Location sharing services have become an indispensable part of mobile social networks. However, location sharing may introduce a new class of privacy threats, ranging from localizing an individual to profiling and identifying him based on the places he has shared. Although users may avoid releasing geocontent in sensitive locations, this does not necessarily prevent the adversary from inferring users’ privacy through spatiotemporal correlations and historical information. In this paper, we design the Prophet framework, which provides an effective security scheme for users sharing their location information. First, we define fingerprint identification based on a Markov chain and state classification to describe users’ behavior patterns. Then, we propose a novel location anonymization mechanism, which adopts a
With the growing popularity of mobile devices (such as smartphones), millions of applications (or apps for short) with location-based services are available to users from app markets. Users release their location in order to experience personalized/customized services (such as friend-seeker and navigation service). However, location sharing may introduce a new class of privacy threats ranging from localizing an individual to profiling and identifying him based on the places he visits [
Traditionally,
In this paper, we investigate the issue of when and where a user can release his/her geolocation information. The goal of our work is to let users enjoy location sharing services as much as possible while avoiding privacy risk. To this end, we present a context-aware location privacy-preserving scheme, called Prophet, in which users’ historical location information is used to create statistical fingerprints of behavior patterns. We define a fingerprint as a distinctive feature allowing identification of certain behavior patterns. In this work, a fingerprint corresponds to a first-order homogeneous Markov chain, which represents a sequence of POIs appearing in a single directed flow of the user’s released locations. Based on this, Prophet is formalized as the problem of accurately and efficiently evaluating whether the user’s published location information meets the user’s privacy requirement. Furthermore, we consider the real-life requirement that the user actually uses the location-based service. We propose a novel metric
We give a formal security proof of the correctness and privacy guarantee of our mechanism. Furthermore, extensive experiments demonstrate the validity and practicality of our scheme.
In summary, the paper makes the following contributions: We first present a context-aware location privacy-preserving scheme, called Prophet, and based on this, we propose a series of novel techniques for accurately and efficiently evaluating privacy risk. We propose a novel metric We have implemented our scheme on a simulated testbed, and extensive experiments demonstrate the validity and practicality of our scheme.
The remainder of the paper is organized as follows. Section
We begin by describing a high-level architecture for Prophet as illustrated in Figure
Architecture of allocating customer applications.
In this framework, a user simply sends his location to Prophet, and Prophet is responsible only for analyzing and anonymizing the location information sent by the user, without knowing the real query requirement. Similarly, when receiving a query with a certain anonymous space region (ASR for short), the LBS provider just processes the user’s query without learning the related privacy information from the ASR.
State-of-the-art methods of location privacy protection focus on anonymizing sensitive location information. These methods usually assume that the privacy requirements of users are constant and isolated. However, this assumption does not hold in real-life location-based service scenarios. For example, Bob, suffering from chronic bacterial prostatitis, is convalescing in a certain urology hospital, and he does not want anyone to know he has been to the hospital. To this end, he never checks in at this hospital. However, he may be happy to share his location by MSN to meet his friends at nearby bars or cafes, where he thinks no location privacy would be divulged. However, by combining Bob’s check-ins with the patterns of other users who have similar behaviors, an adversary can still infer Bob’s privacy. As illustrated in Figure
In this subsection, we propose a method based on a first-order homogeneous Markov chain to model possible sequences of users’ behavior patterns. The benefits of using the first-order homogeneous Markov chain model are threefold: (1) it is sufficiently effective; (2) it is simple to implement; (3) it is easy to extend to any higher-order Markov chain model [
As
Moreover, we further assume that the first-order Markov chain is homogeneous; that is, a state transition from time
where
as the Output Probability Distribution (OPD), where
The resulting probability indicates how close a given sequence of location information along a state transition chain is to one user’s behavior pattern, where a larger value means that the behavior trace is closer to the model.
To illustrate the process of the fingerprint creation, consider the examples in Figures
An example of decimal codes for POIs and event type.
An example of the fingerprint for users’ states.
There are 7 different Markov states in the example, as shown in Figure
In this subsection, we describe the state classification technique, which is the preliminary step for fingerprint identification.
The released location information is organized in the form of records, where each record contains all of the published geolocation contents of the corresponding user for one day, in order. Such data is set-valued data, which is sparse and high dimensional. The core idea is to find a set of states which can be used to classify the records into different clusters.
To this end, we introduce a data structure, named concept [
Specifically, when
Based on this, we can see that the problem of identifying the core states can be reduced into the mapping relation from information concept
Given a concept
There is a fact that if a concept Generate candidate 1-dimensional concept set. Each state constitutes the intension of a candidate 1-dimensional concept. The algorithm scans all of the records in the target cluster, recording the corresponding extension and the size of the extension domain. Generate Generate Jump to Step (3) until
We can see that, given the parameters (
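The following is an added example (not code from the paper) of the level-wise concept generation described above: each state forms the intension of a candidate 1-dimensional concept, its extension is the set of records containing it, and higher-dimensional concepts are built by joining concepts of the previous level. The records and the minimum extension size are constructed assumptions, not values from the paper.

```python
from itertools import combinations

# Constructed records: one per user-day, each the set of POI states released that day.
DAY_RECORDS = [
    {"A", "B", "C"},
    {"A", "B"},
    {"A", "C"},
    {"B", "C", "D"},
    {"A", "B", "C"},
]
MIN_EXTENSION = 2  # assumed minimum extension size for a concept to be kept


def extension(records, intension):
    """Extension of a concept: indices of the records that contain every state of the intension."""
    return frozenset(i for i, rec in enumerate(records) if intension <= rec)


def generate_concepts(records, min_ext=MIN_EXTENSION):
    """Level-wise generation of concepts {intension -> extension}.

    Level 1 scans all records once per state; level k+1 joins two level-k concepts
    whose intensions differ in one state. The extension of the join is the
    intersection of the two extensions, so no second scan of the records is needed.
    """
    states = sorted(set().union(*records))
    level = {}
    for s in states:  # candidate 1-dimensional concepts
        ext = extension(records, frozenset([s]))
        if len(ext) >= min_ext:
            level[frozenset([s])] = ext
    concepts = dict(level)
    k = 1
    while level:
        nxt = {}
        for a, b in combinations(level, 2):
            cand = a | b
            if len(cand) != k + 1 or cand in nxt:
                continue
            ext = level[a] & level[b]
            if len(ext) >= min_ext:  # a concept whose subsets are rare is rare too
                nxt[cand] = ext
        concepts.update(nxt)
        level, k = nxt, k + 1
    return concepts
```

With the constructed records, state D appears in a single record and is dropped at level 1, while {A, B, C} survives as the only 3-dimensional concept.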
Next, we say that one privacy concept
Given a domain
Based on Definition
To protect the user’s location privacy from the LBS provider, Prophet generates an anonymous space region that contains several POIs located next to the user’s exact location. Normally, from the perspective of the information publisher, the bigger the ASR is, the higher the accuracy loss of the released information is. Unfortunately, this rule is not always true: an adversary can quickly narrow the ASR down by eliminating fallacious POIs. Here, we propose a novel
To quantitatively customize the ASR, in this stage we need to locate POIs. de Berg et al. [
Computing the Voronoi diagram for the POIs.
In the view of privacy protection, the covered POIs (containing the selected
Intuitively, since two locations
From the perspective of information availability, it is obvious that the availability of the released location-relevant content is distance-dependent. That is, given an information loss level
Combining (
Assuming that the adversary holds some auxiliary information
Based on Definition
Obviously, this is an NP-complete problem, which can be reduced to the 0-1 knapsack problem. Therefore, we propose a heuristic algorithm, as follows.
Before describing the details of the proposed algorithm, we first introduce its core idea. When receiving a location sharing request, Prophet first checks the user’s behavior fingerprint. If the shared location belongs to “the core state set” and the probability of inferring a sensitive/private location, computed from the transition matrix, is greater than the preset threshold, Prophet issues an alarm to the user. After getting the response from the user, Prophet builds the corresponding ASR satisfying the privacy requirement and information availability. The heuristic rule for building the ASR is shown in Algorithm
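The following is an added example (not code from the paper) covering both the fingerprint of Section 3 and the pre-release check just described: it estimates a first-order homogeneous Markov transition matrix from daily check-in records, scores a released sequence against the chain, and raises Prophet’s alarm when the shared state is a core state from which a sensitive state is reachable with probability above a threshold. The records, POI codes, core set and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed daily records: each user maps to a list of days, each day an ordered
# list of decimal POI codes. Code 30 stands for a sensitive POI (e.g. a hospital)
# that the users never check in at themselves; it is only ever reached via others.
RECORDS = {
    "u1": [[10, 12, 30], [10, 12, 30], [10, 11, 30]],
    "u2": [[10, 12, 30], [12, 30], [10, 12]],
    "u3": [[20, 12, 30], [20, 11]],
}
SENSITIVE = {30}
THRESHOLD = 0.6  # assumed alarm threshold, not a value from the paper


def build_transition_matrix(records):
    """Homogeneous first-order chain over POI states: P[s][t] = Pr(next = t | current = s)."""
    counts = defaultdict(lambda: defaultdict(int))
    for days in records.values():
        for day in days:
            for s, t in zip(day, day[1:]):
                counts[s][t] += 1
    return {s: {t: n / sum(nxt.values()) for t, n in nxt.items()}
            for s, nxt in counts.items()}


def sequence_probability(matrix, start_dist, seq):
    """Output probability of a released sequence: the closer to 1, the closer to the fingerprint."""
    p = start_dist.get(seq[0], 0.0)
    for s, t in zip(seq, seq[1:]):
        p *= matrix.get(s, {}).get(t, 0.0)
    return p


def reach_probability(matrix, state, sensitive, steps):
    """Reverse inference: probability that a walk from `state` enters a sensitive state within `steps`."""
    dist, reached = {state: 1.0}, 0.0
    for _ in range(steps):
        nxt = defaultdict(float)
        for s, p in dist.items():
            for t, q in matrix.get(s, {}).items():
                if t in sensitive:
                    reached += p * q  # absorbed: the sensitive POI is inferred
                else:
                    nxt[t] += p * q
        dist = nxt
    return reached


def should_alarm(matrix, state, core_states, sensitive, steps=2, threshold=THRESHOLD):
    """Prophet's check before release: core state whose inference risk exceeds the threshold."""
    return state in core_states and reach_probability(matrix, state, sensitive, steps) > threshold
```

With the constructed records, releasing state 10 is safe one step ahead but leads to the sensitive POI with certainty within two steps, so the alarm depends on how far ahead Prophet looks.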
INPUT: OUTPUT: BuildASR (1) // Step (1) (2) (3) (4) (5) num (6) (7) (8) (9) (10) (11) (12) if (13) record the correspond POIs (14) delete POIs of (15) (16) jump to Step (1); // Step (3) (17) find the points (18) compute the area of ASR ( (19) (20) delete POIs corresponding with (21) (22) jump to Step (1); (23) return ASR;
Because Prophet is introduced as a trusted third party (TTP for short), there is no collusion attack between Prophet and the LBS server. Based on the right-decentralization mechanism, the LBS server cannot accurately infer the sensitive location hidden by the user. Furthermore, against inference attacks, Prophet adopts a two-stage privacy protection strategy: a Markov chain-based reverse inference mechanism (Section
We now evaluate the performance of our scheme using a real-world dataset, Foursquare, made available by Gao et al. [
As mentioned above, the transition matrix is the core preliminary step of the proposed location anonymization scheme. Hence the overhead of the transition matrix building phase directly affects the whole scheme. We begin by estimating the cost of building the transition matrix. Suppose that the number of users varies from 100 to 2,000, in steps of 100, in the following experiment. Under this setting, we quantify the cost introduced by building the transition matrix in terms of fingerprint identification as well as state classification, as shown in Figure
The overhead of building transition matrix.
The experimental results in Figure
Specifically, building the transition matrix for 2,000 users takes only 60.12 seconds. These experimental results demonstrate the effectiveness of the proposed state classification phase based on the concept data structure. In other words, this overhead is acceptable, even for a very large number of users. This result demonstrates the basic usability of our scheme in the fingerprint identification phase.
As discussed in Section
Figure
The overhead of building ASR on different
On the other side, Figure
The overhead of building ASR on different
In short, the overhead of building the ASR does not have much negative impact on the whole scheme under different
Next, we focus on evaluating the performance of our privacy-preserving scheme during the preprocessing and anonymizing procedure. As discussed in Section
Figure
The average error of Prophet on different
The average error of Prophet on different
As previously mentioned, the real sensitive locations are usually hidden by users in our Foursquare dataset. In order to evaluate the location indistinguishability among Prophet, CLPP [
Two metrics are designed to evaluate the accuracy of Prophet, DP, and CLPP: (1) the average confidence of hidden location set HL1, denoted as true positive, and (2) the average confidence of hidden location set HL2, denoted as false positive [
The experimental results shown in Figures
Performance evaluation on true positive probability.
Performance evaluation on false positive probability.
Privacy preservation has attracted much attention in the mobile social networks research field. Most current privacy-preserving schemes that focus on sensitive data sharing issues depend on anonymization techniques [
Some research works focus on privacy preservation of healthcare information in mobile health monitoring environments [
The study of location-based anonymization schemes has gained great interest from the research community recently, and we briefly review some of them related to our work [
In this paper, we design a context-aware location privacy-preserving scheme in a mobile cloud environment, named Prophet, which is an effective security scheme for mobile cloud users to protect the locations they share. Moreover, we propose a novel location anonymization mechanism, which adopts a
The authors declare that there are no conflicts of interest regarding the publication of this paper.