The mainstream approach to protecting the privacy of mobile users in location-based services (LBSs) is to alter (e.g., perturb, hide, etc.) the users' actual locations in order to reduce the exposed sensitive information. To be effective, a location-privacy preserving mechanism must consider both the privacy and the utility requirements of each user, as well as the overall set of locations they expose (which contributes to the adversary's background knowledge).

In this paper, we propose a methodology that enables the design of optimal user-centric location obfuscation mechanisms respecting each individual user's service quality requirements, while maximizing the expected error that the optimal adversary incurs in reconstructing the user's actual trace. A key advantage of a user-centric mechanism is that it does not depend on third-party proxies or anonymizers, so it can be integrated directly into the mobile devices that users use to access LBSs. Our methodology is based on the mutual optimization of the user's and the adversary's objectives (maximizing location privacy vs. minimizing localization error), formalized as a Stackelberg Bayesian game. This formalization makes our solution robust against any location inference attack, i.e., the adversary cannot decrease the user's privacy by designing a better inference algorithm as long as the obfuscation mechanism is designed according to our privacy games.

We develop two linear programs that solve the location privacy game and output the optimal obfuscation strategy and its corresponding optimal inference attack. These linear programs are used to design location-privacy preserving mechanisms that consider the correlation between past, current and future locations of the user, and thus can be tuned to protect different privacy objectives along the user's location trace. We illustrate the efficacy of the optimal location-privacy preserving mechanisms obtained with our approach against real location traces, showing their performance in protecting users' different location privacy objectives.
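The following is an added worked example of the game described above; it is not code from the paper, and it does not reproduce the paper's two linear programs. On a constructed three-cell map with an assumed prior, it computes the adversary's optimal inference attack for a given obfuscation mechanism (the Bayes decision for each observed pseudolocation), the resulting location privacy (expected adversary error) and the service-quality loss, and then replaces the user's linear program with a brute-force search over a coarse grid of all mechanisms, which is only feasible because the map is tiny. The distance functions, the prior, the quality budget and the fixed comparison mechanisms are all assumptions chosen for illustration.

```python
"""Stackelberg location-privacy game on a constructed 3-cell map (added example).

Cells 0,1,2 lie on a line. The user picks an obfuscation mechanism
f[r][o] = Pr[report pseudolocation o | true location r]; the adversary, who
knows f and the prior, picks an inference attack h(o) -> r_hat. The user's
location privacy is the adversary's expected error under the OPTIMAL attack,
subject to a bound on expected service-quality loss. The paper solves the
user's side with a linear program; here a grid search over all mechanisms
stands in for it.
"""
from itertools import product

LOCS = (0, 1, 2)
PRIOR = {0: 0.5, 1: 0.3, 2: 0.2}   # constructed: adversary's background knowledge


def d_privacy(r_hat, r):
    """Adversary error metric (assumed): 1 if the guess is wrong, else 0."""
    return 0.0 if r_hat == r else 1.0


def d_quality(r, o):
    """Service-quality loss metric (assumed): distance from true to reported cell."""
    return abs(r - o)


def optimal_attack(f, prior=PRIOR):
    """Adversary's best response: for each observed o, the estimate minimising
    posterior expected d_privacy. Normalising the posterior does not change the
    argmin, so the joint prior[r]*f[r][o] is enough."""
    attack = {}
    for o in LOCS:
        joint = {r: prior[r] * f[r][o] for r in LOCS}
        if sum(joint.values()) == 0.0:
            continue  # o is never reported, nothing to infer
        attack[o] = min(LOCS, key=lambda rh: sum(joint[r] * d_privacy(rh, r) for r in LOCS))
    return attack


def location_privacy(f, attack=None, prior=PRIOR):
    """Expected adversary error; with attack=None the optimal attack is used."""
    if attack is None:
        attack = optimal_attack(f, prior)
    return sum(prior[r] * f[r][o] * d_privacy(attack[o], r)
               for r in LOCS for o in LOCS if o in attack)


def quality_loss(f, prior=PRIOR):
    """Expected service-quality loss of mechanism f."""
    return sum(prior[r] * f[r][o] * d_quality(r, o) for r in LOCS for o in LOCS)


def row_grid(steps):
    """All distributions over LOCS whose probabilities are multiples of 1/steps."""
    for a in range(steps + 1):
        for b in range(steps + 1 - a):
            yield {0: a / steps, 1: b / steps, 2: (steps - a - b) / steps}


def optimal_mechanism(q_max, steps=5, prior=PRIOR):
    """User's side of the game: maximise over f the error of the adversary's
    best response, subject to quality_loss(f) <= q_max. Brute force over a
    grid of mechanisms, standing in for the paper's linear program."""
    best_f, best_priv = None, -1.0
    for rows in product(list(row_grid(steps)), repeat=len(LOCS)):
        f = dict(zip(LOCS, rows))
        if quality_loss(f, prior) > q_max + 1e-9:
            continue
        priv = location_privacy(f, None, prior)
        if priv > best_priv:
            best_f, best_priv = f, priv
    return best_f, best_priv


# Fixed mechanisms and a naive attack used for comparison (all constructed).
IDENTITY = {r: {o: 1.0 if o == r else 0.0 for o in LOCS} for r in LOCS}
UNIFORM = {r: {o: 1 / 3 for o in LOCS} for r in LOCS}
JUMP = {r: {o: 0.65 if o == r else 0.175 for o in LOCS} for r in LOCS}  # truth w.p. 0.65
NAIVE_ATTACK = {o: o for o in LOCS}   # takes the pseudolocation at face value

if __name__ == "__main__":
    print("uniform vs naive adversary  :", location_privacy(UNIFORM, NAIVE_ATTACK))
    print("uniform vs optimal adversary:", location_privacy(UNIFORM))
    print("jump: privacy", location_privacy(JUMP), "quality loss", quality_loss(JUMP))
    f, priv = optimal_mechanism(q_max=0.5)
    print("game-optimal: privacy", priv, "quality loss", quality_loss(f))
    print("optimal attack against it:", optimal_attack(f))
```

Two things the numbers make visible. First, measuring privacy against a naive adversary overstates it: the uniform mechanism looks like it yields error 2/3, but the Bayesian adversary who exploits the prior reduces that to 0.5, which is the point of evaluating a mechanism against its optimal attack. Second, a fixed perturbation rule such as JUMP spends its quality budget poorly (privacy 0.35 at loss 0.4725), whereas the game-optimal mechanism under the same budget of 0.5 reaches 0.5, the most any mechanism can achieve against an adversary who knows this prior.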