02 Nov 2017
This chapter focuses on privacy issues in location-based services. Privacy issues and challenges are discussed first, followed by a few definitions. We then divide trajectory privacy into two parts: location anonymization, which concerns a user's private information directly tied to their locations, and query privacy, which concerns a user's private information tied to the attributes of LBS queries. Finally, we present the privacy-preserving activity recognition method.
This section traces the derivation of trajectory privacy from data privacy, location privacy and trajectory privacy in location-based services.
Although many people clearly consider their privacy a fundamental right, comparatively few can give a precise definition of the term or distinguish it from security. Privacy is defined as the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others [ref]. Privacy thus denotes a specific form of data protection that requires flexible control over the disclosure of personal information. Location-based services make daily life easier; however, recorded location data enables intrusive inferences that may reveal personal habits, social customs and religious affiliation, which can be exploited for unauthorized advertising.
As shown in [Figure 4-1], we organize the privacy-protection problem along spatial and temporal dimensions. Data privacy, at the bottom left, concerns privacy preservation over independent data records. Adding the spatial dimension attaches a geographic location to each record, so the main issue in location privacy becomes preventing adversaries from learning geographically related activities. Along the temporal dimension, data ranges from snapshot to continuous. Continuously processed data carries dependencies from past to future, which makes it possible to infer hidden information from the data; this is the concern of stream privacy. In location-based services, mobile users issue location-based queries to LBS providers to obtain information relevant to their geographic position. This poses a new challenge to traditional data-privacy techniques, because both temporal and spatial information must be taken into account, and they must not be considered separately: spatio-temporal features may reveal significant implicit information, which must also be protected. In this section we focus on location privacy and trajectory privacy in both snapshot and continuous LBS environments.
[Figure 4- ] Category of Privacy
In this dissertation we propose a grid-based index for fast trajectory search and for performing our privacy protection. As shown in [Figure 4-2], we map our segmented trajectories onto a grid map. Semantic locations are drawn as dark areas. (i) is a hierarchical inverted semantic-location list, which records the minimum MBR grids containing each semantic location. (ii) is an inverted trajectory list for fast access to the trajectories passing through each grid cell. (iii) lists all the semantic locations in a trajectory. All three lists reside on the trusted anonymization server for cloaking computation. The full trajectories and other information are stored on the untrusted location-based server.
[Figure 4- ] Grid-based Semantic Trajectory
Existing approaches to privacy-aware mobility data sharing aim to publish an anonymized version of the mobility dataset, under the assumption that most of the information in the original dataset can be disclosed without causing any privacy violation [ref]. Researchers have long been aware of the potential privacy threats and have proposed a great number of promising schemes against these attacks. However, several problems and challenges remain to be solved.
Center-of-Cloaked-Area Attack [ref]: query issuers are generally located near the center of the cloaked area, which an adversary can easily predict. A cloaked-area adjustment scheme was proposed in [ref]; however, it is not an intrinsic part of the cloaking-generation phase and requires extra processing time to adjust the center and the cloaked area.
Query Tracking Attack [ref] [ref] [ref]: a query issuer is not safe when launching a continuous query. For example, if a user Up issues two queries at times t-1 and t with cloaking regions CRt-1(Up, Ua, Ub, Uc) and CRt(Up, Ud, Ue), an adversary can easily compare the two regions and identify the query issuer Up as their only common member.
Location-Dependent Attack [ref] [ref] [ref] [ref]: this affects most algorithms that consider only snapshot user locations. The problem was first introduced in [ref] together with patching and delaying solutions. The main idea of previous work is to enlarge the cloaking region or to cache historical locations.
User Attack: users' mobile devices can be compromised and turned malicious, actively revealing other users' private information. This is a critical problem in P2P environments, where information is shared between users. However, most previous research follows the general assumption that only LBS servers are malicious observers.
Edge User Update: users frequently move across the outer and inner boundaries of a cloaking region. This is important but barely discussed in previous work. As shown in Fig. 1, Up's movement causes frequent updates of the initial cloaking region {UA, UB, UC, UD, UE, UF, UG}, generating two new cloaking regions {Upt, UC, UD, UE, UF, UG} and {Upt, UA, UB, UC, UD, UE, UF, UG}. Frequent updates mean more network traffic and more power consumption on user devices, so a new algorithm with tolerable communication cost is needed.
[Figure 4- ] Continuous Update Problem
Location Similarity Attack: an adversary can infer semantic meaning from a cloaking region. This was first studied in [ref], which protects location semantics with a semantically heterogeneous cloaking method.
In conclusion, two main issues must be addressed in privacy-preserving location-based services: (a) anonymization of personal locations, and (b) high-quality service on top of anonymized locations, i.e. efficient privacy-preserving query processing. We discuss these two aspects in detail from the next section onward.
[Figure 4- ] Adversary Knowledge
Spatial cloaking is the most popular privacy-preservation method. It relies on the k-anonymity concept and on cloaking granularity, blurring a user's location into a cloaked spatial area that satisfies the user's specified privacy requirements.
A standard spatial cloaking process is shown in [Figure 4-5]. Q is the query issuer in a snapshot LBS with privacy profile k=5, so it is easy to compute the cloaking region CR0{B, C, D, E, Q} at time T0. User Q then issues another query from its updated location and obtains a new cloaking region CR1{I, J, G, H, Q} at time T1. An adversary can easily identify user Q by comparing CR0 and CR1, as Q is their only common member. A straightforward way to prevent this attack is to keep all the original users in the cloaking region. However, this can produce a very large cloaking region, as shown in [Figure 4-5](C): CR1' is the cloaking region generated in a continuous LBS when it must contain all initial members.
[Figure 4- ] Spatial Cloaking
Existing work on spatial cloaking follows the same idea of blurring a user's location into a cloaking region. As shown in [Figure 4-6], there are four basic spatial cloaking methods.
[Figure 4- ] Location privacy cloaking
For better performance, we aim to generate a minimal cloaking region at lower computation and communication cost while preserving user privacy. We describe our algorithms in the following sections.
In this section we present our cloaking approach in two phases: single-user cloaking and multi-user cloaking.
While most existing work focuses on minimizing the size of the cloaking region, we observe a distinctive feature: semantic locations generally have a Minimum Bounding Rectangle (MBR), the smallest rectangle covering the semantic places of interest. We aim to find the MBR that covers all the semantic places of interest needed to satisfy the privacy requirements. As shown in [Figure 4-7], the whole area is divided into the grid {N1~N9, M1~M6} (X~Y denotes the labeled grids from X to Y). The user's precise location is the triangle Q, and the user has a certain privacy profile r. Using the existing quad-tree cloaking method, the cloaking region is the set of dark grids {M1~M5, N2~N7} and {M6, N3~N6}. We instead consider the semantic places of interest {A, B, C}, which together satisfy the privacy requirements. The MBR of {A, B, C} is then easily computed as CR1, which gives the smaller cloaking region {M1~M4, N2~N6}. We thus obtain a smaller cloaking region, an important criterion when choosing one. More importantly, the resulting cloaking region resists the center-of-cloaked-area attack: as shown in [Figure 4-7], Q is the original query issuer while Q' is the center of the cloaked region CR1. In the multi-user cloaking phase of the next section we further strengthen our method against this attack.
[Figure 4- ] Example of MBR-based Cloaking Region
We propose an MBR-adaptive method to quickly compute a cloaking region that takes semantic locations into account. As shown in [Figure 4-8], user Q issues a query that must be cloaked by the trusted anonymization server. The server first expands in four directions over the grid map until it finds the first semantic location, A. It then uses our inverted semantic-location list from [Figure 4-2] to quickly obtain A's minimum MBR, which yields the asymmetric expansion shown in [Figure 4-8](B). This process continues until the privacy profile defined by Q is satisfied. Note that during the expanding phase the growth can be either asymmetric or symmetric.
[Figure 4- ] Example of MBR-based Cloaking Expanding
Once the privacy degree is satisfied in the expanding phase, we generate an MBR-adaptive cloaking region based on the minimum grid level of the semantic locations, as shown in [Figure 4-9].
[Figure 4- ] Example of MBR Adaptive Cloaking
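The grid expansion described above, as an added example that is not code from the dissertation: the grid size, the POI cells and the user cell are constructed assumptions. It builds the inverted semantic-location list of [Figure 4-2] (cell to POIs), grows one ring at a time from the user's cell, and whenever the ring touches a POI snaps the region to that POI's whole minimum MBR, the asymmetric expansion of [Figure 4-8](B), until at least l POIs are fully covered. The centre of the resulting region is returned so that it can be compared with the user's cell.

```python
# Constructed example of the MBR-adaptive expansion (not code from the dissertation).
# Grid size, POI cells and the user cell are assumptions; cells are (row, col).
ROWS, COLS = 10, 10
POI_CELLS = {
    "A": {(r, c) for r in range(1, 3) for c in range(3, 6)},    # rows 1-2, cols 3-5
    "B": {(r, c) for r in range(4, 7) for c in range(0, 2)},    # rows 4-6, cols 0-1
    "C": {(r, c) for r in range(7, 10) for c in range(7, 10)},  # rows 7-9, cols 7-9
}


def build_cell_index(poi_cells):
    """Inverted semantic-location list (Figure 4-2 (i)): cell -> POIs whose minimum MBR covers it."""
    index = {}
    for poi, cells in poi_cells.items():
        for cell in cells:
            index.setdefault(cell, set()).add(poi)
    return index


def bbox(cells):
    """Minimum bounding rectangle of a cell set as (r1, c1, r2, c2), inclusive."""
    rows = [r for r, _ in cells]
    cols = [c for _, c in cells]
    return (min(rows), min(cols), max(rows), max(cols))


def cells_in(box):
    r1, c1, r2, c2 = box
    return {(r, c) for r in range(r1, r2 + 1) for c in range(c1, c2 + 1)}


def grow_ring(box, rows=ROWS, cols=COLS):
    """Symmetric one-cell expansion in all four directions, clipped to the grid."""
    r1, c1, r2, c2 = box
    return (max(r1 - 1, 0), max(c1 - 1, 0), min(r2 + 1, rows - 1), min(c2 + 1, cols - 1))


def mbr_adaptive_cloak(user_cell, l, poi_cells=POI_CELLS, rows=ROWS, cols=COLS):
    """Expand from the user's cell until at least l POIs are fully covered.

    Each round grows one ring; whenever the ring touches a POI, the region snaps
    to that POI's whole minimum MBR (the asymmetric expansion of Figure 4-8 (B)).
    """
    index = build_cell_index(poi_cells)
    box, covered = bbox({user_cell}), set()
    while len(covered) < l:
        grown = grow_ring(box, rows, cols)
        if grown == box:
            raise ValueError(f"grid exhausted with only {len(covered)} of {l} POIs covered")
        region = cells_in(grown)
        touched = set().union(*(index.get(cell, set()) for cell in region))
        for poi in touched:
            region |= poi_cells[poi]        # snap to the full MBR of every touched POI
        box = bbox(region)
        covered = {p for p, cells in poi_cells.items() if cells <= cells_in(box)}
    return box, covered


def box_center(box):
    """Centre of the cloaked region, to compare against the user's own cell."""
    r1, c1, r2, c2 = box
    return ((r1 + r2) / 2, (c1 + c2) / 2)


if __name__ == "__main__":
    box, covered = mbr_adaptive_cloak((3, 4), l=2)
    print("cloaking region", box, "covers", sorted(covered), "centre", box_center(box))
```

With the constructed grid, a user at cell (3, 4) and l=2 ends with the region spanning rows 0-6 and columns 0-7 covering A and B, whose centre (3, 3.5) differs from the user's cell; asking for more POIs than the grid can supply raises an error instead of looping.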
We then consider a user privacy profile r with an l-diversity metric, meaning that at least l POIs must be included in the cloaking region. We modify the location semantic graph proposed in [ref] for l-diversity cloaking. The distance between semantic locations and the user location is computed with the Earth Mover's Distance (EMD) [ref], originally defined as the minimal amount of work needed to transform one distribution into another by moving distribution mass between them.
Suppose we have two distributions P{p1, p2, … , pn} and Q{q1, q2, … , qn}. The overall work needed to make the two distributions identical is defined as follows.
It is subject to the following constraints:
Here the flow F={fij} moves mass from element i of P to element j of Q so as to minimize the overall work, and dij is the ground distance from element i to element j.
Following this definition, we build the location semantic graph in [Figure 4-9] using the same definitions as in [ref]. The prior belief corresponds to an adversary who does not know the cloaking region: the adversary's knowledge is the location semantics of the entire area, since he has no idea where the mobile user is. The posterior belief corresponds to an adversary who already knows the cloaking region and can therefore obtain the more specific location semantics of that region. As shown in [Figure 4-10], nodes represent semantic locations and edge weights represent the EMD between the corresponding nodes. The prior belief is represented by the location semantic graph in [Figure 4-10] (2), while the posterior belief is the more elaborate graph built upon it, shown in [Figure 4-10] (3) and (4).
[Figure 4- ] Location Semantic Graph to Initial Cloaking Region
Note that the triangle Q' is the query issuer and there are 4 semantic places {P1, P2, P3, P4} in the area. P1 and P2 are of the same semantic type, and P3 and P4 are of the same class; for example, P1 and P2 may be education-related while P3 and P4 are medical-related. The issuer Q' now has two choices for its initial cloaking region, CR1{P1, P2} and CR2{P1, P3}, and we evaluate the safety of each.
In [Figure 4-10] (2), each semantic place has an average probability of 0.25. A node of the location semantic graph becomes a discrete point in the EMD domain, and an edge weight becomes a ground distance dij. The numerical results for CR1 and CR2 are:
where PCRk denotes the posterior belief for cloaking region CRk and PE the prior belief. CR1 is considered more secure than CR2 because DEMD(PCR1, PE) < DEMD(PCR2, PE). However, this method does not defend against the location similarity attack, where the adversary can guess that the user is a student or a teacher who always stays around education-related POIs. To address this, we propose updating the weights between similar POIs in the location semantic graph: the EMD between similar POIs is reduced, reflecting that there is no semantic difference between them. As shown in [Figure 4-10] (3) and (4), the weight between P1 and P2 is reduced to 0. We then repeat the numerical computation:
This means CR2 is now more secure and should be chosen as the initial cloaking region of Q'. Its effectiveness against the location similarity attack is shown in our experimental evaluation in Section 5. The pseudo code of the single-user cloaking algorithm is given in [ALGORITHM 4-1].
[ALGORITHM 4- ] Initial Single-user Cloaking Region
Input: User exact location q , POIs list P{P1, … , Pn} ,
Grid Map gMap[M × N] , privacy profile k POIs
Intermediate: Candidate Cloaking Region CCRi, Candidate POIs list P’{P1’, … , Pn’}
Output: Initialized Cloaking Region CRq
Procedure : InitSingleUserCR(Cid, M)
01 : construct semantic location graph with P{P1, … , Pn};
02 : while ! (k satisfied)
03 : expand(q, P);
04 : end while
05 : for each pair of Pi’ and Pj’
06 : if Pi’.type = Pj’.type then
07 : update weight between Pi’ and Pj’;
08 : end if
09 : end for
10 : for each CCRi
11 : compute EMD;
12 : end for
13 : choose CCRi with smallest EMD value as CRq;
// checking safety of each candidate cloaking region
14 : compute CRq with grid map gMap[M × N];
15 : output CRq with grids;
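The candidate ranking of [ALGORITHM 4-1] (lines 05-13) and the EMD comparison discussed with [Figure 4-10], as an added example that is not the dissertation's code. The four POIs and their two semantic types follow the text; the edge weights (ground distances dij) are constructed assumptions, because the figure's values are not on the page, and they are deliberately chosen so that the weight update between same-type POIs flips the ranking from CR1 to CR2, as the text describes. EMD is computed exactly as a min-cost flow over the scaled masses, so the scores are rational numbers rather than floats.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

# Constructed example data (assumptions): four semantic places as in the page's
# walk-through; the ground distances are not the figure's values.
POIS = ["P1", "P2", "P3", "P4"]
TYPES = {"P1": "education", "P2": "education", "P3": "medical", "P4": "medical"}
PRIOR_WEIGHTS = {("P1", "P2"): 3, ("P3", "P4"): 3,
                 ("P1", "P3"): 1, ("P1", "P4"): 2,
                 ("P2", "P3"): 2, ("P2", "P4"): 1}
CANDIDATES = {"CR1": {"P1", "P2"}, "CR2": {"P1", "P3"}}   # candidate cloaking regions CCRi


def min_cost_flow(n_nodes, edges, s, t):
    """Successive shortest paths with Bellman-Ford; edges are (u, v, capacity, cost)."""
    graph = [[] for _ in range(n_nodes)]
    for u, v, cap, cost in edges:
        graph[u].append([v, cap, cost, len(graph[v])])      # forward edge
        graph[v].append([u, 0, -cost, len(graph[u]) - 1])   # residual edge
    flow, total_cost, inf = 0, 0, float("inf")
    while True:
        dist, prev = [inf] * n_nodes, [None] * n_nodes
        dist[s] = 0
        changed = True
        while changed:                      # Bellman-Ford tolerates negative residual costs
            changed = False
            for u in range(n_nodes):
                if dist[u] == inf:
                    continue
                for i, (v, cap, cost, _) in enumerate(graph[u]):
                    if cap > 0 and dist[u] + cost < dist[v]:
                        dist[v], prev[v], changed = dist[u] + cost, (u, i), True
        if dist[t] == inf:
            break
        f, v = inf, t                       # bottleneck capacity along the cheapest path
        while v != s:
            u, i = prev[v]
            f, v = min(f, graph[u][i][1]), u
        v = t
        while v != s:                       # push f units and update residual capacities
            u, i = prev[v]
            graph[u][i][1] -= f
            graph[v][graph[u][i][3]][1] += f
            v = u
        flow, total_cost = flow + f, total_cost + f * dist[t]
    return flow, total_cost


def emd(p, q, dist):
    """EMD between distributions p and q over the same n points, ground distances dist[i][j]."""
    n = len(p)
    p, q = [Fraction(x) for x in p], [Fraction(x) for x in q]
    assert sum(p) == sum(q) == 1
    scale = reduce(lambda a, b: a * b // gcd(a, b), [x.denominator for x in p + q], 1)
    s, t = 0, 2 * n + 1                     # source, P nodes 1..n, Q nodes n+1..2n, sink
    edges = []
    for i in range(n):
        edges.append((s, 1 + i, int(p[i] * scale), 0))
        edges.append((1 + n + i, t, int(q[i] * scale), 0))
        for j in range(n):
            edges.append((1 + i, 1 + n + j, scale, dist[i][j]))
    flow, cost = min_cost_flow(2 * n + 2, edges, s, t)
    assert flow == scale                    # every unit of mass was moved
    return Fraction(cost) / scale


def ground_distances(weights):
    """Edge weights of the location semantic graph as a symmetric ground-distance matrix."""
    idx = {p: i for i, p in enumerate(POIS)}
    d = [[0] * len(POIS) for _ in POIS]
    for (a, b), w in weights.items():
        d[idx[a]][idx[b]] = d[idx[b]][idx[a]] = w
    return d


def merge_similar(weights):
    """Algorithm 4-1 lines 05-09: weight 0 between POIs of the same semantic type."""
    return {pair: (0 if TYPES[pair[0]] == TYPES[pair[1]] else w) for pair, w in weights.items()}


def posterior(cr):
    """Adversary's belief once the cloaking region is known: uniform over its POIs."""
    return [Fraction(1, len(cr)) if p in cr else Fraction(0) for p in POIS]


def rank_candidates(weights, candidates=CANDIDATES):
    """Lines 10-13: EMD from each candidate's posterior to the uniform prior; smallest wins."""
    prior = [Fraction(1, len(POIS))] * len(POIS)
    d = ground_distances(weights)
    scores = {name: emd(posterior(cr), prior, d) for name, cr in candidates.items()}
    return scores, min(scores, key=scores.get)


if __name__ == "__main__":
    print("prior graph:", rank_candidates(PRIOR_WEIGHTS))
    print("after weight update:", rank_candidates(merge_similar(PRIOR_WEIGHTS)))
```

With the constructed weights, the prior graph scores CR1 at 1/2 and CR2 at 1, so CR1 is chosen; after the same-type weights are set to 0, CR2 scores 0 while CR1 stays at 1/2, so CR2 is chosen instead. A smaller EMD means the adversary's posterior is closer to the prior, i.e. the region leaks less semantic information.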
With our method, each user initializes his cloaking region with a personal privacy profile guaranteeing both k-anonymity and l-diversity, i.e. k users and l semantic locations are blurred together in the cloaking region.
The basic idea of the P2P k-anonymity spatial cloaking algorithm is that a mobile user communicates with other peers via multi-hop routing to find at least k-1 peers, making the query issuer indistinguishable among the k users within the cloaked region. Existing approaches assume that users in a P2P environment are trustworthy; this does not hold in real environments, as an adversary can pose as a normal user and easily obtain others' private information. In our approach, we share location information based on the semantic locations contained in the MBR-adaptive cloaking region. There is, however, a serious update problem when users move around the edge of a cloaking region, the edge user update problem described in the previous section. [Figure 4-11] shows an example of the multi-user cloaking procedure, which addresses both problems through a shared cloaking region.
[Figure 4- ] Cloaking Region from Multi-Users
As shown in [Figure 4-11], we have 4 initial cloaking regions {CR1, CR2, CR3, CR4} from the 4 surrounding users {U1, U2, U3, U4}, from which we obtain the following knowledge:
User U1 → Initial Cloaking Region CR1 → POIs {A, B} → k1 nodes in quad-tree
User U2 → Initial Cloaking Region CR2 → POIs {B, C} → k2 nodes in quad-tree
User U3 → Initial Cloaking Region CR3 → POIs {C} → k3 nodes in quad-tree
User U4 → Initial Cloaking Region CR4 → POIs {B, D} → k4 nodes in quad-tree
This means each user is first cloaked in the single-user cloaking phase with semantic locations (POIs) and given a link to the k nodes containing those POIs. For example, let U4 be a query issuer with initial cloaking region CR4. We assume that users can also be adversaries, so sharing U4's location information with neighbors could disclose it; the peer-to-peer search therefore starts from the cloaking region CR4 rather than from U4's exact location.
1. Initial Step :
a) Two semantic locations {B, D} are fully included in CR4, so we search the grid table proposed in Fig. 3 for all other cloaking regions containing {B} or {D}.
b) Since CR1 contains {A, B, C} and CR2 contains {B, C}, we add CR1 and CR2 to the candidate cloaking set.
2. Expand Step :
Given the current candidate set {CR4, CR1, CR2}, we expand with the newly added semantic location {C}. CR3 is found and added to the candidate cloaking set.
The algorithm stops when k users are found in the candidate cloaking set, and combines the candidates into CR. By combining the l-diversity metric of the single-user phase with the k-anonymity metric of the multi-user phase, we generate a cloaking region in a P2P environment that resists both user and LBS-server attacks. [ALGORITHM 4-2] gives the pseudo code of the multi-user cloaking algorithm.
[ALGORITHM 4- ] Generating Multi-user Cloaking Region
Input : User initial cloaking region CRq , POIs list P{P1, … , Pn} ,
Grid Map gMap[M × N] , privacy profile k users
Output : Cloaking Region CR, Sharing Cloaking Region SCR,
Tolerant Time for Update Ttol , Edge User List UList
01 : POIList ← { ∅ };
02 : initial CR with CRq;
03 : POIList ← POIs P contained in CRq;
04 : While number of users in CR < k
05 : For each POI Pi in CR
06 : broadcast to CRi which contains Pi;
// CRi can be found easily with grid table
07 : count Pi;
08 : add each Pj in CRi to POIList;
09 : End For
10 : CR = CRi + CR;
11 : End While
12 : compute CR with grid map gMap[M × N];
13 : compute SCR with grid map gMap[M × N];
14 : get all POI Pj in SCR;
15 : Pk = POIList – Pj;
// get all POIs not in SCR
16 : Ttol = minimum { width of Pk’s min grid / max speed of Pk };
17 : UList = users not in SCR;
18 : output CR with grids;
19 : output SCR with grids;
Looking further, the semantic locations {B} and {C} have the highest frequency of appearance. We therefore define them, together with their grids, as the core region, formally as follows.
Definition 4-1. [Core Region] The core region is the set of semantic locations with the highest frequency of appearance in a cloaking region CR. The grid nodes corresponding to the core region form the sharing cloaking region (SCR).
Definition 4-2. [Edge Region] The edge region is the set of semantic locations that exist in the cloaking region but not in the core region.
In [ALGORITHM 4-2], lines 07 and 13 compute the core region, which is output as the sharing cloaking region. Semantic locations in the sharing cloaking region represent the user-dense part of the cloaking region CR. We expect the semantic locations in the SCR to remain stable over a time duration, which is confirmed by our experiments in Section 5. With these definitions we can then easily handle the frequent-update problem caused by movement within a cloaking region.
We now return to the frequent-update problem raised in the previous section. With the above definitions, the SCR (or core region) dominates the cloaking region: if a query issuer q with cloaking region CR and sharing region SCR moves for a short time, q may obtain a new cloaking region while the SCR remains unchanged. In other words, the edge region is the part of the cloaking region that changes easily with user movement. We therefore define a tolerant time Ttol to avoid frequent updates caused by movement. For example, in [Figure 4-12] user Up moves around the edge of the existing cloaking region, with initial cloaking regions CR1 at time t and CR2 at time t'. From time t, Up's initial cloaking region fully covers semantic location B in the existing cloaking region CR, which belongs to the edge region. Ttol is then computed as the width of B divided by the current speed of Up, meaning no update is needed during the time duration Ttol. The algorithm is depicted in [Algorithm 4-5].
[Figure 4- ] Updating of Cloaking Region
[ALGORITHM 4- ] Updating Multi-user Cloaking Region
Input: Query Issuer q and its CRq , POIs list P{P1, … , Pn} ,
Procedure : Cloaking Region CRq’, Sharing Cloaking Region SCRq’
01: if All Pi in CRq contained in CR then
02: Find history cloaking region;
03: else
04: for each Pi in CRq
05: if Pi is contained in CR then
06: Ttol = width of Pi’s min grid / max speed of Pi;
07: end if
08: end for
09: end if
10: recompute CRq;
11: recompute SCRq;
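The multi-user procedure of [ALGORITHM 4-2], the core and edge regions of Definitions 4-1 and 4-2, and the tolerant-time rule of [Figure 4-12] together, as an added example that is not the dissertation's code. The four users' initial regions follow the [Figure 4-11] walk-through (with CR1 holding {A, B, C} as in step 1b); the POI grid cells, the cell width and the users' maximum speeds are constructed assumptions, and "max speed of Pk" is read as the fastest user whose region contains Pk. The peer search never uses an exact location, only the issuer's initial cloaking region, which is the page's defence against a malicious peer.

```python
from collections import Counter

# Constructed example following the Figure 4-11 walk-through (step 1b: CR1 holds
# {A, B, C}); grid cells, cell width and user speeds are assumptions.
INITIAL_CR = {"U1": {"A", "B", "C"}, "U2": {"B", "C"}, "U3": {"C"}, "U4": {"B", "D"}}
POI_GRIDS = {                      # (row, col) cells of each POI's minimum MBR
    "A": {(0, 0), (0, 1)},
    "B": {(1, 1), (1, 2), (2, 1), (2, 2)},
    "C": {(2, 3), (3, 3)},
    "D": {(0, 3)},
}
CELL_WIDTH_M = 100.0               # width of one grid cell in metres (assumption)
MAX_SPEED_MPS = {"U1": 1.5, "U2": 12.0, "U3": 2.0, "U4": 8.0}   # assumption


def poi_index(initial_cr):
    """Grid-table lookup: POI -> users whose initial cloaking region contains it."""
    index = {}
    for user, pois in initial_cr.items():
        for p in pois:
            index.setdefault(p, set()).add(user)
    return index


def multi_user_cloak(issuer, k, initial_cr=INITIAL_CR):
    """Algorithm 4-2 lines 01-11: merge peers' regions via shared POIs until k users are inside.

    Only the issuer's initial cloaking region is broadcast, never its exact location.
    """
    index = poi_index(initial_cr)
    members = [issuer]
    frontier, seen = set(initial_cr[issuer]), set()
    while len(members) < k and frontier:
        new_pois = set()
        for p in sorted(frontier):                  # sorted only for deterministic output
            seen.add(p)
            for user in sorted(index.get(p, ())):
                if user not in members:
                    members.append(user)
                    new_pois |= initial_cr[user]
        frontier = new_pois - seen                  # expand step: POIs not yet searched
    if len(members) < k:
        raise ValueError(f"only {len(members)} users reachable, k={k} not satisfiable")
    return members


def core_region(members, initial_cr=INITIAL_CR):
    """Definition 4-1: POIs with the highest frequency across members' regions; SCR = their grids."""
    freq = Counter(p for u in members for p in initial_cr[u])
    top = max(freq.values())
    core = {p for p, n in freq.items() if n == top}
    scr = set().union(*(POI_GRIDS[p] for p in core))
    return core, scr


def tolerant_time(members, core, initial_cr=INITIAL_CR):
    """Algorithm 4-2 line 16 over the edge region (Definition 4-2): min(width / max speed)."""
    edge = set().union(*(initial_cr[u] for u in members)) - core
    ttol = float("inf")
    for p in edge:
        # "max speed of Pk" taken as the fastest user whose region contains Pk (assumption)
        speed = max(MAX_SPEED_MPS[u] for u in members if p in initial_cr[u])
        width = len({c for _, c in POI_GRIDS[p]}) * CELL_WIDTH_M   # width of Pk's min grid
        ttol = min(ttol, width / speed)
    return edge, ttol


def should_update(new_region_pois, cr_pois, elapsed_s, ttol):
    """Figure 4-12 / Algorithm 4-3: no update inside Ttol; reuse history while the moved
    user's region stays inside CR; otherwise recompute CR and SCR."""
    if elapsed_s < ttol:
        return "keep"
    if new_region_pois <= cr_pois:
        return "reuse-history"
    return "recompute"


if __name__ == "__main__":
    members = multi_user_cloak("U4", k=4)
    core, scr = core_region(members)
    edge, ttol = tolerant_time(members, core)
    print(members, "core", core, "SCR cells", len(scr), "edge", edge, "Ttol", ttol)
```

Starting from U4 with k=4, the search pulls in U1 and U2 through B and then U3 through C; B and C appear in three regions each and form the core, A and D form the edge, and the tolerant time is set by the narrowest edge POI relative to the fastest user near it.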
In this section we propose a cache-management approach for the trusted anonymization server. The main idea is to periodically pre-fetch or cache potentially useful location-related content and query results, with the goal of striking a compromise between storage, bandwidth, data freshness and privacy.
A cache stores the results of frequent queries so that many queries can be answered from the cache alone, without accessing the server or database, which reduces computation and communication overhead and improves query latency [ref]. Data stored locally on mobile devices is easy to obtain but seldom updated, whereas the untrusted LBS server holds the latest data but incurs high computation and communication cost if users always query it directly. We therefore propose a cache-management approach built on our multi-user cloaking algorithm.
Three kinds of answer sets can be cached during the multi-user phase to improve performance: (1) real-time updated answer sets, (2) periodically updated answer sets, and (3) seldom-updated answer sets. For example, parking spots must be reported in real time to guarantee that users always obtain the latest exact answer, so they belong to category (1). In category (2), data is obtained periodically by day or month, e.g. weather forecasts updated daily and movie schedules updated weekly. Maps and POIs seldom change and belong to category (3).
We mainly focus on real-time updated answer sets. Continuous queries require a lot of computation and communication overhead. To improve performance while preserving the same level of privacy, we cache some answer sets on the trusted anonymization server for future queries. Two kinds of queries must be considered: (1) sub-trajectory overlap when issuing a nearest-neighbor query, and (2) similar queries issued by other users.
As shown in [Figure 4-13], the graph shows trajectories among 10 semantic locations {V1~V10}. User U1 starts moving from location V1 with the continuous query "Find the Nearest Gas Station for Me" and will query again at location V5. Two other users are present: U2 starts from V4 with the continuous query "Find the Nearest School for Me", and U3 starts from V3 with the continuous query "Find the Nearest Gas Station for Me". In this example, users U1, U2 and U3 share an overlapping sub-trajectory while issuing NN queries; the overlapping sub-trajectory is {(V3, V5), (V5, V6), (V6, V7)}. Furthermore, U1 and U3 share a similar query. The location information is public knowledge; only the issuer information is private. In the next section we propose to pre-fetch and cache the public information to improve the response time of private queries, and further to transform private issues into public ones, obtaining a trade-off between precision and privacy.
[Figure 4- ] Cache Sharing of Multi-user Cloaking
In this section we address the challenging problem of query privacy in snapshot and continuous LBS, beyond location anonymization. Generally there are three privacy-aware query types: (1) private queries over public data, (2) public queries over private data, and (3) private queries over private data [ref]. For example, the queries "Where is my nearest coffee shop?", "How many cars are within a certain area?" and "Where is my nearest buddy?" correspond to these three types respectively. Traditional queries, i.e. public queries over public data, raise no privacy concern and are not discussed here. We aim to perform fast private queries using publicly known knowledge while preserving user privacy. All three query types share the same purpose, so we discuss only private queries over public data, in two settings: snapshot query processing and continuous query processing.
In this section we discuss privacy-aware processing of snapshot queries. Because of the privacy requirement on queries, the exact location is known only to the query issuer, while the service provider receives a cloaked area. The provider must then generate a candidate answer set and send it back to the query issuer for further refinement. Existing research on snapshot query processing agrees that the candidate answer set should be minimal, which balances query-processing cost against answer optimality. According to our earlier definition and construction of trajectories, private data is easily transformed into public data by computing nearby semantic locations. We therefore convert private data into nearby public data, so that a private query can also be converted into a public query.
Although previous approaches can compute a minimal candidate answer set for private queries over public data, that set would be expensive to compute because of the large size of the cloaking region. As shown in [Figure 4-13], Q1 is the query issuer with its MBR-adaptive cloaking region CR1. Q1 issues a query to find the nearest gas station, marked J. Q1's location is not known to the query processor or any other party, only to our trusted anonymization server; on the other hand, the exact locations of all POIs are known. In other words, Q1 issues a private query over public data to find the nearest gas station.
There are two trivial approaches, representing two extremes, for evaluating private nearest-neighbor queries over public data. (I) The untrusted LBS server computes the object nearest to the center of the cloaked region as the query answer. This minimizes the data transmitted between the untrusted LBS server and the trusted anonymization server, but it may return an inaccurate answer when the actual user is not at the center of the cloaked region. (II) Each object in the cloaked region computes its own nearest object, and the whole answer set is sent back to the trusted anonymization server. This always obtains the exact answer, but suffers heavy computation and communication overhead when a large cloaked region contains a great number of moving objects, e.g. a plaza.
Our approach is a compromise between these two extremes. The main idea is to compute the minimal candidate answer set that still includes the exact answer, guaranteeing efficiency and precision and enhancing utility. Intuitively, moving objects move and perform activities around semantic locations. In the previous section we computed cloaking regions from semantic locations, and there are far fewer semantic locations in our MBR-adaptive cloaking region than moving objects inside it. Since moving objects are expected to travel from one semantic location to another, we choose the semantic locations inside the cloaking region as the candidate query sent to the untrusted LBS server. As shown in [Figure 4-14] (B), the trusted anonymization server generates a cloaking region CR1 containing the query issuer Q1 and 6 other objects {A, B, C, D, E, F}. The untrusted LBS server receives all 7 moving objects and cannot distinguish Q1 from the others. It then computes the nearest gas station from the candidates {G, I, J} and sends the minimized answer set {A-I, E-I, C-J, D-J, Q1-J, F-J, B-G} to the trusted anonymization server. Our approach is illustrated in [Figure 4-14] (A): the trusted anonymization server sends POI1 and POI2 to the untrusted LBS server as the nearest-gas-station query. The LBS server finds the nearest neighbor of each vertex of POI1 and POI2 and adds the candidate gas stations {I, J} to the answer set. Finally, the trusted anonymization server receives the candidate answer set {I, J} and computes the nearest gas station to Q1.
[Figure 4- ] Private Query over Public Data
[ALGORITHM 4-4] gives the pseudo code for private nearest-neighbor queries over public data. Cloaking region CR1 is generated by the trusted anonymization server for the query issuer Q'. Lines 01 to 06 run on the untrusted LBS server, which knows only the vertices of the semantic locations in the cloaking region. Using our weight-updated semantic graph, it is easy to determine whether a target object lies inside the cloaking region; line 07 adds such inside semantic locations to candidate_set. In lines 08 to 11, the trusted anonymization server refines the candidate target objects and computes the distance to each moving object inside the cloaking region. Finally, the nearest target object is found and sent back to the query issuer Q'.
[ALGORITHM 4- ] Private NN Query over Public Data
Input : Query Issuer Q’, Cloaking Region CR1
Output : Nearest Neighbor Target Object Onn
01 : For each semantic locations POIi of CR1
02 : For each vertex vi of POIi
03 : Find nearest target object Oj;
04 : Add Oj to candidate_set CS;
05 : End For
06 : End For
07 : Add inside semantic locations to candidate_set CS;
08 : For each Oj in candidate_set CS;
09 : Compute nearest target object Onn by distance (Q’, Oj);
10 : End For
11 : Output Onn
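The two-sided evaluation of [ALGORITHM 4-4], as an added example that is not the dissertation's code; the cloaking region, the two POI MBRs, the gas-station coordinates and the issuer's location are constructed assumptions. The untrusted side sees only POI vertices and the cloaking region and returns a candidate set; the trusted side computes exact distances over that set alone. The trivial centre-of-region approach (I) from the text is included to show how it answers wrongly when the issuer is off-centre.

```python
import math

# Constructed example (not the dissertation's code): all coordinates are assumptions.
CR1 = ((0, 0), (10, 10))                           # MBR-adaptive cloaking region ((x1, y1), (x2, y2))
POI_MBRS = [((1, 1), (3, 3)), ((7, 6), (9, 9))]    # POI1, POI2: semantic locations inside CR1
GAS_STATIONS = {"G": (-3, 2), "I": (3, 5), "J": (10, 11)}   # public target objects
Q_PRIME = (8, 8)                                   # exact issuer location, known only to the anonymizer


def nearest(point, targets):
    """Name of the target closest to point (Euclidean); ties broken by name."""
    return min(sorted(targets), key=lambda t: math.dist(point, targets[t]))


def mbr_vertices(mbr):
    (x1, y1), (x2, y2) = mbr
    return [(x1, y1), (x2, y1), (x1, y2), (x2, y2)]


def inside(point, mbr):
    (x1, y1), (x2, y2) = mbr
    return x1 <= point[0] <= x2 and y1 <= point[1] <= y2


def lbs_candidate_set(poi_mbrs, cr, targets):
    """Untrusted LBS side (Algorithm 4-4 lines 01-07): sees POI vertices and CR, never Q'."""
    cs = {nearest(v, targets) for mbr in poi_mbrs for v in mbr_vertices(mbr)}
    cs |= {t for t, loc in targets.items() if inside(loc, cr)}   # line 07: targets inside CR
    return cs


def anonymizer_refine(q, candidate_set, targets):
    """Trusted anonymizer side (lines 08-11): exact distances only over the candidate set."""
    return nearest(q, {t: targets[t] for t in candidate_set})


def private_nn_query(q, poi_mbrs, cr, targets):
    """Full exchange: LBS server builds the candidate set, anonymizer picks the exact answer."""
    candidate_set = lbs_candidate_set(poi_mbrs, cr, targets)
    return anonymizer_refine(q, candidate_set, targets), candidate_set


def center_approach(cr, targets):
    """Trivial approach (I): nearest object to the centre of CR, wrong when Q' is off-centre."""
    (x1, y1), (x2, y2) = cr
    return nearest(((x1 + x2) / 2, (y1 + y2) / 2), targets)


if __name__ == "__main__":
    answer, cs = private_nn_query(Q_PRIME, POI_MBRS, CR1, GAS_STATIONS)
    print("candidate set sent to anonymizer:", sorted(cs), "exact answer:", answer)
    print("centre-of-region answer:", center_approach(CR1, GAS_STATIONS))
```

With the constructed data the LBS server returns the candidate set {G, I, J}, the anonymizer resolves Q' to J, and the centre-of-region shortcut would have answered I, since the issuer sits in the upper-right part of CR1 rather than at its centre.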
In this section, we propose a shared execution with cloaking area that benefits continuous privacy-aware queries. Our ultimate goal is to achieve a trade-off in terms of storage, bandwidth of data. In previous section, we already discussed about potential answer sets that should be cached to improve performance. It also benefit in continuous query processing. In this section, we further consider multi-user cloaking condition to improve system scalability and efficiency.
The computation cost in both trusted location anonymization server and un-trusted location-based server is important to system performance. Users would like to entertain a location-based service with a lower latency while preserving their privacy. Since a numerous number of continuous privacy-aware queries could be lasted for a long time at the un-trusted location-based server, the ultimate method is to reduce the anonymized query and answer set between trusted location anonymization server and un-trusted location-based server as it is shown in [Figure 2-4].
We further consider multi-user cloaking overlap to improve continuous queries. The main idea is to initiate a query answer from user Q1 and then quickly search peer-to-peer cloaking regions by overlapping semantic locations. As shown in [Figure 4-15], user Q1 initiates its cloaking region and searches the other users' regions for overlapping semantic locations. Finally, we obtain a sharing region, marked as the dark area, that includes semantic locations A, G, H, I.
[Figure 4-15] Cache Sharing for Continuous Privacy Query
The awareness that privacy protection in data mining is a crucial issue has captured the attention of many researchers and administrators across a large number of application domains. Consequently, privacy-preserving data mining (PPDM), i.e., the study of data mining side effects on privacy, has rapidly become a hot and lively research area.
A straightforward approach to hide a user’s location is to send an imprecise location to the LBS instead of the exact location. There is a potential conflict of interest: the knowledge discovery process needs a precise description of trajectory data, while users want to enjoy the location-based service without disclosing sensitive movements. The objective of a privacy-preserving location-based service is to obtain a trade-off between privacy and precision, which means protecting the privacy of a user’s location while maintaining a high level of LBS accuracy.
We do not want the whole trajectory to be disclosed when some individual location has been exposed to an adversary. However, publishing the original trajectory may cause critical breaches of privacy. We introduce a multi-user cloaking method to keep the cloaking area size at a constant level and protect the privacy of the whole trajectory. As shown in Fig. 7, we have 4 initial cloaking regions {CR1, CR2, CR3, CR4} from 4 surrounding users {U1, U2, U3, U4}. There are 6 trajectories shown with 3 timestamps T1, T2 and T3. If an adversary can identify the trajectory of the target user, the adversary obtains extra knowledge to add to its prior knowledge. We propose to generate multi-user cloaking among trajectories at time T2, which means each user is first cloaked in the single-user cloaking phase with semantic locations (POIs) and given a link to k nodes containing the corresponding POIs.
[Figure 4-16] Trajectory Anonymization
Definition 4-3 (Privacy Preservation Semantic Trajectory Episodes) The original semantic places in a structured semantic trajectory are replaced with the anonymization result obtained from the cloaking regions of the surrounding multiple users.
As shown in [Figure 4-16], we have 4 cloaking regions (CR) from 4 surrounding users. Each user’s trajectory is modeled with privacy preservation to hide sensitive locations. With the multi-user anonymization method, we can easily find that B is covered by CR1, CR2 and CR4, so we can use location B as the representative semantic place in all these 4 user trajectories. For example, we have a trajectory TR6 {ep1,…, epA, …, epn} that contains semantic location A at time T2. After our proposed multi-user anonymization based spatial cloaking method, we obtain an anonymized trajectory {ep1,…, epB, …, epn}, which represents most user movements around and is expected to cause the least misinterpretation of human activity. Then we process all the structured semantic trajectory episodes with the trajectory anonymization of the previous section. We then use these episodes as N-gram model input and perform privacy-preserving activity recognition. The performance evaluation in Section 5 exhibits the effectiveness of the proposed method in obtaining a trade-off between precision and privacy.
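The episode replacement of Definition 4-3 and the Figure 4-16 walk-through, as an added Python example that is not the chapter's own code: the POI covered by the most single-user cloaking regions becomes the representative place at T2 for every user in the group, and the substitution is refused unless at least k users' regions cover it. The users, regions, trajectories and the "most-covered POI wins" tie rule are constructed assumptions.

```python
from collections import Counter

# Constructed single-user cloaking regions (sets of POIs) for four users around
# the query area at time T2; B is covered by CR1, CR2 and CR4 as in the text.
CLOAKING_REGIONS = {
    "U1": {"A", "B", "G"},
    "U2": {"B", "H", "I"},
    "U3": {"A", "G", "H"},
    "U4": {"B", "I"},
}

# Constructed structured semantic trajectories: one episode per timestamp T1..T3.
TRAJECTORIES = {
    "U1": ["home", "A", "work"],
    "U2": ["home", "H", "gym"],
    "U3": ["school", "A", "home"],
    "U4": ["work", "I", "home"],
}
T2 = 1  # index of timestamp T2 in each trajectory

def representative_place(regions):
    """POI covered by the largest number of cloaking regions (ties broken by name)."""
    counts = Counter(poi for cr in regions.values() for poi in cr)
    return min(counts, key=lambda poi: (-counts[poi], poi))

def coverage(regions, poi):
    """Number of users whose cloaking region covers `poi`."""
    return sum(poi in cr for cr in regions.values())

def anonymize_episode(trajectories, regions, t, k):
    """Replace the episode at timestamp t of every trajectory in the multi-user
    group with the representative place, provided at least k users' regions
    cover it; otherwise the place would not be hidden among k users."""
    rep = representative_place(regions)
    if coverage(regions, rep) < k:
        raise ValueError(f"{rep} is covered by fewer than k={k} users")
    return {u: traj[:t] + [rep] + traj[t + 1:] for u, traj in trajectories.items()}

if __name__ == "__main__":
    for user, traj in anonymize_episode(TRAJECTORIES, CLOAKING_REGIONS, T2, 3).items():
        print(user, traj)   # every trajectory now reads B at T2
```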