JP6339403B2 - Information processing apparatus, information processing method, and information processing program - Google Patents

Description

  The present invention relates to information processing technology for anonymizing or diversifying personal information.

  With the development of information processing technology, information is collected in many everyday situations, and processing using the collected information is performed. For example, when a consumer purchases a product as a member of a store, the consumer's name, age, gender, address, e-mail address, etc. are often registered at the time of membership registration. When a consumer purchases a product, the store-side system records the consumer and the purchased product information in association with each other. By accumulating and analyzing information on purchased products in this way, it is possible to estimate the consumer's preferences and perform a service such as sending a direct mail when a new product preferred by the consumer is released. it can. Furthermore, by analyzing information of many consumers, information such as products preferred by women in their 20s and products preferred in the Kanto area can be derived and used for marketing and the like.

  In addition, the information can be used not only for the store but also for the manufacturer of the product and other companies for the development of new products and the improvement of safety, and may have value.

  However, the consumer's personal information in the store cannot be provided to others without obtaining the consent of each consumer. For this reason, when providing information related to the consumer to others, it is necessary to anonymize so that individuals cannot be identified.

  For example, if there is only one person 25 years old in the member list in which the age is described, the person can be identified when he / she knows that the 25-year-old acquaintance is the member. That is, if there is only one person with the attribute of a 25-year-old member, there is a high possibility that an individual can be specified by comparing with other information.

  Therefore, if the age description in the member list is abstracted into 10-year breaks, and there are multiple people with the same attribute, such as three in their 20s, who of the three is identified become unable. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

JP 2012-133451 A JP 2011-108195 A JP 2011-128862 A JP 2012-78932 A

  FIG. 19 is a diagram illustrating an example of history data (flow data) recorded on the management server side when a user enters and exits an automatic ticket gate of a station using an IC card and settles a boarding fee. The history data 91 in FIG. 19 is associated with a user ID, use date and time, use station, use contents, fee, and the like. The history data 91 can identify each user of the history data by referring to the user information 92 in which the user ID is associated with the user's last name, age, and gender.

When this history data 91 is provided to other business operators, the user information 92 that associates the user ID with the user's last name is deleted or managed so that it cannot be referred to, so that the individual cannot be identified from the user ID. It can be considered to be in a pseudonymized state.

  However, in the kana conversion state, even if the name cannot be specified from the user ID, if the information such as the use station associated with the user ID is limited to one individual, that is, the other information such as the use station is the same If there is no user to do, there is a possibility that it can be re-identified from information such as the station used. For example, when a user with ID = A001 uses Shinjuku Station, Akihabara Station, and Ningyocho, if there is no other person who uses the station in the same way, a person who knows the behavior of the user with ID = A001. If there is, the user with ID = A001 can be re-identified from the history data.

For example, when n = 4,247,000 users select m = 9262 stations in a uniform distribution, the number of stations s that can be re-identified is calculated by Equation 1,
mS = n (Formula 1)
It becomes S = 2.237, and it can be understood that re-identification is possible if three stations are recorded in the history data.

  In addition, the history data of the IC card may include other shopping information. In this case, the possibility of re-identification is further increased.

  For this reason, it is conceivable that the values of each item are abstracted and anonymized so that the combination of the values of each item is not limited to one individual, but data such as action history tends to be very large in data amount. For example, in the case of so-called big data in the case of the action history of more than 100,000 users, it is not realistic to perform abstraction manually.

  Although abstraction can be performed mechanically, if abstraction is performed mechanically, even if the abstracted result satisfies anonymity, it is not always useful data. For example, if the combination of item values is abstracted until it is not limited to one individual, and the value (word) of the item is so abstract that there is no use value, it does not make sense to satisfy anonymity. For this reason, even when performing abstraction mechanically, the result of the abstraction is confirmed by a person, and if it is not useful data, the setting of changing items to be abstracted is changed and the abstraction process is restarted. Repeated trials.

  However, simply repeating trials is inefficient, especially in the case of big data, it takes a lot of time to process abstraction and anonymity, making it difficult to perform trials sufficiently. It was.

  In addition, in the case of the action history (flow data) as described above, data is inserted as needed along with each user's action, and the number of inserted data is different in timing, so it is difficult to strictly perform anonymity. there were.

  Therefore, the present invention provides a technique that enables anonymity testing of a plurality of user behavior histories.

An information processing apparatus according to the present invention includes:
Data that associates user identification information for identifying a user with information related to the user is used as target data, and a plurality of words included in the target data are extracted, and the plurality of words are based on the number of occurrences of each word. An item candidate generation unit that makes at least a part of the data item candidates;
An item selection unit for selecting a predetermined number of candidates from the data item candidates based on statistical information;
Anonymous candidates that obtain the value of the selected data item from the data associated with the user identification information of the target data and associate the value of the data item with the user identification information as anonymous candidate data A generator,
Is provided.

  The item candidate generation unit abstracts the word extracted from the target data, and based on the number of appearances of the abstracted word, sets the plurality of words and at least a part of the abstracted word as data item candidates. Also good.

  The anonymous candidate generator may generate the anonymous candidate data for each time, region, or predetermined category of the target data.

The information processing apparatus may include a testing unit that tests on condition that a combination of values of items of the anonymous candidate data is not limited to one individual of the target data.

An information processing method according to the present invention includes:
Data that associates user identification information for identifying a user with information related to the user is used as target data, and a plurality of words included in the target data are extracted, and the plurality of words are based on the number of occurrences of each word. Making at least a part of the data item candidates,
Selecting a predetermined number of candidates from the data item candidates based on statistical information;
Obtaining the value of the selected data item from the data associated with the user identification information of the target data, and associating the value of the data item with each user identification information as anonymous candidate data; ,
Is executed by the computer.

  Further, the present invention may be an anonymization program for causing a computer to execute the information processing method. Furthermore, the anonymization program may be recorded on a computer-readable recording medium.

  Here, the computer-readable recording medium refers to a recording medium that accumulates information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from the computer. . Examples of such a recording medium that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card.

  Further, there are a hard disk, a ROM (read only memory), and the like as a recording medium fixed to the computer.

  INDUSTRIAL APPLICABILITY The present invention can provide a technique that enables anonymity testing for a plurality of user behavior histories.

FIG. 1 is an explanatory diagram of anonymization processing. FIG. 2 is a diagram illustrating an example of a user's behavior history. FIG. 3 is a diagram illustrating a schematic configuration of the anonymization device. FIG. 4 is a diagram illustrating a hardware configuration of the information processing apparatus. FIG. 5 is a diagram illustrating a process of selecting target items by analyzing target data. FIG. 6 is a diagram illustrating a process of generating anonymous candidate data. FIG. 7 is a diagram illustrating a process for testing anonymity. FIG. 8 is a diagram illustrating an example of a process for obtaining the number of appearances of words by analyzing the target data in a natural language. FIG. 9 is a diagram illustrating an example of a process for obtaining the number of occurrences of a word by analyzing the target data in a natural language. FIG. 10 is a diagram illustrating an example of a process for obtaining the number of appearances of a word by analyzing the target data in a natural language. FIG. 11 is a diagram illustrating an example of a process for obtaining the number of occurrences of a word by analyzing the target data in a natural language. FIG. 12 is a diagram showing an example of a process for obtaining the number of appearances of words by analyzing the target data in a natural language. FIG. 13 is a diagram illustrating an example of a process for obtaining the number of appearances of words by analyzing the target data in a natural language. FIG. 14 is a diagram illustrating an example of processing for obtaining the number of appearances of words by analyzing the target data in a natural language. FIG. 15 is a diagram illustrating processing for selecting target items by analyzing target data. FIG. 16 is a diagram illustrating processing for generating anonymous candidate data. FIG. 17 is a diagram illustrating data classified in January and data classified in February. FIG. 18 is a diagram illustrating an example in which anonymized data is created in a plurality of sections. FIG. 19 is a diagram illustrating an example of a user's behavior history.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

<Embodiment 1>
FIG. 1 is an explanatory diagram of anonymization processing. FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and gender items. As shown in Fig. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, when the 16-year-old woman is found to be this member, the person is identified. it can. That is, if there is only one person with the attribute of 16 years old and female, there is a possibility that an individual can be identified by comparing with other information.

  In FIG. 1 (B), the description of the age in the member list is abstracted and classified by age, such as 0's (under 10 years), 10's, and 20's. However, even in this case, there is only one female teenager, and an individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1 (C), it was further abstracted and the age divisions were changed to those in their teens (under 19 years old) and those in their 20s. In the case of FIG. 1C, there are two women in their teens or less, and the attributes of “10 or less” and [female] are not single. For this reason, even if it turns out that a 16-year-old woman is this member as mentioned above, it cannot be specified which is the data of the 16-year-old woman. A state in which there are k or more people having the same attribute in this way is referred to as “k-anonymity” and processing such data is referred to as “k-anonymization”.

  In the data of FIG. 1, the value of each item of information related to the user is associated with each user. In other words, in the data of FIG. 1, the data of each user is recorded in each row, and the value of each item of information relating to the user is recorded in each column. That is, the data in FIG. 1 is spreadsheet-type data including a row for each user and a column for each item.

FIG. 2 is a diagram illustrating an example of a user's behavior history. The data in FIG. 2 associates a user ID (user identification information) for identifying a user with information (behavior data) related to the user. In the example of FIG. 2, the behavior data includes a date, a store, and a content when a user purchases a product. As described above, in the data of FIG. 2, user behavior data is recorded in each row, and values of each item of information related to the user are recorded in each column. That is, the data in FIG. 2 is flow-type data recorded for each user's behavior data.

  In the flow type data shown in FIG. 2, the action data associated with the user ID is added as needed, and the action data associated with the user ID of one user exists in a plurality of rows, and the number of the action data is added. Since the timing is also different, anonymity cannot be tested like the spreadsheet-type data in FIG.

  Therefore, the information processing apparatus (anonymization apparatus) 1 according to the first embodiment enables anonymity test by converting the flow data type target data into a spreadsheet type. Below, this anonymization apparatus 10 is demonstrated.

  FIG. 3 is a diagram illustrating a schematic configuration of the anonymization device 10. As shown in FIG. 3, the anonymization device 10 includes an item candidate generation unit 11, an item selection unit 12, an anonymous candidate generation unit 13, an anonymous test unit 14, and a data output unit 15.

  The item candidate generation unit 11 uses, as target data, data in which user identification information for identifying a user and information related to the user are associated, extracts a plurality of words included in the target data, and determines the number of occurrences of each word. Based on this, at least a part of the plurality of words is set as a data item candidate. In addition, the item candidate generation unit 11 abstracts the words extracted from the target data, and sets a plurality of words and at least a part of the abstracted words as data item candidates based on the number of appearances of the abstracted words.

  The item selection unit 12 selects a predetermined number of candidates from the data item candidates based on statistical information (value data). The item selection unit 12 acquires value data from the search information accumulation DB 42. Further, the item selection unit 12 makes a request to another device when the value data is not registered in the search information storage DB 42 and registers the acquired value data in the search information storage DB 42 (data request), It has a function (data crawler) that periodically visits other devices to acquire the latest value data and updates the value data registered in the search information storage DB 42. In this embodiment, the statistical information of each word is received from the search engine 90 as this value data. Here, the statistical information of each word includes, for example, an SEM advertising unit price (unit price per click), a click rate, an average ranking, the number of display times per day, the number of clicks per day, and the like. Note that the value acquisition destination is not limited to a search engine, and may be a web page, an SNS, or the like. Thus, when using the statistical information of a word as value data, it is good also considering the usage frequency of each word in a web page or SNS as value data, for example.

  The anonymous candidate generating unit 13 obtains the value of the selected data item from the data associated with the user identification information of the target data, and associates the value of the data item for each user identification information to obtain anonymous candidate data.

Anonymous assay portion 14, the combination of the values of items corresponding to a single individual of the anonymous candidate data is assayed under the condition that not a single in the anonymous candidate data. For example, the anonymous testing unit 14 tests whether the anonymous candidate data satisfies k-anonymity or l-diversity. The anonymity of the anonymous candidate data is tested, and the anonymous candidate data that satisfies the anonymity is set as anonymized information.

  The data output unit 15 reads and outputs anonymization information that satisfies anonymity. Here, the output of anonymization information includes display output by a display device, print output by a printer, transmission to another computer, writing to a storage medium, and the like.

  FIG. 4 is a diagram illustrating a hardware configuration of the information processing apparatus. The anonymization device 10 is a so-called computer having a CPU 1, a memory 2, a communication control unit 3, a storage device 4, and an input / output interface 5.

  The CPU 1 executes the program expanded in an executable manner in the memory 2, thereby enabling the functions of the item candidate generation unit 11, item selection unit 12, anonymous candidate generation unit 13, anonymous test unit 14, and data output unit 15. provide.

  The memory 2 can also be called a main storage device (main memory). The memory 2 stores, for example, a program executed by the CPU 1, data received via the communication control unit 3, data read from the storage device 4, other data, and the like.

  A communication control unit (CCU: Communication Control Unit) 3 is connected to another device via a network and controls communication with the device. The input / output interface 5 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as an input / output device for a flash memory card, a USB adapter for connecting a USB memory, or the like. The removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), or a Blu-ray (registered trademark) disc. The drive device reads the program from the removable storage medium and stores it in the storage device 4.

The storage device 4 can also be called an external storage device. The storage device 4 may be an SSD (Solid State Drive), an HDD, or the like. The storage device 4 exchanges data with the drive device. For example, the storage device 4 stores an information processing program installed from the drive device. The storage device 4 reads out the program and delivers it to the memory 2. In the present embodiment, the storage device 4 stores target data, a search information accumulation DB 42, and an anonymization test DB 45.

5 to 7 are explanatory diagrams of an information processing method executed by the anonymization device 10 according to the information processing program of the present embodiment, and FIG. 5 is a diagram illustrating processing for analyzing the target data and selecting an item FIG. 6 is a diagram illustrating a process for generating anonymous candidate data, and FIG. 7 is a diagram illustrating a process for testing anonymity.

  The anonymization device 10 executes the processes of FIGS. 5 and 6 as an anonymization pre-processes periodically or triggered by an operator's instruction or the like. First, the anonymization device 10 acquires target data from another computer or storage device, extracts words included in the target data by morphological analysis, and obtains the number of appearances and the appearance rate of the words (step S10). The extraction of words may be extracted from all target data, but is not limited thereto, and may be extracted from a part of the handling data such as the first 10,000 lines or 5% of the whole.

  Next, the anonymization device 10 abstracts the word extracted in step S10 (step S20), and obtains the number of appearances and the appearance rate of the abstracted word (step S30). Further, the anonymization device 10 deletes item candidates that are less than a predetermined value, for example, less than the k value, for which the number of appearances and the appearance rate are required, and performs a sufficient step (step S35).

Then, the anonymization device 10 uses the word extracted in step S10 and the word abstracted in step S20 as item candidates, acquires value data from the search information accumulation DB 42, and weights each item candidate (step S40). Based on this weighting, a predetermined number of items are selected (step S50). For example, the number of occurrences or the appearance rate of each word is indexed by multiplying the value data (SEM price), and a predetermined number of items are selected in descending order of the index.

Next, the anonymization device 10 executes the process of FIG. 6, reads one line of data from the target data (step S <b> 60), and extracts words included in this line by morphological analysis (step S <b> 70). The anonymization device 10 searches the extracted word for a word corresponding to the value of the item generated in the process of FIG. 5 (step S80), and the user ID of the line from which the value of this item is read in step S60. And stored in the anonymization test DB 45 (step S90). Then, the anonymization device 10 determines whether or not there is a next process (step S100). If there is a next process, the process returns to step S60, reads the data in the next line, and repeats steps S60 to S100. If there is no next process in step S100, the process of FIG. 6 is terminated. Thus in correspondence with the user ID of each row, those stored in the anonymous assay DB45 and extracts the value of the item in each column from the target data, respectively is anonymous candidate data.

Then anonymizing apparatus 10 executes the processing of FIG. 7, reads the anonymous candidate data generated in the process of FIG. 6 DB45 for anonymizing test, the value of the item and the corresponding one individual of anonymous candidate data Is tested under the condition that the number of combinations is not a predetermined number or less, for example, 1 in the anonymous candidate data (step S110). That is, it is determined whether the anonymous candidate data satisfies k-anonymity. Here, if anonymous candidate data meets the anonymity, repeated tests by reading the other anonymous candidate data returns to step S110 (step S110 to S120).

On the other hand, in step S120, anonymizing apparatus 10 if they meet the anonymity, determines whether there is a next process (step S130), the process returns to step S110 if there is a next process, the next anonymous Repeat step S110~ step S130 reads the candidate data, if the next processing is no in step S130, outputs the anonymous candidate data have passed the test as anonymous data (step S140), and terminates the processing in FIG. 7 .

Next, processing for creating the anonymous candidate data will be specifically described with reference to FIGS. 8 to 14.

  FIG. 8 is a diagram illustrating an example of a process for obtaining the number of appearances of words by analyzing the target data in a natural language. In FIG. 8, target data 51 associates a user ID (user identification information) for identifying a user with information (behavior data) relating to the user, and as this behavior data, the date on which the user purchased the product, a store, Has content. In the target data 51, natural language data is recorded as A book-Nakano, B Stroke-Shinjuku, C Restaurant-Shinjuku.

  Data 52 is the result of performing natural language analysis on the target data 51, extracting words included in the target data 51, and determining the number of appearances of the words. The data 52 associates words such as Shinjuku, net, and C restaurant extracted from the target data 51 with their parts of speech and the number of appearances. In the data 52, each word and the number of appearances are associated with each other. However, an appearance rate may be used instead of the number of appearances. For example, when the number of occurrences of a word is n and the total number of words is s, Let the rate Aq be n / s. Alternatively, an appearance ratio (tf (term frequency) / idf (inverse document frequency)) may be used.

  Further, using the abstract dictionary 53 in which the base word is associated with the abstract word (superordinate concept), the extracted word is replaced with the superordinate concept and abstracted. For example, Shinjuku is converted to Tokyo, ramen to Chinese food, and E store to a convenience store. The data 54 is obtained by obtaining the number of appearances of the abstracted word and adding it to the data 52.

When performing morphological analysis, natural language analysis may be performed according to the attribute of the target data 51. For example, as shown in FIG. 9, the data of the store item of the target data 52 is subjected to natural language analysis using a store dictionary in which store names are preferentially registered to obtain data 52 a. The content item data may be subjected to natural language analysis using a purchase content dictionary in which product names are preferentially registered to form data 52b, which may be combined into analysis results 52.

Furthermore, as shown in FIGS. 10 and 11, the store attribute morphological analysis result 52a is abstracted by the store abstract dictionary 53a to create abstract data 55a, and the words of the morphological analysis result 52a and the abstract data 55a Multiply with words. Similarly, the content attribute morpheme analysis result 52b is abstracted by a content abstraction dictionary (not shown) to create abstract data 55b, and the words of the morpheme analysis result 52b and the abstract data 55b are multiplied.
For example,
(1) Store attribute morpheme analysis result 52a and content attribute morpheme analysis result 52b,
(2) Store attribute morphological analysis result 52a and content attribute abstraction result 55b,
(3) Store attribute abstraction result 55a and content attribute abstraction result 55b,
(4) Store attribute morphological analysis result 52a and content attribute morphological analysis result 52b,
4 types of patterns are created. Data 56 is a part of this multiplication result.

  The data 57 (FIG. 12) is a combination of the store attribute morpheme analysis result 52a, the content attribute morpheme analysis result 52b, the store attribute abstraction result 55a, the content attribute abstraction result 55b, and the multiplication result 56. is there.

In the data 57 of FIG. 12, each word is associated with the number of appearances, but the appearance rate may be used instead of the number of appearances. For example, when the number of occurrences of a word is n and the total number of words is s. In addition, the appearance rate Aq is set to n / s. In FIG. 12, the level is the degree of word processing, in other words, the distance from the original data. In this example, level 1 is the original word, level 2 is the abstracted word, and level 3 is the multiplied word. It is.
In the case of a multiplied word,
Number of occurrences of attribute 1 An (1)
Appearance rate of attribute 1 Aq (1)
Number of occurrences of attribute 2 An (1)
Appearance rate of attribute 2 Aq (2)
An (1)> An (2)
It is assumed that An (1) × (An (1) / An (1)).
Alternatively, An (1) × ((An (1) / s) × (Aq (2) / s)) may be used.

  Note that the calculation of the appearance rate is an example, and the present invention is not limited to this.

  The number of appearances of the data 57 including the item candidates indicates the size of the number of appearances in this information group. Therefore, when it is necessary to verify anonymity by combining two or more pieces of information, in order to satisfy k anonymity, it is impossible to combine multiple element choices unless there is at least two occurrences. I understand that. Moreover, even if it is 2 or more, when the number of appearances is small, the possibility of satisfying k-anonymity decreases. Therefore, the necessary value of k is used to create a necessary information group. For example, in the example of FIG. 13, data 58 is obtained by excluding (adding) candidates having a minimum appearance number of 3 or more and an appearance number of less than 3. In addition, an index table 59 is created by multiplying the number of appearances of the data 58 by the value data and indexing it. The value data multiplied by the number of appearances is not limited to the SEM price, but may be POS sales data or a weighting coefficient by a user or an operator.

As shown in the data 61 of FIG. 14, each row of the spreadsheet is used as each user's data.
Item candidates are assigned to each column of the spreadsheet in descending order of the index in the index table 59.

  Then, the morphological analysis is performed on the target data 51 to extract words, and the words are abstracted and input to corresponding items of the data 61. For example, Nakano is extracted from the data of data 51 with ID = A001 A book-Nakano, referring to the abstract dictionary as Tokyo, and the data 61 with ID = A001 in Tokyo is incremented. The value of the item to be input to the data 61 may be input as the number of corresponding data in the target data 51 as it is, or may be input as a flag which is 1 when exceeding a predetermined threshold and 0 otherwise. good. Moreover, you may input in the range of a numerical value like 1-5, 6-10.

  As described above, according to the first embodiment, even if the target data is a flow data type, the anonymization test can be reliably performed by converting the data into spreadsheet type data.

  In addition, according to the first embodiment, the items for conversion to spreadsheet-type data are selected based on the number of occurrences of words and value data. Therefore, even if mechanical conversion is performed, appropriate conversion is performed. Results are obtained.

  Furthermore, when converting to spreadsheet-type data, item candidates can be selected without processing all the target data, and the processing load is reduced.

<< Embodiment 2 >>
Embodiment 2 is different from the first embodiment discussed above mainly constituted created by separating the anonymous candidate data into a plurality of sections is different. Note that the same elements as those in the first embodiment are denoted by the same reference numerals, and the description thereof is omitted.

  The anonymization device 10 executes the processes of FIGS. 15 and 16 as anonymization pre-processes periodically or triggered by an operator's instruction or the like. First, the anonymization device 10 acquires target data from another computer or storage device, extracts words included in the target data by morphological analysis, and obtains the number of appearances and the appearance rate of the words (step S10). The extraction of words may be extracted from all target data, but is not limited thereto, and may be extracted from a part of the handling data such as the first 10,000 lines or 5% of the whole.

  Next, the anonymization device 10 abstracts the word extracted in step S10 (step S20), and obtains the number of appearances and the appearance rate of the abstracted word (step S30). Moreover, the anonymization apparatus 10 deletes the item candidate below k value required, and performs a step (step S35).

  Then, the anonymization device 10 uses the word extracted in step S10 and the word abstracted in step S20 as item candidates, acquires value data from the search information accumulation DB 42, and weights each item candidate (step S40). .

  Next, the anonymization device 10 receives a classification setting by an operator (analyzer) (step S43). For example, a time category such as year / month / day, time, time zone, season, a region category such as a prefecture, a category based on a predetermined category such as food / book, and the like are set.

Further, it is designated whether to add to existing data or create a new process (step S46). For example, if you create the anonymous candidate data of February new, it selects a process such as to add data to the anonymous candidate data that was created in Tokyo of the division in the past.

In accordance with this setting, a predetermined number of items are set in the existing anonymous candidate data or new anonymous candidate data based on the weighting determined in step S40 (step S50). For example, the number of occurrences or the appearance rate of each word is indexed by multiplying value data (SEM price), and a predetermined number of items are set in descending order of the index.

Next, the anonymization device 10 executes the process of FIG. 16, reads one line of data from the target data (step S <b> 60), and extracts words included in this line by morphological analysis (step S <b> 70). Anonymizing apparatus 10 reads out the set classified condition at step S43, determines the anonymous candidate data used (step S76).

The anonymization device 10 searches the extracted word for a word corresponding to the value of the item generated in the process of FIG. 15 (step S80), and the user ID of the row from which the value of this item is read in step S60. And stored in association with each other (step S90). The anonymizing apparatus 10 determines whether there is a next process (step S100), if there is a next process, there are other anonymous candidate data to be written in parallel data of the current row Whether or not (step S103). Here, to determine the anonymous candidate data utilizing the operation proceeds to Step S76 if there is processing of writing to another anonymous candidate data, the process proceeds to step S80.

On the other hand, if there is no process of writing in step S103 to another anonymous candidate data, it repeats the process of step S60~103 returns to step S60. Then, if there is no next processing at step S100, it creates a management table of the anonymous candidate data, and ends the process in FIG. 16.

  FIG. 17 is a diagram showing data 62 classified in January and data 63 classified in February. Since the target data 51 of this embodiment is constantly increasing flow data, for example, when new information is added every month, it is possible to add and manage a table group that ensures consistency with the past. Become.

  Since anonymization processing differs greatly depending on the time, for example, data for one month cannot be anonymized, but there are many cases where it can be anonymized by collecting data for one year. Therefore, by accumulating anonymized data every month, it is possible to obtain long-term knowledge without taking the trouble of calculating the data for one year again.

  Further, the subsequent statistical processing can be simplified by classifying the table according to the region.

  Furthermore, as shown in FIG. 18, for example, anonymized data for January is created, and in February, the item name is used as it is, and the data of each user is input from the target data. It is possible to compare whether the numbers that existed in the past are seasonal or stationary.

Since information that exists regularly has a large number of appearances = high anonymity, it can be finely classified as information. In this embodiment, because it determines the entry of anonymous candidate data based on the number of occurrences of a word, without wastefully abstract the number of occurrences is high word can be properly create anonymous candidate data.

In addition, separately from the anonymous candidate data that was created in January of higher-level, to create the anonymous candidate data by word that appeared in the top in February, it is also to be used, such as the word level of difference comparison of the last month It becomes possible. When the table also exists to manage the anonymous candidate data of such a multi-dimensional, can be a guideline for the anonymity processing.

<Others>
The present invention is not limited to the illustrated examples described above, and various modifications can be made without departing from the scope of the present invention.

2 Memory 3 Communication control unit 4 Storage device 5 Input / output interface 10 Anonymization device 11 Item candidate generation unit 12 Item selection unit 13 Anonymous candidate generation unit 14 Anonymous verification unit 15 Data output unit

Claims (6)

Data that associates user identification information for identifying a user with information related to the user is used as target data, and a plurality of words included in the target data are extracted, and the plurality of words are based on the number of occurrences of each word. An item candidate generation unit that makes at least a part of the data item candidates;
An item selection unit for selecting a predetermined number of candidates from the data item candidates based on statistical information;
Anonymous candidates that obtain the value of the selected data item from the data associated with the user identification information of the target data and associate the value of the data item with the user identification information as anonymous candidate data A generator,
An information processing apparatus comprising:   The item candidate generation unit abstracts the word extracted from the target data, and based on the number of appearances of the abstracted word, the plurality of words and at least a part of the abstracted word are defined as data item candidates. The information processing apparatus according to claim 1.   The information processing apparatus according to claim 1 or 2, wherein the anonymous candidate generation unit generates the anonymous candidate data for each time, region, or predetermined category of the target data. The information processing apparatus according to any one of claims 1 to 3, further comprising a test unit that tests on condition that a combination of values of items of the anonymous candidate data is not limited to one individual of the target data. Data that associates user identification information for identifying a user with information related to the user is used as target data, and a plurality of words included in the target data are extracted, and the plurality of words are based on the number of occurrences of each word. Making at least a part of the data item candidates,
Selecting a predetermined number of candidates from the data item candidates based on statistical information;
Obtaining the value of the selected data item from the data associated with the user identification information of the target data, and associating the value of the data item with each user identification information as anonymous candidate data; ,
An information processing method in which a computer executes. Data that associates user identification information for identifying a user with information related to the user is used as target data, and a plurality of words included in the target data are extracted, and the plurality of words are based on the number of occurrences of each word. Making at least a part of the data item candidates,
Selecting a predetermined number of candidates from the data item candidates based on statistical information;
Obtaining the value of the selected data item from the data associated with the user identification information of the target data, and associating the value of the data item with each user identification information as anonymous candidate data; ,
Processing program for causing a computer to execute.