Presentation is loading. Please wait.

Presentation is loading. Please wait.

Class-based graph anonymization for social network data Shai Peretz DB Seminar (winter 2009)

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Class-based graph anonymization for social network data Shai Peretz DB Seminar (winter 2009)"— Presentation transcript:

1 Class-based graph anonymization for social network data Shai Peretz DB Seminar (winter 2009)

2 Example  Such data needs to be anonymized.  Such data needs to be widely available for scientific research.

3 Anonymization and Utility  Let G be an interaction graph over sets V, I and edges E.  Our goal is to produce an anonymized version of G: G’  Give privacy  Give accurate answers on queries that are not privacy revealing From G’ Tolerate less accurate answers in other cases From G’. Tolerate less accurate answers in other cases From G’.

4 Anonymization and Utility  Definitions:  We now distinguish between a node in the graph, v V, and the corresponding entity x X  Each entity x can have a number of attributes, such as age, location, and a unique identifier. We write x(v) to denote the identifier, or “true label” of node v. We write x(v) to denote the identifier, or “true label” of node v.

5 Anonymization and Utility  Utility is judged based on the quality with which various queries can be answered on the anonymized graph

6 Anonymization Methods  We’ll present two methods for anonymizing the rich interaction graphs: Label list Label list Partitioning Partitioning

7 LABEL LISTS  We propose to anonymize interaction graphs using “label lists”: the identifier of each node in the graph is replaced by a list of possible identifiers (or labels). the identifier of each node in the graph is replaced by a list of possible identifiers (or labels).

8 LABEL LISTS (cont.)  We’ll introduce two approaches: Arbitrary List Arbitrary List Uniform List Uniform List

9 Arbitrary List  This is a naïve approach  Pros: Simple approach Simple approach Ease of implementation Ease of implementation

10 Arbitrary List (cont.)  Cons: U7 appears only once, therefore immediately identifiable U7 appears only once, therefore immediately identifiable Only u1,u2,u3,u4 appear in the first 4 nodes, and therefore those nodes must be some permutation of those 4 labels. Only u1,u2,u3,u4 appear in the first 4 nodes, and therefore those nodes must be some permutation of those 4 labels. Because we know that u1-u4 can only be in the first 4 nodes, we can infer that the 5 th node is u5 and the 6 th is u6 Because we know that u1-u4 can only be in the first 4 nodes, we can infer that the 5 th node is u5 and the 6 th is u6

11 Uniform List  We propose an approach to generate sets of lists which are more structured.  As a consequence, they avoid “static” attacks, and retain privacy in the face of attacks based on background knowledge.

12 Uniform List - Dividing the nodes into classes   First, the nodes V are divided into “classes” of size m, for a parameter m   Every node will have a list of label of size k   To guarantee privacy, we must ensure that there is sufficient diversity in the interactions of nodes in the same class.

13 Uniform List - Dividing the nodes into classes (cont.) Suppose entities u1 and u2 are placed together in a class of size 2. Then it is clear that u1 and u2 were friends and emailed each other

14 Uniform List - Dividing the nodes into classes (cont.)  Safety property: A division of nodes V into classes satisfies the Class Safety property if for any node, v participates in interactions with at most one node in any class. v z w i j v z i j Safety property

15 LABEL LISTS - Uniform List, Dividing the nodes into classes (cont.)   Problem?: If there is a single entity which has interactions with every other entity it is not possible to achieve class safety for any m > 1 In real social networks a user typically interacts with only a small fraction of other entities out of the millions of possibilities

16 Uniform List - Dividing the nodes into classes (cont.)   Algorithm :   Here, we take each node v in turn, and insert it in the first class that has fewer than m members, provided that performing this insertion would not violate the safety condition (lines 2–7).

17 Uniform List - Dividing the nodes into classes (cont.)   Problem: Queries which involve selections on entity attributes (say, selecting users located in Japan)   Unsure exactly which nodes these correspond to   Solution: Placing entities that have the same value on this attribute in the same class.   Given a “workload” describing which attributes are seen as most important for querying (say, location is first, followed by age), the input can be sorted under this ordering of attributes.   This sorting step is indicated inline 1 of the Algorithm.

18 Uniform List, Generating and assigning (k,m)-Uniform lists  Prefix patterns: A prefix pattern occurs when the pattern p ={0,1,2,... k−1}.  Full pattern. In the full pattern case k =m and so the only possible pattern is p = {0,1,2,...m−1}

19 Uniform List - Generating and assigning (k,m)-Uniform lists  The two parameters k and m clearly affect the tradeoff between privacy and utility: a (1,1) uniform list associates each node directly with the corresponding entity, allowing full utility but no privacy; a (1,1) uniform list associates each node directly with the corresponding entity, allowing full utility but no privacy; a (|V|, |V|) uniform list associates each node with the list of all possible labels, and represents an extreme of minimal utility and maximal privacy. a (|V|, |V|) uniform list associates each node with the list of all possible labels, and represents an extreme of minimal utility and maximal privacy.

20 Uniform List - Security  Theorem 1: An attacker who has no knowledge about the original data, can correctly guess which entities participate in an interaction with probability at most 1/k  Theorem 2: An attacker who is able to use background knowledge to find the true identity of at most r nodes can guess which other entities participate in an interaction with probability at most 1/(k−r).

21 LABEL LISTS - Uniform List, Security  Problem: If the attacker v has only one friend in Alaska If the attacker v has only one friend in Alaska All the classes containing nodes which share an interaction with v, only one has nodes located in Alaska All the classes containing nodes which share an interaction with v, only one has nodes located in Alaska

22 PARTITIONING APPROACH  To avoid such attacks, we increase the amount of masking of data, at the expense of utility.  Partitioning approach: Instead of releasing the full edge information, only the number of edges between (and within) each subset is released  Thick lines indicate double edges

23 PARTITIONING APPROACH (cont.)  Even if an attacker is somehow able to identify which node represents an entity, he can’t discover his interactions.  We make use of the same safety condition as before In Figure, which does not satisfy the condition, an attacker can infer that since u6 and u7 are in the same class they alone must share the blog2 interaction In Figure, which does not satisfy the condition, an attacker can infer that since u6 and u7 are in the same class they alone must share the blog2 interaction ? ? ? ?

24 PARTITIONING APPROACH (cont.)  COROLLARY : An attacker who has no background knowledge about the original data can correctly guess which entities participate in an interaction with probability at most 1/m.  Theorem 3: An attacker with background knowledge about interactions of an entity, modeled as knowing the true identity of some nodes, and the fact that these nodes participate in certain interactions, can correctly guess which entities participate in interactions about which nothing is known with probability at most 1/m

25 PARTITIONING APPROACH (cont.)  This additional resilience comes at the cost of reducing the utility for answering more complex graph queries

26 EXPERIMENTAL STUDY - Querying Anonymized Data  We’ll present two approaches for answering queries on anonymized data: Sampling Consistent Graphs Sampling Consistent Graphs Deterministic Query Bounds Deterministic Query Bounds

27 Querying Anonymized Data - Sampling Consistent Graphs  A probabilistic approach is for the analyst to randomly sample a graph that is consistent with the anonymized data, and perform the analysis on this graph.  The query can be evaluated over the resulting graph; repeating this several times generates an “expected” answer to the query given the anonymized data.  In the full-list and partition cases, sampling a consistent graph takes time linear in the size of the anonymized data.

28 Querying Anonymized Data - Deterministic Query Bounds  A more costly approach is to search over all possible graphs that are consistent with the anonymized data, and report the range of possible answers to the query.  In general, this could be prohibitively expensive, but for many natural queries, the problem can be broken down. Example: query “how many users in the USA have used application X?” Example: query “how many users in the USA have used application X?”

29 EXPERIMENTAL STUDY – Experimental Framework  Two datasets that vary appreciably in size and graph structure: Xanga network consists of about 780K nodes and 3 million edges. Xanga network consists of about 780K nodes and 3 million edges. Each node in the graph represents a user of Xanga and his corresponding blog.Each node in the graph represents a user of Xanga and his corresponding blog. There are two types of edges between nodes representing the interactions: a subscription (or readership) to another Xanga blog and an explicit friendship relation.There are two types of edges between nodes representing the interactions: a subscription (or readership) to another Xanga blog and an explicit friendship relation. Each user has associated profile information, such as the user’s location, age, and gender, which comprise attributes of the corresponding node in the graph.Each user has associated profile information, such as the user’s location, age, and gender, which comprise attributes of the corresponding node in the graph.

30 EXPERIMENTAL STUDY – Experimental Framework Speed dating dataset has 530 participants, and consists of data about 4150 “dates” arranged between pairs of individuals. Speed dating dataset has 530 participants, and consists of data about 4150 “dates” arranged between pairs of individuals. For each participant, demographic information was collected (age, race, field of study), and their level of interest in a number of hobbies on a scale of 1 to 10.For each participant, demographic information was collected (age, race, field of study), and their level of interest in a number of hobbies on a scale of 1 to 10. Each interaction node represents a “date”, and records information about whether each participant was positive or negative about their counterpart; we call this a “match” if both were positive.Each interaction node represents a “date”, and records information about whether each participant was positive or negative about their counterpart; we call this a “match” if both were positive. Each individual participated in from 6 to 22 dates.Each individual participated in from 6 to 22 dates.

31 EXPERIMENTAL STUDY – Experimental Framework  Kind of queries: Pair Queries. These are single-hop queries of the kind: how many nodes from one subpopulation interact with nodes of another subpopulation. For instance, how many users from US are friends with users from Australia? Pair Queries. These are single-hop queries of the kind: how many nodes from one subpopulation interact with nodes of another subpopulation. For instance, how many users from US are friends with users from Australia? Trio Queries. These queries involve two hops in the graph and query for triples such as, how many Americans are friends with Chinese users who are also friends with Australian users? Trio Queries. These queries involve two hops in the graph and query for triples such as, how many Americans are friends with Chinese users who are also friends with Australian users? Triangle Queries. This type counts triangles of individuals (a.k.a. the transitivity property among nodes, or the clustering coefficient), that is, nodes that have neighbor pairs which are connected. For instance, how many Americans are friends with Chinese and Australians who are friends with each other? Triangle Queries. This type counts triangles of individuals (a.k.a. the transitivity property among nodes, or the clustering coefficient), that is, nodes that have neighbor pairs which are connected. For instance, how many Americans are friends with Chinese and Australians who are friends with each other?  We answer queries by sampling 10 consistent graphs  Both anonymization and query answering algorithms scale well: anonymization took less than a minute for the Xanga data on a standard desktop with 1GB RAM, while queries took under a second each

32 Experimental Results – Uniform List Anonymization  Q1 (pair query, Xanga dataset):“How many Americans in different age groups are friends with residents of Hong Kong with age less than 20?”

33 Experimental Results – Uniform List Anonymization  Q (Speed Dating):“How many pairs with the same attribute had a match?”

34 Experimental Results – Uniform List Anonymization  Work-load of 100 queries

35 Experimental Results – Partition anonymization  To generate a consistent graph, we randomly create N edges between nodes from two connected groups that satisfy the safety condition  Q2: “How many Americans are connected to users with degree greater than 10?

36 Experimental Results – selectivity

37 Experimental Results – Prioritizing Attributes for Utility  Sorting: Age, Gender, Location, Degree (AGLD) Age, Gender, Location, Degree (AGLD) Gender, Age, Location, Degree (GALD) Gender, Age, Location, Degree (GALD) Location, Gender, Age, Degree (LGAD) Location, Gender, Age, Degree (LGAD) Degree, Gender, Location, Age (DGLA) Degree, Gender, Location, Age (DGLA) Q1Q1Q1Q1

38 Experimental Results – Prioritizing Attributes for Utility  Q3 (trio Query): “How many users in the age group 15-20yrs (and varying number of friends) are friends with users in the age group 10-15yrs and also with those in the age group 20-25yrs?”

39 Experimental Results – Prioritizing Attributes for Utility   Sorting on sample pair, trio and triangle queries involving two attributes, primarily age and degree

40 Experimental Results – Prioritizing Attributes for Utility   Queries of the three types (pair, trio, triangle), where each predicate is only over a single attribute   The three queries in Figure (e) are: the pair query “How many users of age 20 are friends with users of age 21?”; the trio query “How many users of age 20 are friends with users of age 21 and with users of age 22?”; and the triangle “How many users of age 20 are friends with users of age 21 and age 22 who are also friends?”

41 Experimental Results – Prioritizing Attributes for Utility   Full workload of 100 queries

42 Summary  We showed that Class-based graph anonymization works, its gives both privacy, and ability to do research  Prioritizing Attributes (Sorting) before doing queries is advised, but can be done only once to ensure privacy  This method for anonymization scales well.

Download ppt "Class-based graph anonymization for social network data Shai Peretz DB Seminar (winter 2009)"

Similar presentations

Bounded Conjunctive Queries Yang Cao 1,2, Wenfei Fan 1,2, Tianyu Wo 2, Wenyuan Yu 3 1 University of Edinburgh, 2 Beihang University, 3 Facebook Inc.

Bounded Conjunctive Queries Yang Cao 1,2, Wenfei Fan 1,2, Tianyu Wo 2, Wenyuan Yu 3 1 University of Edinburgh, 2 Beihang University, 3 Facebook Inc.
1 Decomposing Hypergraphs with Hypertrees Raphael Yuster University of Haifa - Oranim.

1 Decomposing Hypergraphs with Hypertrees Raphael Yuster University of Haifa - Oranim.
Naïve Bayes. Bayesian Reasoning Bayesian reasoning provides a probabilistic approach to inference. It is based on the assumption that the quantities of.

Naïve Bayes. Bayesian Reasoning Bayesian reasoning provides a probabilistic approach to inference. It is based on the assumption that the quantities of.
CrowdER - Crowdsourcing Entity Resolution

CrowdER - Crowdsourcing Entity Resolution
Overcoming Limitations of Sampling for Agrregation Queries Surajit ChaudhuriMicrosoft Research Gautam DasMicrosoft Research Mayur DatarStanford University.

Overcoming Limitations of Sampling for Agrregation Queries Surajit ChaudhuriMicrosoft Research Gautam DasMicrosoft Research Mayur DatarStanford University.
Size-estimation framework with applications to transitive closure and reachability Presented by Maxim Kalaev Edith Cohen AT&T Bell Labs 1996.

Size-estimation framework with applications to transitive closure and reachability Presented by Maxim Kalaev Edith Cohen AT&T Bell Labs 1996.
Fast Algorithms For Hierarchical Range Histogram Constructions

Fast Algorithms For Hierarchical Range Histogram Constructions
Λ14 Διαδικτυακά Κοινωνικά Δίκτυα και Μέσα Positive and Negative Relationships Chapter 5, from D. Easley and J. Kleinberg book.

Λ14 Διαδικτυακά Κοινωνικά Δίκτυα και Μέσα Positive and Negative Relationships Chapter 5, from D. Easley and J. Kleinberg book.
Dynamic Planar Convex Hull Operations in Near- Logarithmic Amortized Time TIMOTHY M. CHAN.

Dynamic Planar Convex Hull Operations in Near- Logarithmic Amortized Time TIMOTHY M. CHAN.
Autocorrelation and Linkage Cause Bias in Evaluation of Relational Learners David Jensen and Jennifer Neville.

Autocorrelation and Linkage Cause Bias in Evaluation of Relational Learners David Jensen and Jennifer Neville.
An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.

An Approach to Evaluate Data Trustworthiness Based on Data Provenance Department of Computer Science Purdue University.
The number of edge-disjoint transitive triples in a tournament.

The number of edge-disjoint transitive triples in a tournament.
Query Evaluation. An SQL query and its RA equiv. Employees (sin INT, ename VARCHAR(20), rating INT, age REAL) Maintenances (sin INT, planeId INT, day.

Query Evaluation. An SQL query and its RA equiv. Employees (sin INT, ename VARCHAR(20), rating INT, age REAL) Maintenances (sin INT, planeId INT, day.
Clustering short time series gene expression data Jason Ernst, Gerard J. Nau and Ziv Bar-Joseph BIOINFORMATICS, vol. 21 2005.

Clustering short time series gene expression data Jason Ernst, Gerard J. Nau and Ziv Bar-Joseph BIOINFORMATICS, vol
Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.

Using Structure Indices for Efficient Approximation of Network Properties Matthew J. Rattigan, Marc Maier, and David Jensen University of Massachusetts.
Discrete Structures Chapter 5 Relations and Functions Nurul Amelina Nasharuddin Multimedia Department.

Discrete Structures Chapter 5 Relations and Functions Nurul Amelina Nasharuddin Multimedia Department.
Large-Scale Deduplication with Constraints using Dedupalog Arvind Arasu et al.

Large-Scale Deduplication with Constraints using Dedupalog Arvind Arasu et al.
Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)

Anatomy: Simple and Effective Privacy Preservation Israel Chernyak DB Seminar (winter 2009)
Experimental Evaluation

Experimental Evaluation
A Differential Approach to Inference in Bayesian Networks - Adnan Darwiche Jiangbo Dang and Yimin Huang CSCE582 Bayesian Networks and Decision Graphs.

A Differential Approach to Inference in Bayesian Networks - Adnan Darwiche Jiangbo Dang and Yimin Huang CSCE582 Bayesian Networks and Decision Graphs.

Similar presentations

Ads by Google