JP5651568B2 - Database disturbance device, system, method and program - Google Patents

Description

  The present invention relates to a technique for performing data mining while protecting privacy.

  A database disturbance technique that satisfies so-called Pk-anonymity is proposed in Patent Document 1 (see, for example, Patent Document 1).

  Pk-anonymity is a property that each record in the database and an individual corresponding to each record cannot be associated with a probability of 1 / k or more.

JP 2011-100116 A

  However, the technique of Patent Document 1 assumes that the attribute value is a so-called category attribute value, and the technique of Non-Patent Document 1 cannot be applied when the attribute value is a so-called numeric attribute value.

  The subject of this invention is providing the database disturbance apparatus, system, method, and program which satisfy | fill Pk-anonymity which can be applied also when an attribute value is a numerical attribute value.

In the database disturbance device according to one aspect of the present invention, the database includes a plurality of records, each record includes a record identifier and at least one attribute value, || · || ₁ is an L1 distance of •, and σ is a predetermined value For each or all of the attribute values included in the database, a disturbance unit that adds a value according to a Laplace distribution with a variance 2σ ² defined by the following equation is provided.

  The present invention can also be applied when the attribute value is a numerical attribute value.

The block diagram for demonstrating the database disturbance system of 1st embodiment. The flowchart for demonstrating the database disturbance system of 1st embodiment. The flowchart for demonstrating the database disturbance system of 2nd embodiment. The block diagram for demonstrating the modification of a database disturbance system. The block diagram for demonstrating the modification of a database disturbance system. The block diagram for demonstrating the modification of a database disturbance system. The figure for demonstrating the example of the database used as the object of disturbance in 1st embodiment. The figure for demonstrating the example of the database used as the object of disturbance in 2nd embodiment.

  Embodiments of the present invention will be described below with reference to the drawings.

[First embodiment]
The database disturbance system of 1st embodiment is provided with the disturbance apparatus 1 and the totaling apparatus 2, as illustrated in FIG.

  The disturbance device 1 includes a database storage unit 11, a disturbance unit 12, and a parameter determination unit 13, for example. In this example, the disturbance unit 12 includes a rearrangement unit 14.

  The counting device 2 includes a counting unit 21, for example.

  The database storage unit 11 stores a database to be disturbed. Information about the database stored in the database storage unit 11 is transmitted to the disturbance unit 12.

  The database is composed of a plurality of records as illustrated in FIG.

  Each record is composed of a record identifier and at least one attribute value. The record identifier is an identifier for identifying an individual and is a so-called record ID. The record identifier is, for example, a name or an ID number corresponding to the name.

  In the first embodiment, each attribute value is a vector included in the subset V of the n-dimensional real vector, and is a so-called numerical attribute value. n is an integer of 1 or more. When n = 1 and the attribute is, for example, “intermediate test score” or “term test score”, the attribute value is any integer from 0 to 100.

The disturbance unit 12 adds a value according to the Laplace distribution of mean μ and variance 2σ ² defined by the following formula for each or all of the attribute values included in the database read from the database storage unit 11. Thus, the database is disturbed (step S1). The disturbed database is transmitted to the rearrangement unit 14. When there are a plurality of attribute values to be disturbed, the plurality of attribute values may be disturbed independently or may be subordinately disturbed.

|| · || ₁ is the so-called L1 distance of, and when is an n-dimensional real vector, it is the sum of the absolute values of the components of the vector. n is an integer of 1 or more.

  For example, μ = 0. In this case, the Laplace distribution used by the disturbance unit 12 is as follows.

  Hereinafter, the “value according to the Laplace distribution” will be described. First, a value according to a general probability density function f including a Laplace distribution will be described.

1. Regarding “value according to probability density function f” (1) When domain and attribute value of probability density function f are one-dimensional (i) Cumulative distribution function F (x) = ∫− _∞ ^x f (x ′) dx ′ Ask.

(Ii) An inverse function F ⁻¹ of the cumulative distribution function F (x) is obtained.

  (Iii) Generate a uniform random number r on the interval [0, 1].

(Iv) F ⁻¹ (r) is output as “a value according to the probability density function f”.

When the cumulative distribution function F (x) or the inverse function F ⁻¹ is obtained by a mathematical formula, F ⁻¹ (r) may be calculated based on the mathematical formula. Otherwise, F ⁻ is calculated by numerical calculation. ¹ (r) may be calculated.

(2) When the domain and the attribute value of the probability density function f are n-dimensional: The following (i) and (ii) are performed for each of i = 0,.

(I) x ₀ to x _i−1 are fixed, x _{i + 1} to x _n−1 are integrated, and a probability density function f _{i in} which only x _i is left as a variable is obtained.

(Ii) Since the domain of the probability density function f _i is one-dimensional, the “probability density” is determined by a method similar to the method described above in “(1) When the domain and attribute value of the probability density function f are one-dimensional”. The value according to the function f _i is calculated.

By calculating “value according to probability density function f _i ” for each of i = 0,..., n−1, n “values according to probability density function f _i ” are obtained.

  Applying the above method when the probability density function is a Laplace distribution is as follows.

2. About “value according to Laplace distribution” (1) When the domain and attribute value of Laplace distribution are one-dimensional (i) Uniform random number r on interval [0, 1], Uniform random number on interval (0, 1) b is generated.

(Ii) (-1) ^b σlogr + μ is output as “value according to Laplace distribution”.

(2) When the domain and attribute value of the Laplace distribution are n-dimensional (i) n in the same manner as the method described in “(1) When the domain and attribute value of the Laplace distribution is one-dimensional” above X ₀ , x ₁ ,..., X _n−1 which are “values according to the Laplace distribution”.

(Ii) These x ₀ , x ₁ ,..., X _n−1 are output as “values according to Laplace distribution”.

  The rearrangement unit 14 rearranges the order of records included in the database disturbed by the disturbance unit 12 (step S2). The database in which the records are rearranged is transmitted to the aggregation device 2.

  The target of rearrangement is all or a part of records included in the database. Records may be rearranged uniformly, randomly, or based on a predetermined rearrangement rule such as ascending or descending order for some or all attribute values. May be.

  When the number of types of attribute value is 1, assuming that the elements of the subset V of the n-dimensional real vector to which the attribute value belongs are u and v, σ satisfies the following formula (1) or (2): Suppose that it is predetermined. | R | is the number of records in the database.

When the number of types of attribute values is 2 or more, assuming that the elements of the subset V _a of the n-dimensional real vector to which each attribute value a belongs are u and v, σ is the following formula (3) or (4) It is assumed that it is predetermined so as to satisfy

  The parameter determination unit 13 may determine σ that satisfies the expressions (1) to (4) based on k determined in advance (step S0). In this case, σ determined by the parameter determination unit 13 is transmitted to the disturbance unit 12.

  The database disturbed in this way satisfies so-called Pk-anonymity. Here, the proof is omitted. Pk-anonymity is a property that each record in the database and an individual corresponding to each record cannot be associated with a probability of 1 / k or more.

  Therefore, the database disturbed in this way is assured of anonymity on the clear basis of Pk-anonymity. Moreover, anonymity can be ensured without using the database before disturbance and the database after disturbance.

  The counting unit 21 performs a counting process using the database disturbed by the disturbing device 1 (step S3). The tabulation unit 21 estimates a tabulation result such as a cross tabulation using, for example, an iterative Bayesian method described in Reference Document 1.

[Reference 1]
University of Igarashi, 2 others, “Efficient privacy protection cross-tabulation applicable to multi-valued attributes”, Computer Security Symposium 2008
[Second Embodiment]
The first embodiment is a database disruption system in the case where all the attribute values of the database are so-called numerical attribute values. On the other hand, 2nd embodiment is a database disturbance system in case the attribute value of a database contains what is called a category attribute value. An example of a database to be disturbed in the second embodiment is shown in FIG.

  The category attribute value is, for example, an attribute value such as gender, and is an attribute value that is limited to several values that the attribute value can take, unlike the numerical attribute value.

  Hereinafter, a description will be given centering on differences from the first embodiment. Description of the same parts as those in the first embodiment is omitted.

  The disturbance part 12 of 2nd embodiment replaces step S1 of FIG. 2, and performs the process of step S10, S1, S11 of FIG.

  First, the disturbance unit 12 determines whether or not each attribute value is a category attribute value for each of some or all of the attribute values included in the database read from the database storage unit 11 (step S10).

  If the attribute value is not a category attribute value, that is, if it is a numerical attribute value, the disturbing unit 12 adds values according to the Laplace distribution by the same method as in the first embodiment (step S1).

  When the attribute value is a category attribute value, the disturbing unit 12 replaces the attribute value with another category attribute value with a predetermined probability (step S11). Specifically, the so-called maintenance probability ρ is maintained and replaced.

  The maintenance-replacement disturbance of the maintenance probability ρ assumes that the maintenance probability ρ is predetermined and maintains the attribute value with the maintenance probability ρ without changing the attribute value. This is a disturbance method that replaces the value. For example, when the attribute is gender and the attribute value is “male”, the replacement with another category attribute value means that the attribute value “male” is replaced with the attribute value “female”. See Patent Document 1 for details of maintenance-replacement disturbance of maintenance probability ρ.

When the number of attribute types is 2 or more, assuming that the elements of the subset V _a of the n-dimensional real vector to which the attribute value of each attribute a belongs are u and v, σ and the maintenance probability ρ ) To be satisfied in advance. For example, the parameter determination unit 13 determines σ and the maintenance probability ρ that satisfy the following expression (5) based on k determined in advance (step S0). | V _a | is the number of possible values of the category attribute value of attribute a.

  The database disturbed in this way satisfies the so-called Pk-anonymity as in the first embodiment. Here, the proof is omitted.

  Therefore, the anonymity of the database disturbed in this way is ensured on the basis of the clear standard of Pk-anonymity, as in the first embodiment. Moreover, anonymity can be ensured without using the database before disturbance and the database after disturbance.

[Modifications, etc.]
The processing of the rearrangement unit 14 may not be performed. In this case, the database records are not rearranged, and the database disturbed by the disturbing unit 12 is transmitted to the counting device 2. The aggregation device 2 performs aggregation processing based on the received database that has not been rearranged.

  As long as the disturbing unit 12 is provided in the disturbing device 1 and the counting unit 21 is provided in the counting device 2, the other units may be provided in any of the devices constituting the database disturbing system.

  For example, as illustrated in FIG. 4, the parameter determination unit 13 may be provided in the counting device 2. In this case, the parameter determined by the parameter determination unit 13 is transmitted to the disturbance device 1.

  Further, for example, as shown in FIG. 5, when the database disturbance system includes a disturbance device 1, a totaling device 2, and a disturbance data server device 3, the parameter determination unit 13 is provided in the disturbance data server device 3. It may be done. In this case, the parameter determined by the parameter determination unit 13 is transmitted to the disturbance device 1, and the database disturbed by the disturbance device 1 is transmitted to the aggregation device 2 via the disturbance data server device 3. Specifically, the data transmitting / receiving unit 31 of the disturbance data server device 3 receives the database disturbed by the disturbance device 1 and transmits it to the counting device 2.

Moreover, as illustrated in FIG. 6, a plurality of disturbance devices 1 and aggregating devices 2 may be provided in the database disturbance system.
Data transmission / reception between the respective units of the database disturbance device may be performed directly or may be performed via a storage unit (not shown). Data transmission / reception between the devices of the database disturbance system may be performed directly, or may be performed via other devices.

  In addition, the present invention is not limited to the above-described embodiment. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  Further, when the above-described configuration is realized by a computer, the processing content of each unit that each device should have is described by a program. Each part is realized on the computer by executing this program on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  Needless to say, other modifications are possible without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 Disturbing device 11 Database storage part 12 Disturbing part 13 Parameter determination part 14 Rearrangement part 21 Totaling part 2 Totaling apparatus

Claims (6)

The database includes a plurality of records, each record includes a record identifier and at least one attribute value, || · || ₁ is an L1 distance of •, and σ is a predetermined value,
For each or all of the attribute values included in the database, a disturbance unit that adds a value according to a Laplace distribution with a variance 2σ ² defined by the following equation:

Database disruptor including. The database disruptor of claim 1,
A rearrangement unit for rearranging the order of the records included in the database disturbed by the disturbance unit;
Database disturbance device. In the database disturbance apparatus of Claim 1 or 2,
When the respective attribute values are category attribute values, the disturbing unit replaces the respective attribute values with other category attribute values with a predetermined probability.
Database disturbance device. A database disruptor according to any one of claims 1 to 3;
A tally processing unit that performs tally processing using a database disturbed by the disturbing unit and a database in which records are rearranged by the rearrangement unit;
Including database disturbance system. The database includes a plurality of records, each record includes a record identifier and at least one attribute value, || · || ₁ is an L1 distance of •, and σ is a predetermined value,
A disturbance step in which the disturbance unit adds a value according to a Laplace distribution of variance 2σ ² defined by the following equation for each of some or all of the attribute values included in the database:

Database disruption method including.   The program for functioning a computer as each part of the database disturbance apparatus in any one of Claim 1 to 3.

Images