2 research outputs found
Local Obfuscation Mechanisms for Hiding Probability Distributions
We introduce a formal model for the information leakage of probability
distributions and define a notion called distribution privacy as the local
differential privacy for probability distributions. Roughly, the distribution
privacy of a local obfuscation mechanism means that the attacker cannot
significantly gain any information on the distribution of the mechanism's input
by observing its output. Then we show that existing local mechanisms can hide
input distributions in terms of distribution privacy, while deteriorating the
utility by adding too much noise. For example, we prove that the Laplace
mechanism needs to add a large amount of noise proportionally to the infinite
Wasserstein distance between the two distributions we want to make
indistinguishable. To improve the tradeoff between distribution privacy and
utility, we introduce a local obfuscation mechanism, called a tupling
mechanism, that adds random dummy data to the output. Then we apply this
mechanism to the protection of user attributes in location-based services. By
experiments, we demonstrate that the tupling mechanism outperforms popular
local mechanisms in terms of attribute obfuscation and service quality.
Comment: Full version of Proc. ESORICS 2019 (with a longer appendix)
Optimal Obfuscation Mechanisms via Machine Learning
We consider the problem of obfuscating sensitive information while
preserving utility, and we propose a machine-learning approach inspired
by the generative adversarial networks paradigm. The idea is to set up
two nets: the generator, that tries to produce an optimal obfuscation
mechanism to protect the data, and the classifier, that tries to
de-obfuscate the data. By letting the two nets compete against each
other, the mechanism improves its degree of protection, until an
equilibrium is reached. We apply our method to the case of location
privacy, and we perform experiments on synthetic data and on real data
from the Gowalla dataset. We evaluate the privacy of the mechanism not
only by its capacity to defeat the classifier, but also in terms of the
Bayes error, which represents the strongest possible adversary. We
compare the privacy-utility tradeoff of our method with that of the
planar Laplace mechanism used in geo-indistinguishability, showing
favorable results. Like the Laplace mechanism, our system can be
deployed at the user end for protecting his location.