JP2013125374A - Information processing method, device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To protect privacy while leaving an inclination of appearance distribution of an original value.SOLUTION: The information processing method includes steps of: determining, for every type of attribute values of a first attribute that is included in a plurality of records and designated as an object of ambiguity, whether or not a distribution of the number of records satisfies a condition representing to have a large deviation, from data stored in a data storage part for storing the number of records in which the attribute values of the first attribute appear, in the plurality of records; and when the distribution of the number of records satisfies the condition representing to have the large deviation, replacing the attribute value of the first attribute of at least one record of the plurality of records, by ambiguity data, and storing them in the data storage part.

Description

  The present technology relates to a technology for anonymizing data.

  When disclosing statistical values of data related to privacy, privacy may be infringed depending on the distribution of data. For example, consider conducting a questionnaire survey of four employees and disclosing the statistical results to the employees.

  FIG. 1 shows an example of a questionnaire result. Four people answered each of the three questions, and the statistical results are shown. Here, it is assumed that each answer is privacy information. That is, for each question, each employee thinks that he / she does not want other employees to know what he / she answered. Each employee also knows who answered this questionnaire.

  At this time, since all of the answers to question 1 are “dissatisfied”, there is a problem that other employees know what each employee answered. Further, since the answer to question 2 is that all but one person is “dissatisfied”, there is a problem that which one of the employees answered “dissatisfied” is known. Note that the answers to question 3 are small in bias, and no employee can uniquely know the answers of other employees unless collusion is made.

  By the way, the anonymization technique called k-anonymization technique is known. The k-anonymization technique is a technique for changing data so that, for example, table data has k or more records having the same attribute values that do not cause much privacy.

  For example, consider a questionnaire survey on questions such as those shown in FIG.

  FIG. 2 shows an example of this questionnaire response. Each record (that is, a row) is the response content of each employee. Each attribute (that is, column) is a survey item, “Department” and “Age” are attributes that do not cause much privacy, and “Reply” content is privacy information. Also, as before, each employee knows who answered this questionnaire.

  Furthermore, this time, when disclosing the questionnaire results, it is assumed that not only the overall statistical values but also the statistical values as detailed as possible are disclosed. As a result, for example, the “development department” may be able to provide a lot of information, such as a high dissatisfaction rate, or a “young person” having a high dissatisfaction rate.

  However, disclosing the data of FIG. 2 as it is has a privacy problem. If it is disclosed as it is, for example, those who know that Taro, 26-year-old Planning Department answered, will know that the first record is Taro, so I know that Taro is dissatisfied End up.

  Therefore, it is conceivable to disclose data changed by the k-anonymization technique. When k-anonymization technology is used, the values of “department” and “age”, which are attributes that do not cause much privacy problems, are changed.

  FIG. 3 shows an example in which data is changed by applying the k-anonymization technique (k = 4). Even if you look at this chart, you can only tell if the record of Taro, 26 years old, is one of the first to fourth. On the other hand, information that the planning department / development department tends to have a high dissatisfaction rate is obtained.

  As described above, it is an effect of the k-anonymization technology that allows any individual (generally not limited to) records to be limited to at least k records while leaving some information. .

  However, just because the k-anonymization technology is applied does not necessarily change to a table that does not have a privacy problem even if disclosed.

  In the example described above, for example, when Jiro who answered “normal” at the planning department 42 years old looks at the data in FIG. 3, his record is second, so the record of Mr. Taro 26 years old at the planning department is It turns out that it is 1st, 3rd, or 4th. Then, it turns out that Taro responded that he was dissatisfied. This is because there is a large bias in the statistical values {dissatisfaction: 3, normal: 1} of responses in the group where (department, age) = (planning department / development department, 25/26/28/42).

  Thus, disclosing a table to which the k-anonymization technique is applied corresponds to disclosing a plurality of statistical values with a small number of records, and a statistical value with a large bias tends to occur.

  Moreover, there is a k-anonymization technique that satisfies l-diversity as a k-anonymization technique that reduces the bias of attribute values that serve as privacy information.

  l-diversity is an attribute statistic that is privacy information for each group created by k-anonymization (records with the same attribute values that do not cause much privacy). It is a property. For example, the data in FIG. 3 satisfies 2-diversity. Because there are two types of responses, dissatisfied and normal, (Department, Age) = (Management Department / Sales Department), (Department, Age) = (Planning Department / Development Department, 25/26/28/42) , 24/35/36/44), there are three types of responses, dissatisfied, normal and satisfied, and there are no other groups.

  The data in FIG. 3 satisfies 2-diversity, but as mentioned above, privacy protection is insufficient. Therefore, it can be said that privacy protection is generally insufficient simply by satisfying 2-diversity.

  Therefore, it is conceivable that l ≧ 3. However, there is a problem that if l is increased, less information can be disclosed.

  FIG. 4 shows an example in which the data shown in FIG. 2 is changed by applying k-anonymization technology (k = 4) that satisfies l-diversity (l = 3). Even if this table is disclosed, no one can uniquely determine who made what other than his own.

  However, from the table in FIG. 4, it is difficult to obtain information that seems to be more meaningful than the overall statistics. For example, the development department cannot get information that the dissatisfaction rate is higher (than the average) or that young people have a high dissatisfaction rate.

  As described above, the k-anonymization technique satisfying l-diversity has a problem that privacy protection may be insufficient when l ≦ 2 although it is desired to reduce l in order to increase the obtained information.

  As another technique, conventionally, there is a disturbance technique in which the value of an attribute that does not cause much privacy is probabilistically changed to a table that does not cause much privacy even if disclosed. However, using such a technique, it is difficult to estimate who answered what, but it is difficult to obtain information that is more meaningful than the overall statistics. In other words, there is no information that the development department has a high dissatisfaction rate or that young people have a high dissatisfaction rate. Although probabilistic information should be obtained, it is difficult to calculate the probability, and even if it can be calculated, it is thought that a lot of information cannot be expected.

JP 2011-128862 A JP 2011-100116 A

L. Sweeney. Achieving k-Anonymity Privacy Protection using Generalization and Suppression.International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, Vol. 10, No. 5, pp. 571-588, 2002. K. LeFevre, D. J. DeWitt, R. Ramakrishnan. Incognito: Efficient Full-Domain k-Anonymity. In Proceedings of the 2005 ACM SIGMOD International Conference on Management of Data, pp. 49-60, 2005. K. LeFevre, D. J. DeWitt, R. Ramakrishnan. Mondrian Multidimensional k-Anonymity. In Proceedings of the 22nd International Conference on Data Engineering, pp. 25-, 2006. A. Machanavajjhala, J. Gehrke, D. Kifer, M. Venkitasubramaniam. L-Diversity: Privacy Beyond k-Anonymity. ACM Transactions on Knowledge Discovery from Data, Vol. 1, Issue 1, Article No. 3, 2007.

  Accordingly, an object of the present technology is, according to one aspect, to provide a technology that protects privacy while leaving a tendency of an appearance distribution of original values.

  The information processing method according to the present technology includes (A) the attribute of the first attribute among the plurality of records for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. A step of determining whether or not the distribution of the number of records satisfies a condition indicating that the deviation is large from data stored in the data storage unit in which the number of records in which the value appears is stored; If the distribution of the number satisfies the condition indicating that the bias is large, the attribute value of the first attribute in at least one of the plurality of records is replaced with the ambiguous data, and the data storage unit And storing in the.

  Privacy protection can be performed while leaving the trend of the appearance distribution of the original values.

FIG. 1 is a diagram for explaining the background art. FIG. 2 is a diagram for explaining the background art. FIG. 3 is a diagram for explaining the background art. FIG. 4 is a diagram for explaining the background art. FIG. 5 is a functional block diagram of the information processing apparatus according to the first embodiment. FIG. 6 is a diagram illustrating an example of a frequency table. FIG. 7 is a diagram illustrating a processing flow of processing according to the first embodiment. FIG. 8 is a diagram illustrating an example of the frequency table after the change. FIG. 9 is a diagram illustrating an example of the record group after the change. FIG. 10 is a functional block diagram of the information processing apparatus according to the second embodiment. FIG. 11 is a diagram illustrating a main processing flow in the second embodiment. FIG. 12 is a diagram illustrating an example of a record group. FIG. 13 is a diagram illustrating an example of a frequency table according to the second embodiment. FIG. 14 is a diagram illustrating a processing flow of the obfuscation processing. FIG. 15 is a diagram illustrating a processing flow of the probability calculation processing. FIG. 16 is a diagram illustrating a processing flow of the obscuring processing. FIG. 17 is a diagram illustrating an example of the changed frequency table. FIG. 18 is a diagram illustrating an example of a record group changed according to the changed frequency table. FIG. 19 is a diagram illustrating another example of the changed frequency table. FIG. 20 is a diagram illustrating an example of a record group changed according to the changed frequency table. FIG. 21 is a diagram illustrating an example of the original data after the change. FIG. 22 is a diagram illustrating a processing flow of the obfuscation processing according to the third embodiment. FIG. 23 is a diagram illustrating an example of data processed in the obfuscation process according to the third embodiment. FIG. 24 is a functional block diagram of a computer.

[Embodiment 1]
FIG. 5 shows a configuration example of the information processing apparatus according to this embodiment. As illustrated in FIG. 5, the information processing apparatus 100 includes a first data storage unit 110, a determination unit 120, an ambiguity processing unit 130, and a second data storage unit 140.

  For example, as shown in FIG. 6, the first data storage unit 110 becomes privacy information for a certain record group, and therefore, for the attribute to be obfuscated, the appearance frequency is stored for each attribute value that appears in the record group. . In the example of FIG. 6, the appearance frequency of the value “unsatisfied” is “3”, and the appearance frequency of the value “normal” is “1”. Such data is called a frequency table. The first data storage unit 110 also stores values of the value type m that can be taken as attribute values.

  Based on the frequency table stored in the first data storage unit 110, the determination unit 120 determines whether there is a bias in the appearance frequency distribution. When the determination unit 120 detects the occurrence of bias, the determination unit 120 instructs the obscuration processing unit 130 to perform processing. In accordance with an instruction from the determination unit 120, the ambiguity processing unit 130 is at least one of a record group (original data of data stored in the first data storage unit 110) stored in the second data storage unit 140. The attribute value of the attribute to be obfuscated in one record is replaced with the obfuscation data, and the replacement result is stored in the second data storage unit 140.

  Next, processing contents of the information processing apparatus 100 according to the present embodiment will be described with reference to FIG. First, the determination unit 120 reads a frequency table for a record to be processed from the first data storage unit 110 (step S1). Then, the determination unit 120 determines whether the appearance frequency distribution is largely biased from the frequency table (step S3).

  For example, when only two types of attribute values appear in the frequency table and the appearance frequency of the attribute value with the lower appearance frequency is 1 or 2, or when only one type of attribute value appears Therefore, it is determined that the distribution of the appearance frequency is largely biased. When the respondent himself / herself sees the result, such a condition is adopted in order to make it impossible to uniquely identify the answers of other respondents. In this case, in step S5, attribute values of at most two records are obscured.

  If there is a premise that the responding person does not see the result, for example, only two types of attribute values appear in the frequency table, and the appearance frequency of the attribute value with the lower appearance frequency is 1. If only one type of attribute value appears, it is determined that the distribution of the appearance frequency is largely biased. In such a case, in step S5, the attribute value of at most one record is obscured.

  In addition to this, a reference is set in advance, and if the index value representing the appearance frequency deviation is equal to or greater than the preset reference, it is determined that the appearance frequency deviation is large.

  If it is not determined that the appearance frequency distribution is largely biased, the process ends. On the other hand, when it is determined that the distribution of appearance frequencies is largely biased, the determination unit 120 instructs the obscuration processing unit 130 to perform processing. In accordance with the instruction from the determination unit 120, the ambiguity processing unit 130 probabilistically obfuscates one or more attribute values in the frequency table in accordance with the appearance frequency bias (step S5). The ambiguity processing unit 130 stores the changed frequency table in the first data storage unit 110.

  For example, in the present embodiment, for example, the appearance frequency is biased (for example, when only two types of attribute values appear and the appearance frequency of the attribute value with the lower appearance frequency is 1, the case is 2) and A plurality of obscuring modes are prepared according to n. And in each obfuscation mode, for example, one of a plurality of patterns that replace the attribute value of 1 or 2 with the obfuscation data according to the probability determined according to the value of m and the sum n of the appearance frequencies. Select. If only one type of attribute value appears, it can be said that the distribution of the appearance frequency is largely biased. However, since only one type of attribute value can be obscured, the attribute value is obscured as it is. Become.

For example, as shown in FIG. 6, when there are two types of attribute values that appear, dissatisfied and normal, and the normal appearance frequency that is the lower appearance frequency is 1, if m = 3 and n = 4 The following obscuration pattern is defined as one obscuration mode.
A: Ambiguity of 1 record of dissatisfaction and 1 record of ordinary with 11% probability B: Disambiguation of 1 record of dissatisfaction with other (89%)

  Therefore, the ambiguity processing unit 130 generates a random number, selects the pattern A or B, and changes the frequency table. For example, when the pattern B is selected, the frequency table is changed as shown in FIG. In the example of FIG. 8, “?” Is used as the ambiguous data. In this way, the attribute value is replaced with data that cannot be specified. However, not only “?” But also the probability distribution information of the original value may be included. Specifically, in this example, the data (dissatisfaction = 57%, normal = 43%) may be included.

  Thereafter, the ambiguity processing unit 130 changes some records of the record group stored in the second data storage unit 140 according to the changed frequency table, and the changed records are stored in the second data storage unit 140. Store (step S7). When changing to the frequency table as shown in FIG. 8, one record with the attribute value “dissatisfied” is selected and replaced with the ambiguous data. In the example described above, since the frequency table for the first to fourth lines in FIG. 3 is processed, the first to fourth lines in FIG. One of the three records having the attribute value “dissatisfied” of the attribute “answer” is randomly selected and replaced with the ambiguous data. For example, the data is changed as shown in FIG. In the example of FIG. 9, as described above, the attribute value “dissatisfied” of the attribute “answer” of the third line of the first to fourth lines of FIG. 3 is “? (Dissatisfaction = 57%, Normal = 43%) ”.

  In this way, even if the respondent sees the result of FIG. 9, it is not possible to uniquely identify how other respondents answered. On the other hand, the “planning department / development department” can also grasp that the number or ratio of dissatisfaction tends to be high. That is, even when the appearance frequency is largely biased, privacy protection can be achieved while maintaining the tendency of the appearance frequency of the original value.

  It should be noted that the attribute value of the attribute to be obfuscated in the direct record may be replaced with the ambiguous data as long as it can be determined in step S7 which attribute value is to be replaced with the ambiguous data without changing the frequency table. .

[Embodiment 2]
FIG. 10 shows a configuration example of the information processing apparatus according to this embodiment. As illustrated in FIG. 10, the information processing device 200 includes a first data storage unit 210, a k-anonymization processing unit 220, a grouping processing unit 230, an output unit 240, an input unit 250, and an ambiguity process. Unit 260 and a second data storage unit 270.

  The first data storage unit 210 stores a group of records to be processed. The k-anonymization processing unit 220 performs a well-known k-anonymization process on the record group stored in the first data storage unit 210.

  The input unit 250 accepts an input of a combination of an attribute that does not matter much in terms of privacy protection and an obfuscation target attribute and the number m of attribute values that the attribute can take, and stores the input in the first data storage unit 210. .

  The grouping processing unit 230 groups records having the same attribute value with no problem in terms of privacy protection for the record group after the k-anonymization processing. The grouping processing unit 230 stores data regarding grouping in the first data storage unit 210.

  The obscuring processing unit 260 performs the obscuring processing for each group, and stores the obscuring processing result in the first data storage unit 210. Note that the obscuration processing unit 260 stores data in the middle of processing such as a frequency table in the second data storage unit 270. The output unit 240 outputs the data stored in the first data storage unit 210 to an output device (such as a display device or a printing device).

  Next, processing contents of the information processing apparatus 200 will be described with reference to FIGS. 11 to 21. The input unit 250 has already received an input from the user of a combination of the attribute to be obfuscated in the record group stored in the first data storage unit 210 and the number m of types of attribute values that the attribute can take. Assume that the data is stored in the data storage unit 210. For example, it is assumed that the department, age, and questionnaire responses 1 and 2 are attributes in the record group, and the department and age are designated as attributes that do not matter much about privacy protection. The obfuscation target attribute which is privacy information is assumed to be answer 1 and answer 2. For the answer 1, there are three possible attribute values of attribute values “dissatisfied”, “normal”, and “satisfied”, and an input such as {answer 1: 3} is made. That is, for answer 1, m = 3. Also, there are three possible attribute values for the answer 2, which are attribute values “dissatisfied”, “normal”, and “satisfied”, and an input such as {answer 2: 3} is made. That is, for answer 2, m = 3.

  Then, the k-anonymization processing unit 220 performs a well-known k-anonymization process on the record group stored in the first data storage unit 210, so that there is not much problem in terms of privacy protection. The attribute value is changed so that the attribute value of the attribute is the same for k records or more, and the changed data is stored in the first data storage unit 210 (FIG. 11: step S11). In this embodiment, it is assumed that data shown in FIG. 12 is stored in the first data storage unit 210 at this stage. In the example of FIG. 12, k = 4, so that the record of the department “manufacturing department” and the age “25-42” becomes four records, and the record of the department “sales department” and the age “24-44” The attribute value of the age attribute is changed so as to be 4 records.

  Thereafter, the grouping processing unit 230 groups the records based on the attribute values of attributes other than the obfuscation target attribute for the record group after the k-anonymization processing stored in the first data storage unit 210 ( Step S13). In the example of FIG. 12, records having the same department and age attribute values are classified into the same group. As described above, the four records of the department “manufacturing department” and age “25-42” and the four records of the department “sales department” and age “24-44” are specified as a group, and data for grouping Is stored in the first data storage unit 210. For example, data indicating that records 1 to 4 are a first group and records 5 to 8 are a second group is stored.

  Thereafter, the ambiguity processing unit 260 identifies one unprocessed group based on the grouping data stored in the first data storage unit 210 (step S15). Furthermore, the obscuration processing unit 260 identifies one unprocessed obscuration target attribute (step S16). Then, the obfuscation processing unit 260 generates a frequency table for the specified group and the obfuscation target attribute, and stores it in the second data storage unit 270 (step S17). For example, when a frequency table is generated for the attribute “answer 1” of the group of records 1 to 4, a frequency table as shown in FIG. 13 is obtained.

  Then, the obscuring processing unit 260 performs the obscuring processing (step S19). The obfuscation process will be described with reference to FIGS.

  The obfuscation processing unit 260 reads the frequency table from the second data storage unit 270, and reads from the first data storage unit 210 the number m of attribute value types that can be taken for the specified group and the attribute to be obfuscated (see FIG. 14: Step S31). Further, the obscuration processing unit 260 sets the total frequency (total appearance frequency) in the frequency table for the variable n (step S33). Then, the ambiguity processing unit 260 determines whether n is 3 or more (step S35). When n is less than 3, that is, 1 or 2, the obscuring processing unit 260 obscures all elements in the frequency table (step S37). Since the total frequency is too low to publish as it is and privacy protection cannot be achieved, any attribute value is replaced with ambiguous data. For example, replace with “?”. Note that probability distribution information may be added. In this case, data with a probability of 1 / m is added for each attribute value. The process proceeds to step S65 in FIG.

  On the other hand, if n is 3 or more, the ambiguity processing unit 260 determines whether the number of records in the frequency table is 2 (step S39). If the number of records in the frequency table is other than 2, the ambiguity processing unit 260 determines whether the number of records in the frequency table is 1 (step S41). When the number of records in the frequency table is other than 1, that is, 3 or more, there is no problem in terms of privacy protection without replacing with obfuscated data. Return.

  On the other hand, if the number of records in the frequency table is 1, the obfuscation processing unit 260 obfuscates two of the appearance frequencies n of the only records in the frequency table (step S43). When only one type appears even though the type of attribute value that can be taken is m in this way, it is determined that there is a large bias in the appearance frequency, and two of the appearance frequencies n are obscured. Replace with data. Then, the appearance frequency of the original attribute value is n-2, and the appearance frequency of the ambiguous data is 2. The ambiguous data is, for example, “? (A = probability P, other than a = (1-P) / (m−1) each)”. a is an attribute value replaced with obfuscated data, and P is 4/7 when n = 4, and 2 / (n + 1) otherwise. This will be described in detail below. Thereafter, the processing shifts to step S65 in FIG.

  If the number of records in the frequency table is 2, the obfuscation processing unit 260 rearranges the records in the frequency table in the order of appearance frequency, and sets a greater number as a and a smaller number as b (step S45). Then, the ambiguity processing unit 260 determines whether the appearance frequency of b is 2 or less (step S47). If the appearance frequency of b is 3 or more, there is no problem in privacy protection even if it is not replaced with obfuscated data, so nothing is done and the process returns to the caller process via terminal C.

  On the other hand, if the appearance frequency of b is 2, the ambiguity processing unit 260 performs a probability calculation process (step S49). In the probability calculation process, probabilities x and p are calculated from m and n. The process proceeds to step S51 in FIG.

  The probability calculation process will be described with reference to FIG. However, the concept in the case of n ≧ 3 will be described before describing specific processing.

  First, when the frequency table is {a: n} (the appearance frequency of the attribute value a is n), in order to prevent a specific person from uniquely determining that a specific person is a, at least two are used. If it becomes ambiguous, there will be no problem in privacy protection. On the other hand, since a lot of information is presented, we want to minimize ambiguity, so {a: n-2,? : 2} should be obscured. “?” Is obfuscated data.

{A: n-2,? : 2} In order to prevent the original frequency table of {2: n} from being determined to be {a: n}, the probabilities x, y, p, and q are determined as follows.
When the frequency table is {a: n-1, b: 1}, {a: n-2,? : 2} is assumed to be x.
When the frequency table is {a: n-1, b: 1}, {a: n-2, b: 1,? : 1} is y.
When the frequency table is {a: n-2, b: 2}, {a: n-2 ,? : 2} is assumed to be p.
When the frequency table is {a: n-2, b: 2}, {a: n-2, b: 1,? : 1} is assumed to be q.
Here, 0 ≦ x, 0 ≦ y, 0 ≦ p, 0 ≦ q, x + y ≦ 1, and p + q ≦ 1.

  At this time, if the appearance probabilities of possible attribute values (such as a and b) are all equal, {a: n−2,? : 2} When the probability that the original frequency table of {a: n} is {a: n-2 ,? : 2} when the probability that the original frequency table of {a: n-1, b: 1} is viewed from the persons B and b {a: n-2, b: 1 ,? : 1}, where C is the probability that the frequency table is {a: n−1, b: 1}, A, B and C are expressed by the following equations. Note that v = m−1.

  At this time, {a: n-2,? : 2} in the original frequency table? The expected value of the number of a corresponding to E, {a: n-2, b: 1,? : 1} in the original frequency table? If the probability that A is a is P, they are as follows.

  In order to maximize privacy protection, consider obtaining x, y, p, and q where A = B = C and the value is minimized. When any one of A, B, and C is 1, it is uniquely determined by the other person that the specific person is a.

  From A = B = C, p is represented by x by the following equation.

  Here, when n ≧ 5, when x + y = p + q = 1, A, B, and C are minimum, and x, A, P, and E are as follows.

When n = 4, when obscuring {a: 2, b: 2}, {a: 2,? : 2} and {b: 2 ,? : 2}, {a: 2, b: 1,? : 1} and {a: 1, b: 2,? : 1} to equalize, respectively, when x + y = 1 and p + q = 1/2, A, B, and C are minimized, and x,
A, P, and E are as follows.

  In the case of n = 3, symmetry is considered in the same manner as in the case of n = 4, x + y + p = 1, q = y, and x, A, P, E are as follows.

  From the above view, the processing as shown in FIG. 15 is performed. That is, the ambiguity processing unit 260 sets v = m−1 (step S61). Then, the ambiguity processing unit 260 determines whether n = 4 (step S63). If n = 4, as described above, the ambiguity processing unit 260 calculates x = 3 / 14v and P = 4/7 (step S67). The process proceeds to step S69. On the other hand, if other than n = 4, as described above, the ambiguity processing unit 260 calculates x = 2 (n−1) / (vn (n + 1)) and P = 2 / (n + 1). (Step S65). Then, the process proceeds to step S69.

Then, the ambiguity processing unit 260 calculates p = 2vnx ² / ((n−1) (2-vnx)) (step S69). Then, the process returns to the calling process.

  In the process of FIG. 14, when the total frequency n is as small as 2 or less, even when n is 3 or more and the number of appearing attribute values is 1, it is uniformly obscured to protect privacy. The obscuration mode is shown.

  Next, the processing after the terminal A will be described with reference to FIG. In FIG. 16, one of a plurality of ambiguities is selected according to the appearance frequency bias and n when the appearance frequency of the attribute value having the lowest appearance frequency is 1 and 2. In the conversion mode, one of a plurality of obscuring patterns is selected stochastically according to the probabilities x and p calculated in FIG.

  That is, the ambiguity processing unit 260 determines whether the appearance frequency of b is 2 (step S51). If the appearance frequency of b is not 2, that is, 1, the obfuscation processing unit 260 determines whether n = 3 (step S53). If n = 3, the obscuring processing unit 260 selects and executes one of the following obscuring patterns using a random number (step S57). That is, (1) obscure a1 and b1 with probability x. In this case, the appearance frequency of b is 1, but this b is also obscured and {a: 1,? : 2}, the probability distribution information is information “a = probability 1/2 (= 2 / (3 + 1)), other than a = probability (1-1 / 2) / v each”. (2) Obscure a2 with probability p. In this case, {b: 1,? : 2}, the probability distribution information is information “b = probability 1/2, other than b = probability (1-1 / 2) / v each”. (3) Otherwise, obscure a1. In this case, {a: 1, b: 1,? 1}, the information is “a = probability ½, b = probability ½ (= 1−1 / 2)”. Then, the process proceeds to step S65.

  On the other hand, when n is not 3 (n = 4 or more), the obscuration processing unit 260 selects and executes one of the following obscuration patterns using a random number (step S55). That is, (1) obscure a1 and b1 with probability x. In this case, the appearance frequency of b is 1, but this b is also obscured and {a: n-2,? Therefore, the probability distribution information is “a = probability 2 / (n + 2), other than a = probability (1-2 / (n + 2)) / v each” if m = 5 or more. Become. If m = 4, the information is “a = probability 4/7, other than a = probability (1-4 / 7) / v”. (2) Otherwise, obscure a1. In this case, {a: n-2, b: 1,? 1}, the probability distribution information is “a = probability 1/2, b = probability 1/2 (= 1−1 / 2)”. Then, the process proceeds to step S65.

  If the appearance frequency of b is 2, the ambiguity processing unit 260 determines whether n = 4 (step S59). If n = 4, the obscuring processing unit 260 selects and executes one of the following obscuring patterns using a random number (step S63). That is, (1) The a2 items are obscured with probability p. In this case, {b: 2 ,? : 2}, the probability distribution information is “b = probability 4/7, other than b = probability (1−4 / 7) / v”. (2) Obscure b2 with probability p. In this case, {a: n-2,? : 2}, the probability distribution information is information “a = probability 4/7, other than a = probability (1-4 / 7) / v”. (3) Obscure a1 with probability 0.5-p. In this case, {a: 1, b: 2,? 1}, the probability distribution information is “b = probability 4/7, a = probability 3/7 (= 1−4 / 7)”. (4) Otherwise, obscure b1. In this case, {a: 2, b: 1,? 1}, the probability distribution information is information “a = probability 4/7, b = probability 3/7 (= 1−4 / 7)”. Then, the process proceeds to step S65.

  On the other hand, when other than n = 4 (n = 5 or more), the obscuration processing unit 260 selects and executes one of the following obscuration patterns using a random number (step S61). That is, (1) b2 items are obscured with probability p. In this case, {a: n-2,? : 2}, the probability distribution information is information that “a = probability 2 / (n + 1), other than a = probability (1-2 / (n + 1)) / v each”. (2) Otherwise, obscure b1. In this case, {a: n-2, b: 1,? 1}, the probability distribution information is “a = probability 2 / (n + 1), b = probability 1-2 (n + 1)”. Then, the process proceeds to step S65.

  Thereafter, the ambiguity processing unit 260 stores the changed frequency table in the second data storage unit 270 (step S65). Then, the process returns to the caller process.

  Returning to the description of the processing in FIG. 11, when the frequency table after the change is stored in the second data storage unit 270, the ambiguity processing unit 260 calculates the difference from the frequency table before the change as the first frequency table. The attribute value of the record group that is stored in the data storage unit 210 and belongs to the group specified in step S15 is changed (step S21). Then, the obscuration processing unit 260 determines whether there is an unprocessed obscuration target attribute (step S22). If there is an unprocessed obfuscation target attribute, the process returns to step S16. On the other hand, when there is no unprocessed obfuscation target attribute, the obfuscation processing unit 260 determines whether there is an unprocessed group (step S23). If there is an unprocessed group, the process returns to step S15. On the other hand, when there is no unprocessed group, the output unit 240 connects the corrected original data stored in the first data storage unit 210 with an output device (for example, a display device, a printing device, or a network). To another computer that is being used (step S25).

  For example, in the example of FIG. 12, when the group is the department “manufacturing department” and the age is “25-42” and the ambiguity target attribute “answer 1” is the processing target, the frequency table as shown in FIG. 13 is obtained. In such a case, since the output frequency of b is “1” and n = 4, the obscuration mode in step S55 is selected. Further, according to the processing flow of FIG. 15, x = 3/28 and p = 3/56. Then, a1 and b1 are obfuscated with probability x, or a1 is obfuscated otherwise. When the latter is selected, the frequency table is changed as shown in FIG. Since a is “dissatisfied”, the appearance frequency of “dissatisfaction” is decreased by 1, and “? (dissatisfaction = 57%, normal = 43%)” is added accordingly. According to the frequency table after such change, the relevant portion of the original data in FIG. 12 is as shown in FIG. In the example of FIG. 18, one record in which “dissatisfied” is a response 1 is selected at random, and is changed to “? (Dissatisfied = 57%, normal = 43%)”.

  On the other hand, when the former is selected, the frequency table is changed as shown in FIG. In this case, the appearance frequency of “unsatisfied” is decreased by 1, and the appearance frequency of “normal” is 1, so the record itself is deleted. According to the frequency table after such change, the relevant portion of the original data in FIG. 12 is as shown in FIG. Since there is only one record whose answer 1 is “normal”, the attribute value of the record is changed to “? (Dissatisfaction = 57%, non-satisfaction = 21% each)”. Further, since there are three records whose answer 1 is “dissatisfied”, one is selected at random and is changed to “? (Dissatisfaction = 57%, non-satisfaction = 21% each)”.

  Note that the entire original data in FIG. 12 is converted into data as shown in FIG. 21, for example, and output in step S25. As for the obfuscation target attribute of the answer “1” of the group “sales department” and age “24-44”, since three types of attribute values appear, they are output without being obfuscated. Also, for the obfuscation target attribute “answer 2” of the group “sales department” and age “24-44”, only one type of attribute value “normal” appears, so two records are selected at random. Are replaced with obfuscated data. For other groups and obscuring target attributes, any obscuring pattern is selected probabilistically.

[Embodiment 3]
In the second embodiment, even if the respondent sees the original data after the change, the answer of other respondents cannot be specified uniquely, but the respondent sees the data after ambiguity. If there is no ambiguity, the obscuring process of FIGS. 14 and 16 may be performed as shown in FIG.

  However, when n is 3 or more, it is considered as follows. In other words, if the frequency table is {a: n} (the appearance frequency of the attribute value a having the higher frequency is n, which is the same as the total frequency), the fact that the specific person is a is not related to the frequency table. In order not to be uniquely determined by a person, at least one is obfuscated. On the other hand, because we want to minimize ambiguity, {a: n-1 ,? : 1} should be obscured.

  {A: n-1,? In order to prevent the original frequency table of 1: 1 from being determined to be {a: n}, the probability x is determined as follows.

  That is, when the frequency table is {a: n-1, b: 1}, {a: n-1,? : 1} is assumed to be x. Here, 0 ≦ x ≦ 1.

  At this time, if the appearance probabilities of possible attribute values (such as a and b) are all equal, {a: n−1,? : 1}, where P is the probability that the original frequency table is {a: n}, this is

  In order to maximize privacy protection, consider finding x that minimizes P. In addition, when P becomes 1, it is uniquely determined by other persons unrelated to the frequency table that the specific person is a.

  Therefore, when n ≧ 3, when x = 1, P is minimum, and P is given by

  In addition, when n = 2, when {a: 1, b: 1} is obscured, {a: 1,? : 1} and {b: 1,? : 1} to equalize the probability, P is minimum when x = 1/2, and P is given by the following equation.

  Based on the above concept, the following processing is implemented.

  First, the ambiguity processing unit 260 reads the frequency table from the second data storage unit 270 (FIG. 22: step S101). Further, the obscuring processing unit 260 sets the total frequency (total appearance frequency) to n (step S103).

  Then, the ambiguity processing unit 260 determines whether the number of records in the frequency table is 2 (step S105). When the number of records in the frequency table is other than 2 (1 or 3 or more), the ambiguity processing unit 260 determines whether the number of records in the frequency table is 1 (step S119). If the number of records in the frequency table is not 1, that is, 3 or more, the process returns to the caller process without ambiguity.

  On the other hand, when the number of records in the frequency table is 1, the ambiguity processing unit 260 obscures one of the appearance frequencies of only one record (step S121). This is the same as step S43. As described above, if n is 3 or more, the probability distribution information is “? (A = probability P, other than a = probability (1-P) / v)”. If m = 3 and n = 4, then P = 1 / (vn + 1) = 1 / ((3-1) * 4 + 1) = 11%. Then, the process proceeds to step S117.

  If the number of records in the frequency table is 2, the ambiguity processing unit 260 rearranges the records in the frequency table in the order of frequency, and sets a greater number to a and a smaller number to b (step S107). Then, the ambiguity processing unit 260 determines whether the frequency of b is 1 (step S109). If the frequency of b is 2 or more, there is no problem under the above assumption, and the process returns to the caller process without ambiguity.

  On the other hand, when the frequency of b is 1, the ambiguity processing unit 260 determines whether n = 2 (step S111). When n is other than 2, the ambiguity processing unit 260 obscures b1 (step S115). In this case, {a: n-1,? 1}, for probability distribution information, if n is 3 or more, “a = probability P (= 1 / (vn + 1)), attribute value other than a = probability ((1−P) / v) ” Then, the process proceeds to step S117.

  If n = 2, the obscuring processing unit 260 selects and executes one of the following obscuring patterns using a random number (step S113). That is, (1) a1 is made ambiguous with probability 1/2. In this case, for probability distribution information, {b: 1,? 1}, the information is “? (B = probability 1 / (v + 1), other than b = probability (1-1 / (v + 1)) / v)”. (2) Otherwise, obscure b1. In this case, for probability distribution information, {a: 1,? 1}, the information is “? (A = probability 1 / (v + 1), other than a = probability (1-1 / (v + 1)) / v each)”. Then, the process proceeds to step S117.

  Thereafter, the ambiguity processing unit 260 stores the changed frequency table in the second data storage unit 270 (step S117).

  For example, when the example shown in FIG. 12 is processed by the processing flow of FIG. 22, data as shown in FIG. 23 is obtained. In other words, the obfuscation target attribute “answer 2” of the group “manufacturing department” and age “25-42” has been obscured in the second embodiment, but is not obscured in the present embodiment. . In addition, regarding the obfuscation target attribute “answer 1” of the group “manufacturing department” and age “25-42”, the attribute value of the record whose answer 1 is “normal” is “? 11%, other than dissatisfaction = 44% each) ”. Further, in the case where the ambiguity target attribute “answer 1” of the group “sales department” and age “24-44” is processed, it is not obscured. When the obfuscation target attribute “answer 2” of the department “sales department” and age “24-44” is processed, it is replaced with obfuscation data in step S121. That is, “? (Dissatisfaction = 11%, non-satisfaction = 44% each”).

  Although the embodiment of the present technology has been described above, the present technology is not limited to this. The functional block configuration is an example, and may not necessarily match the actual program module configuration. As for the processing flow, as long as the processing result does not change, the processing order may be changed or a plurality of steps may be executed in parallel.

  In the embodiment described above, all attribute values are treated equally. However, depending on the attribute value, a value that does not cause much privacy may be treated specially. For example, if there is no problem in disclosing that “answer” is normal for each person, [normal, normal, normal, normal] and [normal, normal, satisfied, normal] etc. are judged to have a large bias. In such a case, an algorithm that does not obfuscate the case may be used.

  The information processing apparatuses 100 and 200 described above are computer apparatuses, and as shown in FIG. 24, a memory 2501, a CPU (Central Processing Unit) 2503, a hard disk drive (HDD: Hard Disk Drive) 2505, A display control unit 2507 connected to the display device 2509, a drive device 2513 for a removable disk 2511, an input device 2515, and a communication control unit 2517 for connecting to a network are connected by a bus 2519. An operating system (OS: Operating System) and an application program for executing the processing in this embodiment are stored in the HDD 2505, and are read from the HDD 2505 to the memory 2501 when executed by the CPU 2503. The CPU 2503 controls the display control unit 2507, the communication control unit 2517, and the drive device 2513 according to the processing content of the application program, and performs a predetermined operation. Further, data in the middle of processing is mainly stored in the memory 2501, but may be stored in the HDD 2505. In an embodiment of the present technology, an application program for performing the above-described processing is stored in a computer-readable removable disk 2511 and distributed, and installed from the drive device 2513 to the HDD 2505. In some cases, the HDD 2505 may be installed via a network such as the Internet and the communication control unit 2517. Such a computer apparatus realizes various functions as described above by organically cooperating hardware such as the CPU 2503 and the memory 2501 described above and programs such as the OS and application programs. .

  The above-described embodiment can be summarized as follows.

  In the information processing method according to the present embodiment, (A) the first attribute of the plurality of records is included for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. Determining whether the distribution of the number of records satisfies a condition indicating that the deviation is large, from data stored in a data storage unit in which the number of records in which the attribute value appears is stored (B ) When the condition indicating that the distribution of the number of records has a large deviation is satisfied, the attribute value of the first attribute in at least one of the plurality of records is replaced with the ambiguous data, and the data is stored. Storing in the section.

  Thus, by replacing the attribute value of the first attribute to be obfuscated with the ambiguous data, privacy protection can be achieved while leaving the tendency of the appearance distribution of the original value.

  Further, in the information processing method according to the present embodiment, (C) a record stored in the data storage unit has an attribute value of a second attribute (or second attribute group) different from the first attribute. The extraction step of extracting a plurality of records by grouping into the same record, and (D) the number of records including the attribute value of the first attribute for each attribute value of the first attribute in the plurality of records And counting and storing in the data storage unit. In this way, the number of records may be calculated for each attribute value of the obfuscation target attribute.

  Further, the obscuration data described above may include data having a probability that the attribute value has the highest frequency among the attribute values of the first attribute. If such probability data is presented, it becomes easier to grasp the tendency of the original value.

  In addition, the extraction step described above may be performed after performing anonymization processing so that the attribute value of the second attribute (or the second attribute group) is equal to k or more. . That is, if the k-anonymization process is performed, basic privacy protection can be realized.

  Further, the above-described condition indicating that the bias is large is that the attribute value of the first attribute appears only in two types and the frequency of the attribute value with the lower frequency is 1 or 2, In some cases, the determination condition satisfies either one of the conditions that the attribute value of the first attribute has only one type. Such a condition is adopted in order to minimize the data to be obscured while making it impossible for the respondent himself / herself to uniquely identify the reply contents of other respondents even when viewing the processing result. In this case, the number of records to be replaced with the ambiguous data is at most two.

  Further, when the number of records of the plurality of records is 2 or less, the ambiguity step may be performed. Thus, when the number of original respondents is small, obfuscation is performed to protect privacy.

  In addition, the ambiguity step described above may include one or two of the plurality of records according to the probability calculated according to the number of records of the plurality of records and the number of types that the attribute value of the first attribute can take. The step of identifying any one of a plurality of obfuscation patterns for obfuscating the attribute value of the first attribute in the record, and replacing the attribute value of the first attribute with the obfuscation data according to the identified obfuscation pattern Steps may be included. When such processing is performed, privacy protection is effectively achieved.

  Further, the above-described condition indicating that the bias is large includes the condition that only two types of attribute values of the first attribute appear and the frequency of the attribute with the lower frequency is 1, In some cases, the determination condition satisfies one of the conditions that only one type of attribute value exists. For example, when the respondent himself does not see the processing result, privacy protection can be achieved even under such conditions. In this case, the number of records replaced with the ambiguous data is 1.

  Furthermore, the attribute value of the first attribute in the plurality of records includes the first attribute value and the second attribute value having a lower frequency than the first attribute value, and the number of records of the plurality of records is n. In this case, for example, the probability described above may be calculated as follows. That is, when (n−2) first attribute values appear and information indicating that two records have been replaced with the obfuscation data is generated, the first attribute value is actually n first. The probability A when it appears, and the fact that (n-2) first attribute values appear from the viewpoint of the person corresponding to the second attribute value, and that two records have been replaced with obfuscation data When information is generated, the probability B in the case where (n−1) first attribute values actually appear and one second attribute appears, and the second attribute value Information indicating that (n-2) first attribute values appear, one second attribute value appears, and one record has been replaced with obfuscation data as viewed from the person corresponding to In practice, (n-1) first attribute values appear and one second attribute appears. Probability C of cases, to satisfy the condition that is equal and minimum, may be the probability mentioned above is calculated. An appropriate probability can be calculated.

  It is possible to create a program for causing a computer to carry out the processing described above, such as a flexible disk, an optical disk such as a CD-ROM, a magneto-optical disk, and a semiconductor memory (for example, ROM). Or a computer-readable storage medium such as a hard disk or a storage device.

  The following supplementary notes are further disclosed with respect to the embodiments including the above examples.

(Appendix 1)
The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. Determining whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from the data stored in the data storage unit,
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And storing in the data storage unit;
An information processing method executed by a computer.

(Appendix 2)
An extraction step of extracting the plurality of records by grouping records stored in the data storage unit into records having the same attribute value of a second attribute different from the first attribute;
For each attribute value of the first attribute in the plurality of records, counting the number of records including the attribute value of the first attribute, and storing in the data storage unit;
The information processing method according to appendix 1, further comprising:

(Appendix 3)
The information processing method according to claim 1 or 2, wherein the obfuscation data includes data having a probability that the attribute value has the highest frequency among the attribute values of the first attribute.

(Appendix 4)
The information processing method according to claim 1 or 2, wherein the extraction step is performed after performing anonymization processing such that k or more attribute values of the second attribute have the same value.

(Appendix 5)
The condition indicating that the bias is large includes a condition that only two types of attribute values of the first attribute appear and the frequency of the attribute value having a lower frequency is 1 or 2, and the first The information processing method according to any one of appendices 1 to 4, wherein the determination condition satisfies any one of a condition that only one type of attribute value of the attribute exists.

(Appendix 6)
The information processing method according to claim 5, wherein the obfuscation step is performed when the number of records of the plurality of records is 2 or less.

(Appendix 7)
The obscuring step comprises:
The attribute of the first attribute in one or two of the plurality of records according to the probability calculated according to the number of records of the plurality of records and the number of types of attribute values of the first attribute Identifying any one of a plurality of obfuscation patterns that obfuscate values;
Replacing the attribute value of the first attribute with the obfuscation data according to the identified obfuscation pattern;
The information processing method according to any one of appendices 1 to 6, including:

(Appendix 8)
The condition indicating that the bias is large includes a condition that only two types of attribute values of the first attribute appear and the frequency of the attribute with the lower frequency is 1, and the first attribute The information processing method according to any one of supplementary notes 1 to 4, which is a determination condition that satisfies any one of a condition that only one type of attribute value exists.

(Appendix 9)
The attribute value of the first attribute in the plurality of records includes a first attribute value and the second attribute value having a frequency lower than that of the first attribute value,
The number of records of the plurality of records is n,
In the case where (n-2) first attribute values appear and information indicating that two records have been replaced with the obfuscation data is generated, the first attribute value is actually n. (N−2) first attribute values appearing from the viewpoint of the person corresponding to the second attribute value and the probability A in the case of appearing, two records were replaced with the obfuscation data. In the case where information indicating that is generated, the probability B in the case where (n−1) first attribute values actually appear and one second attribute appears, From the viewpoint of the person corresponding to the second attribute value, (n−2) first attribute values appear, one second attribute value appears, and one record is replaced with the ambiguous data. In the case where the information indicating that it has been generated is actually generated, (n-1) first attribute values appear. Cage and the probability C of when the second attribute that has emerged one so as to satisfy the condition that is equal and minimum, the information processing method according to Note 7, wherein the probability is calculated.

(Appendix 10)
The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. Determining whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from the data stored in the data storage unit,
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And storing in the data storage unit;
A program that causes a computer to execute.

(Appendix 11)
The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. A determination unit that determines whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from data stored in a data storage unit;
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And an ambiguity processing unit stored in the data storage unit,
An information processing apparatus.

100, 200 Information processing device 110 First data storage unit 120 Determination unit 130 Ambiguization processing unit 140 Second data storage unit 210 First data storage unit 220 k-anonymization processing unit 230 Grouping processing unit 240 Output unit 250 Input unit 260 Ambiguity processing unit 270 Second data storage unit

Claims (9)

The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. Determining whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from the data stored in the data storage unit,
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And storing in the data storage unit;
An information processing method executed on a computer. An extraction step of extracting the plurality of records by grouping records stored in the data storage unit into records having the same attribute value of a second attribute different from the first attribute;
For each attribute value of the first attribute in the plurality of records, counting the number of records including the attribute value of the first attribute, and storing in the data storage unit;
The information processing method according to claim 1, further comprising: The information processing method according to claim 1, wherein the obfuscation data includes data having a probability that the attribute value has the highest frequency among the attribute values of the first attribute. The information processing method according to claim 1 or 2, wherein the extraction step is performed after performing anonymization processing so that attribute values of the second attributes are equal to k or more. The condition indicating that the bias is large includes a condition that only two types of attribute values of the first attribute appear and the frequency of the attribute value having a lower frequency is 1 or 2, and the first The information processing method according to any one of claims 1 to 4, wherein the determination condition satisfies any one of a condition that only one type of attribute value of the attribute exists. The obscuring step comprises:
The attribute of the first attribute in one or two of the plurality of records according to the probability calculated according to the number of records of the plurality of records and the number of types of attribute values of the first attribute Identifying any one of a plurality of obfuscation patterns that obfuscate values;
Replacing the attribute value of the first attribute with the obfuscation data according to the identified obfuscation pattern;
The information processing method according to claim 1, comprising: The condition indicating that the bias is large includes a condition that only two types of attribute values of the first attribute appear and the frequency of the attribute with the lower frequency is 1, and the first attribute The information processing method according to any one of claims 1 to 4, wherein the determination condition satisfies any one of a condition that only one kind of attribute value exists. The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. Determining whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from the data stored in the data storage unit,
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And storing in the data storage unit;
A program that causes a computer to execute. The number of records in which the attribute value of the first attribute appears among the plurality of records is stored for each type of attribute value of the first attribute that is included in the plurality of records and designated as the object to be obfuscated. A determination unit that determines whether or not a condition indicating a large deviation is satisfied in the distribution of the number of records from data stored in a data storage unit;
When the condition indicating that the deviation is large is satisfied in the distribution of the number of records, the attribute value of the first attribute in at least one of the plurality of records is replaced with ambiguous data And an ambiguity processing unit stored in the data storage unit,
An information processing apparatus.

Images