CN113573234A - Position privacy protection method in large indoor position service scene - Google Patents

Info

Publication number: CN113573234A
Authority: CN (China)
Prior art keywords: privacy, dimensional space, discretization, noise, indistinguishability
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110883750.8A
Other languages: Chinese (zh)
Other versions: CN113573234B (en)
Inventors: 闵明慧, 崔博言, 李孙笑何, 胥俊怀, 李世银
Current assignee: China University of Mining and Technology (CUMT) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China University of Mining and Technology (CUMT)
Events: application filed by China University of Mining and Technology (CUMT); priority to CN202110883750.8A (CN113573234B/en); publication of CN113573234A (CN113573234A/en); application granted; publication of CN113573234B (CN113573234B/en); legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/02 Services making use of location information > H04W4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60 Context-dependent security > H04W12/63 Location-dependent; Proximity-dependent > H04W12/64 Location-dependent; Proximity-dependent using geofenced areas
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/02 Services making use of location information > H04W4/025 Services making use of location information using location based information parameters
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor > H04W4/30 Services specially adapted for particular environments, situations or purposes > H04W4/33 Services specially adapted for particular environments, situations or purposes for indoor environments, e.g. buildings

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Instructional Devices (AREA)
  • Processing Or Creating Images (AREA)

Abstract

A position privacy protection method in a large indoor position service scene belongs to the field of location services and information security. For position privacy leakage caused by an untrusted server or an eavesdropper during three-dimensional location service, the method adopts geographic indistinguishability: the X, Y and Z coordinates of a position are perturbed simultaneously by a three-dimensional Laplace noise mechanism, the perturbed position is determined by a discretization and truncation method, the mathematical relation between the privacy budgets before and after discretization and truncation is analysed, and the privacy budget degradation caused by discretization is compensated by adding extra noise. The method can cope with position privacy leakage in a three-dimensional location service environment and improves the privacy of location data in a location service system under location inference attacks. Its advantages are that it perturbs all three dimensions of the position simultaneously, based on geographic indistinguishability in three-dimensional space (a form of differential privacy), and provides a strict measurement method and an implementation mechanism for three-dimensional position privacy protection.

Description

Position privacy protection method in large indoor position service scene
Technical Field
The invention relates to the field of location service and information security, in particular to a location privacy protection method in a large-scale indoor location service scene.
Background
Due to the rapid development of 5G communication technology and the increasing population density in cities, location-based services [1: research on privacy protection technology for location data [D]. Harbin Institute of Technology, 2020] have been widely applied in large indoor buildings such as large hospitals and shopping malls. By 2025, the global indoor LBS market size is expected to reach $187.4 billion. At the same time, the risk of disclosure of user location privacy is also increasing: in 2020 the United States Federal Communications Commission proposed a fine of at least 2 billion dollars for four major mobile phone companies because they divulged real-time consumer location data. The problem of location privacy protection in three-dimensional spaces such as large indoor buildings is of increasing interest to both academia and industry. At present, most location privacy protection schemes focus on two-dimensional space, and when the location data of a user contains height information, these mechanisms cannot cope with location inference attacks performed by an untrusted location server or an eavesdropping attacker using existing background knowledge.
In recent years, researchers at home and abroad have paid much attention to the problem of location privacy disclosure in location services, and K-anonymity [2: Yujuan, research on a privacy protection method based on location services [D]. Northwest Normal University, 2020], mix-zone, encryption, perturbation and other methods have been adopted to protect location privacy. However, an encryption-based location privacy protection mechanism completely hides the user's location information and is therefore unsuitable for location service applications. In addition, a K-anonymity-based mechanism relies on a trusted third party, and once that server is paralysed or attacked the user's privacy is exposed to leakage. A perturbation-based location privacy protection mechanism can be implemented locally at the user end and avoids dependence on a trusted and secure server.
Two-dimensional geo-indistinguishability is an extension of traditional differential privacy used to protect the location privacy of a single user in the two-dimensional plane [3: M. Andrés, N. Bordenabe, K. Chatzikokolakis, and C. Palamidessi, Geo-indistinguishability: Differential privacy for location-based systems [C]. ACM Conference on Computer and Communications Security (CCS), 2013: 901-]. Using a perturbation mechanism based on two-dimensional geo-indistinguishability, the mobile user can locally generate a random fake position and send it to the location server with the service request, so that the true position is known only to the user. However, when a user is in a three-dimensional space such as a large hospital, this two-dimensional mechanism cannot effectively prevent location inference attacks, because the user's height information is introduced. For example, if a user's floor is leaked, his or her medical condition is exposed to an attacker. Therefore, it is important to research user location data protection mechanisms for three-dimensional location services.
Disclosure of Invention
The invention aims to provide a position privacy protection method for a large-scale indoor location service scene, which protects the privacy of location data in location service scenes such as large-scale indoor three-dimensional spaces.
The purpose of the invention is realized as follows: a position privacy protection method in three-dimensional space addresses position privacy leakage caused by an untrusted server or an eavesdropper during three-dimensional location service. Geographic indistinguishability is adopted; the X, Y and Z coordinates of a position are perturbed simultaneously by a three-dimensional Laplace noise mechanism; the perturbed position is determined by a discretization and truncation method; the mathematical relation between the privacy budgets before and after discretization and truncation is analysed; and the privacy budget degradation caused by discretization is compensated by adding extra noise. The method can cope with position privacy leakage in a three-dimensional location service environment and improves the privacy of location data in a location service system under location inference attacks.
The method comprises the following specific steps:
step 1: defining a geographically indistinguishable mechanism in three-dimensional space; a strict and provable measurement method for position privacy in three-dimensional space based on differential privacy, namely three-dimensional geographic indistinguishability, is provided and defined as follows:
[formula image BDA0003193193800000021]
where ε is the privacy budget, and the perturbation mechanism [formula image BDA0003193193800000022] satisfies ε-geographic indistinguishability for all [formula image BDA0003193193800000023] and [formula image BDA0003193193800000024] in three-dimensional space, where [formula image BDA0003193193800000025] is the possible set of real positions of the mobile terminal, [formula image BDA0003193193800000026] is the possible set of perturbed positions, x1 is the user position, x' is the perturbed position, and d3(x1, x2) is the radius of the spherical region centred on x1;
in step 1, three-dimensional geographic indistinguishability ensures that for any two geographically close locations in three-dimensional space the probability distributions of their perturbed locations are similar, as measured by the privacy budget ε and the spherical region of radius d3(x1, x2) centred on the user location x1; the true position in that region is thereby protected.
Step 2: simultaneously perturbing the X, Y and Z coordinates of the position in three-dimensional space;
in step 2, the concrete steps are as follows:
step 1), introduce a noise generation mechanism with the probability density function
[formula image BDA0003193193800000027]
where ε is the privacy budget, x1 the true user position, x' the perturbed position, d3(x1, x2) the radius of the spherical region centred on x1, and A a normalization coefficient;
step 2), replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed position; the true user position is x1 and the perturbed position x' is expressed as (r, θ, ψ), where ε is the privacy budget, r denotes the distance between x1 and x', θ is the polar angle and ψ is the azimuth angle; the probability density function in the spherical coordinate system is:
[formula image BDA0003193193800000028]
Three variables are defined: the radius [formula image BDA0003193193800000029], the polar angle θ and the azimuth ψ, with the marginal distributions of the three variables:
[formula image BDA00031931938000000210]
step 3), send the perturbed position x' to the LBS server according to the noise distribution function;
in step 2), the method for obtaining the perturbed position x' comprises:
step (1), select a random vector U(θ, ψ) on the unit sphere;
step (2), the expression [formula image BDA0003193193800000031] in formula (3) is exactly the probability density function of the gamma distribution Γ(3, 1/ε); a radius r is drawn from Γ(3, 1/ε), and the perturbed position x' then follows the distribution x1 + Ur.
Step 3: a cubic grid [formula image BDA0003193193800000032] is used to approximate the noise generated by the Laplace mechanism in three-dimensional coordinates; a discretized noise mechanism is designed, the relation between the privacy budgets before and after discretization is derived, and the discretized mechanism is guaranteed to still satisfy differential privacy;
in step 3, the true user position is x1 and the perturbed position [formula image BDA0003193193800000033] is generated in the following two steps:
step 1), with x1 as the centre of a spherical coordinate system, a perturbed position [formula image BDA0003193193800000034] is generated using the three-variable Laplace noise mechanism;
step 2), [formula image BDA0003193193800000035] is remapped to the nearest location x' in the space; this mechanism is denoted [formula image BDA0003193193800000036];
the discretized privacy budget ε' is determined by the privacy budget ε, the cubic grid [formula image BDA0003193193800000037] and the accuracy of the device, and the degraded privacy budget is compensated by adding extra noise;
Step 4: designing a noise mechanism after truncation to ensure geographic indistinguishability in three-dimensional space; the mechanism above cannot satisfy differential privacy in an arbitrary three-dimensional space.
In step 4, the mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space for the following reasons:
1) the discretized noise mechanism can guarantee differential privacy only within a limited range;
2) the user's accessible space is limited in a real scene. To ensure geographic indistinguishability after discretization and to confine the position to a limited area, an unreasonable position is mapped into the limited range by a truncation method, and the geographic indistinguishability property in three-dimensional space is preserved.
In step 3, the three-variable Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously to ensure geographic indistinguishability in three-dimensional space.
In step 3, the noise is discretized in the spherical coordinate system of the three-dimensional space, and the perturbed position is generated while the geographic indistinguishability parameters are kept unchanged.
In step 4, to ensure geographic indistinguishability after discretization and to confine the position to a limited area, an unreasonable position is mapped into the limited range by a truncation method, and the geographic indistinguishability property is kept unchanged. Based on the device precision, the limited spatial range and the discretization unit, the mathematical relation between the privacy budgets before and after discretization and truncation is analysed, and extra noise is added to compensate the privacy budget degradation caused by discretization, so that the noise mechanism after discretization and truncation still strictly ensures geographic indistinguishability in three-dimensional space.
The method has the following advantages. For the problem that position privacy is leaked because an untrusted server or an attacker eavesdrops during location service in a large indoor three-dimensional space, the scheme measures position privacy strictly, based on geographic indistinguishability in three-dimensional space (a form of differential privacy), and perturbs the X, Y and Z coordinates of the position simultaneously with a three-dimensional Laplace noise mechanism, so that an attacker cannot obtain the accurate position of a user. In addition, because of the limited precision of hardware in practice, a mobile device cannot generate an arbitrary fake position from a continuous noise function; moreover, in real scenes the user's accessible space is limited. Therefore, the perturbed position is determined by a discretization and truncation method, the mathematical relation between the privacy budgets before and after discretization and truncation is analysed, and the privacy budget degradation caused by discretization is compensated by adding extra noise, so that the noise mechanism after discretization and truncation still strictly ensures differential privacy.
This solves the problem of position privacy disclosure caused by an untrusted server or an eavesdropper during location service in a large indoor three-dimensional space, and achieves position privacy protection in that location service scene.
A geographically indistinguishable mechanism in three-dimensional space means that, for any position within a given spherical region of radius R, the distribution of the inference result about the user's true position is similar no matter how much prior knowledge the attacker has; that is, although an attacker can determine that the user is within the spherical region of radius R, it cannot determine the user's exact location, and an attacker who already knows the region the user is in can infer no more information from the user's perturbed location, whatever its prior.
The mechanism ensures that for any two geographically close locations in three-dimensional space the perturbed distributions are close; that is, ε·d3(x1, x2) can be seen as the geographic indistinguishability metric: the closer x1 and x2 are, the more similar the perturbed-position distributions [formula image BDA0003193193800000041] and [formula image BDA0003193193800000042] become.
The X, Y and Z coordinates of the position in three-dimensional space are perturbed simultaneously: a three-dimensional Laplace noise mechanism realizes geographic indistinguishability in continuous three-dimensional space, a randomly generated perturbed position x' is sent to the location service server according to the noise distribution function, and when the true position is x1 or x2 [formula image BDA0003193193800000043], the probability of any position in the transfer region differs by at most [formula image BDA0003193193800000044].
Considering the limited accuracy of hardware devices in practice, a mobile device cannot generate arbitrary fake locations from a continuous noise function.
The discretized noise mechanism can still ensure geographic indistinguishability in three-dimensional space, but causes degradation of the privacy budget; the discretized privacy budget ε' is determined by the privacy budget ε, the cubic grid [formula image BDA0003193193800000045] and the accuracy of the device, and the degraded privacy budget is compensated by adding extra noise.
Since most location privacy protection schemes focus on two-dimensional space, they cannot cope with location inference attacks performed by an untrusted location server or an eavesdropping attacker using existing background knowledge once the user's location data contains height information, and encryption-based mechanisms completely hide the user's location and are therefore unsuitable for location service applications. In addition, some mechanisms, such as K-anonymity, rely on a trusted third party, and once that server is down or attacked there is a threat of revealing user privacy. Therefore, the method adopts geographic indistinguishability, determines the perturbed position with a three-dimensional Laplace noise mechanism, and designs discretization and truncation to account for the limited device precision and the limited user access space of real scenes, so that an attacker cannot obtain the user's accurate position, location inference attacks in a three-dimensional location service environment are resisted, and the privacy of location data in the location service system is improved.
The advantages are that the method takes position height information into account, provides a strict and provable way of measuring position privacy in three-dimensional space, designs a three-dimensional Laplace noise mechanism, and protects the privacy of location data in location service scenes such as large-scale indoor three-dimensional spaces.
Drawings
FIG. 1 is a scene diagram of a three-dimensional location service system, such as a large hospital, according to the present invention;
FIG. 2 is a flow chart of the location privacy protection method based on the three-dimensional geographic indistinguishability mechanism employed in the present invention.
Detailed Description
The technical solution of the present invention is further described below with reference to examples, but the scope of the claims is not limited thereto.
Example 1: a technical method for protecting position privacy in a three-dimensional space under a large indoor position service scene comprises the following specific implementation steps:
Step 1: set up the three-dimensional space environment, consider a position perturbation mechanism for all three dimensions at once, and design a three-dimensional Laplace noise mechanism. As shown in FIG. 1, assume the scene of a three-dimensional location service system in a large hospital: the hospital occupies a cuboid map 600 metres long and wide and 60 metres high, divided into 30 × 30 × 20 cubic cells, i.e. 18000 cells each 20 metres long and wide and 3 metres high; different cells represent different location areas, numbered {c1, c2, c3, ...}. When a user moves within the hospital, the user sends his or her current position to the location server to request service, and at that moment an untrusted location server or an eavesdropping attacker can use existing background knowledge to mount an inference attack on the user's location privacy and then send spam or commit fraud against the user. By adopting geographic indistinguishability in three-dimensional space, the user instead publishes a perturbed position to the location server, which prevents an attacker from stealing the user's location privacy in the hospital and improves the privacy of the location data in the location service system under location inference attacks.
The position privacy protection method under the large indoor position service scene is mainly divided into four processes of defining a geographical indistinguishable mechanism in a three-dimensional space, generating a disturbed position based on the geographical indistinguishable mechanism in the three-dimensional space, designing a discretization noise mechanism and ensuring the geographical indistinguishable attributes of the three-dimensional space by utilizing a truncation method.
Step 2: define the geographically indistinguishable mechanism in three-dimensional space and provide a strict and provable three-dimensional position privacy measurement method based on differential privacy; the geographically indistinguishable mechanism in three-dimensional space is defined as follows:
[formula image BDA0003193193800000071]
in which the perturbation mechanism [formula image BDA0003193193800000072] satisfies ε-geographic indistinguishability for all [formula image BDA0003193193800000073] and [formula image BDA0003193193800000074] in three-dimensional space, where [formula image BDA0003193193800000075] is the possible set of real positions of the mobile terminal and [formula image BDA0003193193800000076] is the possible set of perturbed positions. This definition ensures that for any two geographically close locations in three-dimensional space the probability distributions of their perturbed locations are similar, as measured by the privacy budget ε and by the spherical region of radius d3(x1, x2) centred on the user location x1. That is, ε·d3(x1, x2) can be seen as the geographic indistinguishability metric: the closer x1 and x2 are, the more similar the perturbed-position distributions [formula image BDA0003193193800000077] and [formula image BDA0003193193800000078] become. Since all positions in the spherical region produce approximately the same distribution of the perturbed location, the true position in the region is protected.
And step 3: a disturbance location is generated in three-dimensional space based on a three-dimensional geographically indistinguishable mechanism. In order to make the operation more convenient and efficient, the invention replaces a Cartesian coordinate system with a spherical coordinate system. The user real position is x1The perturbation position is x', which can be expressed as (r, theta, psi), where r represents x1And x', theta is a polar angle, psi is an azimuth angle, and the substitution formula is known for two:
Figure BDA0003193193800000079
defining three variables, respectively radii
Figure BDA00031931938000000710
Polar angle θ, azimuth Ψ, and its edge distribution function:
Figure BDA00031931938000000711
Figure BDA00031931938000000712
Figure BDA00031931938000000713
finally, the perturbation position x' is obtained according to the following two steps: (1) selecting a random vector U (theta, psi) in a unit sphere (2), selecting a radius r according to gamma distribution gamma (3, 1/epsilon), and enabling a disturbance position x' to be subjected to distribution x1+Ur。
And 4, step 4: discretized laplacian mechanism. At the actual position x of the user1Generating the disturbance position by the following two steps
Figure BDA00031931938000000714
Figure BDA00031931938000000715
Is a cubeGrid, hypothesis
Figure BDA00031931938000000716
Has a length of u, a width of v, a height of h, and u > v > h:
1) at x1Generating a disturbance position in a spherical coordinate system by using the Laplace mechanism of the 3 variables in the step 3
Figure BDA00031931938000000717
2) Will be provided with
Figure BDA0003193193800000081
Remapping to distances
Figure BDA0003193193800000082
The nearest position x', i.e.:
Figure BDA0003193193800000083
let the values dr, d θ,
Figure BDA0003193193800000084
respectively, represent the values of r, theta,
Figure BDA0003193193800000085
precision of the apparatus in three directions, B denotes the accuracy in step 1)
Figure BDA0003193193800000086
The resulting set of discrete points. Each point being
Figure BDA0003193193800000087
Is formed from r, r + dr, theta + d theta,
Figure BDA0003193193800000088
the probability of connected regions. Generated in step 1)
Figure BDA0003193193800000089
Has a probability of NB(x')=N(x')∩B。
N (x') and cube
Figure BDA00031931938000000810
Is related to the step size of NB(x') is composed of cubes
Figure BDA00031931938000000811
The step size of (a) and the accuracy of the device affect together. The discretized privacy budget epsilon' is compared to the previous privacy budget epsilon,
Figure BDA00031931938000000812
length u, width v, height h of the device are related to the accuracy of the device. Because the privacy budget epsilon ' is reduced by discretization, the noise required to be added is quantized according to the difference between epsilon ' and epsilon ', and the privacy budget degradation caused by discretization is compensated by adding the extra noise, so that the discretization noise adding mechanism is ensured to still ensure the geographical non-partitionable characteristic in the three-dimensional space.
And 5: the geographical indistinguishability of the discrete laplace mechanism is ensured by means of truncation. Let alpha represent a finite area with a diameter Dα. Order to
Figure BDA00031931938000000813
Is a noise adding mechanism after truncation. Is provided with
Figure BDA00031931938000000814
The phase mechanism is similar to the discrete Laplace mechanism, except that the perturbation positions are remapped
Figure BDA00031931938000000815
I.e. a location outside the space alpha is mapped to a point in space. The method also ensures that the truncated Laplace plus noise mechanism still meets the geographical indistinguishability in the three-dimensional space.

Claims (10)

1. A location privacy protection method in a large indoor location service scenario, characterized in that: a location privacy protection method in three-dimensional space addresses the location privacy leakage caused by an untrusted server or an eavesdropper during three-dimensional location service; geo-indistinguishability is adopted, the X, Y and Z coordinates of the location are perturbed simultaneously by a three-dimensional Laplace noise mechanism, the perturbed location is determined by discretization and truncation, the mathematical quantitative relation between the privacy budgets before and after discretization and truncation is analysed, and the privacy budget degradation caused by discretization is compensated by adding extra noise; the method can cope with location privacy leakage in a three-dimensional location service environment and improves the security of location data privacy in the location service system under location inference attack.
2. The location privacy protection method in a large indoor location service scenario as claimed in claim 1, characterized in that it comprises:
Step 1: define the geo-indistinguishability mechanism in three-dimensional space; a strict and provable measure of location privacy in three-dimensional space based on differential privacy, namely three-dimensional geo-indistinguishability, is given and defined as follows:
[equation image]
where ε is the privacy budget, the perturbation mechanism [image] satisfies ε-geo-indistinguishability for all [image] in three-dimensional space, [image] is the set of possible real positions of the mobile terminal, [image] is the set of possible perturbed positions, x1 is the user position, x' is the perturbed position, and d3(x1,x2) is the radius of the spherical region centred on x1;
Step 2: perturb the X, Y and Z coordinates of the position in three-dimensional space simultaneously;
Step 3: in the cubic grid [image] used to approximate the noise generated by the Laplace mechanism in three-dimensional coordinates, design a discretized noise mechanism, derive the relation between the privacy budgets before and after discretization, and ensure that the discretized noise mechanism still guarantees the differential privacy property;
Step 4: design a truncated noise mechanism to ensure geo-indistinguishability in three-dimensional space, since the above mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space.
3. The location privacy protection method in a large indoor location service scenario as claimed in claim 2, characterized in that: in step 1, three-dimensional geo-indistinguishability ensures that for any two geographically close locations in three-dimensional space the probability distributions of the perturbed locations are similar, as measured by the privacy budget ε and the spherical region centred on the user location x1 with radius d3(x1,x2), so that the true position in space is protected.
4. The location privacy protection method in a large indoor location service scenario as claimed in claim 2, characterized in that step 2 comprises the following specific steps:
step 1), introduce a noise generation mechanism whose probability density function is
[equation image]
where ε is the privacy budget, x1 is the true user position, x' is the perturbed position, d3(x1,x2) is the radius of the spherical region centred on x1, and A is a normalisation coefficient;
step 2), replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed position; the user's real position is x1 and the perturbed position x' is expressed as (r, θ, ψ), where ε is the privacy budget, r is the distance between x1 and x', θ is the polar angle and ψ is the azimuth angle, and the probability density function in the spherical coordinate system is:
[equation image]
three variables are defined, namely the radius [image], the polar angle θ and the azimuth angle ψ, with the marginal distributions of the three variables:
[equation image]
step 3), send the perturbed position x' generated according to the noise distribution function to the LBS server.
5. The location privacy protection method in a large indoor location service scenario as claimed in claim 4, characterized in that in step 2) the perturbed position x' is obtained as follows:
step (1), select a random vector U(θ, ψ) on the unit sphere;
step (2), in formula (3), [image] is the probability density function of the gamma distribution Γ(3, 1/ε); the radius r is drawn from the gamma distribution Γ(3, 1/ε), and the perturbed position x' follows the distribution x1 + Ur.
6. The location privacy protection method in a large indoor location service scenario as claimed in claim 2, characterized in that: in step 3, the user's true position is x1 and the perturbed position x' is generated in two steps:
step 1), centred on x1 in the spherical coordinate system, generate the perturbed position [image] using the three-variable Laplace noise mechanism;
step 2), remap [image] to the nearest position x' in the space; this mechanism is denoted [image]; the discretized privacy budget ε' is determined by the privacy budget ε, the cubic grid [image] and the precision of the device, and the degraded privacy budget is compensated by adding extra noise.
7. The location privacy protection method in a large indoor location service scenario as claimed in claim 1, characterized in that: in step 4, the mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space, for the following reasons:
1) the discretized noise mechanism can guarantee differential privacy only within a bounded range;
2) the space a user can access is bounded in a real scene; in order to guarantee geo-indistinguishability after discretization and to confine the position to a bounded region, an unreasonable position is mapped back into the bounded range by the truncation method, and the geo-indistinguishability property of the position in three-dimensional space is preserved.
8. The location privacy protection method in a large indoor location service scenario as claimed in claim 1, characterized in that: in step 3, the three-variable Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously to ensure geo-indistinguishability in three-dimensional space.
9. The location privacy protection method in a large indoor location service scenario as claimed in claim 1, characterized in that: in step 3, the noise is discretized in the spherical coordinate system of the three-dimensional space, and the perturbed position is generated while the geo-indistinguishability parameters are kept unchanged.
10. The location privacy protection method in a large indoor location service scenario as claimed in claim 1, characterized in that: in step 4, in order to guarantee geo-indistinguishability after discretization and to confine the position to a bounded region, an unreasonable position is mapped back into the bounded range by the truncation method, and the geo-indistinguishability property of the position is kept unchanged. Based on the device precision, the bounded spatial range and the discretization unit, the mathematical quantitative relation between the privacy budgets before and after discretization and truncation is analysed, and extra noise is added to compensate the privacy budget degradation caused by discretization, so that the noise mechanism after discretization and truncation still strictly guarantees geo-indistinguishability in three-dimensional space.
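The pipeline of steps 2 to 5 of the description and of claims 2 to 6 (three-dimensional Laplace perturbation sampled in spherical coordinates, discretization to the cubic grid, truncation to the finite region) as an added Python example; it is not code from the patent. The grid sizes are those of the hospital scene, while the density normalisation, the function names and the clamping form of truncation are assumptions, and the extra compensating noise for ε' is not implemented because the page gives no formula for it.

```python
import math
import random

# Constructed grid parameters from the description: a 600 m x 600 m x 60 m map
# split into 30 x 30 x 20 cells, each 20 m x 20 m x 3 m.
CELL = (20.0, 20.0, 3.0)
GRID = (30, 30, 20)

def d3(a, b):
    """Euclidean distance between two points in three-dimensional space."""
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def density(eps, x_true, x_pert):
    """3D Laplace density A * exp(-eps * d3(x_true, x_pert)) with A = eps^3 / (8 pi).
    Assumption: standard 3D generalisation; integrating r^2 exp(-eps r) over all
    directions and radii gives 8 pi / eps^3, and the radial marginal is then the
    Gamma(3, 1/eps) the page uses for r."""
    return eps ** 3 / (8.0 * math.pi) * math.exp(-eps * d3(x_true, x_pert))

def indistinguishability_gap(eps, x1, x2, x_pert):
    """eps * d3(x1, x2) - |log p(x'|x1) - log p(x'|x2)|: non-negative means the
    eps-geo-indistinguishability inequality holds for this output x' (it always
    does for the Laplace density, by the triangle inequality)."""
    diff = abs(math.log(density(eps, x1, x_pert)) - math.log(density(eps, x2, x_pert)))
    return eps * d3(x1, x2) - diff

def sample_unit_vector(rng):
    """Direction U(theta, psi) uniform on the unit sphere: cos(theta) is drawn
    uniformly on [-1, 1] (drawing theta itself would cluster at the poles)."""
    cos_theta = 1.0 - 2.0 * rng.random()
    sin_theta = math.sqrt(1.0 - cos_theta ** 2)
    psi = 2.0 * math.pi * rng.random()
    return (sin_theta * math.cos(psi), sin_theta * math.sin(psi), cos_theta)

def sample_radius(rng, eps):
    """Radius r ~ Gamma(shape 3, scale 1/eps), the radial marginal on the page."""
    return rng.gammavariate(3.0, 1.0 / eps)

def perturb(x1, eps, rng):
    """Continuous three-dimensional Laplace mechanism: x' = x1 + U r."""
    u = sample_unit_vector(rng)
    r = sample_radius(rng, eps)
    return tuple(c + r * uc for c, uc in zip(x1, u))

def discretize(x):
    """Index of the cubic grid cell containing a continuous point."""
    return tuple(math.floor(c / s) for c, s in zip(x, CELL))

def truncate(cell):
    """Truncation: clamp a cell index that fell outside the finite region alpha."""
    return tuple(min(max(i, 0), n - 1) for i, n in zip(cell, GRID))

def in_region(cell):
    """True when the cell index lies inside the 30 x 30 x 20 map."""
    return all(0 <= i < n for i, n in zip(cell, GRID))

def release_position(x1, eps, seed=None):
    """Perturb, discretize to the grid, truncate to the map: the cell to publish."""
    rng = random.Random(seed)
    return truncate(discretize(perturb(x1, eps, rng)))

def mean_radius(eps, n, seed=0):
    """Empirical mean of sampled radii; approaches 3 / eps for large n."""
    rng = random.Random(seed)
    return sum(sample_radius(rng, eps) for _ in range(n)) / n
```

With ε = 0.1 per metre the expected perturbation radius is 30 m, so a released cell for a user near the map boundary is regularly clamped back into the region, which is exactly the case the truncation step exists for.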
CN202110883750.8A 2021-08-03 2021-08-03 Position privacy protection method in large indoor position service scene Active CN113573234B (en)


Publications (2)

Publication Number Publication Date
CN113573234A true CN113573234A (en) 2021-10-29
CN113573234B CN113573234B (en) 2022-04-12



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant