OST-Tree: An Access Method for Obfuscating Spatio-Temporal Data ...

More documents

Recommendations

Info

the position of #U135 belongs to, to retrieve the user’s exact position and then obfuscate it. B. Privacy Analysis Adversary model: the adversary tries to manipulate the obfuscated region to infer the user’s exact location. For obfuscation techniques, the relevance [11] is used to measure the location privacy protection. The lower the relevance, the higher the location privacy protection is, and thus the lower the probability an adversary can infer the user’s exact location. So, in order to analyze the location privacy protection of our proposed approach with that of the approach that separates the algorithm from the database level, we will compare the relevance values of the two approaches. For the approach that separates the algorithm from database level, the relevance is: 2 ( Ai ∩ Af ) Rs = AA . i f where Ai is the location measurement [11] and depends completely on the positioning technology, and Af is the obfuscated region created by the privacy-preserving algorithm To calculate the relevance of our proposed approach, we can simply replace Af by ∆s in (5). However, the concept of relevance in [11] only concerns about spatial privacy protection. By taking into account the temporal element, we extend the relevance concept to use for both spatial and temporal privacy protection as follows: 2 ( Ai∩Δs) 1 Rst = . (6) Ai. Δs Δt where ∆s and ∆t are the degree of accuracy of user’s position and time, respectively. From (5) and (6), we can see that Rs ≥ Rst (since Af = ∆s and ∆t ≥ 1), meaning that the degree of privacy protection of our proposed approach is higher than that of approach separating the algorithm from database level. More specific, incorporating the temporal dimension into the relevance concept reduces the probability that an adversary can infer the user’s exact location because the adversary has to guess not only where, but also when the user’s exact position belongs to. C. Performance Analysis In this section, we compare the performance between the TPR-tree and OST-tree in terms of the number of disk accesses. For the analysis, let us suppose that n is the number of moving users; t is the size of each tpbr; d is the disk block size; M is the maximum number of tree pointers in one node; Pb is the size of block pointer pointing to a subtree; Pr is the size of authorization pointer pointing to the list of authorizations; a is the average number of authorization placed in each node; Sa is the size of each authorization α. For the TPR-tree, an internal node contains only timeparameterized bounding rectangles and block pointers; these must fit into a single block: (5) d M ( Pb+ t) ≤ d ⇒ M ≤ P + t So, the number of disk accesses is: Ω (log n) d Pb+ t For the OST-tree, we have two cases: the list of authorizations is pointed by a pointer or embedded directly into the nodes. For the first case, an internal node of OST-tree contains the time-parameterized bounding rectangles, block pointers and an authorization pointer; these must fit into a single block: d − Pa M( Pb + t) + Pa ≤d ⇒ M ≤ Pb + t So, the number of disk accesses is: Ω (log n) d−Pa Pb+ t For the second case, an internal node will have the same number of time-parameterized bounding rectangles and block pointers, but the size of authorization depends on the number of authorization placed in each node. Hence, the order M can be calculated as follows: d − aSa M ( Pb + t) + aSa ≤ d ⇒ M ≤ Pb + t So, the number of disk accesses is: Ω (log n) d−aSa Pb+ t In OST-tree, if the authorization is embedded directly into the node, it will require less disk accesses than that of the first case where the authorization is pointed by a pointer. Also, the above analysis shows that when traversing to leaf nodes is required in two indexes, the TPR-tree has the lower height and requires less disk accesses than that of the OST-tree since the OST-tree has to reserve the space to store the authorization in each node. However, in most cases, we do not have to traverse to the OST-tree leaves to retrieve the result. Because if the pair value of the query’s authorization is matched with that of some internal node, we will stop at this node and return the result without further traversing on the OST-tree. Hence, the OST-tree requires less disk accesses than that of the TPR-tree. Only in the worst case where users are willing to reveal their exact position to service providers, we have to traverse to the leaf node to retrieve the exact result. For example, if the service provider #S101 wants to get position of the user #U134, the query needs visiting only two nodes (root node and N1) instead of three nodes, thereby reducing the number of disk accesses comparing to TPR-trees. V. PERFORMANCE EXPERIMENTS To conduct the experiments, we use the open source implementation of TPR-trees called SaIL [9]. Both TPR-tree b (7) (8) (9)
and OST-tree are implemented in C++, and all the experiments are conducted on a Core 2 Duo Personal Computer with 1 GB of memory. In the experiments, we use uniform data, where object positions are randomly generated and speeds ranging from 0.25 to 1.66 are chosen at random. The effective fill factor is usually close to 70%. The fan-out of internal and leaf nodes is 20 with a 4K page size. The maximum update interval is 20. The number of query is 35 and the horizon time is 20. Since the node of OST-tree contains authorizations, the number of records in each OST-tree’s node is smaller than that of the TPR-tree. So, the OST-tree requires more nodes to contain the same number of moving objects (cf. Fig. 2). Figure 2. Storage cost Figure 3. Relevance By incorporating the time into the privacy model, the average relevance of our proposed approach (Rst) is smaller than that of the obfuscation algorithm (Rs) (cf. Fig. 3). Fig. 4 and Fig. 5 compare the insert cost between the TPRtree and OST-tree in terms of CPU time and number of I/O operations, respectively. The insert cost of OST-tree is higher than that of TPR-tree since we have to spend extra time (or number of I/O operations), besides the time for insertion process, to find appropriate node to overlay authorization. Given the mobility of users, the update cost as shown in Fig. 6 of OST-tree is higher than that of TPR-tree, because OST-tree has to incur the additional cost of updating the authorization (moving α from current node to another node corresponding to the newly updated position of a user). Figure 4. Insert cost (CPU time) Figure 5. Insert cost (I/Os) Figure 6. Update cost Figure 7. Point location query cost Fig. 7 compares the query cost between the two indexes in terms of the number of I/O operations. The query in this case is point location queries, which retrieves the rectangle containing the location of user. In general, the query cost of OST-tree is better than that of TPR-tree since we do not have to traverse to the leaf node to get the result in OST-tree. Only in some cases, where users want to reveal their exact locations to service providers, the OST-tree is not better than TPR-tree, because we have to traverse to the leaf nodes of OST-tree. Hence, OST-tree is better than TPR-tree in cases users just want to reveal a low degree of accuracy of their locations to service providers. VI. CONCLUSION AND FUTURE WORK In this work, we have introduced the OST-tree capable of obfuscating the spatio-temporal data of users. Although the OST-tree requires more storage space and update overhead, it achieves the lower querying cost and higher privacy protection comparing to the TPR-tree. Future work will extend the probability distribution of user’s position so that the probability that a user’s position (x, y) belongs to a region is not uniformly distributed. Because, in real life, the region where a user belongs to depends on many factors related to geography, it is easy for the adversary to infer a user’s exact position in the obfuscated area if the probability distribution of user’s position is uniformly distributed. [1] REFERENCES M. Gruteser, D. Grunwald: “Anonymous Usage of Location-Based Services Through Spatial and Temporal Cloaking”. MOBISYS, 2003. [2] G. Bugra, L. Ling: “Protecting Location Privacy with Personalized k- Anonymity: Architecture and Algorithms”. IEEETMC, 7(1):1–18, 2008. [3] C.A. Ardagna, M. Cremonini, E. Damiani, S.D.C. Vimercati, P. Samarati: “Location-Privacy Protection through Obfuscation-based Techniques”. DBSEC, 2007. [4] F.M. Mohamed: “Privacy in Location-based Services: State-of-the-art and Research Directions”. MDM, 2007. [5] S. Saltenis, C.S. Jensen, S.T. Leutenegger, M.A. Lopez: “Indexing the Positions of Continuously Moving Objects”. ACM SIGMOD, pp. 331– 342, 2000. [6] V. Atluri, H. Shin: “Efficient Security Policy Enforcement in a Location Based Service Environment”. DBSEC, 2007. [7] T.K. Dang, Q.C. To: “An Extensible and Pragmatic Hybrid Indexing Scheme for MAC-based LBS Privacy-Preserving in Commercial DBMSs”. ACOMP, pp. 58–67, 2010. [8] N. Beckmann, H.-P. Kriegel, R. Schneider, B. Seeger: “The R * -tree: An Efficient and Robust Access Method for Points and Rectangles”. ACM SIGMOD, pp. 322–331, 1990. [9] M. Hadjieleftheriou , E. Hoel , V.J. Tsotras: “SaIL: A Spatial Index Library for Efficient Application Integration”. Geoinformatica, 9(4):367–389, 2005. [10] J. H. Jafarian, M. Amini, R. Jalili: “Protecting Location Privacy through a Graph-based Location Representation and a Robust Obfuscation Technique”. ICISC, 2008. [11] C.A. Ardagna, M. Cremonini, S.D.C. Vimercati, P. Samarati: “An Obfuscation-Based Approach for Protecting Location Privacy“. TDSC, 8(1):13-27, 2011. [12] M.F. Mokbel, T.M. Ghanem, W.G. Aref: “Spatio-temporal access methods”. IEEE Data Engineering Bulletin, 26(2):40–49, 2003. [13] V. Atluri, N.R. Adam, M. Youssef: “Towards a unified index scheme for mobile data and customer profiles in a location-based service environment”. NG2I, 2003. [14] M. Cai, P.Z. Revesz: “Parametric R-Tree: An Index Structure for Moving Objects”. COMAD, 2000. [15] A. Guttman: “R-trees: A Dynamic Index Structure for Spatial Searching”. SIGMOD, pp. 47–57, 1984. [16] T.T. Anh, T. Q. Chi, T.K. Dang: “An Adaptive Grid-Based Approach to Location Privacy Preservation”. ACIIDS, pp. 133–144, 2010.
Page 1 and 2: OST-Tree: An Access Method for Obfu
Page 3: Similarly, the probability distribu

OST-Tree: An Access Method for Obfuscating Spatio-Temporal Data ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?