3,219 research outputs found
Physical Trajectory Inference Attack and Defense in Decentralized POI Recommendation
As an indispensable personalized service within Location-Based Social
Networks (LBSNs), the Point-of-Interest (POI) recommendation aims to assist
individuals in discovering attractive and engaging places. However, the
accurate recommendation capability relies on the powerful server collecting a
vast amount of users' historical check-in data, posing significant risks of
privacy breaches. Although several collaborative learning (CL) frameworks for
POI recommendation enhance recommendation resilience and allow users to keep
personal data on-device, they still share personal knowledge to improve
recommendation performance, thus leaving vulnerabilities for potential
attackers. Given this, we design a new Physical Trajectory Inference Attack
(PTIA) to expose users' historical trajectories. Specifically, for each user,
we identify the set of interacted POIs by analyzing the aggregated information
from the target POIs and their correlated POIs. We evaluate the effectiveness
of PTIA on two real-world datasets across two types of decentralized CL
frameworks for POI recommendation. Empirical results demonstrate that PTIA
poses a significant threat to users' historical trajectories. Furthermore,
Local Differential Privacy (LDP), the traditional privacy-preserving method for
CL frameworks, has also been proven ineffective against PTIA. In light of this,
we propose a novel defense mechanism (AGD) against PTIA based on an adversarial
game to eliminate sensitive POIs and their information in correlated POIs.
After conducting intensive experiments, AGD has been proven precise and
practical, with minimal impact on recommendation performance.
A review paper on preserving privacy in mobile environments
Technology is improving day-by-day and so is the usage of mobile devices. Every activity that would involve manual and paper transactions can now be completed in seconds using your fingertips. On one hand, life has become fairly convenient with the help of mobile devices, whereas on the other hand security of the data and the transactions occurring in the process have been under continuous threat. This paper re-evaluates the different policies and procedures used for preserving the privacy of sensitive data and device location. Policy languages have been very vital in the mobile environments as they can be extended/used significantly for sending/receiving any data. In the mobile environment users always go to service providers to access various services. Hence, communications between the service providers and mobile handsets need to be secured. Also, the data access control needs to be in place. A section of this paper will review the communication paths and channels and their related access criteria. This paper is a contribution to the mobile domain, showing the possible attacks related to privacy and the various mechanisms used to preserve the end-user privacy. In addition, it also gives a comparison of the different privacy preserving methods in mobile environments to provide guidance to the readers. Finally, the paper summarises future research challenges in the area of privacy preservation. This paper examines the ‘where’ problem and in particular, examines tradeoffs between enforcing location security at a device vs. enforcing location security at an edge location server. This paper also sketches an implementation of location security solution at both the device and the edge location server and presents detailed experiments using real mobility and user profile data sets collected from multiple data sources (taxicabs, Smartphones).
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.
When the signal is in the noise: Exploiting Diffix's Sticky Noise
Anonymized data is highly valuable to both businesses and researchers. A
large body of research has however shown the strong limits of the
de-identification release-and-forget model, where data is anonymized and
shared. This has led to the development of privacy-preserving query-based
systems. Based on the idea of "sticky noise", Diffix has been recently proposed
as a novel query-based mechanism satisfying alone the EU Article 29 Working
Party's definition of anonymization. According to its authors, Diffix adds less
noise to answers than solutions based on differential privacy while allowing
for an unlimited number of queries.
This paper presents a new class of noise-exploitation attacks, exploiting the
noise added by the system to infer private information about individuals in the
dataset. Our first differential attack uses samples extracted from Diffix in a
likelihood ratio test to discriminate between two probability distributions. We
show that using this attack against a synthetic best-case dataset allows us to
infer private information with 89.4% accuracy using only 5 attributes. Our
second cloning attack uses dummy conditions that conditionally strongly affect
the output of the query depending on the value of the private attribute. Using
this attack on four real-world datasets, we show that we can infer private
attributes of at least 93% of the users in the dataset with accuracy between
93.3% and 97.1%, issuing a median of 304 queries per user. We show how to
optimize this attack, targeting 55.4% of the users and achieving 91.7%
accuracy, using a maximum of only 32 queries per user.
Our attacks demonstrate that adding data-dependent noise, as done by Diffix,
is not sufficient to prevent inference of private attributes. We furthermore
argue that Diffix alone fails to satisfy Art. 29 WP's definition of
anonymization. [...
Risk media and the end of anonymity
Whereas threats from twentieth century 'broadcast era' media were characterised in terms of ideology and ‘effects', today the greatest risks posed by media are informational. This paper argues that digital participation as the condition for the maintenance of today's self identity and basic sociality has shaped a new principal media risk of the loss of anonymity. I identify three interrelated key features of this new risk. Firstly, basic communicational acts are archival. Secondly, there is a diminishment of the predictable 'decay time' of media. And, thirdly, both of these shape a new individual and organizational vulnerability of 'emergence' – the haunting by our digital trails.
This article places these media risks in the context of the shifting nature and function of memory and the potential uses and abuses of digital pasts.
On the Measurement of Privacy as an Attacker's Estimation Error
A wide variety of privacy metrics have been proposed in the literature to
evaluate the level of protection offered by privacy enhancing-technologies.
Most of these metrics are specific to concrete systems and adversarial models,
and are difficult to generalize or translate to other contexts. Furthermore, a
better understanding of the relationships between the different privacy metrics
is needed to enable more grounded and systematic approach to measuring privacy,
as well as to assist systems designers in selecting the most appropriate metric
for a given application.
In this work we propose a theoretical framework for privacy-preserving
systems, endowed with a general definition of privacy in terms of the
estimation error incurred by an attacker who aims to disclose the private
information that the system is designed to conceal. We show that our framework
permits interpreting and comparing a number of well-known metrics under a
common perspective. The arguments behind these interpretations are based on
fundamental results related to the theories of information, probability and
Bayes decision. Comment: This paper has 18 pages and 17 figure
The Limits of Location Privacy in Mobile Devices
Mobile phones are widely adopted by users across the world today. However, the privacy implications of persistent connectivity are not well understood. This dissertation focuses on one important concern of mobile phone users: location privacy.
I approach this problem from the perspective of three adversaries that users are exposed to via smartphone apps: the mobile advertiser, the app developer, and the cellular service provider. First, I quantify the proportion of mobile users who use location permissive apps and are able to be tracked through their advertising identifier, and demonstrate a mark and recapture attack that allows continued tracking of users who hide these identifiers. Ninety-five percent of the 1500 devices we tested were susceptible to this attack. We successfully identified 49% of unlabelled impressions from iOS devices, and 59% from Android, with a budget of only $5 per day, per user. Next, I evaluate an attack wherein a remote server discovers a user's traveled path without permission, simply by analyzing the throughput of the connection to the user over time. In these experiments, a remote attacker can distinguish a user's route among four paths within a University campus with 77% accuracy, and among eight paths surrounding the campus with 83% accuracy. I then propose a protocol for anonymous cell phone usage, which obviates the need for users to trust telecoms with their location, and I evaluate its efficacy against a passive location profiling attack used to infer identity. According to these simulations, even one day is enough to identify one device from among over a hundred with greater than 50% accuracy. To mitigate location profiling attacks, users should change these identifiers every ten minutes and remain offline for 30 seconds, to reduce their identifiability by up to 45%. I conclude by summarizing the key issues in mobile location privacy today, immediate steps that can be taken to improve them, and the inherent privacy costs of remaining constantly connected.
Protecting privacy of semantic trajectory
The growing ubiquity of GPS-enabled devices in everyday life has made large-scale collection of trajectories feasible, providing ever-growing opportunities for human movement analysis. However, publishing this vulnerable data is accompanied by increasing concerns about individuals’ geoprivacy. This thesis has two objectives: (1) propose a privacy protection framework for semantic trajectories and (2) develop a Python toolbox in ArcGIS Pro environment for non-expert users to enable them to anonymize trajectory data. The former aims to prevent users’ re-identification when knowing the important locations or any random spatiotemporal points of users by swapping their important locations to new locations with the same semantics and unlinking the users from their trajectories. This is accomplished by converting GPS points into sequences of visited meaningful locations and moves and integrating several anonymization techniques. The second component of this thesis implements privacy protection in a way that even users without deep knowledge of anonymization and coding skills can anonymize their data by offering an all-in-one toolbox. By proposing and implementing this framework and toolbox, we hope that trajectory privacy is better protected in research
The INSESS-COVID19 Project: evaluating the Impact of the COVID19 in social vulnerability while preserving privacy of participants from minority subpopulations
In this paper, the results of the project INSESS-COVID19 are presented, as part of a special call owing to help in the COVID19 crisis in Catalonia. The technological infrastructure and methodology developed in this project allows the quick screening of a territory for a quick and reliable diagnosis in front of an unexpected situation by providing relevant decisional information to support informed decision-making and strategy and policy design. One of the challenges of the project was to extract valuable information from direct participatory processes where specific target profiles of citizens are consulted and to distribute the participation along the whole territory. Having a lot of variables with a moderate number of citizens involved (in this case about 1000) implies the risk of violating statistical secrecy when multivariate relationships are analyzed, thus putting at risk the anonymity of the participants as well as their safety when vulnerable populations are involved, as is the case of INSESS-COVID19. In this paper, the entire data-driven methodology developed in the project is presented and the dealing of the small subgroups of population for statistical secrecy preserving described. The methodology is reusable with any other underlying questionnaire as the data science and reporting parts are totally automatized.
Peer Reviewed. Sustainable Development Goals: 1 - No Poverty; 5 - Gender Equality; 10 - Reduced Inequalities; 3 - Good Health and Well-being; 8 - Decent Work and Economic Growth. Postprint (published version