CN113207120A - Differential privacy method for collecting user real-time position information in mobile crowd sensing - Google Patents


Publication number
CN113207120A
Authority
CN
China
Prior art keywords
user
privacy
point
position point
current position
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202110338934.6A
Other languages
Chinese (zh)
Inventor
牛晨旭
吕蒙
牛鑫
黄宏宇
马茜
时蕾
牛可
智雷勇
王闪闪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Railway Vocational and Technical College
Original Assignee
Zhengzhou Railway Vocational and Technical College
Application filed by Zhengzhou Railway Vocational and Technical College
Priority to CN202110338934.6A
Publication of CN113207120A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a differential privacy method for collecting user real-time position information in mobile crowd sensing, belonging to the technical field of crowd sensing. The privacy method comprises the following steps: S1: judging whether the current position point of the user is a key point and calculating its importance, and calculating the privacy leakage of the user's trajectory in the sliding window containing the user's current position; S2: allocating a privacy budget to the user's current position according to its importance and the privacy leakage; S3: the user perturbs the current position according to the allocated privacy budget to obtain a candidate position set, and selects a position point whose privacy leakage and obtained benefit both satisfy the user as the perturbed position to submit to the server. The invention can effectively protect the user's privacy locally, without relying on a server, and can maximize the benefit the user obtains from uploading position information while ensuring the user's privacy.

Description

Differential privacy method for collecting user real-time position information in mobile crowd sensing
Technical Field
The invention belongs to the technical field of crowd sensing, relates to privacy protection of user tracks in mobile crowd sensing, and particularly relates to a differential privacy method for collecting user real-time position information in mobile crowd sensing.
Background
In recent years, with the spread of mobile smart terminals such as smartphones and smartwatches, the related industries have seen explosive growth. Continuously improving built-in sensors enhance the sensing capability of smart devices, and the rapidly growing user base lays a foundation for the development of Mobile Crowd Sensing (MCS). As a new data collection paradigm, an MCS system usually consists of a server and a large number of participants. Specifically, the server first issues a sensing task to mobile smart device users; a user who is willing to participate accepts the task and submits data to complete it. However, during data collection the private information of participants is often acquired by attackers, and users often quit sensing tasks out of security concerns, so it is extremely important to protect participants' privacy during task publishing, data collection and uploading.
Since most MCS tasks are location dependent, the server typically requires participants to report their location along with the sensing data. However, the increasing disclosure of participant locations poses a threat of privacy leakage. Differential privacy, a common method for protecting personal privacy in database settings, offers a good solution for protecting participants' location privacy because of its strong protection capability. Differential privacy does not assume a particular attack and does not depend on the attacker's background knowledge: even if the attacker knows every record except one, the sensitive information of that user remains protected, and the guarantee can be analysed quantitatively and proven.
Currently, differential privacy is usually applied to protect the data in the database at the server, but an attacker may also obtain all of a user's data from an untrusted third party or server.
Disclosure of Invention
In view of the above deficiencies in the prior art, the present invention provides a differential privacy method for collecting user real-time location information in mobile crowd sensing, which protects the real-time location of a user. The user perturbs their real-time position locally and uploads the perturbed position to the server; privacy protection is achieved while maximizing the benefit the user obtains from uploading data, and the strength with which the user's location privacy is protected is determined by multiple factors.
To achieve this purpose, the invention provides the following technical scheme:
A differential privacy method for collecting user real-time position information in mobile crowd sensing, which can protect the real-time position of a user, comprises the following steps:
The user activity area is divided into cells and labeled.
S1: calculate the remaining privacy budget $\varepsilon_r$ in the sliding window containing the user's current position point, judge whether the current position point is a key point and calculate its importance $I$, then calculate the privacy leakage $TPL_{w-1}$ of the user's trajectory;
S2: allocate a privacy budget $\varepsilon_i$ to the user's current position point according to its importance $I$ and the privacy leakage $TPL_{w-1}$;
S3: the user perturbs the current position point according to the allocated privacy budget $\varepsilon_i$ to obtain a candidate position point set $A$, and selects a position point whose privacy leakage and obtained benefit both satisfy the user as the perturbed position to submit to the server.
Further, the specific steps of step S1 are:
S11: calculate the remaining privacy budget $\varepsilon_r$ in the sliding window containing the user's current position point.
The remaining privacy budget $\varepsilon_r$ of the current position point is calculated from the privacy budget consumed by the previous $w-1$ position points in the sliding window containing the user's current position point:
Figure BDA0002998730410000031
where $\varepsilon_g$ is the global privacy budget and $\varepsilon_k$ is the privacy budget consumed by the k-th position point before the current position point;
S12: judge whether the current position point of the user is a key point, and calculate the importance $I$ of the current position point;
Assume the previous position point is $l_{i-1}$, the current position point is $l_i$ and the next position point is $l_{i+1}$, and the three position points are consecutive;
Obtain the vector
Figure BDA0002998730410000032
and the vector
Figure BDA0002998730410000033
The included angle $\beta$ between the two lies in $[0, \pi]$. If $\pi/2 < \beta \le \pi$, then the current position point $l_i$ is a key point and its importance is $I = |\cos(\beta)|$; otherwise, the current position point $l_i$ is a non-key point and $I = 0$;
S13: calculate the privacy leakage $TPL_{w-1}$ of the trajectory formed by the user's previous $w-1$ perturbed position points in the sliding window containing the user's current position point:
Figure BDA0002998730410000034
Figure BDA0002998730410000035
where $S(l_k, l_k')$ is the similarity between the true position $l_k$ and the perturbed position $l_k'$, and $\sigma$ is the scaling parameter; $d_{\perp}(l_k, l_k')$ is the vertical distance between the true position $l_k$ and the perturbed position $l_k'$; $d_{\parallel}(l_k, l_k')$ is the horizontal distance between them; $d_E(l_k, l_k')$ is the Euclidean distance between them.
Further, in step S2, the privacy budget $\varepsilon_i$ is calculated as:
$\varepsilon_i = \min(\max(\lambda\varepsilon_r, \varepsilon_{min}), \varepsilon_{max})$;
$\lambda = \beta_1 \cdot I + \beta_2 \cdot TPL_{w-1}$;
where $\varepsilon_{min}$ is the minimum privacy budget that guarantees the effectiveness of the perturbed trajectory, $\varepsilon_{max}$ is the maximum privacy budget that guarantees the effectiveness of the perturbed trajectory, $\lambda$ is the proportion of the privacy budget allocated to the user's current position point, and, in determining $\lambda$, $\beta_1$ is the weight of the position importance and $\beta_2$ is the weight of the trajectory's privacy leakage.
Further, the specific steps of step S3 are:
S31: obtain the candidate position point set $A$ and the probability that each candidate position point in $A$ is selected;
S32: establish an optimization model, split it into two sub-problems, maximizing the benefit obtained by the user and minimizing the privacy leakage, and select from the candidate set a perturbed position point that both guarantees the user's privacy and gives the user a satisfactory benefit.
Further, the specific steps of step S31 are:
S311: from the user's whole activity area, screen out the position points whose actual Manhattan distance $d_M$ from the current position point is less than the set distance value $D$, obtaining the candidate position point set $A$;
The Manhattan distance $d_M$ is calculated as:
$d_M(l_i, l_j) = |d_{\parallel}(l_i, l_j)| + |d_{\perp}(l_i, l_j)|$;
where $l_i$ is the current position point and $l_j$ is a real position point in the whole activity area;
S312: according to the obtained privacy budget $\varepsilon_i$, use the cumulative distribution function
Figure BDA0002998730410000041
to obtain the probability that each candidate position point in the candidate position point set $A$ is selected.
Further, the specific steps of step S32 are:
S321: establish the sub-problem model that maximizes the benefit obtained by the user, i.e. maximizes the effectiveness of the perturbed trajectory:
Figure BDA0002998730410000042
where $P(l_k \mid l_{k-1})$ is the probability that the user moves from position point $l_{k-1}$ to position point $l_k$, i.e. the probability that the position point is selected; $M(l_k' \mid l_k)$ is the differential privacy mechanism; $d_M(l_k, l_k')$ is the Manhattan distance between the user's true position $l_k$ and the perturbed position $l_k'$; $k$ is the index of the position point.
S322: establish the sub-problem model that minimizes the privacy leakage:
Figure BDA0002998730410000051
S323: during solving, fix one sub-problem and solve the other, substitute the result into the fixed sub-problem, and repeat until the two sub-problems yield the same result; that result is the perturbed position point.
The beneficial effects of the invention are as follows: the invention assumes that the user dynamically and continuously submits location information to the server. Based on this assumption, the method uses the concept of a sliding window in which the total privacy budget is fixed, allocates an appropriate privacy budget to the user's current position according to the privacy leakage of the perturbed trajectory and the importance of the current position, and then perturbs the user's position point to obtain a candidate set and the optimal perturbed position point. The invention can effectively protect the user's real-time location privacy locally, without relying on a server to protect the user's privacy.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the means of the instrumentalities and combinations particularly pointed out hereinafter.
Drawings
For the purposes of promoting a better understanding of the objects, aspects and advantages of the invention, reference will now be made to the following detailed description taken in conjunction with the accompanying drawings in which:
fig. 1 is a general block diagram of a differential privacy method for collecting user real-time location information in mobile crowd sensing.
Fig. 2 is a geographical area division diagram.
Fig. 3 is a measurement of a user's movement distance.
FIG. 4 is an illustration of keypoints and non-keypoints.
Fig. 5 is a contour map of taxi distribution, where panel a1 is raw GPS data during the unobstructed time period, panel a2 is perturbed GPS data during the unobstructed time period, panel b1 is raw GPS data during the peak time period, panel b2 is perturbed GPS data during the peak time period, panel c1 is raw GPS data during the normal time period, and panel c2 is perturbed GPS data during the normal time period.
FIG. 6 is a graph of privacy budget versus MAE and MRE, and FIG. 6a is a graph comparing the change in MAE as it changes from privacy budget 0.5 to 5 under different algorithms; fig. 6b is a graph comparing the MRE change when different algorithms change from privacy budget 0.5 to 5.
FIG. 7 is a relationship between a sliding window and MAE and MRE.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention in a schematic way, and the features in the following embodiments and examples may be combined with each other without conflict.
Before specifically describing the embodiments of the present invention, the 7 concepts related to the embodiments of the present invention are explained, specifically as follows:
(1) Mobile crowd sensing network: the mobile devices of ordinary users serve as basic sensing units and cooperate, consciously or unconsciously, through the mobile internet to distribute sensing tasks and collect sensing data, completing large-scale, complex social sensing activities.
(2) ε-differential privacy: for two data sets $D_1$, $D_2$ that differ by at most one record, let Range(M) be the range of the randomized algorithm M. If any output of the algorithm M on the data sets $D_1$ and $D_2$
Figure BDA0002998730410000071
satisfies $\Pr[M(D_1) \in S] \le e^{\varepsilon} \times \Pr[M(D_2) \in S]$, the algorithm M is said to satisfy ε-differential privacy. ε represents the degree of privacy protection: a smaller ε means stronger privacy protection and a larger ε means weaker protection; it generally takes values such as 0.01, 0.1, 1, 10, 100.
(3) w-trajectory differential privacy: for any two sub-trajectories $T_1$ and $T_2$ of the trajectory T, each containing w position points and differing in at most one position point, let Range(M) be the range of the randomized algorithm M. If the output of the algorithm M on the sub-trajectories $T_1$ and $T_2$ satisfies $\Pr[M(T_1) \in T] \le e^{\varepsilon} \times \Pr[M(T_2) \in T]$, then the algorithm M is said to satisfy w-trajectory differential privacy.
(4) Geographic region model: as shown in Fig. 2, a geographic region is discretized into m × n squares and labeled; the user's position at any time is represented by the number $c_i$ of the square or by the two-dimensional coordinates $(x_i, y_i)$.
(5) Distance between trajectories: as shown in Fig. 3, given any two positions $l_1$ and $l_2$, let α denote the azimuth angle between them, with α in $[0, 2\pi)$. The horizontal and vertical distances between $l_1$ and $l_2$ are $d_{\parallel}(l_1, l_2) = d_E(l_1, l_2)\cos(\pi/2 - \alpha)$ and $d_{\perp}(l_1, l_2) = d_E(l_1, l_2)\sin(\pi/2 - \alpha)$ respectively, where $d_E(l_1, l_2)$ is the Euclidean distance between $l_1$ and $l_2$; the Manhattan distance between $l_1$ and $l_2$ can then be expressed as $d_M(l_1, l_2) = |d_{\parallel}(l_1, l_2)| + |d_{\perp}(l_1, l_2)|$.
(6) Key points and non-key points: as shown in Fig. 4, for any three consecutive positions $l_i$, $l_{i+1}$ and $l_{i+2}$, we denote by β the included angle between the vector
Figure BDA0002998730410000072
and the vector
Figure BDA0002998730410000073
with β in $[0, \pi]$. If $\pi/2 < \beta \le \pi$, then $l_{i+1}$ is a key point; we denote its importance by $I$, and the importance of $l_{i+1}$ is $I = |\cos(\beta)|$. Otherwise, $l_{i+1}$ is a non-key point and its importance is $I = 0$.
(7) The trajectory privacy leakage is calculated as follows:
Figure BDA0002998730410000081
where $S(l_i, l_i')$ is a function representing the degree of correlation between two positions; here we use the Gaussian kernel function
Figure BDA0002998730410000082
as the similarity function. The parameter σ is a scaling parameter that avoids the situation where the correlation between position points increases rapidly as the distance between them decreases.
(8) To quantify the benefit that a third party or server can obtain from a perturbed trajectory submitted by a user, that is, the benefit obtained by the user, we calculate the expected value of the Manhattan distance between the perturbed trajectory submitted by the user and the user's actual trajectory.
First, for a given randomized algorithm M, we compute the expectation of the Manhattan distance between any two position points as follows:
Figure BDA0002998730410000083
where $P(l_i \mid l_{i-1})$ is the probability that the user moves from $l_{i-1}$ to $l_i$.
Next, we calculate the expected value of the Manhattan distance between the two trajectories
Figure BDA0002998730410000085
as follows:
Figure BDA0002998730410000084
A preferred embodiment of the invention: as shown in Fig. 1, a differential privacy method for collecting user real-time location information in mobile crowd sensing is provided, in which a user locally perturbs their real-time location using a differential privacy mechanism; in this process the user can control the strength of privacy protection while ensuring the validity of the uploaded data.
The differential privacy method provided by the invention is divided into three parts. The first part calculates the remaining privacy budget in the sliding window containing the user's current position, judges whether the current position point is a key point and calculates its importance, and calculates the privacy leakage of the user's trajectory. The second part allocates a privacy budget to the user's current position according to its importance and the privacy leakage. In the third part, the user perturbs the current position according to the allocated privacy budget to obtain a candidate position set, and selects a position point whose privacy leakage and obtained benefit both satisfy the user as the perturbed position to submit to the server. The method specifically comprises the following steps:
S1: calculate the remaining privacy budget $\varepsilon_r$ in the sliding window containing the user's current position point, judge whether the current position point is a key point and calculate its importance $I$, then calculate the privacy leakage $TPL_{w-1}$ of the user's trajectory.
S11: calculate the remaining privacy budget $\varepsilon_r$ in the sliding window containing the user's current position point.
The remaining privacy budget $\varepsilon_r$ of the current position point is calculated from the privacy budget consumed by the previous $w-1$ position points in the sliding window containing the user's current position point:
Figure BDA0002998730410000091
where $\varepsilon_g$ is the global privacy budget and $\varepsilon_k$ is the privacy budget consumed by the k-th position point before the current position point.
S12: judge whether the current position point of the user is a key point, and calculate the importance $I$ of the current position point;
Assume the previous position point is $l_{i-1}$, the current position point is $l_i$ and the next position point is $l_{i+1}$, and the three position points are consecutive;
Obtain the vector
Figure BDA0002998730410000092
and the vector
Figure BDA0002998730410000093
The included angle $\beta$ between the two lies in $[0, \pi]$. If $\pi/2 < \beta \le \pi$, then the current position point $l_i$ is a key point and its importance is $I = |\cos(\beta)|$; otherwise, the current position point $l_i$ is a non-key point and its importance is $I = 0$.
S13: calculate the privacy leakage $TPL_{w-1}$ of the trajectory formed by the user's previous $w-1$ perturbed position points in the sliding window containing the user's current position point:
Figure BDA0002998730410000101
Figure BDA0002998730410000102
where $S(l_k, l_k')$ is the similarity between the true position $l_k$ and the perturbed position $l_k'$, and $\sigma$ is the scaling parameter; $d_{\perp}(l_k, l_k')$ is the vertical distance between the true position $l_k$ and the perturbed position $l_k'$; $d_{\parallel}(l_k, l_k')$ is the horizontal distance between them; $d_E(l_k, l_k')$ is the Euclidean distance between them.
S2: allocate a privacy budget $\varepsilon_i$ to the user's current position point according to its importance $I$ and the privacy leakage $TPL_{w-1}$:
$\varepsilon_i = \min(\max(\lambda\varepsilon_r, \varepsilon_{min}), \varepsilon_{max})$;
$\lambda = \beta_1 \cdot I + \beta_2 \cdot TPL_{w-1}$;
where $\varepsilon_{min}$ is the minimum privacy budget that guarantees the effectiveness of the perturbed trajectory, $\varepsilon_{max}$ is the maximum privacy budget that guarantees the effectiveness of the perturbed trajectory, $\lambda$ is the proportion of the privacy budget allocated to the user's current position point, and, in determining $\lambda$, $\beta_1$ is the weight of the position importance and $\beta_2$ is the weight of the trajectory's privacy leakage.
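Steps S11, S12 and S2 worked through in Python, as an added example that is not code from the patent; it also audits the total spent in each window of w points, because the ε_min floor in S2 can allocate more than the remaining budget ε_r. Assumptions: the ε_r formula is an image missing from this page, so ε_r is taken as ε_g minus the sum of the previous w-1 budgets as the text describes; β is taken as the angle between the displacement vectors l_{i-1}→l_i and l_i→l_{i+1}; TPL_{w-1} is supplied as input because its formula is also missing; all names, parameter values and sample data are constructed.

```python
from collections import deque
import math


def importance(prev, cur, nxt):
    """S12: I = |cos(beta)| when pi/2 < beta <= pi, otherwise 0.

    Assumption: beta is the angle between the displacement vectors
    prev->cur and cur->nxt (the page's vector images are missing).
    """
    ax, ay = cur[0] - prev[0], cur[1] - prev[1]
    bx, by = nxt[0] - cur[0], nxt[1] - cur[1]
    na, nb = math.hypot(ax, ay), math.hypot(bx, by)
    if na == 0 or nb == 0:
        return 0.0  # no movement: angle undefined, treat as a non-key point
    cos_beta = max(-1.0, min(1.0, (ax * bx + ay * by) / (na * nb)))
    # beta in (pi/2, pi] is exactly the case cos(beta) < 0
    return -cos_beta if cos_beta < 0 else 0.0


class WindowBudgetAllocator:
    """S11 + S2 over a sliding window of w position points."""

    def __init__(self, eps_g, w, eps_min, eps_max, beta1, beta2):
        if w < 1 or not 0 < eps_min <= eps_max:
            raise ValueError("need w >= 1 and 0 < eps_min <= eps_max")
        self.eps_g, self.eps_min, self.eps_max = eps_g, eps_min, eps_max
        self.beta1, self.beta2 = beta1, beta2
        self.spent = deque(maxlen=w - 1)  # budgets of the previous w-1 points

    def remaining(self):
        # Assumed form of the missing S11 formula: eps_g - sum(previous w-1).
        return self.eps_g - sum(self.spent)

    def allocate(self, imp, tpl):
        """Return the S2 allocation for one point and record it in the window."""
        eps_r = self.remaining()
        lam = self.beta1 * imp + self.beta2 * tpl
        eps_i = min(max(lam * eps_r, self.eps_min), self.eps_max)
        # The eps_min floor can exceed what is left in the window.
        overspend = eps_i > eps_r + 1e-12
        self.spent.append(eps_i)
        return {"eps_r": eps_r, "lambda": lam, "eps_i": eps_i,
                "overspend": overspend}


def allocate_trajectory(points, tpls, **params):
    """Allocate a budget to every interior point of a trajectory.

    tpls[j] is the (externally computed) TPL_{w-1} for interior point j.
    """
    alloc = WindowBudgetAllocator(**params)
    results = []
    for i in range(1, len(points) - 1):
        imp = importance(points[i - 1], points[i], points[i + 1])
        results.append(alloc.allocate(imp, tpls[i - 1]))
    return results


def worst_window_spend(budgets, w):
    """Largest total budget spent over any w consecutive points."""
    n_windows = max(1, len(budgets) - w + 1)
    return max(sum(budgets[i:i + w]) for i in range(n_windows))


# Constructed sample data (grid coordinates, not from the patent).
PARAMS = dict(eps_g=1.0, w=3, eps_min=0.1, eps_max=0.5, beta1=0.5, beta2=0.5)
TRACK = [(0, 0), (1, 0), (2, 0), (1, 0), (2, 0), (1, 1)]
TPLS = [0.2, 1.0, 1.0, 0.6]

if __name__ == "__main__":
    rows = allocate_trajectory(TRACK, TPLS, **PARAMS)
    for r in rows:
        print({k: round(v, 4) if isinstance(v, float) else v
               for k, v in r.items()})
    spent = [r["eps_i"] for r in rows]
    print("worst window:", round(worst_window_spend(spent, PARAMS["w"]), 4),
          "of eps_g =", PARAMS["eps_g"])
```

An `overspend` flag of True means the w-window total exceeds ε_g for that window, which is the condition to check when choosing ε_min, ε_max and w together.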
S3: the user perturbs the current position point according to the allocated privacy budget $\varepsilon_i$ to obtain a candidate position point set $A$, and selects a position point whose privacy leakage and obtained benefit both satisfy the user as the perturbed position to submit to the server.
S31: obtain the candidate position point set $A$ and the probability that each candidate position point in $A$ is selected;
S311: from the user's whole activity area, screen out the position points whose actual Manhattan distance $d_M$ from the current position point is smaller than 10, obtaining the candidate position point set $A$;
The Manhattan distance $d_M$ is calculated as:
$d_M(l_i, l_j) = |d_{\parallel}(l_i, l_j)| + |d_{\perp}(l_i, l_j)|$;
where $l_i$ is the current position point and $l_j$ is a real position point in the whole activity area.
S312: according to the obtained privacy budget $\varepsilon_i$, use the cumulative distribution function
Figure BDA0002998730410000111
to obtain the probability that each candidate position point in the candidate position point set $A$ is selected.
S32: establish an optimization model, split it into two sub-problems, maximizing the benefit obtained by the user and minimizing the privacy leakage, and select from the candidate set a perturbed position point that both guarantees the user's privacy and gives the user a satisfactory benefit.
S321: establish the sub-problem model that maximizes the benefit obtained by the user, i.e. maximizes the effectiveness of the perturbed trajectory:
Figure BDA0002998730410000112
where $P(l_k \mid l_{k-1})$ is the probability that the user moves from position point $l_{k-1}$ to position point $l_k$, i.e. the probability that the position point is selected; $M(l_k' \mid l_k)$ is the differential privacy mechanism; $d_M(l_k, l_k')$ is the Manhattan distance between the user's true position $l_k$ and the perturbed position $l_k'$; $k$ is the index of the position point.
S322: establish the sub-problem model that minimizes the privacy leakage:
Figure BDA0002998730410000113
S323: during solving, fix one sub-problem and solve the other, substitute the result into the fixed sub-problem, and repeat until the two sub-problems yield the same result; that result is the perturbed position point.
Verification of the examples:
During the experiment, the activity area in the entire data set was divided into 80 × 60 cells, each cell being a square with a side of 200 meters. Before experimentally verifying how effectively the proposed method protects the privacy of the user's trajectory, its effectiveness is first demonstrated visually by way of example. The time of day is divided into three time periods:
Unobstructed time period (00:00-7:00);
Peak time periods (7:00-10:00 & 17:00-20:00);
Normal time periods (10:00-12:00 & 13:00-17:00).
To describe the traffic flow in the three time periods, the privacy budget ε is fixed at 1 and the user's trajectory is perturbed using the proposed method. After the perturbed GPS data is obtained, contour maps of the original GPS data and the perturbed GPS data are drawn. Fig. 5 shows the result, where panel a1 is the original GPS data in the unobstructed time period, panel b1 is the original GPS data in the peak time period, panel c1 is the original GPS data in the normal time period, panel a2 is the perturbed GPS data in the unobstructed time period, panel b2 is the perturbed GPS data in the peak time period, and panel c2 is the perturbed GPS data in the normal time period; a darker color in each panel indicates larger traffic flow at that position. It can be observed that there is a large difference between the contour maps drawn for the original GPS data and the perturbed GPS data, but the street information represented by the perturbed GPS data coincides with the street information represented by the original GPS data.
To evaluate the performance of the invention, two indexes were used: Mean Absolute Error (MAE) and Mean Relative Error (MRE). Let $T = \{l_1, l_2, \ldots, l_n\}$ denote the user's real trajectory sequence and $R = \{r_1, r_2, \ldots, r_n\}$ denote the perturbed trajectory sequence submitted by the user to a third party or server.
The MAE and MRE are calculated by assigning the denominator MAE in the formula to reduce the deviation of some too large or too small data from the result.
Figure BDA0002998730410000131
Figure BDA0002998730410000132
The values of MAE and MRE depend on two factors: the privacy budget epsilon and the size of the sliding window w defined in the invention. A series of experiments were next performed to verify the effectiveness of the invention.
First, the influence of the privacy budget on the user's benefit is studied, with the sliding window size w set to 5 and the trajectory length set to 5. Fig. 6 compares the user's benefit under different algorithms as the privacy budget changes from 0.5 to 5, where RDCTP is the method of the present invention; Fig. 6a compares the change in MAE under different algorithms as the privacy budget changes from 0.5 to 5, and Fig. 6b compares the change in MRE under different algorithms as the privacy budget changes from 0.5 to 5. It can be seen from the figure that MAE and MRE under the three algorithms both decrease as the privacy budget increases, because the added noise gradually decreases. Furthermore, the present invention performs better than GNoise and SDD because the method it uses can adaptively allocate privacy budgets.
Finally, the influence of the sliding window size on the user's benefit is studied: the privacy budget is fixed at 1 and the trajectory length at 15 while the sliding window size w is varied. Fig. 7 shows the variation of MAE and MRE under this invention.
We can observe that both MAE and MRE increase as the sliding window w increases. This is because the privacy budget allocated to each location becomes smaller, which indicates increased privacy protection for the location. Furthermore, MRE increases slightly because the budget allocation mechanism takes into account the trajectory privacy leakage and the remaining budget to adaptively allocate the privacy budget to the current location. Accordingly, RDCTP is robust to variations in the sliding window w.
Simulation on real-world traffic data collected by taxis in Shanghai verifies that the method provides a higher level of privacy protection than existing related work while preserving the effectiveness and practicality of the trajectory.
Finally, the above embodiments are only intended to illustrate the technical solutions of the present invention and not to limit the present invention, and although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions, and all of them should be covered by the claims of the present invention.

Claims (6)

1. A differential privacy method for collecting user real-time position information in mobile crowd sensing, characterized in that the real-time position of a user can be protected, the method comprising the following steps:
S1: calculating the residual privacy budget ε_r in the sliding window in which the user's current position point is located, judging whether the user's current position point is a key point and calculating its importance I, and then calculating the privacy leakage TPL_{w-1} of the user track;
S2: allocating a privacy budget ε_i to the user's current position point according to the importance I of the current position point and the privacy leakage TPL_{w-1};
S3: based on the allocated privacy budget ε_i, the user disturbs the current position point to obtain a candidate position point set A, and selects a position point that satisfies the user in terms of both the privacy leakage amount and the obtained income as the disturbance position to submit to a server.
2. The differential privacy method for collecting real-time location information of users in mobile crowd sensing according to claim 1, wherein step S1 comprises the following specific steps:
S11: calculating the residual privacy budget ε_r in the sliding window in which the user's current position point is located:
the residual privacy budget ε_r of the current position point is calculated from the privacy budget consumed by the previous w-1 position points in the sliding window in which the user's current position point is located:
Figure FDA0002998730400000011
wherein ε_g is the global privacy budget and ε_k is the privacy budget consumed by the k-th position point before the current position point;
S12: judging whether the user's current position point is a key point, and calculating the importance I of the current position point;
assume the previous position point is l_{i-1}, the current position point is l_i and the next position point is l_{i+1}, the three position points being consecutive;
obtaining the vector
Figure FDA0002998730400000012
and the vector
Figure FDA0002998730400000013
The included angle β between the two lies within [0, π]. If π/2 < β ≤ π, the current position point l_i is a key point and the importance of the current position point is I = |cos(β)|; otherwise, the current position point l_i is a non-key point and I = 0;
S13: calculating, according to the sliding window in which the user's current position point is located, the privacy leakage TPL_{w-1} of the track formed by the user's previous w-1 disturbance position points:
Figure FDA0002998730400000021
Figure FDA0002998730400000022
wherein S(l_k, l_k') is the similarity between the true position l_k and the disturbance position l_k', and the parameter σ is the scaling function; d_⊥(l_k, l_k') is the vertical distance between the true position l_k and the disturbance position l_k'; d_∥(l_k, l_k') is the horizontal distance between the true position l_k and the disturbance position l_k'; d_E(l_k, l_k') is the Euclidean distance between the true position l_k and the disturbance position l_k'.
3. The differential privacy method for collecting real-time location information of users in mobile crowd sensing according to claim 1, wherein the privacy budget ε_i in step S2 is calculated as follows:
ε_i = min(max(λ·ε_r, ε_min), ε_max);
λ = β_1·I + β_2·TPL_{w-1};
wherein ε_min is the minimum privacy budget that guarantees the validity of the disturbance track, ε_max is the maximum privacy budget that guarantees the validity of the disturbance track, λ is the proportion of the privacy budget allocated to the user's current position point, β_1 is the proportion of the position importance, and β_2 is the proportion of the track privacy leakage amount.
4. The differential privacy method for collecting real-time location information of users in mobile crowd sensing according to claim 1, wherein step S3 comprises the following specific steps:
S31: obtaining a candidate position point set A and the probability that each candidate position point in the candidate position point set A is selected;
S32: establishing an optimization model, dividing it into two subproblems, namely maximizing the income obtained by the user and minimizing the privacy leakage amount, and selecting from the candidate set a disturbance position point that both ensures the user's privacy and leaves the user satisfied with the income obtained.
5. The differential privacy method for collecting real-time location information of users in mobile crowd sensing according to claim 4, wherein step S31 comprises the following specific steps:
S311: screening out, from the user's whole activity area, the position points whose actual Manhattan distance d_M from the current position point is smaller than the set distance value D, to obtain the candidate position point set A;
the Manhattan distance d_M is calculated as follows:
d_M(l_i, l_j) = |d_∥(l_i, l_j)| + |d_⊥(l_i, l_j)|;
wherein l_i is the current position point and l_j is a real position point in the whole activity area;
S312: according to the obtained privacy budget ε_i, using the cumulative distribution function C_{ε_i}(d_M(l_i, l_j)) to obtain the probability that each candidate position point in the candidate position point set A is selected.
6. The differential privacy method for collecting real-time location information of users in mobile crowd sensing according to claim 4, wherein step S32 comprises the following specific steps:
S321: establishing the subproblem model that maximizes the income obtained by the user, i.e. that maximizes the validity of the disturbance track, as follows:
Figure FDA0002998730400000031
wherein P(l_k | l_{k-1}) denotes the probability that the user moves from position point l_{k-1} to position point l_k, i.e. the probability that the position point is selected; M(l_k' | l_k) is the differential privacy mechanism; d_M(l_k, l_k') is the Manhattan distance between the user's true position l_k and the disturbance position l_k'; k denotes the subscript of the position point;
S322: establishing the subproblem model that minimizes the privacy leakage, as follows:
Figure FDA0002998730400000041
S323: during solving, one subproblem is fixed while the other is solved, and the result is substituted into the fixed subproblem, until the two subproblems yield the same result; that result is the disturbance position point.
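The budget allocation of steps S11, S12 and S2 (claims 2 and 3) can be traced with the following added example, which is not part of the patent text. Assumptions, since the corresponding formulas appear only as figures on the page: ε_r is taken as ε_g minus the budgets consumed by the previous w-1 points, the two vectors are l_{i-1}→l_i and l_i→l_{i+1}, and the TPL_{w-1} values and all parameters are constructed sample inputs.

```python
import math

def importance(prev, cur, nxt):
    """S12: I = |cos(beta)| when pi/2 < beta <= pi (key point), else 0."""
    # Assumption: the vectors are prev->cur and cur->nxt (figures missing on the page).
    v1 = (cur[0] - prev[0], cur[1] - prev[1])
    v2 = (nxt[0] - cur[0], nxt[1] - cur[1])
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        return 0.0  # no movement, so no turning angle
    cos_b = max(-1.0, min(1.0, (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)))
    return abs(cos_b) if math.acos(cos_b) > math.pi / 2 else 0.0

def residual_budget(eps_g, spent, w):
    """S11. Assumption: eps_r = eps_g minus the budgets of the previous w-1 points."""
    return eps_g - (sum(spent[-(w - 1):]) if w > 1 else 0.0)

def allocate(eps_r, imp, tpl, b1, b2, eps_min, eps_max):
    """S2 (claim 3): eps_i = min(max(lambda * eps_r, eps_min), eps_max)."""
    lam = b1 * imp + b2 * tpl
    return min(max(lam * eps_r, eps_min), eps_max)

def allocate_trajectory(points, tpls, eps_g, w, b1, b2, eps_min, eps_max):
    """Budgets for the interior points (the angle needs both neighbours)."""
    spent = []
    for i in range(1, len(points) - 1):
        imp = importance(points[i - 1], points[i], points[i + 1])
        eps_r = residual_budget(eps_g, spent, w)
        spent.append(allocate(eps_r, imp, tpls[i], b1, b2, eps_min, eps_max))
    return spent

def max_window_spend(spent, w):
    """Largest total budget consumed inside any sliding window of w points."""
    return max(sum(spent[i:i + w]) for i in range(len(spent)))

# Constructed sample: straight segment, a 135-degree turn at (2, 0), then straight.
POINTS = [(0, 0), (1, 0), (2, 0), (1, 1), (0, 2)]
TPLS = [0.0, 0.2, 0.2, 0.2, 0.0]  # constructed TPL_{w-1} values

if __name__ == "__main__":
    eps = allocate_trajectory(POINTS, TPLS, eps_g=1.0, w=3, b1=0.5, b2=0.5,
                              eps_min=0.05, eps_max=0.5)
    print([round(e, 4) for e in eps], max_window_spend(eps, 3))
```

Under the assumed ε_r, the ε_min floor is applied even when ε_r is already below ε_min, so a large ε_min relative to ε_g can push a window's total above ε_g; comparing `max_window_spend` with ε_g catches that parameter choice.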
CN202110338934.6A 2021-03-30 2021-03-30 Differential privacy method for collecting user real-time position information in mobile crowd sensing Withdrawn CN113207120A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110338934.6A CN113207120A (en) 2021-03-30 2021-03-30 Differential privacy method for collecting user real-time position information in mobile crowd sensing

Publications (1)

Publication Number Publication Date
CN113207120A true CN113207120A (en) 2021-08-03

Family

ID=77025836

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110338934.6A Withdrawn CN113207120A (en) 2021-03-30 2021-03-30 Differential privacy method for collecting user real-time position information in mobile crowd sensing

Country Status (1)

Country Link
CN (1) CN113207120A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210803
