JP6610334B2 - Leakage risk providing apparatus, leakage risk providing method, and leakage risk providing program - Google Patents

Description

  The present invention relates to a leakage risk providing apparatus, a leakage risk providing method, and a leakage risk providing program.

  There is a demand for converting individual vote data storing individual information in each row so that much information remains while considering privacy. Such conversion of individual vote data is called anonymization. Anonymized individual vote data can be used for a wider range of use, for example, by being sold to a third party in consideration of privacy. However, the highly useful individual vote data with a wide utilization range has a trade-off relationship between anonymity and usefulness, and therefore privacy leakage risk (hereinafter also simply referred to as risk) increases.

  In order to ensure sufficient anonymity while keeping usability as high as possible, the provider of the individual vote data determines the information amount of the individual vote data by evaluating the risk. In the risk evaluation, for example, a leakage personal information value can be calculated as a monetary amount using a model for calculating damages due to a personal information leakage case called a JO model. As another risk evaluation, there is a method called k-anonymity, which uses a frequency distribution and uses the minimum value k of the frequency as a risk index, and the smaller the k, the smaller the risk.

"NPO Japan Network Security Association" Survey Report on Information Security Incident 2003 ", March 31, 2004", [Online], [Search February 5, 2016], Internet <http: //www.jnsa .org / active / 2003 / active2003_1a.html> Latanya Sweeney.k-anonymity: a model for protecting privacy.Int.J.Uncertain.Fuzziness Knowl.-Based Syst., Vol.10, October 2002, pp.557-570.

  However, in the risk assessment method described above, if the provider determines that the risk is too high based on the result of the assessment, the provider will consider further anonymization. It is difficult to consider what should be done. For this reason, in the above-mentioned risk evaluation method, it is difficult to obtain specific information for anonymization so that sufficient anonymity can be ensured while keeping usefulness high.

  In one aspect, the present invention is to provide a leakage risk providing apparatus, a leakage risk providing method, and a leakage risk providing program that can improve the accuracy of determination of leakage risk.

  In one aspect, the leakage risk providing apparatus includes a storage unit, an attribute extraction unit, an entry extraction unit, an influence degree calculation unit, and a risk information creation unit. The storage unit stores the sensitivity of each of the attributes in the individual vote data, which is a set of entries given a plurality of attributes. The attribute extraction unit calculates a leakage risk for each combination of the attributes based on the sensitivity, and extracts a combination of attributes for which the leakage risk satisfies a predetermined condition. The entry extraction unit extracts, for each extracted combination, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition. The influence degree calculation unit calculates the influence degree of attributes other than the attributes included in the extracted combination in the extracted entry based on the sensitivity. The risk information creation unit associates the extracted combination with an attribute whose influence degree satisfies a predetermined condition.

  The accuracy of determination of leakage risk can be increased.

FIG. 1 is a block diagram illustrating an example of the configuration of the leakage risk providing apparatus according to the embodiment. FIG. 2 is a diagram illustrating an example of individual vote data. FIG. 3 is a diagram illustrating an example of anonymization of individual vote data. FIG. 4 is a diagram illustrating an example of risk information. FIG. 5 is a diagram illustrating another example of risk information. FIG. 6 is a diagram illustrating an example of the individual vote data storage unit. FIG. 7 is a diagram illustrating an example of the priority information storage unit. FIG. 8 is a diagram illustrating an example of the risk information storage unit. FIG. 9 is a flowchart illustrating an example of the risk providing process according to the embodiment. FIG. 10 is a diagram illustrating an example of processing in the risk information storage unit. FIG. 11 is a diagram illustrating an example of a computer that executes a leakage risk providing program.

  Hereinafter, embodiments of a leakage risk providing apparatus, a leakage risk providing method, and a leakage risk providing program disclosed in the present application will be described in detail based on the drawings. The disclosed technology is not limited by the present embodiment. Further, the following embodiments may be appropriately combined within a consistent range.

  FIG. 1 is a block diagram illustrating an example of the configuration of the leakage risk providing apparatus according to the embodiment. The leakage risk providing apparatus 100 shown in FIG. 1 accepts individual vote data, priority information, and a threshold group. The leakage risk providing apparatus 100 stores the received individual vote data, priority information, and threshold value group in the storage unit 120. That is, in the leakage risk providing apparatus 100, a table that associates the sensitivity with each attribute in the individual vote data that is a set of entries given a plurality of attributes is stored in the storage unit 120 based on the priority information. The leakage risk providing apparatus 100 calculates a leakage risk for each combination of attributes based on the sensitivity, and extracts a combination of attributes for which the leakage risk satisfies a predetermined condition. For each extracted combination, the leakage risk providing apparatus 100 extracts an entry in which the number of entries specified by the value of the attribute included in the combination satisfies a predetermined condition. The leakage risk providing apparatus 100 calculates the influence degree of attributes other than the attributes included in the extracted combination in the extracted entry based on the sensitivity. The leakage risk providing apparatus 100 associates the extracted combination with an attribute whose degree of influence satisfies a predetermined condition. Thereby, the leakage risk providing apparatus 100 can improve the accuracy of the determination of the leakage risk.

  Here, anonymization of the individual vote data and risk information will be described with reference to FIGS. FIG. 2 is a diagram illustrating an example of individual vote data. As shown in FIG. 2, the individual slip data 20 is a two-dimensional table in which personal information is stored in each row. In the example of FIG. 2, the individual slip data 20 includes items indicating attributes such as “patient ID (IDentifier)”, “birth year”, “gender”, “nationality”, and “diagnosis result”. The line numbers are given for explanation. When the individual vote data 20 is anonymized, for example, information on each attribute is generalized. For example, in the generalization of the attribute “birth year”, “<20” indicating that the value “11” is a numerical value less than 20, “1?” Using “?” Indicating an unknown one-character number, “1?”, Unknown Conversion such as “*” using “*” representing a simple character string is performed. In this embodiment, it is assumed that false data such as converting the value “11” into “2?” Is not included. In generalization, generalizing all lines to “*” for a certain attribute may be substantially the same as deleting the attribute information, so attribute deletion is also a form of generalization. .

  FIG. 3 is a diagram illustrating an example of anonymization of individual vote data. The individual form data 21 shown in FIG. 3 is an example in which the attribute “patient ID” is deleted from the individual form data 20 shown in FIG. In the individual slip data 21, the attribute “birth year” is generalized to “<20” when the value is less than 20, and the first digit of the numerical value is generalized to “?” When the value is 20 or more. Is. In this way, the individual vote data 21 cannot use the information of “patient ID”, and the “birth year” can be determined only in units of 10 years, and the amount of information is smaller than that of the individual vote data 20. . In general, anonymization reduces the amount of information and reduces risk.

  For example, the risks in the individual vote data 20 and the individual vote data 21 are compared. In the individual data 20, the attacker knows that there is only one person of {birth year: 11} in the population, and knows the person with the attribute, but knows the “diagnosis result” of the person. There may not be. In this case, there is a risk that an attacker can know that the person corresponds to the line number “1” and that the person is {diagnosis result: hepatitis} by looking at the individual vote data 20. is there. Note that {birth year: 11} indicates that the value of the attribute “birth year” is “11”. Further, {diagnosis result: hepatitis} indicates that the attribute “diagnosis result” is “hepatitis”. Hereinafter, the attribute and the value may be described in the same manner.

  On the other hand, in the individual vote data 21, since the attribute “birth year” is generalized, the possibility of uniquely identifying a person is reduced. For example, when there are a plurality of people of {birth year: <20} in the population, the overall risk is reduced. However, when the individual vote data 21 is used, it is not necessary to know the information of a specific individual, so there is no problem even if the attribute “patient ID” is deleted. In addition, the information of the attribute “birth year” may obtain useful knowledge even in units of 10 years, and there may be a situation in which the individual vote data 21 is also valuable. The anonymization that minimizes the risk is to delete all the attributes. In this case, the risk is eliminated, but the possibility of secondary utilization is also eliminated.

  FIG. 4 is a diagram illustrating an example of risk information. The risk information 22 shown in FIG. 4 is an example of risk information when the individual vote data 20 shown in FIG. 2 is input. As illustrated in FIG. 4, the risk information 22 includes items such as “attribute combination”, “number of rows”, “row number”, “specific information”, and “influence information”. The “attribute combination” indicates a combination of attributes that can specify a row for the individual slip data 20. “Number of rows” indicates the number of rows that can be specified by the attribute combination. The “line number” indicates an exemplary line number by taking, as an example, lines that are less than a predetermined number of lines that can be specified. “Specific information” indicates an attribute value for specifying the exemplified line number among the lines that can be specified. In other words, the “specific information” is information of the minimum necessary attribute for specifying the line having the exemplified line number. The “influence information” indicates an attribute value of an attribute that is determined by specifying a line among other attributes excluding the attribute used for attribute combination in the line of the exemplified line number. The “influence information” may be displayed with priority given to attribute values with high sensitivity among the attribute values of the identified attributes.

  In the example of the first and second lines in FIG. 4, when the attribute combination is “patient ID”, the number of lines is “1000”, and 1000 lines can be identified by the value of the attribute “patient ID” alone. . Since the individual vote data 20 has 1000 rows in total, all rows can be specified by the value of the attribute “patient ID” alone. The line number “3” can be specified by the specific information {patient ID: 103}, and the influence information is {diagnosis result: dysphagia, nationality: China}.

  Further, in the example of the third row, one row can be identified by the attribute combination of the combination of “birth year” and “gender”. Furthermore, it can be seen that the specified line number “1” is specific information {birth year: 11, sex: male}, influence information {diagnosis result: hepatitis, nationality: Japan}. At this time, if the attacker knows that there is one person in the population with specific information {birth year: 11, gender: male}, the influence information of the person {diagnosis result: hepatitis, nationality: Japan } Will be known. That is, in the individual slip data 20 shown in FIG. 2, it is estimated that the attribute “patient ID” and the attribute “birth year” are highly specific and effective as an anonymization target based on the risk information 22 shown in FIG. it can.

  FIG. 5 is a diagram illustrating another example of risk information. The risk information 23 shown in FIG. 5 is an example of risk information when the individual vote data 21 shown in FIG. 3 is input. In the risk information 23, the number of lines that can be identified as compared with the risk information 22 is reduced to two lines. In the example of the first line of the risk information 23, specific information {birth year: 7? , Gender: male, nationality: Japan}. However, for example, if the provider determines that there are sufficiently many persons having such attribute values in the population, the provider may decide that this risk is acceptable. Similarly, in the example of the second line, the line can be specified by the specific information {diagnosis result: dysphagia}. For example, when the provider determines that the influence information {nationality: China} is information having a small influence. , You may decide that this risk is acceptable.

  Next, returning to the description of FIG. 1, the configuration of the leakage risk providing apparatus 100 will be described. As illustrated in FIG. 1, the leakage risk providing apparatus 100 includes an input unit 110, a display unit 111, an operation unit 112, a storage unit 120, and a control unit 130. The leakage risk providing apparatus 100 may include various functional units included in known computers, for example, functional units such as various input devices and audio output devices, in addition to the functional units illustrated in FIG. As an example of the leakage risk providing apparatus 100, a stationary personal computer can be employed. As the leakage risk providing apparatus 100, not only the stationary personal computer but also a portable personal computer can be adopted as the leakage risk providing apparatus 100. In addition, the leakage risk providing apparatus 100 can employ, for example, a tablet terminal as a portable terminal in addition to the portable personal computer described above.

  The input unit 110 is realized by a medium access device for an external storage medium such as an optical disk, a USB (Universal Serial Bus) memory, and an SD memory card, for example. The input unit 110 reads the individual vote data T, priority information S, and threshold value group P stored in the external storage medium, and outputs the read individual vote data T, priority information S, and threshold value group P to the control unit 130. To do.

  The display unit 111 is a display device for displaying various information. The display unit 111 is realized by, for example, a liquid crystal display as a display device. The display unit 111 displays various screens such as an output screen input from the control unit 130.

  The operation unit 112 is an input device that accepts various operations from the user of the leakage risk providing apparatus 100. The operation unit 112 is realized by, for example, a keyboard or a mouse as an input device. The operation unit 112 outputs an operation input by the user to the control unit 130 as operation information. Note that the operation unit 112 may be realized by a touch panel or the like as an input device, and the display device of the display unit 111 and the input device of the operation unit 112 may be integrated.

  The storage unit 120 is realized by a storage device such as a RAM (Random Access Memory), a semiconductor memory element such as a flash memory, a hard disk, or an optical disk, for example. The storage unit 120 includes an individual vote data storage unit 121, a priority information storage unit 122, a threshold storage unit 123, and a risk information storage unit 124. In addition, the storage unit 120 stores information used for processing in the control unit 130.

  The individual vote data storage unit 121 stores individual vote data to be provided as a leakage risk. The individual slip data is a set of entries given a plurality of attributes. FIG. 6 is a diagram illustrating an example of the individual vote data storage unit. As illustrated in FIG. 6, the individual slip data storage unit 121 includes items such as “line number”, “birth year”, “nationality”, and “diagnosis result”. The “line number” may be added if it is not in the original individual slip data, or may not be an item as long as the “line number” can be identified. The individual slip data storage unit 121 stores, for example, one record for each entry.

  The “line number” is information indicating the entry number of the individual slip data, that is, the record number. “Birth year” is information indicating the birth year of the person corresponding to the entry of the individual vote data. “Nationality” is information indicating the nationality of the person corresponding to the entry of the individual vote data. “Diagnosis result” is information indicating the examination result of the person corresponding to the entry of the individual vote data. In the example of the first line in FIG. 6, the person with the line number “1” indicates that his / her year of birth is “4?”, Nationality “Japan”, and examination result “lung cancer”.

  Returning to the description of FIG. 1, the priority information storage unit 122 stores information on the sensitivity of the attribute of the individual vote data used for the priority. In other words, the priority information storage unit 122 is a table that associates the sensitivity with each attribute in the individual vote data that is a set of entries to which a plurality of attributes are given. FIG. 7 is a diagram illustrating an example of the priority information storage unit. As illustrated in FIG. 7, the priority information storage unit 122 includes an attribute table 122a indicating the sensitivity of an attribute and an attribute value table 122b indicating the sensitivity of an attribute value. The attribute table 122a includes items such as “attribute”, “sensitivity”, and “attribute value sensitivity information”.

  “Attribute” is information indicating the attribute of the individual vote data. “Sensitivity” is information indicating the sensitivity of the attribute. “Sensitivity” is a positive number, and the greater the value, the more sensitive. “Sensitivity” is information obtained by quantifying sensitivity in a range of 1 to 100, for example. An arbitrary range can be used for the numerical range. The “attribute value sensitivity information” is information indicating a pointer to the attribute value table 122b indicating the sensitivity of each attribute value, for example, when the attribute value further has sensitivity. The “attribute value sensitivity information” is indicated by “x”, for example, when the attribute value has no further sensitivity.

  The attribute value table 122b has items such as “attribute value” and “sensitivity”. “Attribute value” is information indicating an attribute value corresponding to the attribute. “Sensitivity” is information indicating the sensitivity of the attribute value. In the priority information storage unit 122, in order to match the scale of the attribute sensitivity and the attribute value sensitivity, the maximum value of the attribute value sensitivity is the attribute sensitivity. In the example of FIG. 7, in the attribute table 122a, the attribute “birth year” is the sensitivity “2” and the attribute value sensitivity information “x”. Further, the maximum value of the sensitivity of the attribute “diagnosis result” is “100” which is the maximum value of the sensitivity of the attribute value, and the sensitivity value information of the attribute value is a pointer to the attribute value table 122b. In the example of FIG. 7, in the attribute value table 122b, for example, the attribute value “cold” has a sensitivity “2”, and the attribute value “hepatitis” has a sensitivity “80”.

  Returning to the description of FIG. 1, the threshold storage unit 123 stores the threshold group P. The threshold storage unit 123 stores thresholds such as thresholds p1, p2, and p3 as the threshold group P, for example. The threshold value p1 is a threshold value regarding the frequency distribution of attribute combinations, and is used to determine an entry (row) whose frequency is less than the threshold value p1. The threshold value p2 is a threshold value for determining the number of entries to be output (number of rows) when the number of rows that can be specified by the risk information attribute combination is large. The threshold value p3 is a threshold value for determining whether or not to exclude an attribute combination including an already processed attribute combination from a processing target when the number of lines that can be specified by the risk information attribute combination is large. . The threshold value group P can be set to, for example, threshold value p1 = 2, threshold value p2 = 3, and threshold value p3 = 2.

  The risk information storage unit 124 stores risk information. FIG. 8 is a diagram illustrating an example of the risk information storage unit. As illustrated in FIG. 8, the risk information storage unit 124 includes items such as “attribute combination”, “number of rows”, “row number”, “specific information”, and “effect information”. For example, the risk information storage unit 124 stores an entry (row) less than the threshold p2 in association with each attribute combination.

  “Attribute combination” is information indicating a combination of attributes that can specify a row for the received individual slip data. The “number of rows” is information indicating the number of rows that can be specified by the attribute combination. The “line number” is information indicating an exemplary line number, taking as an example lines that are less than a predetermined number of lines that can be specified. “Specific information” is information indicating an attribute value for specifying the exemplified line number among the lines that can be specified. The “influence information” is information indicating the attribute value of an attribute that is determined by specifying a row among the other attributes excluding the attribute used for the attribute combination in the row with the exemplified row number. In the example of the first line in FIG. 8, when the attribute combination is {birth year, nationality}, the number of lines that can be specified is “1” line, and the line number “3” is the specific information {birth year: 4? , Nationality: China}, and the impact information is {diagnosis result: hepatitis}.

  Returning to the description of FIG. 1, the control unit 130 executes, for example, a program stored in an internal storage device using a RAM as a work area by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. Is realized. Further, the control unit 130 may be realized by an integrated circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). The control unit 130 includes a reception unit 131, a high risk attribute extraction unit 132, an isolated entry extraction unit 133, an impact calculation unit 134, a risk information extraction unit 135, and an output control unit 136. Implement or execute the functions and operations of the information processing described. Note that the internal configuration of the control unit 130 is not limited to the configuration illustrated in FIG. 1, and may be another configuration as long as the information processing described below is performed.

  When receiving the individual vote data T, the priority information S, and the threshold value group P from the input unit 110, the accepting unit 131 accepts the inputted individual vote data T, the priority information S, and the threshold value group P. The receiving unit 131 stores the received individual vote data T, the priority information S, and the threshold value group P in the individual vote data storage unit 121, the priority information storage unit 122, and the threshold value storage unit 123, respectively, as well as an attribute combination extraction instruction. Is output to the high risk attribute extraction unit 132.

  When the attribute combination extraction instruction is input from the reception unit 131, the high risk attribute extraction unit 132 reads the sensitivity of each attribute included in the priority information S from the priority information storage unit 122. The high risk attribute extraction unit 132 refers to the individual vote data storage unit 121 based on the sensitivity of each read attribute, and generates a combination of all attributes for the attributes of the individual vote data T. The high-risk attribute extraction unit 132 calculates a priority for the generated combination of all attributes based on the product of the sensitivity of the attributes in the combination. That is, the priority is assumed to be higher risk in ascending order of product of sensitivity. That is, the priority corresponds to a leakage risk.

  The high risk attribute extraction unit 132 extracts attribute combinations whose priority satisfies a predetermined condition based on the calculated priority. That is, the high risk attribute extraction unit 132 extracts attribute combinations to be processed. The predetermined condition may be, for example, that the product of sensitivity is less than 200. That is, combinations of attributes that are too difficult to be known are excluded from the processing. Further, when the exclusion instruction is input from the risk information extraction unit 135, the high risk attribute extraction unit 132 excludes the attribute combination including the attribute combination A included in the exclusion instruction from the attribute combination to be processed.

  The high risk attribute extraction unit 132 determines whether there is an attribute combination to be processed yet. Note that the high-risk attribute extraction unit 132 also determines whether there is an attribute combination that should still be processed when a selection instruction is input from the isolated entry extraction unit 133. The high risk attribute extraction unit 132 outputs an output instruction to the output control unit 136 when there is no attribute combination to be processed.

  When there is an attribute combination to be processed, the high risk attribute extraction unit 132 selects the attribute combination having the highest priority among the attribute combinations to be processed as the attribute combination A. The high risk attribute extraction unit 132 outputs the selected attribute combination A to the isolated entry extraction unit 133. Note that, when there are a plurality of attribute combinations with the highest priority, the high risk attribute extraction unit 132 sets the attribute combination with the smallest number of attributes to have the highest priority.

  When the attribute combination A is input from the high risk attribute extraction unit 132, the isolated entry extraction unit 133 calculates the frequency distribution F of the value of the attribute combination A. The isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F has a frequency less than the threshold value p1. The isolated entry extraction unit 133 outputs a selection instruction for selecting the next attribute combination A to the high risk attribute extraction unit 132 when the frequency distribution F does not have a frequency less than the threshold p1.

  The isolated entry extraction unit 133 refers to the individual slip data storage unit 121 when the frequency distribution F has a frequency less than the threshold value p1, and determines the number of rows (number of entries) specified by the combination of attribute values of the frequency. calculate. That is, the isolated entry extraction unit 133 calculates the total number of rows for rows whose frequency is less than the threshold value p1. In addition, the isolated entry extraction unit 133 outputs the rows whose frequency is less than the threshold p1 to the influence calculation unit 134.

  When the influence level is input from the influence level calculation unit 134, the isolated entry extraction unit 133 refers to the individual form data storage unit 121, and among the rows whose frequency is less than the threshold value p1, the threshold value p2 is lower than the order of the influence level. The line (entry) is extracted. In other words, the isolated entry extraction unit 133 extracts, for each extracted combination, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition. The isolated entry extraction unit 133 outputs the attribute combination A, the calculated total number of rows, and the extracted rows to the risk information extraction unit 135.

  The influence degree calculation unit 134 receives a row whose frequency is less than the threshold value p <b> 1 from the isolated entry extraction unit 133. The influence degree calculation unit 134 refers to the individual form data storage unit 121 and the priority information storage unit 122, and determines the influence degree of attributes other than the attributes included in the attribute combination A for the row whose input frequency is less than the threshold p1. calculate. In other words, the influence degree calculation unit 134 calculates the influence degree of attributes other than the attributes included in the extracted combination in the extracted entry based on the sensitivity. In other words, the impact level is the sensitivity of the attribute value included in the impact information, and the greater the numerical value, the higher the impact level. The influence degree calculation unit 134 outputs the calculated influence degree to the isolated entry extraction unit 133.

  When the attribute combination A, the calculated total number of rows, and the extracted rows are input from the isolated entry extraction unit 133, the risk information extraction unit 135 refers to the individual data storage unit 121 and extracts the row numbers for the extracted rows. Extract specific information and impact information. The risk information extraction unit 135 stores the attribute combination A, the calculated total number of rows, the extracted row number, the specific information, and the influence information in the risk information storage unit 124 in order of priority. In other words, the risk information extraction unit 135 associates the extracted combination with an attribute whose degree of influence satisfies a predetermined condition.

  The risk information extraction unit 135 refers to the risk information storage unit 124 and determines whether or not the total number of lines of risk information is less than the threshold value p3. When the total number of lines of risk information is less than the threshold value p3, the risk information extraction unit 135 outputs a selection instruction for selecting the next attribute combination A to the high risk attribute extraction unit 132. If the total number of lines of risk information is not less than the threshold value p3, the risk information extraction unit 135 gives an exclusion instruction to exclude the attribute combination including the attribute combination A from the attribute combination to be processed. It outputs to 132. Of course, a line that can be specified by the attribute combination A can also be specified by an attribute combination including the attribute combination A. For this reason, if there are a sufficient number of lines that can be specified by the attribute combination A and the risk is output, the other information regarding the attribute combination A is less necessary and may be excluded. By excluding attribute combinations that include attribute combination A, the amount of processing can be reduced. In addition, the risk information that is output is simplified, making it easier for the user to understand.

  When an output instruction is input from the high risk attribute extraction unit 132, the output control unit 136 reads risk information from the risk information storage unit 124. The output control unit 136 rearranges the read risk information in descending order of priority in the attribute combination. The output control unit 136 generates an output screen based on the rearranged risk information. The output control unit 136 outputs the generated output screen to the display unit 111 for display. That is, the output control unit 136 causes the display unit 111 to display risk information. That is, the output control unit 136 causes the display unit 111 to display risk information including an attribute combination, the number of rows, a row number, specific information, and influence information. In other words, the output control unit 136 outputs, as risk information, extracted combinations that are associated with attributes whose influence degree satisfies a predetermined condition in descending order of leakage risk in the extracted combinations.

  That is, the output control unit 136 includes the line number, specific information, and influence information extracted by the risk information extraction unit 135 corresponding to the line extracted corresponding to the attribute combination by the isolated entry extraction unit 133 in the risk information. Output. In other words, the output control unit 136 outputs the information of the extracted entry corresponding to the extracted combination in the risk information.

  Further, the output control unit 136 outputs risk information by giving priority to a line with high sensitivity information. That is, the output control unit 136 outputs risk information with priority on an extracted entry having a high influence level, that is, an attribute with a high degree of sensitivity associated with the extracted combination.

  Further, the output control unit 136 preferentially associates the attribute information or attribute value having a high degree of sensitivity among the plurality of attributes or attribute values with respect to the influence information associated with one attribute combination. Is output. In other words, the output control unit 136 outputs risk information by preferentially associating the extracted combination with an attribute with high sensitivity.

  Further, the output control unit 136 outputs the number of rows corresponding to each attribute combination, that is, the number of extracted entries corresponding to the extracted combination included in the risk information.

  Next, operation | movement of the leakage risk provision apparatus 100 of an Example is demonstrated. FIG. 9 is a flowchart illustrating an example of the risk providing process according to the embodiment.

  When receiving the individual vote data T, the priority information S, and the threshold value group P from the input unit 110, the accepting unit 131 accepts the inputted individual vote data T, the priority information S, and the threshold value group P (step S1). . The receiving unit 131 stores the received individual vote data T, the priority information S, and the threshold value group P in the individual vote data storage unit 121, the priority information storage unit 122, and the threshold value storage unit 123, respectively, as well as an attribute combination extraction instruction. Is output to the high risk attribute extraction unit 132.

  When the attribute combination extraction instruction is input from the reception unit 131, the high risk attribute extraction unit 132 reads the sensitivity of each attribute included in the priority information S from the priority information storage unit 122. The high risk attribute extraction unit 132 refers to the individual vote data storage unit 121 based on the sensitivity of each read attribute, and generates a combination of all attributes for the attributes of the individual vote data T. The high-risk attribute extraction unit 132 calculates a priority for the generated combination of all attributes based on the product of the sensitivity of the attributes in the combination.

  The high risk attribute extraction unit 132 extracts attribute combinations whose priority satisfies a predetermined condition based on the calculated priority. The high risk attribute extraction unit 132 determines whether there is an attribute combination to be processed yet (step S2). When there is an attribute combination to be processed (step S2: affirmative), the high risk attribute extraction unit 132 selects the attribute combination with the highest priority among the attribute combinations to be processed as the attribute combination A (step S3). ). The high risk attribute extraction unit 132 outputs the selected attribute combination A to the isolated entry extraction unit 133.

  When the attribute combination A is input from the high risk attribute extraction unit 132, the isolated entry extraction unit 133 calculates the frequency distribution F of the value of the attribute combination A (step S4). The isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F has a frequency less than the threshold value p1 (step S5). The isolated entry extraction unit 133 outputs a selection instruction for selecting the next attribute combination A to the high risk attribute extraction unit 132 when the frequency distribution F does not have a frequency less than the threshold value p1 (No at Step S5). The process returns to step S2.

  If the frequency distribution F has a frequency less than the threshold value p1 (step S5: Yes), the isolated entry extraction unit 133 refers to the individual data storage unit 121 and determines the total number of rows for the frequency whose frequency is less than the threshold value p1. Calculate (step S6). In addition, the isolated entry extraction unit 133 outputs the rows whose frequency is less than the threshold p1 to the influence calculation unit 134.

  The influence degree calculation unit 134 receives a row whose frequency is less than the threshold value p <b> 1 from the isolated entry extraction unit 133. The influence degree calculation unit 134 refers to the individual form data storage unit 121 and the priority information storage unit 122, and determines the influence degree of attributes other than the attributes included in the attribute combination A for the row whose input frequency is less than the threshold p1. Calculate (step S7). The influence degree calculation unit 134 outputs the calculated influence degree to the isolated entry extraction unit 133.

  When the influence level is input from the influence level calculation unit 134, the isolated entry extraction unit 133 refers to the individual form data storage unit 121, and among the rows whose frequency is less than the threshold value p1, the threshold value p2 is lower than the order of the influence level. Are extracted (step S8). The isolated entry extraction unit 133 outputs the attribute combination A, the calculated total number of rows, and the extracted rows to the risk information extraction unit 135.

  When the attribute combination A, the calculated total number of rows, and the extracted rows are input from the isolated entry extraction unit 133, the risk information extraction unit 135 refers to the individual data storage unit 121 and extracts the row numbers for the extracted rows. Specific information and influence information are extracted (step S9). The risk information extraction unit 135 stores the attribute combination A, the calculated total number of rows, the extracted row number, specific information, and influence information in the risk information storage unit 124 in order of priority (step S10).

  The risk information extraction unit 135 refers to the risk information storage unit 124 and determines whether or not the total number of lines of risk information is less than the threshold value p3 (step S11). When the total number of lines of risk information is less than the threshold value p3 (step S11: affirmative), the risk information extraction unit 135 outputs a selection instruction for selecting the next attribute combination A to the high risk attribute extraction unit 132 Then, the process returns to step S2.

  When the total number of lines of risk information is not less than the threshold value p3 (No at Step S11), the risk information extraction unit 135 excludes attribute combinations including the attribute combination A from the attribute combinations to be processed. That is, the risk information extraction unit 135 outputs an exclusion instruction to the high risk attribute extraction unit 132 (step S12). When the exclusion instruction is input from the risk information extraction unit 135, the high risk attribute extraction unit 132 excludes the attribute combination including the attribute combination A included in the exclusion instruction from the attribute combination to be processed, and proceeds to step S2. Return.

  If there is no attribute combination to be processed (No at Step S2), the high risk attribute extraction unit 132 outputs an output instruction to the output control unit 136. When an output instruction is input from the high risk attribute extraction unit 132, the output control unit 136 reads risk information from the risk information storage unit 124. The output control unit 136 rearranges the read risk information in descending order of priority in the attribute combination. The output control unit 136 displays an output screen including the rearranged risk information on the display unit 111 (step S13). Thereby, the leakage risk providing apparatus 100 can improve the accuracy of the determination of the leakage risk.

  Next, a specific example of risk provision processing will be described. In the following description, the individual form data stored in the individual form data storage unit 121 shown in FIG. 6 is used as the individual form data T, and the priority information S is stored in the priority information storage unit 122 shown in FIG. Priority information is used. Further, as the threshold group P, threshold p1 = 2, threshold p2 = 3, and threshold p3 = 2 are used. In the following description, description will be made by paying attention to specific examples in each step of the risk providing process, and details of the operation of each unit will be omitted.

  In step S <b> 1, the receiving unit 131 receives the individual slip data T, the priority information S, and the threshold value group P. Further, the high risk attribute extraction unit 132 generates a combination of all attributes for the attributes of the individual vote data T based on the sensitivity of each attribute. The high-risk attribute extraction unit 132 calculates a priority for the generated combination of all attributes based on the product of the sensitivity of the attributes in the combination.

  In step S2, the high risk attribute extraction unit 132 extracts attribute combinations whose priority satisfies a predetermined condition based on the calculated priority. The attribute combinations to be extracted are {birth year}, {nationality}, {diagnosis result}, {birth year, nationality}, {birth year, medical examination result}, {nationality, medical examination result}, {birth year, nationality, medical examination result}. Become one. The high risk attribute extraction unit 132 determines that there is an attribute combination to be processed.

  In step S3, among the seven attribute combinations, the attribute combination with the highest priority is {birth year} with a product of “2”, so the high-risk attribute extraction unit 132 sets {birth year} to the attribute combination. Select as A.

  In step S4, the isolated entry extraction unit 133 counts the {birth year} value of the individual vote data T as the frequency distribution F in the individual vote data T of the value of the attribute combination A. That is, since the frequency of the attribute value “4?” Is “3” and the frequency of the attribute value “5?” Is “2”, the isolated entry extraction unit 133 has F = {(4?): 3, (5 ?): Count as 2}.

  In step S5, when the isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F includes a frequency less than the threshold p1 = 2, the frequency returns to step S2 because there is no frequency less than the threshold p1 = 2.

  In step S2, since {birth year} has been processed, the attribute combinations to be processed are {nationality}, {diagnosis result}, {birth year, nationality}, {birth year, diagnosis result}, {nationality, diagnosis result}, {Birth year, nationality, results of examination}. The high risk attribute extraction unit 132 determines that there is an attribute combination to be processed.

  In step S3, the attribute combination having the highest priority among the six attribute combinations is {nationality} having a product of “10”, so the high-risk attribute extraction unit 132 sets {nationality} to the attribute combination. Select as A.

  In step S4, the isolated entry extraction unit 133 counts the value of {nationality} of the individual data T as the frequency distribution F in the individual data T of the attribute combination A value. That is, since the frequency of the attribute value “Japan” is “2” and the frequency of the attribute value “China” is “3”, the isolated entry extraction unit 133 has F = {(Japan): 2, (China): 3. }.

  In step S5, when the isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F includes a frequency less than the threshold p1 = 2, the frequency returns to step S2 because there is no frequency less than the threshold p1 = 2.

  In step S2, since {birth year} and {nationality} have been processed, the attribute combinations to be processed are {diagnosis result}, {birth year, nationality}, {birth year, diagnosis result}, {nationality, diagnosis result}, {Birth year, nationality, results of examination}. The high risk attribute extraction unit 132 determines that there is an attribute combination to be processed.

  In step S3, the attribute combination having the highest priority among the five attribute combinations is {2 * 10 = 20] {birth year, nationality}, so the high risk attribute extraction unit 132 Select {birth year, nationality} as attribute combination A.

  In step S4, the isolated entry extraction unit 133 counts the {birth year, nationality} value of the individual vote data T as the frequency distribution F in the individual vote data T of the value of the attribute combination A. That is, the isolated entry extraction unit 133 counts F = {(4 ?, Japan): 2, (4 ?, China): 1, (5 ?, China): 2}.

  In step S5, when the isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F includes a frequency less than the threshold p1 = 2, since there is a frequency less than the threshold p1 = 2, the process proceeds to step S6.

  In step S6, the isolated entry extraction unit 133 calculates {1} as the total number of rows because the number of rows whose frequency is less than the threshold p1 is only {(4 ?, China): 1}.

  In step S <b> 7, the influence degree calculation unit 134 calculates the influence degree of an attribute other than {birth year, nationality} for the line with the line number “3” which is {(4 ?, China): 1}. The influence degree calculation unit 134 calculates the sensitivity “80” of the attribute value “hepatitis” of the attribute “diagnosis result” as the influence degree. When there are a plurality of attribute values, the degree of influence may be obtained by adding or multiplying each degree of sensitivity, or the maximum degree of sensitivity may be used as the degree of influence.

  In step S <b> 8, the isolated entry extraction unit 133 extracts rows with the threshold value p <b> 2 = 3 rows in descending order of influence from the rows with the frequency less than the threshold value p <b> 1. Here, since the row whose frequency is less than the threshold p1 is only the row with the row number “3”, the row with the row number “3” is extracted.

  In step S9, the risk information extraction unit 135 extracts the line number {3} and the specific information {birth year: 4? For the extracted line number “3”. , Nationality: China} and influence information {diagnosis result: hepatitis}.

  In step S10, the risk information extraction unit 135 sets the attribute combination {birth year, nationality}, total number of rows {1}, row number {3}, and specific information {birth year: 4? , Nationality: China} and influence information {diagnosis result: hepatitis} are stored in the risk information storage unit 124 in order of priority. Note that the priority of the attribute combination {birth year, nationality} is “20”, but since there is only one row with the row number {3}, this one row is stored in the risk information storage unit 124. FIG. 10 is a diagram illustrating an example of processing in the risk information storage unit. The risk information storage unit 124 a illustrated in FIG. 10 indicates a state in which risk information is stored in the risk information storage unit 124 in step 10. The risk information is arranged in order of priority by the processes of steps S6 to S9.

  In step S11, the risk information extraction unit 135 determines that the total number of lines of risk information “1” is less than the threshold value p3 = 2, so outputs a selection instruction to the high risk attribute extraction unit 132 and returns to step S2. .

  In step S2, {birth year}, {nationality}, and {birth year, nationality} have been processed, so the attribute combinations to be processed are {diagnosis result}, {birth year, diagnosis result}, {nationality, diagnosis result}, {Birth year, nationality, results of examination}. The high risk attribute extraction unit 132 determines that there is an attribute combination to be processed.

  In step S3, the attribute combination with the highest priority among the four attribute combinations is {diagnosis result} having a product of “100”, so the high-risk attribute extraction unit 132 sets {diagnosis result}. Select as attribute combination A.

  In step S4, the isolated entry extraction unit 133 counts the {diagnosis result} values of the individual vote data T as the frequency distribution F in the individual vote data T of the value of the attribute combination A. That is, the isolated entry extraction unit 133 counts F = {(lung cancer): 1, (HIV): 1, (hepatitis): 1, (cold): 2}.

  In step S5, when the isolated entry extraction unit 133 determines whether or not the calculated frequency distribution F includes a frequency less than the threshold p1 = 2, since there is a frequency less than the threshold p1 = 2, the process proceeds to step S6.

  In step S6, the isolated entry extraction unit 133 sets {3} as the total number of rows because the row whose frequency is less than the threshold p1 is {(lung cancer): 1, (HIV): 1, (hepatitis): 1}. calculate.

  In step S <b> 7, the influence degree calculation unit 134 determines {{lung cancer): 1, (HIV): 1, (hepatitis): 1} for the row numbers “1”, “2”, “3” { The degree of influence of attributes other than the diagnosis result} is calculated. The maximum sensitivity of the attributes other than {diagnosis result} is “10” of the attribute “nationality”. In this case, the next highest sensitivity is compared, and the next highest sensitivity is also “2” of the attribute “birth year”. In this specific example, since there are no other attributes, priority is given to a line with a small line number.

  In step S <b> 8, the isolated entry extraction unit 133 extracts rows with the threshold value p <b> 2 = 3 rows in descending order of influence from the rows with the frequency less than the threshold value p <b> 1. That is, although there are three rows whose frequency is less than the threshold value p1, two rows are extracted in order from the row with the smallest row number. That is, the isolated entry extraction unit 133 extracts the lines with the line numbers “1” and “2”.

  In step S9, the risk information extraction unit 135 extracts the line number, the specific information, and the influence information for the extracted lines with the line numbers “1” and “2”, respectively. Line number “1” is line number {1}, specific information {diagnosis result: lung cancer} and influence information {nationality: Japan, year of birth: 4? } Is extracted. Line number “2” is line number {2}, specific information {diagnosis result: HIV} and influence information {nationality: Japan, year of birth: 4? } Is extracted.

  In step S10, the risk information extraction unit 135 sorts the attribute combination {diagnosis result}, the total number of rows {3}, and the specific information and the influence information corresponding to the row numbers {1} and {2} in order of priority. Store in the risk information storage unit 124. Here, as described above, the line numbers {1} and {2} have the same priority, and are stored in the risk information storage unit 124 in ascending order of the line numbers. Note that the order of the attribute values in the influence information is the order in which the degree of influence (sensitivity) of each attribute value is large, that is, the nationality with the influence degree “10” and the year of birth with the influence degree “2”. The risk information storage unit 124 in this state is in the state of the risk information storage unit 124 shown in FIG.

  In step S <b> 11, the risk information extraction unit 135 determines that the total number of lines of risk information “3” is not less than the threshold value p <b> 3 = 2.

  In step S <b> 12, the risk information extraction unit 135 outputs an exclusion instruction to the high risk attribute extraction unit 132. The high risk attribute extraction unit 132 excludes the attribute combination including the attribute combination {diagnosis result} from the attribute combinations to be processed, and returns to step S2.

  In step S2, {birth year}, {nationality}, {birth year, nationality} have been processed, and the high-risk attribute extraction unit 132 performs the remaining attribute combinations {birth year, medical examination result}, {nationality, medical examination result}, { The attribute combination including {diagnosis result} is excluded from the birth year, nationality, and diagnosis result}. The high risk attribute extraction unit 132 determines that there is no attribute combination to be processed, and outputs an output instruction to the output control unit 136.

  In step S13, the output control unit 136 reads the risk information from the risk information storage unit 124, and rearranges the risk information in descending order of priority in the attribute combination. The output control unit 136 causes the display unit 111 to display an output screen including the rearranged risk information. As described above, if the risk information is already in order of priority, it is output as it is. In this way, the leakage risk providing apparatus 100 can efficiently grasp a specific example of a high-risk privacy infringement, and thus can improve the accuracy of the determination of the leakage risk. In addition, since the leakage risk providing apparatus 100 outputs attribute combinations from those with a small product of sensitivity, it is easy to analyze an effective anonymization method. That is, effective anonymization is to prevent a line from being identified with an attribute that is easy to know, and an attribute with a small product is considered to be easy to know in many cases.

  Moreover, since the leakage risk providing apparatus 100 outputs from the degree of influence, that is, the influence information having a high degree of sensitivity, the efficiency can be improved in determining the necessity of anonymization. That is, in order to determine the necessity of anonymization, analysis of the maximum risk is required, but the risk is considered to be proportional to the sensitivity of the impact information.

  As described above, the leakage risk providing apparatus 100 includes the storage unit 120 that stores the sensitivity of each attribute in the individual vote data, which is a set of entries given a plurality of attributes. Further, the leakage risk providing apparatus 100 calculates a leakage risk for each combination of attributes based on the sensitivity, and extracts a combination of attributes for which the leakage risk satisfies a predetermined condition. Further, the leakage risk providing apparatus 100 extracts, for each extracted combination, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition. Further, the leakage risk providing apparatus 100 calculates the influence level of attributes other than the attributes included in the extracted combination in the extracted entry based on the sensitivity. Further, the leakage risk providing apparatus 100 associates the extracted combination with an attribute whose degree of influence satisfies a predetermined condition. As a result, the accuracy of determination of leakage risk can be increased.

  In addition, the leakage risk providing apparatus 100 calculates the leakage risk by using the product of the attributes included in the attribute combination. As a result, risk information can be calculated in the order of easily known attributes.

  Further, the leakage risk providing apparatus 100 outputs, as risk information, the extracted combinations associated with attributes whose influence degree satisfies a predetermined condition in descending order of leakage risk in the extracted combinations. As a result, it is possible to efficiently grasp high-risk privacy violations.

  Further, the leakage risk providing apparatus 100 outputs the information of the extracted entry corresponding to the extracted combination in the risk information. As a result, the accuracy of determination of leakage risk can be increased.

  Further, the leakage risk providing apparatus 100 outputs risk information with priority given to the extracted entry having a high degree of sensitivity of the attribute associated with the extracted combination. As a result, entries can be output in the order of attributes that have a large influence when known.

  In addition, the leakage risk providing apparatus 100 outputs risk information by preferentially associating the extracted combination with a high-sensitivity attribute. As a result, the influence information can be output in the order of the attribute having the greatest influence when known in the entry.

  Moreover, the leakage risk providing apparatus 100 outputs the number of extracted entries corresponding to the extracted combination in the risk information. As a result, it is possible to grasp how much information can be specified in the individual vote data.

  In addition, when the combination of attributes includes a combination of other attributes, the leakage risk providing apparatus 100 excludes the combination of attributes including the combination of other attributes, and the leakage risk satisfies a predetermined condition. Extract attribute combinations. As a result, the processing amount can be reduced. In addition, since the output risk information is simplified, the user can easily understand.

  In the above embodiment, the medical examination result is used as an example of the individual slip data. However, the present invention is not limited to this. For example, the present invention may be applied to member registration information in stores, various questionnaire results, and the like.

  In addition, each component of each part illustrated does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each unit is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed / integrated in arbitrary units according to various loads or usage conditions. Can be configured. For example, the isolated entry extraction unit 133 and the influence degree calculation unit 134 may be integrated. In addition, the illustrated processes are not limited to the above-described order, and may be performed at the same time as long as the process contents are not contradictory, or may be performed in a different order.

  Furthermore, various processing functions performed in each device may be executed entirely or arbitrarily on a CPU (or a microcomputer such as an MPU or MCU (Micro Controller Unit)). In addition, various processing functions may be executed in whole or in any part on a program that is analyzed and executed by a CPU (or a microcomputer such as an MPU or MCU) or on hardware based on wired logic. Needless to say, it is good.

  By the way, the various processes described in the above embodiments can be realized by executing a program prepared in advance by a computer. Therefore, in the following, an example of a computer that executes a program having the same function as in the above embodiment will be described. FIG. 11 is a diagram illustrating an example of a computer that executes a leakage risk providing program.

  As illustrated in FIG. 11, the computer 200 includes a CPU 201 that executes various arithmetic processes, an input device 202 that receives data input, and a monitor 203. The computer 200 also includes a medium reading device 204 that reads a program and the like from a storage medium, an interface device 205 for connecting to various devices, and a communication device 206 for connecting to other information processing devices and the like by wire or wirelessly. Have The computer 200 also includes a RAM 207 that temporarily stores various types of information and a hard disk device 208. Each device 201 to 208 is connected to a bus 209.

  The hard disk device 208 has the same processing units as the receiving unit 131, the high risk attribute extracting unit 132, the isolated entry extracting unit 133, the influence degree calculating unit 134, the risk information extracting unit 135, and the output control unit 136 shown in FIG. The leakage risk providing program having the function is stored. Also, the hard disk device 208 stores individual data storage unit 121, priority information storage unit 122, threshold storage unit 123, risk information storage unit 124, and various data for realizing a leakage risk providing program. . The input device 202 receives input of various information such as operation information from a user of the computer 200, for example. The monitor 203 displays various screens such as an output screen for the user of the computer 200, for example. The medium reader 204 reads the individual slip data T, the priority information S, and the threshold value group P from the storage medium. The interface device 205 is connected to, for example, a printing device. The communication device 206 is connected to, for example, a network (not shown) and exchanges various information with other information processing devices.

  The CPU 201 reads out each program stored in the hard disk device 208, develops it in the RAM 207, and executes it to perform various processes. These programs function as the reception unit 131, the high risk attribute extraction unit 132, the isolated entry extraction unit 133, the influence degree calculation unit 134, the risk information extraction unit 135, and the output control unit 136 shown in FIG. Can be made.

  Note that the above leakage risk providing program is not necessarily stored in the hard disk device 208. For example, the computer 200 may read and execute a program stored in a storage medium readable by the computer 200. The storage medium readable by the computer 200 corresponds to, for example, a portable recording medium such as a CD-ROM, a DVD disk, and a USB memory, a semiconductor memory such as a flash memory, a hard disk drive, and the like. Alternatively, the leakage risk providing program may be stored in a device connected to a public line, the Internet, a LAN, or the like, and the computer 200 may read and execute the leakage risk providing program therefrom.

  As described above, the following supplementary notes are further disclosed regarding the embodiment including the present example.

(Supplementary Note 1) A storage unit that stores the sensitivity of each of the attributes in the piece data that is a set of entries given a plurality of attributes;
Based on the sensitivity, an attribute extraction unit that calculates a leakage risk for each combination of attributes, and extracts a combination of attributes for which the leakage risk satisfies a predetermined condition;
For each of the extracted combinations, an entry extraction unit that extracts entries in which the number of entries specified by the value of the attribute included in the combination satisfies a predetermined condition;
Based on the sensitivity, an influence degree calculating unit that calculates an influence degree of an attribute other than the attribute included in the extracted combination in the extracted entry;
A risk information creation unit for associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing apparatus characterized by comprising:

(Additional remark 2) The said attribute extraction part calculates the said leakage risk using the product of the said sensitivity of the said attribute contained in the combination of the said attribute,
The leakage risk providing apparatus according to supplementary note 1, wherein:

(Additional remark 3) Furthermore, the output control part which outputs the said extracted combination matched with the attribute with which the said influence degree satisfy | fills a predetermined condition as risk information in order with the said high leak risk in the said extracted combination,
The leakage risk providing apparatus according to appendix 1 or 2, characterized by comprising:

(Supplementary Note 4) The output control unit outputs information on the extracted entry corresponding to the extracted combination included in the risk information.
The leakage risk providing apparatus according to Supplementary Note 3, wherein

(Supplementary Note 5) The output control unit outputs the risk information in preference to the extracted entry having the high sensitivity of the attribute associated with the extracted combination.
The leakage risk providing apparatus according to Supplementary Note 4, wherein

(Supplementary Note 6) The output control unit outputs the risk information by preferentially associating the attribute with high sensitivity to the extracted combination.
The leakage risk providing apparatus according to any one of supplementary notes 3 to 5, characterized in that:

(Supplementary Note 7) The output control unit outputs the risk information including the extracted number of entries corresponding to the extracted combination.
The leakage risk providing apparatus according to any one of supplementary notes 3 to 6, characterized in that:

(Supplementary note 8) When the attribute combination includes the other attribute combination, the attribute extraction unit excludes the attribute combination including the other attribute combination, and the leakage risk. Extracts combinations of attributes that satisfy a given condition,
The leakage risk providing apparatus according to any one of appendices 1 to 7, characterized in that:

(Supplementary Note 9) Leakage for each combination of attributes based on the sensitivity stored in the storage unit storing each sensitivity of the attribute in the individual vote data which is a set of entries given a plurality of attributes Calculate the risk, extract the combination of attributes that the leakage risk satisfies the predetermined condition,
For each of the extracted combinations, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition is extracted.
Based on the sensitivity, calculate the degree of influence of attributes other than the attributes included in the extracted combination in the extracted entry;
Associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing method, wherein a computer executes processing.

(Additional remark 10) The process which extracts the combination of the said attribute calculates the said leakage risk using the product of the said sensitivity of the said attribute contained in the said attribute combination,
The leakage risk providing method according to supplementary note 9, characterized by:

(Additional remark 11) Furthermore, the said extracted combination matched with the attribute with which the said influence degree satisfy | fills predetermined conditions is output as risk information in order with the said leakage risk in the said extracted combination high,
The leakage risk providing method according to appendix 9 or 10, wherein the process is executed by a computer.

(Additional remark 12) The said process to output includes the information of the said extracted entry corresponding to the said extracted combination in the said risk information, and outputs,
The leakage risk providing method according to Supplementary Note 11, wherein the leakage risk is provided.

(Additional remark 13) The said process to output outputs the said risk information in preference to the said extracted entry with the said high sensitivity of the said attribute matched with the said extracted combination.
The leakage risk providing method according to supplementary note 12, characterized by:

(Supplementary note 14) In the output process, the extracted combination is preferentially associated with the attribute having high sensitivity, and the risk information is output.
The leakage risk providing method according to any one of appendices 11 to 13, characterized in that:

(Supplementary Note 15) The output process includes outputting the number of extracted entries corresponding to the extracted combination in the risk information,
The leakage risk providing method according to any one of appendices 11 to 14, characterized in that:

(Supplementary Note 16) When the attribute combination includes other attribute combinations, the process of extracting the attribute combinations excludes the attribute combinations including other attribute combinations. Extracting a combination of attributes for which the leakage risk satisfies a predetermined condition;
The leakage risk providing method according to any one of supplementary notes 9 to 15, wherein

(Supplementary Note 17) Leakage for each combination of attributes based on the sensitivity stored in the storage unit storing each sensitivity of the attribute in the individual vote data that is a set of entries given a plurality of attributes Calculate the risk, extract the combination of attributes that the leakage risk satisfies the predetermined condition,
For each of the extracted combinations, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition is extracted.
Based on the sensitivity, calculate the degree of influence of attributes other than the attributes included in the extracted combination in the extracted entry;
Associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing program for causing a computer to execute processing.

(Additional remark 18) The process which extracts the combination of the said attribute calculates the said leakage risk using the product of the said sensitivity of the said attribute contained in the said attribute combination,
The leakage risk providing program according to supplementary note 17, characterized by:

(Supplementary note 19) Further, in order from the highest leakage risk in the extracted combination, the extracted combination associated with an attribute whose influence degree satisfies a predetermined condition is output as risk information.
19. The leakage risk providing program according to appendix 17 or 18, which causes a computer to execute processing.

(Supplementary note 20) The output process includes outputting information of the extracted entry corresponding to the extracted combination in the risk information,
The leakage risk providing program according to appendix 19, characterized by:

(Additional remark 21) The process to output outputs the risk information in preference to the extracted entry having the high sensitivity of the attribute associated with the extracted combination.
The leakage risk providing program according to supplementary note 20, characterized by:

(Additional remark 22) The process to output outputs the risk information by preferentially associating the attribute with high sensitivity to the extracted combination.
The leakage risk providing program according to any one of supplementary notes 19 to 21, characterized in that:

(Supplementary Note 23) In the output process, the risk information includes and outputs the extracted number of entries corresponding to the extracted combination.
The leakage risk providing program according to any one of supplementary notes 19 to 22, characterized in that:

(Supplementary Note 24) When the attribute combination includes other attribute combinations, the process of extracting the attribute combinations excludes the attribute combinations including other attribute combinations. Extracting a combination of attributes for which the leakage risk satisfies a predetermined condition;
The leakage risk providing program according to any one of supplementary notes 17 to 23, characterized in that:

DESCRIPTION OF SYMBOLS 100 Leakage risk provision apparatus 110 Input part 111 Display part 112 Operation part 120 Storage part 121 Individual vote data storage part 122 Priority information storage part 123 Threshold storage part 124 Risk information storage part 130 Control part 131 Acceptance part 132 High risk attribute extraction part 133 Isolated entry extraction unit 134 Influence calculation unit 135 Risk information extraction unit 136 Output control unit

Claims (10)

A storage unit for storing the sensitivity of each of the attributes in the individual vote data that is a set of entries given a plurality of attributes;
Based on the sensitivity, an attribute extraction unit that calculates a leakage risk for each combination of attributes, and extracts a combination of attributes for which the leakage risk satisfies a predetermined condition;
For each of the extracted combinations, an entry extraction unit that extracts entries in which the number of entries specified by the value of the attribute included in the combination satisfies a predetermined condition;
Based on the sensitivity, an influence degree calculating unit that calculates an influence degree of an attribute other than the attribute included in the extracted combination in the extracted entry;
A risk information creation unit for associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing apparatus characterized by comprising: The attribute extraction unit calculates the leakage risk using a product of the sensitivity of the attributes included in the combination of the attributes;
The leakage risk providing apparatus according to claim 1. Furthermore, an output control unit that outputs the extracted combination associated with an attribute whose influence degree satisfies a predetermined condition in order from the highest leakage risk in the extracted combination as risk information,
The leakage risk providing apparatus according to claim 1, wherein the leakage risk providing apparatus comprises: The output control unit outputs the extracted entry information corresponding to the extracted combination included in the risk information,
The leakage risk providing apparatus according to claim 3. The output control unit outputs the risk information in preference to the extracted entry having a high degree of sensitivity of the attribute associated with the extracted combination;
The leakage risk providing apparatus according to claim 4. The output control unit preferentially associates the attribute with high sensitivity with the extracted combination and outputs the risk information.
The leakage risk providing apparatus according to any one of claims 3 to 5, wherein The output control unit outputs the risk information including the extracted number of entries corresponding to the extracted combination.
The leakage risk providing apparatus according to any one of claims 3 to 6, characterized in that: The attribute extraction unit excludes the combination of the attributes including the combination of the other attributes when the combination of the attributes includes the combination of the other attributes, and the leakage risk is a predetermined condition. Extract combinations of attributes that satisfy
The leakage risk providing apparatus according to any one of claims 1 to 7, wherein Based on the sensitivity stored in the storage unit that stores the sensitivity of each attribute in the individual vote data, which is a set of entries given a plurality of attributes, a leakage risk is calculated for each combination of the attributes. , Extract a combination of attributes for which the leakage risk satisfies a predetermined condition,
For each of the extracted combinations, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition is extracted.
Based on the sensitivity, calculate the degree of influence of attributes other than the attributes included in the extracted combination in the extracted entry;
Associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing method, wherein a computer executes processing. Based on the sensitivity stored in the storage unit that stores the sensitivity of each attribute in the individual vote data, which is a set of entries given a plurality of attributes, a leakage risk is calculated for each combination of the attributes. , Extract a combination of attributes for which the leakage risk satisfies a predetermined condition,
For each of the extracted combinations, an entry in which the number of entries specified by the attribute value included in the combination satisfies a predetermined condition is extracted.
Based on the sensitivity, calculate the degree of influence of attributes other than the attributes included in the extracted combination in the extracted entry;
Associating the extracted combination with an attribute for which the degree of influence satisfies a predetermined condition;
A leakage risk providing program for causing a computer to execute processing.

Images