p-probabilistic k-anonymous microaggregation for the anonymization of surveys with uncertain participation
We develop a probabilistic variant of k-anonymous microaggregation, which we term p-probabilistic, that resorts to a statistical model of respondent participation in order to aggregate quasi-identifiers in such a manner that k-anonymity is enforced with a parametric probabilistic guarantee. Succinctly, owing to the possibility that some respondents may not finally participate, sufficiently larger cells are created, striving to satisfy k-anonymity with probability at least p. The microaggregation function is designed before the respondents submit their confidential data. More precisely, a specification of the function is sent to them, which they may verify and apply to their quasi-identifying demographic variables prior to submitting the microaggregated data, along with the confidential attributes, to an authorized repository.
We propose a number of metrics to assess the performance of our probabilistic approach in terms of anonymity and distortion, which we proceed to investigate theoretically in depth and empirically with synthetic and standardized data. We stress that, in addition to constituting a functional extension of traditional microaggregation, thereby broadening its applicability to the anonymization of statistical databases in a wide variety of contexts, the relaxation of trust assumptions is arguably expected to have a considerable impact on user acceptance and ultimately on data utility through mere availability.
Peer reviewed. Postprint (author's final draft).
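The abstract above does not spell out its participation model or its cell-sizing rule. The following is an added example, not code from the paper, that makes the idea concrete under one assumed model: every respondent assigned to a cell participates independently with probability q (a Bernoulli model, assumed here), so a cell designed with n respondents keeps at least k actual participants with probability P[Bin(n, q) >= k], and the designer picks the smallest n for which that probability is at least p. The univariate microaggregation, the sample ages and the dropout simulation are constructed for the illustration.

```python
from math import comb
import random


def prob_at_least_k(n, k, q):
    """P[Bin(n, q) >= k]: probability that at least k of the n respondents
    assigned to a cell actually submit data, if each participates
    independently with probability q (assumed Bernoulli model)."""
    return sum(comb(n, i) * q ** i * (1 - q) ** (n - i) for i in range(k, n + 1))


def min_cell_size(k, p, q):
    """Smallest designed cell size n such that a cell of n assigned respondents
    still holds at least k actual participants with probability >= p."""
    if not (k >= 1 and 0 < p < 1 and 0 < q <= 1):
        raise ValueError("need k >= 1, 0 < p < 1, 0 < q <= 1")
    n = k
    while prob_at_least_k(n, k, q) < p:
        n += 1
    return n


def microaggregate(values, n):
    """Univariate microaggregation: sort the quasi-identifier, cut the sorted
    order into consecutive cells of at least n records and replace each value
    by its cell mean. Returns (cells as lists of record indices, released
    values). A short tail cell is merged into its predecessor so that every
    cell has at least n records."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    cells = [order[i:i + n] for i in range(0, len(order), n)]
    if len(cells) > 1 and len(cells[-1]) < n:
        tail = cells.pop()
        cells[-1].extend(tail)
    released = [None] * len(values)
    for cell in cells:
        mean = sum(values[i] for i in cell) / len(cell)
        for i in cell:
            released[i] = mean
    return cells, released


def cells_below_k(cells, participants, k):
    """Number of cells in which fewer than k of the assigned respondents
    actually participated, i.e. cells where k-anonymity failed."""
    return sum(1 for cell in cells
               if sum(1 for i in cell if i in participants) < k)


def simulate_dropout(values, k, p, q, trials=1000, seed=1):
    """Design cells with min_cell_size, then draw participation `trials` times
    and report (n, fraction of trials in which every cell kept >= k)."""
    n = min_cell_size(k, p, q)
    cells, _ = microaggregate(values, n)
    rng = random.Random(seed)              # fixed seed: constructed, reproducible draws
    ok = 0
    for _ in range(trials):
        participants = {i for i in range(len(values)) if rng.random() < q}
        if cells_below_k(cells, participants, k) == 0:
            ok += 1
    return n, ok / trials


if __name__ == "__main__":
    ages = [23, 45, 31, 52, 38, 29, 61, 47, 35, 40]   # constructed quasi-identifier
    print("cell size for k=5, p=0.95, q=0.8:", min_cell_size(5, 0.95, 0.8))
    print("cells, released:", microaggregate(ages, 3))
    print("n, P(all cells keep k):", simulate_dropout(list(range(18)), 5, 0.95, 0.8))
```

Two things the simulation makes visible: with q = 0.8 a cell must be designed for 9 respondents to keep 5 with probability 0.95, so the distortion cost of uncertain participation is nearly a doubling of cell size; and p is a per-cell guarantee, so the probability that every cell of a release survives is roughly p raised to the number of cells, which is what a practitioner has to budget for.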
Anonymity and Information Hiding in Multiagent Systems
We provide a framework for reasoning about information-hiding requirements in
multiagent systems and for reasoning about anonymity in particular. Our
framework employs the modal logic of knowledge within the context of the runs
and systems framework, much in the spirit of our earlier work on secrecy
[Halpern and O'Neill 2002]. We give several definitions of anonymity with
respect to agents, actions, and observers in multiagent systems, and we relate
our definitions of anonymity to other definitions of information hiding, such
as secrecy. We also give probabilistic definitions of anonymity that are able
to quantify an observer's uncertainty about the state of the system. Finally,
we relate our definitions of anonymity to other formalizations of anonymity and
information hiding, including definitions of anonymity in the process algebra
CSP and definitions of information hiding using function views.
Comment: Replacement. 36 pages. Full version of CSFW '03 paper, submitted to
JCS. Made substantial changes to Section 6; added references throughout.
Hang With Your Buddies to Resist Intersection Attacks
Some anonymity schemes might in principle protect users from pervasive
network surveillance - but only if all messages are independent and unlinkable.
Users in practice often need pseudonymity - sending messages intentionally
linkable to each other but not to the sender - but pseudonymity in dynamic
networks exposes users to intersection attacks. We present Buddies, the first
systematic design for intersection attack resistance in practical anonymity
systems. Buddies groups users dynamically into buddy sets, controlling message
transmission to make buddies within a set behaviorally indistinguishable under
traffic analysis. To manage the inevitable tradeoffs between anonymity
guarantees and communication responsiveness, Buddies enables users to select
independent attack mitigation policies for each pseudonym. Using trace-based
simulations and a working prototype, we find that Buddies can guarantee
non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for
both short-lived and long-lived pseudonyms.
Comment: 15 pages, 8 figures.
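The intersection attack the abstract refers to, and the effect of tying a pseudonym's transmissions to a buddy set, as an added example that is not the Buddies design or its code. It reduces the threat model to one observable: the adversary sees which users are connected in each round and in which rounds a pseudonym posted, and intersects the online sets. The buddy policy shown is the simplest one consistent with the abstract, assumed for illustration: the pseudonym's messages are queued and only released in a round when every member of its buddy set is online, so the attacker's intersection can never shrink below the buddy set. The rounds, users and buddy set are constructed.

```python
# Constructed trace: which users were connected in each round.
ONLINE_BY_ROUND = [
    {"u1", "u2", "u3", "u4", "u5", "u6", "u7", "u8"},
    {"u1", "u3", "u5", "u6", "u8"},
    {"u2", "u3", "u4", "u5", "u6"},
    {"u3", "u4", "u7"},
    {"u1", "u3", "u5", "u6"},
    {"u3", "u6", "u8"},
]
OWNER = "u3"                      # real user behind the pseudonym
WANTED = {1, 3, 5}                # rounds in which the owner wants to post
BUDDIES = {"u3", "u5", "u6"}      # assumed buddy set containing the owner


def intersection_attack(online_by_round, post_rounds):
    """Adversary's view: the pseudonym's owner must have been online in every
    round the pseudonym posted, so intersect those rounds' online sets.
    With no posts observed, every user remains a candidate."""
    candidates = set().union(*online_by_round)
    for r in post_rounds:
        candidates &= online_by_round[r]
    return candidates


def naive_schedule(online_by_round, owner, wanted_rounds):
    """Post whenever the owner wants to and is online (no mitigation)."""
    return [r for r in sorted(wanted_rounds) if owner in online_by_round[r]]


def buddy_schedule(online_by_round, buddies, wanted_rounds):
    """Queue messages and release the queue only in rounds where every buddy
    is online. Returns (rounds in which the pseudonym posted,
    messages still queued at the end of the trace)."""
    queued, posted = 0, []
    for r, online in enumerate(online_by_round):
        if r in wanted_rounds:
            queued += 1
        if queued and buddies <= online:
            posted.append(r)
            queued = 0
    return posted, queued


def compare_policies(online_by_round=ONLINE_BY_ROUND, owner=OWNER,
                     buddies=BUDDIES, wanted=WANTED):
    """Anonymity set the attacker ends up with under each policy, plus the
    responsiveness cost of the buddy policy (messages never sent)."""
    naive_posts = naive_schedule(online_by_round, owner, wanted)
    buddy_posts, pending = buddy_schedule(online_by_round, buddies, wanted)
    return {
        "naive_posts": naive_posts,
        "naive_anonymity_set": intersection_attack(online_by_round, naive_posts),
        "buddy_posts": buddy_posts,
        "buddy_anonymity_set": intersection_attack(online_by_round, buddy_posts),
        "buddy_pending": pending,
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```

On this trace the naive schedule posts in rounds 1, 3 and 5 and the intersection collapses to {u3}; the buddy schedule posts in rounds 1 and 4 only, leaving an anonymity set of four users that contains the whole buddy set, at the cost of one message delayed by a round and one never sent within the trace. That trade between anonymity set size and responsiveness is exactly the per-pseudonym policy choice the abstract describes, and the example ignores everything else the real system has to handle, such as buddies that churn, cover traffic, and how buddy sets are formed.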
Studying Maximum Information Leakage Using Karush-Kuhn-Tucker Conditions
When studying the information leakage in programs or protocols, a natural
question arises: "what is the worst case scenario?". This problem of
identifying the maximal leakage can be seen as a channel capacity problem in
the information theoretical sense. In this paper, by combining two powerful
theories: Information Theory and Karush-Kuhn-Tucker conditions, we demonstrate
a very general solution to the channel capacity problem. Examples are given to
show how our solution can be applied to practical contexts of programs and
anonymity protocols, and how this solution generalizes previous approaches to
this problem.
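The abstract casts maximal leakage as a channel capacity problem: a program or protocol is a channel from the secret to what the observer sees, and the worst case over all priors on the secret is the capacity of that channel. The block below is an added example, not the paper's KKT derivation, that computes that capacity numerically with the standard Blahut-Arimoto iteration instead, on two constructed channels: a deterministic password comparison (accept iff the guess equals the secret) and a binary symmetric channel standing in for a noisy one-bit observation. The capacity-achieving input distribution it returns is the prior under which the observer learns the most.

```python
from math import log2


def mutual_information(channel, p):
    """I(X;Y) in bits for input distribution p over the rows of `channel`,
    where channel[x][y] = P(Y = y | X = x)."""
    n, m = len(channel), len(channel[0])
    q = [sum(p[x] * channel[x][y] for x in range(n)) for y in range(m)]
    mi = 0.0
    for x, row in enumerate(channel):
        for y, w in enumerate(row):
            if p[x] > 0 and w > 0:
                mi += p[x] * w * log2(w / q[y])
    return mi


def channel_capacity(channel, iters=500):
    """Blahut-Arimoto: alternate between the output distribution induced by p
    and the multiplicative update p(x) <- p(x) c(x) / sum p c, where
    c(x) = 2 ** D(W(.|x) || q). Returns (capacity in bits, maximising p)."""
    n, m = len(channel), len(channel[0])
    for row in channel:
        if abs(sum(row) - 1.0) > 1e-9 or any(w < 0 for w in row):
            raise ValueError("each row of the channel must be a distribution")
    p = [1.0 / n] * n                     # start uniform; stays strictly positive
    for _ in range(iters):
        q = [sum(p[x] * channel[x][y] for x in range(n)) for y in range(m)]
        c = []
        for x in range(n):
            s = sum(w * log2(w / q[y]) for y, w in enumerate(channel[x]) if w > 0)
            c.append(2.0 ** s)
        z = sum(p[x] * c[x] for x in range(n))
        p = [p[x] * c[x] / z for x in range(n)]
    return mutual_information(channel, p), p


def password_check_channel(n_secrets, guess):
    """Constructed program channel: secret x in {0..n-1}, the observer submits
    a fixed guess and sees accept (column 0) or reject (column 1)."""
    return [[1.0, 0.0] if x == guess else [0.0, 1.0] for x in range(n_secrets)]


def binary_symmetric_channel(e):
    """Constructed noisy channel: a one-bit secret observed through a
    crossover with probability e."""
    return [[1.0 - e, e], [e, 1.0 - e]]


def binary_entropy(e):
    return -(e * log2(e) + (1.0 - e) * log2(1.0 - e))


if __name__ == "__main__":
    cap, prior = channel_capacity(password_check_channel(4, 0))
    print(f"password check over 4 secrets: capacity {cap:.4f} bits, worst prior {prior}")
    cap, prior = channel_capacity(binary_symmetric_channel(0.1))
    print(f"BSC(0.1): capacity {cap:.4f} bits (closed form {1 - binary_entropy(0.1):.4f})")
```

The password check over four equally plausible secrets has capacity 1 bit, not log2(4) = 2 bits, and the worst-case prior puts half the mass on the guessed value: the worst case for the defender is not the uniform prior. That is the point of the capacity formulation, since the uniform-prior leakage (about 0.81 bits here) understates what an observer with a well-chosen prior can extract. For the symmetric channel the uniform prior is optimal and the iteration reproduces the textbook 1 - H(e).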
Vote buying revisited: implications for receipt-freeness
In this paper, we analyse the concept of vote buying based on examples that try
to stretch the meaning of the concept. Which examples can still be called vote
buying, and which cannot? We propose several dimensions that are relevant to
qualifying an action as vote buying or not. As a means of protection against
vote buying and coercion, the concept of receipt-freeness has been proposed. We
argue that, in order to protect against a larger set of vote buying activities,
the concept of receipt-freeness should be interpreted probabilistically. We
propose a general definition of probabilistic receipt-freeness by adapting
existing definitions of probabilistic anonymity to voting.
Trust in Crowds: probabilistic behaviour in anonymity protocols
The existing analysis of the Crowds anonymity protocol assumes that a participating member is either ‘honest’ or ‘corrupted’. This paper generalises this analysis so that each member is assumed to maliciously disclose the identity of other nodes with a probability determined by her vulnerability to corruption. Within this model, the trust in a principal is defined to be the probability that she behaves honestly. We investigate the effect of such probabilistic behaviour on the anonymity of the principals participating in the protocol, and formulate the necessary conditions to achieve ‘probable innocence’. Using these conditions, we propose a generalised Crowds-Trust protocol which uses trust information to achieve ‘probable innocence’ for principals exhibiting probabilistic behaviour.
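An added example, not the paper's model or code, that simulates Crowds paths and estimates the quantity probable innocence is about: the probability that the member a disclosing node reports as its predecessor is actually the initiator. The simulation assumes the standard Crowds forwarding rule (the initiator sends to a uniformly random member, possibly itself, and each member forwards to another random member with probability p_f or delivers the request otherwise) and a per-visit trust model, assumed here for illustration, in which member i discloses its predecessor with probability 1 - trust[i] on each visit and the initiator never discloses. Setting trust to 0 or 1 recovers the classic honest/corrupted split, for which Reiter and Rubin's closed form 1 - p_f (n - c - 1)/n and probable-innocence condition n >= p_f/(p_f - 1/2) (c + 1) are included as a check.

```python
import random


def crowds_observation(n, p_f, trust, rng, sender=0):
    """Run one Crowds path from `sender`. trust[i] is the probability that
    member i behaves honestly on a visit; otherwise it discloses its
    predecessor. Returns the disclosed predecessor, or None if the request
    reached its destination with no disclosure on the path."""
    prev, cur = sender, rng.randrange(n)        # initiator forwards to a random member
    while True:
        if cur != sender and rng.random() < 1.0 - trust[cur]:
            return prev                          # first disclosure on the path
        if rng.random() < p_f:
            prev, cur = cur, rng.randrange(n)    # forward to another random member
        else:
            return None                          # deliver to the destination


def estimate_sender_exposure(n, p_f, trust, trials=40000, seed=7):
    """Monte Carlo estimate of P(disclosed predecessor is the initiator |
    some member on the path disclosed). Fixed seed: constructed, reproducible."""
    rng = random.Random(seed)
    disclosed = hits = 0
    for _ in range(trials):
        pred = crowds_observation(n, p_f, trust, rng)
        if pred is not None:
            disclosed += 1
            hits += (pred == 0)
    return hits / disclosed if disclosed else None


def classic_exposure(n, c, p_f):
    """Reiter and Rubin's closed form for c fixed collaborators among n members."""
    return 1.0 - p_f * (n - c - 1) / n


def classic_probable_innocence(n, c, p_f):
    """Classic condition under which the exposure above is at most 1/2."""
    return p_f > 0.5 and n >= p_f / (p_f - 0.5) * (c + 1)


if __name__ == "__main__":
    n, p_f = 10, 0.75
    fixed = [1.0] * 8 + [0.0] * 2                # two fully corrupted members
    print("classic  simulated:", round(estimate_sender_exposure(n, p_f, fixed), 3),
          "closed form:", classic_exposure(n, 2, p_f),
          "probable innocence:", classic_probable_innocence(n, 2, p_f))
    uniform_trust = [0.8] * n                    # every member honest with prob. 0.8 per visit
    print("trust 0.8 simulated:", round(estimate_sender_exposure(n, p_f, uniform_trust), 3))
```

With n = 10, p_f = 0.75 and two collaborators the simulated exposure lands at the closed-form 0.475, just under the 1/2 that probable innocence requires (the condition gives n >= 9). Replacing two certain collaborators by ten members who are each honest with probability 0.8 leaves the same expected number of corrupt behaviours per visit but a different exposure, which is why the paper derives fresh conditions for the probabilistic model rather than reusing the count-based one.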
Information Leakage Games
We consider a game-theoretic setting to model the interplay between attacker
and defender in the context of information flow, and to reason about their
optimal strategies. In contrast with standard game theory, in our games the
utility of a mixed strategy is a convex function of the distribution on the
defender's pure actions, rather than the expected value of their utilities.
Nevertheless, the important properties of game theory, notably the existence of
a Nash equilibrium, still hold for our (zero-sum) leakage games, and we provide
algorithms to compute the corresponding optimal strategies. As typical in
(simultaneous) game theory, the optimal strategy is usually mixed, i.e.,
probabilistic, for both the attacker and the defender. From the point of view
of information flow, this was to be expected in the case of the defender, since
it is well known that randomization at the level of the system design may help
to reduce information leaks. Regarding the attacker, however, this seems the
first work (w.r.t. the literature in information flow) proving formally that in
certain cases the optimal attack strategy is necessarily probabilistic.