
OB-PWS: Obfuscation-Based Private Web Search

Ero Balsa, Carmela Troncoso and Claudia Diaz

ESAT/COSIC, IBBT - KU Leuven

Wednesday, 23 May 2012


The Privacy Problem

[Figure labels: sports; art; music; HIV treatment; Eco Activism; cross-dressing; restaurants in Chicago; quit smoking; bio products]

PRIVACY PROBLEM: Individual search queries and/or profiling may reveal sensitive information.

Some solutions:

  • Anonymous communications
  • PIR
  • OB-PWS ⇒ Prevent profiling and provide query deniability.

Our contribution

  • General model.
  • Evaluation framework ⇒ with relevant privacy properties (details in the paper).
  • Analysis of 6 existing systems (4 in this talk).


An abstract model for OB-PWS

[Figure: diagram of the abstract model. Labels: the user; real queries; dummy generation strategy; dummy queries; semantic classification algorithm; real profile; unclassified queries; adversarial semantic classification algorithm; observed profile; profile filtering algorithm; filtered profile; dummy classification algorithm; queries classified as real; queries classified as dummies.]


An Evaluation framework for DGS

A dual analysis is required:

  • Query-Based Analysis: Exploit vulnerabilities in the DGS to distinguish real from dummy queries.
  • Profile-Based Analysis: Exploit vulnerabilities in the DGS to filter the observed profile and recover the real profile.

GooPIR: h(k)-Private Information Retrieval from Privacy-Uncooperative Queryable Databases [1]

  • A k-anonymity inspired approach.
  • Prevents attacks based on: timing/metadata; popularity of queries; statistical disclosure.
  • However does not consider the topic of the queries. ⇒ No dummy indistinguishability.


PDS Plausibly Deniable Search [2]

[Figure: example query sets with their topic labels.
First example: Lion, Leopard, Tiger labelled CATS; Shower, Sink, Toilet labelled (dummy) BATHROOM; Stock, Investing, Shares labelled (dummy) BUSINESS.
Second example: queries Justin Bieber, Disneyland, Toy Story, Napoleon, Einstein, BMW. One labelling shows Justin Bieber as MUSIC, Toy Story as MOVIES, Disneyland as AMUSEMENT PARKS, with (dummy) labels HISTORY, PHYSICS, CARS; a second labelling shows the labels KIDS, KIDS, KIDS, HISTORY, SCIENCE, CARS.]


PRAW (A PRivAcy model for the Web) [3]

Privacy = Dissimilarity. Dissimilarity ∝ amount of dummy queries.

[Figure: observed profile; distance between profiles (depends on dummy rate); high probability region for the real profile.]

Considering prior information Pr[X = X]:

[Figure: observed profile; distances between profiles (depend on dummy rate); high probability regions for the real profile.]


OQF-PIR Optimized Query Forgery for Private Information Retrieval [4]

  • Privacy = similarity to population's average profile.
  • Exploitable features: Known target profile. Amount of dummy queries. Waterfilling-based DGS.
  • Query-based Analysis: Unpopular queries must be real.
  • Profile-based Analysis:

[Figure: axis: dummy rate. Labels: average population profile; b < c < a; a = b < c; observed profile equal to target profile.]

Systems' Analysis Summary

  • Two main categories of DGS: Query based. Profile based.
  • Different definitions of what privacy means: k-deniability. The (dis)similarity of profiles.
  • Ad-hoc analyses and evaluations.

Open problems and future work

  • Plausibility of dummy queries, e.g., the dictionary issue.
  • Adversarial modelling, e.g., the adversarial SCA issue.

Conclusions

  • Abstract model for OB-PWS systems.
  • Analysis framework ⇒ Definition and formalization of relevant privacy properties.
  • Analysis of 6 existing OB-PWS systems (4 in this talk).
  • Both profile and query based analyses are needed!

Thank you.

Questions?

Main references:

[1] Josep Domingo-Ferrer, Agusti Solanas, and Jordi Castellà-Roca. h(k)-private information retrieval from privacy-uncooperative queryable databases. Online Information Review, 33(4):720–744, 2009.
[2] Mummoorthy Murugesan and Christopher W. Clifton. Plausibly Deniable Search. In Proceedings of the Workshop on Secure Knowledge Management (SKM 2008), November 2008.
[3] Bracha Shapira, Yuval Elovici, Adlay Meshiach, and Tsvi Kuflik. PRAW - A PRivAcy model for the Web. JASIST, 56(2):159–172, 2005.
[4] David Rebollo-Monedero and Jordi Forné. Optimized query forgery for private information retrieval. IEEE Transactions on Information Theory, 56(9):4631–4642, 2010.