Who Started This Rumor? Quantifying the Natural Differential Privacy of Gossip Protocols
Gossip protocols (also called rumor spreading or epidemic protocols) are widely used to disseminate information in massive peer-to-peer networks. These protocols are often claimed to guarantee privacy because of the uncertainty they introduce on the node that started the dissemination. But is that claim really true? Can the source of a gossip safely hide in the crowd? This paper examines, for the first time, gossip protocols through a rigorous mathematical framework based on differential privacy to determine the extent to which the source of a gossip can be traceable. Considering the case of a complete graph in which a subset of the nodes are curious, we study a family of gossip protocols parameterized by a "muting" parameter s: nodes stop emitting after each communication with a fixed probability 1-s. We first prove that the standard push protocol, corresponding to the case s = 1, does not satisfy differential privacy for large graphs. In contrast, the protocol with s = 0 (nodes forward only once) achieves optimal privacy guarantees but at the cost of a drastic increase in the spreading time compared to standard push, revealing an interesting tension between privacy and spreading time. Yet, surprisingly, we show that some choices of the muting parameter s lead to protocols that achieve an optimal order of magnitude in both privacy and speed. Privacy guarantees are obtained by showing that only a small fraction of the possible observations by curious nodes have different probabilities when two different nodes start the gossip, since the source node rapidly stops emitting when s is small. The speed is established by analyzing the mean dynamics of the protocol, and leveraging concentration inequalities to bound the deviations from this mean behavior. We also confirm empirically that, with appropriate choices of s, we indeed obtain protocols that are very robust against concrete source location attacks (such as maximum a posteriori estimates) while spreading the information almost as fast as the standard (and non-private) push protocol.
Who started this rumor? Quantifying the natural differential privacy guarantees of gossip protocols
Gossip protocols are widely used to disseminate information in massive peer-to-peer networks. These protocols are often claimed to guarantee privacy because of the uncertainty they introduce on the node that started the dissemination. But is that claim really true? Can the source of a gossip safely hide in the crowd? This paper examines, for the first time, gossip protocols through a rigorous mathematical framework based on differential privacy to determine the extent to which the source of a gossip can be traceable. Considering the case of a complete graph in which a subset of the nodes are curious, we study a family of gossip protocols parameterized by a "muting" parameter s: nodes stop emitting after each communication with a fixed probability 1-s. We first prove that the standard push protocol, corresponding to the case s = 1, does not satisfy differential privacy for large graphs. In contrast, the protocol with s = 0 achieves optimal privacy guarantees but at the cost of a drastic increase in the spreading time compared to standard push, revealing an interesting tension between privacy and spreading time. Yet, surprisingly, we show that some choices of the muting parameter s lead to protocols that achieve an optimal order of magnitude in both privacy and speed. We also confirm empirically that, with appropriate choices of s, we indeed obtain protocols that are very robust against concrete source location attacks while spreading the information almost as fast as the standard (and non-private) push protocol.
On the Inherent Anonymity of Gossiping
Detecting the source of a gossip is a critical issue, related to identifying patient zero in an epidemic, or the origin of a rumor in a social network. Although it is widely acknowledged that random and local gossip communications make source identification difficult, there exists no general quantification of the level of anonymity provided to the source. This paper presents a principled method based on -differential privacy to analyze the inherent source anonymity of gossiping for a large class of graphs. First, we quantify the fundamental limit of source anonymity any gossip protocol can guarantee in an arbitrary communication graph. In particular, our result indicates that when the graph has poor connectivity, no gossip protocol can guarantee any meaningful level of differential privacy. This prompted us to further analyze graphs with controlled connectivity. We prove on these graphs that a large class of gossip protocols, namely cobra walks, offers tangible differential privacy guarantees to the source. In doing so, we introduce an original proof technique based on the reduction of a gossip protocol to what we call a random walk with probabilistic die out. This proof technique is of independent interest to the gossip community and readily extends to other protocols inherited from the security community, such as the Dandelion protocol. Interestingly, our tight analysis precisely captures the trade-off between the dissemination time of a gossip protocol and its source anonymity.
Comment: Full version of DISC 2023 paper
Privacy-enhancing Aggregation of Internet of Things Data via Sensors Grouping
Big data collection practices using Internet of Things (IoT) pervasive technologies are often privacy-intrusive and result in surveillance, profiling, and discriminatory actions over citizens that in turn undermine the participation of citizens in the development of sustainable smart cities. Nevertheless, real-time data analytics and aggregate information from IoT devices open up tremendous opportunities for managing smart city infrastructures. The privacy-enhancing aggregation of distributed sensor data, such as residential energy consumption or traffic information, is the research focus of this paper. Citizens have the option to choose their privacy level by reducing the quality of the shared data at the cost of lower accuracy in data analytics services. A baseline scenario is considered in which IoT sensor data are shared directly with an untrustworthy central aggregator. A grouping mechanism is introduced that improves privacy by sharing data aggregated first at a group level, as opposed to sharing data directly with the central aggregator. Group-level aggregation obfuscates the sensor data of individuals, in a similar fashion to differential privacy and homomorphic encryption schemes, so that inference of privacy-sensitive information from single sensors becomes computationally harder compared to the baseline scenario. The proposed system is evaluated using real-world data from two smart city pilot projects. Privacy under grouping increases, while preserving the accuracy of the baseline scenario. Intra-group influences on privacy by one group member on the other ones are measured, and fairness on privacy is found to be maximized between group members with similar privacy choices. Several grouping strategies are compared. Grouping by proximity of privacy choices provides the highest privacy gains. The implications of the strategy for the design of incentive mechanisms are discussed.
Cybersecurity issues in software architectures for innovative services
The recent advances in data center development have been at the basis of the widespread success of the cloud computing paradigm, which in turn underlies the "Everything as a Service" (XaaS) model for software-based applications and services. According to the XaaS model, services of any kind are deployed on demand as cloud-based applications, with a great degree of flexibility and a limited need for investment in dedicated hardware and/or software components. This approach opens up a lot of opportunities, for instance providing access to complex and widely distributed applications, whose cost and complexity represented in the past a significant entry barrier, also to small or emerging businesses. Unfortunately, networking is now embedded in every service and application, raising several cybersecurity issues related to corruption and leakage of data, unauthorized access, etc. In this context, new service-oriented architectures are emerging, the so-called service enabler architectures. The aim of these architectures is not only to expose and provide resources to these types of services, but also to validate them. The validation covers numerous aspects, from legal to infrastructural ones, and above all the cybersecurity threats. A solid threat analysis of the aforementioned architecture is therefore necessary, and this is the main goal of this thesis. This work investigates the security threats of the emerging service enabler architectures, providing proofs of concept for these issues and their solutions too, based on several use cases implemented in real-world scenarios.