(\lnot \bot _j,c)-N({{\varvec{y}}},c)+\alpha |\mathcal{V}_j|)\). Substituting these probabilities into Eq. 8 results in Eq. 9 as follows: