Methods to Mitigate Risk of Composition Attack in Independent Data Publications

Abstract

Data publication is a simple and cost-effective approach for data sharing across organizations. Data anonymization is a central technique in privacy preserving data publications. Many methods have been proposed to anonymize individual datasets and multiple datasets of the same data publisher. In real life, a dataset is rarely isolated and two datasets published by two organizations may contain the records of the same individuals. For example, patients might have visited two hospitals for follow-up or specialized treatment regarding a disease, and their records are independently anonymized and published. Although each published dataset poses a small privacy risk, the intersection of two datasets may severely compromise the privacy of the individuals. The attack using the intersection of datasets published by different organizations is called a composition attack. Some research work has been done to study methods for anonymizing data to prevent a composition attack for independent data releases where one data publisher has no knowledge of records of another data publisher. In this chapter, we discuss two exemplar methods, a randomization based and a generalization based approaches, to mitigate risks of composition attacks. In the randomization method, noise is added to the original values to make it difficult for an adversary to pinpoint an individual’s record in a published dataset. In the generalization method, a group of records according to potentially identifiable attributes are generalized to the same so that individuals are indistinguishable. We discuss and experimentally demonstrate the strengths and weaknesses of both types of methods. We also present a mixed data publication framework where a small proportion of the records are managed and published centrally and other records are managed and published locally in different organizations to reduce the risk of the composition attack and improve the overall utility of the data.

Appendices

Appendix

In this appendix, we discuss three measures used in the experiments and the definitions of differential privacy.

A. Metrics

Definition 8.1 (Kullback-Leibler Divergence).

Kullback-Leibler (KL) divergence [19] is a non-symmetric measure of the difference between two probability distributions P and Q. Specifically, KL-divergence is a measure of information loss when Q is used to approximate P. It is denoted by D _KL (P | | Q). If P and Q represent discrete probability distributions, KL-divergence of Q from P is defined as:

$$ \displaystyle{ D_{KL}(P\vert \vert Q) =\sum _{i}P(i)\ln \frac{P(i)} {Q(i)} } $$

In other words, it is the expectation of the logarithmic difference between the probabilities P and Q, where the expectation is taken the probabilities P.

Definition 8.2 (City Block Distance).

City block distance measures the similarity between two objects. If a and b are two objects described by a m-dimensional vector, then the city block distance between a and b is calculated as follows.

$$ \displaystyle{ Distance(a,b) =\sum _{ j=1}^{m}\vert a_{ j} - b_{j}\vert } $$

The city block distance is greater than or equal to zero. The distance is zero for identical objects and high for objects that share little similarity.

Definition 8.3 (Relative Error).

Relative error indicates how accurate a measurement is relative to the actual value of an object being measured. If R _act represents the actual value and R _est represents the estimated value, then the relative error is defined as follows:

$$ \displaystyle{ Error = \frac{\vert R_{act} - R_{est}\vert } {R_{act}} = \frac{\Delta R} {R_{act}} } $$

where \( \Delta R \) represents the absolute error.

B. Differential Privacy

Differential privacy has received significant attention recently because it provides semantic and cryptographically strong guarantees [18]. It ensures that an adversary learns little more about an individual being in the dataset than not [9, 18, 26].

“Differential privacy will ensure that the ability of an adversary to inflict harm (or good, for that matter) of any sort, to any set of people, should be essentially the same, independent of whether any individual opts in to, or opts out of, the dataset. [9]”

The intuition behind this is that the output from a differentially private mechanism is insensitive to any particular record.

Definition 8.4 (Differential Privacy [26]).

A randomized function K is differentially private if for all datasets D and D′ where their symmetric difference contains at most one record (i.e., \( \vert D\Delta D'\vert \leq 1 \)), and for all possible anonymized dataset \( \hat{D} \),

$$ \displaystyle{ Pr[K(D) =\hat{ D}] \leq e^{\epsilon } \times Pr[K(D') =\hat{ D}] } $$

where the probabilities are over the randomness of K.

The parameter ε > 0 is public and set by the data publishers [9]. The lower the value of ε, the stronger the privacy guarantee, whereas a higher value of ε provides more data utility [27]. Therefore, it is crucial to choose an appropriate value for ε to balance data privacy and utility [30, 33, 40].

A standard mechanism to achieve differential privacy is to add random noise to the original output of a function. The added random noise is calibrated according to the sensitivity of the function. The sensitivity of the function is the maximum difference between the values that the function may take on a pair of datasets that differ in only one record [9].

Definition 8.5 (Sensitivity [12]).

For any function \( f: D \rightarrow \mathbf{R}^{d} \), the sensitivity of f is measured as:

$$ \displaystyle{ \Delta f =\max _{D,D'}\vert \vert f(D) - f(D')\vert \vert _{1} } $$

for all D, D′ differing in at most one record.

Dwork et al. [12] suggest the Laplace mechanism to achieve differential privacy. The Laplace mechanism takes a dataset D, a function f and the parameter b to generate noise according to the Laplace distribution with the probability density function \( Pr(x\vert b) = \frac{1} {2b}\exp (-\vert x\vert /b) \) with variance 2b ² and mean 0. Theorem 8.1 connects the sensitivity to the magnitude of the noise that generates the noisy output \( f(\hat{D}) = f(D) + Lap(b) \) to satisfy ε-differential privacy. Note that Lap(b) is a random variable sampled from the Laplace distribution.

Theorem 8.1 ([10]).

For any function \( f: D \rightarrow \mathbf{R}^{d} \) , the randomized function K that adds independently generated noise with distribution \( Lap(\Delta /\epsilon ) \) to each of the outputs guarantees ε-differential privacy.

Therefore, the function f, returns the count value, first computes the original count f(D) and then outputs the noisy answer \( f(\hat{D}) = f(D) + Lap(1/\epsilon ) \).