JP2018055612A - Device, method, and program for generating anonymized tables - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an anonymized table generation technique which allows for appropriately determining a sampling fraction in accordance with tolerable identification risk of individuals.SOLUTION: An anonymized table generation device includes: a sampling fraction generator 110 configured to generate a real number p (p<1) that satisfies a predetermined formula involving tolerable individual identification risk ξas a sampling fraction; and a sampling unit 120 configured to generate an anonymized table τ' by uniform-randomly extracting [pn] records from a non-anonymized table τ (n is the number of records in the non-anonymized table τ).SELECTED DRAWING: Figure 1

Description

  The present invention relates to an anonymization technique for protecting personal privacy information, and more particularly to sampling.

  Consider the case of collecting and analyzing data from various entities. At this time, since the personal privacy information may be included in the data, there is a risk that the personal privacy information may be leaked if the data is directly passed to another person. For this reason, research on anonymization technology is underway as a method for processing data so that the risk of leakage of privacy information is reduced.

  One conventional anonymization technique is a method of extracting a record called sampling (Non-Patent Document 1). In sampling, privacy is protected by limiting the disclosure range of a table, which is a set of records, to some records. For example, in anonymizing various census data, 0.01 or 0.03 is used as a sampling rate (ratio of the disclosure range with respect to the entire data) in the UK, Canada, the United States, and the like.

“Current Status of Anonymization Technology”, [online], [searched on September 14, 2016], Internet <URL: http://www.kantei.go.jp/jp/singi/it2/pd/wg/ dai1 / siryou2_3.pdf>

  As described above, in public statistics, values such as 0.01, 0.03, and 0.05 have been empirically used as sampling rates. However, these values are mainly obtained from empirical rules, and by sampling using these values, the risk of individual identification (hereinafter referred to as personal identification risk) can be reduced. It is the current situation that I do not know well.

  In addition, population uniqueness has been evaluated as a study to measure the effect of sampling, but evaluation of population uniqueness does not necessarily mean a reduction in individual identification risk, and individual identification risk It is not obvious how much it has been reduced.

  Therefore, an object of the present invention is to provide an anonymization table generation technique that appropriately determines a sampling rate in accordance with an allowable personal identification risk.

In one aspect of the present invention, τ is a pre-anonymization table, n is the number of records in the pre-anonymization table τ, n ₀ is the number of records that an attacker is supposed to know about the pre-anonymization table τ, and ξ _allowable Is an anonymization table generating device that generates an anonymization table τ ′ from the pre-anonymization table τ, wherein [x] represents an allowable personal identification risk, and [x] represents a maximum integer not exceeding x with respect to a real number x. Te, a sampling rate generator for generating a real p (p <1) as the sampling rate satisfies the following formula with respect to the acceptable personal identification risk xi] _allowable,

And a sampling unit that generates the anonymization table τ 'by uniformly and randomly extracting [pn] records from the pre-anonymization table τ.

  According to the present invention, when the anonymization table is generated by sampling, the sampling rate can be appropriately determined according to the allowable personal identification risk.

The block diagram which shows the structure of the anonymization table production | generation apparatus 100. FIG. The flowchart which shows operation | movement of the anonymization table production | generation apparatus 100. FIG.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

<Definition and Notation>
For set A, | A | represents the number of elements in set A. In addition, for a real number x, [x] represents the maximum integer not exceeding x.

  Data is expressed in record format, and a set of records is called a table. In addition, sampling at a sampling rate p (where p is a real number satisfying p <1) is to extract [pn] records uniformly at random when the table is composed of n records. .

  Hereinafter, a definition for discussing anonymization for a table will be described.

  Let Τ and τ be a random variable and an instance of a table before anonymization (hereinafter referred to as a table before anonymization), respectively. That is, τ is a pre-anonymization table.

  Let ′ ′ and τ ′ be a random variable and an instance of a table after anonymization (hereinafter referred to as anonymization table), respectively. That is, τ ′ is an anonymization table.

  Let R and R ′ be the record set of the pre-anonymization table and the record set of the anonymization table, respectively. That is, R is a set composed of all the records in the pre-anonymization table τ, and R ′ is a set composed of all the records in the anonymization table τ ′.

  Let V and V ′ be a set of combinations of attribute values that can be taken by the record in the pre-anonymization table, and a set of combinations of attribute values that can be taken by the record in the anonymization table.

  Let Δ and δ be random variables and an instance of anonymization processing (anonymization algorithm), respectively.

  確 率 and π are sampling random variables with the domain R and the range R'∪ {φ} (where | R '| ≦ | R |, φ is a special symbol indicating that sampling was not performed) and Let that instance. That is, π is a sampling of R → R′∪ {φ}.

  Here, the pre-anonymization table τ, the anonymization table τ ′, and the anonymization process δ are τ: R → V, τ ′: R ′ → V ′, and δ: (R → V) → (R → V ′, respectively. It can also be regarded as a function.

  δ is anonymization processing means that for sampling π: R → R ′, τ is an arbitrary anonymization table, τ ′ is an arbitrary anonymization table, and δ (τ) = τ ′ · π is Say that it holds. This formula indicates that the table that has been subjected to the data protection process on the pre-anonymization table and shuffled the record is the anonymization table.

  In the following, let us consider the case where the same expression Δ (Τ) = Τ ′ · Π holds when Τ, Π, and Δ are independent as probability events.

<Significance of background knowledge>
We consider the relationship between the background knowledge of the anonymized table held by the attacker and the reduction of personal identification risk by sampling.

  First, consider a case where an attacker knows (part of) an attribute value of a person's record and tries to identify that person from the anonymization table. At this time, even if there is only one record with attribute values that the attacker knows in the anonymized table after sampling, there may be multiple records in the pre-anonymized table . This makes it harder for an attacker to see if one sample is the individual that the attacker is trying to identify when sampling than when not sampling. That is, it can be said that the personal identification risk is reduced by sampling.

  Next, consider the case where the attacker knows all the values in the pre-anonymization table. For example, if such an attacker wants to identify an individual who has only one attribute value in the pre-anonymization table, when that individual is sampled, which record in the anonymization table is surely the corresponding individual It can be identified. Therefore, the individual identification risk cannot be reduced by sampling.

To summarize the above considerations, if sampling can reduce the personal identification risk, it is considered that there is uncertainty in the pre-anonymization table sampled by the attacker. In other words, if there is uncertainty in the pre-anonymization table to be sampled, there may be more than one record in the pre-anonymization table even if there is only one record with an attribute value in the anonymization table Individual identification becomes difficult. The following two cases can be considered as situations where such uncertainty occurs.
Case (1): A case where background knowledge about the table before anonymization of an attacker is limited.
Case (2): A case where processing (not known by the attacker) is performed before sampling.

  In the first embodiment described below, the case (1) is handled. That is, when the background knowledge about the attacker's pre-anonymization table is limited, the relationship between the sampling rate and the personal identification risk is derived.

<First embodiment>
Hereinafter, the index of personal identification risk, the assumption about the attacker (attacker model), and the evaluation of the personal identification risk will be described in order.

[Indicator of personal identification risk]
There exists Pk-anonymity (reference nonpatent literature 1) as an evaluation index of the personal identification risk at the time of performing probabilistic anonymization.
(Reference Non-Patent Document 1) D. Ikarashi, R. Kikuchi, K. Chida, and K. Takahashi, “k-anonymous microdata release via post randomisation method”, Advances in Information and Computer Security-10th International Workshop on Security, IWSEC 2015, Volume 9241 of the series Lecture Notes in Computer Scienc, pp.225-241, 2015.

  However, since Pk-anonymity assumes an arbitrary attacker (that is, an attacker with no background knowledge is also assumed), as described above, if case (1) is assumed, Pk -We cannot proceed with discussion using anonymity. Therefore, here we define a new risk index based on Pk-anonymity as an index of personal identification risk for attackers with limited background knowledge.

Anonymization process Δ and anonymization table τ ′ are an arbitrary pre-anonymization table τ, an arbitrary record r∈R included in the pre-anonymization table τ, and an arbitrary record r′∈R included in the anonymization table τ ′. If an attacker f _T having a certain background knowledge satisfies the following equation, the personal identification risk is ξ for the attacker f _T.

[Assumption about the attacker (attacker model)]
Consider the case where an attacker has knowledge of a part of the pre-anonymization table. For example, when collecting patient information in each prefecture and making it anonymous, workers in Kanagawa Prefecture know about patient information in Kanagawa, but are unknown about information in prefectures nationwide other than Kanagawa. It corresponds to the case that there is.

Therefore, the following attacker is assumed.
Assumption (1): The value of the pre-anonymization table τ ₀ composed of n ₀ records, which is a part of the pre-anonymization table τ composed of n records, is known.
Assumption (2): The attacker assumes that the distribution of record values that he / she does not know is the same as the distribution of records he / she currently knows.

Since the attacker has no knowledge other than the table before partial anonymization τ ₀ composed of n ₀ records, the assumption (2) is also compared to assuming that the values of the unknown records are uniform. It is considered realistic.

[Evaluation of personal identification risk]
Sampling is considered as an anonymization method. In other words, when n is the number of records that make up the pre-anonymization table, the number of records after sampling is [pn] (p is the sampling rate). Think about extracting.

  In the following, we evaluate how much individual identification risk is reduced by sampling for attackers with background knowledge defined in the attacker model (attackers who satisfy assumption (1) and assumption (2)). For the sake of simplicity, the explanation will be given as pn = [pn], but generality is not lost.

Let n ^ = nn _0- (pn-1). In addition, the number of records having the attribute value v in the pre-anonymization table τ is expressed as # _τ (v). That is, # _τ (v) = | τ ⁻¹ ({v}) |.

The personal identification risk ξ satisfying the equation (1) for any attacker satisfying the attacker model, that is, the maximum value of the personal identification risk ξ is referred to as the maximum personal identification risk ξ _max .

At this time, when pn records are sampled with respect to the pre-anonymization table τ in which the number of records is n, the arbitrary partial pre-anonymization table τ ₀ (the number of records is n ₀ ), the anonymization table τ ′ The maximum personal identification risk ξ _max is expressed by the following equation.

  However, i and j are integers of 1 or more,

とする。

And

Hereinafter, the derivation of Equation (2) for the maximum individual identification risk ξ _max will be described.

In order to obtain the maximum individual identification risk ξ _max that is the maximum probability that an individual is identified, first, a table before partial anonymization τ that is background knowledge about an optimal table before anonymization for an attacker that satisfies the above attack model Consider ₀ and the anonymization table τ ′. As a partial pre-anonymization table τ ₀ and an anonymization table τ ′ that are most advantageous for an attacker when specifying a certain record r,

In other words, the record r that is unique in the table before partial anonymization τ ₀ becomes a unique record even in the anonymization table τ ′.

(However, R ₀ is a set consisting of all the records of the table before partial anonymization τ ₀ ), that is, the records other than unique records of the anonymization table τ ′ are not included in the table before partial anonymization τ _0. Think about the case. Equation (4) is a condition derived from minimizing the number of records unknown to the attacker, because the probability of appearing in the anonymization table is small if the record r is unique. At this time, if it is noted that the number of records unknown to the attacker is n ^, the attacker who satisfies the equations (4) and (5)

Here, Τ _i in the formula (a) indicates a random variable of the i-th partial pre-anonymization table.

  From the above, it can be seen that equation (2) holds.

Further, the following formula (2) ′ obtained by generalizing the formula (2) also holds. When [pn] records are sampled with respect to the pre-anonymization table τ such that the number of records is n, the arbitrary pre-anonymization table τ ₀ (the number of records is n ₀ ) and the anonymization table τ ′ The maximum individual identification risk ξ _max is expressed by the following equation.

[Anonymization table generator]
Hereinafter, the anonymization table generation device 100 of the first embodiment will be described with reference to FIGS. FIG. 1 is a block diagram illustrating a configuration of the anonymization table generation device 100. FIG. 2 is a flowchart showing the operation of the anonymization table generation device 100.

  As shown in FIG. 1, the anonymization table generation device 100 includes a sampling ratio generation unit 110, a sampling unit 120, and a recording unit 190. The recording unit 190 is a component that records information necessary for the processing of the anonymization table generating device 100.

The anonymization table generating apparatus 100 includes a pre-anonymization table τ composed of n records, a record number n ₀ considered to be known by the attacker about the pre-anonymization table τ, and an allowable individual. An anonymization table τ ′ is generated by inputting an identification risk (hereinafter referred to as an allowable individual identification risk) ξ _allowable . Incidentally, the record number n ₀ the attacker knows an acceptable personal identification risk xi] _Allowable can leave given beforehand, or than is recorded in the recording unit 190.

  Hereinafter, the operation of the anonymization table generating apparatus 100 will be described with reference to FIG.

Sampling ratio generation unit 110, and a record number n of anonymized before table tau, an attacker can record the number n ₀ which will know of anonymized before table tau, the acceptable personal identification risk xi] _Allowable, the following A real number p (where p <1) that satisfies the equation is generated as a sampling rate (S110).

Since the value on the right side of the above equation is monotonically increasing with respect to p, it can be calculated efficiently using the bisection method.

  The sampling unit 120 calculates [pn] using the sampling rate p generated in S110, and generates anonymization table τ ′ by uniformly extracting [pn] records from the pre-anonymization table τ. (S120).

  According to the invention of this embodiment, when there is an attacker who knows the values of some records of the pre-anonymization table τ, when generating the anonymization table by sampling, depending on the allowable personal identification risk An appropriate sampling rate can be determined. As a result, it is possible to execute anonymization by sampling in consideration of an acceptable personal identification risk.

<Modification>
The present invention is not limited to the above-described embodiment, and it goes without saying that modifications can be made as appropriate without departing from the spirit of the present invention. The various processes described in the above embodiment may be executed not only in time series according to the order of description, but also in parallel or individually as required by the processing capability of the apparatus that executes the processes or as necessary.

<Supplementary note>
The apparatus of the present invention includes, for example, a single hardware entity as an input unit to which a keyboard or the like can be connected, an output unit to which a liquid crystal display or the like can be connected, and a communication device (for example, a communication cable) capable of communicating outside the hardware entity. Can be connected to a communication unit, a CPU (Central Processing Unit, may include a cache memory or a register), a RAM or ROM that is a memory, an external storage device that is a hard disk, and an input unit, an output unit, or a communication unit thereof , A CPU, a RAM, a ROM, and a bus connected so that data can be exchanged between the external storage devices. If necessary, the hardware entity may be provided with a device (drive) that can read and write a recording medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device of the hardware entity stores a program necessary for realizing the above functions and data necessary for processing the program (not limited to the external storage device, for example, reading a program) It may be stored in a ROM that is a dedicated storage device). Data obtained by the processing of these programs is appropriately stored in a RAM or an external storage device.

  In the hardware entity, each program stored in an external storage device (or ROM or the like) and data necessary for processing each program are read into a memory as necessary, and are interpreted and executed by a CPU as appropriate. . As a result, the CPU realizes a predetermined function (respective component requirements expressed as the above-described unit, unit, etc.).

  The present invention is not limited to the above-described embodiment, and can be appropriately changed without departing from the spirit of the present invention. In addition, the processing described in the above embodiment may be executed not only in time series according to the order of description but also in parallel or individually as required by the processing capability of the apparatus that executes the processing. .

  As described above, when the processing functions in the hardware entity (the apparatus of the present invention) described in the above embodiments are realized by a computer, the processing contents of the functions that the hardware entity should have are described by a program. Then, by executing this program on a computer, the processing functions in the hardware entity are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only). Memory), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magneto-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

  The program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to the computer but has a property that defines the processing of the computer).

  In this embodiment, a hardware entity is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

100 Anonymization Table Generation Device 110 Sampling Ratio Generation Unit 120 Sampling Unit 190 Recording Unit

Claims (4)

τ is the pre-anonymization table, n is the number of records in the pre-anonymization table τ, n ₀ is the number of records that the attacker is supposed to know about the pre-anonymization table τ, ξ _allowable is an acceptable personal identification risk, Let [x] represent the largest integer that does not exceed x for a real number x,
An anonymization table generating device for generating an anonymization table τ ′ from the anonymization table τ,
A sampling rate generator for generating a real p (p <1) that satisfies the following expression with respect to the acceptable personal identification risk xi] _Allowable as the sampling rate,

An anonymization table generating device including: a sampling unit that generates the anonymization table τ ′ by uniformly and randomly extracting [pn] records from the pre-anonymization table τ. The anonymization table generating device according to claim 1,
The sampling ratio generation unit is an anonymization table generation apparatus that calculates the sampling ratio p using a bisection method. τ is the pre-anonymization table, n is the number of records in the pre-anonymization table τ, n ₀ is the number of records that the attacker is supposed to know about the pre-anonymization table τ, ξ _allowable is an acceptable personal identification risk, Let [x] represent the largest integer that does not exceed x for a real number x,
The anonymization table generation device is an anonymization table generation method for generating an anonymization table τ ′ from the table before anonymization τ,
A sampling rate generating step of generating a real p (p <1) that satisfies the following expression with respect to the acceptable personal identification risk xi] _Allowable as the sampling rate,

A sampling step of generating the anonymization table τ ′ by uniformly extracting [pn] records from the pre-anonymization table τ.   The program for functioning a computer as an anonymization table production | generation apparatus of Claim 1 or 2.

Images