JP5860116B2 - Reduction coefficient calculation device, anonymous processing device, method and program using the same - Google Patents

Description

  The present invention relates to information processing technology for anonymizing or diversifying personal information.

  With the development of information processing technology, information is collected in many everyday situations, and processing using the collected information is performed. For example, when a consumer purchases a product as a member of a store, the consumer's name, age, gender, address, e-mail address, etc. are often registered at the time of membership registration. When a consumer purchases a product, the store-side system records the consumer and the purchased product information in association with each other. By accumulating and analyzing information on purchased products in this way, it is possible to estimate the consumer's preferences and perform a service such as sending a direct mail when a new product preferred by the consumer is released. it can. Furthermore, by analyzing information of many consumers, information such as products preferred by women in their 20s and products preferred in the Kanto area can be derived and used for marketing and the like.

  In addition, the information can be used not only for the store but also for the manufacturer of the product and other companies for the development of new products and the improvement of safety, and may have value.

  However, the consumer's personal information in the store cannot be provided to others without obtaining the consent of each consumer. For this reason, when providing information related to the consumer to others, it is necessary to anonymize so that individuals cannot be identified.

  For example, if there is only one person 25 years old in the member list in which the age is described, the person can be identified when he / she knows that the 25-year-old acquaintance is the member. That is, if there is only one person with the attribute of a 25-year-old member, there is a high possibility that an individual can be specified by comparing with other information.

  Therefore, if the age description in the member list is abstracted into 10-year breaks, and there are multiple people with the same attribute, such as three in their 20s, who of the three is identified become unable. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

  Various anonymization standards and methods have been proposed. For example, l-diversity, Pk anonymization, and t-closeness (see Non-Patent Document 1) are known.

JP 2012-133451 A JP 2011-108195 A JP 2011-128862 A JP 2012-78932 A JP 2014-102643 A

Yuji Nakagawa, “Privacy Protection Data Mining”, [Search May 23, 2014], Internet <URL: http://www.r.dl.itc.u-tokyo.ac.jp/~nakagawa/labintro /2010PPDM-summary.pdf>

FIG. 22 is a diagram illustrating an example of history data (flow data) recorded on the management server side when a user enters and exits an automatic ticket gate of a station using an IC card and settles a boarding fee. The history data 91 in FIG. 22 is associated with a user ID, use date and time, use station, use contents, fee, and the like. The history data 91 can identify each user of the history data by referring to the user information 92 in which the user ID is associated with the user's last name, age, and gender.

  When this history data 91 is provided to other business operators, the user information 92 that associates the user ID with the user's last name is deleted or managed so that it cannot be referred to, so that the individual cannot be identified from the user ID. It can be considered to be in a pseudonymized state.

  However, in the kana conversion state, even if the name cannot be specified from the user ID, if the information such as the use station associated with the user ID is limited to one individual, that is, the other information such as the use station is the same If there is no user to do, there is a possibility that it can be re-identified from information such as the station used. For example, when a user with ID = A001 uses Shinjuku Station, Akihabara Station, and Ningyocho, if there is no other person who uses the station in the same way, a person who knows the behavior of the user with ID = A001. If there is, the user with ID = A001 can be re-identified from the history data.

For example, when n = 4,247,000 users select m = 9262 stations in a uniform distribution, the number of stations that can be re-identified is calculated by Equation 1,
mS = n (Formula 1)
It becomes S = 2.237, and it can be understood that re-identification is possible if three stations are recorded in the history data.

  In this way, if the data item is a station and the number of options (attribute type) is very large as 9262 stations, the usage history can include 3 stations, that is, there are only 3 data items (attributes). , Even if the parameter is very large with 42.47 million people, it becomes impossible to anonymize.

  In addition, the history data of the IC card may include other shopping information. If the information including a large number of choices such as purchased product names and store names is further included, re-identification may be performed. The possibility is even higher.

  For this reason, it is conceivable that the values of each item are abstracted and anonymized so that the combination of the values of each item is not limited to one individual, but data such as action history tends to be very large in data amount. For example, in the case of so-called big data that exceeds 100,000 people, it is not realistic to perform abstraction manually.

  Although abstraction can be performed mechanically, if abstraction is performed mechanically, even if the abstracted result satisfies anonymity, it is not always useful data. For example, if the combination of item values is abstracted until it is not limited to one individual, and the value (word) of the item is so abstract that there is no use value, it does not make sense to satisfy anonymity. For this reason, even when performing abstraction mechanically, the result of the abstraction is confirmed by a person, and if it is not useful data, the setting of changing items to be abstracted is changed and the abstraction process is restarted. Repeated trials.

  However, simply repeating trials is inefficient, especially in the case of big data, it takes a lot of time to process abstraction and anonymity, making it difficult to perform trials sufficiently. It was.

  Then, this invention provides the technique which makes it possible to improve the efficiency of anonymization processing by performing anonymization processing with the number of divisions with high possibility of satisfy | filling anonymity based on a reduction coefficient.

The reduction coefficient calculation apparatus according to the present invention is:
Anonymous information acquisition unit that acquires anonymous information obtained by anonymizing personal information;
The number of occurrences for obtaining the number of divisions for each type of words that can be attributed to the anonymous information, obtaining the minimum number of occurrences of each word, and
A coefficient calculation unit for obtaining a reduction coefficient indicating a decrease amount of the minimum occurrence number when the number of divisions is increased based on a combination of the plurality of division numbers and the minimum occurrence number different from each other. It was.

  The reduction coefficient calculation device may obtain the reduction coefficient as a linear approximation formula, a polynomial approximation formula, an exponential approximation formula, or a power approximation formula.

The anonymous processing device according to the present invention is:
A number-of-sections acquisition unit that acquires the number of sections when anonymizing personal information to be anonymized,
A coefficient acquisition unit for acquiring a reduction coefficient calculated by the reduction coefficient calculation device;
Based on the reduction coefficient and the number of categories, a possibility determination unit that determines the possibility that the amount of decrease in the minimum number of appearances when the personal information is anonymized by the number of categories exceeds a predetermined reference value;
Anonymizing the personal information when the possibility is high, and anonymizing the anonymization of the personal information when the possibility is low,
Equipped with.

The anonymous processing device according to the present invention is:
A reception unit that accepts personal information to be anonymized;
A coefficient acquisition unit for acquiring a reduction coefficient calculated by the reduction coefficient calculation device;
Based on the reduction coefficient and the total number of personal information, the number-of-segments calculation unit for obtaining the number of categories in which the amount of decrease in the minimum number of appearances when the personal information is anonymized does not exceed a predetermined reference value;
An anonymization unit that anonymizes the personal information by the number of divisions;
Equipped with.

The reduction coefficient calculation method according to the present invention is:
Acquiring anonymous information obtained by anonymizing personal information;
A step of obtaining the number of divisions for each type of words that can be attributed to the anonymous information, and obtaining the minimum number of occurrences of each word;
Obtaining a reduction coefficient indicating a decrease amount of the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of the number of divisions and the minimum number of occurrences of which the number of divisions is different;
Is executed by the computer.

The anonymous processing method according to the present invention is:
Obtaining the number of sections when anonymizing personal information to be anonymized,
Obtaining a reduction coefficient calculated by the reduction coefficient calculation device;
Determining the possibility that the amount of decrease in the minimum number of occurrences when the personal information is anonymized by the number of categories based on the decrease coefficient and the number of categories exceeds a predetermined reference value;
Performing anonymization of the personal information when the possibility is high, and stopping anonymization of the personal information when the possibility is low;
Is executed by the computer.

The anonymous processing method according to the present invention is:
Receiving personal information to be anonymized;
Obtaining a reduction coefficient calculated by the reduction coefficient calculation device;
Based on the reduction coefficient and the total number of personal information, obtaining a number of divisions in which the amount of decrease in the minimum number of appearances when anonymizing the personal information does not exceed a predetermined reference value;
Anonymizing the personal information by the number of sections;
Is executed by the computer.

The present invention may be a program for causing a computer to execute the above method. Furthermore, before Kipu program, the computer may be recorded in a recording medium readable.

  Here, the computer-readable recording medium refers to a recording medium that accumulates information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer. . Examples of such a recording medium that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card.

  Further, there are a hard disk, a ROM (read only memory), and the like as a recording medium fixed to the computer.

  This invention can provide the technique which makes it possible to improve the efficiency of anonymization processing by performing anonymization processing by the number of divisions with high possibility of satisfy | filling anonymity based on a reduction coefficient.

FIG. 1 is an explanatory diagram of anonymization processing. FIG. 2 is an explanatory diagram of the diversification process. FIG. 3 is a schematic configuration diagram of an anonymization system according to the embodiment. FIG. 4A is a diagram illustrating an example of personal information. FIG. 4B is a diagram illustrating an example of anonymous information. FIG. 5 is an explanatory diagram of classification. FIG. 6 is a diagram illustrating an example of anonymous data stored in the anonymous result DB. FIG. 7 is a diagram illustrating a hardware configuration of the anonymous processing device and the reduction coefficient calculating device. FIG. 8 is an explanatory diagram of the anonymization process. FIG. 9 is an explanatory diagram of a process for acquiring the number of appearances. FIG. 10 is a diagram illustrating an example of an attribute pattern. FIG. 11 is an explanatory diagram of the reduction coefficient calculation process. FIG. 12 is an explanatory diagram of the reduction coefficient calculation process. FIG. 13 is an explanatory diagram of processing for obtaining the appearance frequency. FIG. 14 is an explanatory diagram of anonymization processing using a reduction coefficient. FIG. 15 is an explanatory diagram of anonymization processing using a reduction coefficient. FIG. 16 is a diagram illustrating a modification of the anonymization process of FIG. FIG. 17 is an explanatory diagram of the reduction coefficient calculation process. FIG. 18 is an explanatory diagram of an example approximated by a power approximation formula. FIG. 19 is an explanatory diagram of anonymization processing using a reduction coefficient. FIG. 20 is an explanatory diagram of anonymization processing using a reduction coefficient. FIG. 21 is an explanatory diagram of the reduction coefficient calculation process. FIG. 22 is a diagram illustrating an example of a user's behavior history.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<Embodiment 1>
FIG. 1 is an explanatory diagram of anonymization processing, and FIG. 2 is an explanatory diagram of diversification processing. FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and gender items. As shown in Fig. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, when the 16-year-old woman is found to be this member, the person is identified. it can. That is, if there is only one person with the attribute of 16 years old and female, there is a possibility that an individual can be identified by comparing with other information.

  In FIG. 1 (B), the description of the age in the member list is abstracted and classified by age, such as 0's (under 10 years), 10's, and 20's. However, even in this case, there is only one female teenager, and an individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1 (C), it was further abstracted and the age divisions were changed to those in their teens (under 19 years old) and those in their 20s. In the case of FIG. 1C, there are two women in their teens or less, and the attributes of “10 or less” and [female] are not single. For this reason, even if it turns out that a 16-year-old woman is this member as mentioned above, it cannot be specified which is the data of the 16-year-old woman. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

  FIG. 2 shows an example in which the data of the use stations for each user is abstracted and used as data for the ward to which the use station for each user belongs. In the pre-abstraction data, since the station is specified, there is a possibility that the user can be specified by comparing the data such as the residence near Shinjuku Station and the work place near Tokyo Station. For this reason, by abstracting the use station and making it a ward to which the use station belongs, there are a plurality of users who use stations in Shinjuku ward and stations in Chiyoda ward, and the user is not specified. The abstraction that attribute values have l types of possibilities, such as “use stations in Shinjuku ward and stations in Chiyoda ward” is called l-diversification.

  FIG. 3 is a schematic configuration diagram of the anonymization system 10 in the present embodiment. As shown in FIG. 1, the anonymization system 10 includes an anonymization processing device 1 and a reduction coefficient calculation device 2.

  The anonymity processing device 1 includes a data reception unit 11, a classification number acquisition unit 12, a coefficient acquisition unit 13, a possibility determination unit 14, an anonymization unit 15, a test unit 16, a column registration unit 17, a data output unit 18, and an anonymous result. A DB (database) 31 and an anonymous information column DB 32 are provided.

  The data reception unit 11 receives target data (personal information) including a plurality of items associated with an individual, anonymization conditions, an anonymization command, and the like. The reception of personal information and anonymization conditions may be received via a network such as the Internet, read from a storage medium, or input from an input means such as a keyboard. FIG. 4 is a diagram showing an example of personal information. The example shown in FIG. 4 has information such as ID, last name, age, sex, purchased product, and purchase place for each user.

The number-of-sections acquisition unit 12 acquires the number of sections when anonymizing personal information to be anonymized. The number of divisions is the number of types of attribute values (words) that can be taken by the attributes included in the anonymous information, in other words, the number of divisions when the attribute values are divided for the same attribute values. FIG. 5 is an explanatory diagram of classification. For example, when the attribute is sex, the attribute value is divided into two categories, male and female. In addition, when the attribute is age, the attribute value is classified into 3 categories of minors, adults, and elderly people, 5 categories of 20s or less, 30s, 40s, 50s, 60s or more, 0s, 10s, There are 9 categories, 20s, 30s, 40s, 50s, 60s, 70s, 80s and over. In addition, when the attribute is an area such as an address or purchase location, the attribute value is divided into two categories: West Japan and East Japan, Hokkaido, Tohoku, Kanto, Chubu, Kinki, China, Shikoku, Kyushu, Okinawa, 9 categories, Hokkaido, Aomori 47 prefectures such as prefecture, Iwate prefecture ... Tokyo ... Osaka prefecture.

  The number-of-sections acquisition unit 12 reads, for example, the words registered in the anonymization dictionary as words (attribute values) that are input by an operator instructing anonymization processing, read from past history, and abstract the attributes of the target data. Get the number of categories by counting.

  The coefficient acquisition unit 13 acquires the decrease coefficient calculated by the decrease coefficient calculation device 2. The decrease coefficient is, for example, a decrease number of the minimum number of appearances when the number of classifications is increased when anonymizing target data, or a ratio of the decrease number to the total number.

  The possibility determination unit 14 determines, based on the decrease coefficient and the number of sections, the possibility that the amount of decrease in the minimum number of appearances when the personal information is anonymized by the number of sections exceeds a predetermined reference value.

  When the anonymization unit 15 anonymizes or diversifies the target data, the anonymization unit 15 performs anonymization by replacing the word (word) that is the value of the item in the target data with an abstracted word, and the target data is anonymized candidates Data. In this embodiment, a word (word) is a group of words such as a word or a phrase, a numerical value such as location information or a telephone number, identification information such as an e-mail address or an IP address, a symbol having the same meaning as the word, or the like. May be included. The anonymization unit 15 of the present embodiment performs anonymization of the target data when the possibility determination unit 14 determines that the possibility of satisfying anonymity is high, and determines that the possibility of satisfying anonymity is low. In this case, the anonymization of the target data is stopped.

  The test | inspection part 16 tests on condition that the combination of the value of the item corresponding to one individual of anonymous candidate data is not single in the said anonymous candidate data. For example, the test unit 16 tests whether the anonymous candidate data satisfies k-anonymity or l-diversity. That is, the test unit 16 determines that the k value (minimum number of occurrences) of the anonymous candidate data is equal to or greater than the reference value and satisfies k-anonymity, or the l value of the anonymous candidate data is equal to or greater than the reference value and the l-diversity is determined. Test whether it meets. The test | inspection part 16 memorize | stores the anonymous candidate data which satisfy | filled anonymity as a result of this test in anonymous result DB31 as anonymous information.

  FIG. 4A is a diagram illustrating an example of target data, and FIG. 4B is a diagram illustrating an example of anonymous data stored in the anonymous result DB 31. The anonymous data shown in FIG. 4B is obtained by changing the ID for each user to the ID for anonymous information in the target data shown in FIG. 4A, deleting the last name, and abstracting information on age, purchased product, and purchase place. . In addition, since ID for anonymous information has attached | subjected ID different from ID of object data, it cannot identify an individual from ID for anonymous information. In addition, a correspondence table between the ID for anonymous information and the ID of the target data may be stored together with the target data so that the anonymous information and the target data can be associated with each other.

The column registration unit 17 divides anonymous information for each attribute and registers the anonymous information in the column in the anonymous information column DB 32. In the anonymous result DB 31 of FIG. 4B, attributes for each user such as age, sex, purchased product, and purchase place are registered in the row direction, whereas in the anonymous information column DB 32 of FIG. Each record and a combination of these attributes are divided as separate records and registered in columns. For example, in the anonymous result DB 31 in FIG. 4A, attributes such as “17 years old”, “male”, “Shinjuku”, and “ramen” are registered in the record with ID X, whereas in the anonymous information column DB 32 in FIG. Is “17 years old” in the record with Z001, “male” in the record with ID Z004, “Shinjuku” in the record with ID X001, “ramen” in the record with ID Y001, and “17 years old in the record with ID Y008” Each record is registered in a separate record, such as “Shinjuku-Ramen”, etc.

  The data output unit 18 reads out the anonymized information from the anonymous information column DB 32 and outputs it. Here, the output of anonymization information includes, for example, display output by a display device, print output by a printer, transmission to another computer, writing to a storage medium, and the like.

  Based on the reduction coefficient and the total number of personal information, the number-of-segments calculation unit 19 obtains the number of categories in which the amount of decrease in the minimum number of appearances when the personal information is anonymized does not exceed a predetermined reference value.

  The reduction coefficient calculation device 2 includes an anonymous information acquisition unit 21, an appearance number acquisition unit 22, a coefficient calculation unit 23, a frequent pattern DB 33, and a reduction coefficient DB 34.

  The anonymous information acquisition unit 21 acquires anonymous information from the anonymous information column DB 32 in which personal information is anonymized.

  The number-of-appearance acquisition unit 22 obtains the number of divisions by classifying each type of words that can be attributed to the anonymous information, and obtains the minimum number of occurrences of each word. For example, the words included in the anonymous information are the same words. The number of divisions is obtained for each division, and the minimum number of words in each division is obtained.

  The coefficient calculation unit 23 may reduce the minimum number of occurrences or the ratio of the reduction number to the total number when the number of divisions is increased based on a combination of the plurality of divisions and the minimum number of appearances having different numbers of divisions. Is obtained as a reduction coefficient and stored in the reduction coefficient DB 34.

  FIG. 7 is a diagram illustrating a hardware configuration of the anonymous processing device 1 and the reduction coefficient calculation device 2. The anonymous processing device 1 and the reduction coefficient calculation device 2 are so-called computers having a CPU 101, a memory 102, a communication control unit 103, a storage device 104, and an input / output interface 105.

  The CPU 101 executes a program that is loaded in the memory 102 so as to be executable. Thereby, CPU101 of the anonymous processing apparatus 1 is the above-mentioned data reception part 11, the classification number acquisition part 12, the coefficient acquisition part 13, the possibility determination part 14, the anonymization part 15, the test | inspection part 16, the column registration part 17, The function of the data output unit 18 is provided. Further, the CPU 101 of the reduction coefficient calculation device 2 provides the functions of the above-described anonymous information acquisition unit 21, appearance number acquisition unit 22, and coefficient calculation unit 23.

  The memory 102 can also be called a main storage device. The memory 102 stores, for example, a program executed by the CPU 101, data received via the communication control unit 103, data read from the storage device 104, other data, and the like.

  The communication control unit 103 is connected to another device via a network and controls communication with the device. The input / output interface 105 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray (registered trademark) disc. The drive device reads the program from the removable storage medium and stores it in the storage device 104.

The storage device 104 can also be called an external storage device. As the storage device 104, SS
D (Solid State Drive), HDD, etc. may be sufficient. The storage device 104 exchanges data with the drive device. For example, the storage device 104 stores an information processing program installed from the drive device. Further, the storage device 104 reads the program and delivers it to the memory 102. In the present embodiment, the storage device 104 of the anonymous processing device 1 stores the anonymous result DB 31 and the anonymous information column DB 32 described above. Further, the storage device 104 of the reduction coefficient calculation device 2 stores a frequent pattern DB 33 and a reduction coefficient DB 34.

  Next, the anonymous processing method and the reduction coefficient calculation method which the anonymous processing apparatus 1 and the reduction coefficient calculation apparatus 2 of the anonymization system 10 in this embodiment perform according to a program are demonstrated. FIG. 8 is an explanatory diagram of the anonymization process. The anonymous processing device 1 first receives target data from another computer or storage device (step S10). The anonymity processing device 1 of the present embodiment has a plurality of anonymization algorithms so that an operator can arbitrarily select them. The multiple anonymization algorithms include, for example, algorithms specialized for anonymization of medical information, algorithms specialized for anonymization of flow data such as purchase history, and specific industries such as fashion, education, and the restaurant industry. Algorithm. In addition, this algorithm may select not only an anonymization method but also an anonymization dictionary, a preprocessing method, a filtering method, and the like. That is, the operator inputs information for selecting these algorithms together with the anonymization target data.

Next, the anonymous processing device 1 anonymizes the target data with the selected algorithm (step S20), and performs anonymity test depending on whether the minimum number of appearances exceeds the reference value (step S30).

  After the test, the anonymous processing device 1 accumulates anonymous information in the anonymous result DB 31 (step S40). In FIG. 8, data pattern A is an example of anonymized information obtained by anonymizing the age of the target data in 5 categories. As a result of the test, 4 categories of 16, 17, 18, and 20 are the reference value 10. Anonymity is satisfied beyond people (indicated by a circle in the figure), and one category of 15 years or younger is below the reference value of 10 and does not satisfy anonymity (indicated by x in the figure). Similarly, the data pattern B is an example of anonymous information obtained by anonymizing the age of the target data in three categories, and the data pattern C is an example of anonymous information obtained by anonymizing the age of the target data in two categories. .

And the anonymous processing apparatus 1 reads anonymous information periodically from the anonymous result DB31, and registers it in the anonymous information column DB32 in a column (step S50). In FIG. 8, column anonymous information 8
1 is a diagram illustrating an example of anonymous information registered in the anonymous information column DB 32, and stores a data pattern, a row number, an attribute, an existence number, and an anonymous reference value for each data pattern in association with each other. (Step S60)

FIG. 9 is an explanatory diagram of a process for acquiring the number of appearances. As shown in FIG. 9, the reduction coefficient calculation device 2 first acquires anonymous data for each data pattern from the anonymous information column DB 32 (step S110).

Next, the reduction coefficient calculation device 2 acquires the number of divisions and the number of existence for each data pattern (step S120), and sets the attribute value having the existence number equal to or greater than a predetermined value as the frequent pattern 82.
3 and the number of divisions and the minimum number of appearances for each attribute are registered in the reduction coefficient DB 34 as the attribute pattern 83 (step S130). As shown in FIG. 10, the attribute pattern 83 may further include information such as date and time, company name, and number of uses.

Then, the reduction coefficient calculation device 2 determines whether or not there is a next data pattern. If there is a next data pattern, the process returns to step S110, and if there is no next data pattern, the process ends.
Step S140).

  FIG. 11 is an explanatory diagram of the reduction coefficient calculation process. As shown in FIG. 10, the reduction coefficient calculation device 2 first acquires the attribute pattern 83 from the reduction coefficient DB 34 (step S150).

  Next, the reduction coefficient calculation apparatus 2 uses the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of division numbers having different division numbers and the minimum number of appearances for each attribute in the acquired attribute pattern 83. The reduction number or the ratio of the reduction number to the total number is obtained as a reduction coefficient (step S160), and the reduction coefficient 84 for each attribute is stored in the reduction coefficient DB 34.

  As shown in FIG. 12, when the total number is 20000 and the number of sections is 2, the minimum number of appearances is 10000, when the number of sections is 7, the minimum number of appearances is 1000, and when the number of sections is 11, the minimum number of appearances is 500. When the regression line 86 is obtained for the combination 85 of the number of divisions and the minimum number of occurrences, y = −95.905x + 877.9. From the slope of the regression line, it can be seen that when the number of segments increases by 1, the minimum number of appearances decreases by about 95. That is, the reduction constant is 95.905. Here, since the total number is 20000, the rate of decrease is 95.905 / 20000≈0.47%.

  In the present embodiment, the reduction coefficient is obtained for each attribute. However, the present invention is not limited to this, and a reduction coefficient may be obtained by merging a plurality of attributes. For example, an attribute with 2 divisions (attribute type) and an attribute with 3 divisions may be merged and used as 6 divisions to calculate the reduction coefficient. Also, the abstraction level of the same attribute may be changed and used for calculating the reduction coefficient as a plurality of different attributes. Furthermore, since it is more accurate to calculate the reduction factor based on similar attributes, prioritize the attributes used for anonymization, and use a predetermined number of attributes in descending order of priority. A coefficient may be obtained. Further, the attribute may be classified into a predetermined genre (for example, region, time, music, fashion, etc.), and the reduction coefficient may be calculated using the attribute classified into the same genre. Further, the reduction coefficient may be obtained based on data for each company name such as the age of company A, the purchase location of company A, and the like.

  Then, the reduction coefficient calculation device 2 determines whether or not there is next data. If there is next data, the process returns to step S150, and if there is no next data, the process ends (step S180).

FIG. 13 is an explanatory diagram of processing for obtaining the appearance frequency. As shown in FIG. 13, the reduction coefficient calculation apparatus 2 first acquires the frequent pattern 82 from the frequent pattern DB 33 (step S21).
0). The reduction coefficient calculation device 2 calculates the average number of existence for each attribute value from the frequent pattern 82,
The ratio (appearance rate) of the existence number to the total number is obtained as statistical information (step S220), and is registered in the frequent pattern DB 33 (step S230).

  Then, the reduction coefficient calculation device 2 determines whether or not there is next data. If there is next data, the process returns to step S210, and if there is no next data, the process ends (step S240).

  FIG. 14 is an explanatory diagram of anonymization processing using a reduction coefficient. The anonymity processing device 1 first receives an anonymization request together with target data from another computer (step S310). At this time, for example, a request for the number of categories designated by the operator is received, such as 2 categories of men and women × 8 categories of age = 16 categories. Although omitted in FIG. 14, the anonymous processing device 1 has a plurality of anonymization algorithms and can be arbitrarily selected by the operator, as in FIG. 8 described above.

  Next, the anonymous processing device 1 acquires a reduction coefficient for each attribute of the target data to be anonymized from the reduction coefficient DB 34 (step S320). When the reduction coefficient is stored in association with the company name, the reduction coefficient that matches the company name is acquired. That is, the reduction coefficient calculated | required from the anonymous data which the said company used in the past is acquired.

  And the anonymous processing apparatus 1 is based on the acquired reduction coefficient and the number of divisions, and when there is a high possibility that the amount of decrease in the minimum number of appearances when the target data is anonymized by the number of divisions exceeds a predetermined reference value Is determined (step S330). For example, if the rate of decrease is 10% and the number of categories is 16, it is 16 categories × 10% = 160%, which exceeds 100% (reference value), so it is determined that the possibility of satisfying anonymity is low. On the other hand, if the number of sections is 8, it is 8 sections × 10% = 80%, and does not exceed 100% (reference value), so it is determined that there is a high possibility of satisfying anonymity. Further, if the reduction constant is 8 and the number of sections is 16, the number of sections is 16 × 8 = 128, which exceeds the total number 100 (reference value), so it is determined that the possibility of satisfying anonymity is low. On the other hand, if the number of sections is 8, it is 8 sections × 8 = 64 and does not exceed 100 (reference value), so it is determined that there is a high possibility of satisfying anonymity.

  If it is determined that there is a high possibility of satisfying the anonymity, the anonymous processing device 1 anonymizes the target data with the selected algorithm (step S340), and the anonymity depends on whether the minimum number of appearances exceeds the reference value. A test is performed (step S350). Moreover, after the test, the anonymous processing device 1 accumulates anonymous information in the anonymous result DB 31 (step S360).

  On the other hand, if it is determined in step S330 that the possibility of satisfying anonymity is low, the anonymous processing device 1 stops the anonymization process and ends the process (step S370).

  As described above, according to the process of FIG. 14, if the possibility of satisfying anonymity is low, the anonymization process is not performed. Therefore, the anonymization process is not tried unnecessarily, and the efficiency of the anonymization process can be improved.

  FIG. 15 is an explanatory diagram of anonymization processing using a reduction coefficient. The anonymous processing device 1 first receives target data from another computer (step S410). Although omitted in FIG. 15, the anonymous processing device 1 has a plurality of anonymization algorithms and can be arbitrarily selected by the operator as in FIG. 8 described above.

Next, the anonymous processing device 1 acquires a reduction coefficient for each attribute of the target data to be anonymized from the reduction coefficient DB 34 (step S420). Further, the anonymous processing device 1 acquires a frequent pattern for each attribute of the target data to be anonymized from the frequent pattern DB 33 (step S43).
0). In addition, when the decrease coefficient and the frequent pattern are stored in association with the company name,
A reduction coefficient and a frequent pattern with the same company name are acquired. That is, the reduction coefficient and the frequent pattern obtained from the anonymous data used by the company in the past are acquired.

  Moreover, the anonymous processing apparatus 1 calculates | requires the number of divisions with high possibility of satisfy | filling anonymity, when object data is anonymized based on the acquired reduction coefficient and the whole number of object data (step S440). For example, when the decrement rate is 10% and the total number is 100, the number of divisions is obtained as 100 × 10% = 10 divisions. On the other hand, when the reduction constant is 12 and the total number is 100, 100 / 12≈8.3, so 8 divisions are set.

And the anonymous processing apparatus 1 performs the anonymization process using the classification included in the frequent pattern acquired at step S430 and the number of classifications calculated at step S440 (step S450), and the minimum number of appearances is the reference value. Anonymity is tested depending on whether or not it exceeds (step S460). Moreover, after the test, the anonymous processing device 1 accumulates anonymous information in the anonymous result DB 31 (step S470).

As described above, according to the processing of FIG. 15, the number of divisions is determined based on the reduction coefficient and the total number of target data so that the reduction amount when anonymization is performed does not exceed the total number. The anonymization process is not tried and the anonymization process can be made more efficient. In addition, anonymization is performed based on frequent patterns, and anonymization is avoided because the minimum number of appearances when anonymization processing is performed becomes too small and anonymity is not satisfied. Processing efficiency can be improved.

<Modification>
FIG. 16 is a diagram illustrating a modification of the anonymization process of FIG. In the process of FIG. 14, when it is determined in step S330 that the possibility of satisfying anonymity is low, the process is interrupted. However, in the process of FIG. 16, in step S330, the possibility of satisfying anonymity is low. If it is determined, the process of FIG. 15 is executed (step S390), and anonymization is performed with the number of sections based on the reduction coefficient and the total number. Since other configurations are the same, the description thereof will be omitted.

  As described above, according to the present modification, anonymization is performed with the number of divisions that are highly likely to satisfy anonymity based on the decrease coefficient and the total number even when the number of divisions requested in step S310 is low. Therefore, the efficiency of the anonymization process can be further improved.

<Embodiment 2>
In the above-described first embodiment, the reduction constant and the reduction rate obtained by the linear approximation formula are used as the reduction coefficient. However, the present invention is not limited to this, and the second embodiment uses a power approximation formula as the reduction coefficient. Indicates. The second embodiment is different from the first embodiment in the configuration using the power approximation formula, and the other configurations are the same. Therefore, the same elements are denoted by the same reference numerals and the description thereof is omitted. To do.

In the second embodiment, the coefficient calculation unit 23 of the reduction coefficient calculation device 2 performs the minimum occurrence when the number of divisions is increased based on a combination of the plurality of divisions and the minimum number of appearances having different numbers of divisions. A power approximation formula is obtained as a reduction coefficient indicating the amount of reduction of the number.
For example, the coefficient calculation unit 23 obtains the following power approximation equation 1 based on the minimum number of appearances when the number of categories is increased. In the power approximation equation 1, y indicates an anonymous level (k value), and x indicates the number of sections.

And the possibility determination part 14 of the anonymous processing apparatus 1 in this Embodiment 2 is the minimum appearance number at the time of anonymizing personal information with the said division number based on the power approximation formula 1 and the division number which anonymizes. The possibility that the decrease amount exceeds a predetermined reference value is determined.
For example, the possibility determination unit 14 expands the power approximation expression 1 as the following expression 2 to estimate the minimum number of appearances, and determines whether the estimated value x of the minimum number of appearances exceeds the reference value. Determine. In the following expression, the anonymous level y is k.

Since the k value does not converge to 0, 1 may be added to Equation 1 to obtain Equation 3, and Equation 3 may be expanded and used as Equation 4.

  FIG. 17 is an explanatory diagram of the reduction coefficient calculation process. As shown in FIG. 10, the reduction coefficient calculation device 2 first acquires the attribute pattern 83 from the reduction coefficient DB 34 (step S150).

  Next, the reduction coefficient calculation device 2 obtains a combination of a plurality of division numbers and minimum appearance numbers having different numbers for each attribute in the acquired attribute pattern 83 (step S160A), and the division number and the minimum appearance number. Based on the above, the power approximation formula 1 is obtained as a reduction coefficient, and this reduction coefficient is stored in the reduction coefficient DB 34 (step S170A).

As shown in FIG. 18, when the total number is 20000 and the number of sections is 2, the minimum number of appearances is 10000, when the number of sections is 7, the minimum number of appearances is 1000, and when the number of sections is 11, the minimum number of appearances is 500. In the case of the combination 85 of the number of divisions and the minimum number of appearances, when the power approximation expression 1 is obtained, y = 114659x− ^1.414 . From this power approximation formula 1, it is possible to know the decrease in the minimum number of appearances when the number of sections in each section increases by one. For example, when this reduction number is 95.905, the total number is 20000, and the reduction rate is 95.905 / 20000≈0.47%.

  Then, the reduction coefficient calculation device 2 determines whether or not there is next data. If there is next data, the process returns to step S150, and if there is no next data, the process ends (step S180).

FIG. 19 is an explanatory diagram of anonymization processing using a reduction coefficient. The anonymity processing device 1 first receives an anonymization request together with target data from another computer (step S310). At this time, for example, a request for the number of categories designated by the operator is received, such as 2 categories of men and women × 8 categories of age = 16 categories. Although omitted in FIG. 19, the anonymous processing device 1 has a plurality of anonymization algorithms and can be arbitrarily selected by the operator as in FIG. 8 described above.

  Next, the anonymous processing device 1 acquires a reduction coefficient (power approximation formula 1) from the reduction coefficient DB 34 for each attribute of the target data to be anonymized (step S320). When the reduction coefficient is stored in association with the company name, the reduction coefficient that matches the company name is acquired. That is, the reduction coefficient calculated | required from the anonymous data which the said company used in the past is acquired.

  And the anonymous processing apparatus 1 expand | deploys the acquired reduction coefficient like Formula 2, and based on the number of divisions, the amount of reduction | decrease of the minimum appearance number at the time of anonymizing object data by the said number of divisions is a predetermined reference value. It is determined whether or not there is a high possibility of exceeding (k value) (step S330A).

  If it is determined that there is a high possibility of satisfying the anonymity, the anonymous processing device 1 anonymizes the target data with the selected algorithm (step S340), and the anonymity depends on whether the minimum number of appearances exceeds the reference value. A test is performed (step S350). Moreover, after the test, the anonymous processing device 1 accumulates anonymous information in the anonymous result DB 31 (step S360).

  On the other hand, if it is determined in step S330 that the possibility of satisfying anonymity is low, the anonymous processing device 1 stops the anonymization process and ends the process (step S370).

  As described above, according to the process of FIG. 19, if there is a low possibility of satisfying the anonymity, the anonymization process is not performed. Therefore, the anonymization process is not used unnecessarily, and the efficiency of the anonymization process can be improved.

  FIG. 20 is an explanatory diagram of anonymization processing using a reduction coefficient. The anonymous processing device 1 first receives target data from another computer (step S410). Although omitted in FIG. 20, the anonymous processing device 1 has a plurality of anonymization algorithms and can be arbitrarily selected by the operator, as in FIG.

  Next, the anonymous processing device 1 acquires a reduction coefficient (power approximation formula 1) for each attribute of the target data to be anonymized from the reduction coefficient DB 34 (step S420). Further, the anonymous processing device 1 acquires a frequent pattern for each attribute of the target data to be anonymized from the frequent pattern DB 33 (step S430). If a decrease coefficient or a frequent pattern is stored in association with a company name, a decrease coefficient or a frequent pattern that matches the company name is acquired. That is, the reduction coefficient and the frequent pattern obtained from the anonymous data used by the company in the past are acquired.

Moreover, the anonymous processing apparatus 1 calculates | requires the number of divisions with high possibility of satisfy | filling anonymity, when object data is anonymized based on the acquired reduction coefficient and the whole number of object data (step S440).
A).

And the anonymous processing apparatus 1 performs the anonymization process using the classification included in the frequent pattern acquired at step S430 and the number of classifications calculated at step S440 (step S450), and the minimum number of appearances is the reference value. Anonymity is tested depending on whether or not it exceeds (step S460). Moreover, after the test, the anonymous processing device 1 accumulates anonymous information in the anonymous result DB 31 (step S470).

As described above, according to the processing of FIG. 20, the number of categories is determined based on the reduction coefficient and the total number of target data so that the amount of reduction when anonymization is performed does not exceed the total number. The anonymization process is not tried and the anonymization process can be made more efficient. In addition, anonymization is performed based on frequent patterns, and anonymization is avoided because the minimum number of appearances when anonymization processing is performed becomes too small and anonymity is not satisfied. Processing efficiency can be improved.

<Embodiment 3>
In the third embodiment, an example is shown in which anonymization is performed with a uniform number of divisions in order to compare anonymous information among a plurality of business operators. The third embodiment is different from the second embodiment in the configuration for anonymization with a uniform number of divisions, and the other configurations are the same. The description of is omitted.
When comparing data between multiple operators, it must be anonymized with the same attributes, but since it does not know what personal information each other owns, how many divisions are common I didn't know if it was possible to anonymize with the attributes. For this reason, trials were repeated unnecessarily, and the efficiency of the anonymization process was poor. Therefore, the reduction coefficient calculation apparatus 2 according to the third embodiment estimates the number of divisions that are likely to be anonymized with a common attribute based on anonymous information from a plurality of operators and notifies each operator.

  FIG. 21 is an explanatory diagram of the reduction coefficient calculation process. The reduction coefficient calculation device 2 first acquires anonymous information from a plurality of business operators (step S150B).

  Next, the reduction coefficient calculation apparatus 2 obtains a combination of a plurality of division numbers and minimum appearance numbers having different numbers for each attribute in the acquired attribute pattern 83 (step S160B), and the division number and the minimum appearance number. Based on this, the power approximation formula 1 is obtained as a reduction coefficient, and based on this power approximation formula 1, the lower limit value of the number of divisions whose minimum occurrence number is equal to or greater than the reference value is obtained and stored in the reduction coefficient DB 34 (step S170B).

Further, the reduction coefficient calculation device 2 determines whether or not there is the next data (step S180 ) . If there is the next data, the process returns to step S150B. Among the lower limit values, the smallest division number is set to the common division number, that is, the division number that is highly likely to be anonymized with a common attribute (step S190B), and is notified to the terminal of each operator (step S200B).

And each provider can perform anonymization without repeating trials unnecessarily by performing the above-mentioned anonymization with the notified number of divisions.
Thus, according to the third embodiment, anonymization can be efficiently performed with a common attribute based on anonymous information from a plurality of business operators.

<Others>
The present invention is not limited to the illustrated examples described above, and various modifications can be made without departing from the scope of the present invention. For example, in the second and third embodiments, the power approximation formula is used as the reduction coefficient, but an approximation formula such as a polynomial approximation formula or an exponential approximation formula may be used instead.

DESCRIPTION OF SYMBOLS 1 Anonymous processing apparatus 2 Decrease coefficient calculation apparatus 10 Anonymization system 11 Data reception part 12 Division number acquisition part 13 Coefficient acquisition part 14 Possibility determination part 15 Anonymization part 16 Test part 17 Column registration part 18 Data output part 21 Anonymity information acquisition Unit 22 Appearance count acquisition unit 23 Coefficient calculation unit 31 Anonymous result DB
32 Anonymous Information Column DB
33 Frequent pattern DB
34 Reduction factor DB

Claims (9)

Anonymous information acquisition unit that acquires anonymous information obtained by anonymizing personal information;
The number of occurrences for obtaining the minimum number of occurrences of the word for a plurality of the number of divisions different from the number of divisions, for each of the types of words that can be attributed to the attribute constituting anonymous information
A coefficient calculation unit for obtaining a reduction coefficient indicating a reduction amount of the minimum occurrence number when the number of divisions is increased based on a combination of the plurality of division numbers and the minimum occurrence number different from each other;
A number-of-sections acquisition unit that acquires the number of sections when anonymizing personal information to be anonymized ,
Based on the reduction coefficient and the number of classifications when anonymizing, there is a possibility that the amount of decrease in the minimum number of appearances when anonymizing the personal information with the number of classifications when anonymizing exceeds a predetermined reference value. A possibility determination unit;
Anonymizing the personal information when the possibility is high, and anonymizing the anonymization of the personal information when the possibility is low,
An anonymous processing device comprising: Anonymous information acquisition unit that acquires anonymous information obtained by anonymizing personal information;
The number of occurrences for obtaining the minimum number of occurrences of the word for a plurality of the number of divisions different from the number of divisions, for each of the types of words that can be attributed to the attribute constituting anonymous information
A coefficient calculation unit for obtaining a reduction coefficient indicating a reduction amount of the minimum occurrence number when the number of divisions is increased based on a combination of the plurality of division numbers and the minimum occurrence number different from each other;
A reception unit that accepts personal information to be anonymized;
Based on the reduction coefficient and the total number of personal information, the number-of-segments calculation unit for obtaining the number of categories in which the amount of decrease in the minimum number of appearances when the personal information is anonymized does not exceed a predetermined reference value;
An anonymization unit that anonymizes the personal information by the number of divisions;
An anonymous processing device comprising: The anonymous processing apparatus according to claim 1, wherein the reduction coefficient is obtained as a linear approximation formula, a polynomial approximation formula, an exponential approximation formula, or a power approximation formula. Acquiring anonymous information obtained by anonymizing personal information;
A step of obtaining the number of divisions for each type of words that can be attributed to the anonymous information, and obtaining the minimum number of occurrences of each word;
A step of obtaining a reduction coefficient indicating a decrease amount of the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of the number of divisions and the minimum number of occurrences having different numbers of the divisions and storing them in a storage unit When,
Obtaining the number of sections when anonymizing personal information to be anonymized,
Based on the decrease coefficient stored in the storage means and the number of sections when the anonymization is performed, the amount of decrease in the minimum number of appearances when the personal information is anonymized by the number of sections when anonymized is a predetermined reference Determining the possibility of exceeding the value;
Performing anonymization of the personal information when the possibility is high, and stopping anonymization of the personal information when the possibility is low;
Anonymous processing method that the computer executes. Acquiring anonymous information obtained by anonymizing personal information;
A step of obtaining the number of divisions for each type of words that can be attributed to the anonymous information, and obtaining the minimum number of occurrences of each word;
A step of obtaining a reduction coefficient indicating a decrease amount of the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of the number of divisions and the minimum number of occurrences having different numbers of the divisions and storing them in a storage unit When,
Receiving personal information to be anonymized;
Based on the reduction coefficient stored in the storage means and the total number of the personal information, obtaining the number of divisions in which the reduction amount of the minimum number of appearances when the personal information is anonymized does not exceed a predetermined reference value;
Anonymizing the personal information by the number of sections;
Anonymous processing method that the computer executes. The anonymous processing method according to claim 4 or 5, wherein the reduction coefficient is obtained as a linear approximation formula, a polynomial approximation formula, an exponential approximation formula, or a power approximation formula. Acquiring anonymous information obtained by anonymizing personal information;
A step of obtaining the number of divisions for each type of words that can be attributed to the anonymous information, and obtaining the minimum number of occurrences of each word;
A step of obtaining a reduction coefficient indicating a decrease amount of the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of the number of divisions and the minimum number of occurrences having different numbers of the divisions and storing them in a storage unit When,
Obtaining the number of sections when anonymizing personal information to be anonymized,
Based on the decrease coefficient stored in the storage means and the number of sections when the anonymization is performed, the amount of decrease in the minimum number of appearances when the personal information is anonymized by the number of sections when anonymized is a predetermined reference Determining the possibility of exceeding the value;
Performing anonymization of the personal information when the possibility is high, and stopping anonymization of the personal information when the possibility is low;
Anonymity processing program to make computer execute. Acquiring anonymous information obtained by anonymizing personal information;
A step of obtaining the number of divisions for each type of words that can be attributed to the anonymous information, and obtaining the minimum number of occurrences of each word;
A step of obtaining a reduction coefficient indicating a decrease amount of the minimum number of occurrences when the number of divisions is increased based on a combination of a plurality of the number of divisions and the minimum number of occurrences having different numbers of the divisions and storing them in a storage unit When,
Receiving personal information to be anonymized;
Based on the reduction coefficient stored in the storage means and the total number of the personal information, obtaining the number of divisions in which the reduction amount of the minimum number of appearances when the personal information is anonymized does not exceed a predetermined reference value;
Anonymizing the personal information by the number of sections;
Anonymity processing program to make computer execute. The anonymous processing program according to claim 7 or 8, wherein the reduction coefficient is obtained as a linear approximation formula, a polynomial approximation formula, an exponential approximation formula, or a power approximation formula.

Images