JP6668604B2 - Information distribution device for inter-device communication - Google Patents

Description

  The present invention relates to a technology for distributing information to be communicated between devices.

  Conventionally, devices connected to the Internet were mainly IT-related devices such as personal computers, servers, printers, and storage devices that perform operations such as calculating, outputting, and storing information. In recent years, various other devices have been used. There has been proposed a technology for realizing the Internet of Things (IoT), which is also connected to the Internet. By this, for example, information on devices such as doors, lights, air conditioners, and televisions is delivered, and when information on unlocking the door from the outside is acquired, it is determined that the user has returned home, and the lighting and air conditioner in the room are turned on. Alternatively, it is possible to perform cooperative control such that it is determined that the user goes to sleep and the television is turned off when the information that turns off the lighting of the room is acquired at night. Further, when the user plays a DVD of a movie with a DVD player, cooperative control such as making a recording reservation for a television program in which the leading actor of the movie appears can be performed.

  When cooperative control by such various devices is to be realized, information is transmitted and received between companies that manage information of each device, and personal information is not leaked by information provided to other companies. It is necessary to take care.

  Patent Literature 1 discloses an apparatus for controlling home electric appliances via a communication line. Patent Document 2 discloses that anonymization is performed such that there are a predetermined number (k values) or more of individuals having the same attribute value so that the anonymized information is not easily re-identified by collation with other information. Is described.

JP-A-2004-40285 JP 2014-102643 A

  FIG. 13 is a diagram illustrating an example of the cooperative control. In the example of FIG. 13, a door sensor 91, an air conditioner 92, and a television 93 are provided in the user's house as devices for performing cooperative control. The door sensor 91 is connected to the cooperation system 9A of the company A via the communication path Na. Similarly, the air conditioner 92 is connected to the cooperation system 9B of the company B via the communication path Nb, and the television 93 is connected to the cooperation system 9C of the company C via the communication path Nc.

  The communication paths Na, Nb, and Nc are not particularly limited, such as a telephone line, a wireless communication line, and the Internet, as long as the devices 91 to 93 can communicate with the cooperation systems 9A, 9B, and 9C. good. Each of the cooperation systems 9A, 9B, and 9C is connected to a plurality of user home devices 91 to 93 via communication paths Na, Nb, and Nc.

The cooperative systems 9A, 9B, and 9C communicate with each other via the network N, for example, transmit information obtained from the devices 91 to 93 to another cooperative system, and based on information received from another cooperative system. To control the devices 91 to 93. The cooperative system A acquires unlocking and locking information from the door sensor 91, and transmits this information, an ID corresponding to each door sensor 91, and anonymized user information to the cooperative systems 9B and 9C. In this example, the ID, the sensor information, and the gender information are transmitted to the cooperation system 9B, and the information is transmitted to the cooperation system 9C.
Transmit ID, sensor information, gender, age information. This ID is different for each of the cooperation systems 9B and 9C so that reconnection is not possible by this ID.

  When receiving the unlocking information from the door sensor 91, the cooperative system 9B sets the air conditioner 92 to a low temperature if the user is a male and operates the air conditioner 92 to a high temperature if the user is a female. To operate.

  When receiving the unlocking information from the door sensor 91, the cooperative system 9C operates the television 93 and selects a recommended television program according to the age and gender of the user.

  The data 99 is an example of data registered in the database of the cooperation system 9B at this time, and the data 98 is an example of data registered in the database of the cooperation system 9C.

  Since the data provided from the cooperation system 9A is anonymized information such as ID, sensor information, gender, and age, it is unlikely that an individual is specified from this information. However, if the cooperation systems 9B and 9C that have received this information record the reception date and time and the update date and time as a time stamp, there is a possibility that the information can be re-identified by the time stamp. For example, the person in charge of the cooperative system B illegally acquires the data 99 of the cooperative system 9C, compares the data 99 with the data 98 of the cooperative system 9B, and specifies data with the same time stamp. In the example of FIG. 13, among the data 99 of the cooperation system 9C, the time stamp of the data having the ID a256 and the data having the ID of x123 of the cooperation system 9B match, and the data of a256 corresponds to the data of the user corresponding to x123. It turns out that it is. That is, the user's own company data and other company's data are connected based on the time stamp, and the user of the other company's data can be identified.

  Therefore, the present invention provides a technique for disturbing the timing of providing anonymized information when providing the information, thereby reducing the possibility of reconnection by collation with a time stamp.

The information distribution device according to the present invention,
A data acquisition unit for acquiring sensor data and user data,
An anonymization unit that anonymizes the sensor data and the user data to be anonymized data,
A storage unit for storing the anonymized data,
A timing change unit that changes the transmission timing of the anonymized data so as to be different from a predetermined transmission timing according to the timing at which the anonymized data is stored in the storage unit or the timing at which the sensor data is acquired,
A transmission unit that transmits the anonymized data based on the changed transmission timing.

  The information distribution device, the timing change unit, according to the anonymization level or security risk of the anonymized data, if the anonymization level is high or the security risk is low, reduce the change of the transmission timing, When the anonymization level is low or the security risk is high, the change of the transmission timing may be increased.

The information distribution device, a segment number acquisition unit that acquires the segment number when anonymizing the sensor data and user data,
Based on a reduction coefficient indicating the amount of decrease in the minimum number of appearances when the number of categories is increased and the number of categories, the minimum number of appearances when the personal information is anonymized with the number of categories is a predetermined reference value. And an anonymous state predicting unit that calculates the number of segments in which the minimum number of occurrences is equal to or more than a predetermined reference value when it is determined that the number is less than the predetermined reference value.

The information distribution method according to the present invention includes:
Obtaining sensor data and user data;
Anonymizing the sensor data and user data to make anonymized data;
Storing the anonymized data;
Changing the transmission timing of the anonymized data so as to be different from the predetermined transmission timing according to the timing at which the anonymized data is stored in the storage unit or the timing at which the sensor data is obtained,
Transmitting the anonymized data based on the changed transmission timing.

  The information distribution method, according to the anonymization level or security risk of the anonymization data, if the anonymization level is high or the security risk is low, reduce the change in the transmission timing, the anonymization level is low or If the security risk is high, the change in the transmission timing may be increased.

The information distribution method, a step of obtaining the number of segments when anonymizing the sensor data and user data,
Based on the reduction coefficient indicating the amount of decrease in the minimum number of appearances when the number of categories is increased and the number of categories, the minimum number of appearances when the personal information is anonymized with the number of categories is a predetermined reference value. And determining the number of divisions in which the minimum number of appearances is equal to or more than a predetermined reference value when it is determined that the number is less than the predetermined reference value.

  Further, the present invention may be a program for causing a computer to execute the above method. Further, the conversion program may be recorded on a computer-readable recording medium.

  Here, a computer-readable recording medium refers to a recording medium that can store information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and can be read from a computer. . Examples of such a recording medium that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, a memory card, and the like.

  Further, as a recording medium fixed to the computer, there is a hard disk, a ROM (Read Only Memory), or the like.

  The present invention can provide a technique of disturbing the timing of providing anonymized information when providing the information, thereby reducing the possibility of reconnection by collation with a time stamp.

FIG. 1 is an explanatory diagram of the anonymization process. FIG. 2 is a diagram illustrating an example of the cooperative control system. FIG. 3 is an explanatory diagram of the reduction coefficient. FIG. 4 is a diagram illustrating an example of the personal information aggregation database. FIG. 5 is a diagram illustrating an example of the cooperative control definition database. FIG. 6 is an explanatory diagram of information used for determining the security level of each device. FIG. 7 is a functional block diagram of the cooperation system. FIG. 8 is a diagram illustrating a hardware configuration of the cooperation management server and the cooperation system. FIG. 9 is a diagram showing a schematic configuration of the device. FIG. 10 is an explanatory diagram of the cooperative control method. FIG. 11 is an explanatory diagram of the cooperative control method. FIG. 12 is an explanatory diagram of the cooperative control method. FIG. 13 is a diagram illustrating an example of conventional cooperative control.

  Hereinafter, embodiments for implementing the present invention will be described with reference to the drawings. The configuration of the following embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment.

  <First embodiment>

  FIG. 1 is an explanatory diagram of the anonymization process. FIG. 1A shows an example in which the last name item is deleted from the member information including the last name, age, and gender items. As shown in FIG. 1 (A), if there is only one 16-year-old woman in the member information in which the age is described, the 16-year-old woman is identified when it is found that this is a member. it can. That is, if only one person has the attribute of 16-year-old woman, there is a possibility that the individual can be identified by comparing it with other information.

  In FIG. 1 (B), the description of the age of the member list is abstracted and classified by age, such as 0s (under 10 years old), 10s, and 20s. However, even in this case, there is only one female teenager, and the individual can be identified as in FIG. 1A, which is insufficient for anonymization.

  Therefore, in FIG. 1C, the abstraction is further abstracted, and the division of the age is changed to that of teenagers (under 19 years old) and 20s. In the case of FIG. 1 (C), there are two women under the age of ten, and the attributes [teens and under] and [female] are not single. Therefore, as described above, even if it is determined that a 16-year-old woman is this member, it cannot be specified which is the data of the 16-year-old woman. Such a state where there are k or more people having the same attribute is referred to as satisfying "k-anonymity", and processing data in such a manner is referred to as "k-anonymization".

  FIG. 2 is a diagram illustrating an example of the cooperative control system. In the example of FIG. 2, a door sensor 91, an air conditioner 92, and a television 93 are provided in a user's house as devices for performing cooperative control. Further, the device for performing the cooperative control is not limited to the device in the user's house, and may be a lighting 94 of a parking lot outside the user's house. In addition, the device that performs the cooperative control may be a terminal that performs payment at a store or an automatic ticket gate 95 at a station.

  The door sensor 91 is connected to the cooperative system 1A of the company A via the communication path Na. Similarly, the air conditioner 92 is connected to the cooperation system 1B of the company B via the communication path Nb, the television 93 is connected to the cooperation system 1C of the company C via the communication path Nc, and the lighting 94 is connected to the communication path Nd. Is connected to the cooperation system 1D of the company D via. In addition, the automatic ticket gate 95 connects to the cooperation system 1E of the company E via the network Ne.

  The communication paths Na to Ne are not particularly limited, such as a telephone line, a wireless communication line, and the Internet. Any communication path may be used as long as the devices 91 to 95 can communicate with the cooperative systems 1A to 1E. The devices 91 to 95 and the cooperative systems 1A to 1E are not limited to communicating with each other. The devices 91 to 95 may transmit sensor information or the devices 91 to 95 may receive the anonymized data. It may be performed in the direction. In addition, each of the cooperative systems 1A to 1E is connected to devices 91 to 94 at a plurality of user homes via communication paths Na to Nd.

The cooperative systems 1A to 1E are devices that connect to the cooperative management server 2 via the network N and transmit and receive information used for cooperative control via the cooperative management server 2 respectively. For example, the cooperation systems 1 </ b> A to 1 </ b> E receive sensor data indicating information detected by the device at the user's home, and transmit the sensor data to the cooperation management server 2. Further, the cooperative systems 1A to 1E receive sensor data of devices of other companies from the cooperative management server 2, and based on the sensor data, anonymized data for performing cooperative control is transmitted to the devices 91 to 94 in the user's home. Send. Note that, when the devices 91 to 95 are described without specifying any of the devices 91 to 95, they are also referred to as devices 90. Further, when describing the cooperative systems 1A to 1E without specifying any of the cooperative systems 1A to 1E, the cooperative systems 1A to 1E are also referred to as the cooperative system 1.

  As shown in FIG. 2, the cooperative management server 2 includes a data acquisition unit 21, a security level determination unit 22, an anonymization unit 23, a storage unit 24, a timing change unit 25, a data transmission unit 26, a number-of-sections acquisition unit 27, The system includes an anonymous state prediction unit 28, a personal information aggregation database 31, a cooperative control definition database 32, and a risk determination database 33.

  The data acquisition unit 21 acquires sensor data and user data from each cooperation system 1.

  The security level determination unit 22 determines, as a security level, a risk that personal information is specified based on a result of evaluation by a risk evaluator, information on security of each cooperative system 1, and information on security of the device 90. The evaluation result and information on security are stored in a storage device in advance, for example, and read out and used for determining the security level. Information that can be obtained from the cooperative system 1 and the device 90, such as the version of the operating system (OS) and the application status of the security patch, may be received from the cooperative system 1 and the device 90, respectively.

  The anonymization unit 23 performs anonymization processing on the sensor data and the user data to generate anonymized data.

  The storage unit 24 functions as a queue for temporarily storing anonymized data and transmitting the data at an appropriate timing.

  The timing changing unit 25 changes the transmission timing of the anonymized data so as to be different from the timing at which the anonymized data is stored in the storage unit or the predetermined transmission timing according to the timing at which the sensor data is acquired. The timing change unit 25, for example, reduces the change of the transmission timing when the anonymization level is high or the security risk is low, according to the anonymization level or security risk of the anonymization data, and reduces the anonymization level or security. If the risk is high, the change in the transmission timing is increased.

  The data transmitting unit 26 reads out the anonymized data from the storage unit 24 based on the changed transmission timing determined by the timing changing unit 25 and transmits the data.

  The number-of-sections acquiring unit 27 acquires the number of sections when anonymizing personal information to be anonymized. The number of divisions is the number of types of attribute values (words) that can be taken by the attributes included in the anonymous information, in other words, the number of divisions when the attribute values are divided for each identical attribute value. FIG. A5 is an explanatory diagram of the division. For example, if the attribute is gender, the attribute values are classified into two categories, male and female. When the attribute is age, the attribute value is classified into three categories of minors, adults, and elderly people, five categories of 20s or less, 30s, 40s, 50s, and 60s or more, and 0s, 10s, 20s, 30s, 40s, 50s, 60s, 70s, 80s and above. When the attribute is an area such as an address or a place of purchase, the attribute value is divided into two categories, western Japan and eastern Japan, nine categories of Hokkaido, Tohoku, Kanto, Chubu, Kinki, China, Shikoku, Kyushu, Okinawa, Hokkaido, and Aomori. Prefectures, Iwate prefecture, Tokyo prefecture, Osaka prefecture, etc.

  The number-of-sections acquiring unit 27 acquires the number of sections by counting words registered in the anonymization dictionary as words (attribute values) that abstract the attribute of the target data, for example.

  The anonymity state prediction unit 28 may determine, based on the decrease coefficient and the number of sections, that the minimum number of appearances when the personal information is anonymized by the number of sections is lower than a predetermined reference value, that is, the anonymity may not be satisfied. Is determined. When there is a possibility that the anonymity is not satisfied, the anonymous state prediction unit 28 obtains the number of sections satisfying the anonymity.

FIG. 3 is an explanatory diagram of the reduction coefficient. As shown in FIG. 3, when the total number is 20,000, the minimum number of appearances is 10,000 when the number of divisions is 2, the minimum number of appearances is 1000 when the number of divisions is 7, and the minimum number of appearances is 500 when the number of divisions is 11. When the combination 85 of the number of divisions and the minimum number of appearances is obtained, when the power approximate expression 1 is obtained, y = 114659x- ^1.414 . From the power approximation equation 1, the number of decreases in the minimum number of appearances when the number of sections in each section increases by 1 can be found. Therefore, the anonymous state prediction unit 28 determines whether the minimum number of occurrences exceeds the reference value based on the number of sections acquired by the number-of-sections acquiring unit 27 and the total number of target data (in the present embodiment, a transmission unit described later). That is, it is determined whether or not the anonymity is satisfied. If the minimum number of occurrences does not exceed the reference value, the number of sections whose minimum number of occurrences exceeds the reference value is determined.

  The personal information aggregation database 31 is a database in which user information (personal information) used for cooperative control is periodically acquired from each cooperation system 1 and stored. FIG. 4 is a diagram illustrating an example of the personal information aggregation database 31. The personal information aggregation database 31 in FIG. 4 has information such as ID, provider, gender, age, hobby, and genre of interest. Here, the ID is identification information for identifying the user information. For example, the ID is added to the user information for each user and each device at the provider. The provider is information indicating the provider of the user information, such as company A to company E.

  The cooperative control definition database 32 is a database that stores definition data defining cooperative control to be executed when sensor data is received. FIG. 5 is a diagram illustrating an example of the cooperative control definition database 32. The cooperative control definition database 32 in FIG. 5 has information such as an ID, a provider, a device, a provider, and provided information. The ID is identification information for identifying the definition data, and is added to the definition data for each user and each device, for example. The provider is information indicating the provider of the sensor data, such as company A to company E. The device is information indicating the type and model of the device that has detected the sensor data. The provision destination is information indicating a destination when transmitting sensor data and user data for cooperative control. The provided information is information indicating items to be provided to the provided destination in the user information. Note that not only items to be provided but also items not to be provided may be indicated. For example, if an item of the family structure is not provided and another item is provided, an item not provided such as opt-out (family structure) is designated. Also, it is possible to specify that all items are not provided as in the case of opt-out (all items). The example in FIG. 5 indicates that no user information is provided to Company D when the ID of Company A is x001.

  As described above, the cooperative control definition database 32 indicates which information is transmitted to which provider, and when sensor information is received, it is possible to control information to be provided and information not to be provided based on the cooperative control definition database 32. desirable. However, the present invention is not limited to this, and it is possible to omit the cooperative control definition database 32 by providing all information to all destinations when sensor information is received.

  FIG. 6 is an explanatory diagram of information used for determining the security level of each device. FIG. 6A shows an example of an item for evaluating a risk, FIG. 6B shows an evaluation table in which an evaluation value is associated with a score of information used for determining a security level, and FIG. An example of data stored as an evaluation result is shown.

  As shown in FIG. 6A, the risk evaluation items are classified into large items such as a company evaluation, a service / device evaluation, and an information accumulation evaluation, and these large items are each classified into small items. For example, the operator evaluation is an evaluation of an operator that operates a cooperative system that performs cooperative control of the devices to be evaluated, and includes small contracts such as contract / management status, provision by a third party, terms of use, security certification, and accidents / troubles. It is divided into items. The service / equipment evaluation is an evaluation related to a cooperative system that performs cooperative control of the evaluation target device and the relevant device, and is classified into small items such as an OS version, a security patch, an HTTP response, a difference in standard, and a failure / service trouble. The information accumulation evaluation is an evaluation relating to information accumulated by the cooperative control of the evaluation target device, and is classified into small items such as connection start time, use period, combined information risk, continuous operation time, and information sensitivity. . The evaluator obtains a score for each of the small items. For example, if there is no problem in the contract / management status, the minimum score is 1, and if there is a problem, a score is given in 10 levels according to the degree of the problem. Further, the version of the OS or the security patch of the cooperative system 1 or the device 90 is acquired, and if the version is the latest version, the minimum score is 1, and if the version is an old version, the score is obtained in ten stages according to the age.

  The evaluation table shown in FIG. 6B associates a score value for each large item with a security level. The security level determination unit 22 totals the scores of each small item for each large item, obtains the security level corresponding to the totaled score from the evaluation table, and obtains the security level of each large item as shown in FIG. Is stored in the risk determination database 33 in association with the ID of the device to be evaluated.

  The evaluation table shown in FIG. 6B associates the security level with the threshold of the anonymous level, the disturbance level, the display color, and the like, in addition to the score and the security level.

  FIG. 7 is a functional block diagram of the cooperation system 1. The cooperation system 1 includes a data acquisition unit 11, a data transmission unit 12, and a security update unit 13.

  The data acquisition unit 11 acquires sensor data from each device 90. In addition, the data acquisition unit 11 acquires anonymized data from the cooperative management server 2.

  The data transmission unit 12 transmits the sensor data to the cooperation management server 2. In addition, the data transmission unit 12 transmits the anonymized data to the device 90 and performs the cooperative control.

  The security update unit 13 acquires a security patch (update information) from the cooperative management server 2, and changes a set value or replaces a program module based on the security patch.

  FIG. 8 is a diagram illustrating a hardware configuration of the cooperation management server 2 and the cooperation system 1. The cooperative management server 2 and the cooperative system 1 are so-called computers having a CPU 101, a memory 102, a communication control unit 103, a storage device 104, and an input / output interface 105.

  The CPU 101 executes a program expanded in an executable manner in the memory 102. As a result, the CPU 101 of the cooperative management server 2 performs the above-described data acquisition unit 21, security level determination unit 22, anonymization unit 23, storage unit 24, timing change unit 25, data transmission unit 26, number-of-sections acquisition unit 27, The function of the anonymous state prediction unit 28 is provided. The CPU 101 of the cooperative system 1 provides the functions of the data acquisition unit 11, the data transmission unit 12, and the security update unit 13 described above.

  The memory 102 can also be called a main storage device. The memory 102 stores, for example, a program executed by the CPU 101, data received via the communication control unit 103, data read from the storage device 104, and other data.

  The communication control unit 103 connects to another device via a network and controls communication with the device. The input / output interface 105 is appropriately connected to output means such as a display device and a printer, input means such as a keyboard and a pointing device, and input / output means such as a drive device. The drive device is a removable storage medium read / write device, such as a flash memory card input / output device, a USB adapter for connecting a USB memory, or the like. In addition, the removable storage medium may be a disk medium such as a CD (Compact Disc), a DVD (Digital Versatile Disk), and a Blu-ray (Blu-ray (registered trademark) Disc). The drive device reads the program from the removable storage medium and stores the program in the storage device 104.

The storage device 104 can also be referred to as an external storage device. The storage device 104 may be an SSD (Solid State Drive), HDD, or the like. The storage device 104 exchanges data with a drive device. For example, the storage device 104 stores an information processing program and the like installed from the drive device. Further, the storage device 104 reads the program and delivers the program to the memory 102. In the present embodiment, the storage device 104 of the cooperative management server 2 stores the personal information aggregation database 31, the cooperative control definition database 32, and the risk determination database 33 described above.

  FIG. 9 is a diagram illustrating a schematic configuration of the device 90. The device 90 includes a function unit 41, a control unit 42, a communication unit 43, and an output unit 44.

  The function unit 41 is a unit that realizes the function of each device, for example, a unit that receives a broadcast and displays a video or outputs a sound in the case of a television, a unit that locks or unlocks a door, In the case of an air conditioner, there are means for adjusting the air, and in the case of lighting, means for emitting illumination light.

  The control unit 42 detects the state of the function unit 41 and controls the function unit 41 based on the control data received by the communication unit 43. Further, when the control data includes the evaluation data indicating the security level in the control data, the control unit 42 controls the output unit 44 based on the evaluation data to output the information indicating the security level.

  The communication unit 43 is a communication module that communicates with the cooperation system 1 and transmits the state of the function unit 41 detected by the control unit 42 to the cooperation system 1 as sensor data. The communication unit 43 receives the control data from the cooperation system 1 and sends the control data to the control unit 42. The communication unit 43 may directly communicate with the cooperative system 1, or may connect to a device such as a wireless router in the user's home by a short-range wireless communication method such as Bluetooth or WiFi, and communicate with the cooperative system 1 via this device. What you do. The communication unit 43 is not limited to a unit that communicates with the cooperation system 1, but is a transmission unit that unidirectionally transmits sensor data to the cooperation system 1 or a reception unit that receives control data from the cooperation system 1. Is also good.

  The output unit 44 is a unit that outputs the security level, and includes a display that displays an indicator and a message that indicates the security level in color, a speaker that outputs sound and voice, and the like. Note that, for a device such as a television or an interphone in which the function unit includes a display and a speaker, the function unit 41 may function as an output unit.

Next, a cooperative control method executed by the cooperative management server 2 and the cooperative system 1 of the cooperative control system according to the present embodiment according to a program will be described. 10 to 12 are explanatory diagrams of the cooperative control method.

  When receiving the sensor data from the device 90 via the cooperation system 1 (step S10 (FIG. 10)), the cooperative management server 2 stores the cooperative control definition data corresponding to the device ID included in the sensor data in the cooperative control definition database 32. (Step S20). The cooperative management server 2 reads personal information to be provided together with the sensor data from the personal information aggregation database 31 based on the definition data, and generates anonymized data to be provided to each device 90 (step S30).

  Next, the cooperative management server 2 determines whether or not the device ID indicated as the provision destination of the anonymized data is a target of the cooperative control based on whether or not the ID is present in the risk determination database 33 or the like (step S40). If it is not the object of the cooperative control (No at Step S40), the data is saved (Step S50), and the process is terminated.

  On the other hand, if it is the object of the cooperative control (step S40, Yes), the cooperative management server 2 obtains the security level corresponding to the ID of the device of the provision destination from the risk determination database 33 (step S60), and The lowest security level among the security levels is set as the security level of the device (step S70 (FIG. 11)). When the security level is equal to or less than a predetermined value, in the present embodiment, when the security level is E, the provision of the anonymized data is stopped. In addition, the cooperative management server 2 obtains, from an evaluation table, a threshold and a disturbance level of an anonymous level corresponding to the security level of the device from the evaluation table for the anonymized data to be transmitted to the device, and sets them as conditions for providing the security level. Is obtained and added to the anonymized data, and the transmission time is added (step S80). The transmission permission time specifies a time at which the anonymized data is transmitted from the cooperative management server 2 to each of the cooperative systems 1. The transmission permission time is, for example, the time required for a predetermined amount of anonymized data to stay in the storage unit (queue) 24 and to satisfy the provision conditions such as anonymous level and security level and to be transmitted. Set the time added to.

Next, the cooperative management server 2 anonymizes the personal information included in the anonymized data. For example, values such as 11 years old, 25 years old, and 39 years old are abstracted as 10-12 years old, 24-26 years old, and 37-39 years old (step S90). Then, the cooperative management server 2 counts the number of pieces of information having the same value of personal information included in the anonymized data with respect to the anonymized data provided to the same business entity within a predetermined period, and That is, the minimum number of appearances (k value) is obtained and set as the anonymous level (step S100). The cooperative management server 2 determines whether or not the anonymous level exceeds a threshold set as a condition for each anonymized data (step S110). If the anonymous level exceeds the threshold (step S110, Yes), the anonymized data is determined. Is stored in the storage unit (queue) 24 (step S150). On the other hand, if the threshold value is not exceeded (No at Step S110), the cooperative management server 2 determines whether or not it is necessary to provide the information in real time (Step S120), and if it is not necessary to provide the information in real time (Step S120). , No), expanding the data range for checking anonymity, such as the past hour or the past day, and determining whether the anonymous level of the anonymized data exceeds the threshold within the predetermined data range even if the calculation takes time. It is checked whether or not the anonymous level exceeds the threshold (step S130). If the anonymous level exceeds the threshold, the anonymized data is stored in the storage unit 24 (step S150). If the anonymized level of the anonymized data does not exceed the threshold in the data range, the anonymization is performed again so as to exceed the threshold (step S130). For example, each item of the anonymized data is further abstracted to reduce the number of sections. Then, the anonymized data exceeding the threshold is stored in the storage unit 24 (step S150). When it is determined that the anonymous level needs to be provided in real time (step S120, Yes), the number of sections whose anonymous level exceeds the threshold is predicted based on the number of sections of personal information included in the anonymized data. Anonymization is performed so that the number of divisions exceeds the number (step S140), and stored in the storage unit (queue) 24 (step S150). As described above, the processes in FIGS. 10 and 11 are periodically executed, and the received sensor data is anonymized and stored in the storage unit 24. Then, the cooperative management server 2 performs the transmission processing of FIG. 13 in parallel with the processing of FIGS.

  Further, the cooperative management server 2 sequentially reads out each anonymized data stored in the storage unit 24 (step S160), acquires a disturbance level of information (step S170), reads out a transmission permission time, and reads the current time and the current time. It is determined by comparison whether or not the transmission permission time has been reached (step S180).

  When it is determined that the transmission permission time has not been reached (step S180, No), that is, before the transmission permission time has been reached, it is determined whether or not a plurality of pieces of the same information exist in the anonymized data transmitted at the same timing. (Step S190). Here, the same information has, for example, the same value of items other than the device ID. It should be noted that the present invention is not limited to the completely same one, and some items such as a provider and a model of a device may be different. Transmission at the same timing means that the unit for transmitting anonymized data is determined at predetermined time intervals, such as every five minutes or every ten minutes, and is transmitted in the same transmission unit. The transmission unit is not limited to the one determined by time, but may be the one determined by the number of anonymized data. For example, when the transmission unit is 100, the anonymized data transmitted from the first case to the anonymized data transmitted to the 100th case are anonymized data transmitted at the same timing.

  When it is determined that a plurality of pieces of the information exist (step S190, Yes), the order of transmitting the anonymized data is changed at random, and the order of requesting the cooperative control is disturbed by the anonymized data (step S200). Basically, the data is transmitted in the order stored in the storage unit 24, but the order is changed due to the disturbance. At the time of this disturbance, the range of the change, that is, the degree of the disturbance is set according to the disturbance level acquired in step S160. If the disturbance level is 1%, the order is switched within a range of 1% with respect to the entire transmission unit, and if the disturbance level is 40%, the order is switched within a range of 40% with respect to the entire transmission unit.

  On the other hand, if it is determined in step S190 that the same information does not exist (step S190, No), the elapsed time of the anonymized data, for example, after the sensor information is received in step S10, or stored in the storage unit 24. It is determined whether or not the elapsed time from is equal to or greater than a threshold (step S210). If the elapsed time of the anonymized data is not equal to or greater than the threshold (No at Step S210), the transmission is suspended and the process proceeds to Step S270. If the elapsed time is equal to or greater than the threshold (Yes at Step S210), the anonymization is performed. Noise information having the same information as the data (anonymized data for which the determination of whether the elapsed time is equal to or greater than the threshold in step S210) is generated and added to the storage unit 24 as anonymized data of the same transmission unit; The process proceeds to step S200 to disturb the transmission order. In other words, if there is no such information, the individual may be identified. Since transmission is not possible, transmission is suspended and processing of other anonymized data is started. If the permission time approaches and exceeds the threshold, noise data is added. Compared to the anonymized data, the noise data has a different device ID, and the other items have the same information. That is, by adding this noise data, a plurality of pieces of the same information are pseudo-existed. The device ID of the noise data is a dummy and does not affect cooperative control. Can be prevented.

Then, the cooperative management server 2 uniformly sets the transmission permission time of the anonymized data whose transmission order is disturbed in step S200 (step S240), and returns to step S180. Even if the transmission permission time is set uniformly, anonymous data that exceeds the transmission permission time will be transmitted sequentially, and this order may appear as a minute time stamp difference. By changing the order and transmitting at a uniform transmission timing, reconnection by a time stamp is prevented.

  If the current time has reached the anonymized data transmission permission time in step S180 (step S180, Yes), the anonymized data is transmitted to the destination cooperation system 1 (step S250). Further, the cooperative management server 2 stores the transmitted anonymized data in the storage unit (step S260), and determines whether the sensor information and the personal information to be processed next exist in the storage unit 24 (step S270). ), If it exists (step S270, Yes), the process returns to step S170 to repeat the process, and if it does not exist (step S270, No), the process ends.

  The cooperative system 1 that has received the anonymized data (step S310) generates control information for cooperatively controlling the device 90 based on the anonymized data (step S320) and transmits the control information to the device 90 via the network. (Step S330). For example, when receiving the anonymized information including the sensor data indicating the unlocking of the door sensor 91 and the personal information indicating the gender of the user, the cooperation system 1B sets the air conditioner 92 to a low temperature if the user is a male. If the user is a woman, control data for operating the air conditioner 92 at a high temperature is transmitted to the air conditioner 92.

  Further, when receiving the anonymized information including the sensor data indicating the unlocking of the door sensor 91 and the personal information indicating the age and gender of the user, the cooperative system 1C operates the television 93 to operate the age and gender of the user. Control data for selecting a TV program recommended in response is transmitted to the TV 93.

  When receiving the anonymized information including the sensor data indicating that the user has left the ticket gate of the nearest station, the cooperation system 1D changes the control data for turning on the external light to the external light.

  For example, the cooperative system 1 stores a control data template generated when the anonymized information is received, reads the control data template when the anonymized information is received, and sets a value based on the personal information. Insert to generate control information.

  Then, the device 90 that has received the control data from the cooperation system 1 controls the functional unit based on the control data to execute the cooperative control, and displays the security level in a display color based on the control data.

  As described above, according to the present embodiment, when providing anonymized data, by disturbing the timing of providing the anonymized data, it is possible to reduce the possibility of reconnection by collating with the time stamp. For example, by changing the order of provision, the provision timing is disturbed.

  In addition, when k anonymity is not satisfied when transmitting anonymized data, noise data can be inserted to satisfy the anonymity and disturb the provision timing.

  Further, according to the present embodiment, for anonymized information that needs to be processed in real time, the anonymized state at the time of transmission is predicted, and the number of segments is adjusted so that the anonymity can be satisfied at the time of transmission. This prevents anonymity from being provided because the anonymity is not satisfied at the time of transmission, and it is possible to reliably provide anonymized information.

<Others>
The present invention is not limited to the illustrated examples described above, and it goes without saying that various changes can be made without departing from the spirit of the present invention. For example, in the second and third embodiments, a power approximation formula is used as the reduction coefficient. However, an approximation formula such as a polynomial approximation formula or an exponential approximation formula may be used instead.

DESCRIPTION OF SYMBOLS 1 Cooperation system 2 Cooperation management server 11 Data acquisition part 12 Data transmission part 13 Security update part 21 Data acquisition part 22 Security level judgment part 23 Anonymization part 24 Storage part 25 Timing change part 26 Data transmission part 27 Division number acquisition part 28 Anonymity State prediction unit 31 Personal information aggregation database 32 Cooperative control definition database 33 Risk judgment database 41 Function unit 42 Control unit 43 Communication unit 44 Output unit 90 Device

Claims (4)

A data acquisition unit for acquiring sensor data and user data,
An anonymization unit that performs anonymization processing on the user data,
A storage unit that stores anonymized data including the sensor data and the anonymized user data,
A timing change unit that changes the transmission order of the anonymized data so as to be different from the storage order in which the anonymized data is stored in the storage unit,
A transmission unit that transmits data stored in the storage unit according to the transmission order ,
The sensor data includes a device ID indicating a source device of the sensor data,
When the plurality of the anonymized data is not stored in the storage unit, the timing change unit further stores, in the storage unit, noise data having a device ID included in the anonymized data as a dummy value, Changing the transmission order so that the storage order of the anonymized data and the noise data is different from the storage order stored in the storage unit,
Information distribution device. The anonymization process includes a process of classifying attribute values of the user data for each identical attribute value,
A division number acquisition unit that acquires the division number of the divided user data,
Based on the reduction coefficient indicating the amount of decrease in the minimum number of appearances when the number of divisions is increased and the number of divisions, the minimum number of appearances when personal information is anonymized with the number of divisions falls below a predetermined reference value. An anonymous state prediction unit that calculates the number of segments in which the minimum number of appearances is equal to or greater than a predetermined reference value,
The minimum number of appearances is the minimum number among the number of attribute values belonging to each section,
The information distribution device according to claim 1. Obtaining sensor data and user data;
Anonymizing the user data;
Storing anonymized data including the sensor data and the anonymized user data in a storage unit ;
Changing the transmission order of the anonymized data so as to be different from the storage order in which the anonymized data is stored in the storage unit ;
Transmitting the data stored in the storage unit according to the transmission order , and
The sensor data includes a device ID indicating a source device of the sensor data,
The step of changing the transmission order of the anonymized data, when the plurality of the anonymized data is not stored in the storage unit, the noise data with the device ID included in the anonymized data as a dummy value, Further storing in a storage unit, including a process of changing the transmission order so as to be different from the storage order in which the anonymized data and the noise data are stored in the storage unit,
Information distribution method. Obtaining sensor data and user data;
Anonymizing the user data;
Storing anonymized data including the sensor data and the anonymized user data in a storage unit ;
Changing the transmission order of the anonymized data so as to be different from the storage order in which the anonymized data is stored in the storage unit ;
Transmitting the data stored in the storage unit in accordance with the transmission order ; and
The sensor data includes a device ID indicating a source device of the sensor data,
The step of changing the transmission order of the anonymized data, when the plurality of the anonymized data is not stored in the storage unit, the noise data with the device ID included in the anonymized data as a dummy value, Further storing in a storage unit, including a process of changing the transmission order so as to be different from the storage order in which the anonymized data and the noise data are stored in the storage unit,
Information distribution program.