BES: Differentially private event aggregation for large-scale IoT-based systems

Highlights

• Maximize differential privacy’s utility based on statistics’ aggregation parameters.

• Streaming-based prototype on Apache Flink for fast distributed online analysis.

• Evaluation with real-world AMI data showing excellent accuracy and performance.

• Show differentially-private aggregation can protect from de-anonymization attacks.

Abstract

The emergence of Internet of Things (IoT) offers many advantages, but it also raises significant challenges with respect to efficient and distributed processing of large data and also privacy concerns related to large data disclosure.

We investigate the above problems from a system-perspective and study how differential privacy can be used to complement other privacy-enhancing technologies to allow for controlled large data disclosure. We present a streaming-based framework, Bes, where we leverage the often distributed nature of typical IoT systems for efficient computation of differentially private aggregates. We also propose methods to limit the noise that is commonly introduced for differential privacy in real-world applications, by bounding the outliers based on (differentially private) parameters of the actual system at hand or data from other similar systems.

We also provide a thorough evaluation based on a fully implemented Bes prototype using real-world data from of a concrete IoT system, namely an Advanced Metering Infrastructure (AMI). We show how a large number of events can be aggregated in a private fashion with low processing latency, even when the processing is made by a single-board device, with similar capabilities to the devices deployed in AMIs. Moreover, by implementing a de-pseudonymization attack known from the literature, we also show the strong complementary protection offered by Bes’ differentially private aggregation, compared to other privacy-enhancing technologies.

Introduction

The emergence of the Internet of Things (IoT), with ubiquitous sensors that can measure, compute and communicate with peers, seems to bring advantages to a number of diverse systems ranging from the larger smart city to more constrained environmental sensor networks to support, for example, ecological research [1]. One of the pillars of IoT is arguably the sharing of the collected measurements, either as singular values, as the measurements take place, or as an aggregate over time or over a physical area. This data can then be used to better understand the system under study, or to allow for fine-grained control to increase the system efficiency or save resources.

Even though there are clear advantages of sharing such frequent measurements, there may also be issues with confidentiality and privacy depending on the type of system under study. Take the electrical grid, specifically the Advanced Metering Infrastructure (AMI), as an example. New smart meters have the ability to perform high-frequency measurements of electrical properties at the end points (consumers) of the distribution grid, thus offering support to provide better quality of delivered energy as well as enhanced energy management (e.g., energy consumption forecast or demand–response applications). However, these fine-grained measurements also reveal details of the residents, such as daily routines, what type of appliances they have and when they are used [2]. Researchers have demonstrated that it can be possible to even discover what TV channel is being watched [3].

What makes IoT, and AMI as a specific case study, interesting is that many times the collected data should be shared with possibly untrusted third parties or publicly to allow for the best system performance. However, as such, mature mechanisms such as encryption become less effective. Even though values can be protected during communication, the goal is for controlled disclosure where statistics computed over sensitive data are intentionally shared with the public. Earlier research has suggested privacy-enhancing techniques of such datasets by using anonymization or pseudo-anonymization, but others have demonstrated that there is a high risk that an adversary can break such protection mechanisms and obtain privacy-sensitive data [4].

In the prevention of privacy leaks in such a context, differential privacy [5] has gained compelling interest because of its protection guarantees against strong adversaries. In a nutshell, a method guaranteeing differential privacy can sacrifice the accuracy of a statistic by adding an appropriate level of noise to it, thus preventing the adversary from gaining knowledge about the individual values contributing to the statistic. Although it offers strong guarantees, the adoption of differential privacy in real-world applications is limited by the introduced noise, which might compromise its utility.

Challenges. The following challenges in regards to controlled data disclosure, as well as accuracy and processing-efficiency, must thus be addressed for such infrastructures to reach their potential:

• preservation of the privacy of the individuals behind such statistics,

• maximization of the statistics’ utility given the accuracy degradation introduced by differential privacy, and

• efficient (in throughput) and distributed computation of such statistics, leveraging the heterogeneous embedded devices composing AMIs, coping with the data volumes they generate continuously and providing statistics in a real-time fashion.

Based on these observations, the following question steered our research: how can we achieve a controlled disclosure of statistics in an IoT system, using differential privacy to complement other suggested privacy-enhancing technologies (PETs), while (i) minimizing the degradation from differential privacy and (ii) computing such statistics in an efficient and distributed fashion?

Contributions.

We present Bes,¹ a framework that enables efficient, differential-privacy-conforming processing, possible to deploy on existing infrastructures; moreover, Bes conducts differentially private streaming aggregation (summation) measurements with an error that is both small and tunable. To achieve these in Bes, we propose a decomposition of the problem in two subproblems: (i) calibrating the privacy-preserving noise by computing approximated sums in a differentially private streaming fashion and (ii) making the approximation process itself differentially private. Simply put, the first part of the problem is about how to adjust the added noise while minimizing its disruptiveness, and the second half is about making the adjustment process differentially-private. We will present these two subproblems in detail in Sections 3 The bounding mechanism: privacy and utility trade-offs, 4 Computing differentially private sums in a streaming fashion. This decomposition admits efficient methods for solving each of the two subproblems and combines into a low-error, efficient differentially private computation.

The guarantees of mechanisms preserving privacy through encryption (e.g., mechanisms encrypting the readings transmitted by users or homomorphic encryption schemes that could allow for such readings to be aggregated directly out of the ciphertext by untrusted applications) may not hold when aggregated data is intentionally shared with the rest of the world, as the aggregator may corroborate the decrypted values with external information and attempt to perform de-anonymization [6] . For that reason, we build the protection in Bes on the foundations of differential privacy. In summary, we make the following contributions:

• We provide a method that, based on the trade-offs between the utility maximization and the privacy preservation of data, can maximize the utility of a differentially private statistic by controlling its aggregation parameters. From a broader perspective, this allows for differential privacy to be practically leveraged in existing IoT systems such as AMIs.

• We provide a streaming-based design and implementation of Bes based on Apache Flink [7], a state-of-the-art stream processing engine, which allows for fast distributed online analysis.

• We provide a thorough evaluation, based on a real prototype and conducted with events collected from a real-world advanced metering infrastructure. As shown, Bes allows for accurate privacy-preserving aggregation (with errors that can be lower than 10%) of thousands of events per second, even on inexpensive single-board devices representative of the ones used in IoT systems, such as AMIs.

• We show that differentially-private aggregation can protect against a previously published de-anonymization attack, stressing the importance of combining different preserving enhancing techniques in order to protect customers’ energy data.

The rest of the paper is organized as follows. We introduce the system model, the problem statement and differential privacy in Section 2. We present Bes’ differentially private aggregation mechanism in Section 3. We overview data streaming aggregation and the implementation of Bes in Section 4. In Section 5, we evaluate the system based on three perspective: utility degradation, performance, and reduction of the de-anonymization attack efficiency using our proposed scheme as compared to previous results. Section 6 discusses the related work while Section 7 concludes the paper, discussing also possible continuations that can build on the results of this paper.