FR3048101A1 - METHOD AND DEVICE FOR EVALUATING THE ROBUSTNESS OF AN ANONYMOUSING OF A SET OF DATA - Google Patents

Abstract

The present invention essentially relates to a method of evaluating the robustness of an anonymization of a data set characterized in that it comprises the following steps: - Acquisition (1000) of an anonymized dataset - Structuring (1010) of the anonymized data set into at least one table, each column of the table corresponding to a property, each row corresponding to a record, a record being a set of values each value corresponding to a property; Structuring (1020) at least one category of properties, such category being a set of properties; - Producing (1030) at least one indicator according to value distributions within a property corresponding to the at least one structured category; Comparing (1040) the at least one indicator with at least one predetermined threshold and, if the comparison fails, producing an alert message.

Description

Method and device for evaluating the robustness of an anonymization of a data set

Technical field of the invention

The field of the invention is that of the manipulation of sensitive data: data capable of identifying an individual to reveal a secret or detrimental information concerning him. They are particularly related to the privacy of individuals or industrial secrets.

More precisely, the field of the invention is that of the exchange of data relating to legal entities, in particular persons, whether physical or moral, and the provision of data presenting personal information or trade secrets. .

Such data is, for example medical data, financial data, commercial data, activity logging data on a network, the list is not exhaustive.

Even more specifically, the field of the invention is that of evaluating the robustness of an anonymization of a data set.

STATE OF THE PRIOR ART The anonymisation of data, a fortiori personal data, consists in modifying the content or the structure of these data in order to make it very difficult or impossible for the "re-identification" of the persons, physical or moral, or more generally entities concerned by the data or the acquisition of new information about an individual Anglophones sometimes also speak of De-Identification (DE-ID).

The choice of anonymizing data is often the result of an ethical, legal and ethical compromise between a desire or an obligation to protect individuals and their personal data. In particular, anonymization is used for the dissemination and sharing of data deemed to be of public interest, such as open data.

However, there are limits to anonymization techniques and data sets can be processed to re-identify an individual: - to link an individual to a record; - find an individual from homogeneous records; - revealing information about an individual; - obtain information (possibly probabilistic) on an individual.

These various risks of attack are known in the literature but this one presents them in the form of example of re-identification and does not include a method making it possible to quantify in a global way the sensitivity of a set of data to these different attacks. These methods are: - the unique, therefore highly distinctive, search for registration, which makes it easy to find the corresponding entity. For example, if we consider the following anonymized table from a health center:

And we also know that this 93-year-old home care center, Bob, is 17 years old, so it will be easy to find that Bob has cancer. - An attack of homogeneity, for example by considering the following anonymized table:

And we also know that this 75-year-old home care center Bob 75, then it will be simple to find that Bob has HIV because all the patients of the care center coming from the 75 and having between 20 and 29 years have HIV. - An attack of probabilistic inferences in which one exploits the information created by the anonymization or any other treatment of the data. For example, in the original data we have 50% of individuals suffering from cancer. After treatment we have created a distribution of individuals in anonymous categories. If in each of these categories one finds again 50% of individuals suffering from the cancer then the anonymisation did not create additional information. On the other hand it is possible that this rate varies for some anonymous categories. So the processing and / or transformation of the data, in this case the anonymization, has created usable information for re-identification.

So we know anonymization technique but we do not know how to industrialize an evaluation of the effectiveness of anonymization. This efficiency is, therefore, at best empirically evaluated during the production of the first set of data, and then it is used for all subsequent data sets.

We are talking about a first dataset because in practice we use live or updated data. Data extraction criteria are therefore defined from a database. A first extraction is carried out to which an anonymization is applied. This anonymization is done by hand and, if satisfactory, the extraction criteria are planned to produce a dataset at regular intervals. This dataset is then anonymized and sent to its recipient. As the original data content changes, the reliability of the anonymization changes as well. In the state of the art this problem is ignored.

DISCLOSURE OF THE INVENTION The invention makes it possible to solve this problem by proposing an automated method of evaluating the robustness of the anonymisation of a data set (quantifying the level of risk of re-identification of an individual and of disclosure of information). The method according to the invention calculates, for predetermined categories of data, one or more indicators. The value of these indicators automates a delivery decision of the anonymized data set. The invention therefore essentially relates to a method of evaluating the robustness of an anonymization of a data set characterized in that it comprises the following steps: - Acquisition of an anonymized dataset - Structuring the game anonymized data in at least one table, each column of the table corresponding to a property, each row corresponding to a record, a record being a set of values each value corresponding to a property; Structuring at least one category of properties, such category being a set of properties; - Producing at least one indicator according to value distributions within a property corresponding to the at least one structured category; - Comparing the at least one indicator to at least one predetermined threshold and, if the comparison fails, producing an alert message. The invention also has the following characteristics to consider according to the technically possible combinations: the evaluation is carried out at each anonymization, its result making it possible to control a transmission of the anonymized data set. a category is part of the group consisting of at least the following elements: explicit identifier: a piece of data whose only knowledge makes it possible to associate the recording with an entity, quasi-identifier: a piece of data that is considered with at least one other item of the item; same category allows registration to be associated with an entity; sensitive attribute: data whose association with an entity could be detrimental to it; non-sensitive attribute: a datum whose association with an entity would not directly harm it. An indicator is an indicator of uniqueness. the uniqueness indicator is calculated from data belonging to the quasi- identifiers category. - an indicator is an indicator of diversity. the diversity indicator is computed from data belonging to the sensitive data category and the quasi-identifier category. - an indicator is a proximity indicator. the proximity indicator is computed from data belonging to the sensitive data category and the quasi-identifier category. - Several indicators are combined to control the production of the alert message.

The present invention also relates to a device for implementing steps of the method according to the invention.

The present invention also relates to a non-transitory storage device on which are recorded codes instructions for implementing the method according to the invention.

BRIEF DESCRIPTION OF THE FIGURES Other features and advantages of the invention will emerge on reading the description which follows, with reference to the appended figures, which illustrate: FIG. 1: an illustration of an infrastructure allowing the implementation of the invention; Figure 2: an illustration of steps of the method according to the invention.

For the sake of clarity, identical or similar elements are marked with identical reference signs throughout the figures unless otherwise specified. The invention will be better understood on reading the description which follows and on examining the figures which accompany it. These are presented as an indication and in no way limitative of the invention.

Detailed description of an embodiment

FIG. 1 shows a robustness evaluation server 100 according to the invention. The robustness evaluation server according to the invention comprises: a microprocessor 110; storage means 120, for example a hard disk, a memory card, or an integrated component, or part of an integrated component, dedicated to data storage, a RAID array. The storage means are local or remote; a communication interface 130, for example a communication card according to the Ethernet protocol. Other protocols are possible as IP. The communication interface may be wired or uncabled;

The microprocessor 110 of the robustness evaluation server, the storage means 120 of the robustness evaluation server and the communication interface 130 of the robustness evaluation server are interconnected by a bus 150.

When an action is taken to a device it is in fact carried out by a microprocessor of the device controlled by instruction codes stored in a memory of the device. If an action is taken to an application, it is actually performed by a microprocessor of the device in a memory of which instruction codes corresponding to the application are recorded. When a device or an application transmits a message, this message is sent via a communication interface of said device or of said application. In these cases, a device is real or virtual.

FIG. 1 shows that the storage means 120 comprise a plurality of zones. Each zone is structured to fulfill a function. Thus the storage means of the terminal according to the invention comprises: a processing zone 120.1 comprising instruction codes corresponding to the implementation of the method according to the invention. That is to say instruction codes resulting from the implementation of a development environment for the implementation of the method according to the invention. A zone 120.2 of categories, that is to say a structured zone for recording the description of a category of data. Such a structure makes it possible to associate a category identifier, for example a name, with description information of the category. It can be a row in a table or a hierarchical structure of type XML. The categories are: o explicit identifier: a piece of data whose only knowledge makes it possible to associate the recording with an entity; o quasi identifier: a datum which, when considered with at least one other datum of the same category, makes it possible to associate the recording with an entity; a quasi identifier is simple or composite. It is simple when it has only one key, it is composite when it comprises at least two keys; o sensitive attribute: a data whose association with an entity could harm it o non-sensitive attribute: a data whose association with an entity would not directly harm it - A 120.3 zone of anonymized data. This is an area that allows to record the data supposedly anonymized. From a conceptual point of view such a zone can be seen as a table in which each line corresponds to a record, and each column to a property of a record. - A 120.4 contract area. This is an area that at least allows to associate an identifier of an indicator with a threshold value. The content of the contract area is therefore used for the determination of the robustness as the relative position of the result of the evaluation of the robustness with respect to the threshold value.

The structure of 120.2 also allows you to associate a category with a list of properties. A property, and especially its value, characterizes a record.

For the data area, if the data is considered to be patient data for a hospital, then a record is a patient. The properties are, for example: - Name, - Postal Code - Age, - Pathology, - Sex, - Number of children,

FIG. 2 shows a step 1000 of acquisition of an anonymized data set. Step 1000 can be implemented by the server for all or part. The server 100 performs at least the updating of the area 120.3 of anonymized data, ie the recording of data to allow their replay. Such a step is a step of transforming a set of original data by implementing the following steps: - Selection or extraction according to predetermined criteria; - Anonymization, for example, by transformation and / or generalization of property values. In general, for a device, the fact of acquiring data indicates the fact that this data is read in a local or remote memory.

In a variant of the invention the anonymization is reduced to the acquisition of an anonymized dataset without performing the actual transformations. At the end of the anonymization step, therefore, in the area 120.3 of anonymized data, there is a set of records, some of whose properties have been anonymised.

In a step 1010, the robustness evaluation server 100 structures these anonymized data by associating with each property a name that makes it possible to designate the property. The steps of anonymization and structuring can be confused, the structure of the anonymized data to be known for the rest of the process. Anonymized data is like a table.

In a step 1020, the server structures at least one category of properties. A definition of such a category is read in zone 120.2 of categories. The category area 120.2 can be updated from the moment the structuring of anonymized data is known. At the moment when the structuring is known one can indeed associate with each property a category among those mentioned above and thus produce a structure of categories. It is also possible that a property does not belong to any category, it will then be ignored by the method according to the invention.

It is noted here that the composition of the categories is a parameter of the process. The composition of categories may therefore vary from one implementation to another.

The server then proceeds to a step 1030 of calculating at least one indicator. The indicator to be calculated is known by acquiring the content of the zone 120.4 which defines thresholds by indicator. If an indicator is associated with a threshold then this indicator must be calculated.

The mode of calculating an indicator is, according to the variants: - Predetermined: an identifier of an indicator is associated with a category of data or more particularly with a property; - Parameterizable: the contract area is used to associate an indicator with a category of data or more particularly with a property.

Indicator calculations are done for equivalence classes. An equivalence class is constituted by a set of records having an identical value of quasi-identifier.

The indicators that can be calculated are: - A unique indicator: it evaluates the level of reduction of details of a quasi-identifier. In one embodiment, this is the minimum cardinality among the cardinality of the equivalence classes constituting the data set, and more particularly for a property in the category of quasi-identifiers. - A diversity indicator: it evaluates the level of the diversity of values of a sensitive attribute. For example: o calculate the minimum number of distinct values taken by a sensitive attribute within the different equivalence classes constituting the dataset, and / or o calculate the minimum entropy of the distribution of the values taken by an attribute sensitive within the different equivalence classes making up the dataset. An indicator of entropy diversity is then obtained. - A proximity indicator: it evaluates the level of fidelity of the values of a sensitive attribute within a class of equivalence to the values of this attribute in the complete dataset. The quantitative evaluation of the proximity can be obtained by different metrics. For example, one can use at least two modes of computation: o calculation of a divergence, for example the maximum Kullback Leiber divergence between the distribution of the values of a sensitive attribute within the equivalence classes and the distribution values of this attribute in the data set, and / or o calculating the maximum difference between the distribution of the values of a sensitive attribute within the equivalence classes and the distribution of the values of this attribute in the database . This indicator is called the inductor tD.

Let us recall that the entropy IE within a class of equivalence Ci is defined by the following equations:

With: - p the probability of distribution of the values of a sensitive attribute within an equivalence class Ci; - This is the set of equivalence classes of the anonymized data set. We also recall the method of calculating the divergence Kullback Leiber:

With: - p the probability of distribution of the values of a sensitive attribute within an equivalence class Ci; - f the probability of distribution of the values of a sensitive attribute within the anonymized data set. The inductor tD is obtained by applying the following formulas:

With the definitions of p and f above.

For a dataset, we obtain as much indicator value as there is an equivalence class in the dataset. The value used to characterize the dataset is the most sensitive value, that is, the one with the lowest robustness.

The calculation of an indicator is therefore done in two steps: - calculation of an indicator value for each equivalence class; - selection of a value from the calculated values.

We have just described 5 indicators and their method of calculation. For a contract one must have at least one indicator associated with a threshold. Once the indicator or indicators have been calculated, the value or values obtained are compared, in a comparison step 1040, with their respective thresholds. If the comparison fails, then the server produces an alert message. Such a message is, for example, an email that is sent to a predetermined recipient. Such a message may also be the update of a value in a local or remote database.

If the transmission of the anonymized file is conditioned on reading the value updated by the method according to the invention, then it is possible to automatically block the delivery of a file whose anonymization would not be sufficiently robust. We thus pilot the emission of anonymized files.

In a variant of the invention, an alert message is in fact a report that is sent regardless of the result of the evaluation of the robustness.

With such a method it is understood that it is easy to integrate it into a controlled automation process of data dissemination. We already know how to automate extraction and anonymization. It is therefore sufficient to add a step according to the invention by giving it control over a transmission step. This ensures that no data set whose anonymization is not robust enough can be issued.

Claims (12)

1. A method for evaluating the robustness of an anonymization of a data set characterized in that it comprises the following steps: - Acquisition (1000) of an anonymized data set - Structuring (1010) of the set of anonymized data in at least one table, each column of the table corresponding to a property, each row corresponding to a record, a record being a set of values each value corresponding to a property; Structuring (1020) at least one category of properties, such category being a set of properties; - Producing (1030) at least one indicator according to value distributions within a property corresponding to the at least one structured category; - Comparing (1040) the at least one indicator to at least one predetermined threshold and, if the comparison fails, producing an alert message. 2. A method for evaluating the robustness of an anonymization according to claim 1, characterized in that the evaluation is performed at each anonymization, its result for controlling a transmission of the anonymized data set. 3. Method for evaluating the robustness of an anonymization according to one of the preceding claims, characterized in that a category is part of the group consisting of at least the following elements: - explicit identifier: a data whose only knowledge is used to associate the record with an entity; - quasi identifier: a data item that considers with at least one other data item of the same category makes it possible to associate the recording with an entity; - sensitive attribute: data whose association with an entity could be detrimental to it; - non-sensitive attribute: a datum whose association with an entity would not cause it direct harm. 4. A method of evaluating the robustness of an anonymization according to one of the preceding claims, characterized in that an indicator is an indicator of uniqueness. 5. A method of evaluating the robustness of an anonymization according to claim 4 characterized in that the uniqueness indicator is calculated from data belonging to the category of quasi-identifiers. 6. A method for evaluating the robustness of an anonymization according to one of the preceding claims, characterized in that an indicator is an indicator of diversity. 7. A method of evaluating the robustness of an anonymization according to claim 6 characterized in that the diversity indicator is calculated from data belonging to the category of sensitive data and the category of quasi-identifier. 8. A method of evaluating the robustness of an anonymization according to one of the preceding claims, characterized in that an indicator is a proximity indicator. 9. A method of evaluating the robustness of an anonymization according to claim 6 characterized in that the proximity indicator is calculated from data belonging to the category of sensitive data and the category of quasi-identifier. 10. A method for evaluating the robustness of an anonymization according to one of the preceding claims characterized in that several indicators are combined to control the production of the alert message. 11. Device 100 for performing a step of a method according to one of the preceding claims. 12. Device (120) for non-transient storage on which are recorded codes instructions for implementing a method according to one of claims 1 to 10.