Download presentation

Presentation is loading. Please wait.

Published byIvan Hascall Modified about 1 year ago

1
SABRE: a Sensitive Attribute Bucketization and REdistribution framework for t-closeness Authors: Jianneng Cao, Panagiotis Karras, Panos Kalnis, Kian-Lee Tan Published in VLDB Journal 02/2011 Presented by Hongwei Tian

2
Outline Privacy measure: t-closeness Earth Movers’ Distance (EMD) SABRE Algorithm – Bucketization – REdistribution Experiments 2

3
t-closeness The published table still suffers other types of privacy attacks 3

4
t-closeness skewness attack – SA Particular Virus, overall SA distribution 99% negative and 1% positive, SA distribution in one EC 50% negative and 50% positive similarity attack – SA values in one EC are distinct but semantically similar 4

5
t-closeness An equivalence class is said to have t-closeness if the distance between the distribution of a sensitive attribute in this class and the distribution of the attribute in the whole table is no more than a threshold t. A table is said to have t-closeness if all equivalence classes have t-closeness. P = (p 1, p 2, …, p m ), Q = (q 1, q 2, …, q m ), D(P,Q) ≤ t 5

6
Earth Movers’ Distance (EMD) Intuitively, it views one distribution as a mass of earth piles spread over a space, and the other as a collection of holes, in which the mass fits, over the same space. The EMD between the two is defined as the minimum work needed to fill the holes with earth, thereby transforming one distribution to the other. P = (p 1, p 2, …, p m ): distribution of “holes” Q = (q 1, q 2, …, q m ): distribution of “earth” d ij : ground distance of q i from p j F=[f ij ], f ij ≥0: a flow of mass of earth moved from elements q i to p j Minimize 6

7 Earth Movers’ Distance (EMD) d ij and f ij are flexible, thus the EMD problem is NP-hard. If d ij is fixed, the EMD problem becomes deterministic. Numerical SA – Ordered domain (v 1, v 2, …, v m ) – d ij = |i-j| / m-1 – The minimal work for transforming Q to P can be calculated by sequentially satisfying the earth needs of each hole element, moving earth from/to its immediate neighbor pile. – r i = q i – p i – q 1 is moved to fill p 1, if q 1 >p 1, the extra r 1 earth is moved to fill p 2 ; and at p 2, if q 2 >p 2, the extra r 1 +r 2 earth is moved to fill p 3. If q 1

8
Earth Movers’ Distance (EMD) Categorical SA – Generalization hierarchy H – d ij = h(v i,v j )/h(H) – h(v i,v j ): height of least common ancestor of v i and v j – The minimal work for transforming Q to P can be calculated by moving extra earth, as much as possible, from/to its sibling pile under least common ancestor in H. – Extra earth to move out/in – For an internal node n 8

9 Earth Movers’ Distance (EMD) Categorical SA (Continued) – For an internal node n, only min(pos e (n), neg e (n)) earth is moved in the subtree rooted at n – The extra(n) will be moved to/from n’s parent – The cost of node n – The total EMD q 1 >p 1 pos1 extra(S) q 2 >p 2 pos2 extra(P) q 3

10
SABRE Algorithm SABRE consists of two phases: – Bucketization: partitions DB into a set of buckets, such that each SA value appears in only one bucket – Redistribution: reallocates tuples from buckets to ECs 10

11
SABRE - Bucketization Proportionality requirement – Given a table DB and a bucket partition ϕ, assume that an EC, G, is formed with x i tuples from bucket B i ∈ ϕ, i = 1, 2, …, |ϕ|. – G satisfies the proportionality requirement with respect to ϕ, if and only if the sizes of x i are proportional to those of B i, i.e., |x 1 | : |x 2 | : ··· : |x |ϕ| | = |B 1 | : |B 2 | : ··· : |B |ϕ| | – One bucket partition ϕ’=(B 1,B 2,…,B m ), each bucket B i only contains tuples that have SA value v i. Select x i tuples from bucket B i, to form an EC G following the proportionality requirement, then |x 1 | : |x 2 | : ··· : |x m | = |B 1 | : |B 2 | : ··· : |B m | = N 1 : N 2 : ··· : N m, thus G’s SA distribution is same as DB’s SA distribution, that is 0-closeness. – A complete enforcement of 0-closeness for all ECs would severely degrade information quality. 11

12
SABRE - Bucketization Consider Buckets of more than one distinct SA value – Less buckets – When pick x i tuples from a bucket B i to EC following proportionality requirement, SA values are not discriminated – And, it is usually not obeyed that |z 1 | : |z 2 | : ··· : |z m |= N 1 : N 2 : ··· : N m – Thus, this is not 0-closeness anymore, we need to consider EMD. 12

13
SABRE - Bucketization The questions – How should we partition SA values into buckets? – How many buckets should we generate to ensure t-closeness? 13

14
SABRE - Bucketization Basic idea – SABRE partitions DB hierarchically, based on the SA values of its tuples, forming a bucketization tree. – Each node of this tree denotes a bucket containing tuples having a certain subset of SA values. (For categorical SA, the subset follows the SA domain hierarchy; For numerical SA, the subset is determined by the selected split) – The leaf nodes of the tree are the buckets that correspond to the actual bucket partition of DB. 14

15
SABRE - Bucketization Basic idea (Continued) – The tree starts with a single node, the root, which corresponds to the entire table with the whole domain of SA – Then the tree grows in a top-down manner by recursively splitting leaf nodes. 15

16
SABRE - Bucketization Basic idea (Continued) – A node is not always valid to be split. Suppose we split a node to get new nodes/buckets. Consider the new buckets (and all other leaves), if we form an EC G to pick tuples from these buckets following proportionality requirement, the EC’s SA distribution Q = (q 1, q 2, …, q m ). For one bucket B with distribution (p 1, p 2, …, p j ), we need to transform (q 1, q 2, …, q j ) to (p 1, p 2, …, p j ), and the cost is CET(B,G). For other buckets with distribution like (p j+1, p j+2, …, p m ), repeat the transformations. Then the Q=(q 1, q 2, …, q m ) is transformed to P = (p 1, p 2, …, p m ), and the total cost is ∑CET(B,G) for all B. 16

17
SABRE - Bucketization Basic idea (Continued) – A node is not always valid to be split. But, EC’s distribution is not known when splitting. Fortunately, we can describe the worst case (CET(B,G) maximized) for EC’s distribution. That is, Upper-bound cost in a bucket, If ≤ t, any EC selecting tuples from buckets following proportionality requirement satisfies t-closeness. 17

18
SABRE - Bucketization Basic idea (Continued) – In each iteration, we determine U as the summation of all upper bounded cost. – In this way, we select the node that contributes to the largest reduction of U as the node to be further split. – This process terminates when U becomes smaller than the closeness threshold t. 18

19
SABRE - Redistribution The questions – How many ECs should we generate? We need a plan to find number of ECs and size of each EC. – How should we choose tuples from each bucket to form an EC? 19

20
SABRE - Redistribution Basic idea – Consider the process of dynamically determining the size of an EC, or deciding how many tuples to take out from each bucket to form an EC. – First, we consider all tuples of DB (i.e., all the buckets in ϕ) as a single EC, r. – Then we split r into two ECs by dichotomizing B i into B i1 and B i2, B i1 and B i2 have approximately the same size. – The left child c 1 of r is composed of B i1, and the right child c 2 of r is composed of B i2 20

21
SABRE - Redistribution Basic idea (Continued) – The leaf nodes are ECs, which indicates how many tuples take out from each bucket – If a node follows proportionality requirement, this node (EC) satisfies t-closeness. For example, [5,4] because of 5/9:4/9 = 10/18:8/18 – But, sometimes, it is impossible to pick tuples from buckets following proportionality requirement, such as [3,2]. – So, extra work is needed to transform (3/5,2/5) to (5/9,4/9). Notice, this is not SA distribution, but bucket distribution in EC. – Define where V i is the set of SA values in bucket B i 21

22
SABRE - Redistribution Basic idea (Continued) – The extra transformation work can be measured by D=EMD(d(G,φ),d(DB, φ)). For example, EMD((3/5,2/5), (5/9,4/9)) – In this example, bucket distribution P=(p 1,p 2 )=(5/9,4/9), Q=(q 1,q 2 )=(3/5,2/5), d11=d22=0, d12=1. Then, move 5/9 from q1 to p1 (at cost 0), move 2/5 from q2 to p2 (at cost 0), move 3/5-5/9=2/45 from q1 to p2 (at cost 1×2/45=2/45). So, D=EMD(d(G,φ),d(DB, φ)) = 2/45. – After the transformation, the EC can be considered picking tuples from buckets following proportionality requirement. – The total cost for this EC is D+U= EMD(d(G,φ),d(DB, φ)) + 22

23
SABRE - Redistribution Basic idea (Continued) – A split is allowed only if both EMD(d(c 1,φ),d(DB, φ)) + U ≤ t and EMD(d(c 2,φ),d(DB, φ)) + U ≤ t – The algorithm executes in a recursive way and terminates when no more node can be split. – Finally, we get leaf nodes representing the size of possible ECs. 23

24
SABRE-TakeOut For each EC, pick real tuples from buckets according the ECs’ sizes [a 1, a 2, …, a | φ | ]. Consider the QI information quality – Select a random tuple x from a randomly selected bucket B – SABRE-KNN In each bucket B i, find nearest a i neighbors of x and add them into G. – SABRE-AK Map multidimensional QI space to one-dimensional Hilbert values. Each tuple has a Hilbert value. Sort all tuples in each bucket in ascending order of their Hilbert values find x’s a i nearest neighbors in bucket B i. 24

25
Experiments Compare SABRE-KNN, SABRE-AK with – tIncognito Sigmod 2005 – tMondrian ICDE 2006 CENSUS dataset containing 500,000 tuples and 8 attributes. 25

26
Experiments 26

27
Experiments 27

28
Questions? Thank you. 28

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google