data anonymization
play

Data Anonymization Graham Cormode Graham Cormode - PowerPoint PPT Presentation

Mar 20, 2023 •435 likes •728 views

Data Anonymization Graham Cormode Graham Cormode graham@research.att.com 1 Why Anonymize? For Data Sharing Give real(istic) data to others to study without compromising privacy of individuals in the data Allows third-parties to try

  1. Data Anonymization Graham Cormode Graham Cormode graham@research.att.com 1

  2. Why Anonymize? ♦ For Data Sharing – Give real(istic) data to others to study without compromising privacy of individuals in the data – Allows third-parties to try new analysis and mining techniques not thought of by the data owner ♦ For Data Retention and Usage – Various requirements prevent companies from retaining customer information indefinitely – E.g. Google progressively anonymizes IP addresses in search logs – Internal sharing across departments (e.g. billing → marketing) 2 2

  3. Models of Anonymization ♦ Interactive Model (akin to statistical databases) – Data owner acts as “gatekeeper” to data – Researchers pose queries in some agreed language – Gatekeeper gives an (anonymized) answer, or refuses to answer ♦ “Send me your code” model ♦ “Send me your code” model – Data owner executes code on their system and reports result – Cannot be sure that the code is not malicious, compiles… ♦ Offline, aka “publish and be damned” model – Data owner somehow anonymizes data set – Publishes the results, and retires – Seems to best model many real releases 3 3

  4. Objectives for Anonymization ♦ Prevent (high confidence) inference of associations – Prevent inference of salary for an individual in census data – Prevent inference of individual’s video viewing history – Prevent inference of individual’s search history in search logs – All aim to prevent linking sensitive information to an individual – All aim to prevent linking sensitive information to an individual ♦ Have to model what knowledge might be known to attacker – Background knowledge: facts about the data set (X has salary Y) – Domain knowledge: broad properties of data (illness Z rare in men) 4 4

  5. Utility ♦ Anonymization is meaningless if utility of data not considered – The empty data set has perfect privacy, but no utility – The original data has full utility, but no privacy ♦ What is “utility”? Depends what the application is… – For fixed query set, can look at max, average distortion – For fixed query set, can look at max, average distortion – Problem for publishing: want to support unknown applications! – Need some way to quantify utility of alternate anonymizations 5 5

  6. Part 1: Syntactic Anonymizations ♦ “Syntactic anonymization” modifies the input data set – To achieve some ‘syntactic property’ intended to make reidentification difficult – Many variations have been proposed: � k-anonymity k-anonymity � l-diversity � t-closeness � … and many many more 6

  7. Tabular Data Example ♦ Census data recording incomes and demographics SSN DOB Sex ZIP Salary 11-1-111 1/21/76 M 53715 50,000 22-2-222 4/13/86 F 53715 55,000 33-3-333 2/28/76 33-3-333 2/28/76 M M 53703 53703 60,000 60,000 44-4-444 1/21/76 M 53703 65,000 55-5-555 4/13/86 F 53706 70,000 66-6-666 2/28/76 F 53706 75,000 ♦ Releasing SSN → Salary association violates individual’s privacy – SSN is an identifier, Salary is a sensitive attribute (SA) 7 7 7

  8. Tabular Data Example: De-Identification ♦ Census data: remove SSN to create de-identified table DOB Sex ZIP Salary 1/21/76 M 53715 50,000 4/13/86 F 53715 55,000 2/28/76 2/28/76 M M 53703 53703 60,000 60,000 1/21/76 M 53703 65,000 4/13/86 F 53706 70,000 2/28/76 F 53706 75,000 ♦ Does the de-identified table preserve an individual’s privacy? – Depends on what other information an attacker knows 8 8 8

  9. Tabular Data Example: Linking Attack ♦ De-identified private data + publicly available data DOB Sex ZIP Salary SSN DOB 1/21/76 M 53715 50,000 11-1-111 1/21/76 4/13/86 F 53715 55,000 33-3-333 2/28/76 2/28/76 2/28/76 M M 53703 53703 60,000 60,000 1/21/76 M 53703 65,000 4/13/86 F 53706 70,000 2/28/76 F 53706 75,000 ♦ Cannot uniquely identify either individual’s salary – DOB is a quasi-identifier (QI) 9 9 9

  10. Tabular Data Example: Linking Attack ♦ De-identified private data + publicly available data DOB Sex ZIP Salary SSN DOB Sex ZIP 1/21/76 M 53715 50,000 11-1-111 1/21/76 M 53715 4/13/86 F 53715 55,000 33-3-333 2/28/76 M 53703 2/28/76 2/28/76 M M 53703 53703 60,000 60,000 1/21/76 M 53703 65,000 4/13/86 F 53706 70,000 2/28/76 F 53706 75,000 ♦ Uniquely identified both individuals’ salaries – [DOB, Sex, ZIP] is unique for majority of US residents [Sweeney 02] 10 10 10

  11. Tabular Data Example: Anonymization ♦ Anonymization through QI attribute generalization DOB Sex ZIP Salary SSN DOB Sex ZIP 1/21/76 M 537** 50,000 11-1-111 1/21/76 M 53715 4/13/86 F 537** 55,000 33-3-333 2/28/76 M 53703 2/28/76 2/28/76 * * 537** 537** 60,000 60,000 1/21/76 M 537** 65,000 4/13/86 F 537** 70,000 2/28/76 * 537** 75,000 ♦ Cannot uniquely identify tuple with knowledge of QI values – E.g., ZIP = 537** → ZIP ∈ {53700, …, 53799} 11 11 11

  12. Tabular Data Example: Anonymization ♦ Anonymization through sensitive attribute (SA) permutation DOB Sex ZIP Salary SSN DOB Sex ZIP 1/21/76 M 53715 55,000 11-1-111 1/21/76 M 53715 4/13/86 F 53715 50,000 33-3-333 2/28/76 M 53703 2/28/76 2/28/76 M M 53703 53703 60,000 60,000 1/21/76 M 53703 65,000 4/13/86 F 53706 75,000 2/28/76 F 53706 70,000 ♦ Can uniquely identify tuple, but uncertainty about SA value – Much more precise form of uncertainty than generalization 12 12 12

  13. k-Anonymization [Samarati, Sweeney 98] ♦ k-anonymity: Table T satisfies k-anonymity wrt quasi-identifiers QI iff each tuple in (the multiset) T[QI] appears at least k times – Protects against “linking attack” ♦ k-anonymization: Table T’ is a k-anonymization of T if T’ is generated from T, and T’ satisfies k-anonymity generated from T, and T’ satisfies k-anonymity DOB Sex ZIP Salary DOB Sex ZIP Salary 1/21/76 M 53715 50,000 1/21/76 M 537** 50,000 4/13/86 F 53715 55,000 4/13/86 F 537** 55,000 2/28/76 M 53703 60,000 2/28/76 * 537** 60,000 → 1/21/76 M 53703 65,000 1/21/76 M 537** 65,000 4/13/86 F 53706 70,000 4/13/86 F 537** 70,000 2/28/76 F 53706 75,000 2/28/76 * 537** 75,000 13 13 13

  14. Homogeneity Attack [Machanavajjhala+ 06] ♦ Issue: k-anonymity requires each tuple in (the multiset) T[QI] to appear ≥ k times, but does not say anything about the SA values – If (almost) all SA values in a QI group are equal, loss of privacy! – The problem is with the choice of grouping, not the data – For some groupings, no loss of privacy DOB DOB Sex Sex ZIP ZIP Salary Salary DOB Sex ZIP Salary 1/21/76 76-86 * * 53715 537** 50,000 50,000 1/21/76 M 53715 50,000 4/13/86 76-86 * * 537** 53715 55,000 55,000 Not Ok! Ok! 4/13/86 F 53715 55,000 2/28/76 76-86 * * 537** 53703 60,000 60,000 2/28/76 M 53703 60,000 → 1/21/76 M 53703 50,000 1/21/76 76-86 * * 537** 53703 50,000 50,000 4/13/86 F 53706 55,000 4/13/86 76-86 * * 537** 53706 55,000 55,000 2/28/76 F 53706 60,000 2/28/76 76-86 * * 537** 53706 60,000 60,000 14 14 14

  15. l -Diversity [Machanavajjhala+ 06] ♦ Intuition: Most frequent value does not appear too often compared to the less frequent values in a QI group ♦ Simplified l -diversity defn: for each group, max frequency ≤ 1/ l 1 – l -diversity((1/21/76, *, 537**)) = ?? DOB Sex ZIP Salary 1/21/76 * 537** 50,000 4/13/86 * 537** 55,000 2/28/76 * 537** 60,000 1/21/76 * 537** 50,000 4/13/86 * 537** 55,000 2/28/76 * 537** 60,000 15 15 15

  16. Simple Algorithm for l -diversity ♦ A simple greedy algorithm provides l -diversity” – Sort tuples based on attributes so similar tuples are close – Start with group containing just first tuple – Keeping adding tuples to group in order until l-diversity met – Output the group, and repeat on remaining tuples – Output the group, and repeat on remaining tuples DOB Sex ZIP Salary DOB Sex ZIP Salary 1/21/76 M 53715 50,000 1/21/76 M 53715 50,000 4/13/86 F 53715 50,000 4/13/86 F 53715 50,000 2-diversity 2/28/76 M 53703 60,000 2/28/76 M 53703 60,000 1/21/76 M 53703 65,000 1/21/76 M 53703 65,000 4/13/86 F 53706 50,000 4/13/86 F 53706 50,000 2/28/76 F 53706 60,000 2/28/76 F 53706 60,000 – Knowledge of the algorithm used can reveal associations! 16

  17. Syntactic Anonymization Summary ♦ Pros: – Provide natural definitions (e.g. k-anonymity) – Keeps data in similar form to input (e.g. as tuples) – Give privacy beyond simply removing identifiers ♦ Cons: ♦ Cons: – No strong guarantees known against arbitrary adversaries – Resulting data not always convenient to work with – Attack and patching has led to a glut of definitions 17

  18. Part 2: Differential Privacy A randomized algorithm K satisfies ε-differential privacy if: Given any pair of “neighboring” data sets, D and D’, and any property S: Pr[ K(D) ∈ S] ≤ e ε Pr[ K(D’) ∈ S] Introduced by Cynthia Dwork, Frank McSherry, Kobbi Nissim, Adam Smith in 2006 18

  19. Differential Privacy for numeric functions • Sensitivity of publishing for a numeric function f: • Sensitivity of publishing for a numeric function f: s = max X,X’ |f(X) – f(X’)|, X, X’ differ by 1 individual s = max X,X’ |f(X) – f(X’)|, X, X’ differ by 1 individual To give ε-differential privacy for a function with sensitivity s: � Add Laplace noise, Lap(ε/s) to the true output answer 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Recap/Taxonomy of Anonymization Microdata anonymization Microaggregation based anonymization Taxonomy of Anonymization Problem

620 views • 59 slides
Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference

Data Privacy Anonymization Li Xiong CS573 Data Privacy and Security Outline Inference control Anonymization problem Anonymization notions and approaches (and how they fail to work!) k-anonymity l-diversity t-closeness

741 views • 51 slides
Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies

Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies

Data Masking and Anonymization for PostgreSQL 1 The Anonymization Challenge 8 Strategies PostgreSQL Anonymizer The Future 2 3 My Story 4 LETS DO THIS ! jailer pgantomizer ARX pgsync anomyze-it anonymizer mat2 Talend open

1.12k views • 77 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Clustering based anonymization (cont) Permutation based anonymization Other privacy principles Microaggregation/Clustering Two steps:

879 views • 52 slides
CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today

CS573 Data Privacy and Security Anonymization methods Anonymization methods Li Xiong Today Permutation based anonymization methods (cont.) Other privacy principles for microdata publishing publishing Statistical databases

986 views • 51 slides
CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics

CS573 Data Privacy and Security Data Anonymization (cont.) Li Xiong Department of Mathematics and Computer Science Emory University Today Cont. Anonymization notions and approaches l-diversity t-closeness Takeaways Attacks on

192 views • 15 slides
Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos

DataCamp Data Privacy and Anonymization in R DATA PRIVACY AND ANONYMIZATION IN R Introduction to Anonymization (I) Claire McKay Bowen Postdoctoral Researcher, Los Alamos National Laboratory DataCamp Data Privacy and Anonymization in R

609 views • 26 slides
Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami

1 Quantifying the Risk of Re-identification in Data Anonymization Competition Takao Murakami (AIST*, Japan) *AIST: National Institute of Advanced Industrial Science & Technology 2 Outline Data Anonymization Mechanism Plays an

543 views • 27 slides
Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October,

Big Data and the application of anonymization techniques Annual Privacy Forum 2015 7-8 October, Luxembourg Giuseppe DAcquisto Garante per la protezione dei dati personali 1 The concept of anonymization My data 1 D.O.F Any person Empty

334 views • 12 slides
Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and

Anonymization Algorithms - Microaggregation and Clustering Li Xiong CS573 Data Privacy and Anonymity Anonymization using Microaggregation or Clustering Practical Data-Oriented Microaggregation for Statistical Disclosure Control,

902 views • 55 slides
An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2

An Automated Social Graph De-anonymization Technique Kumar Sharad 1 George Danezis 2 1 2 November 3, 2014 Workshop on Privacy in the Electronic Society, Scottsdale, Arizona, USA This Talk 1 The Art of Data Anonymization 2 The D4D Challenge 3

527 views • 51 slides
Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption

Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption

Social & Privacy Issues of Data Mining Kyle Borah OutLine Background Data Anonymization Encryption with demo OutLine Background Data Anonymization Encryption with demo Background Companies have your data

468 views • 12 slides
Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We

Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We

Need to Preserve Privacy How to Preserve . . . In Statistical Data . . . Estimating Accuracy . . . Data Anonymization that Towards Optimal . . . Leads to the Most Accurate First Result: . . . We Need to Dismiss . . . Estimates of

700 views • 22 slides
Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald

Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald

Towards Data Anonymization in Data Mining via Meta-Heuristic Approaches Fatemeh Amiri, Gerald Quirchmayr, Peter Kieseberg, Edgar Weippl, and Alessio Bertone University of Vienna, Faculty of Computer Science, Vienna, Austria SBA Research GmbH,

205 views • 17 slides
Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573

Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573

Anonymization Algorithms - Other techniques, metrics, and extended scenarios Li Xiong CS573 Data Privacy and Anonymity So far k-anonymity (protect identity disclosure) Anonymization algorithms Generalization and suppression

549 views • 34 slides
Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline

Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline

Data Anonymization Introduction Li Xiong CS573 Data Privacy and Security Outline Problem definition Principles Disclosure Control Methods Inference Control Access control: protecting information and information systems from

703 views • 52 slides
Measuring the effects of Arctic climate change: CH 4 emissions at the NOAA Point Barrow

Measuring the effects of Arctic climate change: CH 4 emissions at the NOAA Point Barrow

Measuring the effects of Arctic climate change: CH 4 emissions at the NOAA Point Barrow Observatory Colm Sweeney 1,2 , Ed Dlugokencky 2 , Charles Miller 3 , Steve Wofsy 4 , Anna Karion 1,2,* , Steve Dinardo 3 , Rachel Y.-W. Chang 5 , John Miller 2

567 views • 22 slides
Waste-Recycling- Composting Blake Bensman, Brandon Hendricks, John Randolph,

Waste-Recycling- Composting Blake Bensman, Brandon Hendricks, John Randolph,

Waste-Recycling- Composting Blake Bensman, Brandon Hendricks, John Randolph, Annie Pearce, Greg Evanylo, Jody Booze-Daniels, Rob Lowe, Denny Cochrane, 16 member

643 views • 5 slides
ConnectHome Nation Webinar Using HUD Form-50058 for ConnectHomeUSA Data Collection and Reporting

ConnectHome Nation Webinar Using HUD Form-50058 for ConnectHomeUSA Data Collection and Reporting

ConnectHome Nation Webinar Using HUD Form-50058 for ConnectHomeUSA Data Collection and Reporting 1 Agenda Topic 1 Agenda Topic 2 HUD PD&R 1. WebEx Instructions RIHousing Topic 3 2. Introductions Q&A Topic 4 3. HUD Office of

468 views • 30 slides
Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for

Privacy in Machine Learning Fatemehsadat Mireshghallah ICLR2020 Privacy: A Major Concern for Machine Learning Graphics Adopted from The New York Times Privacy Project 2 Famous incidents - Anonymization - A Face Is Exposed for AOL

1.03k views • 7 slides
SUPPLIER BRIEFING DEFIBRILLATORS AND ASSOCIATED CONSUMABLES HPVITS2019-070 Thursday 11 th October

SUPPLIER BRIEFING DEFIBRILLATORS AND ASSOCIATED CONSUMABLES HPVITS2019-070 Thursday 11 th October

SUPPLIER BRIEFING DEFIBRILLATORS AND ASSOCIATED CONSUMABLES HPVITS2019-070 Thursday 11 th October Natalie Sweeney Category Manager Equipment Agenda HPV Overview Project Team Invitation to Supply Timeline o Categories in

435 views • 25 slides
UAS Midwest Business Panel Moderator: Tim Sweeney, Sector Director, Advanced Manufacturing

UAS Midwest Business Panel Moderator: Tim Sweeney, Sector Director, Advanced Manufacturing

UAS Midwest Business Panel Moderator: Tim Sweeney, Sector Director, Advanced Manufacturing and Aerospace August 15, 2018 UAS Global Market Opportunity Global Civil UAS Market for drones estimated at $88.3 billion* over next decade 2018

638 views • 4 slides
A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing

A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing

A Short Tutorial on Differential Privacy Borja Balle Amazon Research Cambridge The Alan Turing Institute January 26, 2018 Outline 1. We Need Mathematics to Study Privacy? Seriously? 2. Differential Privacy: Definition, Properties and Basic

868 views • 75 slides
Detailed R-matrix analysis of 7 Li ( p , ) at 441keV Michael Munch, Oliver Slund Kirsebom,

Detailed R-matrix analysis of 7 Li ( p , ) at 441keV Michael Munch, Oliver Slund Kirsebom,

Detailed R-matrix analysis of 7 Li ( p , ) at 441keV Michael Munch, Oliver Slund Kirsebom, Jacobus Andreas Swartz, Karsten Riisager and Hans Otto Uldall Fynbo Department for Physics and Astronomy, Aarhus University May 24 th 2018, NMNP 8 Be

592 views • 20 slides

More recommend