A privacy-preserving aggregation scheme based on immunological negative surveys for smart meters☆
Introduction
Electricity is a primary form of energy and is essential to the development of industry. As the next generation of the power grid, the smart grid has received a great deal of attention. The smart meter is one of the basic pieces of equipment for smart grid data collection and underpins many smart grid functions, including load monitoring, billing, detecting user behavior patterns, improving electricity efficiency, detecting electricity theft and anomaly detection [1], [2], [3].
Load monitoring is an important task that could improve the efficiency and security of the power grid; it needs the sum of all users' power consumption in one area. However, as noted in [4], [5], the power consumption data obtained by smart meters are so fine-grained that an adversary could infer sensitive information from users' power consumption, such as their daily habits, the number of persons in the household and even which domestic appliances are currently in use. The adversary could then conduct spam harassment and advertising campaigns based on the sensitive information he obtains. This prospect raises users' concern about the privacy of their power consumption data [6]. Although many policies and laws have been proposed to preserve the privacy of power consumption data, users still worry about their privacy. Therefore, it is very important to develop a privacy-preserving aggregation scheme for smart meters, and much research has been devoted to preserving users' privacy when smart meters aggregate information from users. There are three primary types of schemes for preserving privacy when smart meters aggregate power consumption data: anonymization-based, perturbation-based and encryption-based aggregation schemes [7]. Anonymization-based schemes usually require a trusted third party. Perturbation-based schemes are simple and efficient, but some of them could not withstand individual failures. Encryption-based schemes are time-consuming and cannot defend against differential attacks; moreover, to ensure security they usually increase the size of the ciphertext [8]. Typical schemes are reviewed in detail in Section 2.2.
Inspired by human immunological mechanisms, the Artificial Immune System was proposed and has been widely used in optimization [9], computer security [10], data privacy [11] and so on. As a branch of the artificial immune system, the negative survey [12] was proposed to collect sensitive information while preserving individual privacy. Because it is simple and preserves privacy without a trusted third party, the negative survey has been used to collect many different kinds of sensitive information [11]. In the negative survey, the participant is asked only to select a category that he does not belong to (called the negative category), rather than the category he belongs to (called the positive category). The collector can then infer the distribution of positive categories from the distribution of negative categories by statistical methods (called reconstruction methods), such as NStoPS [12], NStoPS-I [13] and NStoPS-II [13]. However, the traditional negative survey [12] is mainly applied to collecting static data; it does not consider the privacy threat posed by time-series data such as power consumption data.
In this paper, we propose a method based on the negative survey for collecting time-series data from users, and employ it to collect power consumption data. It provides the aggregated data the smart grid needs while preserving the privacy of individual power consumption data. Power consumption is a kind of time-series data: it increases or decreases as domestic appliances are turned on or off, so the changes in power consumption depend strongly on users' behaviors. Our method does not limit the time frame of the time-series data and can run continually. Its purpose is to preserve the privacy of users' power consumption during load monitoring. The private information considered in this paper is the value of a user's power consumption, because once it is disclosed the adversary could infer sensitive information about the user and conduct harassment, for example spam harassment and advertising campaigns based on information about the user's domestic appliances.
Our contributions in this paper can be summarized as follows.
- (1) We analyze the privacy-preserving ability of the traditional negative survey when it is used to collect time-series data, and demonstrate that the traditional negative survey might disclose the privacy of users' time-series data.
- (2) We propose an improved strategy for the negative survey that can be used to collect time-series data, and then apply the improved negative survey to collect power consumption data. The theoretical analysis demonstrates that our method could preserve the privacy of users' power consumption data. Besides, the proposed method does not require a trusted third party and could resist differential attacks. Moreover, it is robust, simple and efficient.
- (3) The experimental results on synthetic and real datasets demonstrate that our method could provide the sum of power consumption data to the smart grid for load monitoring.
The rest of this paper is organized as follows. Some related work is introduced in Section 2. The system model used in this paper is described in Section 3. Section 4 analyzes the privacy of the traditional negative survey when it collects time-series data. The details of our method are given in Section 5. The privacy analysis is presented in Section 6. The experimental results and corresponding analysis are given in Section 7. Section 8 discusses the proposed method, and Section 9 gives the conclusion and future work.
Negative survey
As a branch of the Artificial Immune System, the negative survey [12] is inspired by the self-nonself discrimination paradigm of the human immune system. In the negative survey proposed in [12], the user just needs to randomly return a category that he does not belong to with the probability , rather than a category he belongs to, where is the number of the categories. In the negative survey, the category which the user belongs to is called the positive category, while the categories he does not
System model
Usually the electric current of a smart meter for an endpoint user has a maximum value, so the power consumption of each endpoint user also has a maximum value. We use this maximum value to determine the range of users' power consumption, and then split that range into small sub-ranges, i.e., categories. For each user, we use a small range of power consumption to represent the exact value. The negative survey can then be employed to collect the power consumption range.
For example, suppose that
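As an added example (not the paper's code), the following Python simulates the traditional negative survey over power-consumption ranges as described in the introduction and in this section: each meter reports one range it does not fall in, and the collector reconstructs the positive distribution with NStoPS and estimates the load from range mid-values. The 6 kW meter limit, the six 1 kW ranges and the readings are constructed values.

```python
import random

# Constructed setting (not from the paper): a meter whose maximum reading is
# 6 kW, split into c = 6 equal 1 kW ranges, so category i covers [i, i+1) kW.
MAX_KW = 6.0
NUM_CATEGORIES = 6
RANGE_WIDTH = MAX_KW / NUM_CATEGORIES
MID_VALUES = [(i + 0.5) * RANGE_WIDTH for i in range(NUM_CATEGORIES)]

def positive_category(kw):
    """Index of the range (category) that contains an exact reading."""
    if not 0 <= kw <= MAX_KW:
        raise ValueError("reading outside the meter's range")
    return min(int(kw // RANGE_WIDTH), NUM_CATEGORIES - 1)

def negative_response(pos, rng):
    """Meter side of the traditional negative survey: report one category the
    reading does NOT fall in, chosen uniformly from the other c-1 categories."""
    others = [i for i in range(NUM_CATEGORIES) if i != pos]
    return rng.choice(others)

def collect(readings, rng=None):
    """Collector side: only negative categories ever leave the meters.
    Returns t, the number of negative responses landing in each category."""
    rng = random.Random() if rng is None else rng
    counts = [0] * NUM_CATEGORIES
    for kw in readings:
        counts[negative_response(positive_category(kw), rng)] += 1
    return counts

def nstops(negative_counts, n):
    """NStoPS reconstruction: E[t_i] = (n - r_i) / (c - 1), so r_i = n - (c-1) t_i.
    Single estimates are noisy and may even be negative for small n (NStoPS-I/II
    refine this); the c estimates always sum to exactly n."""
    c = len(negative_counts)
    return [n - (c - 1) * t for t in negative_counts]

def estimate_load(negative_counts, n):
    """Estimated total load (kW) for one time slice: reconstructed number of
    users in each range, weighted by that range's mid-value."""
    r = nstops(negative_counts, n)
    return sum(r_i * m for r_i, m in zip(r, MID_VALUES))

if __name__ == "__main__":
    rng = random.Random(7)  # constructed readings: 1,000 households over 0-6 kW
    readings = [rng.uniform(0, MAX_KW) for _ in range(1000)]
    t = collect(readings, rng)
    print("true load: %.1f kW" % sum(readings))
    print("estimated load: %.1f kW" % estimate_load(t, len(readings)))
```

Because the estimates always sum to n, a user whose category is never reported as negative by anyone is reconstructed exactly, which is why the test below uses readings that all fall in one range.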
The privacy analysis of traditional negative survey
The traditional negative survey mentioned in [12] might compromise the privacy of users when it collects time-series data such as power consumption data. If the adversary knows a period during which the user's category remains unchanged, and the user participates in the negative survey many times during that period, then the adversary could shrink the set that contains the user's positive category according to the series of negative categories selected by the user. Therefore, if the
The negative categories collecting strategy
From the analysis in Section 4, we see that the traditional negative survey might disclose privacy when it collects time-series data such as power consumption data. To solve this problem, we make some improvements to the traditional negative survey.
Suppose that small power consumption ranges comprise a set . In our method, when a user participates in the negative survey for the first time, before he selects a negative category, he should randomly select () categories that do
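As an added example (not the paper's code), the following Python contrasts the candidate-set shrinkage analysed in Section 4 with the fixed-subset strategy of Section 5. The eight categories are constructed; because the strategy's description is truncated on this page, the reading that the selected categories are chosen once on the first round and reused afterwards is an assumption.

```python
import random

# Constructed setting (not from the paper): c = 8 power-consumption ranges,
# categories 0..7, and a user whose positive category stays the same for
# `rounds` consecutive survey rounds (the situation analysed in Section 4).
NUM_CATEGORIES = 8

def traditional_negatives(pos, rounds, rng=None):
    """Traditional negative survey: every round picks a fresh negative category
    uniformly from the c-1 categories other than the positive one."""
    rng = random.Random() if rng is None else rng
    others = [i for i in range(NUM_CATEGORIES) if i != pos]
    return [rng.choice(others) for _ in range(rounds)]

def fixed_subset_negatives(pos, k, rounds, rng=None):
    """Improved strategy as we read Section 5 (the text is truncated on this
    page, so this is an assumption): on the first round the user fixes k
    categories he does not belong to, and every later negative answer is
    drawn from that same k-element subset only."""
    if not 1 <= k <= NUM_CATEGORIES - 1:
        raise ValueError("k must lie in 1..c-1")
    rng = random.Random() if rng is None else rng
    others = [i for i in range(NUM_CATEGORIES) if i != pos]
    subset = rng.sample(others, k)
    return [rng.choice(subset) for _ in range(rounds)]

def candidate_set(negatives):
    """What a collector who stores every answer still cannot rule out: the
    positive category lies outside every negative category ever reported."""
    return set(range(NUM_CATEGORIES)) - set(negatives)

def compare(pos, k, rounds, seed=0):
    """Candidate-set size after `rounds` answers under both strategies.
    Traditional shrinks toward 1 (the positive category is exposed);
    fixed-subset never drops below c - k, whatever the number of rounds."""
    rng = random.Random(seed)
    trad = len(candidate_set(traditional_negatives(pos, rounds, rng)))
    fixed = len(candidate_set(fixed_subset_negatives(pos, k, rounds, rng)))
    return trad, fixed

if __name__ == "__main__":
    for rounds in (1, 5, 20, 200):
        print("rounds=%3d  traditional=%d  fixed-subset=%d" % ((rounds,) + compare(3, 3, rounds)))
```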
Attack model
Even though the users in our model only send power consumption ranges to the collector, when the power consumption ranges are small the adversary could still infer some sensitive information about users. Therefore, the adversary considered in this paper is one who wants to uniquely determine the user's positive power consumption range. For this purpose, he could collude with the collector and obtain the information sent by users as well as the information stored by the collector. In
Experiments and analysis
The method proposed in this paper is used to collect the sum of power consumption at each time slice. In Section 6, we theoretically demonstrated that our method could preserve the privacy of users' power consumption even when collecting users' power consumption continuously. In this section, we simulate the time-series data attack to further test the security of our method. Furthermore, we also use users' power consumption at one time slice to test the utility of our method.
The privacy of our method
Admittedly, for the improved version of our method, the adversary could obtain more information about the user's real power consumption, because he could obtain the difference between the user's real power consumption and the mid-value of the user's positive power consumption range. However, since he does not know the user's positive power consumption range, the adversary still cannot obtain the value of the user's real power consumption, or even a close value. Therefore, the improved method could still
Conclusion and future work
Power consumption data are fundamental to the functions of the smart grid. As the data source for load monitoring, power consumption data are important for improving the efficiency and security of the power grid. However, they contain much sensitive information about users, which makes an increasing number of users worry about their privacy. For the development of smart meters and smart grids, we must preserve users' privacy when aggregating power consumption. In this paper, we
Declaration of Competing Interest
No author associated with this paper has disclosed any potential or pertinent conflicts which may be perceived to have impending conflict with this work. For full disclosure statements refer to https://doi.org/10.1016/j.asoc.2019.105821.
References
- et al., Recent advances in artificial immune systems: models and applications, Appl. Soft Comput. (2011)
- et al., Surveys with negative questions for sensitive items, Statist. Probab. Lett. (2009)
- et al., Estimating positive surveys from negative surveys, Statist. Probab. Lett. (2013)
- et al., On the dependable level of the negative survey, Statist. Probab. Lett. (2014)
- et al., Application and analysis of multidimensional negative surveys in participatory sensing applications, Pervasive Mob. Comput. (2013)
- et al., Multiple-negative survey method for enhancing the accuracy of negative survey-based cloud data privacy: Applications and extensions, Eng. Appl. Artif. Intell. (2017)
- et al., UDP: Usage-based dynamic pricing with privacy preservation for smart grid, IEEE Trans. Smart Grid (2013)
- et al., Smart grid technologies: Communication technologies and standards, IEEE Trans. Ind. Inform. (2011)
- et al., Parq: A privacy-preserving range query scheme over encrypted metering data for smart grid, IEEE Trans. Emerg. Top. Comput. (2013)
- et al., Towards privacy protection in smart grid, Wirel. Pers. Commun. (2013)
- Smart meter data privacy: A survey, IEEE Commun. Surv. Tutor.
- Cost-effective and privacy-preserving energy management for smart meters, IEEE Trans. Smart Grid
- SoK: Privacy Technologies for Smart Grids: A Survey of Options
- EPPA: An efficient and privacy-preserving aggregation scheme for secure smart grid communications, IEEE Trans. Parallel Distrib. Syst.
- Recent advances in clonal selection algorithms and applications
- Three branches of negative representation of information: A survey, IEEE Trans. Emerg. Top. Comput. Intell.
- A statistical approach to provide individualized privacy for surveys, PLoS One
- On location and trace privacy of the moving object using the negative survey, IEEE Trans. Emerg. Top. Comput. Intell.
- Limited negative surveys: privacy-preserving participatory sensing
- Reconstructing spatial distributions from anonymized locations
- A novel negative location collection method for finding aggregated locations, IEEE Trans. Intell. Transp. Syst.
- Anonymous data collection in sensor networks
- On the reconstruction method for negative surveys with application to education surveys, IEEE Trans. Emerg. Top. Comput. Intell.
☆ This work is supported by the National Natural Science Foundation of China (No. 61175045) and the open foundation of the Anhui Province Key Laboratory of Intelligent Building & Building Energy Saving (No. IBBE2018KX01ZD).