MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries

1
MobiHide: A Mobile Peer-to-Peer System for Anonymous Location-Based Queries
Gabriel Ghinita, Panos Kalnis, Spiros Skiadopoulos
National University of Singapore and University of Peloponnese, Greece
2
Location-Based Services
  • LBS users
  • Mobile devices with GPS capabilities
  • NN and Range Queries
  • Location server is NOT trusted
  • Google Maps, Mapquest, Microsoft Live, etc.
  • Privacy? Anonymity?

Find closest hospital to my present location
3
Problem Statement
  • Hide IP address and username
  • But user location may disclose identity
  • Triangulation of device signal
  • Publicly available databases
  • Physical surveillance
  • How to preserve query source anonymity?
  • Even when exact user locations are known

4
K-Anonymity [Swe02]

(a) Microdata (quasi-identifier: Age, ZipCode)
Age  ZipCode  Disease
42   25000    Flu
46   35000    AIDS
50   20000    Cancer
54   40000    Gastritis
48   50000    Dyspepsia
56   55000    Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000

[Swe02] L. Sweeney. k-Anonymity: A Model for Protecting Privacy. Int. J. of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5):557-570, 2002.
5
K-Anonymity (cont.)

(a) 2-anonymous microdata
Age    ZipCode      Disease
42-46  25000-35000  Flu
42-46  25000-35000  AIDS
50-54  20000-40000  Cancer
50-54  20000-40000  Gastritis
48-56  50000-55000  Dyspepsia
48-56  50000-55000  Bronchitis

(b) Voting Registration List (public)
Name  Age  ZipCode
Andy  42   25000
Bill  46   35000
Ken   50   20000
Nash  54   40000
Mike  48   50000
Sam   56   55000
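
The linkage shown on these two slides, as an added example that is not part of the original deck: it joins each released record to the public list on the quasi-identifier and measures the k that the release achieves. The function names are hypothetical; the data are the slide tables.

```python
from collections import Counter

# Tables from the slides: (name, age, zipcode) and (age, zipcode, disease).
VOTERS = [("Andy", 42, 25000), ("Bill", 46, 35000), ("Ken", 50, 20000),
          ("Nash", 54, 40000), ("Mike", 48, 50000), ("Sam", 56, 55000)]
RAW = [(42, 25000, "Flu"), (46, 35000, "AIDS"), (50, 20000, "Cancer"),
       (54, 40000, "Gastritis"), (48, 50000, "Dyspepsia"),
       (56, 55000, "Bronchitis")]
# Generalized values are (low, high) ranges.
ANON = [((42, 46), (25000, 35000), "Flu"), ((42, 46), (25000, 35000), "AIDS"),
        ((50, 54), (20000, 40000), "Cancer"),
        ((50, 54), (20000, 40000), "Gastritis"),
        ((48, 56), (50000, 55000), "Dyspepsia"),
        ((48, 56), (50000, 55000), "Bronchitis")]


def covers(field, value):
    """True if a released field (exact value or range) admits `value`."""
    low, high = field if isinstance(field, tuple) else (field, field)
    return low <= value <= high


def candidates(record, voters=VOTERS):
    """Names in the public list consistent with one released record."""
    age, zipcode, _disease = record
    return [name for name, a, z in voters
            if covers(age, a) and covers(zipcode, z)]


def anonymity_level(table):
    """k actually achieved: size of the smallest quasi-identifier group."""
    groups = Counter((age, zipcode) for age, zipcode, _ in table)
    return min(groups.values())


def reidentified(table):
    """Map name -> disease for records that link to exactly one person."""
    hits = ((candidates(r), r[2]) for r in table)
    return {names[0]: disease for names, disease in hits if len(names) == 1}


if __name__ == "__main__":
    for label, table in (("raw", RAW), ("2-anonymous", ANON)):
        print(label, "k =", anonymity_level(table),
              "re-identified:", reidentified(table))
```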
6
Anonymizing Spatial Region
  • Identification probability 1/K

7
Centralized Anonymizer
  • Intermediate tier between users and LBS

Bottleneck and single point of attack/failure
8
MobiHide: Fully Distributed
9
Existing Work: CloakP2P [Chow06]
  • Find K-1 NN of query source
  • Source likely to be closest to ASR center
  • Vulnerable to center-of-ASR attack

NOT SECURE !!!
[Figure: query source uq inside a 5-ASR]
[Chow06] Chow et al., A Peer-to-Peer Spatial Cloaking Algorithm for Anonymous Location-based Services, ACM GIS 06
10
Existing Work: PRIVÉ [GKS07]
  • $A_q$ has the reciprocity property iff
  • $|AS| \geq K$
  • $\forall u_i, u_j \in AS:\ u_i \in AS_j \Leftrightarrow u_j \in AS_i$

[GKS07] PRIVÉ: Anonymous Location-based Queries in Distributed Mobile Systems, WWW 07
11
PRIVÉ (cont.)
  • Based on Hilbert space-filling curve
  • index users by Hilbert value of location
  • partition Hilbert sequence into K-buckets

12
PRIVÉ (cont.)
  • Based on Hilbert space-filling curve
  • index users by Hilbert value of location
  • partition Hilbert sequence into K-buckets
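
A sketch of the Hilbert K-bucket construction listed above, with a check of the reciprocity property from the previous slide; this is an added example, not code from the presentation or from PRIVÉ. The user coordinates are constructed, the function names are hypothetical, and merging leftover users into the last bucket is an assumption.

```python
def hilbert_index(n, x, y):
    """Position of cell (x, y) on the Hilbert curve of an n x n grid (n = 2^m)."""
    d, s = 0, n // 2
    while s > 0:
        rx, ry = int(bool(x & s)), int(bool(y & s))
        d += s * s * ((3 * rx) ^ ry)
        if ry == 0:                      # rotate/flip the quadrant
            if rx == 1:
                x, y = n - 1 - x, n - 1 - y
            x, y = y, x
        s //= 2
    return d


def anonymizing_set(users, source, k, n=8):
    """Users sharing the K-bucket of `source` in the Hilbert ordering."""
    order = sorted(users, key=lambda u: hilbert_index(n, *users[u]))
    if len(order) < k:
        raise ValueError("fewer than K users: no K-anonymous set exists")
    buckets = len(order) // k
    b = min(order.index(source) // k, buckets - 1)
    # Assumption: leftover users (< K) are merged into the last bucket.
    end = len(order) if b == buckets - 1 else (b + 1) * k
    return order[b * k:end]


def asr(users, members):
    """Minimum bounding rectangle (x1, y1, x2, y2) sent to the LBS."""
    xs, ys = zip(*(users[m] for m in members))
    return min(xs), min(ys), max(xs), max(ys)


def is_reciprocal(users, k, n=8):
    """Check |AS| >= K and u_i in AS_j <=> u_j in AS_i for all users."""
    sets = {u: set(anonymizing_set(users, u, k, n)) for u in users}
    return all(len(sets[u]) >= k and all(u in sets[v] for v in sets[u])
               for u in users)


# Constructed sample: ten users on an 8 x 8 grid.
USERS = {"U1": (0, 0), "U2": (1, 1), "U3": (0, 3), "U4": (2, 3), "U5": (3, 1),
         "U6": (1, 5), "U7": (3, 6), "U8": (5, 6), "U9": (6, 3), "U10": (7, 0)}

if __name__ == "__main__":
    for name in ("U1", "U10"):
        members = anonymizing_set(USERS, name, 4)
        print(name, members, asr(USERS, members))
```

Every member of a bucket obtains the same set and therefore the same rectangle, so the ASR does not single out which member issued the query.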

13
PRIVÉ Hierarchical Architecture
  • But requires global knowledge
  • Global rank of query source required
  • PRIVÉ employs an annotated tree index

14
Motivation
PRIVE
MobiHide
CloakP2P
15
MobiHide
  • Uses Hilbert transformation
  • Key Idea
  • Remove the need for global knowledge
  • Allow random group formation
  • Scalable DHT infrastructure employed
  • Chord DHT

16
MobiHide Group Formation
17
MobiHide Example
18
MobiHide Privacy
  • MobiHide is not reciprocal
  • Privacy guarantee for uniform query distribution
    only
  • But offers strong privacy features in practice,
    even for skewed distribution

19
Correlation Attack (K = 4)
27 33 43 56 58 3 5 10 15 18
U6 U7 U8 U9 U10 U1 U2 U3 U4 U5
  • 4-anonymity not achieved
  • However: difficult attack in practice

20
MobiHide Implementation
  • Two-layer Chord DHT
  • Each Chord node is a cluster of users
  • Bounded cluster size [α, 3α)

21
User Join/Cluster Split
22
Load Balancing and Fault Tolerance
  • Load Balancing
  • Cluster head rotation mechanism
  • Fault Tolerance
  • Chord Periodic Stabilization Protocol
  • Leader election protocol
  • In case of cluster head failure

23
Experimental Setup
  • San Francisco Bay Area road network
  • Network-based Generator of Moving Objects
  • Up to 10000 users
  • Velocities from 18 to 68 km/h
  • Uniform and skewed query distribution

T. Brinkhoff. A Framework for Generating Network-Based Moving Objects. Geoinformatica, 6(2):153-180, 2002.
24
Center-of-ASR Attack
25
Correlation Attack
26
ASR Formation Latency
Response Time (sec)
27
Points to Remember
  • LBS Privacy an important concern
  • Existing solutions are either not secure
  • or not scalable
  • MobiHide
  • Privacy guarantee for uniform query workload
  • Good best-effort privacy for skewed workload
  • Excellent scalability inherited from Chord DHT

28
Bibliography on LBS Privacy
  • http://anonym.comp.nus.edu.sg

29
Bibliography
  • [Chow06] Mokbel et al., A Peer-to-Peer Spatial
    Cloaking Algorithm for Anonymous Location-based
    Services, ACM GIS 06
  • [Gru03] Gruteser et al., Anonymous Usage of
    Location-Based Services Through Spatial and
    Temporal Cloaking, MobiSys 2003
  • [GKS07] Ghinita G., Kalnis P., Skiadopoulos S.,
    PRIVÉ: Anonymous Location-based Queries in
    Distributed Mobile Systems, WWW 2007
  • [Mok06] Mokbel et al., The New Casper: Query
    Processing for Location Services without
    Compromising Privacy, VLDB 2006