Knowledge-Based Systems

Volume 103, 1 July 2016, Pages 19-27
Location privacy-preserving k nearest neighbor query under user’s preference

https://doi.org/10.1016/j.knosys.2016.03.016

Abstract

Location-based services can provide users’ surroundings anywhere and anytime. While this service brings convenience to users, the disclosure of the user’s location becomes the main concern. Most current practices fall into the K-anonymity model, in parallel with location cloaking. This schema commonly suffers from the following constraints. (1) K-anonymity cannot support users’ preferential query requirements effectively. (2) Location cloaking commonly assumes that there exists a trusted third party to serve as anonymizer, which tends to become the bottleneck of the query. Concerning these problems, a novel location privacy model, (s, ε)-anonymity, is devised from the perspective of the minimum inferred region and the candidate answer region, which represent location protection strength and the scale of intermediate results, respectively. In particular, a user’s preferential query requirements on privacy protection strength and query efficiency can be expressed in a more convenient and effective way by setting the parameters s and ε than the K-anonymity model allows. A thin-server solution is developed to realize the model, which pushes most of the workload originating from the user’s preferential requirements down to the client side, leveraging the false query technique, without any trusted third party’s intervention. Furthermore, an entropy-based strategy is devised to construct the candidate answer region, which boosts privacy protection strength and query efficiency simultaneously. Theoretical analysis and empirical studies demonstrate that our implementation delivers a good trade-off among location protection, query performance and the query user’s privacy preference.

Introduction

Location-based services (LBS in short), in parallel with various applications of location-aware devices (e.g., GPS devices), have gained tremendous popularity [1], [2]. The k nearest neighbor (kNN) query is an important class of LBS, which periodically returns the k nearest neighbors, i.e., points of interest (POIs in short), relative to the query user’s current location. For example, a tourist may query the k nearest restaurants while exploring a city. While LBSs provide convenient services to query users, they threaten users’ privacy, as users are forced to share their location with the service provider [3], [4]. Hence, how to provide location-based services while protecting the user’s location privacy has recently become a hot topic.

Existing solutions fall into three categories, namely spatial cloaking [5], [6], [7], [8], [9], space transformation [10], [11], [12], [13] and location obstruction [14], [15], [16]. What these schemes have in common is a trade-off among query performance, protection strength and query accuracy. In recent years, region cloaking [5], [6], [7], [8], [9], [17], [18], [19], [20], [21], [22], [23], [24], [26] has been widely adopted. In detail, when a user initiates a kNN query, she sends her location and privacy requirement to a trusted third party instead of the service provider. At the trusted third party, the user’s location coordinates are replaced with a cloaking region which encloses the user and satisfies a privacy requirement such as spatial K-anonymity (SKA) or the minimum inferred region (MIR in short) [6], [9], [10], namely the minimum bound of the range within which the user’s possible location can be derived by attackers. Subsequently, the third party submits a cloaking-region-based kNN query to the service provider and receives the returned candidate answers. Finally, the actual answer can be pinpointed by the trusted third party or by the user herself. Although region cloaking based solutions afford good protection, they suffer from the following constraints.

  1. Most current practices fall into the K-anonymity based location privacy model. The K-anonymity based model relies heavily on users’ dynamic distribution and cannot support users’ preferential query requirements effectively.

  2. A trusted third party is required by most cloaking based solutions to act as anonymizer. All users must trust the anonymizer, which becomes a single point of attack.

  3. Complex server-side query processing is needed to determine candidate answers. This seriously deteriorates query performance.

These problems highlight the need to design a novel location privacy model and privacy-preserving scheme that abandons the brute-force enlarging approach adopted by region cloaking methods, as well as the intervention of an online trusted third party. In this paper, a location privacy model (s, ε)-anonymity is defined from the viewpoint of the MIR and the region of candidate answers (RCA).

Existing cloaking based solutions commonly generate the MIR at the trusted third party and regulate the relation between RCA and MIR in a brute-force way. Our model continues to use the MIR to express the user’s privacy protection requirement but generates it at the client side in an implicitly user-controllable way. Besides, an area ratio parameter between RCA and MIR is used to regulate the user’s requirement on query efficiency. The query process consists of two rounds. In the first round, a detecting query is initiated to obtain local POI information from the server side; from the returned answers, the client generates a circle that covers both the targeted POIs and the user’s preferred inferred region. In the second round, query users resend optional blurred regions and receive all POIs inside them. The targeted POIs can then be immediately pinpointed at the client side. Further, to improve location protection strength, a rigorous initial region creation solution is proposed by initiating an extended detecting query, in parallel with an entropy-based strategy for specifying the center of the RCA. Our solution can afford good location protection and good query performance simultaneously.

Our main contributions can be summarized as follows.

  1. A novel location privacy model (s, ε)-anonymity is proposed from the perspective of the minimum inferred region and the region of candidate answers, which abandons heavy dependence on users’ real-time distribution. It can incorporate privacy preference into privacy-preserving nearest neighbor querying well.

  2. A cloaking and location obstruction based solution is devised to realize our privacy model in a thin-server way. It pushes most of the workload down to the client side to overcome the query scalability problem originating from preferences. An entropy-based strategy is deployed for specifying the center of the RCA to improve location privacy protection strength.

  3. Empirical studies suggest that our location privacy model is effective and the proposed solution is highly performant.

The rest of the paper is organized as follows. Section 2 presents an overview of related work. Section 3 gives the definition of our novel location privacy model and proposes a user-controllable framework, AnPNN, to realize it. Section 4 illustrates the algorithm AnPNN and discusses its potential risk of privacy leakage. In Section 5, to improve privacy protection strength, a rigorous version, RAPNN, is devised. Section 6 demonstrates the experimental results of our solution. Finally, Section 7 concludes and identifies research directions.

Section snippets

Related work

There has been a plethora of techniques to deal with location protection. Current practices fall into the following categories. (1) Location obstruction [14], [15]. The idea is that a user first sends a query along with a false location to the server, and the server keeps sending back the list of nearest POIs to the reported false location until the received POIs satisfy the user’s query accuracy requirements. (2) Space transformation [10], [11], [12], [25], [27]. This approach converts the original

(s, ε)-anonymity model and problem statement

We first give a descriptive definition to user’s privacy preference, and then introduce our novel location privacy model (s, ε)-anonymity.

Definition 1

User’s privacy preference. In a scenario of privacy-preserving k nearest neighbor query, the user’s privacy preference denotes the ability of the query user to manage his requirements on location protection strength and query efficiency.

Definition 2

(s, ε)-anonymity. For a given snapshot k nearest neighbor query, if the following conditions hold, we say the query satisfies

Algorithm AnPNN

This section demonstrates the algorithm AnPNN. The user initiates a kNN query with the location privacy model (s, ε)-anonymity. Algorithm 1 presents the process details of our model at the client.

Client-side and server-side processing. Two handshakes exist between client and server. First, the client sends the anchor point to the server to retrieve the k nearest POIs to the anchor. Second, the client sends the generated RCA to the server and retrieves all POIs located inside the region. To improve time efficiency at

RAPNN

RAPNN behaves similarly to AnPNN but differs in the first round of the false query. RAPNN takes the farthest POI attack into consideration and overcomes it by destroying the necessary conditions of the attack.

In essence, the farthest POI attack depends on an exclusively distinguished POI ∈ kNN(p′), which can be easily identified among all other POIs ∈ kNN(p′), serving as the center of the RCA, e.g., o is the farthest POI ∈ kNN(p′) from p. Obviously, destroying this condition can avoid the farthest POI
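The two-round false-query flow described in the Introduction and in the client-side/server-side processing snippet, together with the center-of-RCA choice discussed in this RAPNN section, can be exercised end to end with a small simulation. The block below is an added example and is not the paper’s AnPNN or RAPNN code. It makes several modelling assumptions that are not stated on this page: POIs and locations are points in the plane with Euclidean distance, the user’s preferred inferred region is a disc of radius s around the true location p, the RCA is a disc, and the server is an honest-but-curious provider that answers kNN and range queries and sees only the anchor and the RCA. The "farthest" center rule reproduces the choice this section attributes to AnPNN; the "random" rule is a stand-in for the paper’s entropy-based strategy, whose details are not on this page. All names (`POIServer`, `client_knn`, `check_query`, `SAMPLE_POIS`) and the sample data are constructed for the example.

```python
"""Two-round false-query kNN: client pinpoints the true kNN without ever
sending its real location p to the server (added illustration)."""
import math
import random

Point = tuple[float, float]


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def true_knn(pois, q: Point, k: int):
    """Plain kNN; used by the server and as ground truth in the checks."""
    return sorted(pois, key=lambda o: dist(o, q))[:k]


class POIServer:
    """Untrusted LBS provider. It answers kNN and range queries and logs
    every query point it receives (this log is the attacker's view)."""

    def __init__(self, pois):
        self.pois = list(pois)
        self.observed = []

    def knn(self, q: Point, k: int):
        self.observed.append(("knn", q))
        return true_knn(self.pois, q, k)

    def range_query(self, center: Point, radius: float):
        self.observed.append(("range", center))
        return [o for o in self.pois if dist(o, center) <= radius]


def client_knn(server, p: Point, k: int, s: float, anchor: Point,
               center_rule: str = "random", rng=random):
    """Client side. Round 1: send the false location (anchor p') and learn
    kNN(p'). Round 2: send a disc that encloses every POI that can be a
    true kNN of p and the MIR disc of radius s around p, receive all POIs
    inside it, and pinpoint the answer locally."""
    first = server.knn(anchor, k)                      # round 1
    r1 = max(dist(o, anchor) for o in first)           # kNN(p') lies in disc(p', r1)
    # Triangle inequality: the k POIs within r1 of p' are within |pp'| + r1
    # of p, so the k-th nearest neighbour of p is no farther than that.
    reach = dist(p, anchor) + r1
    cover = max(reach, s)                              # also cover the MIR disc
    if center_rule == "farthest":
        # AnPNN's choice as described in the RAPNN section: the POI of
        # kNN(p') farthest from p. Being uniquely identifiable, it is the
        # precondition of the farthest POI attack.
        center = max(first, key=lambda o: dist(o, p))
    else:
        # Assumed stand-in for the entropy-based strategy: any returned POI,
        # so that no single one is singled out by the choice.
        center = rng.choice(first)
    radius = dist(center, p) + cover                   # disc(center, radius) ⊇ disc(p, cover)
    candidates = server.range_query(center, radius)    # round 2
    answer = true_knn(candidates, p, k)                # pinpoint at the client
    area_ratio = (radius / s) ** 2                     # area(RCA) / area(MIR), cf. ε
    return answer, (center, radius), area_ratio


def check_query(pois, p, k, s, anchor, center_rule="random", seed=0):
    """Run one query and report the properties a practitioner would verify."""
    server = POIServer(pois)
    answer, (center, radius), ratio = client_knn(
        server, p, k, s, anchor, center_rule, random.Random(seed))
    return {
        "answer": answer,
        "correct": answer == true_knn(pois, p, k),
        "mir_covered": dist(center, p) + s <= radius + 1e-9,
        "server_saw_p": any(q == p for _, q in server.observed),
        "area_ratio": ratio,
    }


# Constructed sample data (not from the paper).
SAMPLE_POIS = [(1, 1), (2, 5), (5, 2), (6, 6), (8, 3),
               (3, 8), (9, 9), (7, 1), (4, 4), (1, 7)]
SAMPLE_P, SAMPLE_ANCHOR = (4.2, 3.7), (5.0, 5.0)


def random_trials(n=200, seed=1):
    """Property check on random instances: the candidate set always contains
    the true kNN, the MIR disc lies inside the RCA, and p is never sent."""
    rng = random.Random(seed)
    for _ in range(n):
        pois = [(rng.uniform(0, 100), rng.uniform(0, 100)) for _ in range(60)]
        p = (rng.uniform(0, 100), rng.uniform(0, 100))
        anchor = (p[0] + rng.uniform(-10, 10), p[1] + rng.uniform(-10, 10))
        k, s = rng.randint(1, 6), rng.uniform(0.5, 8.0)
        rule = rng.choice(["random", "farthest"])
        res = check_query(pois, p, k, s, anchor, rule, rng.randint(0, 99))
        if not (res["correct"] and res["mir_covered"]) or res["server_saw_p"]:
            return False
    return True


if __name__ == "__main__":
    for rule in ("farthest", "random"):
        print(rule, check_query(SAMPLE_POIS, SAMPLE_P, 3, 1.5, SAMPLE_ANCHOR, rule))
    print("random trials pass:", random_trials())
```

The `area_ratio` value is what the page’s ε parameter regulates: a larger MIR (s) or a larger gap between anchor and true location enlarges the RCA and hence the number of candidates the client has to filter, which is the trade-off between protection strength and query efficiency the model exposes to the user. Both center rules return the correct answer; they differ only in what the server can infer from the center it observes, which is the point of the RAPNN discussion.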

Empirical evaluation

Since our work is most closely related to cloaking based solutions, we focus on the comparison with them. These cloaking based solutions commonly consist of two main components, the location anonymizer and the privacy-aware query processor. The main differences among them lie in the strategies adopted in the location anonymizers, which are deeply influenced by the real-time density of mobile users. Our privacy model does not require knowledge of all users’ real-time location distribution, which is hard to

Conclusion

This paper concerns location privacy protection under user privacy preferences for location-based kNN queries. Most existing cloaking based solutions realize location privacy-preserving kNN queries in a brute-force way with high workload and poor scalability. We define a location privacy model (s, ε)-anonymity, which gives query users a convenient way to express their location privacy preferences from the viewpoint of the minimum inferred region and the candidate answer region. Subsequently,

References (27)

  • M. Gruteser et al., Privacy-aware location sensor networks, Proceedings of the 9th Workshop on Hot Topics in Operating Systems (HotOS 2003), Hawaii, USA (2003)
  • A.R. Beresford et al., Location privacy in pervasive computing, IEEE Pervasive Comput. (2008)
  • Z. Xiao et al., Quality aware privacy protection for location-based services, Proceedings of the 12th International Conference on Database Systems for Advanced Applications (DASFAA 2007), Bangkok, Thailand (2007)
  • C. Bettini et al., Protecting privacy against location-based personal identification, Proceedings of the 2nd VLDB Workshop on Secure Data Management (SDM 2005), Trondheim, Norway (2005)
  • M.F. Mokbel et al., The new Casper: query processing for location services without compromising privacy, Proceedings of the 32nd International Conference on Very Large Data Bases (VLDB 2006), Seoul, Korea (2006)
  • P.Y. Li et al., A cloaking algorithm based on spatial networks for location privacy, Proceedings of the IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC 2008), Taichung, Taiwan (2008)
  • M. Duckham et al., A formal model of obfuscation and negotiation for location privacy, Proceedings of the 3rd International Conference on Pervasive Computing (Pervasive 2005), Munich, Germany (2005)
  • P. Kalnis et al., Preventing location-based identity inference in anonymous spatial queries, IEEE Trans. Knowl. Data Eng. (2007)
  • G. Ghinita et al., PRIVE: anonymous location-based queries in distributed mobile systems, Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Banff, Alberta, Canada (2007)
  • P. Indyk et al., Polylogarithmic private approximations and efficient matching, Proceedings of the 3rd Theory of Cryptography Conference (TCC 2006), New York, NY, USA (2006)
  • A. Khoshgozaran et al., Blind evaluation of nearest neighbor queries using space transformation to preserve location privacy, Proceedings of the 10th International Symposium on Large SpatioTemporal Databases (SSTD 2007), Boston, MA, USA (2007)
  • X. Yi et al., Practical k nearest neighbor queries with location privacy, ICDE (2014)
  • S. Papadopoulos et al., Nearest neighbor search with strong location privacy, VLDB 2010 (2010)
Cited by (46)

  • Novel trajectory privacy-preserving method based on prefix tree using differential privacy
    2020, Knowledge-Based Systems
    Citation excerpt:

    Previously, private information in trajectory data was primarily protected by location confusion, which includes generalization [1], suppression [2], and perturbation [3,4]. The k-anonymity model [5] as well as various improvements thereof, such as the t-proximity [6] and l-diversity models [7], are widely used for privacy protection. However, they have considerable limitations and defects, depend on specific semantics, are vulnerable to background-knowledge [8] and consistency attacks [9], and cannot provide an effective and rigorous method for proving the privacy protection level, as they lack a sound theoretical basis.

  • TSRAM: A time-saving k-degree anonymization method in social network
    2019, Expert Systems with Applications
    Citation excerpt:

    In addition, new measures were introduced to evaluate the quality of the anonymous graph which include information loss and disclosure risk measures. Ni et al. (Ni, Gu, & Chen, 2016) introduced the (s, ε)-anonymity model for location privacy in social media which considers k's nearest neighbor query under user privacy preferences. In 2015, Bredereck et al. (Bredereck et al., 2015) proposed a method for anonymizing the graph which adds some nodes along with the edges between them to the graph.
