Xiaojun Ye

Achieving k-anonymity via a density-based clustering method

The key idea of our k-anonymity is to cluster the personal data based on the density which is measured by the k-Nearest-Neighbor (KNN) distance. We add a constraint that each cluster contains at least k records which is not the same as the traditional clustering methods, and provide an algorithm to come up with such a clustering. We also develop more appropriate metrics to measure the distance and information loss, which is suitable in both numeric and categorical attributes. Experiment results show that our algorithm causes significantly less information loss than previous proposed clustering algorithms.

A Personalized (a,k)-Anonymity Model

One important privacy principle is that an individual has the freedom to decide his/her own privacy preferences, which should be taken into account when data holders release their privacy preserving micro data. Nevertheless, current related k-anonymity model research focuses on protecting individual private information by using pre-defined constraint parameters specified by data holders. This paper introduces a personalized (alpha, k) model by introducing a vector for describing individual personalized privacy requirements corresponding to each value in the domain of sensitive attributes by data respondents, and propose an efficiency anonymization algorithm which combines the top down specialization for quasi-identifier anonymization and the local recoding technique for the sensitive attribute generalization based on its attribute taxonomy tree. Experimental results show that this approach can meet better personalized privacy requirements and keep the information loss low.

Towards an anti-inference (k, ℓ)-anonymity model with value association rules

As a privacy-preserving microdata publication model, K-Anonymity has some application limits, such as (1) it cannot satisfy the individual-defined k mechanism requirement, and (2) it is attached with a certain extent potential privacy disclosure risk on published microdata, i.e. existing high-probability inference violations under some prior knowledge on k-anonymized microdata that can surely result in personal private information disclosure. We propose the (k, l)-anonymity model with data generalization approach to support more flexible and anti-inference k-anonymization on a tabular microdata, where k indicates the anonymization level of an identifying attribute cluster and l refers to the diversity level of a sensitive attribute cluster on a record. Within the model, k and l are designed on each record and they can be defined subjectively by the corresponding individual. Beside, the model can prevent two kinds of inference attacks for microdata publication, (1) inferring identifying attributes values when their value domains are known; (2) inferring sensitive attributes values with respect to some value associations in the microdata. Further, we propose an algorithm to describe the k-anonymization process in the model. Finally, we take a scenario to illustrate its feasibility, flexibility, and generality.

Towards a more reasonable generalization cost metric for k-anonymization

A k-anonymity model contains an anonymity cost metric mechanism, which is critical for the whole k-anonymization process. The existing metrics cannot sufficiently identify the real cost on tabular microdata anonymization. We define a new cost metric that can be used for k-anonymization with the data generalization approach. The metric is more reasonable than the existing ones as it considers generalization range and range ratio rather than generalization height or height ratio, and the contribution of an attribute to the whole tuple rather than the amount of suppression cells. It can be used in most k-anonymity models for computing more precise anonymity costs.

Resource management continuity with constraint inheritance relation

Resource management continuity is indispensable against illegal resource dissemination and usage in open environment, which should be guaranteed by an effective constraint management mechanism. In detail, it includes two requirements, (1) guaranteeing resource dissemination continuability and purpose-consistency on the dissemination topology, and (2) allowing more-to-more dissemination relation with multiple dissemination policies available on the extended topology for more complicated applications. As we observed, the existed work cannot capture them satisfyingly. We propose constraint inheritance relation (CIR) on a dynamic dissemination topology to specify the continuity of constraint management to capture the first requirement while extend the previous one-to-one dissemination to capture the second. The policy compatibility is maintained while multiple policies are available. We take it into secure resource management (SRM) model for managing the complicated dissemination and usage constraints on diverse resources in dynamic dissemination transaction context. The result proves its feasibility and efficiency.

Privacy preservation and protection by extending generalized partial indices

Privacy violation has attracted more and more attention from the public, and privacy preservation has become a hot topic in academic communities, industries and societies. Recent research has been focused on purpose-based techniques and models with little consideration on balancing privacy enhancement and performance. We propose an efficient Privacy Aware Partial Index (PAPI) mechanism based on both the concept of purposes and the theory of partial indices. In the PAPI mechanism, all purposes are independent from each other and organized in a flatten purpose tree(

FGAC-QD: fine-grained access control model based on query decomposition strategy

mathcal{FPT}

Synthesizing: art of anonymization

). Thus, security administrators can update the flatten purpose tree by adding or deleting purposes. Intended purposes are maintained in PAPI directly. Furthermore, based on the PAPI mechanism, we extend the existing query optimizer and executor to enforce the privacy policies. Finally, the experimental results demonstrate the feasibility and efficiency of the PAPI mechanism.

Role-based peer-to-peer model: capture global pseudonymity for privacy protection

Applications require fine-grained access control (FGAC) supported by DBMSs themselves. Though much literature has referred to the FGAC, its key problems still remain open. Thus, we develop a FGAC-QD model based on query decomposition strategy with incorporating two notions of authorization rule and predicate transitive rule. In our model, users’ queries are decomposed into a set of one-variable queries (OVQ). For each OVQ, its validity is checked against the corresponding authorization rule; if all the OVQs are valid, the query is inferred to be valid and will be executed without any modification; otherwise the query has illegal access, and will be partially evaluated or rejected directly, according to the feature of applications. Finally, the results of experiments demonstrate the feasibility of FGAC-QD.

Dynamic Purpose-Based Access Control

Although there are a number of anonymization techniques in the microdata publication, two problems remain: (1) the privacy breaches with auxiliary knowledge; (2) the large information losses during the anonymization. We establish the requirement of presence anonymity and propose the two-step process of synthesizing, consisting of learning a model from the original data, and then sampling a published version with it, which has the similar statistical characteristics and includes fake records. The advantage is that it prevents the auxiliary knowledge attacks as well as enables researchers get correct or approximately correct conclusions. Furthermore, its effectiveness is proved through extensive experiments.