Jingyu Hua

Differentially private publication of general time-serial trajectory data

Trajectory data, i.e., human mobility traces, is extremely valuable for a wide range of mobile applications. However, publishing raw trajectories without special sanitization poses serious threats to individual privacy. Recently, researchers begin to leverage differential privacy to solve this challenge. Nevertheless, existing mechanisms make an implicit assumption that the trajectories contain a lot of identical prefixes or n-grams, which is not true in many applications. This paper aims to remove this assumption and propose a differentially private publishing mechanism for more general time-series trajectories. One natural solution is to generalize the trajectories, i.e., merge the locations at the same time. However, trivial merging schemes may breach differential privacy. We, thus, propose the first differentially-private generalization algorithm for trajectories, which leverage a carefully-designed exponential mechanism to probabilistically merge nodes based on trajectory distances. Afterwards, we propose another efficient algorithm to release trajectories after generalization in a differential private manner. Our experiments with real-life trajectory data show that the proposed mechanism maintains high data utility and is scalable to large trajectory datasets.

Privacy-Preserving Utility Verification of the Data Published by Non-Interactive Differentially Private Mechanisms

In the problem of privacy-preserving collaborative data publishing, a central data publisher is responsible for aggregating sensitive data from multiple parties and then anonymizing it before publishing for data mining. In such scenarios, the data users may have a strong demand to measure the utility of the published data, since most anonymization techniques have side effects on data utility. Nevertheless, this task is non-trivial, because the utility measuring usually requires the aggregated raw data, which is not revealed to the data users due to privacy concerns. Furthermore, the data publishers may even cheat in the raw data, since no one, including the individual providers, knows the full data set. In this paper, we first propose a privacy-preserving utility verification mechanism based upon cryptographic technique for DiffPart-a differentially private scheme designed for set-valued data. This proposal can measure the data utility based upon the encrypted frequencies of the aggregated raw data instead of the plain values, which thus prevents privacy breach. Moreover, it is enabled to privately check the correctness of the encrypted frequencies provided by the publisher, which helps detect dishonest publishers. We also extend this mechanism to DiffGen-another differentially private publishing scheme designed for relational data. Our theoretical and experimental evaluations demonstrate the security and efficiency of the proposed mechanism.

A Jointly Differentially Private Scheduling Protocol for Ridesharing Services

Ridesharing services have gained tremendous popularity in recent years, benefiting the traffic and environment of cities to a large extent. However, with the demand of ridesharing services increasing sharply, serious privacy concerns (e.g., users’ mobility patterns) of ridesharing have become a major barrier against its further development. In this paper, we study the privacy protection of users’ location information in the scheduling of ridesharing services. Based on a state-of-the-art variant of differential privacy, joint differential privacy, we first propose a scheduling protocol for the purpose of protecting users’ location privacy and minimizing vehicle miles in the system. Then, in order to obtain a practical solution, we investigate several techniques to enhance the proposed protocol from both the privacy and efficiency aspects. The privacy of the proposed scheduling protocol is rigorously proven. Furthermore, we extensively evaluate our proposal based on a real-world data set. The analysis and experimental results show that the proposed protocol can achieve joint differential privacy, satisfactory scheduling performance, and reasonable efficiency.

Traffic engineering in hierarchical SDN control plane

Decoupling of control and data plane in Software Define Networks (SDN) creates significant flexibility in network management. As networks are evolving into a complex multi-domain multi-layer architecture, traffic engineering across multiple domains and layers entails challenges for the control plane, especially when each separate administrative domain does not disclose their network topology and resource information. In this paper, we present a hierarchical controller design over multidomain and multi-layer networks, by adopting a root controller at the top layer. We allow to aggregate network topology and QoS information into a hierarchical Network Information Base (NIB) for the confidentiality concern. Then, we devise a communication protocol, which enables controllers at different layers and domains to work collaboratively on bandwidth allocation by reading to the hierarchical NIB. We also present an improved traffic engineering algorithm by considering bandwidth and delay simultaneously, to maximize the network utilization while respecting max-min fairness. Experiments on a 717-switches 5-domain network topology demonstrate that our proposal could drive the link utilization ratio to more than 85%.

FOUM: A flow-ordered consistent update mechanism for software-defined networking in adversarial settings

Due to the asynchronous and distributed nature of the data plane, consistent configuration updating across multiple switches is a challenging issue in Software-Defined Networking (SDN). The existing version-stamping-based mechanism (VSM) could guarantee per-packet consistency, but this mechanism is designed for non-adversarial settings and can be compromised easily by a malicious attacker. In this paper, we propose an efficient flow-ordered update mechanism that aims to provide per-packet consistency in adversarial settings. Our proposal does not need to stamp data packets with the configuration version, and is robust against both the packet-tampering and packet-dropping attacks. It outperforms a naive mechanism that simply patches VSM using digital signatures in three aspects: First, the switches in this mechanism only need to sign and verify a single control packet, which significantly improves the packet processing time. Second, it avoids keeping both old and new policies on switches during the update, and thus achieves better space efficiency. Third, it reduces the time delay for new policies to come into force. We evaluate our mechanism on a self-constructed SDN testbed and the results demonstrate high efficiency.

Topology-Preserving Traffic Engineering for Hierarchical Multi-Domain SDN

Abstract Decoupling of control and data plane in Software Define Networks (SDN) creates significant flexibility in network management. As networks are evolving into a complex multi-domain multi-layer architecture, traffic engineering across multiple domains and layers entails significant challenges for the control plane, especially when each separate administrative domain is not willing to disclose its network topology and resource information. In this paper, we present the first traffic engineering scheme for a multi-domain SDN by using a hierarchical control plane, in which each domain is managed by a local controller, and they are further controlled by a centralized root controller. To preserve the local topology of each domain, we extend the Network Information Base (NIB) into a hierarchical architecture as well, and the root controller maintains only an abstracted view of the lower-layer networks in its NIB. Then, we devise a communication protocol, which enables controllers at different layers and domains to work collaboratively on bandwidth allocation by reading to the hierarchical NIB. We also present an improved traffic engineering algorithm by considering bandwidth and delay simultaneously, to maximize the network utilization while respecting max-min fairness. Experiments on a 719-switches 5-domain network topology demonstrate that our proposal could drive the link utilization ratio to more than 85%.

Secure Keyboards Against Motion Based Keystroke Inference Attack

Nowadays, attackers seek various covert channels to access the users’ privacy on the mobile devices. Recent research has demonstrated that the built-in motion sensors can be exploited to monitor the users’ screen taps and infer what they have typed. This paper presents several practical and convenient countermeasures against this attack in terms of the soft keyboard. We find that this attack is sensitive to the motion noise of the mobile device and the layout variation of the soft keyboard. We, thus, present two kinds of countermeasures against this attack by introducing vibration noise in sensor readings and dynamics in the keyboard layout, respectively. We implement these countermeasures on Android platform and recruit 20 volunteers to evaluate these countermeasures’ effectiveness and usability on both the smartphones and tablets. The results show that the proposed countermeasures can effectively reduce the attackers’ keystroke inference accuracy without significantly hurting the typing efficiency.

Towards Attack-Resistant Peer-Assisted Indoor Localization

Peer-assisted smartphone localization, which leverages pairwise acoustic ranging among nearby peer phones to refine location estimation, significantly pushes the accuracy limit of WiFi-based indoor localization. Unfortunately, this technique is designed for non-adversarial settings. Dishonest peers may cheat in their distance measurements. Outside attackers may interfere with the acoustic ranging by continually broadcasting interference signals. In this paper, we propose countermeasures against each of these attacks. We first present an algorithm that can identify peers that are not cheating in the current localization, by searching for devices that can be embedded into the same plane according to their pairwise distances. We also design a robust acoustic ranging method exploiting signal modulation, which can defend effectively against intentional interference of outside attackers. Experimental results demonstrate that our countermeasures can greatly improve the robustness of peer-assisted localization.