JP6313944B2 - Anonymization system, anonymization method and anonymization program - Google Patents

Description

  The present invention relates to a technique for using personal information by making it anonymous or diversified.

  With the development of information processing technology, information is collected in many everyday situations, and processing using the collected information is performed. For example, when a consumer purchases a product as a member of a store, the consumer's name, age, gender, address, e-mail address, etc. are often registered at the time of membership registration. When a consumer purchases a product, the store-side system records the consumer and the purchased product information in association with each other. By accumulating and analyzing information on purchased products in this way, it is possible to estimate the consumer's preferences and perform a service such as sending a direct mail when a new product preferred by the consumer is released. it can. Furthermore, by analyzing information of many consumers, information such as products preferred by women in their 20s and products preferred in the Kanto area can be derived and used for marketing and the like.

  Such information has high use value not only for the store but also for the manufacturer of the product and other business operators, and there has been a demand to use it for recommendations such as advertisements and coupons.

  However, the consumer's personal information in the store cannot be provided to others without obtaining the consent of each consumer. For this reason, when providing information related to the consumer to others, it is necessary to anonymize so that individuals cannot be identified.

  For example, if there is only one person 25 years old in the member list in which the age is described, the person can be identified when he / she knows that the 25-year-old acquaintance is the member. That is, if there is only one person with the attribute of a 25-year-old member, there is a high possibility that an individual can be specified by comparing with other information.

  Therefore, if the age description in the member list is abstracted into 10-year breaks, and there are multiple people with the same attribute, such as three in their 20s, who of the three is identified become unable. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

JP 2003-196391 A JP 2003-233551A Japanese Patent Laid-Open No. 2005-100408 JP 2004-086383 A JP 2005-346248 A

  In the situation where multiple stores and businesses are opening and exhibiting, such as shopping malls and exhibitions, there is a demand to use information of visitors for marketing etc. at each store and business. It is being considered to provide personal information collected to other stores and businesses by k-anonymizing.

  However, the k-anonymization process is anonymized, such as which data to use for anonymizing items, such as age, gender, and occupation, and how to abstract these data. After determining the conditions of the anonymization process, it is checked whether k-anonymity is satisfied, and if k-anonymity is not satisfied, anonymization is performed so as to increase the degree of abstraction. Repeat the process under different conditions. For this reason, the k-anonymization process takes time and effort.

  On the other hand, stores and businesses that use anonymous information have different timings that require anonymous information. For example, business operator A needs anonymous information every 10 minutes, business operator B needs anonymous information every hour, and business operator C needs anonymous information every day. In this case, it is desirable to provide anonymization information by performing anonymization processing at the timing required by each business operator, but if the timing of anonymization is different, it will take time and effort to determine appropriate anonymization conditions each time End up. For example, when anonymization is performed every hour, anonymization is performed every 10 minutes even if data having the attribute value “20s, women, coffee purchase” satisfies k-anonymity If the data “20s, women, coffee purchases” does not satisfy k-anonymity, the level of abstraction is increased to “less than 30, women, coffee purchases” or “20s, women purchases”. It is necessary to change the conditions for anonymization, such as reducing the number of items to be adopted, as in “K-anonymization”. That is, if the period to be anonymized is short and the target data is small, the k-anonymized data (anonymous information) becomes schematic data. On the other hand, if anonymization is performed every day, the degree of abstraction is reduced, such as “early 20s, women, regular coffee purchase” or adopted as “early 20s, women, coffee and milk purchase”. Even if the condition of anonymization is changed so as to increase the number of items to be performed, there is a possibility of satisfying k-anonymity. That is, if the period to be anonymized is long and the target data is large, the k-anonymized data (anonymous information) becomes detailed data.

  In this way, the k-anonymization process takes time and effort, and it is not realistic to determine the anonymization conditions for each timing requested by each operator, so it is not realistic, so the predetermined timing For example, anonymization is performed every hour, and this anonymous information is provided to each business operator. In this case, for the business operator A who needs anonymous information every 10 minutes, there is a problem that anonymous information cannot be obtained at a necessary timing, and for the business operator C who needs anonymous information every day, details There was a problem that no anonymous information could be obtained.

  On the other hand, it is conceivable that the information processing apparatus mechanically determines anonymization conditions and performs anonymization at a timing required by each operator.

  However, when abstracting the value of each item so as to satisfy k-anonymity in a conventional information processing device, the data is simply separated so that the same attribute value becomes multiple, so for example k-anonymity Even if the above is satisfied, the data may become useless. For example, when data is used to know a fashion trend, the age item is important. If the age item is excessively abstracted for anonymization, the utility value is lost. Also, for anonymization, if the age items are mechanically separated such as 17 years old or older and less than 22 years old, adults and minors may be mixed in the same group, high school students and adults may be mixed. It becomes difficult to use for marketing and the use value is lost.

  Therefore, the present invention provides a technique for anonymizing data within a period to be anonymized based on a value after abstraction.

In order to solve the above problems, the anonymization system of the present invention is:
A period acquisition unit for acquiring a period for anonymization;
Of the target data including a plurality of items associated with individuals, a data acquisition unit that acquires target data corresponding to the period;
An abstraction unit that generates abstraction candidate data by replacing a word that is a value of an item in the target data with an abstracted word;
A value determination unit that receives the value of the word included in the abstraction candidate data and obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition;
An output unit that outputs the abstraction candidate data selected based on the value as anonymous information.

The anonymization system obtains a plurality of anonymization dictionaries that store the word and the abstracted word in association with each other in order to anonymize the word contained in the target data instead of the abstracted word. When,
Based on the correspondence of each word included in the plurality of anonymization dictionaries, the abstracted word is higher and the word before abstraction is lower, each word included in the plurality of anonymization dictionaries, Corresponds to upper and lower words that exist in the anonymization dictionary, and associates the highest word that does not have a corresponding higher word as a root to the lowest word that does not have a corresponding lower word in a tree shape The tree-like correspondence is set as one dimension, the dimension is obtained for each of the plurality of top words included in the plurality of anonymization dictionaries, and the plurality of dimensions obtained for each top word are determined. An integration part to be an integrated anonymization dictionary;
For each of the dimensions, a priority determination unit that determines the priority based on words included in the dimension;
A dimension selection unit that selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions based on the priority;
The abstraction unit may refer to the integrated anonymization dictionary and generate anonymization candidate data by replacing words that are values of items in the target data with abstracted words.

  The output unit may perform distribution when the anonymous information satisfies a predetermined condition.

In order to solve the above problems, the anonymization method of the present invention is:
Obtaining a period for which anonymization is performed;
Of the target data including a plurality of items associated with an individual, obtaining target data corresponding to the period; and
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of the abstraction candidate data satisfying the test condition;
Outputting abstraction candidate data selected based on the value as anonymous information;
Is executed by the computer.

  Further, the present invention may be an anonymization program for causing a computer to execute the above anonymization method. Further, the anonymization program may be recorded on a computer-readable storage medium.

  Here, the computer-readable storage medium refers to a storage medium that stores information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer. . Examples of such storage media that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card. Further, there are a hard disk, a ROM (read only memory) and the like as a storage medium fixed to the computer.

  The present invention can provide a technique for anonymizing data within a period to be anonymized based on a value after abstraction.

FIG. 1 is an explanatory diagram of anonymization. FIG. 2 is an explanatory diagram of diversification. FIG. 3 is a functional block diagram of the anonymization system. FIG. 4 is a diagram illustrating a hardware configuration of the information processing apparatus. FIG. 5 is an example of personal information acquired from the terminal by the anonymization system. FIG. 6 is a diagram illustrating an example of the target period. FIG. 7 is an explanatory diagram of distribution conditions. FIG. 8 is a diagram illustrating a specific example of the setting information DB that stores the target period and distribution conditions. FIG. 9 is a diagram showing processing for receiving and storing personal information. FIG. 10 is a diagram illustrating processing in the case of performing distribution at a distribution timing using a predetermined time interval and history. FIG. 11 is a diagram showing processing for executing distribution in real time. FIG. 12 is a diagram illustrating anonymization processing. FIG. 13 is an explanatory diagram of candidate patterns. FIG. 14 is a diagram illustrating an example of a part of the age item in the target data. FIG. 15 is a diagram illustrating an example of value data acquired for age. FIG. 16 is a diagram illustrating the value of the age item. FIG. 17 is a table showing the value of the age item. FIG. 18 is a diagram illustrating an example of a part of the age item in the abstraction candidate data. FIG. 19 shows the value data of each word acquired for the age. FIG. 20 is a diagram showing the value of the item of the age. FIG. 21 is a diagram showing the value of the age item. FIG. 22 is a functional block diagram of the anonymization system. FIG. 23 is a diagram illustrating an example of the dictionary DB. FIG. 24 is a diagram illustrating an example of the priority DB. FIG. 25 is a diagram illustrating an example of a common DB. FIG. 26 is a diagram illustrating an example of the personal information DB. FIG. 27 is a diagram illustrating a hardware configuration of the management server 20. FIG. 28 is a diagram illustrating a hardware configuration of the anonymization device. FIG. 29 is a diagram illustrating processing in the case of performing distribution at a distribution timing using a predetermined time interval and history. FIG. 30 is a diagram showing processing for executing distribution in real time. FIG. 31 is a diagram illustrating anonymization processing. FIG. 32 is an explanatory diagram of processing in which the management server 20 creates an integrated anonymization dictionary. FIG. 33 is an explanatory diagram of processing for integrating anonymization dictionaries. FIG. 34 is an explanatory diagram of each dimension created by the process of FIG. FIG. 35 is an explanatory diagram of a plurality of dimensions. FIG. 36 is a diagram showing an example in which each word included in the dimension shown in FIG. 35 is weighted. FIG. 37 is an explanatory diagram of processing for calculating the priority of each dimension by adding up the weights of the respective words. FIG. 38 is an explanatory diagram of an anonymization method executed by the anonymization device using the integrated anonymization dictionary. FIG. 39 is a diagram illustrating an example of anonymization in Company A. FIG. 40 is a diagram illustrating an example of anonymization in the B company. FIG. 41 is a diagram illustrating an example of anonymization of personal information collected at each store of a shopping mall. FIG. 42 is a diagram illustrating an example of anonymizing position information (personal information) of the navigation system. FIG. 43 is a functional block diagram of the anonymization system. FIG. 44 is a diagram illustrating a hardware configuration of the anonymization server. FIG. 45 is a diagram illustrating a hardware configuration of the provider terminal. FIG. 46 is an explanatory diagram of an anonymization method executed by an anonymization server using an integrated anonymization dictionary. FIG. 47 is an explanatory diagram of the anonymization system. FIG. 48 is a diagram illustrating a hardware configuration of the anonymization system.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<Embodiment 1>
§1. Anonymization FIG. 1 is an explanatory diagram of k-anonymization, and FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and sex items.

  As shown in Fig. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, when the 16-year-old woman is found to be this member, the person is identified. it can. That is, if there is only one person with the attribute of 16 years old and female, there is a possibility that an individual can be identified by comparing with other information.

  In FIG. 1 (B), the description of the age in the member list is abstracted and classified by age, such as 0's (under 10 years), 10's, and 20's. However, even in this case, there is only one female teenager, and an individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1 (C), it was further abstracted and the age divisions were changed to those in their teens (under 19 years old) and those in their 20s. In the case of FIG. 1C, there are two women in their teens or less, and the attributes of “10 or less” and [female] are not single. For this reason, even if it turns out that a 16-year-old woman is this member as mentioned above, it cannot be specified which is the data of the 16-year-old woman. In this way, the state where there are more than k people (2 people in this example) with the same attribute is called “k-anonymity”, and processing such data as “k-anonymization” Called.

FIG. 2 is an explanatory diagram of l-diversification, and shows an example in which the data of the used station for each user is abstracted and used as the data of the ward to which the used station for each user belongs.

In the pre-abstraction data, since the station is specified, there is a possibility that the user can be specified by comparing the data such as the residence near Shinjuku Station and the work place near Tokyo Station. For this reason, by abstracting the use station and making it a ward to which the use station belongs, there are a plurality of users who use stations in Shinjuku ward and stations in Chiyoda ward, and the user is not specified. In this way, the state where the attribute value has the possibility of l types, such as “Use stations in Shinjuku ward and Chiyoda ward” is called “I-diversity” and data like that Is called “l-diversification”.

The anonymization system 10 of the first embodiment abstracts the target data so as to satisfy the “k-anonymity” and “l-diversity”, that is, the combination of the values of the data items is one individual of the target data. Anonymization is performed by abstracting so that it is not limited to.

§2. System Configuration FIG. 3 is a functional block diagram of the anonymization system. The anonymization system 10 according to the first exemplary embodiment performs anonymization by collecting personal information collected at each store in a shopping mall where a plurality of business operators (also referred to as stores in this example) open stores. Deliver to terminals 30 of stores and other users.

  As shown in FIG. 3, the anonymization system 10 includes a data acquisition unit 101, an abstraction unit 102, a test unit 103, a selection unit 104, a value determination unit 105, an anonymous information registration unit 106, a value data acquisition unit 107, a word category. An analysis unit 108, a word value calculation unit 109, a data output unit 120, a setting information registration unit 121, a period acquisition unit 122, a prediction unit 123, an anonymization DB (database) 144, a search information accumulation DB 145, and a setting information DB 146 are provided. .

  The setting information registration unit 121 receives setting information such as a period to be anonymized and a distribution condition from the terminal 30 of a user or a business operator (hereinafter also simply referred to as a user), and registers the setting information in the setting information DB 146. In the present embodiment, the setting information DB 146 is a form of the setting information storage unit.

  The period acquisition unit 122 acquires a period for which anonymization is performed. For example, the target period is received together with the request from the user, or the preset target period is read from the setting information DB 146.

  The prediction unit 123 obtains a prediction result based on personal information received from the terminal 30. For example, an attribute value after a predetermined time is obtained as a prediction result based on the transition of the change of the attribute value within a predetermined period. Further, a warning may be used as a prediction result when the attribute value after a predetermined time exceeds a threshold value. Specifically, based on the number of visitors by car per hour (that is, the number of vehicles entering the parking lot) and the average stay time, the number of vehicles received after 2 hours and after 3 hours is obtained as a prediction result. When the number exceeds 70% (threshold value) of the capacity of the parking lot (accommodated number of vehicles), the warning that prompts the placement of guides and the number of vehicles that arrive after 2 or 3 hours are used as the prediction results. In addition, a prediction DB that stores combinations of values of multiple attributes and prediction results in association with each other is obtained, and a prediction result corresponding to a combination of attribute values of personal information received from the terminal 30 is obtained from the prediction DB. Specifically, if the number of women who come to the store outside of the car exceeds 40% and it starts to rain, and the restaurant is crowded after one hour, “40% or more of the women who come to the store outside the car will rain” In association with a combination of attribute values such as this, a message for congestion relief such as “Implementing a time sale targeting women after one hour” is stored in the prediction DB, and the message corresponding to this attribute value is used as a prediction result. Ask.

The data acquisition unit 101 acquires, as target data, information corresponding to the target period among personal information including a plurality of items associated with individuals. For example, the data acquisition unit 101 receives personal information from the terminal 30 of each store, stores it in the anonymization DB 144, and reads data corresponding to the target period from the anonymization DB 144 as target data.

  When the target data is anonymized or diversified, the abstraction unit 102 generates abstract candidate data by replacing words (words) that are values of items in the target data with abstracted words. In this embodiment, a word (word) is a group of words such as a word or a phrase, a numerical value such as location information or a telephone number, identification information such as an e-mail address or an IP address, a symbol having the same meaning as the word, or the like. May be included.

  The value determination unit 105 obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data.

  The test unit 103 performs test on the condition that the combination of the values of items corresponding to one individual of the abstraction candidate data is not single in the abstraction candidate data. For example, the test unit 103 tests whether the abstraction candidate data satisfies k-anonymity or l-diversity.

  The selection unit 104 selects abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition. For example, the selection unit 104 selects a predetermined number of abstraction candidate data satisfying k-anonymity and l-diversity in descending order of value. The selection unit 104 may select abstraction candidate data having the highest value among the abstraction candidate data satisfying k-anonymity and l-diversity.

  The anonymous information registration unit 106 registers the abstraction candidate data selected by the selection unit 104 in the anonymization DB 144 as anonymous information.

  The value data acquisition unit 107 acquires (receives) value data of words included in the abstraction candidate data from the search information accumulation DB 145. Further, the value data acquisition unit 107 makes a request to another device when the value data of the word is not registered in the search information storage DB 145 and registers the acquired value data in the search information storage DB 145 (data request ) Or periodically visit other devices to acquire the latest value data and update the value data registered in the search information storage DB 145 (data crawler). In this embodiment, the statistical information of each word is received from the search engine 70 as this value data. Here, the statistical information of each word includes, for example, an SEM advertising unit price (unit price per click), a click rate, an average ranking, the number of display times per day, the number of clicks per day, and the like. Note that the value acquisition destination is not limited to a search engine, and may be a web page, an SNS, or the like. In this case, for example, the use frequency of each word in a web page or SNS may be used as the value.

  The word category analysis unit 108 analyzes data on a website or the like to obtain a new word or a word (category) obtained by abstracting the word and registers it in the search information storage DB.

  Based on the value of the word acquired by the value data acquisition unit 107, the value calculation unit 19 obtains statistical information on the value of the word, such as an annual average, a monthly average, and a weekly average of the word value. In particular, the value within the target period, for example, the maximum value, the minimum value, or the average value may be used.

  The data output unit 120 reads and outputs anonymous information from the anonymization DB 144. Here, the output of anonymous information includes display output by a display device, print output by a printer, transmission to another computer, writing to a storage medium, and the like.

  In addition, the data output unit 120 according to the first embodiment distributes anonymous information to the terminal 30 such as a store based on the distribution conditions. For example, when the percentage of women exceeds 60%, the number of visitors in their 20s exceeds 100, the percentage of men in their 30s is less than 20%, etc. The distribution condition is that the number of individuals matching the attribute value reaches a predetermined value, and information is distributed when the predetermined value is reached. The information distributed when this distribution condition is satisfied may simply be a notification that the distribution condition is satisfied, or may be anonymous information that satisfies the distribution condition.

  The anonymization DB 144 stores personal information (target data), provides the personal information for verification, and holds anonymous information obtained by anonymizing personal information for each target period.

  The search information storage DB 145 stores the value of the word acquired by the value data acquisition unit 107, the information of the word and category obtained by the word category analysis unit 108, the statistical information of the value obtained by the value calculation unit 19, and the like.

  The setting information DB 146 receives setting information such as a period for which anonymization is performed from the user's terminal 30 and distribution conditions, and stores the setting information in association with the identification information (user ID) of the user.

  In FIG. 1, a search engine 70 is a site (computer) that provides a search function for information existing on a network such as the Internet. That is, when the search engine 70 receives a keyword to be searched from the user terminal, the search engine 70 provides a list such as a URL of a web page including the keyword as a search result, and displays the list on the user terminal.

  In addition, the search engine 70 uses this search function to display an advertisement linked to a keyword in a search result, or to display a link to a sponsor site that has paid an advertising fee according to the keyword. For this reason, the search engine 70 determines the number of searches per day (number of times displayed), the number of times the search result advertisement was clicked (number of clicks), the advertising fee per click (cost per click), etc. Are stored as word statistics.

  Also, based on this information, the search engine 70 determines the click rate obtained by dividing the number of impressions by the number of clicks, the value obtained by multiplying the number of clicks per day by the cost per click (cost per day), the time of application for advertisement (advertisement) Also ask for the ranking of the advertisement according to the cost presented at the time of the auction.

  The search engine 70 stores information related to the word, such as a data output unit 71 that provides information such as the number of clicks, the number of display times, the ranking, the cost of the day, the click rate, the cost per click, etc. to the anonymization system 10. A search word storage DB 72 that stores information on advertisements distributed together with search results.

  FIG. 4 is a diagram illustrating a hardware configuration of the anonymization system 10. The anonymization system 10 is a so-called computer having a CPU 1, a memory 2, a communication control unit 3, a storage device 4, and an input / output interface 5.

  The CPU 1 reads the program from the storage device 4, develops it in the memory 2 and executes it, and executes the above-described abstraction unit 102, value determination unit 105, test unit 103, selection unit 104, anonymous information registration unit 106, data acquisition unit 101. , A value data acquisition unit 107, a word category analysis unit 108, a word value calculation unit 109, a data output unit 120, and a period acquisition unit 122 are provided.

  The memory 2 can also be called a main storage device. The memory 2 stores, for example, a program executed by the CPU 1, data received via the communication control unit 3, data read from the storage device 4, other data, and the like.

  The communication control unit 3 is connected to another device via a network and controls communication with the device. The input / output interface 5 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray (registered trademark) disc. The drive device reads the program from the removable storage medium and stores it in the storage device 4.

The storage device 4 can also be called an external storage device. The storage device 4 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 4 exchanges data with the drive device. For example, the storage device 4 stores an information processing program installed from the drive device. The storage device 4 reads out the program and delivers it to the memory 2. In the present embodiment, the storage device 4 stores the anonymization DB 144 and the search information accumulation DB 145 described above.

  The terminal 30 is a so-called computer having a CPU, a memory, a communication control unit, a storage device, and an input / output interface.

  The CPU of the terminal 30 reads the program from the storage device, expands and executes the program in the memory, receives the distribution information from the anonymization system 10 and the function of transmitting the above-described personal information and setting information to the anonymization system 10, Provides a function to output such as display.

  FIG. 5 is an example of personal information that the anonymization system 10 acquires from the terminal 30 of each store. In the example of FIG. 5, information such as the use date and time, age, sex, purchased product, etc. is acquired from the terminal 30 of each store and stored together with the use store name.

  The use date indicates the time when the consumer uses the store. In the example of FIG. 5, the use date and time are recorded as the use date and time, but when the date is not essential, only the use time (use time) may be used.

  FIG. 6 is a diagram illustrating an example of the target period. As the target period, for example, the target period is set at predetermined intervals such as every 10 minutes, every hour, every day, and every week. Further, the target period is set by a predetermined start time and a predetermined end time such as 10:00 to 12:00, 12: 0 to 14:00, and the like. Further, the target period may be set according to a day of the week, a holiday, a weekday, a holiday, a holiday, a weekend, the beginning of the month, the end of the month, or the like. These may be set in combination such as 10:00 to 18:00 on weekdays, 12:00 to 20:00 on holidays, and 3 days at the end of the month.

  FIG. 7 is an explanatory diagram of distribution conditions. In the example of FIG. 7, the distribution conditions include a distribution pattern, a distribution type, a distribution timing, distribution information, and a distribution destination, and six distribution patterns corresponding to the distribution timing and the distribution information are shown. The distribution type includes regular distribution whose distribution timing is to be distributed periodically at a predetermined time interval, and event distribution whose distribution timing is to be triggered by an event such as acquisition of predetermined information Indicates. In the example of FIG. 7, distribution patterns 1 and 2 are regular distributions, and distribution pattern 3-6 is event distribution.

The distribution timing is information indicating an opportunity for distribution, and a predetermined time interval, an event, and the like are set. The predetermined time interval is set such as every 10 minutes, every hour, every day, every week, as in the above-described target period. The predetermined time interval is 10:00 to 12:00.
, 12:00 to 14:00, etc., may be set by a predetermined start time and a predetermined end time. Furthermore, a predetermined time interval may be set according to a day of the week, a holiday, a weekday, a holiday, a holiday, a weekend, the beginning of the month, the end of the month, or the like. These may be set in combination such as 10:00 to 18:00 on weekdays, 12:00 to 20:00 on holidays, and 3 days at the end of the month.

  In addition, an event that triggers distribution is, for example, when predetermined information is acquired (pattern 3), or when anonymity information deviates by more than a predetermined value from the reference time (pattern 4), and predetermined attributes in anonymous information This is the case when the number of occurrences of the value (predetermined information) and the appearance rate reach a predetermined value (pattern 5), when the rank of the anonymous information changes (pattern 6), and the like.

  In the case of the distribution pattern 1, the ranking of anonymous information or anonymized information is distributed as distribution information at time intervals set in the distribution timing.

  In the case of distribution pattern 2, prediction information based on anonymous information is obtained, and this prediction information is distributed as distribution information at time intervals set at distribution timing.

  In the case of the distribution pattern 3, at the time of acquisition of predetermined information, the order of anonymous information or anonymized information is distributed as distribution information.

  In the case of the distribution pattern 4, when the distribution timing is satisfied, a notification that the distribution information distribution timing is satisfied, that is, a notification that the difference from the history information has deviated by a predetermined value or more, anonymity information, anonymized information Distribute the rank as distribution information.

  In the case of the distribution pattern 5, when the distribution timing is satisfied, a notification that the distribution information distribution timing is satisfied, that is, a notification that the number of appearances and the appearance rate of the anonymous information reach a predetermined value, anonymity information, anonymization The order of the information is distributed as distribution information.

  In the case of the distribution pattern 6, when the distribution timing is satisfied, a notification that the distribution information distribution timing is satisfied, that is, a notification that the rank of the anonymous information has changed, an anonymous information, and the rank of the anonymized information are distributed. Deliver as.

  The distribution destination is information indicating a destination of distribution information such as a mail address of a terminal. Note that the delivery method is not limited to e-mail, and any method can be used as long as information can be transmitted electronically, such as a short message service or a message between messenger software.

  The combination of distribution timing and distribution information is not limited to these six patterns, and any distribution timing that can be determined by a computer or distribution information that can be distributed electronically can be arbitrarily adopted.

  FIG. 8 is a diagram illustrating a specific example of the setting information DB 146 that stores the target period and distribution conditions. In the example of FIG. 8, the setting information DB 146 stores a user ID, a target period, and distribution conditions (distribution pattern, distribution timing, distribution information, distribution destination) in association with each other.

  The user ID is identification information given for each setting information (target period and distribution condition). In this example, the user ID is the identification information of the user who set the setting information. Note that the identification information of the setting information is not limited to the user ID, but may be arbitrary identification information such as identification information (request ID) attached to each request or a serial number.

  As the target period, an arbitrary period set by the user such as every 10 minutes or every week is stored.

Examples of distribution conditions are as follows for distribution patterns 1 to 6.
In the example of distribution pattern 1, anonymous information such as 25 people in their 20s, 48 people in their 30s, etc. is distributed as distribution information to the B store terminal at an hourly distribution timing.

  In the example of the distribution pattern 2, when the prediction process is performed every 15 minutes and the parking lot is predicted to be crowded at 13:00 from the transition of visitors, etc., this prediction information is distributed to the C store terminal as distribution information. Is done.

  In the example of the distribution pattern 3, when predetermined information indicating that the product A has been sold is acquired, the age and gender ranking of the person who purchased the product A is distributed as distribution information to the terminal of the store A.

  In the example of distribution pattern 4, when the number of women in their 40s has decreased by 20% relative to last Saturday, a notification such as “the number of female visitors has decreased compared to last Saturday” will be sent to all stores as distribution information. To the terminal.

  In the example of distribution pattern 5, when there are 100 or more coffee purchasers in their twenties, anonymous information such as 25 women in their twenties, 76 men in their twenties, etc. is distributed as distribution information to the store A terminal. The

  In the example of distribution pattern 6, when the rank of age and gender changes, the ranks such as first female in their 20s and second male in their 30s are distributed as distribution information to the B store terminal.

<Anonymization method>
9 to 12 are explanatory diagrams of the anonymization method executed by the anonymization system 10 in accordance with the anonymization program. FIG. 9 is a diagram illustrating a process of receiving and storing personal information. FIG. FIG. 11 is a diagram illustrating a process for performing distribution at a distribution timing using a time interval and a history, FIG. 11 is a diagram illustrating a process for performing distribution in real time, and FIG. 12 is a diagram illustrating an anonymization process.

  The anonymization system 10 periodically starts the accumulation process shown in FIG. 9 and confirms whether personal information is received from the terminal 30 (step S1010). Here, if the anonymization system 10 has not received personal information (step S1010, No), the process of FIG. 9 is terminated, and if personal information has been received (step S1010, Yes), the received personal information is received. Is registered in the anonymization DB 144 (step S1020), and the accumulation process is terminated. As described above, the anonymization system 10 repeatedly executes the accumulation process of FIG. 9 and registers the received personal information in the anonymization DB 144 as needed.

  Moreover, the anonymization system 10 starts the process shown in FIG. 10 periodically, and first reads the setting information of each user from the setting information DB 146 (step S1030).

Next, the anonymization system 10 determines whether there is a target period in which the read setting information is not processed (step S1035). For example, the anonymization system 10 determines that there is an unprocessed target period when the acquisition of personal information corresponding to the target period is completed and the personal information is not anonymized, and corresponds to the target period. It is determined that there is no unprocessed target period when the acquisition of personal information has not been completed, and only when the personal information has been anonymized. If there is no unprocessed target period (step S1035, No), the anonymization system 10 ends the process of FIG. 10, and if there is an unprocessed target period (step S1035, Yes), it corresponds to the target period. It is determined whether or not the attached distribution information is prediction information, that is, whether or not the distribution pattern associated with the target period is 2 (step S1040). When it determines with the delivery pattern 2 here (step S1040, Yes), the anonymization system 10 calculates | requires the personal information of a target period as object data, performs a prediction process based on this object data etc., and calculates | requires a prediction result ( Step S1045).

  Then, the anonymization system 10 anonymizes personal information corresponding to the target period as the target information (step S1050). For example, when the prediction information includes personal information (target data), the personal information included in the prediction information is anonymized. Moreover, when delivering with prediction information, the object data made into the object of prediction are anonymized.

  On the other hand, when it determines with it not being the delivery pattern 2 by step S1040 (step S1040, No), anonymization of object data is performed without performing a prediction process (step S1050). Details of the anonymization process will be described later.

  After anonymization, the anonymization system 10 determines whether or not the current time corresponds to the distribution timing determined for each predetermined period, that is, whether or not it is the distribution timing of the distribution patterns 1 and 2 (step S1055). When it corresponds to the delivery timing for every predetermined period (step S1055, Yes), the anonymization system 10 delivers delivery information to a delivery destination (step S1060). For example, in the case of distribution pattern 1, the anonymization system 10 distributes rank and anonymous information as distribution information, and in the case of distribution pattern 2, it distributes prediction information and anonymous information.

  If it is determined in step S1055 that it is not the distribution timing of distribution patterns 1 and 2 (No in step S1055), the anonymization system 10 determines whether or not it is a distribution timing using history information, that is, distribution patterns 4-6. It is determined whether or not (step S1065). If the anonymization system 10 determines that the distribution patterns are not 4 to 6 (step S1065, No), the process of FIG. 10 is terminated, and if it is determined that the distribution patterns are 4 to 6 (step). (S1065, Yes), the history information (past anonymous information) is read from the anonymization DB 144 (step S1070), and compared with the anonymous information, it is determined whether the distribution condition is satisfied (step S1075).

  If the distribution condition is not satisfied (step S1075, No), the anonymization system 10 ends the process of FIG. 10, and if the distribution condition is satisfied (step S1075, Yes), distributes notification, ranking, and anonymous information. Distribute as information (step S1080).

  Further, the anonymization system 10 periodically activates the real-time distribution process shown in FIG. 11 and first reads the setting information of each user from the setting information DB 146 (step S1082). Further, the anonymization system 10 determines whether or not predetermined information for performing real-time distribution has been acquired (step S1085).

  When the anonymization system 10 has not acquired the predetermined information (step S1085, No), the process of FIG. 11 is terminated, and when the predetermined information is acquired (step S1085, Yes), the target data is anonymized. (Step S1090).

  After anonymization, the anonymization system 10 distributes anonymous information to the delivery destination terminal 30 in real time (step S1095).

FIG. 12 is an explanatory diagram of the anonymization process in step S1050. The anonymization system 10 reads out and acquires from the anonymization DB 144 personal information corresponding to the target period determined as unprocessed in step S1035 (step S1130). For example, when the target period is set at a predetermined interval such as every 10 minutes, every hour, or every day, the target data is read at every interval from the previous anonymization process. In addition, when a target period is set by a predetermined start time and a predetermined end time, such as 8:00 to 13:00, 13: 0 to 18:00, etc., personal information acquired during the period Is read as target data.

  Next, the anonymization system 10 determines whether or not value data exists in the search information storage DB 145 for each word in the target data (step S1140). The anonymization system 10 proceeds to step S1160 if all word value data exists in the search information storage DB 145 (step S1140, Yes), and if there is insufficient value data (step S1140, No), Word value data is obtained from an external device, in this example, the search engine 70 (step S1150). In addition, the value information of the words existing in the search information storage DB 145 other than the value data acquired from the search engine is acquired from the search information storage DB 145 (step S1160).

  Also, the anonymization system 10 creates abstraction candidate data by replacing each item of the target data with an abstracted word (category) in order to satisfy anonymity (step S1170). When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted. For example, if the target data includes three items A, B, and C and all items can be abstracted, and the abstracted items are A ′, B ′, and C ′, as shown in FIG. Seven candidate patterns can be created, such as A ′, B, and C when only A is abstracted, and A ′, B ′, and C when items A and B are abstracted. Moreover, you may produce the candidate pattern which abbreviate | omitted some items A, B, and C contained in object data. For example, item A, B, item A ′, B, item A, B ′, item A ′, B ′, item B, C, item B ′, C, item B, C ′, item B ′, C ′ Candidates such as item A, C, item A ′, C, item A, C ′, item A ′, C ′ may be created. At this time, items that are not omitted (essential items) may be set in advance, and a candidate pattern may be created in which items other than the essential items are omitted. Note that the anonymization system 10 may determine the number of candidate pattern items according to the length of the target period acquired in step S1125. For example, if the target period is 10 minutes, the number of items is 1 to 3, and if it is 1 hour, the number of items is 2 to 5, and if it is more than one day, the number of items is 5 to 8 for each target period. A range of numbers may be determined and stored in the storage unit, a range of the number of items corresponding to the target period acquired in step S1125 may be read, and a candidate pattern may be created within the range of the number of items.

  Next, the anonymization system 10 calculates the value of the abstraction candidate data of each pattern based on the value data of each word included in the abstraction candidate data (step S1180), and based on the value of this abstraction candidate data. The order of testing is determined (step S1190). For example, the test order is determined in descending order of the value. Although it is desirable to test all candidate patterns, abstract candidate data that is too low in value may be removed from the order based on the value of the abstract candidate data. For example, abstract candidate data less than a predetermined ratio, such as after a predetermined value or less than half, may be removed in order of value. Further, the abstraction candidate data whose value is less than a predetermined ratio with respect to the value of the target data may be excluded. This reduces the number of tests and shortens the processing time.

  In accordance with the order of this test, the anonymization system 10 tests the anonymity of the abstraction candidate data (step S1200). For example, in order to test k-anonymity, the number (existence number) of combinations of values of different items associated with one individual is present in the abstraction candidate data. Alternatively, in order to test 1 diversity, the number (existence number) in which the combination of values of the same item associated with one individual exists in the abstraction candidate data is obtained. Then, the smallest one of the existence numbers is obtained as the minimum number of appearances (k value / l value) (step S1210), and it is determined whether or not the minimum number of appearances exceeds 1 (step S1220). That is, if the k value exceeds 1, k-anonymity is satisfied, and if it is 1, k-anonymity is not satisfied. Similarly, if the l value exceeds 1, l-diversity is satisfied, and if l value is 1, l-diversity is not satisfied.

When the minimum appearance number (k value / l value) does not exceed 1 (step S1220, No), the anonymization system 10 further abstracts the value of at least one item of the abstraction candidate data, that is, Replacing with the abstracted word (step S1230), the process returns to step S1200.

  On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S1220, Yes), the anonymization system 10 calculates the difference between the value of the abstract candidate data and the value of the original target data. Determination (step S1240), this difference, a value based on this difference, for example, the ratio of the difference to the value of the target data, and the ratio of the value of the abstract candidate data to the value of the target data are determined as the value of the abstract candidate data. (Step S1250).

  Further, the anonymization system 10 determines whether there is a candidate pattern that has not been verified (step S1260). If there is a candidate pattern that has not been verified (step S1260, Yes), the anonymization system 10 follows the order determined in step S1190. Then, the next abstraction candidate data is specified (step S1270), and the process returns to step S1200 to test the next abstraction candidate data.

  In this way, when the test is repeated for the abstraction candidate data of each pattern and there is no next candidate pattern (No in step S1260), the anonymization system 10 determines based on the value of each abstraction candidate data in step S1250. Then, abstraction candidate data to be adopted is selected (step S1280), and the selected abstraction candidate data is registered as anonymized information in the anonymization DB 144 in association with the target period acquired in step S1125 (step S1290). Terminate the process.

  Thus, the abstraction candidate data is selected, for example, by selecting the abstraction candidate data having the highest value among all candidate patterns. Further, the anonymization system 10 outputs a plurality of abstraction candidate data in descending order of value from all candidate patterns, and the abstraction candidate data that the operator thinks is appropriate from the output abstraction candidate data May be selected, and the specified abstraction candidate data may be selected.

  Next, the value of data in the present embodiment will be described with reference to FIGS. FIG. 14 is a diagram illustrating an example of a part of the age item in the target data. As shown in FIG. 14, the target data has the number of people ci for each age si. For example, the number of people (c1) at the age of 18 (s1) is 30, and the number of people (c2) at the age of 19 (s2) is 10.

  FIG. 15 shows an example of value data acquired for the age si. The value data in FIG. 15 has a SEM unit price ei for each age si.

  The value of this age si is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is represented by Equation 1.

si = ci × ei (Formula 1)
As shown in FIG. 16, the value of the age item S (e) is the total of each age si, and is expressed by Equation 2. In FIG. 16, n is 5. Accordingly, the value of the age item S (e) is 2446 yen as shown in FIG. The value of the target data is the sum of the values of all items in the target data.

  On the other hand, FIG. 18 is a diagram illustrating an example of a part of the age item in the abstraction candidate data. As shown in FIG. 18, the abstraction candidate data has the number of people ci for each age ki. For example, the number of teenagers (k1) (c1) is 40, and the number of people in their 20s (k2) (c2) is 22.

  FIG. 19 shows an example of value data of each word acquired for the age ki. The value data in FIG. 19 has a SEM unit price ei for each age ki.

  The value of this age ki is a value obtained by multiplying the SEM unit price ei by the number of people ci, and is expressed by Equation 3.

ki = ci × ei (Formula 3)
Then, as shown in FIG. 20, the value of the item S (k) of the age is the total of each age ki, and is expressed by Equation 4. In FIG. 20, n is 2. Therefore, the value of the age item S (k) is 2134 yen as shown in FIG. In other words, the value was lost by 312 yen by abstracting the age item into the age. Further, the sum of the values of all items in the abstraction candidate data is the value of the abstraction candidate data.

  Then, as the value of the abstraction candidate data obtained in step S1250, for example, as shown in Equation 5, an impairment rate M (k that is obtained by dividing the value of the abstraction candidate data by the sum of the value of the abstraction candidate data and the value of the target data. )

M (k) = S (k) / (S (k) + S (e)) (Formula 5)
As described above, the anonymization system 10 according to the first embodiment can evaluate the value of each abstraction candidate data with high accuracy by evaluating the value of each abstraction candidate data based on the value of the abstracted word. Abstraction candidate data having high value can be selected even after conversion.

  Moreover, since the anonymization system 10 of the first embodiment performs anonymization using the personal information within the target period designated by the user as the target data, the degree of abstraction for anonymizing according to the length of the target period Are different. For example, if the target period is as short as 10 minutes, the number of personal information is small, and it is necessary to increase the degree of abstraction in order to satisfy k-anonymity or l-anonymity. A relatively long period such as one day can satisfy k-anonymity or l-anonymity even if the number of personal information is large and the degree of abstraction is low. Thus, even if the degree of abstraction changes depending on the target period specified by the user, according to the anonymization system 10 of the first embodiment, abstraction candidates are selected based on the value after abstraction. And an appropriate anonymization process based on the target period and the value after abstraction can be performed.

<Embodiment 2>
FIG. 22 is a functional block diagram of the anonymization system 100 according to the second embodiment. The anonymization system 100 according to the second embodiment is a system that anonymizes personal information collected by each business operator from an exhibitor at an exhibition where a plurality of business operators exhibit. Or it has the management server 20 which manages the anonymous information anonymized by each provider. In the second embodiment, the same elements as those in the first embodiment are denoted by the same reference numerals, and a part of the description is omitted.

  In the anonymization system 100 of the second embodiment, the management server 20 acquires anonymization dictionaries from the anonymization devices 50 of the respective operators, integrates the anonymization dictionaries of the respective operators, and generates an integrated anonymization dictionary. And distributed to the anonymization device 50 of each business operator. Moreover, the management server 20 receives setting information from each business operator's anonymization device 50, and distributes the received setting information to each business operator's anonymization device 50, respectively. And each company's anonymization device 50 acquires the target data corresponding to the target period of the setting information, anonymizes the target data using an integrated anonymization dictionary common to each company, and makes this information anonymous. By distributing anonymous information based on distribution conditions, other companies can use anonymous information anonymized by each company under desired conditions.

As shown in FIG. 22, the management server 20 includes a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, a dictionary management unit 204, an anonymous information registration unit 205, an anonymous information control unit 206, a dimension selection unit 207, A setting information management unit 208, a distribution unit 209, a dictionary DB 231, a priority DB 232, a common DB 233, and a setting information DB 236 are provided. That is, the management server 20 according to the second embodiment is also a dictionary creation device including a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, and a dimension selection unit 207.

  In order to anonymize the word included in the target data by replacing the word included in the target data with the dictionary acquisition unit 201, the dictionary acquisition unit 201 stores a plurality of anonymization dictionaries storing the word and the abstracted word in association with each operator. Obtained from the anonymization device 50. In this embodiment, the dictionary acquisition part 201 receives the anonymization dictionary transmitted from the anonymization apparatus 50 of each provider, and registers it in the dictionary DB 231.

  The integration unit 202 integrates a plurality of anonymization dictionaries acquired from the anonymization device 50 of each business operator and creates an integrated anonymization dictionary. For example, the integration unit 202 sets the abstracted word as a higher level and the pre-abstraction word as a lower level based on the correspondence between the words included in the plurality of anonymized dictionaries, and each word included in the plurality of anonymized dictionaries And the upper and lower words existing in the plurality of anonymization dictionaries, and the highest word that does not have a corresponding higher word as a root to the lowest word that does not have a corresponding lower word. A dimension of a word having a tree-like correspondence is generated for each top word and stored in the dictionary DB 231 as an integrated anonymization dictionary. The dimension of the tree-like word rooted at each uppermost word constitutes an integrated anonymization dictionary.

  The priority determination unit 203 determines a priority for each dimension constituting the integrated anonymization dictionary based on words included in the dimension. For example, the priority determination unit 203 sets at least one of the number of words included in each dimension, the number of stages having a higher and lower relationship for the words included in each dimension, and the value of the word included in each dimension. Based on the priority, the priority is determined. For example, the priority DB 232 stores a predetermined value for the word, and the priority determination unit 203 refers to the priority DB 232 to determine the priority.

  The dimension selection unit 207 selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions generated by the integration unit 202 based on the priority.

  The dictionary management unit 204 manages the integrated anonymization dictionary created by the integration unit 202. For example, the dictionary management unit 204 reads the integrated anonymization dictionary from the dictionary DB 231 and distributes it to the anonymization device 50 of each business operator.

  The anonymous information registration unit 205 acquires anonymous information from each company's anonymization device 50 and registers it in the common DB 233.

  The anonymous information control unit 206 controls an output process of anonymous information registered in the common DB 233 and the like. For example, when an anonymous information acquisition request is received from an information processing device such as the anonymization device 50, the corresponding anonymous information is distributed to the requesting information processing device. In the second embodiment, the anonymous information control unit 206 is a form of an output unit.

  The setting information management unit 208 receives the setting information from each company's anonymization device 50, stores it in the setting information DB 236, and distributes the received setting information (target period) to the other companies' anonymization device 50. To do. The configuration of data stored in the setting information DB 236 is substantially the same as that in FIG. 8 and includes information such as a user ID, a target period, distribution conditions (distribution pattern, distribution timing, distribution information, distribution destination), and the like. The specific contents are appropriately set according to the contents of the personal information to be processed. In addition, the management server 20 does not need to hold | maintain, after distributing a target period to the other provider among the received setting information, and does not need to memorize | store in setting information DB236.

  The distribution unit 209 distributes distribution information such as anonymous information to a distribution destination such as the anonymization device 50 of each operator based on the distribution conditions of the setting information DB 236.

FIG. 23 is a diagram illustrating an example of the dictionary DB 231. The dictionary DB 231 stores a word before abstraction (hereinafter also referred to as a lower word) and a word after abstraction of the word (hereinafter also referred to as an upper word) in association with each other.

  FIG. 24 is a diagram illustrating an example of the priority DB 232. The priority DB 232 stores a value (value) for determining the priority for each word. In the example of FIG. 24, for each word, there are values used in the SEM such as the number of clicks per day, the number of display times per day, the number of participating companies, the cost per day, the click rate, and the SEM price (acquired price). It is remembered.

  FIG. 25 is a diagram illustrating an example of the common DB 233. The common DB 233 stores anonymous information that has been anonymized using the integrated anonymization dictionary by the anonymization device 50 of each business operator. In the example of FIG. 25, data of items such as a visit booth, age, gender, affiliated company, title, product showing interest, and status are stored. The degree of abstraction of this item and each item is determined by the integrated anonymization dictionary, the result of the test, etc. as will be described later.

  Further, as shown in FIG. 22, each business operator anonymization device 50 includes a data acquisition unit 101, an abstraction unit 102, a test unit 103, a selection unit 104, an anonymous information registration unit 106, a value data acquisition unit 107, A word category analysis unit 108, a word value calculation unit 109, an output control unit 110, a setting information registration unit 121, a period acquisition unit 122, a prediction unit 123, a personal information DB 131, a search information accumulation DB 145, and a setting information DB 146 are provided.

The data acquisition unit 101 acquires data including a plurality of items associated with an individual, that is, personal information, and acquires the personal information corresponding to the target period as target data. For example, the data acquisition unit 101 receives a questionnaire written by a visitor or personal information heard from the visitor from a keyboard or the like and stores it in the personal information DB 131. The personal information DB 131 stores 10 minutes, 1 hour, Personal information corresponding to a target period such as one day is read out as target data. In addition, the data acquisition unit 101 may read items described in the visitor's business cards and questionnaires by OCR (Optical Character Recognition) and store them as personal information, or the visitor's RF-ID tag, IC chip, etc. The personal information of the visitor may be acquired and stored.

  The abstraction unit 102 refers to the integrated anonymization dictionary including the dimensions, and generates anonymization candidate data by replacing words that are values of items in the target data with words abstracted based on the priority. .

  The test unit 103 performs test on the condition that the combination of the item values of the abstraction candidate data is not limited to one individual of the target data. For example, the test | inspection part 103 tests on condition that the combination of the value of the item of abstraction candidate data satisfy | fills k-anonymity or l-diversity.

  The output control unit 110 outputs the abstraction candidate data that satisfies the test condition as anonymous information. For example, the output control unit 110 transmits anonymous information to the management server 20.

The setting information registration unit 121 stores the setting information input by the operator (user) in the setting information DB 146 and transmits the setting information to the management server 20. In addition, the setting information registration unit 121 receives setting information (target period) of other operators distributed from the management server 20 and registers it in the setting information DB 146. Note that the setting information (target period) stored in the setting information DB 146 is the same as the example in FIG.

  The period acquisition unit 122 acquires a period for which anonymization is performed. For example, the period acquisition unit 122 acquires the target period by reading it from the setting information DB 146.

  The prediction unit 123 obtains a prediction result based on the acquired personal information and the like. For example, an attribute value after a predetermined time is obtained as a prediction result based on the transition of the change of the attribute value within a predetermined period. Further, a warning may be used as a prediction result when the attribute value after a predetermined time exceeds a threshold value.

  FIG. 26 is a diagram illustrating an example of the personal information DB 131. The personal information DB 131 stores personal information acquired by the data acquisition unit 101. In the example of FIG. 26, name, mail, company name, title, interest, status, etc. are stored.

  FIG. 27 is a diagram illustrating a hardware configuration of the management server 20. The management server 20 is a so-called computer having a CPU 21, a memory 22, a communication control unit 23, a storage device 24, and an input / output interface 25.

  The CPU 21 executes the program expanded in an executable manner in the memory 22, and the above-described dictionary acquisition unit 201, integration unit 202, priority determination unit 203, dictionary management unit 204, anonymous information registration unit 205, anonymous information control unit 206, a dimension selection unit 207, a setting information management unit 208, and a distribution unit 209.

  The memory 22 can also be called a main storage device. The memory 22 stores, for example, a program executed by the CPU 21, data received via the communication control unit 23, data read from the storage device 24, other data, and the like.

  The communication control unit 23 is connected to another device via a network and controls communication with the device. The input / output interface 25 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 24.

The storage device 24 can also be referred to as an external storage device. The storage device 24 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 24 exchanges data with the drive device. For example, the storage device 24 stores an information processing program installed from the drive device. The storage device 24 reads out the program and delivers it to the memory 22. In the present embodiment, the storage device 24 stores the dictionary DB 231, the priority DB 232, and the common DB 233 described above.

  FIG. 28 is a diagram illustrating a hardware configuration of the anonymization device 50. The anonymization device 50 is a so-called computer having a CPU 51, a memory 52, a communication control unit 53, a storage device 54, and an input / output interface 55.

The CPU 51 executes the program expanded in an executable manner in the memory 52, and the data acquisition unit 101, the abstraction unit 102, the test unit 103, the selection unit 104, the anonymous information registration unit 106, the value data acquisition unit 107, The functions of the word category analysis unit 108, the word value calculation unit 109, the output control unit 110, the setting information registration unit 121, the period acquisition unit 122, and the prediction unit 123 are provided.

  The memory 52 can also be called a main storage device. The memory 52 stores, for example, a program executed by the CPU 51, data received via the communication control unit 53, data read from the storage device 54, other data, and the like.

  The communication control unit 53 is connected to another device via a network and controls communication with the device. The input / output interface 55 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 54.

The storage device 54 can also be called an external storage device. The storage device 54 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 54 exchanges data with the drive device. For example, the storage device 54 stores a program installed from the drive device. The storage device 54 reads out the program and delivers it to the memory 52. In the present embodiment, the storage device 54 stores the personal information DB 131 described above.

§3. Anonymization method Next, the anonymization method of the second embodiment will be described with reference to FIGS.

(3-1) Processing Based on Setting Information The anonymization device 50 periodically starts the processing shown in FIG. 29, and first reads the setting information (target period) from the setting information DB 146 (step S1030).

  Next, the anonymization apparatus 50 determines whether or not there is an unprocessed target period that has been read (step S1035), and if there is no unprocessed target period (step S1035, No), the process of FIG. If there is an unprocessed target period (step S1035, Yes), whether the distribution information associated with the target period is prediction information, that is, the distribution pattern associated with the target period is 2 It is determined whether or not (step S1040). When it determines with the delivery pattern 2 here (step S1040, Yes), the anonymization system 10 calculates | requires the personal information of a target period as object data, performs a prediction process based on this object data etc., and calculates | requires a prediction result ( Step S1045).

  The personal information corresponding to the target period is read out from the anonymization DB 144 as target information (step S1040). And the anonymization system 10 anonymizes prediction information and object data (step S1050). For example, when the prediction information includes personal information (target data), the personal information included in the prediction information is anonymized. Moreover, when delivering with prediction information, the object data made into the object of prediction are anonymized.

  On the other hand, when it determines with it not being the delivery pattern 2 by step S1040 (step S1040, No), anonymization of object data is performed without performing a prediction process (step S1050). Details of the anonymization process will be described later.

After anonymization, the anonymization device 50 transmits anonymous information to the management server 20 (step S1052). In addition, when prediction information is produced | generated by step S45 separately from anonymous information, the anonymization apparatus 50 transmits prediction information to the management server 20 with anonymous information. The management server 20 that has received the anonymous information and the prediction information accumulates in the common DB 233.

  Further, the anonymization device 50 periodically starts the real-time distribution process shown in FIG. 30 and first reads the setting information of each user from the setting information DB 146 (step S1082). Further, the anonymization device 50 determines whether or not predetermined information for performing real-time distribution has been acquired (step S1085).

  When the anonymization apparatus 50 has not acquired the predetermined information (step S1085, No), the process of FIG. 30 is terminated, and when the predetermined information is acquired (step S1085, Yes), the anonymization process of the target data is performed. (Step S1090).

  After anonymization, the anonymization device 50 transmits information indicating real-time delivery to the management server 20 together with the anonymous information (step S1092).

  On the other hand, the management server 20 periodically starts the distribution process shown in FIG. 31, and first reads the setting information of each user from the setting information DB 236 (step S1032). Also, the management server 20 determines whether or not information indicating real-time delivery has been acquired (step S1037). When information indicating real-time distribution is acquired (step S1037, Yes), the management server 20 distributes the anonymous information received together with the information to a distribution destination such as the anonymization device 50 based on the setting information (step S1097).

  If it is determined in step S1037 that information indicating real-time delivery has not been acquired (step S1037, No), the management server 20 corresponds to the delivery timing in which the current time is determined for each predetermined period based on the setting information. It is determined whether or not it is distribution timing of distribution patterns 1 and 2 (step S1055). When it corresponds to the delivery timing for every predetermined period (step S1055, Yes), the management server 20 delivers the delivery information such as anonymous information received from the anonymization device 50 in step S1050 to the delivery destination (step S1060). For example, in the case of the distribution pattern 1, the management server 20 distributes rank and anonymous information as distribution information, and in the case of the distribution pattern 2, the management server 20 distributes prediction information and anonymous information.

  If it is determined in step S1055 that it is not the distribution timing of distribution patterns 1 and 2 (No in step S1055), the anonymization system 10 determines whether or not it is a distribution timing using history information, that is, distribution patterns 4-6. It is determined whether or not (step S1065). If the management server 20 determines that the distribution pattern is not 4 to 6 (No at Step S1065), the management server 20 ends the process of FIG. 31 and determines that the distribution pattern is 4 to 6 (Step S1065). , Yes), the history information is read from the common DB 233 (step S1070), and compared with the anonymous information, it is determined whether or not the distribution condition is satisfied (step S1075).

If the distribution condition is not satisfied (step S1075, No), the anonymization system 10 ends the process of FIG. 31, and if the distribution condition is satisfied (step S1075, Yes), distributes notification, ranking, and anonymous information. Information is distributed to a distribution destination such as the anonymization device 50 (step S1080).
FIG. 32 is an explanatory diagram of processing for creating an integrated anonymization dictionary that the management server 20 executes according to a program.

(3-2) Creation of Integrated Anonymization Dictionary First, the management server 20 receives the anonymization dictionary of each business from the anonymization device 50 of each business (step S10).

  Next, the management server 20 integrates the anonymization dictionary of each business operator (step S20). In addition, the specific process at the time of integrating an anonymization dictionary is mentioned later.

  In addition, the management server 20 determines priorities for the dimensions of the words constituting the integrated anonymization dictionary (step S30), and selects a dimension to be adopted for the integrated anonymization dictionary and a dimension not to be adopted based on this priority. (Step S40).

  And the management server 20 delivers the integrated anonymization dictionary comprised from the dimension selected by step S40 to each anonymization apparatus 50 (step S50).

  FIG. 33 is an explanatory diagram of the process of integrating the anonymization dictionary in step S20. The management server 20 first extracts the lowest word from the dictionary DB 231 storing the anonymization dictionary of each business operator (step S110). For example, in the anonymization dictionary of each company, as shown in FIG. 23, an abstract word of “soft A” is stored as “slip software”, and a word one level higher than “soft A” is stored. It turns out that it is "slip software". Similarly, a word that abstracts “soft Z” is “slip software”, and a word that abstracts “soft B” is “accounting software”.

  In addition, for “slip software” which is a word one level higher than “soft A” and “soft Z”, the word one level higher is stored as “business software”.

  In this way, out of the words stored in the dictionary DB 231 together with the upper / lower relationship, one word that is not associated with the lower word, that is, the lowest word is extracted.

  Next, the management server 20 obtains a word one higher than the word extracted in step S110, and sets one higher level (abstraction level) (step S120). For example, if the word extracted in step S110 is “soft A”, “slip software” is extracted as the upper word.

  The management server 20 extracts a word at the same stage (abstraction level) as the one lower word corresponding to the word extracted in step S120 (step S130). For example, if the word extracted in step S120 is “slip software”, “soft Z” at the same stage as “soft A” is extracted.

  Furthermore, the management server 20 extracts the lower word corresponding to the word extracted in step S130, and repeats the extraction of the lower word until there is no corresponding lower word (step S140).

  When the lower word is exhausted in step S140, the management server 20 determines whether or not the stage set in the immediately preceding step S120 or step S160 is the highest, that is, whether there is a higher word. If it is not the most significant (No in step S150), the word one higher is obtained, the one higher level (abstraction level) is set, and the process returns to step S130 (step S160). For example, if the word set in step S120 is “slip software”, the word “business software” that is one higher level is obtained and set as one level higher.

Then, after returning to step S130 and performing the processing of steps S130 and S140, if it is determined in step S150 that the stage set in the immediately preceding step S120 or step S160 is the highest (step S150, Yes), the plurality of It is determined whether or not all the words included in the anonymization dictionary have been processed (step S170), and if there are remaining words (step S170, No), the process returns to step S110 to repeat the process, If the above process is completed (step S170, Yes), the process of FIG. 33 is terminated.

(3-3) Description of Dimensions FIG. 34 is an explanatory diagram of each dimension created by the process of FIG. In the example of FIG. 34, a dimension having “IT product” as a root is shown. That is, in the dimension of FIG. 34, “IT product” is the word at the highest level.

  In “IT product”, “software” and “hardware” are associated as words in the next lower stage (stage 4 in the example of FIG. 34). “Software” is associated with “business software” and “individual software” as the words at the next lower level (step 3 in the example of FIG. 34).

  In addition, “business software” is associated with “slip software”, “accounting software”, and “customer management software” as the words of the next lower stage (stage 2 in the example of FIG. 34). “Soft A” and “Soft Z” are associated with the words at one lower level (step 1 in the example of FIG. 34, the lowest level). The “individual software” is associated with “soft V” and “soft U” as the words in the lower level, and “hard” is “server D” and “server” as the words in the lower level. E ”.

  As described above, the integration unit of the present embodiment creates a plurality of dimensions as shown in FIG. 34 based on the anonymization dictionary of each business operator. Here, the dimension is a correspondence relationship in which the highest word is rooted and associated with the lowest word in a tree form, and is generated for each highest word. That is, the integration unit integrates the anonymization dictionary by combining all words included in the anonymization dictionary of each business operator into a plurality of dimensions by associating them with a tree. The plurality of dimensions is an integrated anonymization dictionary.

  FIG. 35 is an explanatory diagram of a plurality of dimensions. As shown in FIG. 35, there can be multiple dimensions for abstracting a word. For example, in dimension a in FIG. 35, “software A” is abstracted into “accounting software” and “business software”, and in dimension c, “software A” is abstracted into “a company product” and “package”. Also, the dimension b and dimension d are abstracted into different words.

  In particular, since the integrated anonymization dictionary of this embodiment integrates anonymization dictionaries of a large number of operators, for example, it includes tens to hundreds of dimensions, and abstraction is performed using all dimensions. And the amount of data becomes enormous. For this reason, in this embodiment, the priority of the dimension employ | adopted for abstraction is determined about each dimension of an integrated anonymization dictionary.

(3-4) Description of Priority Next, details of the priority determination process in step S30 will be described with reference to FIGS. FIG. 36 is a diagram showing an example in which each word included in the dimension shown in FIG. 35 is weighted. In the example of FIG. 36, each word included in each dimension is stored in association with the stage of the word, and three types of weighting are performed. Weight 1 indicates the presence / absence of an important flag, weight 2 indicates the number of searches, and weight 3 indicates a SEM (Search Engine Marketing) price. Here, the important flag is a value input as to whether or not the user is important, and is recorded as important for an important word, that is, a word to be used for abstraction (an important flag is set).

  Also, the priority determination unit 203 reads the value of the word from the priority DB 232 shown in FIG. 24 and adds it to the corresponding word as a weight as shown in FIG.

  Then, the number of words in the dimension shown in FIG. 35, the sum of steps, and the weight of each word are totaled for each dimension, and the priority is determined.

  FIG. 37 is an explanatory diagram of processing for calculating the priority of each dimension by adding up the weights of the respective words. In FIG. 37, for each word of dimension a, Table 51A is a summation of the number of words, the sum of the number of steps, weight 1, weight 2, and weight 3. Similarly, a table summarizing dimension b is 51B, and a table summing dimension c is 51C.

  The number of words is the total number of words included in each dimension. In the example of FIG. 37, dimension a is 25, dimension b is 50, and dimension c is 9. If this number of words is large, there will be many variations of abstraction, and it will be difficult to satisfy 1-diversity, that is, safety will be low. Prioritize.

  The sum of the number of stages is obtained by multiplying the number of stages by the number of words belonging to the stage and obtaining a total, for example, (number of stages 5 × number of words 1) + (number of stages 4 × number of words 2). + (Number of stages 3 × number of words 2) + (number of stages 2 × number of words 3) + (number of stages 1 × number of words 9) = 34 If the sum of the number of stages is large, there are many higher-level stages, and there are many options with a high level of abstraction, which can be abstracted at an appropriate level of abstraction and is highly secure. Priority is given to those with a high sum.

  Similarly, for the weights 1 to 3, the total number of important flags, the number of searches, and the SEM price are obtained, and a higher value, that is, a higher value is given priority.

  And about these word number, the sum of the number of steps, and the weights 1-3, the whole appearance rate (ratio with respect to the whole number) is calculated | required based on following Formula.

Overall appearance rate = tf / idf
= Value of dimension a / (value of dimension a + value of dimension b + value of dimension c +...)
Table 52 shows a comparison of the overall appearance rate for each dimension. For each dimension in Table 52, the total priority is determined by summing the number of words, the sum of the number of stages, and the overall appearance rates of weights 1 to 3.

  In this way, the overall priority is obtained for each dimension, and the dimension that the dimension selection unit 207 adopts to the integrated anonymization dictionary and the dimension that is not adopted are selected based on the overall priority. For example, the dimension selection unit 207 refers to the overall priorities in Table 52, adopts a predetermined number of dimensions in descending order of overall priorities, and does not employ other dimensions with lower overall priorities.

  The selection criteria are not only the order of the overall priority, but the dimension including the important flag is adopted, and the dimension not including the important flag is selected such that a predetermined number of dimensions are adopted in descending order of the overall priority. Conditions may be set.

  The selection target may be, for example, all dimensions included in the integrated anonymization dictionary, and a predetermined number of dimensions may be adopted based on the overall priority, or may be selected for each dimension including the same word. And a predetermined number of dimensions may be adopted based on the overall priority.

(3-5) Anonymization Method FIG. 38 is an explanatory diagram of the anonymization process executed by the anonymization device using the integrated anonymization dictionary in step S1050. The anonymization device 50 reads out and acquires personal information corresponding to the target period determined as unprocessed in step S1035 from the personal information DB 131 (step S210), and for each word in the target data, the value data is the search information storage DB 142. (Step S220). The anonymization device 50 proceeds to step S230 when the value data of all words exist in the search information storage DB 142 (step S220, Yes), and when there is insufficient value data (step S220, No), Word value data is obtained from an external device, in this example, a search engine (step S240). And the anonymization apparatus 50 acquires the value information of the word which exists in search information storage DB142 from search information storage DB142 (step S230).

  Further, the anonymization device 50 creates abstraction candidate data by replacing each item of the target data with an abstracted word (category) in order to satisfy anonymity (step S250). When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted.

  For example, if the target data includes three items A, B, and C and all items can be abstracted, and the abstracted items are A ′, B ′, and C ′, as shown in FIG. Seven candidate patterns can be created, such as A ′, B, and C when only A is abstracted, and A ′, B ′, and C when items A and B are abstracted. Moreover, you may create the candidate pattern using some items, such as A ', B, B', and C, without using all items. For example, item A, B, item A ′, B, item A, B ′, item A ′, B ′, item B, C, item B ′, C, item B, C ′, item B ′, C ′ Candidates such as item A, C, item A ′, C, item A, C ′, item A ′, C ′ may be created. At this time, items that are not omitted (essential items) may be set in advance, and a candidate pattern may be created in which items other than the essential items are omitted. Note that the anonymization system 10 may determine the number of candidate pattern items according to the length of the target period acquired in step S1125. For example, if the target period is 10 minutes, the number of items is 1 to 3, and if it is 1 hour, the number of items is 2 to 5, and if it is more than one day, the number of items is 5 to 8 for each target period. A range of numbers may be determined and stored in the storage unit, a range of the number of items corresponding to the target period acquired in step S1125 may be read, and a candidate pattern may be created within the range of the number of items.

  Further, when there are a plurality of dimensions that can be abstracted for one item in the integrated anonymization dictionary, the number of the items is increased to a plurality of dimensions and the abstraction is performed in each dimension. For example, if there is a dimension p that is abstracted to a listed company or unlisted company and a dimension q that is abstracted to a business type such as an IT-related company, an education-related company, or a publishing business, The items are abstracted into the item of the affiliated company (listed / unlisted) whose items are abstracted with dimension p and the item of the affiliated company (business type) abstracted with dimensions q. In other words, when there are two dimensions that can be abstracted for item B among the three items A, B, and C, abstraction is made into four items such as items A, B1 ′, B2 ′, and C. To do. That is, in the example of FIG. 13, seven candidate patterns to be abstracted into items B1 ′ and B2 ′ can be created instead of the item B ′.

  Next, the anonymization device 50 calculates the value of the abstraction candidate data of each pattern based on the value data of each word included in the abstraction candidate data (step S260), and based on the value of this abstraction candidate data. The order of testing is determined (step S270). For example, the test order is determined in descending order of the value. Although it is desirable to test all candidate patterns, abstract candidate data that is too low in value may be removed from the order based on the value of the abstract candidate data. For example, the abstract candidate data whose value order is lower than a predetermined ratio compared to the total number of candidate patterns, such as an order of higher value, the order after the predetermined number, or an order whose value is lower than half of the total number, may be excluded. Further, the abstraction candidate data whose value is less than a predetermined ratio with respect to the value of the target data may be excluded. This reduces the number of tests and shortens the processing time.

In accordance with the order of this test, the anonymization device 50 tests the anonymity of the abstraction candidate data (step S280). For example, in order to test k-anonymity, the number (existence number) of combinations of values of different items associated with one individual is present in the abstraction candidate data. Alternatively, in order to test 1 diversity, the number (existence number) in which the combination of values of the same item associated with one individual exists in the abstraction candidate data is obtained. Then, the smallest of the existence numbers is obtained as the minimum number of appearances (k value / l value) (step S290), and it is determined whether or not the minimum number of appearances exceeds 1 (step S300). That is, if the k value exceeds 1, k-anonymity is satisfied, and if it is 1, k-anonymity is not satisfied. Similarly, if the l value exceeds 1, l-diversity is satisfied, and if l value is 1, l-diversity is not satisfied.

  When the minimum appearance number (k value / l value) does not exceed 1 (step S300, No), the anonymization device 50 further abstracts the value of at least one item of the abstraction candidate data, that is, Replacement with the abstracted word (step S310), the process returns to step S280.

  On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S300, Yes), the anonymization device 50 calculates the difference between the value of the abstraction candidate data and the value of the original target data. Obtaining (step S320), this difference, a value based on this difference, for example, the ratio of the difference to the value of the target data, and the ratio of the value of the abstraction candidate data to the value of the target data are determined as the value of the abstraction candidate data. (Step S330).

  Further, the anonymization device 50 determines whether there is a candidate pattern that has not been verified (step S340). If there is a candidate pattern that has not been verified (step S340, Yes), the anonymization device 50 follows the order determined in step S270. Next, the abstraction candidate data in the next order is specified (step S350), and the process returns to step S280 to test the next abstraction candidate data.

  Thus, when the test is repeated for the abstraction candidate data of each pattern and the next candidate pattern disappears (step S340, No), the anonymization device 50, based on the value of each abstraction candidate data in step S320, The abstraction candidate data to be adopted is selected (step S360), the selected abstraction candidate data is transmitted to the management server 20 as anonymous information (step S370), and the process of FIG. 38 is terminated.

  In the selection of the abstraction candidate data, for example, the abstraction candidate data having the highest value among all candidate patterns is selected. The anonymization device 50 outputs a plurality of abstraction candidate data in descending order of value from all candidate patterns, and the abstraction candidate data that the operator thinks is appropriate from the output abstraction candidate data May be selected, and the specified abstraction candidate data may be selected.

§4. Specific Example of Anonymous Information Next, a specific example of anonymous information will be described with reference to FIGS. 39 and 40. FIG. 39 is a diagram showing an example of anonymization in company A, FIG. 39A shows personal information collected by company A, and FIG. 39B shows personal information in FIG. The figure which shows the example of the anonymous information at the time of anonymizing with an original anonymization dictionary, FIG.39 (c) is an example of the anonymous information at the time of anonymizing the personal information of FIG.39 (a) with an integrated anonymization dictionary. FIG.

  When the anonymization device 50 of company A anonymizes the personal information of FIG. 39 (a) with its own anonymization dictionary, as shown in FIG. 39 (b), the items of name and email address are deleted, and the age In the ages, the company is abstracted as a listed company or unlisted company, and the title is abstracted into a managerial position, employee, or part-time job.

On the other hand, when the anonymization device 50 of company A anonymizes the personal information in FIG. 39 (a) with the integrated anonymization dictionary, as shown in FIG. 39 (c), the name and e-mail address items are displayed. Delete, abstract age to age, affiliated company to listed or unlisted company, and affiliated company to industry. In addition, when the integrated anonymization dictionary is used, company A's anonymization device 50 abstracts the title of the product to the manager or staff, the product that shows interest to the slip software or server, and adds an item for the visit booth. Then, a value “Company A” indicating that it is data of a person who visited Company A is input.

  On the other hand, FIG. 40 is a diagram showing an example of anonymization in company B, FIG. 40A shows personal information collected by company B, and FIG. 40B shows personal information in FIG. The figure which shows the example of the anonymized information at the time of anonymizing with B company original anonymization dictionary, FIG.40 (c) is anonymity information at the time of anonymizing the personal information of Fig.40 (a) with an integrated anonymization dictionary. It is a figure which shows an example.

  When the anonymization device 50 of company B anonymizes the personal information of FIG. 40 (a) with its own anonymization dictionary, as shown in FIG. 40 (b), the items of name and email address are deleted, and the age In the ages, the company is abstracted into the type of business, and the job type is abstracted into development and general affairs.

  On the other hand, when the anonymization device 50 of company B anonymizes the personal information of FIG. 40 (a) with the integrated anonymization dictionary, as shown in FIG. 40 (c), the name and e-mail address items are displayed. Delete, abstract age to age, affiliated company to listed or unlisted company, and affiliated company to industry. In addition, when the anonymization device 50 of Company B uses an integrated anonymization dictionary, it abstracts the type of job into technical jobs and office work, abstracts products that show interest into accounting software and servers, and adds a visit booth item. Then, a value “Company B” indicating that it is data of a person who visited Company B is input.

  As described above, the anonymization device 50 of each business operator abstracts the items of the affiliated company in a plurality of dimensions based on the integrated anonymization dictionary. As mentioned above, the integrated anonymization dictionary uses a high-priority dimension, so it is possible to perform abstraction that is useful for each operator by abstracting the dimension that exists in this integrated anonymization dictionary. it can.

  In addition, by integrating the anonymization dictionary as described above, the correspondence relationship of words at the time of abstraction is reorganized, and unique items such as the positions of company A and company B are also abstracted in a common dimension. Therefore, it can be compared with data from other companies that have similar items.

§5. Advantages of the Embodiment As described above, according to the second embodiment, personal information within the target period specified by the user is anonymized as the target data, so abstraction for anonymizing according to the length of the target period It is possible to perform appropriate anonymization processing based on the target period and the value after abstraction by varying the degree of conversion. Moreover, each provider can use this anonymous information centrally by anonymizing using the common integrated anonymization dictionary which integrated the anonymization dictionary by the anonymization apparatus of a some provider.

  In particular, even if the level of abstraction of anonymized words by each business operator is different, since a common anonymization dictionary is used, the level of abstraction can be set and used for tabulation and the like, which is highly convenient.

  Moreover, the anonymous information anonymized by the integrated anonymization dictionary integrated with the anonymization dictionary used by each company, that is, the anonymous information registered in the common DB 233 is the anonymization used by each company. Since the information is reflected, it is possible to know the trends of other companies from the anonymous information of the common DB 233. For example, in the case of a dimension commonly used in each company's anonymization dictionary, when creating an integrated anonymization dictionary, the words and stages belonging to that dimension are gathered from each company's anonymization dictionary. The priority increases and the dimension is adopted in the integrated anonymization dictionary. For this reason, it turns out that the anonymous information anonymized by the dimension employ | adopted by the integrated anonymization dictionary is information with high utilization in each provider.

Moreover, the opportunity for starting a predetermined | prescribed process based on the whole anonymous information including the anonymous information of another provider can be provided by delivering on the occasion that anonymous information satisfy | filled the predetermined condition. For example, based on anonymous information collected by multiple business operators, appropriately performing processing related to the entire multiple business operators participating in the exhibition, such as conducting campaigns and changing the content displayed on digital signage Can do.

§7. Modification In the above example, an example of anonymization of personal information in an exhibition has been shown. However, the anonymization system 100 of the second embodiment is anonymization of personal information collected at each store in a shopping mall or a shopping street. You may apply to.

  FIG. 41 is a diagram illustrating an example of anonymization of personal information collected at each store of a shopping mall. In the example of FIG. 41, the anonymization devices 50 of the stores (business operators) D to F that open in the same shopping mall anonymize the personal information and register them in the common DB of the management server 20. 41, the method for creating an integrated anonymization dictionary, the anonymization method using the integrated anonymization dictionary, and the distribution method are the same as those in the second embodiment.

  The store D is a restaurant, and registers the customer's email address, gender, and age in advance in the storage unit, and accepts reservations by email and sends email coupons. When the customer presents a reservation email or email coupon when visiting the store, the anonymization device 50 acquires the customer ID or email address from this email, reads the corresponding customer information from the storage unit, and stores the visitor information. Is stored in the storage unit. In order to obtain the customer ID and email address, for example, a two-dimensional barcode is included in the email, and the two-dimensional barcode is read by a reader and transmitted to the anonymization device 50. Further, the person in charge of the store may listen to the customer ID and email address and input them to the anonymization device 50. In addition to the customer information, the number of customers (number of adults, number of children), purchased products, amount of money, etc. may be input to the store visitor information.

  In FIG. 41, D1 represents personal information acquired by the store D, and D2 represents anonymous information obtained by anonymizing the personal information of D1 with the integrated anonymization dictionary. As shown in FIG. 41, the anonymous information D2 has an age, sex, purchased product, and purchase price.

  Store E is a cleaning store, distributes stamp cards to customers, presses stamps according to the cleaning fee, and provides prizes when 10 stamps are collected. When providing the prize, information such as the sex and age of the customer is heard and input to the anonymization device 50. It is to be noted that the anonymization device 50 is used not only when providing a free gift but also when the customer's name, sex, and age are registered in the storage unit when the stamp card is distributed and the customer presents the stamp card when visiting the store. Acquires the customer ID and name, reads the corresponding customer information from the storage unit, and stores it in the storage unit as store visitor information. In order to obtain the customer ID and name, for example, a two-dimensional barcode is attached to a stamp card, and the two-dimensional barcode is read by a reader and transmitted to the anonymization device 50. Further, the person in charge of the store may listen to the customer ID and name and input them to the anonymization device 50. In addition to the customer information, the number of customers (number of adults, number of children), the type of cleaning, the amount of money, and the like may be input as the visitor information.

  In FIG. 41, E1 indicates personal information acquired by the store E, and E2 indicates anonymous information obtained by anonymizing the personal information of E1 with the integrated anonymization dictionary.

The store F is a supermarket, and the customer's e-mail address, name, gender, and age are registered in the storage unit in advance, and a membership card is distributed to the customer. When the customer presents the membership card at the time of payment, the price is discounted by 5%. At this time, the anonymization device 50 acquires the customer ID and name from the membership card, reads the corresponding customer information from the storage unit, and visits the store. Stored in the storage unit as person information. In order to acquire the customer ID and name, for example, a two-dimensional barcode or RFID tag is attached to the membership card, and the two-dimensional barcode or RFID tag is read by a reader and transmitted to the anonymization device 50. . Further, in addition to the customer information, whether or not to bring a child, a purchased product, an amount of money, and the like may be input to the store visitor information.

  In FIG. 41, F1 indicates personal information acquired by the store F, and F2 indicates anonymous information obtained by anonymizing the personal information of F1 using the integrated anonymization dictionary.

  As described above, even in the shopping mall, personal information collected by a plurality of stores is anonymized using a common integrated anonymization dictionary, and the anonymous information is registered in the common DB 233 so that the anonymous information is unified. Can be used.

  For example, if the number of female customers increases as a result of a campaign that preferentially treats women at certain stores, the increase in female customers can be known from the anonymous information in the common DB at other stores, and a menu for women It can be used for marketing to increase the synergistic effect.

  In addition, when the proportion of customers with children is equal to or greater than a predetermined value, processing related to the entire shopping mall can be appropriately performed, such as changing the content displayed on the digital signage for children.

  On the other hand, FIG. 42 is a figure which shows the example which anonymizes the positional information (personal information) of a navigation system. In the example of FIG. 42, the position information is transmitted from the navigation system 61 of each vehicle to the anonymization device 50 of the business operators G to I, and the anonymization devices 50 of the business operators G to I anonymize the personal information, respectively. Register in the common DB of the management server 20. 42, the method for creating an integrated anonymization dictionary, the anonymization method using the integrated anonymization dictionary, and the distribution method are the same as those in the second embodiment.

  The operator G assigns an ID to each driver in advance, and registers the driver's e-mail address, gender, age, and the like together with the driver ID in the storage unit as driver information. And the navigation system 61 mounted in the vehicle periodically transmits the position information of the vehicle to the anonymization device 50 of the operator G together with the driver ID.

  The anonymization device 50 that has received the location information and the driver ID reads out the driver information corresponding to the driver ID from the storage unit and stores it together with the location information. And the anonymization apparatus 50 anonymizes this positional information and driver information using an integrated anonymization dictionary. 42, G1 indicates personal information acquired by the operator G, and G2 indicates anonymous information obtained by anonymizing the personal information of G1 using the integrated anonymization dictionary. In the example of FIG. 42, the position information is abstracted into mesh codes and administrative districts based on the integrated anonymization dictionary. For example, when latitude and longitude are received as the vehicle position information from the navigation system 61, it is abstracted into a mesh code of a standard area mesh including the point indicated by the latitude and longitude, or an administrative district including the point. In FIG. 42, anonymous information D2 has an age, sex, mesh code, and administrative district.

  As with the business operator G, the operator information is registered in advance for the business operators H and I, and when the location information and the driver ID are received from the navigation system 61 of each vehicle, the anonymization device 50 operates the driver. The driver information corresponding to the driver ID is read from the storage unit and stored together with the position information. And the anonymization apparatus 50 anonymizes this positional information and driver information using an integrated anonymization dictionary. In FIG. 42, H1 indicates personal information acquired by the operator H, and H2 indicates anonymous information obtained by anonymizing the personal information of H1 with the integrated anonymization dictionary. Moreover, I1 shows the personal information which the provider I acquired, and I2 shows the anonymous information which anonymized the personal information of I1 by the integrated anonymization dictionary.

  As described above, the position information of the vehicle is also made anonymous by using the common integrated anonymization dictionary for the position information collected by a plurality of business operators, and the anonymous information is registered in the common DB 233. Can be used centrally.

<Embodiment 3>
In the second embodiment described above, an example has been shown in which a plurality of business operators have acquired personal information and anonymized, but the present invention is not limited to this, and the organizer of the exhibition accumulates the personal information in the storage unit. And the structure which anonymizes using an integrated anonymization dictionary may be sufficient. The third embodiment is different from the second embodiment in the configuration in which the personal information is anonymized by the apparatus on the organizer side, and the other configurations are the same. For this reason, configurations different from those of the first and second embodiments will be mainly described, and the same elements will be denoted by the same reference numerals and the description thereof will be omitted.

  FIG. 43 is a functional block diagram of the anonymization system 300 according to the third embodiment. The anonymization system 300 is a system that anonymizes personal information collected from visitors by each company in an exhibition where a plurality of companies exhibit, and creates an integrated anonymization dictionary and anonymization of personal information Distribute anonymous information.

  In the third embodiment, the personal information acquired by each operator is transmitted from the operator terminal 30 to the anonymization system 300, and the personal information acquired by the anonymization system 300 is collectively stored in the storage unit. . That is, the organizer shares the personal information with each business operator who acquired the personal information, and provides the personal information anonymously to other business operators. For example, when providing personal information acquired by the business operator A to other business operators including the business operators B and C, the personal information is made anonymous.

  As shown in FIG. 43, the anonymization system 300 includes a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, an anonymous information control unit 206, a dimension selection unit 207, a distribution unit 209, a data acquisition unit 101, and an abstraction. Conversion unit 102, verification unit 103, selection unit 104, anonymous information registration unit 106, value data acquisition unit 107, word category analysis unit 108, word value calculation unit 109, setting information registration unit 121, period acquisition unit 122, prediction unit 123 , A search information storage DB 145, a setting information DB 146, a dictionary DB 231, a priority DB 232, a common DB 233, and a personal information DB 234. That is, the anonymization system 300 according to the third embodiment is a dictionary creation device that includes a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, and a dimension selection unit 207, and includes an abstraction unit 102, a test unit 103, It is also an anonymization apparatus provided with the anonymous information control part 206. FIG.

  In order to anonymize the word included in the target data by replacing the word included in the target data with the dictionary acquisition unit 201, the dictionary acquisition unit 201 stores a plurality of anonymization dictionaries storing the word and the abstracted word in association with each operator. Obtained from the operator terminal 30. In this embodiment, the dictionary acquisition part 201 receives the anonymization dictionary transmitted from the provider terminal 30 of each provider and registers it in the dictionary DB 231.

  The integration unit 202 integrates a plurality of anonymization dictionaries acquired from the operator terminal 30 of each operator, creates an integrated anonymization dictionary, and stores it in the dictionary DB 231.

  The priority determination unit 203 determines a priority for each dimension constituting the integrated anonymization dictionary based on words included in the dimension. For example, the priority determination unit 203 sets at least one of the number of words included in each dimension, the number of stages having a higher and lower relationship for the words included in each dimension, and the value of the word included in each dimension. Based on the priority, the priority is determined. For example, the priority DB 232 stores a predetermined value for the word, and the priority determination unit 203 refers to the priority DB 232 to determine the priority.

  The dimension selection unit 207 selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions generated by the integration unit 202 based on the priority.

  The data acquisition unit 101 acquires personal information from the operator terminal 30 and stores it in the personal information DB 234. Moreover, the data acquisition part 101 reads the thing applicable to an object period among object information of this personal information DB234 as an object data in the case of anonymization.

  The abstraction unit 102 reads the personal information from the storage unit as target data, and refers to the integrated anonymization dictionary and replaces the word that is the value of the item in the target data with the word abstracted based on the priority. To generate anonymization candidate data.

  The test unit 103 performs test on the condition that the combination of the item values of the abstraction candidate data is not limited to one individual of the target data. For example, the test | inspection part 103 tests on condition that the combination of the value of the item of abstraction candidate data satisfy | fills k-anonymity or l-diversity.

  The anonymous information control unit 206 controls an anonymous information output process and the like. For example, the anonymous information control unit 206 registers the abstraction candidate data satisfying the test condition as anonymous information in the common DB 233, that is, stores the abstract candidate data in the common DB 233. Moreover, when the anonymous information control part 206 receives the acquisition request of anonymous information from information processing apparatuses, such as the provider terminal 30, it distributes applicable anonymous information to the information processing apparatus of the request source. In the third embodiment, the anonymous information control unit 206 is a form of an output unit.

  Further, as shown in FIG. 43, the provider terminal 30 includes a data input unit 311, an anonymous information acquisition unit 312, and a setting information transmission unit 313.

The data input unit 311 acquires data including a plurality of items associated with an individual, that is, personal information. For example, a questionnaire written by a visitor and personal information heard from the visitor are input from a keyboard or the like and transmitted to the anonymization system 300. In addition, the data input unit 31 reads items described in a visitor's business card or questionnaire and obtains it as electronic data by OCR (Optical Character Recognition), or from the visitor's RF-ID tag or IC chip. May be acquired and transmitted to the anonymization system 300.

  The anonymous information acquisition unit 312 acquires anonymous information from the anonymization system 300 and performs output such as display on a display unit or storage in a storage unit.

  The setting information transmission unit 313 transmits setting information such as a target period and distribution conditions input by the user to the anonymization system 300.

  FIG. 44 is a diagram illustrating a hardware configuration of the anonymization system 300. The management server 20 is a so-called computer having a CPU 21, a memory 22, a communication control unit 23, a storage device 24, and an input / output interface 25.

  The CPU 21 executes the program expanded in the memory 22 so as to be executable, and the above-described dictionary acquisition unit 201, integration unit 202, priority determination unit 203, anonymous information control unit 206, dimension selection unit 207, distribution unit 209, Data acquisition unit 101, abstraction unit 102, test unit 103, selection unit 104, anonymous information registration unit 106, value data acquisition unit 107, word category analysis unit 108, word value calculation unit 109, setting information registration unit 121, period acquisition The functions of the unit 122 and the prediction unit 123 are provided.

The memory 22 can also be called a main storage device. The memory 22 stores, for example, a program executed by the CPU 21, data received via the communication control unit 23, data read from the storage device 24, other data, and the like.

  The communication control unit 23 is connected to another device via a network and controls communication with the device. The input / output interface 25 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device.

  The storage device 24 stores information such as programs, personal information, and setting information. Further, the storage device 24 exchanges data with the drive device and the memory 22. In the third embodiment, the storage device 24 stores the aforementioned dictionary DB 231, priority DB 232, common DB 233, personal information DB 234, search information accumulation DB 145, and setting information DB 146.

  FIG. 45 is a diagram illustrating a hardware configuration of the business entity terminal 30. The business entity terminal 30 is a so-called computer having a CPU 31, a memory 32, a communication control unit 33, a storage device 34, and an input / output interface 35.

  The CPU 31 executes the program expanded in the memory 32 and provides the functions of the data input unit 311, the anonymous information acquisition unit 312, and the setting information transmission unit 313.

  The memory 32 can also be called a main storage device. The memory 32 stores, for example, a program executed by the CPU 31, data received via the communication control unit 33, data read from the storage device 34, other data, and the like.

  The communication control unit 33 is connected to another device via a network and controls communication with the device. The input / output interface 35 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray Disc. The drive device reads the program from the removable storage medium and stores it in the storage device 34.

The storage device 34 can also be called an external storage device. The storage device 34 may be an SSD (Solid State Drive), HDD, or the like. The storage device 34 exchanges data with the drive device. For example, the storage device 34 stores an information processing program installed from the drive device.

  Next, the anonymization method according to the third embodiment will be described. The anonymization system 300 periodically starts the accumulation process shown in FIG. 9 and confirms whether or not personal information is received from the operator terminal 30 (step S1010). Here, if the anonymization system 300 has not received personal information (step S1010, No), the process of FIG. 9 is terminated, and if personal information has been received (step S1010, Yes), the received personal information has been received. Is registered in the personal information DB 234 (step S1020), and the accumulation process is terminated. In this way, the anonymization system 300 repeatedly executes the accumulation process of FIG. 9 and registers the personal information received from the terminal 30 of each business operator in the personal information DB 234 as needed.

  Moreover, the anonymization system 300 starts the process shown in FIG. 10 periodically, and first reads the setting information of each user from the setting information DB 146 (step S1030).

Next, the anonymization system 300 determines whether there is a target period in which the read setting information is not processed (step S1035). If there is no unprocessed target period (step S1035, No), the anonymization system 300 ends the process of FIG. 10, and if there is an unprocessed target period (step S1035, Yes), it corresponds to the target period. It is determined whether or not the attached distribution information is prediction information, that is, whether or not the distribution pattern associated with the target period is 2 (step S1040). When it determines with the delivery pattern 2 here (step S1040, Yes), the anonymization system 300 calculates | requires the personal information of a target period as object data, performs a prediction process based on this object data etc., and calculates | requires a prediction result ( Step S1045).

  The personal information corresponding to the target period is read out from the personal information DB 234 as the target information (step S1040). And the anonymization system 300 anonymizes prediction information and object data (step S1050). For example, when the prediction information includes personal information (target data), the personal information included in the prediction information is anonymized. Moreover, when delivering with prediction information, the object data made into the object of prediction are anonymized.

  On the other hand, when it determines with it not being the delivery pattern 2 by step S1040 (step S1040, No), anonymization of object data is performed without performing a prediction process (step S1050). Details of the anonymization process will be described later.

  After anonymization, the anonymization system 300 determines whether or not the current time corresponds to the distribution timing determined for each predetermined period, that is, whether or not it is the distribution timing of distribution patterns 1 and 2 (step S1055). When it corresponds to the delivery timing for every predetermined period (step S1055, Yes), the anonymization system 300 delivers delivery information to a delivery destination (step S1060). For example, in the case of distribution pattern 1, the anonymization system 300 distributes rank and anonymous information as distribution information, and in the case of distribution pattern 2, it distributes prediction information and anonymous information.

  If it is determined in step S1055 that it is not the distribution timing of distribution patterns 1 and 2 (step S1055, No), the anonymization system 300 determines whether or not it is a distribution timing using history information, that is, distribution patterns 4-6. It is determined whether or not (step S1065). Here, when the anonymization system 300 determines that the distribution patterns are not 4 to 6 (No at Step S1065), the process of FIG. 10 is terminated, and when it is determined that the distribution patterns are 4 to 6 (Step S1065). (S1065, Yes), the history information (past anonymous information) is read from the common DB 233 (step S1070), and compared with the anonymous information, it is determined whether the delivery condition is satisfied (step S1075).

  If the distribution condition is not satisfied (step S1075, No), the anonymization system 300 terminates the process of FIG. 10, and if the distribution condition is satisfied (step S1075, Yes), the notification, ranking, and anonymous information are distributed. Distribute as information (step S1080).

  Further, the anonymization system 300 periodically activates the real-time distribution process shown in FIG. 11, and first reads the setting information of each user from the setting information DB 146 (step S1082). Next, the anonymization system 300 determines whether or not predetermined information for performing real-time distribution has been acquired (step S1085).

  When the anonymization system 300 has not acquired the predetermined information (step S1085, No), the process of FIG. 11 is terminated, and when the predetermined information is acquired (step S1085, Yes), the target data is anonymized. (Step S1090).

  After anonymization, the anonymization system 300 delivers anonymous information to the delivery destination terminal 30 in real time (step S1095).

Next, the anonymization process in step S1050 will be described with reference to FIG. The anonymization system 300 of the third embodiment receives the anonymization dictionary of each operator from the operator terminal 30 of each operator and creates an integrated anonymization dictionary. This integration processing is illustrated in FIG. Since the process is the same as that in FIG.

  In the anonymization system 300, the anonymization device 50 reads out and acquires personal information corresponding to the target period determined as unprocessed in step S1035 from the personal information DB 131 (step S610), and values are obtained for each word in the target data. It is determined whether or not the data exists in the search information storage DB 142 (step S620). The anonymization system 300 moves to step S630 when the value data of all words exist in the search information storage DB 142 (step S620, Yes), and when there is insufficient value data (step S620, No), Word value data is obtained from an external device, in this example, a search engine (step S640). And the anonymization system 300 acquires the value information of the word which exists in search information storage DB142 from search information storage DB142 (step S630).

  Further, the anonymization system 300 creates abstraction candidate data by replacing each item of the target data with an abstracted word (category) in order to satisfy anonymity (step S650). When there are a plurality of items that can be abstracted, all patterns are created when each item is abstracted and when it is not abstracted.

  Next, the anonymization system 300 calculates the value of the abstraction candidate data of each pattern based on the value data of each word included in the abstraction candidate data (step S660), and based on the value of this abstraction candidate data. The order of testing is determined (step S670).

  In accordance with the order of this test, the anonymization system 300 tests the anonymity of the abstraction candidate data (step S680). For example, in order to test k-anonymity, the number (existence number) of combinations of values of different items associated with one individual is present in the abstraction candidate data. Alternatively, in order to test 1 diversity, the number (existence number) in which the combination of values of the same item associated with one individual exists in the abstraction candidate data is obtained. Then, the smallest of the existence numbers is obtained as the minimum number of appearances (k value / l value) (step S690), and it is determined whether or not the minimum number of appearances exceeds 1 (step S700). That is, if the k value exceeds 1, k-anonymity is satisfied, and if it is 1, k-anonymity is not satisfied. Similarly, if the l value exceeds 1, l-diversity is satisfied, and if l value is 1, l-diversity is not satisfied.

  When the minimum appearance number (k value / l value) does not exceed 1 (step S700, No), the anonymization system 300 further abstracts the value of at least one item of the abstraction candidate data, that is, Replace with the abstracted word (step S710), and the process returns to step S680.

  On the other hand, when the minimum number of appearances (k value / l value) exceeds 1 (step S700, Yes), the anonymization system 300 calculates the difference between the value of the abstract candidate data and the value of the original target data. Determination (step S720), and the difference, a value based on the difference, for example, the ratio of the difference to the value of the target data, and the ratio of the value of the abstract candidate data to the value of the target data are determined as the value of the abstract candidate data. (Step S730).

  Further, the anonymization system 300 determines whether there is a candidate pattern that has not been verified (step S740). If there is a candidate pattern that has not been verified (step S740, Yes), the anonymization system 300 follows the order determined in step S670. Next, the abstraction candidate data in the next order is specified (step S750), and the process returns to step S680 to test the next abstraction candidate data.

  As described above, when the test is repeated for the abstraction candidate data of each pattern and the next candidate pattern is lost (No in step S740), the anonymization system 300, based on the value of each abstraction candidate data in step S720, Abstraction candidate data to be adopted is selected (step S760), and the selected abstraction candidate data is registered in the common DB 233 as anonymous information (step S770).

  As described above, according to the third embodiment, personal information within the target period designated by the user is anonymized as target data, and therefore the degree of abstraction for anonymization according to the length of the target period is set. Differently, appropriate anonymization processing based on the target period and the value after abstraction can be performed. Moreover, the anonymization system 300 can provide anonymous information suitable for each business operator by performing anonymization using an integrated anonymization dictionary obtained by integrating anonymization dictionaries of a plurality of business operators.

  Moreover, the opportunity for starting a predetermined | prescribed process based on the whole anonymous information including the anonymous information of another provider can be provided by delivering on the occasion that anonymous information satisfy | filled the predetermined condition.

<Embodiment 4>
In the second embodiment described above, a configuration has been described in which a plurality of business operators are each provided with an anonymization device, and an exhibition organizer is provided with a management server (dictionary creation device). The structure provided with the anonymization system containing a dictionary creation apparatus and an anonymization apparatus may be sufficient. Compared with the above-described second embodiment, the fourth embodiment is different in the configuration in which each operator includes the anonymization system 400, and the other configurations are the same. For this reason, configurations different from those of the first and second embodiments will be mainly described, and the same elements will be denoted by the same reference numerals and the description thereof will be omitted.

  As shown in FIG. 47, the anonymization system 400 includes a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, an anonymous information control unit 206, a dimension selection unit 207, a distribution unit 209, a data acquisition unit 101, an abstraction unit. Conversion unit 102, verification unit 103, selection unit 104, anonymous information registration unit 106, value data acquisition unit 107, word category analysis unit 108, word value calculation unit 109, setting information registration unit 121, period acquisition unit 122, prediction unit 123 , A search information storage DB 145, a setting information DB 146, a dictionary DB 231, a priority DB 232, a common DB 233, and a personal information DB 234. That is, the anonymization system 400 according to the fourth embodiment is a dictionary creation device that includes a dictionary acquisition unit 201, an integration unit 202, a priority determination unit 203, and a dimension selection unit 207, as well as a data acquisition unit 101, an abstraction unit, and the like. It is also an anonymization apparatus provided with the part 102, the test | inspection part 103, and the output control part 110.

  The dictionary acquisition unit 201 anonymizes the words included in the target data by replacing the abstracted words with each other, and thus stores a plurality of anonymized dictionaries storing the words and the abstracted words in association with each other. From the anonymization system 400. In this Embodiment 4, the dictionary acquisition part 201 receives the anonymization dictionary transmitted from the anonymization system 400 of another provider, and registers it in dictionary DB231.

  The integration unit 202 integrates the anonymization dictionary acquired from each company's anonymization device 50 and its own anonymization dictionary to create an integrated anonymization dictionary.

  The priority determination unit 203 determines a priority for each dimension constituting the integrated anonymization dictionary based on words included in the dimension.

  The dimension selection unit 207 selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions generated by the integration unit 202 based on the priority.

The dictionary management unit 204 manages the integrated anonymization dictionary created by the integration unit 202. For example, the dictionary management unit 204 reads out the integrated anonymization dictionary from the dictionary DB 231 and transmits it to the anonymization system 400 of another business operator.

  The anonymous information control unit 206 controls an anonymous information output process and the like. For example, the anonymous information is transmitted to the anonymization system 400 of another business. In the fourth embodiment, the anonymous information control unit 206 is a form of an output unit.

  The data acquisition unit 101 acquires data including a plurality of items associated with an individual, that is, personal information as target data.

  The abstraction unit 102 refers to the integrated anonymization dictionary including the dimensions, and generates anonymization candidate data by replacing words that are values of items in the target data with words abstracted based on the priority. .

  The test unit 103 performs test on the condition that the combination of the item values of the abstraction candidate data is not limited to one individual of the target data.

  FIG. 48 is a diagram illustrating a hardware configuration of the anonymization system 400. The anonymization system 400 is a so-called computer having a CPU 21, a memory 22, a communication control unit 23, a storage device 24, and an input / output interface 25.

  The CPU 21 executes the program expanded in the memory 22 so as to be executable, and the above-described dictionary acquisition unit 201, integration unit 202, priority determination unit 203, anonymous information control unit 206, dimension selection unit 207, distribution unit 209, Data acquisition unit 101, abstraction unit 102, test unit 103, selection unit 104, anonymous information registration unit 106, value data acquisition unit 107, word category analysis unit 108, word value calculation unit 109, setting information registration unit 121, period acquisition The functions of the unit 122 and the prediction unit 123 are provided.

  In the anonymization system 400 of this Embodiment 4, an anonymization dictionary is handed over to the operator who exchanges anonymous information, an integrated anonymization dictionary is created, and the personal information of the company is anonymized by the integrated anonymization dictionary, and other operators To provide.

  Note that the process of creating the integrated anonymization dictionary and the process of anonymization using the integrated anonymization dictionary are the same as in the above-described embodiment.

  Thus, by providing each company with the anonymization system 400, anonymity information can be exchanged between companies even if there is no such thing as organizing a plurality of companies like an exhibition organizer.

  Thereby, the personal information of each customer can be anonymized and exchanged between a plurality of business operators, and can be used for business tie-ups and marketing analysis.

<Others>
The present invention is not limited to the illustrated examples described above, and various modifications can be made without departing from the scope of the present invention.

1 CPU
2 memory 4 storage device 5 input / output interface 10 anonymization system 19 value calculation unit 20 management server 22 memory 23 communication control unit 24 storage device 25 input / output interface 30 terminal 31 data input unit 32 memory 33 communication control unit 34 storage device 35 input Output interface 50 Anonymization device 52 Memory 53 Communication control unit 54 Storage device 55 Input / output interface 61 Navigation system 70 Search engine 71 Data output unit 72 Search word storage DB
73 Search advertisement distribution DB
DESCRIPTION OF SYMBOLS 100 Anonymization system 101 Data acquisition part 102 Abstraction part 103 Test part 104 Selection part 105 Value determination part 106 Anonymous information registration part 107 Value data acquisition part 108 Word category analysis part 109 Word value calculation part 110 Output control part 120 Data output part 121 Setting Information Registration Unit 122 Period Acquisition Unit 123 Prediction Unit 131 Personal Information DB
142 Search information storage DB
144 Anonymization DB
145 Search information storage DB
146 Setting information DB
231 Dictionary DB
232 Priority DB
233 common DB
234 Personal Information DB
236 Setting information DB
201 Dictionary acquisition unit 202 Integration unit 203 Priority determination unit 204 Dictionary management unit 205 Anonymous information registration unit 206 Anonymous information control unit 207 Dimension selection unit 208 Setting information management unit 209 Distribution unit 300 Anonymization system 311 Data input unit 312 Anonymous information acquisition Unit 313 setting information transmission unit 400 anonymization system

Claims (4)

A period acquisition unit for acquiring a period for anonymization;
Of the target data including a plurality of items associated with individuals, a data acquisition unit that acquires target data corresponding to the period;
An abstraction unit that generates abstraction candidate data by replacing a word that is a value of an item in the target data with an abstracted word;
A value determination unit that receives the value of the word included in the abstraction candidate data and obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition;
The abstraction candidate data selected based on the value is anonymous information, the timing of distributing the anonymous information, the prediction information based on the target data, the degree of deviation from the reference in the anonymous information, the attribute value in the anonymous information An anonymization system provided with the output part which outputs the said anonymous information, when the appearance number, the appearance rate of the attribute value in the said anonymous information, or the order | rank of the said anonymous information satisfy | fills the conditions set by the user . A period acquisition unit for acquiring a period for anonymization;
Of the target data including a plurality of items associated with individuals, a data acquisition unit that acquires target data corresponding to the period;
An abstraction unit that generates abstraction candidate data by replacing a word that is a value of an item in the target data with an abstracted word;
A value determination unit that receives the value of the word included in the abstraction candidate data and obtains the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
A test unit that tests on condition that a combination of values of items of the abstraction candidate data is not limited to one individual of the target data;
A selection unit that selects the abstraction candidate data based on the value of the abstraction candidate data that satisfies the test condition;
An output unit that outputs the abstraction candidate data selected based on the value as anonymous information;
In order to anonymize the word included in the target data instead of the abstracted word, a dictionary acquiring unit that acquires a plurality of anonymized dictionaries in which the word and the abstracted word are stored in association with each other;
Based on the correspondence of each word included in the plurality of anonymization dictionaries, the abstracted word is higher and the word before abstraction is lower, each word included in the plurality of anonymization dictionaries, Corresponds to upper and lower words that exist in the anonymization dictionary, and associates the highest word that does not have a corresponding higher word as a root to the lowest word that does not have a corresponding lower word in a tree shape The tree-like correspondence is set as one dimension, the dimension is obtained for each of the plurality of top words included in the plurality of anonymization dictionaries, and the plurality of dimensions obtained for each top word are determined. An integration part to be an integrated anonymization dictionary;
For each of the dimensions, a priority determination unit that determines the priority based on words included in the dimension;
A dimension selection unit that selects a dimension to be adopted as the integrated anonymization dictionary and a dimension not to be adopted among the plurality of dimensions based on the priority;
The anonymization system, wherein the abstraction unit refers to the integrated anonymization dictionary and generates anonymization candidate data by replacing the word that is the value of the item in the target data with an abstracted word. Obtaining a period for which anonymization is performed;
Of the target data including a plurality of items associated with an individual, obtaining target data corresponding to the period; and
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of the abstraction candidate data satisfying the test condition;
The abstraction candidate data selected based on the value is anonymous information, the timing of distributing the anonymous information, the prediction information based on the target data, the degree of deviation from the reference in the anonymous information, the attribute value in the anonymous information When the number of appearances, the appearance rate of attribute values in the anonymous information, or the rank of the anonymous information satisfies the conditions set by the user, the step of outputting the anonymous information ;
Anonymization method that the computer performs. Obtaining a period for which anonymization is performed;
Of the target data including a plurality of items associated with an individual, obtaining target data corresponding to the period; and
Generating abstract candidate data by replacing words that are values of items in the target data with abstract words;
Receiving the value of the word included in the abstraction candidate data, and determining the value of the abstraction candidate data based on the value of the word included in the abstraction candidate data;
Testing a condition that a combination of values of the abstraction candidate data items is not limited to one individual of the target data;
Selecting abstraction candidate data based on the value of the abstraction candidate data satisfying the test condition;
The abstraction candidate data selected based on the value is anonymous information, the timing of distributing the anonymous information, the prediction information based on the target data, the degree of deviation from the reference in the anonymous information, the attribute value in the anonymous information When the number of appearances, the appearance rate of attribute values in the anonymous information, or the rank of the anonymous information satisfies the conditions set by the user, the step of outputting the anonymous information ;
Anonymization program to make computer run.

Images