Title: MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries
1. MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries
Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos
National University of Singapore and University of Peloponnese, Greece
2. Location-Based Services
- LBS users
- Mobile devices with GPS capabilities
- NN (nearest-neighbor) and Range Queries
- Location server is NOT trusted
- Google Maps, Mapquest, Microsoft Live, etc.
- Privacy? Anonymity?
Example query: "Find closest hospital to my present location"
3. Problem Statement
- Hide IP address and username
- But user location may disclose identity
- Triangulation of device signal
- Publicly available databases
- Physical surveillance
- How to preserve query source anonymity?
- Even when exact user locations are known
4. K-Anonymity [Swe02]
(a) Microdata (quasi-identifier: Age, ZipCode)
Age  ZipCode  Disease
42   25000    Flu
46   35000    AIDS
50   20000    Cancer
54   40000    Gastritis
48   50000    Dyspepsia
56   55000    Bronchitis
(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000
[Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
5. K-Anonymity (cont.)
(a) 2-anonymous microdata
Age    ZipCode      Disease
42-46  25000-35000  Flu
42-46  25000-35000  AIDS
50-54  20000-40000  Cancer
50-54  20000-40000  Gastritis
48-56  50000-55000  Dyspepsia
48-56  50000-55000  Bronchitis
(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000
6. Anonymizing Spatial Region (ASR)
- Identification probability 1/K
7. Centralized Anonymizer
- Intermediate tier between users and LBS
- Bottleneck and single point of attack/failure
8. MobiHide: Fully Distributed
9. Existing Work: CloakP2P [Chow06]
- Find K-1 NN of query source
- Source likely to be closest to ASR center
- Vulnerable to center-of-ASR attack
NOT SECURE !!!
(figure: query source uq and its 5-ASR)
[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS 06
10. Existing Work: PRIVÉ [GKS07]
- Aq has the reciprocity property iff
  - |AS| ≥ K
  - ∀ ui, uj ∈ AS: ui ∈ ASj ∧ uj ∈ ASi
[GKS07] PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 07
11. PRIVÉ (cont.)
- Based on Hilbert space-filling curve
  - index users by Hilbert value of location
  - partition Hilbert sequence into K-buckets
13. PRIVÉ Hierarchical Architecture
- But requires global knowledge
- Global rank of query source required
- PRIVÉ employs an annotated tree index
14. Motivation
(figure: PRIVE, MobiHide, CloakP2P)
15. MobiHide
- Uses Hilbert transformation
- Key Idea
  - Remove the need for global knowledge
  - Allow random group formation
- Scalable DHT infrastructure employed
  - Chord DHT
16. MobiHide Group Formation
17. MobiHide Example
18. MobiHide Privacy
- MobiHide is not reciprocal
- Privacy guarantee for uniform query distribution only
- But offers strong privacy features in practice, even for skewed distribution
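To make the reciprocity definition and the "MobiHide is not reciprocal" point concrete, here is an added example in Python (not code from the MobiHide or PRIVÉ authors): it orders the ten users of the correlation-attack slide by Hilbert value, builds PRIVÉ K-buckets and checks reciprocity, builds a MobiHide window around the query source, and computes what an attacker who knows every user's location can infer about the source under a uniform versus a skewed query prior. The Hilbert values, the "random offset" window model and the priors are assumptions for illustration.

```python
from fractions import Fraction

# Constructed sample: user -> Hilbert value of its location. These are the ten users
# drawn on the correlation-attack slide; in a real system the value comes from the
# Hilbert transformation of the user's (x, y) coordinates.
HILBERT = {"U1": 3, "U2": 5, "U3": 10, "U4": 15, "U5": 18,
           "U6": 27, "U7": 33, "U8": 43, "U9": 56, "U10": 58}

def hilbert_sequence(users):
    """Users ordered by Hilbert value: the 1-D sequence both systems bucket."""
    return sorted(users, key=users.__getitem__)

def prive_buckets(users, k):
    """PRIVE: cut the sequence into buckets of K users (needs the global rank of
    every user); a tail shorter than K is folded into the last bucket. Assumes
    at least K users."""
    seq = hilbert_sequence(users)
    full = len(seq) // k
    buckets = [seq[i * k:(i + 1) * k] for i in range(full)]
    buckets[-1].extend(seq[full * k:])
    return buckets

def prive_as(users, k, uq):
    """Anonymizing set (AS) of uq under PRIVE: the bucket that contains uq."""
    return next(set(b) for b in prive_buckets(users, k) if uq in b)

def is_reciprocal(as_of, k):
    """Reciprocity check: |AS| >= K and, for every v in AS_u, also u in AS_v."""
    return all(len(AS) >= k and all(u in as_of[v] for v in AS)
               for u, AS in as_of.items())

def mobihide_as(users, k, uq, offset):
    """MobiHide: K consecutive users on the Hilbert ring containing uq. The slot
    uq occupies (offset in 0..K-1) is assumed to be picked uniformly at random
    by the protocol, so no global rank is needed."""
    seq = hilbert_sequence(users)
    n, i = len(seq), seq.index(uq)
    return {seq[(i - offset + j) % n] for j in range(k)}

def source_posterior(window, k, prior):
    """Attacker's view given all locations and the query prior: each member u
    of the window produces exactly this window with probability 1/K (one of
    its K offsets), so P(u | window) is proportional to prior[u]. A uniform
    prior gives 1/K for everyone; a skewed prior singles out heavy queriers."""
    weight = {u: Fraction(prior[u]) * Fraction(1, k) for u in window}
    total = sum(weight.values())
    return {u: w / total for u, w in weight.items()}
```

With a uniform prior every member of a K=4 window gets posterior 1/4; if U1 issues nine times as many queries as anyone else, the attacker's posterior for U1 in its window rises to 3/4.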
19. Correlation Attack (K = 4)
(figure: Hilbert ring of ten users with Hilbert values U1=3, U2=5, U3=10, U4=15, U5=18, U6=27, U7=33, U8=43, U9=56, U10=58)
- 4-anonymity not achieved
- However: difficult attack in practice
20. MobiHide Implementation
- Two-layer Chord DHT
- Each Chord node is a cluster of users
- Bounded cluster size [α, 3α)
21. User Join / Cluster Split
22. Load Balancing and Fault Tolerance
- Load Balancing
  - Cluster head rotation mechanism
- Fault Tolerance
  - Chord Periodic Stabilization Protocol
  - Leader election protocol
    - In case of cluster head failure
23. Experimental Setup
- San Francisco Bay Area road network
- Network-based Generator of Moving Objects
- Up to 10000 users
- Velocities from 18 to 68 km/h
- Uniform and skewed query distribution
T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153-180, 2002.
24. Center-of-ASR Attack
25. Correlation Attack
26. ASR Formation Latency
(chart: Response Time (sec))
27. Points to Remember
- LBS Privacy is an important concern
- Existing solutions are either not secure or not scalable
- MobiHide
  - Privacy guarantee for uniform query workload
  - Good best-effort privacy for skewed workload
  - Excellent scalability inherited from Chord DHT
28. Bibliography on LBS Privacy
- http://anonym.comp.nus.edu.sg
29. Bibliography
- [Chow06] Mokbel et al, A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS 06
- [Gru03] Gruteser et al, Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking, MobiSys 2003
- [GKS07] Ghinita G., Kalnis P., Skiadopoulos S., PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 2007
- [Mok06] Mokbel et al, The New Casper: Query Processing for Location Services without Compromising Privacy, VLDB 2006