CN113573234B - Position privacy protection method in large indoor position service scene

Info

Publication number: CN113573234B
Application number: CN202110883750.8A
Authority: CN (China)
Language: Chinese (zh)
Other versions: CN113573234A
Legal status: Active
Prior art keywords: privacy, dimensional space, noise, discretization, disturbance
Inventors: 闵明慧, 崔博言, 李孙笑何, 胥俊怀, 李世银
Current assignee: China University of Mining and Technology (CUMT)
Original assignee: China University of Mining and Technology (CUMT)
Events: application filed by China University of Mining and Technology (CUMT); priority to CN202110883750.8A; publication of CN113573234A; application granted; publication of CN113573234B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W 4/02 Services making use of location information
    • H04W 4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
    • H04W 4/025 Services making use of location information using location based information parameters
    • H04W 4/30 Services specially adapted for particular environments, situations or purposes
    • H04W 4/33 Services specially adapted for indoor environments, e.g. buildings
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W 12/60 Context-dependent security
    • H04W 12/63 Location-dependent; Proximity-dependent
    • H04W 12/64 Location-dependent; Proximity-dependent using geofenced areas

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Processing Or Creating Images
  • Instructional Devices

Abstract

A location privacy protection method for large indoor location-based service scenarios, belonging to the field of location services and information security. The method addresses location privacy leakage caused by an untrusted server or an eavesdropper during location service in three-dimensional space: geo-indistinguishability is adopted, the X, Y and Z coordinates of the position are perturbed simultaneously by a three-dimensional Laplace noise mechanism, the perturbed position is determined by a discretization and truncation step, the quantitative relation between the privacy budgets before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise. The method copes with location privacy leakage in three-dimensional location service environments and improves the privacy of location data in a location service system under location inference attacks. Its advantages are that it perturbs all three dimensions of the position simultaneously, based on differential-privacy geo-indistinguishability in three-dimensional space, and provides a rigorous measure and an implementation mechanism for location privacy protection in three-dimensional space.

Description

Position privacy protection method in large indoor position service scene
Technical Field
The invention relates to the field of location services and information security, in particular to a location privacy protection method for large-scale indoor location service scenarios.
Background
Due to the rapid development of 5G intelligent communication technology and the increasing population density of cities, location-based services (LBS) [1] (Research on privacy protection technology for location data [D]. Harbin Institute of Technology, 2020) have been widely applied in large indoor buildings such as large hospitals and large shopping malls. By 2025 the global indoor LBS market is expected to reach US$ 18.74 billion. At the same time, the risk of disclosure of users' location privacy is also increasing: in 2020 the US Federal Communications Commission proposed fines of more than US$ 200 million against the four major mobile carriers for divulging consumers' real-time location data. Location privacy protection in three-dimensional spaces, such as large indoor buildings, is therefore of increasing interest to both academia and industry. At present most location privacy protection schemes focus on two-dimensional space; when a user's location data carries height information, these mechanisms cannot withstand location inference attacks mounted by an untrusted location server or an eavesdropping attacker using existing background knowledge.
In recent years researchers at home and abroad have paid close attention to location privacy disclosure in location services, and methods such as K-anonymity [2] (Yujuan. Research on privacy protection methods based on location services [D]. Northwest Normal University, 2020), mix-zones, encryption and perturbation have been adopted to protect location privacy. However, encryption-based location privacy protection mechanisms hide the user's location information completely and are not suitable for location service applications. K-anonymity-based mechanisms need to rely on a trusted third party, and once that server is down or attacked the user's privacy is exposed. Perturbation-based mechanisms, by contrast, can be implemented locally at the user end and avoid any dependence on a trusted, secure server.
Two-dimensional geo-indistinguishability is an extension of traditional differential privacy used to protect the location privacy of a single user in the two-dimensional plane [3] (M. Andrés, N. Bordenabe, K. Chatzikokolakis and C. Palamidessi. Geo-indistinguishability: Differential privacy for location-based systems [C]. ACM Conference on Computer and Communications Security (CCS), 2013: 901-914). Using a perturbation mechanism based on two-dimensional geo-indistinguishability, a mobile user can locally generate a random fake position and send it to the location server with the service request, so that the true position is known only to the user. However, when the user is in a three-dimensional space such as a large hospital, the above mechanism for two-dimensional space cannot effectively prevent location inference attacks, because the user's height (floor) information is introduced. For example, if a user's floor is leaked, his or her medical condition is exposed to the attacker. It is therefore important to study user location protection mechanisms for three-dimensional location services.
Disclosure of Invention
The invention aims to provide a location privacy protection method for large-scale indoor location service scenarios that protects the privacy of location data in location services carried out in large indoor three-dimensional spaces and similar environments.
The purpose of the invention is achieved as follows. A location privacy protection method in three-dimensional space addresses location privacy leakage caused by an untrusted server or an eavesdropper during location service in three-dimensional space: geo-indistinguishability is adopted, the X, Y and Z coordinates of the position are perturbed simultaneously by a three-dimensional Laplace noise mechanism, the perturbed position is determined by a discretization and truncation step, the quantitative relation between the privacy budgets before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise. The method copes with location privacy leakage in three-dimensional location service environments and improves the privacy of location data in a location service system under location inference attacks.
The method comprises the following specific steps:
Step 1: define the geo-indistinguishability mechanism in three-dimensional space. A strict and provable measure of location privacy in three-dimensional space based on differential privacy, namely three-dimensional geo-indistinguishability, is defined as follows:
[equation (1): image not extracted from the source page]
where ε is the privacy budget; the perturbation mechanism [symbol not extracted] satisfies ε-geo-indistinguishability for all inputs in three-dimensional space; [set symbol not extracted] is the set of possible real positions of the mobile terminal and [set symbol not extracted] is the set of possible perturbed positions; x1 is the user's position, x' is the perturbed position, and d3(x1, x2) is the radius of the spherical region centered on x1, i.e. the distance between x1 and x2.
In step 1, three-dimensional geo-indistinguishability guarantees that for any two geographically close positions in three-dimensional space the probability distributions of their perturbed positions are similar, as measured by the privacy budget ε and by the spherical region of radius d3(x1, x2) centered on the user's position x1; every true position in that space is thereby protected.
Step 2: simultaneously disturbing the X, Y and Z coordinates of the position in the three-dimensional space;
in the step 2, the concrete steps are as follows:
step 1), introducing a noise generation mechanism as a probability density function
Figure GDA0003513269620000026
Where ε is the privacy budget, x1True user position, x' disturbance position, d3(x1,x2) Is given by x1Radius of the spherical area as the center, A is a normalization coefficient;
step 2), replacing a Cartesian coordinate system with a spherical coordinate system to determine a disturbance position; the user real position is x1With perturbation position x', expressed as (r, θ, ψ), where ε is the privacy budget and r denotes x1And x', theta is the polar angle, psi is the azimuthal angle,the probability density function in the spherical coordinate system is:
Figure GDA0003513269620000027
defining three variables as radii
Figure GDA0003513269620000028
Polar angle θ, azimuth Ψ, and the edge distribution of the three variables:
Figure GDA0003513269620000029
step 3), sending the disturbance position x' to an LBS server according to the noise distribution function;
in the step 2), the method for obtaining the disturbance position x' includes:
step (1), selecting a random vector U (theta, psi) in a unit sphere;
in the step (2) and the formula (3)
Figure GDA00035132696200000210
Namely a probability density function of gamma distribution gamma (3, 1/epsilon), a radius r is determined according to the gamma distribution gamma (3, 1/epsilon), and the disturbance position x' follows the distribution x1+Ur。
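The equation images for the definition in step 1 and for the density, its spherical-coordinate form and the marginals in step 2 were not extracted. The following derivation is an added note, not part of the patent text, written in the standard form of geo-indistinguishability from reference [3]; the mechanism symbol $K$, the sets $\mathcal{X}$ and $\mathcal{Z}$ and the explicit exponential bound are assumed here, while $\varepsilon$, $x_1$, $x'$, $d_3$, $A$, $r$, $\theta$ and $\psi$ are the page's own symbols.

Definition (ε-geo-indistinguishability of a mechanism $K$ mapping true positions in $\mathcal{X}$ to perturbed positions in $\mathcal{Z}$):

$$K(x_1)(Z)\ \le\ e^{\varepsilon\, d_3(x_1,x_2)}\; K(x_2)(Z)\qquad \forall\, x_1,x_2\in\mathcal{X},\ \forall\, Z\subseteq\mathcal{Z}.$$

Three-dimensional Laplace density and its normalization coefficient:

$$D_\varepsilon(x'\mid x_1)=A\,e^{-\varepsilon\, d_3(x_1,x')},\qquad
\int_{\mathbb{R}^3} e^{-\varepsilon\,\|x'-x_1\|}\,dx' = 4\pi\int_0^\infty r^2 e^{-\varepsilon r}\,dr=\frac{8\pi}{\varepsilon^3}
\ \Rightarrow\ A=\frac{\varepsilon^3}{8\pi}.$$

The continuous mechanism satisfies the definition because, by the triangle inequality $|d_3(x_1,x')-d_3(x_2,x')|\le d_3(x_1,x_2)$,

$$\frac{D_\varepsilon(x'\mid x_1)}{D_\varepsilon(x'\mid x_2)}
= e^{-\varepsilon\,\left(d_3(x_1,x')-d_3(x_2,x')\right)}
\ \le\ e^{\varepsilon\, d_3(x_1,x_2)}\qquad\forall\, x'.$$

Spherical coordinates centered on $x_1$, with volume element $dx' = r^2\sin\theta\,dr\,d\theta\,d\psi$:

$$D_\varepsilon(r,\theta,\psi)=\frac{\varepsilon^3}{8\pi}\,r^2\sin\theta\,e^{-\varepsilon r}
=\underbrace{\frac{\varepsilon^3}{2}\,r^2 e^{-\varepsilon r}}_{D_{\varepsilon,R}(r)}
\cdot\underbrace{\frac{\sin\theta}{2}}_{D_{\varepsilon,\Theta}(\theta)}
\cdot\underbrace{\frac{1}{2\pi}}_{D_{\varepsilon,\Psi}(\psi)} .$$

The factorization shows that $R$, $\Theta$ and $\Psi$ are independent. $D_{\varepsilon,R}$ is the density of $\Gamma(3,1/\varepsilon)$ (shape 3, scale $1/\varepsilon$, mean $3/\varepsilon$), $\Theta$ has density $\sin\theta/2$ on $[0,\pi]$ and $\Psi$ is uniform on $[0,2\pi)$, which together make the direction $U(\theta,\psi)$ uniform on the unit sphere. Drawing $r$ and $U$ separately and setting $x'=x_1+U\,r$ therefore samples exactly from $D_\varepsilon$, which is what sub-steps (1) and (2) above do.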
Step 3: design a discretized noise mechanism on a cubic grid [grid symbol not extracted] that approximates the noise generated by the Laplace mechanism in three-dimensional coordinates; derive the relation between the privacy budgets before and after discretization and ensure that the discretized mechanism still satisfies differential privacy.
In step 3, with the user's true position x1, the perturbed position is generated in two sub-steps:
Sub-step 1): in a spherical coordinate system centered on x1, generate a continuous perturbed position [symbol not extracted] with the trivariate Laplace noise mechanism;
Sub-step 2): remap that point to the nearest grid location x' in the space; this mechanism is denoted [symbol not extracted].
The discretized privacy budget ε' is determined by the privacy budget ε, the step size of the cubic grid and the accuracy of the device, and the degraded privacy budget is compensated by adding extra noise.
Step 4: design a noise mechanism after truncation to guarantee geo-indistinguishability in three-dimensional space, because the mechanism above cannot satisfy differential privacy in an arbitrary three-dimensional space.
In step 4, the reasons why the mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space are:
1) the discretized noise mechanism guarantees differential privacy only within a bounded range;
2) in a real scenario the user's accessible space is bounded. To keep geo-indistinguishability after discretization and to confine the position to a bounded region, unreasonable positions are mapped back into the bounded range by a truncation method, and the geo-indistinguishability property in three-dimensional space is preserved.
In step 3, the trivariate Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously to guarantee geo-indistinguishability in three-dimensional space.
In step 3, the noise is discretized in the spherical coordinate system of three-dimensional space, and the perturbed position is generated while the geo-indistinguishability parameter is kept unchanged.
In step 4, to keep geo-indistinguishability after discretization and to confine the position to a bounded region, unreasonable positions are mapped back into the bounded range by a truncation method, and the geo-indistinguishability property is kept unchanged. Based on the device accuracy, the bounded spatial range and the discretization unit, the quantitative relation between the privacy budgets before and after discretization and truncation is analyzed, and extra noise is added to compensate the privacy-budget degradation caused by discretization, so that the noise mechanism after discretization and truncation still strictly guarantees geo-indistinguishability in three-dimensional space.
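A worked example of steps 1 to 4, added here and not taken from the patent (which gives no code): it samples the continuous three-dimensional Laplace mechanism in spherical coordinates, checks the geo-indistinguishability ratio bound on individual outputs, snaps the sample to a cubic grid, truncates cells that leave the bounded map, and estimates empirically how much the grid and the truncation change the budget. The normalization constant A = ε³/(8π), the 20 m × 20 m × 3 m cells, the 30 × 30 × 20 map (the hospital figures used in Example 1 on this page) and the ε values are assumptions made here; the patent's compensation formula for the extra noise is not present in the extracted text, so the budget fed to the continuous mechanism is simply a parameter that a caller would set below the target ε.

```python
"""Added example: 3-D geo-indistinguishable perturbation with discretization
and truncation.  Illustrative code for this page, not the patent's own
implementation.  Assumed here: density A*exp(-eps*d3) with A = eps^3/(8*pi);
grid step, map size and eps values; the continuous budget is supplied by the
caller because the patent's extra-noise compensation formula is not extracted.
"""
import math
import random
from collections import Counter

Point = tuple[float, float, float]
Cell = tuple[int, int, int]


def d3(a: Point, b: Point) -> float:
    """Euclidean distance in three-dimensional space (the page's d3)."""
    return math.dist(a, b)


def log_density(x1: Point, xp: Point, eps: float) -> float:
    """log of A*exp(-eps*d3(x1, x')); A = eps^3/(8*pi) since the integral of
    exp(-eps*r) over R^3 equals 4*pi*2/eps^3 (derived here, not on the page)."""
    return 3.0 * math.log(eps) - math.log(8.0 * math.pi) - eps * d3(x1, xp)


def geo_ind_ratio_ok(x1: Point, x2: Point, xp: Point, eps: float) -> bool:
    """Sanity check of eps-geo-indistinguishability at one output x':
    |log f(x'|x1) - log f(x'|x2)| <= eps * d3(x1, x2) (triangle inequality)."""
    gap = abs(log_density(x1, xp, eps) - log_density(x2, xp, eps))
    return gap <= eps * d3(x1, x2) + 1e-9


def sample_perturbed(x1: Point, eps: float, rng: random.Random) -> Point:
    """Step 2: direction U(theta, psi) uniform on the unit sphere (cos(theta)
    uniform on [-1, 1], psi uniform on [0, 2*pi)), radius r ~ Gamma(3, 1/eps),
    x' = x1 + U*r."""
    cos_t = rng.uniform(-1.0, 1.0)
    sin_t = math.sqrt(1.0 - cos_t * cos_t)
    psi = rng.uniform(0.0, 2.0 * math.pi)
    r = rng.gammavariate(3.0, 1.0 / eps)  # shape 3, scale 1/eps
    return (x1[0] + r * sin_t * math.cos(psi),
            x1[1] + r * sin_t * math.sin(psi),
            x1[2] + r * cos_t)


def discretise(p: Point, step: Point) -> Cell:
    """Step 3: remap a continuous point to the index of the grid cell it falls in."""
    return tuple(math.floor(c / s) for c, s in zip(p, step))


def truncate(cell: Cell, n_cells: Cell) -> Cell:
    """Step 4: clamp a cell index that left the bounded map back onto its edge."""
    return tuple(min(max(c, 0), n - 1) for c, n in zip(cell, n_cells))


def perturb_cell(x1: Point, eps_cont: float, step: Point, n_cells: Cell,
                 rng: random.Random) -> Cell:
    """Full pipeline: continuous sample -> grid cell -> truncated cell.
    eps_cont is the budget given to the continuous mechanism; the page adds
    extra noise to compensate discretization, i.e. eps_cont < target eps."""
    return truncate(discretise(sample_perturbed(x1, eps_cont, rng), step), n_cells)


def sample_cells(x1: Point, eps_cont: float, step: Point, n_cells: Cell,
                 n: int, seed: int = 0) -> list:
    """n published cells for one true position, with a fixed seed."""
    rng = random.Random(seed)
    return [perturb_cell(x1, eps_cont, step, n_cells, rng) for _ in range(n)]


def empirical_epsilon(x1: Point, x2: Point, eps_cont: float, step: Point,
                      n_cells: Cell, n: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the budget achieved after discretization and
    truncation: max over cells seen for both inputs of
    |log(P1(cell)/P2(cell))| / d3(x1, x2).  Cells seen for one input only are
    skipped, so this is a diagnostic lower bound, not a proof."""
    c1 = Counter(sample_cells(x1, eps_cont, step, n_cells, n, seed))
    c2 = Counter(sample_cells(x2, eps_cont, step, n_cells, n, seed + 1))
    worst = max((abs(math.log(c1[c] / c2[c])) for c in c1.keys() & c2.keys()),
                default=0.0)
    return worst / d3(x1, x2)


def mean_radius(x1: Point, eps: float, n: int, seed: int = 0) -> float:
    """Average perturbation distance; Gamma(3, 1/eps) has mean 3/eps."""
    rng = random.Random(seed)
    return sum(d3(x1, sample_perturbed(x1, eps, rng)) for _ in range(n)) / n


if __name__ == "__main__":
    # Illustrative map (assumed): 600 m x 600 m x 60 m, cells 20 m x 20 m x 3 m.
    STEP, N_CELLS = (20.0, 20.0, 3.0), (30, 30, 20)
    x1, x2 = (300.0, 300.0, 30.0), (310.0, 300.0, 30.0)
    print("published cell:", perturb_cell(x1, 0.1, STEP, N_CELLS, random.Random(1)))
    print("mean radius at eps=0.1 (expect about 30 m):", round(mean_radius(x1, 0.1, 20000), 2))
    print("empirical eps after grid + truncation:",
          round(empirical_epsilon(x1, x2, 0.1, STEP, N_CELLS, 20000), 3))
```

ε is in units of inverse metres, so ε = 0.1 gives an expected perturbation radius of 3/ε = 30 m. Comparing `empirical_epsilon` with the ε fed to the continuous mechanism is the practitioner's check for the degradation the page describes: for two true positions 10 m apart in 20 m cells the observed cell-level ratio typically exceeds the continuous bound (partly from the grid, partly from Monte Carlo noise in rare cells), which is why the continuous budget has to be lowered, i.e. extra noise added, to land on the target ε.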
The advantages of the method are that, for the problem of location privacy leakage caused by an untrusted server or an eavesdropping attacker during location service in a large indoor three-dimensional space, location privacy is measured strictly by differential-privacy-based geo-indistinguishability in three-dimensional space, and the X, Y and Z coordinates of the position are perturbed simultaneously by the three-dimensional Laplace noise mechanism, so that an attacker cannot obtain the user's exact position. In addition, because the precision of hardware devices is limited in practice, a mobile device cannot generate an arbitrary fake position from a continuous noise function; moreover, in practical scenarios the user's accessible space is bounded. The perturbed position is therefore determined by a discretization and truncation method, the quantitative relation between the privacy budgets before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise, so that the noise mechanism after discretization and truncation still strictly guarantees differential privacy.
This solves the problem of location privacy disclosure by an untrusted server or an eavesdropper during location service in a large indoor three-dimensional space, and achieves location privacy protection in that scenario.
The geo-indistinguishability mechanism in three-dimensional space means that for any position within a given spherical region of radius R, the distribution of the inference result for the user's true position is similar no matter how much prior knowledge the attacker has; that is, although an attacker can determine that the user is within the spherical region of radius R, it cannot determine the user's exact position, and an attacker who already knows the region the user is in learns nothing more from the user's perturbed position, whatever prior it holds.
For any two geographically close positions in three-dimensional space, ε·d3(x1, x2) can be regarded as the geo-indistinguishability metric: the closer x1 and x2 are, the more similar the perturbed-position distributions [symbols not extracted] for x1 and for x2.
The X, Y and Z coordinates of the position in three-dimensional space are perturbed simultaneously by a three-dimensional Laplace noise mechanism that realizes geo-indistinguishability in continuous three-dimensional space; the randomly generated perturbed position x' drawn from the noise distribution is sent to the location service server. When the true position is x1 or x2, [expression not extracted], the probability of any position in the perturbed region differs by at most a factor of [expression not extracted].
Considering the limited precision of hardware devices in practice, a mobile device cannot generate an arbitrary fake position from a continuous noise function.
The discretized noise mechanism can still guarantee geo-indistinguishability in three-dimensional space, but it degrades the privacy budget; the discretized privacy budget ε' is determined by the privacy budget ε, the cubic grid [symbol not extracted] and the device accuracy, and the degraded privacy budget is compensated by adding extra noise.
Since most location privacy protection schemes focus on two-dimensional space, they cannot cope with location inference attacks by an untrusted location server or an eavesdropping attacker using existing background knowledge when the user's location data carries height information; encryption-based mechanisms completely hide the user's location and are unsuitable for location service applications; and mechanisms such as K-anonymity rely on a trusted third party, so that once the server is down or attacked the user's privacy is at risk. The method therefore adopts geo-indistinguishability, determines the perturbed position with a three-dimensional Laplace noise mechanism, and designs a discretization and truncation scheme that accounts for the limited device precision and bounded user access space of real scenarios, so that an attacker cannot obtain the user's exact position, location inference attacks in three-dimensional location service environments are resisted, and the privacy of location data in the location service system is improved.
Advantages: the method takes the height information of the position into account, provides a strict and provable measure of location privacy for three-dimensional space, designs a three-dimensional Laplace noise mechanism, and protects location data privacy in location service scenarios such as large indoor three-dimensional spaces.
Drawings
FIG. 1 is a scene diagram of a three-dimensional location service system for a large hospital or similar building according to the present invention;
FIG. 2 is a flow chart of the location privacy protection method based on the three-dimensional geo-indistinguishability mechanism employed in the present invention.
Detailed Description
The technical solution of the present invention is further described below with reference to examples, but the scope of the claims is not limited thereto.
Example 1: a technical method for protecting location privacy in three-dimensional space in a large indoor location service scenario, with the following implementation steps:
Step 1: set up the three-dimensional space environment, consider a perturbation mechanism for all three dimensions simultaneously, and design a three-dimensional Laplace noise mechanism. As shown in FIG. 1, a three-dimensional location service scenario of a large hospital is assumed: the hospital occupies a cuboid map 600 metres long and wide and 60 metres high, divided into a 30 × 30 × 20 grid, i.e. 18000 cells each 20 metres long and wide and 3 metres high; different cells represent different location areas, numbered {c1, c2, c3, ...}. When a user moves through the hospital, the user sends his or her current position to the location server to request a location service; at that point an untrusted location server or an eavesdropping attacker can use existing background knowledge to infer the user's location, and then send spam to or defraud the user. By adopting geo-indistinguishability in three-dimensional space, the user instead publishes a perturbed position to the location server, which prevents an attacker from stealing the user's location privacy inside the hospital and improves the privacy of location data in the location service system under location inference attacks.
The location privacy protection method for large indoor location service scenarios is divided into four processes: defining the geo-indistinguishability mechanism in three-dimensional space, generating the perturbed position based on that mechanism, designing the discretized noise mechanism, and preserving the geo-indistinguishability property of three-dimensional space by a truncation method.
Step 2: defining a geographic indistinguishable mechanism in a three-dimensional space, and providing a strict and provable three-dimensional space position privacy measurement method based on differential privacy, wherein the geographic indistinguishable mechanism in the three-dimensional space is defined as follows:
Figure GDA0003513269620000071
in which the disturbance mechanism
Figure GDA0003513269620000072
All in three-dimensional space
Figure GDA0003513269620000073
Satisfies epsilon-geographic indistinguishability, wherein
Figure GDA0003513269620000074
Is a possible set of real positions of the mobile terminal,
Figure GDA0003513269620000075
is a possible set of perturbation positions. This definition ensures that for any two geographically close locations in three-dimensional space, the probability distributions of their perturbed locations are similar, as measured by the privacy budget ε and by the user location x1A radius of d as a center3(x1,x2) Is determined by the spherical area of (a). I.e.. epsilon.d3(x1,x2) Can be seen as a geographic indistinguishable metric: x is the number of1And x2The closer the distance is, the more the disturbance position distribution
Figure GDA0003513269620000076
And
Figure GDA0003513269620000077
the more similar. Since all positions in the spherical space will generate an approximate distribution of the perturbed positions, the true position in the space is protected.
Step 3: Generate a perturbed position in three-dimensional space based on the three-dimensional geo-indistinguishable mechanism. To make the computation more convenient and efficient, the invention replaces the Cartesian coordinate system with a spherical coordinate system. The user's real position is x_1 and the perturbed position x' is expressed as (r, θ, ψ), where r is the distance between x_1 and x', θ is the polar angle and ψ is the azimuth angle. Substituting into the density above gives:
Figure GDA0003513269620000078
Three random variables are defined: the radius
Figure GDA0003513269620000079
, the polar angle Θ and the azimuth angle Ψ, with marginal distribution functions:
Figure GDA00035132696200000710
Figure GDA00035132696200000711
Figure GDA00035132696200000712
Finally, the perturbed position x' is obtained in two steps: (1) select a random unit vector U(θ, ψ) uniformly on the unit sphere; (2) draw the radius r from the Gamma distribution Γ(3, 1/ε) (shape 3, scale 1/ε). The perturbed position then follows the distribution x' = x_1 + U·r.
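As an added worked derivation (not part of the patent text), the inequality that the definition of step 2 expresses and the normalisation that justifies the Γ(3, 1/ε) radius of step 3, written in the document's own symbols. The mechanism, shown only as an image above, is written K here, and the inequality is the standard geo-indistinguishability condition of Andrés et al. stated over the three-dimensional distance d_3:

$$
\forall x_1, x_2 \in \mathcal{X},\ \forall x' \in \mathcal{Z}:\qquad
K(x_1)(x') \le e^{\varepsilon\, d_3(x_1, x_2)}\, K(x_2)(x')
$$

$$
K(x_1)(x') = A\, e^{-\varepsilon\, d_3(x_1, x')},\qquad
1 = \int_0^{2\pi}\!\int_0^{\pi}\!\int_0^{\infty} A\, e^{-\varepsilon r}\, r^2 \sin\theta \, dr\, d\theta\, d\psi
  = A \cdot \frac{2}{\varepsilon^3} \cdot 2 \cdot 2\pi
  \;\Rightarrow\; A = \frac{\varepsilon^3}{8\pi}
$$

$$
f_R(r) = \frac{\varepsilon^3}{2}\, r^2 e^{-\varepsilon r}\ (r \ge 0) = \Gamma(3, 1/\varepsilon),\qquad
f_\Theta(\theta) = \frac{\sin\theta}{2}\ (0 \le \theta \le \pi),\qquad
f_\Psi(\psi) = \frac{1}{2\pi}\ (0 \le \psi < 2\pi)
$$

$$
\frac{K(x_1)(x')}{K(x_2)(x')} = e^{\varepsilon\,[\,d_3(x_2, x') - d_3(x_1, x')\,]} \le e^{\varepsilon\, d_3(x_1, x_2)}
$$

The density factorises into a radial part and a part uniform over the sphere, so R, Θ and Ψ are independent; that is why drawing a direction and a radius separately in step 3 reproduces the three-variable Laplace exactly. The last line shows that the bound is just the triangle inequality for d_3, which holds for every x', so the guarantee is exact for the continuous mechanism and is only at risk once the mechanism is discretized.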
And 4, step 4: discretized laplacian mechanism. At the actual position x of the user1Generating the disturbance position by the following two steps
Figure GDA00035132696200000713
Figure GDA00035132696200000714
For cubic grids, suppose
Figure GDA00035132696200000715
Has a length of u, a width of v, a height of h, and u > v > h:
1) Centred on x_1, generate a perturbed position in the spherical coordinate system with the three-variable Laplace mechanism of step 3
Figure GDA00035132696200000716
2) Remap
Figure GDA00035132696200000717
to the position x' nearest to
Figure GDA00035132696200000718
, i.e.:
Figure GDA00035132696200000719
Let dr, dθ and
Figure GDA00035132696200000720
denote the precision of the device in the three directions r, θ and
Figure GDA00035132696200000721
respectively, and let B denote the set of discrete points that step 1) can produce for
Figure GDA00035132696200000722
. Each point
Figure GDA00035132696200000723
of that set carries the probability of the region bounded by r and r + dr, θ and θ + dθ, and
Figure GDA00035132696200000724
. The probability that step 1) generates
Figure GDA00035132696200000725
is therefore given by N_B(x') = N(x') ∩ B.
N(x') depends on the step size of the cuboid
Figure GDA00035132696200000726
, while N_B(x') is determined jointly by the step size of the cuboid
Figure GDA00035132696200000727
and the precision of the device. The relation between the discretized privacy budget ε' and the original privacy budget ε,
Figure GDA0003513269620000081
depends on the length u, width v and height h of the cell and on the precision of the device. Because discretization degrades the privacy budget, the noise that must be added is quantified from the difference between ε' and ε, and this additional noise compensates for the budget degradation caused by discretization, so that the discretized noise mechanism still guarantees geo-indistinguishability in three-dimensional space.
And 5: the geographical indistinguishability of the discrete laplace mechanism is ensured by means of truncation. Let alpha represent a finite area with a diameter Dα. Order to
Figure GDA0003513269620000082
Is a noise adding mechanism after truncation. Is provided with
Figure GDA0003513269620000083
Figure GDA0003513269620000084
The phase mechanism is similar to the discrete Laplace mechanism, except that the perturbation positions are remapped
Figure GDA0003513269620000085
I.e. a location outside the space alpha is mapped to a point in space. The method also ensures that the truncated Laplace plus noise mechanism still meets the geographical indistinguishability in the three-dimensional space.
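The release procedure of steps 3 to 5, as an added worked example that is not code from the patent or its authors: a continuous three-dimensional Laplace perturbation x' = x_1 + U·r, snapping to the 30 × 30 × 20 cuboid grid of the hospital map from step 1, truncation into the bounded map, and a Monte Carlo check of the cell-probability ratio that the geo-indistinguishability definition bounds. The snapping rule (centre of the containing cell), the truncation rule (nearest in-map point, i.e. coordinate-wise clipping), the helper names and the sample positions are assumptions of this example; the patent's corrected budget ε' is not reproduced, so the ε passed in is the one actually fed to the sampler.

```python
# Added worked example; not code from the patent or its authors.
# Implements the release procedure of steps 3 to 5: continuous 3D Laplace
# perturbation x' = x1 + U*r, snapping to the 30 x 30 x 20 cuboid grid of the
# hospital map from step 1, and truncation into the bounded map, plus a Monte
# Carlo check of the probability ratio that geo-indistinguishability bounds.
# Assumptions (not stated by the patent): "nearest grid position" is the centre
# of the cell containing x'; "truncation" is clipping to the nearest in-map
# point; the patent's corrected budget eps' is not reproduced, so eps is the
# value actually fed to the sampler.
import math
import random
from collections import Counter
from typing import Tuple

Point = Tuple[float, float, float]

# Scenario of step 1: 600 m x 600 m x 60 m map, 30 x 30 x 20 cells of 20 x 20 x 3 m.
MAP_SIZE: Point = (600.0, 600.0, 60.0)
GRID: Tuple[int, int, int] = (30, 30, 20)
CELL: Point = tuple(s / n for s, n in zip(MAP_SIZE, GRID))


def make_rng(seed: int = 7) -> random.Random:
    """Seeded Mersenne Twister so a run is reproducible. In a real client the noise
    must come from a CSPRNG (e.g. random.SystemRandom): a predictable stream lets an
    attacker who learns the seed undo the perturbation."""
    return random.Random(seed)


def d3(a: Point, b: Point) -> float:
    """Euclidean distance d3 between two points in three-dimensional space."""
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def sample_unit_vector(rng: random.Random) -> Point:
    """Uniform direction U(theta, psi) on the unit sphere: cos(theta) uniform on
    [-1, 1] (so the polar marginal is sin(theta)/2), psi uniform on [0, 2*pi)."""
    cos_t = rng.uniform(-1.0, 1.0)
    sin_t = math.sqrt(1.0 - cos_t * cos_t)
    psi = rng.uniform(0.0, 2.0 * math.pi)
    return (sin_t * math.cos(psi), sin_t * math.sin(psi), cos_t)


def sample_radius(eps: float, rng: random.Random) -> float:
    """r ~ Gamma(shape 3, scale 1/eps), the radial marginal of exp(-eps*r) in 3D."""
    return rng.gammavariate(3.0, 1.0 / eps)


def perturb_3d(x1: Point, eps: float, rng: random.Random) -> Point:
    """Step 3: continuous three-variable Laplace mechanism, x' = x1 + U * r."""
    u = sample_unit_vector(rng)
    r = sample_radius(eps, rng)
    return tuple(xi + ui * r for xi, ui in zip(x1, u))


def truncate(p: Point) -> Point:
    """Step 5 (assumed form): a point outside the map goes to the nearest in-map point."""
    return tuple(min(max(pi, 0.0), s) for pi, s in zip(p, MAP_SIZE))


def cell_index(p: Point) -> Tuple[int, int, int]:
    """Cell (i, j, k) containing an in-map point; the far face belongs to the last cell."""
    return tuple(min(int(pi // c), n - 1) for pi, c, n in zip(p, CELL, GRID))


def snap_to_cell(p: Point) -> Point:
    """Step 4 (assumed form): discretize to the centre of the containing cell."""
    return tuple((i + 0.5) * c for i, c in zip(cell_index(p), CELL))


def release_position(x1: Point, eps: float, rng: random.Random) -> Point:
    """Discretized, truncated mechanism: perturb, truncate into the map, snap to the grid."""
    return snap_to_cell(truncate(perturb_3d(x1, eps, rng)))


def empirical_max_ratio(x1: Point, x2: Point, eps: float, n: int,
                        rng: random.Random, min_count: int = 50) -> float:
    """Monte Carlo estimate of max_c P[c | x1] / P[c | x2] over released cells seen at
    least min_count times from both positions; geo-indistinguishability requires it
    to stay below exp(eps * d3(x1, x2)) up to sampling noise."""
    c1 = Counter(cell_index(release_position(x1, eps, rng)) for _ in range(n))
    c2 = Counter(cell_index(release_position(x2, eps, rng)) for _ in range(n))
    ratios = [c1[c] / c2[c] for c in c1 if c1[c] >= min_count and c2[c] >= min_count]
    return max(ratios) if ratios else float("nan")


if __name__ == "__main__":
    rng = make_rng()
    eps = 0.1                    # budget per metre: mean displacement 3/eps = 30 m
    x1 = (310.0, 295.0, 31.0)    # constructed true position inside the map
    x2 = (318.0, 300.0, 31.0)    # constructed nearby position, d3 about 9.4 m
    print("released cell centre:", release_position(x1, eps, rng))
    print("bound exp(eps*d3):   ", round(math.exp(eps * d3(x1, x2)), 3))
    print("empirical max ratio: ", round(empirical_max_ratio(x1, x2, eps, 20000, rng), 3))
```

Running the script prints one released cell centre for the constructed position and compares the estimated maximum cell-probability ratio between two positions about 9 m apart with exp(ε·d_3(x_1, x_2)). Two caveats matter when reading the numbers. Snapping and clipping are deterministic post-processing of an exactly sampled x', so on their own they cannot raise the ratio above the bound; the degradation the description quantifies through ε' comes from the finite precision (dr, dθ, dψ) with which a real device samples r, θ and ψ, which this double-precision example does not model, so the check is a sanity test of the sampler rather than a test of the ε' correction. And the estimate itself carries Monte Carlo noise, so a small excess over the bound in a sparsely populated cell is not by itself evidence of a broken mechanism.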

Claims (7)

1. A location privacy protection method for a large indoor location-service scenario, characterised by comprising the following steps: a location privacy protection method in three-dimensional space that addresses the location-privacy leakage caused by an untrusted server or an eavesdropper during a three-dimensional location-service process; it adopts geo-indistinguishability, perturbs the X, Y and Z coordinates of a position simultaneously with a three-dimensional Laplace noise mechanism, determines the perturbed position by discretization and truncation, analyses the mathematical relation between the privacy budgets before and after discretization and truncation, and compensates the budget degradation caused by discretization by adding extra noise; it thereby addresses location-privacy leakage in the three-dimensional location-service environment and improves the privacy security of the location data of the location-service system under location-inference attacks;
Step 1: define a geo-indistinguishable mechanism in three-dimensional space; a strict and provable three-dimensional location-privacy metric based on differential privacy, namely three-dimensional geo-indistinguishability, is proposed and defined as follows:
Figure FDA0003513269610000011
where ε is the privacy budget and the perturbation mechanism
Figure FDA0003513269610000012
is such that, for all real positions x_1,
Figure FDA0003513269610000013
in three-dimensional space, the perturbed position
Figure FDA0003513269610000014
satisfies ε-geo-indistinguishability, where
Figure FDA0003513269610000015
is the set of possible real positions of the mobile terminal,
Figure FDA0003513269610000016
is the set of possible perturbed positions, x_1 is the user's true position, x' is the perturbed position, and d_3(x_1, x_2) is the radius of the spherical region centred on x_1;
Step 2: perturb the X, Y and Z coordinates of the position in three-dimensional space simultaneously;
Step 3: for the cuboid grid
Figure FDA0003513269610000017
used to approximate the noise generated by the Laplace mechanism in three-dimensional coordinates, design a discretized noise-adding mechanism, derive the relation between the privacy budgets before and after discretization, and ensure that the discretized noise-adding mechanism still satisfies the differential-privacy property;
Step 4: design a truncated noise-adding mechanism to guarantee geo-indistinguishability in three-dimensional space, because the mechanism above cannot satisfy differential privacy over an arbitrary, unbounded three-dimensional space;
Step 2 consists of the following specific steps:
Step 1): introduce a noise-generation mechanism whose probability density function is
Figure FDA0003513269610000018
where ε is the privacy budget, x_1 is the true user position, x' is the perturbed position, d_3(x_1, x') is the radius of the spherical region centred on x_1, and A is a normalisation coefficient; the formula is a three-variable Laplace function centred on x_1;
Step 2): replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed position; the user's real position is x_1 and the perturbed position x' is expressed as
Figure FDA0003513269610000019
where ε is the privacy budget, r is the distance between x_1 and x', θ is the polar angle and
Figure FDA00035132696100000110
is the azimuth angle; in the spherical coordinate system, the probability density function of the three-variable Laplace centred on the true position x_1 is:
Figure FDA00035132696100000111
three random variables are defined: the radius
Figure FDA00035132696100000112
, the polar angle Θ and the azimuth angle Φ, and the marginal distributions of the three random variables are:
Figure FDA00035132696100000113
Step 3): send the perturbed position x' generated according to the noise distribution function to the LBS server, where LBS stands for Location Based Services;
In step 3, the user's true position is x_1 and the perturbed position x' is generated in the following two steps:
Step 1): in the spherical coordinate system centred on x_1, generate a perturbed position with the three-variable Laplace noise-adding mechanism
Figure FDA0003513269610000021
Step 2): remap
Figure FDA0003513269610000022
to the nearest perturbed position
Figure FDA0003513269610000023
; this mechanism is denoted
Figure FDA0003513269610000024
the discretized privacy budget ε' is determined by the privacy budget ε, the cuboid grid
Figure FDA0003513269610000025
and the precision of the device, and the degraded privacy budget is compensated by adding extra noise.
2. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 1, three-dimensional geo-indistinguishability ensures that for any two geographically close positions in three-dimensional space the probability distributions of their perturbed positions are similar, as measured by the privacy budget ε and the spherical region of radius d_3(x_1, x_2) centred on the user position x_1, so that the true position in that space is protected.
3. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 2) of the specific steps, the perturbed position x' is obtained as follows:
Step (1): select a random vector in the unit sphere
Figure FDA0003513269610000026
Step (2): in formula (3),
Figure FDA0003513269610000027
is the probability density function of the Gamma distribution Γ(3, 1/ε); the radius r is drawn from Γ(3, 1/ε), and the perturbed position x' follows the distribution x_1 + U·r.
4. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 4, the mechanism cannot satisfy differential privacy over an arbitrary three-dimensional space, for the following reasons:
1) the discretized noise-adding mechanism can guarantee differential privacy only within a bounded range;
2) the space a user can access is bounded in a real scenario; to guarantee geo-indistinguishability after discretization and to confine the position to a bounded region, an unreasonable position is mapped into the bounded range by a truncation method, which preserves the geo-indistinguishability property in three-dimensional space.
5. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 3, the three-variable Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously to guarantee geo-indistinguishability in three-dimensional space.
6. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 3, the noise is discretized in the spherical coordinate system of the three-dimensional space, and the perturbed position is generated while the geo-indistinguishability parameters remain unchanged.
7. The location privacy protection method for a large indoor location-service scenario according to claim 1, characterised in that: in step 4, to guarantee geo-indistinguishability after discretization and to confine the position to a bounded region, an unreasonable position is mapped into the bounded range by a truncation method, keeping the geo-indistinguishability property unchanged; based on the device precision, the bounded spatial range and the discretization unit, the mathematical relation between the privacy budgets before and after discretization and truncation is analysed, and extra noise is added to compensate the privacy-budget degradation caused by discretization, so that the discretized and truncated noise-adding mechanism still strictly guarantees geo-indistinguishability in three-dimensional space.
CN202110883750.8A 2021-08-03 2021-08-03 Position privacy protection method in large indoor position service scene Active CN113573234B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110883750.8A CN113573234B (en) 2021-08-03 2021-08-03 Position privacy protection method in large indoor position service scene

Publications (2)

Publication Number Publication Date
CN113573234A CN113573234A (en) 2021-10-29
CN113573234B true CN113573234B (en) 2022-04-12

Family

ID=78170083

Country Status (1)

Country Link
CN (1) CN113573234B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114117536B (en) * 2021-12-07 2022-07-01 China University of Mining and Technology Location privacy protection method in three-dimensional space LBS (location based service) based on deep reinforcement learning
CN114969824B (en) * 2022-06-15 2023-03-07 China University of Mining and Technology Personalized three-dimensional space position privacy protection method based on differential disturbance

Citations (5)

Publication number Priority date Publication date Assignee Title
CN108563962A (en) * 2018-05-03 2018-09-21 Guilin University of Electronic Technology Differential privacy protection method based on spatial location service
CN108595976A (en) * 2018-03-27 2018-09-28 Xidian University Android terminal sensor information protection method based on differential privacy
CN108734022A (en) * 2018-04-03 2018-11-02 Anhui Normal University Privacy-preserving trajectory data publishing method based on three-dimensional grid partitioning
CN109444815A (en) * 2018-10-12 2019-03-08 Guilin University of Electronic Technology Trajectory privacy protection method and system based on indoor acoustic positioning
CN110602631A (en) * 2019-06-11 2019-12-20 Donghua University Processing method and device for location data resisting inference attacks in LBS

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10904720B2 (en) * 2018-04-27 2021-01-26 safeXai, Inc. Deriving signal location information and removing private information from it

Non-Patent Citations (2)

Title
"5G System (5GS) Location Services (LCS)"; 3GPP; 3GPP TS 23.273 V17.01.0; 2021-06-08; full text *
"Differential privacy location protection method based on polygon construction"; Zhang Kaiyu; Information & Computer (Theoretical Edition); 2020-02-25 (Issue 4); full text *

Also Published As

Publication number Publication date
CN113573234A (en) 2021-10-29


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant