JP6693135B2 - Information processing apparatus, information processing method, and program - Google Patents

Description

  The present invention relates to an information processing device, an information processing method, and a program.

  A method of k-anonymization that processes original data to have k-anonymity has been proposed (Patent Document 1). There is proposed a method of calculating a rule for anonymizing stream data acquired in the past so as to satisfy k-anonymity and anonymizing newly acquired stream data (Patent Document 2).

  In addition, a method of anonymization is proposed in which the data recorded in each item in the original data is hierarchized in a tree structure and the items in each item are generalized based on the count result of appearance frequency. (Patent Document 3).

US Patent Application Publication No. 2002/169793 JP, 2013-80375, A International Publication No. 2011-145401

  The method disclosed in Patent Document 1 and Patent Document 3 is a method of anonymizing individual votes collected in advance. In order to properly process the additional pieces that occur sequentially, it is necessary to process the initially processed pieces and the additional pieces together, and it takes time to process the data. Therefore, it is difficult to perform anonymization processing when additional individual votes are sequentially generated.

  Patent Document 2 discloses a method of processing additional individual pieces that are sequentially generated. However, when there is little commonality between the additional individual votes and the individual votes processed in the past, anonymity cannot be ensured, and it may be possible to identify an individual from the additional individual votes.

  In one aspect, an object is to provide an information processing device or the like that reduces the processing load required for anonymization of additional individual pieces that occur sequentially.

The information processing device sequentially acquires an input individual vote having data associated with each of a plurality of items, and the input individual vote acquired by the acquisition unit, based on a rule, for each of the plurality of items. A conversion unit that sequentially converts any one of a plurality of anonymized individual votes having associated data into the same output individual vote , wherein the conversion unit converts the input individual vote to the anonymized individual vote. When it is not possible to convert to the same output individual form, all the data associated with the items included in the anonymized individual form are converted to the replacement individual form which is replaced with other data.

  According to one aspect, it is possible to reduce the processing load required for anonymization of additional individual pieces that occur sequentially.

It is explanatory drawing which shows the structure of an information processing system. It is explanatory drawing which shows the example of original data. It is explanatory drawing which shows the record layout of anonymized data DB. It is explanatory drawing which shows the creation process of anonymized automaton. It is explanatory drawing which shows the creation process of anonymized automaton. It is explanatory drawing which shows the creation process of anonymized automaton. It is explanatory drawing which shows an anonymization automaton. It is explanatory drawing which shows the example of streaming data. It is an explanatory view showing an example of streaming data after anonymization processing. It is a flow chart which shows a flow of processing of a program. It is a flow chart which shows a flow of processing of a subroutine of hierarchy tree creation. It is a flow chart which shows a flow of processing of a subroutine of node reduction. It is a flow chart which shows a flow of processing of a subroutine of bypass addition. It is a flow chart which shows a flow of processing of a subroutine of bypass addition. It is a flow chart which shows a flow of processing of a subroutine of anonymization. FIG. 8 is an explanatory diagram showing an example of streaming data after anonymization processing according to the second embodiment. It is explanatory drawing which shows the anonymization automaton of Embodiment 2. 9 is a flowchart showing a flow of processing of a program according to the second embodiment. FIG. 16 is an explanatory diagram showing an example of streaming data according to the third embodiment. FIG. 16 is an explanatory diagram showing an example of streaming data after anonymization processing according to the third embodiment. 16 is a flowchart showing the flow of processing of a sub-routine for anonymization according to the third embodiment. It is explanatory drawing which shows the production process of the hierarchy tree of Embodiment 4. It is explanatory drawing which shows the production process of the hierarchy tree of Embodiment 4. 20 is a flowchart showing the flow of processing of a sub-routine for creating a hierarchical tree according to the fourth embodiment. It is explanatory drawing which shows the structure of the information processing system of Embodiment 5. 21 is a flowchart showing the flow of processing of a program according to the fifth embodiment. 28 is a flowchart showing the flow of processing of a program according to the sixth embodiment. It is a functional block diagram which shows operation | movement of the information processing apparatus of Embodiment 7. It is explanatory drawing which shows the structure of the information processing system of Embodiment 8.

[Embodiment 1]
FIG. 1 is an explanatory diagram showing the configuration of the information processing system 10. The information processing system 10 includes a server 11, a first client 21 and a second client 25. The server 11, the first client 21 and the second client 25 are connected via a network.

  The server 11 includes a server CPU (Central Processing Unit) 12, a main storage device 13, an auxiliary storage device 14, a communication unit 15, and a bus. The server 11 of the present embodiment is an information processing device that performs anonymization processing of streaming data. The server 11 of the present embodiment is a general-purpose personal computer, an information device such as a large-scale computer, or the like. Further, the server 11 of this embodiment may be a virtual machine operating on a large-scale computer.

  The server CPU 12 is an arithmetic and control unit that executes the program according to the present embodiment. For the server CPU 12, one or a plurality of CPUs, a multi-core CPU, or the like is used. The server CPU 12 is connected to each part of the hardware configuring the simulation device 10 via a bus.

  The main storage device 13 is a storage device such as SRAM (Static Random Access Memory), DRAM (Dynamic Random Access Memory), and flash memory. The main storage device 13 temporarily stores information required during the process performed by the server CPU 12 and a program being executed by the server CPU 12.

  The auxiliary storage device 14 is a storage device such as an SRAM, a flash memory, a hard disk or a magnetic tape. The auxiliary storage device 14 stores a program to be executed by the server CPU 12, anonymized data DB (Data Base) 31, anonymized automaton 32, and various kinds of information necessary for executing the program. The communication unit 15 is an interface that communicates with a network.

  The second client 25 is a client that sequentially acquires input individual votes and sends them to the network. The second client 25 is an information terminal installed in a store or the like and an information device such as a personal computer, a tablet, or a smartphone used by a general consumer or the like. In the following description, a user who operates the second client 25 will be referred to as a second user.

  The input form is acquired from, for example, membership registration on the website, transaction records of mail-order sales, point grant records of point cards, and the like. The input form is sequentially sent from the second client 25 to the network in a predetermined format including data corresponding to a plurality of items.

  The first client 21 is a client used by a user who utilizes anonymized data for marketing or the like. Anonymized data will be described later. The first client 21 of the present embodiment uses an information device such as a general-purpose personal computer or a large-scale computer. In the following description, the user who operates the first client 21 will be referred to as the first user. The first client 21 sequentially receives the output votes obtained by anonymizing the input votes by the server CPU 12.

  The first client 21 and the second client 25 include a CPU, a main storage device, an auxiliary storage device, and a communication unit, like the server 11. Further, the first client 21 and the second client 25 include an input interface such as a keyboard, a touch panel, a mouse and the like, and an output interface such as a liquid crystal display, an organic EL display and a print. Illustrations of the internal configurations of the first client 21 and the second client 25 are omitted.

  FIG. 2 is an explanatory diagram showing an example of original data. The original data is stored in an information processing device different from the information processing system 10 of the present embodiment. The original data is, for example, data such as Web site member registration, mail-order transaction records, and point-granting records on point cards. One row in FIG. 2 shows one piece included in the original data. The individual vote is data treated as one lump, such as membership registration information for one person or a record of one transaction. In FIG. 2, as an example, an individual vote including three items of postal code, year of birth, and gender is shown. Note that FIG. 2 shows an example in which only the first three digits of the postal code are recorded.

  In addition to these, the individual data of the original data may include items such as address, name, telephone number, mail address, family structure, purchased product, and payment method. Therefore, the original data may include personal information. Secondary use of original data containing personal information is legally restricted. In the original data shown in FIG. 2, several tens to several million individual votes are recorded. In the following description, the original data individual form will be referred to as the original data individual form.

  FIG. 3 is an explanatory diagram showing a record layout of the anonymized data DB 31. The anonymized data DB 31 is a DB that records anonymized data.

  Anonymized data will be described. Anonymized data means data processed so that an individual cannot be identified from individual votes. The anonymized data can be used for marketing analysis, service optimization, and the like. In the following description, using anonymized data is described as secondary use.

  The state in which there are k or more individual votes including the same content in any individual vote is called k-anonymity. Here, k is an integer of 2 or more. If k-anonymity is ensured, it is not possible to narrow down the number of individuals associated with the individual votes to less than k and specify. The anonymized data DB 31 of this embodiment has k-anonymity.

  The anonymized data DB 31 of the present embodiment may have Pk-anonymity, for example. Pk-anonymity means a state in which there is less than 1 / k possibility that an individual can be identified from individual votes.

  The anonymized data DB 31 has a postal code field, a birth year field, and a gender field. A postal code is recorded in the postal code field. Note that FIG. 3 shows an example in which only the first three digits of the postal code are recorded. Age is recorded in the birth year field. Gender is recorded in the gender field. The “*” recorded in the postal code field, age field and gender field will be described later.

  The anonymized data DB 31 has one record for each anonymized individual vote. In addition to these, the anonymized data DB 31 may have fields for recording, for example, anonymized information such as an address, a name, a telephone number, an email address, a family structure, a purchased product, a payment method, and the like.

  Anonymization is performed by an information processing device different from the information processing system 10 according to the present embodiment. Anonymized data DB 31 in FIG. 3 shows an example in which the original data shown in FIG. 2 is anonymized. The data obtained by anonymizing the original data individual row of the original data is the record of the first row of the anonymized data DB 31.

  The relationship between the original data and the anonymized data will be described. Regarding the original data individual form described in the first line of FIG. 2, all three items of postal code, age, and sex are recorded in the first record of the anonymized data DB 31 of FIG. If the source data contains multiple source data votes with the same content, and if an individual cannot be identified from the source data vote, the same anonymized vote as the source data vote is anonymous. It may be included in the converted data DB 31.

  In the original data individual form described in the second line of FIG. 2, the gender is replaced with “*” and recorded in the second record of the anonymized data DB 31 of FIG. Here, "*" means that the gender was hidden. By hiding the gender, a plurality of original data individual votes that differ only in gender are converted into the same anonymized individual vote. By processing the original data individual pieces in this way, the original data is converted into anonymized data having anonymity of a predetermined condition.

  Replacing the data of each item with “*” is referred to as generalization in the following description. Generalization is one of the methods of anonymizing the original data individual votes. Regarding the third line of the original data, the anonymized individual vote in which the year of birth is replaced with “*” is recorded in the anonymized data DB 31. Here, "*" means that the age is generalized.

  Any value or sign such as "-", "/", or "999" that is not used for data can be used instead of "*". In the following description, a value or code used for generalization will be referred to as a generalized code. Note that generalized codes that differ depending on the item may be used.

  The method of anonymizing the original data is not limited to generalization. For example, replace the address with the prefecture name, replace the name with the initial, replace the data of some items with the data of the same item in other votes, delete some items, and replace the original data. Can be anonymized. Further, these methods may be combined with generalization. The information processing device 10 according to the present embodiment can use the anonymized data DB 31 anonymized by an arbitrary method.

  The anonymized data DB 31 has tens to millions of records. That is, the anonymized data DB 31 stores several tens to several millions of anonymized individual votes.

  4 to 6 are explanatory diagrams showing a process of creating the anonymized automaton 32. FIG. 7 is an explanatory diagram showing the anonymized automaton 32. The anonymization automaton 32 is a virtual machine that receives an input individual vote, performs a process based on a predetermined rule, and converts it into an anonymized individual vote. That is, the anonymization automaton 32 is a virtual machine that expresses the rules of the process of anonymizing the input individual vote. The anonymized automaton 32 is a finite state automaton created based on the anonymized individual votes recorded in the anonymized data DB 31. The procedure for the anonymized automaton 32 to process the input individual number will be described later.

  FIG. 4 shows a hierarchical tree which is the first stage of creating the anonymized automaton 32. The server CPU 12 inputs the anonymized individual number recorded in the anonymized data DB 31 described using FIG. 3 and creates the hierarchical tree shown in FIG. The hierarchical tree has a parent node 60, an intermediate node 61 and a receiving node 63. The parent node 60 and the intermediate node 61 are indicated by circles. The receiving node 63 is shown as a double ellipse. In the following description, the parent node 60, the intermediate node 61, and the reception node 63 may be collectively referred to as a node.

  The parent node 60, the intermediate node 61, and the accepting node 63 are connected by a transition branch 65 shown by a solid line. One transition branch 65 is input to each of the intermediate node 61 and the reception node 63.

  One or more transition branches 65 are output from the intermediate node 61. The condition for selecting the transition branch 65 is displayed on the label near each arrow. The reception node 63 corresponds to each anonymized individual record recorded in the anonymized data DB 31. The transition branch 65 does not output from the reception node 63.

  The hierarchical tree has a hierarchical structure of four layers from the parent node 60 of the first layer to the receiving node 63 of the fourth layer. The number of layers is the number obtained by adding 1 to the number of fields of the anonymized data DB 31. The label of the transition branch 65 that connects the intermediate node 61 included in one hierarchy and the intermediate node 61 or the acceptance node 63 included in the next hierarchy is data included in one field of the anonymized data DB 31.

  The numbers following “n” in the circle or the double ellipse indicating the parent node 60, the intermediate node 61, and the accepting node 63 are the numbers when the records of the anonymization DB 31 described using FIG. 3 are processed in order from the top. , The order in which the server CPU 12 creates nodes.

  In the following description, when it is necessary to specify the intermediate node 61, the symbols shown in the circle are used and described as, for example, the intermediate node 61n2. Similarly, when the receptive node 63 needs to be specified, the receptive node 63n4 is described using the symbols shown in the double ellipse.

  In the following figures and description, the acceptance node 63 is displayed with the item names omitted. For example, “*, 20, female” described in the acceptance node 63n16 in FIG. 4 means that the postal code is “*”, the age is “20”, and the gender is “woman”.

  A method for the server CPU 12 to create the hierarchical tree shown in FIG. 4 will be described. The server CPU 12 creates the parent node 60. The server CPU 12 assigns the number 1 to the parent node 60, as indicated by "n1" in the figure.

  The server CPU 12 acquires the first record “198, 50, man” from the anonymized DB 31. The server CPU 12 adds the transition branch 65 and the intermediate node 61n2 output from the parent node 60. The server CPU 12 gives the added transition branch 65 a label “∘: 198” corresponding to the data recorded in the first field of the first record. The added transition branch 65 means that the process performed by the server CPU 12 transits to the intermediate node 61n2 when the input individual number having the postal code “198” is input to the parent node 60.

  The server CPU 12 adds the transition branch 65 and the intermediate node 61n3 output from the intermediate node 61n2. The server CPU 12 gives the added transition branch 65 a label “year: 50” corresponding to the data recorded in the second field of the first record.

  Since the next third field is the last field of the first record, the server CPU 12 adds the transition branch 65 and the acceptance node 63n4 output from the intermediate node 61n3. The server CPU 12 gives the added transition branch 65 a label “sex: male” corresponding to the data recorded in the third field of the first record. The server CPU 12 associates the anonymized individual vote “198, 50, man” recorded in the first record with the accepting node 63n4.

  The server CPU 12 acquires the second record “198, 20, *” from the anonymized data DB 31. The server CPU 12 determines whether or not the transition branch 65 corresponding to the data recorded in the first field of the second record is output from the parent node 60 of the hierarchical tree being created. A transition branch 65 whose postal code is "198" already exists. Therefore, the server CPU 12 sets the intermediate node 61n2 ahead of the transition branch 65 as the next processing target.

  The server CPU 12 determines whether or not the transition node 65 corresponding to the data recorded in the second field of the second record is output from the intermediate node 61n2 of the hierarchical tree being created. There is no transition branch 65 whose birth year is “20”. Therefore, the server CPU 12 adds the transition branch 65 and the intermediate node 61n5 output from the intermediate node 61n2. The server CPU 12 gives the added transition branch 65 a label “year: 20” corresponding to the data recorded in the second field of the second record. The server CPU 12 sets the created intermediate node 61n5 as the next processing target.

  The server CPU 12 determines whether or not the transition node 65 corresponding to the data recorded in the third field of the second record is output from the intermediate node 61n5 of the hierarchical tree being created. The transition branch 65 output from the intermediate node 61n5 does not yet exist. Since the next third field is the last field of the second record, the server CPU 12 adds the transition branch 65 and the acceptance node 63 output from the intermediate node 61n5. The server CPU 12 gives the added transition branch 65 a label “sex: *” corresponding to the data recorded in the third field of the second record. The server CPU 12 associates the anonymized individual number “198, 20, *” recorded in the second record with the reception node 63n6.

  Similarly, the server CPU 12 subsequently acquires a record from the anonymized data DB 31 and determines the presence or absence of the corresponding transition branch 65 from the parent node 60 in order. If there is no transition branch 65 and node, the transition branch 65 and the node are added to the hierarchical tree. To do. The server CPU 12 processes all the records included in the anonymized data DB 31 to complete the hierarchical tree shown in FIG.

  FIG. 5 shows a state in which the second stage of creating the anonymized automaton 32 is completed. In the second stage, the server CPU 12 deletes unnecessary nodes from the hierarchical tree described with reference to FIG. Specifically, the intermediate nodes 61n5 and 61n9 are deleted from the hierarchical tree of FIG.

  The deletion of the intermediate node 61 will be described. The intermediate node 61 output only by the transition branch 65 of the generalized code “*” does not contribute to the processing by the anonymization automaton 32. The server CPU 12 deletes the intermediate node 61 output from only the transition branch 65 of the generalized code “*” from the hierarchical tree. The server CPU 12 connects the transition branch 65 input to the deleted intermediate node 61 to the intermediate node 61 or the accepting node 63 ahead of the transition branch 65 output from the deleted intermediate node 61.

  A more specific description will be given. The server CPU 12 sequentially determines whether or not the label of the transition branch 65 output from each intermediate node 61 is only the generalized code “*”. For example, only the transition branch 65 of "sex: *" is output from the intermediate node 61n5. The server CPU 12 deletes the intermediate node 61n5 and the transition branch 65 of "sex: *". The server CPU 12 connects the transition branch 65 having the label “year: 20” input to the intermediate node 61n5 to the reception node 63n6 connected to the transition branch 65 “sex: *”.

  FIG. 6 is an explanatory diagram illustrating a third stage of creating the anonymized automaton 32. In the third stage, the server CPU 12 creates the bypass branch 67 (see FIG. 7). The bypass branch 67 outputs from one of the intermediate nodes 61 and inputs to another intermediate node 61 or the receiving node 63.

  The server CPU 12 creates the node sequence 69 from the anonymized automaton 32 in the process of creation described with reference to FIG. The server CPU 12 assigns a serial number starting from 1 to the node sequence 69. In addition, the server CPU 12 assigns serial numbers to the nodes in each node row 69, with the parent node 60 side being 1.

  One node sequence 69 includes a parent node 60, one accepting node 63, and an intermediate node 61 between them. The server CPU 12 creates the same number of node arrays 69 as the reception nodes 63. The server CPU 12 creates a bypass branch 67 that outputs from the intermediate node 61 included in one node string 69 and inputs to the intermediate node 61 included in another node string 69.

  In the following description, the case where the server CPU 12 assigns serial numbers from the leftmost node column 69 will be described as an example.

  The server CPU 12 starts the process from the parent node 60 which is the first node of the first node sequence 69. The server CPU 12 determines whether the parent node 60 is the receiving node 63. The server CPU 12 determines that the parent node 60 is not the receiving node 63. The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 to which the label of the generalized code “*” is added is output from the parent node 60. Since the transition branch 65 labeled with the generalized code “*” is output from the parent node 60, the server CPU 12 is the second node of the first node sequence 696. The intermediate node 61n2 is the next processing target.

The server CPU 12 determines whether the intermediate node 61n2 is the receiving node 63. The server CPU 12 determines that the intermediate node 61n2 is not the receiving node 63. The server CPU 12 determines whether the intermediate branch 61n2 outputs the transition branch 65 or the bypass branch 67 labeled with the generalized code “*”. Since the transition branch 65 labeled with the generalized code “*” is output from the intermediate node 61n2, the server CPU 12 sets the intermediate node 61n3, which is the third node in the first node sequence 69, as the next processing target. And

  The server CPU 12 determines whether the intermediate node 61n3 is the receiving node 63. The server CPU 12 determines that the intermediate node 61n3 is not the receiving node 63. The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 labeled with the generalized code “*” is output from the intermediate node 61n3. Since the transition branch 65 labeled with the generalized code “*” is not output from the intermediate node 61n3, the server CPU 12 starts the process of determining whether or not to create the bypass branch 67 output from the intermediate node 61n3.

  A process of determining whether or not to create the bypass branch 67 output from the intermediate node 61n3 will be described. Since the intermediate node 61n3 being processed is not the parent node 60, the server CPU 12 sets the intermediate node 61n2, which is the immediately preceding node in the first node sequence 69, as the determination target.

  The server CPU 12 determines whether the intermediate branch 61n2 outputs the transition branch 65 or the bypass branch 67 labeled with the generalized code “*”. Since the transition branch 65 labeled with the generalized code “*” is output from the intermediate node 61n2, the server CPU 12 includes the intermediate node 61n7 input by the transition branch 65 in the first node sequence 69. Is determined. Since the intermediate node 61n7 is not included in the first node sequence 69, the server CPU 12 outputs the intermediate node 61n3 and creates the bypass branch 67 toward the intermediate node 61n7. As described above, the server CPU 12 ends the processing of the intermediate node 61n3. The server CPU 12 sets the reception node 63n4, which is the fourth node of the first node sequence 69, as the next processing target.

  Since the reception node 63n4 is the last node of the first node sequence 69, the server CPU 12 moves to the process of the second node sequence 69. The server CPU 12 starts the process from the parent node 60 which is the first node of the second node sequence 69. Since the processing of the parent node 60 and the intermediate node 61n2 is the same as the processing described in the first node sequence 69, the description thereof will be omitted. It should be noted that the server CPU 12 may store the node that has been processed once and omit the second and subsequent processes. The server CPU 12 is the third node of the second node row 69. The receiving node 63n6 is the next processing target.

  Since the reception node 63n4 is the last node of the second node sequence 69, the server CPU 12 moves to the process of the third node sequence 69. The server CPU 12 starts the process from the parent node 60 which is the first node of the third node row 69. Since the processing of the parent node 60 and the intermediate node 61n2 is the same as the processing described in the first node sequence 69, the description thereof will be omitted. The server CPU 12 is the third node of the third node row 69. The intermediate node 61n7 is the next processing target.

  The server CPU 12 determines whether the intermediate node 61n7 is the receiving node 63. The server CPU 12 determines that the intermediate node 61n7 is not the receiving node 63. The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 labeled with the generalized code “*” is output from the intermediate node 61n7. Since the transition branch 65 labeled with the generalized code “*” is not output from the intermediate node 61n7, the server CPU 12 starts the process of determining whether or not the bypass branch 67 output from the intermediate node 61n7 can be created.

  A process of determining whether or not the bypass branch 67 output from the intermediate node 61n7 can be created will be described. Since the intermediate node 61n7 being processed is not the parent node 60, the server CPU 12 sets the intermediate node 61n2, which is the immediately preceding node in the third node sequence 69, as the determination target.

  The server CPU 12 determines whether the intermediate branch 61n2 outputs the transition branch 65 or the bypass branch 67 labeled with the generalized code “*”. Since the transition branch 65 labeled with the generalized code “*” is output from the intermediate node 61n2, the server CPU 12 includes the intermediate node 61n7 input by the transition branch 65 in the third node sequence 69. Is determined. Since the intermediate node 61n7 is included in the third node sequence 69, the server CPU 12 sets the parent node 60, which is the previous node in the third node sequence 69, as the determination target.

  The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 to which the label of the generalized code “*” is added is output from the parent node 60. Since the transition branch 65 labeled with the generalized code “*” is output from the parent node 60, the server CPU 12 includes the intermediate node 61n12 input by the transition branch 65 in the third node sequence 69. Is determined. Since the intermediate node 61n12 is not included in the third node sequence 69, the server CPU 12 outputs the intermediate node 61n7 and creates the bypass branch 67 toward the intermediate node 61n12. With the above, the server CPU 12 ends the processing of the intermediate node 61n7. The server CPU 12 sets the reception node 63n8, which is the fourth node of the third node sequence 69, as the next processing target.

  An example of giving up the creation of the bypass branch 67 will be described by taking the fifth node sequence 69 as an example. The server CPU 12 starts the process from the parent node 60 which is the first node of the fifth node array 69. Since the processing of the parent node 60 is the same as the processing described in the first node sequence 69, the description thereof will be omitted. The server CPU 12 sets the intermediate node 61n12, which is the second node in the fifth node array 69, as the next processing target.

  The server CPU 12 determines whether the intermediate node 61n12 is the receiving node 63. The server CPU 12 determines that the intermediate node 61n12 is not the receiving node 63. The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 labeled with the generalized code “*” is output from the intermediate node 61n12. Since the transition branch 65 labeled with the generalized code “*” is not output from the intermediate node 61n12, the server CPU 12 starts the process of determining whether or not the bypass branch 67 output from the intermediate node 61n12 can be created.

  A process of determining whether or not to create the bypass branch 67 output from the intermediate node 61n12 will be described. Since the intermediate node 61n12 being processed is not the parent node 60, the server CPU 12 sets the parent node 60, which is the immediately preceding node in the fifth node sequence 69, as the determination target.

  The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 to which the label of the generalized code “*” is added is output from the parent node 60. Since the transition branch 65 labeled with the generalized code “*” is output from the parent node 60, the server CPU 12 includes the intermediate node 61n12 input by the transition branch 65 in the fifth node sequence 69. Is determined. Since the intermediate node 61n12 is included in the fifth node sequence 69, the server CPU 12 determines that the bypass branch 67 extending from the fifth node sequence 69 toward the intermediate node 61n12 cannot be created.

  Since the determination target is the parent node 60, the server CPU 12 ends the processing of the intermediate node 61n12 without creating the bypass branch 67.

  By repeating the above processing, the server CPU 12 creates the bypass branch 67 that transits from one node sequence 69 to another node sequence 69. The anonymized automaton 32 is completed by completing the processing of all the nodes.

  FIG. 7 shows the completed anonymized automaton 32. The anonymized automaton 32 has a parent node 60, an intermediate node 61, and a reception node 63. The parent node 60, the intermediate node 61 and the accepting node 63 are connected by a transition branch 65 shown by a solid line and a bypass branch 67 shown by a broken line. The intermediate node 61 indicates an intermediate process of processing the input individual number. The transition branch 65 and the bypass branch 67 indicate paths for processing the input individual number. The transition branch 65 and the bypass branch 67 are examples of the determination branch of the present embodiment.

  One or more transition branches 65 are output from the parent node 60. One transition branch 65 is input to the intermediate node 61. One or more transition branches 65 are output from the intermediate node 61. One transition branch 65 is input to the reception node 63. There is no transition branch 65 output from the acceptance node 63. The bypass branch 67 outputs from one of the intermediate nodes 61 and inputs to another intermediate node 61 or the receiving node 63.

  An outline of a method in which the server CPU 12 processes an input vote by using the anonymized automaton 32 will be described. The input individual number is input to the parent node 60 from the outside. The input data reaches the receiving node 63 via the transition branch 65, the bypass branch 67, and the intermediate node 61. The conditions for selecting the transition branch 65 and the bypass branch 67 are displayed in the labels near the respective arrows. The received acceptance node 63 shows the result of anonymizing the input individual vote. The reception node 63 corresponds to any one of the anonymized individual records recorded in the anonymized data DB 31.

  FIG. 8 is an explanatory diagram showing an example of streaming data. The streaming data is an input piece that the second client 25 sequentially generates and sends to the network. One line in FIG. 8 shows one input vote. The server CPU 12 sequentially receives the input individual number via the communication unit 15. The timing at which the server CPU 12 receives the input form and the number of input forms to be received are not fixed.

  FIG. 9 is an explanatory diagram showing an example of streaming data after anonymization processing. FIG. 9 shows an example in which the data of FIG. 8 is anonymized by using the anonymization automaton 32 described using FIG. 7. An example of a specific process performed by the server 11 using the anonymized automaton 32 will be described.

  An example will be described in which the server CPU 12 acquires the input individual number “198, 20, female” shown in the first line of FIG. 8 from the second client 25. The server CPU 12 inputs the input number into the parent node 60. From the parent node 60, three transition branches 65 that are divided according to the postal code are output.

  Since the postal code of the input vote is "198", the server CPU 12 causes the intermediate node 61nB that transits along the transition branch 65 of the postal code 198 and the transition branch 65 of the generalized code "*" that does not specify the postal code. It is determined that it is possible to transit to the intermediate node 61nF that transits along the line. Since the range of data that can be transited to the intermediate node 61nB is narrower than the range of data that can be transited to the intermediate node 61nF, the server CPU 12 selects the transition branch 65 toward the intermediate node 61nB, and sets it to the intermediate node 61nB. Transfer processing. Note that, in the following description, the description of the determination in the case where the transition branch 65 of the generalized code “*” and the other transition branches 65 can be selected is omitted.

  From the intermediate node 61nB, three transition branches 65 that are divided according to age are output. Since the age of the input vote is 20, the server CPU 12 selects the transition branch 65 toward the acceptance node 63 of "198, 20, *". Since it has reached the acceptance node 63, the server CPU 12 determines that the result of anonymizing the input individual votes of "198, 20, woman" is "198, 20, *".

  An example will be described in which the server CPU 12 acquires the input individual number “198, 30, male” shown in the second line of FIG. 8 from the second client 25. The server CPU 12 inputs the input number into the parent node 60. From the parent node 60, three transition branches 65 that are divided according to the postal code are output. Since the postal code of the input number is "198", the server CPU 12 selects the transition branch 65 toward the intermediate node 61nB and moves the process to the intermediate node 61nB.

  From the intermediate node 61nB, three transition branches 65 that are divided according to age are output. Since the age of the input piece is 30, it does not match any label of the two transition branches 65 other than the generalized code “*”. The server CPU 12 determines that the generalized code “*” is applicable, and selects the transition branch 65 toward the intermediate node 61nD.

  From the intermediate node 61nD, two transition branches 65 that are divided according to sex are output. Since the sex of the input vote is male, the server CPU 12 selects the transition branch 65 toward the accepting node 63 of "198, *, male". Since it has reached the acceptance node 63, the server CPU 12 determines that the result of anonymizing the input individual votes of "198, 30, male" is "198, *, male".

  An example will be described in which the server CPU 12 obtains the input individual number “198, 60, woman” shown in the fifth line of FIG. 8 from the second client 25. The server CPU 12 inputs the input number into the parent node 60. From the parent node 60, three transition branches 65 that are divided according to the postal code are output. Since the postal code of the input number is "198", the server CPU 12 selects the transition branch 65 toward the intermediate node 61nB and moves the process to the intermediate node 61nB.

  From the intermediate node 61nB, three transition branches 65 that are divided according to age are output. Since the age of the input vote is 60, it does not match any of the labels of the three transition branches 65. The server CPU 12 determines that the generalized code “*” applies, and selects the transition branch 65 toward the intermediate node 61nD.

  From the intermediate node 61nD, two transition branches 65 that are divided according to sex are output. Since the sex of the input vote is female, it does not match any label of the two transition branches 65. The server CPU 12 determines that the generalized code “*” applies, and selects the bypass branch 67 toward the intermediate node 61nF.

  From the intermediate node 61nF, two transition branches 65 that are divided according to age are output. Since the age of the input piece is 60, it does not match any label of the two transition branches 65. Further, the transition branch 65 and the bypass branch 67 labeled with "*" are not output from the intermediate node 61nD. Therefore, the server CPU 12 cannot apply the input vote to the accepting node 63. The server CPU 12 determines that the result of anonymizing the input individual votes of "198, 60, woman" is "*, *, *" in which all items are replaced with generalized codes. In the following description, a piece in which all items are replaced with a generalized code is called a replacement piece.

  The processing by the anonymized automaton 32 described above will be briefly summarized. The server CPU 12 inputs the acquired input individual number into the parent node 60. The server CPU 12 makes a node transition along the transition branch 65 and the bypass branch 67 of the anonymized automaton 32. In the following description, the transition branch 65 and the bypass branch 67 will be collectively referred to as a determination branch.

  When there is no determination branch that matches the input individual number and the determination branch of “*” is output, the server CPU 12 selects the determination branch of “*”. If there is no determination branch that matches the input individual number and there is no “*” determination edge, the server CPU 12 determines that the replacement individual number is the result of the anonymization process. When the processing reaches the reception node 63, the server CPU 12 determines that the content of the reception node 63 is the result of anonymizing the input target.

  The server CPU 12 receives the input individual numbers sequentially transmitted from the second client 25, and performs the anonymization process described above. The server CPU 12 sequentially transmits the output number, which is the result of the anonymization process, to the first client 21.

  FIG. 10 is a flowchart showing the flow of processing of the program. The program shown in FIG. 10 is a program that acquires anonymized data, creates the anonymized automaton 32, and anonymizes the streaming data for output. The processing flow of the program according to the present embodiment will be described with reference to FIG.

  The server CPU 12 acquires the anonymized data DB 31 from the network via the communication unit 15 (step S501) and stores it in the auxiliary storage device 14. The anonymized data DB 31 may be stored in the auxiliary storage device 14 in advance.

  The server CPU 12 activates a subroutine for creating a hierarchical tree (step S502). The hierarchical tree creating subroutine is a subroutine for creating a hierarchical tree that is a tree structure having a hierarchy based on the anonymized individual records recorded in the anonymized data DB 31. The subroutine for creating a hierarchical tree is the first stage subroutine for creating the anonymized automaton 32. The processing flow of the hierarchical tree creation subroutine will be described later.

  The server CPU 12 activates a node reduction subroutine (step S503). The node reduction subroutine is a subroutine for deleting unnecessary intermediate nodes 61 and parent nodes 60 from a tree structure having a hierarchy, and reducing intermediate nodes 61 and changing parent nodes 60. The node reduction subroutine is the second stage subroutine for creating the anonymized automaton 32. The process flow of the node reduction subroutine will be described later.

  The server CPU 12 starts a bypass addition subroutine (step S504). The bypass addition subroutine is a subroutine that completes the anonymization automaton 32 by adding the bypass branch 67 to the anonymization automaton 32 being created. The bypass addition subroutine is a third stage subroutine for creating the anonymized automaton 32. The process flow of the bypass addition subroutine will be described later.

  The server CPU 12 saves the completed automaton 32 in the auxiliary storage device 14 (step S505).

  The CPU of the second client 25 acquires the input individual number generated by the second user performing input and the like (step S601). The CPU of the second client 25 transmits the acquired input form to the server 11 (step S602).

  The server CPU 12 receives the input vote (step S510). The server CPU 12 activates an anonymization subroutine (step S511). The anonymization subroutine is a subroutine for anonymizing by inputting the input pieces into the automaton 32 saved in step S505. The process flow of the anonymization subroutine will be described later.

  The server CPU 12 sends the anonymized output form to the CPU of the first client 21 (step S512). The CPU of the first client 21 saves the received output form (step S701).

  The server CPU 12 determines whether to end the process (step S515). The case of ending the processing is, for example, the case of receiving an input for ending the processing of the streaming data via the network.

  When it is determined that the processing is not to be ended (NO in step S515), the server CPU 12 returns to step S510. When it is determined that the process is to be ended (YES in step S515), the server CPU 12 ends the process.

  FIG. 11 is a flowchart showing the flow of processing of a subroutine for creating a hierarchical tree. The subroutine for creating a hierarchical tree is a subroutine for creating a tree structure having a hierarchy based on the anonymized individual records recorded in the anonymized data DB 31. The hierarchical tree described with reference to FIG. 4 is a hierarchical tree created by the hierarchical tree creation subroutine by processing the anonymized data DB 31 described with reference to FIG.

  The processing flow of hierarchical tree creation will be described with reference to FIG. The server CPU 12 creates and stores a hierarchical tree on the auxiliary storage device 14 or the main storage device 13.

  The server CPU 12 creates the parent node 60 (step S801). The server CPU 12 sets the counter I to the initial value 1 (step S802). The server CPU 12 sets the variable N to the initial value 1 (step S803). The server CPU 12 assigns the number 1 to the parent node 60.

  The server CPU 12 acquires the I-th record from the anonymized data DB 31 (step S804). The server CPU 12 sets the counter J to the initial value 1 (step S805).

  The server CPU 12 determines whether the transition branch 65 indicating the layer recorded in the Jth field of the record acquired in step S804 is output from the Nth node of the layer tree being created (step S806). When it is determined that there is no corresponding transition branch 65 (NO in step S806), the server CPU 12 adds the transition branch 65 and the node corresponding to the anonymized individual piece being processed to the hierarchical tree being created ( Step S807). The server CPU 12 gives a serial number to the added node.

  When it is determined that there is the corresponding transition branch 65 (YES in step S806), the server CPU 12 sets the variable N to the number of the node ahead of the corresponding transition branch 65 (step S808). When the node 61 is added in step S807, the server CPU 12 sets the variable N to the number of the added node (step S808).

  The server CPU 12 determines whether processing of all fields of the record acquired in step S804 has been completed (step S809). When it is determined that the processing has not ended (NO in step S809), the server CPU 12 adds 1 to the counter J (step S812). After that, the server CPU 12 returns to step S806.

  When it is determined that the processing of all fields is completed (YES in step S809), the server CPU 12 determines whether the processing of all records in the anonymized data DB 31 is completed (step S810). When it is determined that the processing has not ended (NO in step S810), the server CPU 12 adds 1 to the counter I (step S811). After that, the server CPU 12 returns to step S803.

  When it is determined that the processing of all records is completed (YES in step S810), the server CPU 12 ends the processing. Among the nodes added by the server CPU 12 in step S807, the node that has the transition branch 65 that outputs is the intermediate node 61, and the node that does not have the transition branch 65 that outputs is the accepting node 63.

  FIG. 12 is a flowchart showing the flow of processing of a node reduction subroutine. The node reduction subroutine is a subroutine for deleting unnecessary intermediate nodes 61 and parent nodes 60 from a tree structure having a hierarchy, and reducing intermediate nodes 61 and changing parent nodes 60. The process flow of the node reduction subroutine will be described with reference to FIG. The node reduction subroutine changes, for example, the hierarchical tree described with reference to FIG. 4 as described with reference to FIG.

  The server CPU 12 sets the counter N to the initial value 1 (step S821). The server CPU 12 determines whether the label of the transition branch 65 output from the Nth node is only the generalized code “*” (step S822).

  When it is determined that there is only the transition branch 65 of the generalized code “*” (YES in step S822), the server CPU 12 deletes the Nth node (step S823). The server CPU 12 connects the transition branch 65 that has been input to the deleted intermediate node 61 to the intermediate node 61 or the accepting node 63 behind the deleted intermediate node 61.

  If it is determined that there is not only the transition branch 65 of the generalized code "*" (NO in step S822) and after the end of step S823, the server CPU 12 determines whether or not the processing of all intermediate nodes 61 has been completed ( Step S824). When it is determined that the processing has not ended (NO in step S824), the server CPU 12 adds 1 to the counter N (step S825). After that, the server CPU 12 returns to step S822.

  If it is determined that the processing is completed (YES in step S824), the server CPU 12 ends the processing.

  13 and 14 are flowcharts showing the flow of the processing of the bypass addition subroutine. The bypass addition subroutine is a subroutine that completes the anonymization automaton 32 by adding the bypass branch 67 to the anonymization automaton 32 being created. The processing flow of the bypass addition subroutine will be described with reference to FIGS. 6, 13 and 14.

  The server CPU 12 sets the counter M to the initial value 1 (step S831). The server CPU 12 sets the counter K to the initial value 1 (step S832).

  The server CPU 12 determines whether or not the Kth node of the Mth node column 69 is the accepting node 63 (step S833). When it is determined that the node is not the accepting node 63 (NO in step S833), it is determined whether the transition branch 65 or the bypass branch 67 of the generalized code “*” is output from the Kth node of the Mth node sequence ( Step S834). When it is determined that the transition branch 65 or the bypass branch 67 of the generalized code “*” is not output (NO in step S834), the server CPU 12 substitutes K for the variable A (step S835).

  The server CPU 12 determines whether the variable A is 1 (step S836). Here, when the variable A is 1, it means that the A-th node of the M-th node sequence 69 is the parent node 60. When it is determined that the variable A is not 1 (NO in step S836), the server CPU 12 subtracts 1 from the variable A (step S837).

  The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 of the generalized code “*” is output from the A-th node of the M-th node sequence 69 (step S838). When it is determined that the transition branch 65 or the bypass branch 67 having the generalized code “*” is not output (NO in step S838), the server CPU 12 returns to step S836.

  When it is determined that the transition branch 65 of the generalized code “*” or the bypass branch 67 is outputting (YES in step S838), the server CPU 12 receives the variable N as an intermediate value input by the transition branch 65 of the generalized code “*”. It is set to the number of the node 61 (step S839).

  The server CPU 12 determines whether the Mth node sequence 69 includes the Nth intermediate node 61 (step S840). When it is determined that the Mth node sequence 69 includes the Nth intermediate node 61 (YES in step S840), the server CPU 12 returns to step S836.

  When it is determined that the Mth node sequence 69 does not include the Nth intermediate node 61 (NO in step S840), the server CPU 12 sets the bypass branch 67 from the Kth node of the Mth node sequence 69 toward the Nth intermediate node 61. It is added to the automaton 32 being created (step S841). The condition for selecting the bypass branch 67 is that the data of the same item as the transition branch 65 output from the Kth node is the generalized code “*”.

  When the Kth node of the Mth node column 69 is the accepting node 63 (YES in step S833), the server CPU 12 determines whether or not the processing up to the last node of the Mth node column 69 has been completed (step S842). .. Even when the transition branch 65 or the bypass branch 67 of the generalized code “*” is output from the Kth node of the Mth node column 69 (YES in step S834), the server CPU 12 reaches the last node of the Mth node column 69. It is determined whether or not the process of (3) is completed (step S842). When the variable A is 1 (YES in step S836) and after step S841 is completed, the server CPU 12 determines whether or not the processes up to the final node of the M-th node column 69 have been completed (step S842).

  When it is determined that the processing is not completed (NO in step S842), the server CPU 12 increments the counter K by 1 (step S843). After that, the server CPU 12 returns to step S833.

  When it is determined that the processing is completed (YES in step S842), the server CPU 12 determines whether the processing of all the node rows 69 is completed (step S844). When it is determined that the processing has not ended (NO in step S844), the server CPU 12 adds 1 to the counter M (step S845). After that, the server CPU 12 returns to step S832.

  When it is determined that the processing is completed (YES in step S844), the server CPU 12 ends the processing.

  FIG. 15 is a flowchart showing the flow of processing of the anonymization subroutine. The anonymization subroutine is a subroutine for anonymizing by inputting the input pieces into the automaton 32 saved in step S505. The process flow of the anonymization subroutine will be described with reference to FIG.

  The server CPU 12 sets the variable N to the initial value 1 (step S861). The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 corresponding to the input number is output from the Nth node (step S862).

  When it is determined that it has not been output (NO in step S862), the server CPU 12 sets, in the output data, the replacement individual number in which all items are generalized codes “*” (step S863). The server CPU 12 then ends the process.

  When it is determined that the variable N is being output (YES in step S862), the server CPU 12 sets the variable N to the number of the node ahead of the output transition branch 65 (step S871). At this time, the server CPU 12 gives priority to the transition branch 65 in which specific data is specified, over the transition branch 65 in which the generalized code “*” is specified.

  The server CPU 12 determines whether the Nth node is the accepting node 63 (step S872). When it is determined that it is not the receiving node 63 (NO in step S872), the server CPU 12 returns to step S862.

  When it is determined that the receiving node 63 is the receiving node 63 (YES in step S872), the server CPU 12 sets an individual piece having the content of the receiving node 63 as output data (step S873). After that, the server CPU 12 ends the process.

  According to the present embodiment, by using the anonymization automaton 32, it is possible to sequentially anonymize input individual votes, which are streaming data, one by one. Since the output of the anonymized automaton 32 matches the anonymized individual vote included in the existing anonymized data, the input individual vote is anonymized.

  In step S871, by inputting the transition branch 65 in which specific data is specified over the transition branch 65 in which the generalized code “*” is specified, input is made in a narrow domain within a range in which anonymity can be secured. Generalize individual votes. Also, by using the bypass branch 67, an attempt is made to generalize with another node sequence 69 if the appropriate acceptor node 63 is not reached.

  According to this embodiment, anonymity can be secured while avoiding excessive generalization. Therefore, it is possible to anonymize the input data of the streaming data suitable for secondary use.

  The anonymized data DB 31 and the anonymized automaton 32 may be stored in an external storage device connected via a network.

  The method of anonymizing when creating the anonymized data DB 31 is not limited to generalization. The anonymized data DB 31 is not limited to the DB having k-anonymity. The anonymized data DB 31 having an arbitrary level of anonymity can be used by using an arbitrary anonymization method.

[Embodiment 2]
The second embodiment relates to an information processing system 10 capable of changing the priority order of items when anonymizing. Note that the description of the same parts as those in the first embodiment will be omitted.

  FIG. 16 is an explanatory diagram showing an example of streaming data after anonymization processing according to the second embodiment. FIG. 17 is an explanatory diagram showing the anonymized automaton 32 of the second embodiment. 16 shows a result of anonymizing the streaming data shown in FIG. 8 using the anonymization automaton 32 shown in FIG.

  Differences between the streaming data anonymized by the present embodiment shown in FIG. 16 and the streaming data anonymized by the first embodiment shown in FIG. 9 will be described. In the present embodiment, it is prioritized to output the data of the original data of the gender without generalization. On the other hand, in the first embodiment, priority is given to outputting the postal code data without generalizing it. Thus, by changing the anonymization automaton 32, it is possible to change which item is preferentially output. Whether it is preferable to give priority to gender or zip code depends on the purpose of secondary use of anonymized data.

  FIG. 18 is a flowchart showing the flow of processing of the program according to the second embodiment. The processing flow of the program according to the present embodiment will be described with reference to FIG.

  The server CPU 12 acquires the anonymized data DB 31 from the network via the communication unit 15 (step S501) and stores it in the auxiliary storage device 14. The server CPU 12 acquires the priority order of the items stored in the auxiliary storage device 14 in advance (step S531). The server CPU 12 may acquire the priority order of items from the first client 21 or the like via the network.

  The server CPU 12 replaces the fields of the anonymized data DB 31 according to the priority order acquired in step S531 (step S532). For example, the server CPU 12 sets the field in which the item with the highest priority is recorded as the first field and the field in which the item with the second highest priority is recorded as the second field.

  The server CPU 12 activates a subroutine for creating a hierarchical tree (step S502). Subsequent processing is the same as that of the first embodiment described with reference to FIG. 10, and thus description thereof will be omitted.

  FIG. 17 described above shows the automaton created by the server CPU 12 in step S531 by obtaining the priority order of sex, age, and zip code.

  According to the present embodiment, it is possible to provide an information processing device that anonymizes streaming data according to the purpose of secondary usage.

[Third Embodiment]
The third embodiment relates to an information processing system 10 that anonymizes only some items. Note that the description of the same parts as those in the first embodiment will be omitted.

  FIG. 19 is an explanatory diagram showing an example of streaming data according to the third embodiment. FIG. 20 is an explanatory diagram showing an example of streaming data after anonymization processing according to the third embodiment. As shown in FIG. 19, the streaming data according to the present embodiment is an input individual vote including an item of disease in addition to sex, year of birth, and zip code. As shown in FIG. 20, the items of sex, year of birth, and zip code are anonymized, but the items of diseases are output without anonymization. In the following description, items that are output without anonymization are referred to as non-anonymized items.

  Further, in the present embodiment, the arrangement order of the fields of the anonymized data DB 31 is different from the arrangement order of the items of the input data of the streaming data. The arrangement order of the items of the individual items of the streaming data is stored in the auxiliary storage device 14 in advance or included in the input individual items.

  FIG. 21 is a flowchart showing the flow of processing of the anonymization subroutine of the third embodiment. The subroutine shown in FIG. 21 is a subroutine used in place of the subroutine described with reference to FIG. The process flow of the anonymization subroutine of this embodiment will be described with reference to FIG.

  The server CPU 12 sets the variable N to the initial value 1 (step S861). The server CPU 12 determines whether the transition branch 65 or the bypass branch 67 corresponding to the input number is output from the Nth intermediate node 61 (step S862).

  When it is determined that the output has not been performed (NO in step S862), the server CPU 12 sets, as output data, data obtained by replacing all items to be anonymized with the generalized code “*” (step S875).

  When it is determined that the variable N is being output (YES in step S862), the server CPU 12 sets the variable N to the number of the intermediate node 61 ahead of the output transition branch 65 (step S871). At this time, the server CPU 12 gives priority to the transition branch 65 in which specific data is specified, over the transition branch 65 in which the generalized code “*” is specified.

  The server CPU 12 determines whether the Nth node is the accepting node 63 (step S872). When it is determined that it is not the receiving node 63 (NO in step S872), the server CPU 12 returns to step S862.

  When it is determined that the receiving node 63 is the receiving node 63 (YES in step S872), the server CPU 12 sets the content of the receiving node 63 in the output data (step S873). After the end of steps S873 and S875, the server CPU 12 adds the non-anonymized item to the output data (step S876). After that, the server CPU 12 ends the process.

  According to the present embodiment, it is possible to anonymize the input individual vote in a state in which the data of highly important items are completely left in the secondary use such as disease names. In addition, according to the present embodiment, it is possible to anonymize the input form of streaming data that includes items different from the original data when creating the anonymized data DB 31.

  It should be noted that the server CPU 12 may change the order of the items of the output individual items in accordance with the data recorded in the anonymized data DB 31 after the step S876 and before ending the processing of this subroutine. By doing so, for example, the first user can easily use the anonymized data DB 31 and the streaming data in combination.

[Embodiment 4]
The fourth embodiment relates to an information processing system 10 that creates an anonymized automaton 32 by deleting an unnecessary transition branch 65 after creating a large hierarchical tree. Note that the description of the same parts as those in the first embodiment will be omitted.

  22 and 23 are explanatory diagrams showing a process of creating a hierarchical tree according to the fourth embodiment. 22 will be described. FIG. 22 shows an initial stage of creating a hierarchical tree. In FIG. 22, the intermediate nodes 61 of each layer have the same type and number of transition branches 65. 22 and 23, the illustration of the number of the receiving node 63 is omitted.

  Specifically, all the intermediate nodes 61 of the second layer have three transition branches 65 whose ages are “20”, “50”, and “*”. All the intermediate nodes 61 of the third layer have three transition branches 65 having genders of “male”, “female” and “*”. The number of transition branches 65 between layers is the same as the number of types of data included in each field. The content of each reception node 63 corresponds to the transition branch 65 through which the reception node 63 is reached from the parent node 60.

  FIG. 23 shows a process of deleting a receiving node 63 that does not match the anonymized individual number contained in the anonymized data DB 31. For example, the individual vote “198, 20, male” described at the left end of FIG. 23 is not included in the anonymized data DB 31. The server CPU 12 deletes such an accepting node 63 from the hierarchical tree, thereby preventing the output of individual chips for which anonymization processing is insufficient.

  When deleting the acceptance node 63, the server CPU 12 also deletes the transition branch 65 input to the acceptance node 63. At this time, when an intermediate node 61 that does not have the output transition branch 65 occurs, the server CPU 12 also deletes the intermediate node 61. By completing the above processing, a hierarchical tree similar to the hierarchical tree described using FIG. 4 is completed.

  FIG. 24 is a flow chart showing the flow of processing of the hierarchical tree creating subroutine of the fourth embodiment. The subroutine shown in FIG. 24 is a subroutine used instead of the subroutine described with reference to FIG. The processing flow of the subroutine for creating a hierarchical tree according to the present embodiment will be described with reference to FIG.

  The server CPU 12 creates the parent node 60 (step S901). The server CPU 12 sets the counter J to the initial value 1 (step S902).

  The server CPU 12 extracts the type of data included in the Jth field of the anonymized data DB 31 (step S903). The anonymized data DB 31 shown in FIG. 3 will be described as an example. The zip code field, which is the first field, contains three types of data, "198", "998", and "*". Therefore, when J = 1, the server CPU 12 extracts three pieces of data “198”, “998”, and “*”.

  The server CPU 12 creates the transition branch 65 and the intermediate node 61 corresponding to each data extracted in step S903 in the (J + 1) th layer (step S904). For example, when J = 1, the server CPU 12 creates three intermediate nodes 61 and a transition branch 65, which are an intermediate node 61n2, an intermediate node 61n3, and an intermediate node 61n4. Of the nodes created in step S914, the node that does not have the transition branch 65 to output is the accepting node 63.

  The server CPU 12 determines whether or not processing of all fields of the anonymized data DB 31 has been completed (step S905). When it is determined that the processing has not ended (NO in step S905), the server CPU 12 adds 1 to the counter J (step S906). After that, the server CPU 12 returns to step S903.

  When it is determined that the process is completed (YES in step S905), the server CPU 12 sets the variable N to the initial value 1 (step S910). The server CPU 12 determines whether or not the individual form corresponding to the Nth accepting node 63 exists in the anonymized data DB 31 (step S911). When it is determined that the node does not exist (NO in step S911), the server CPU 12 deletes the reception node 63 from the hierarchical tree being created (step S912). The server CPU 12 also deletes the transition branch 65 input to the deleted acceptance node 63. At this time, when the intermediate node 61 that does not have the output transition branch 65 occurs, the server CPU 12 also deletes the intermediate node 61 that does not have the transition branch 65.

  When it is determined that the accepting node 63 exists (YES in step S911) and after the end of step S912, the server CPU 12 determines whether or not the processes of all the accepting nodes 63 have been completed (step S913). When it is determined that the processing has not ended (NO in step S913), the server CPU 12 adds 1 to the counter N (step S914). After that, the server CPU 12 returns to step S911.

  If it is determined that the processing is completed (YES in step S913), the server CPU 12 ends the processing.

  According to this embodiment, the anonymized automaton 32 can be created by an algorithm different from that of the first embodiment. The method for creating the anonymized automaton 32 is not limited to the methods described in the present embodiment and the first embodiment. If the parent node 60 and the accepting node 63 corresponding to the anonymized individual pieces included in the anonymized data DB 31 are provided, the anonymized automaton 32 created by any method can be used.

  The anonymization automaton 32 shown in FIG. 7 is an image for explaining the function of the anonymization automaton 32. The anonymized automaton 32 may be represented in a state transition table or any other format and stored in the auxiliary storage device 14.

[Fifth Embodiment]
The fifth embodiment relates to an information processing system 10 that accumulates streaming data and recreates the anonymized automaton 32. Note that the description of the same parts as those in the first embodiment will be omitted.

  FIG. 25 is an explanatory diagram showing the configuration of the information processing system 10 according to the fifth embodiment. The information processing system 10 includes a server 11, a first client 21, a second client 25, and an anonymization server 18. The server 11, the first client 21, the second client 25, and the anonymization server 18 are connected via a network.

  The anonymization server 18 is a server that acquires the original data individual votes and creates the anonymized data DB 31. The anonymization server 18 of the present embodiment is a general-purpose personal computer, an information device such as a large-scale computer, or the like. Further, the server 11 and the anonymization server 18 of this exemplary embodiment may be virtual machines that operate on the same hardware. The anonymization server 18 is an example of the creation unit according to the present embodiment.

  Like the server 11, the anonymization server 18 includes a CPU, a main storage device, an auxiliary storage device, and a communication unit. Original data before anonymization is stored in the auxiliary storage device of the anonymization server 18. Illustration of the internal configuration of the anonymization server 18 is omitted.

  FIG. 26 is a flowchart showing the flow of processing of the program according to the fifth embodiment. The processing flow of this embodiment will be described with reference to FIG.

  The CPU of the anonymization server 18 acquires a large number of original data individual votes (step S951). It should be noted that the original data individual number may be a number of individual numbers sequentially generated from the second client 25.

  The CPU of the anonymization server 18 anonymizes the acquired original data individual form to create the anonymized data DB 31 (step S952). To anonymize the original data individual votes, for example, k-anonymization, Pk-anonymization, anonymization based on laws and guidelines such as US HIPAA (Health Insurance Portability and Accountability Act) privacy rules and guidelines can be used. Can be used. The CPU of the anonymization server 18 transmits the anonymized data DB 31 to the server 11.

  The server CPU 12 acquires the anonymized data DB 31 via the communication unit 15 (step S501) and acquires it in the auxiliary storage device 14. Since the processing performed by the server CPU 12 and the processing performed by the CPU of the first client 21 up to step S512 are the same as those in the first embodiment, the description thereof will be omitted.

  The CPU of the second client 25 acquires the input individual number generated by the second user performing input and the like (step S601). The CPU of the second client 25 transmits the acquired input vote to the server 11 and the anonymization server 18 (step S611).

  The CPU of the anonymization server 18 receives the input form (step S953) and stores it in the input form storage unit provided in the auxiliary storage device. The anonymization server 18 repeats step S953 each time the second client 25 transmits the input individual number.

  The CPU of the anonymization server 18 collectively creates the new anonymized data DB 31 by combining the original data individual data acquired in step S951 and the input individual data received in step S953 as original data (step S954). At this time, the CPU of the anonymization server 18 realizes the function of the recreating unit of this embodiment. The timing when the CPU of the anonymization server 18 executes step S954 can be arbitrarily determined. For example, the anonymization server 18 performs step S954 at a predetermined time, such as weekly or monthly. Further, the CPU of the anonymization server 18 may execute step S954 when the number of input votes received in step S953 exceeds a predetermined number.

  The CPU of the anonymization server 18 notifies the server 11 that the new anonymized data DB 31 has been created (step S955).

  The server CPU 12 determines whether to end the process (step S515). When it is determined that the process is to be ended (YES in step S515), the server CPU 12 ends the process.

  When it is determined that the processing is not to be ended (NO in step S515), the server CPU 12 determines whether or not the new anonymized data DB 31 exists (step S552). The presence or absence of the new anonymized EB 31 is determined by whether or not the anonymization server 18 has received the notification transmitted in step S955.

  If it is determined that there is not any (NO in step S552), the server CPU 12 returns to step S510. When it is determined that the file exists (YES in step S552), the server CPU 12 returns to step S501.

  According to the present embodiment, it is possible to provide the information processing system 10 that updates the anonymized automaton 32 at any time by reflecting streaming data. Even when the input individual-bit data has a trend that changes with the passage of time, it is possible to provide useful anonymized data without becoming obsolete.

[Sixth Embodiment]
The sixth embodiment relates to an information processing system 10 that creates anonymized automata 32 and anonymizes streaming data by different servers. The description of the parts common to those of the fifth embodiment will be omitted.

  FIG. 27 is a flowchart showing the flow of processing of the program according to the sixth embodiment. The processing flow of this embodiment will be described with reference to FIG.

  The CPU of the anonymization server 18 acquires a majority source data individual vote (step S951). It should be noted that the original data may be data in which input individual numbers sequentially generated from the second client 25 are accumulated.

  The CPU of the anonymization server 18 anonymizes the acquired original data individual form to create the anonymized data DB 31 (step S952). The CPU of the anonymization server 18 activates a subroutine for creating a hierarchical tree (step S961). The subroutine described with reference to FIG. 11 or the subroutine described with reference to FIG. 24 can be used for the subroutine for creating a hierarchical tree.

  The CPU of the anonymization server 18 starts a node reduction subroutine (step S962). The subroutine described with reference to FIG. 12 can be used for the node reduction subroutine.

  The CPU of the anonymization server 18 activates a bypass addition subroutine (step S963). As the bypass addition subroutine, the subroutine described with reference to FIGS. 13 and 14 can be used.

  The CPU of the anonymization server 18 transmits the completed anonymization automaton 32 to the server 11 (step S964). The server CPU 12 acquires the anonymized automaton 32 (step S561).

  The CPU of the second client 25 acquires the input individual number generated by the second user performing input and the like (step S601). The CPU of the second client 25 transmits the acquired input vote to the server 11 and the anonymization server 18 (step S611).

  The server CPU 12 receives the input form of streaming data from the second client 25 (step S510). The server CPU 12 activates an anonymization subroutine (step S511). As the anonymization subroutine, the subroutine described with reference to FIG. 15 or the subroutine described with reference to FIG. 21 can be used. It is desirable that the server CPU 12 delete the input individual number received in step S510 from the auxiliary storage device 14 or the like after the end of step S511.

  The server CPU 12 sends the anonymized output form to the CPU of the first client 21 (step S512). The CPU of the first client stores the received output form (step S701).

  The server CPU 12 determines whether to end the process (step S515). When it is determined that the processing is not to be ended (NO in step S515), the server CPU 12 returns to step S561. When it is determined that the process is to be ended (YES in step S515), the server CPU 12 ends the process.

  The CPU of the anonymization server 18 receives the input vote (step S953) and stores it in the main storage device 13 or the auxiliary storage device. The anonymization server 18 repeats step S953 each time the second client 25 transmits the input individual number.

  The CPU of the anonymization server 18 determines whether to recreate the anonymized data DB 31 (step S954). The conditions for re-creating can be set arbitrarily. For example, the CPU of the anonymization server 18 may determine to recreate it every week or every month (YES in step S954). In addition, the CPU of the anonymization server 18 may determine to recreate (YES in step S954) when the number of input pieces received in step S953 exceeds a predetermined number.

  When it is determined to recreate the anonymized data DB 31 (YES in step S954), the CPU of the anonymization server 18 returns to step S952. When it is determined that the anonymized data DB 31 is not recreated (NO in step S954), the CPU of the anonymization server 18 returns to step S953.

  According to the present embodiment, it is possible to provide the information processing system 10 that performs the anonymization automaton 32 and the anonymization of the input individual pieces of streaming data with different hardware. By setting the security level of the anonymization server 18 that handles a large amount of personal information to be high, it is possible to protect the personal information.

[Embodiment 7]
FIG. 28 is a functional block diagram showing operations of the information processing apparatus 11 according to the seventh embodiment. The information processing device 11 operates as follows under the control of the server CPU 12.

  The acquisition unit 51 acquires an input individual vote having data associated with each of a plurality of items. The conversion unit 52 outputs the input vote acquired by the acquisition unit 51 to the same output vote as any one of the anonymized votes having data associated with the plurality of items based on the rule. Convert to.

[Embodiment 8]
The eighth embodiment relates to a mode in which the server 11 of the present embodiment is realized by operating a general-purpose computer and a program 47 in combination. FIG. 29 is an explanatory diagram showing the configuration of the information processing system 10 according to the eighth embodiment. The configuration of this embodiment will be described with reference to FIG. Note that the description of the parts common to the first embodiment is omitted.

  The information processing system 10 of the present embodiment includes a server computer 45, a first client 21 and a second client 25. The server computer 45, the first client 21 and the second client 25 are connected via a network.

  The server computer 45 includes a server CPU 12, a main storage device 13, an auxiliary storage device 14, a communication unit 15, a reading unit 17, and a bus. The server computer 45 is an information processing device such as a general-purpose personal computer.

  The program 47 is recorded in the portable recording medium 48. The server CPU 12 reads the program 47 via the reading unit 17 and saves it in the auxiliary storage device 14. Further, the server CPU 12 may read the program 47 stored in the semiconductor memory 49 such as a flash memory installed in the server computer 45. Further, the server CPU 12 may download the program 47 from another server computer (not shown) connected via the communication unit 15 and a network (not shown) and store the program 47 in the auxiliary storage device 14.

  The program 47 is installed as a control program of the server computer 45, loaded into the main storage device 13 and executed. Thereby, the server computer 45 functions as the server 11 described above.

The technical features (constituent elements) described in the respective embodiments can be combined with each other, and by combining them, new technical features can be formed.
The embodiments disclosed this time are to be considered as illustrative in all points and not restrictive. The scope of the present invention is defined not by the above meaning but by the scope of the claims, and is intended to include meanings equivalent to the scope of the claims and all modifications within the scope.

(Appendix 1)
An acquisition unit that acquires an input individual number having data associated with each of a plurality of items,
Conversion for converting the input vote acquired by the acquisition unit into the same output vote as any one of the plurality of anonymized votes having data associated with the plurality of items, based on a rule An information processing device including a unit.

(Appendix 2)
When the conversion unit cannot convert the input individual number into the same output individual number as the anonymized individual number, all the data associated with the item of the anonymized individual number is converted to another one. The information processing apparatus according to appendix 1, wherein the information is converted into a replacement individual piece replaced with data.

(Appendix 3)
The rule is a rule for converting the input vote into an output vote in which the data associated with each item is the same as the data associated with each item of the input vote or other data that replaces the data. The information processing apparatus according to supplementary note 1 or supplementary note 2.

(Appendix 4)
The rule has a plurality of layers of decision branches corresponding to the items and data that the anonymized individual vote has, and the output votes are determined by the decision branches of each layer,
The conversion unit selects the determination branch when the data associated with the item of the input individual corresponds to the determination branch, and converts the input individual into the output individual defined by the selected determination branch. The information processing apparatus according to any one of appendices 1 to 3.

(Appendix 5)
The information processing apparatus according to any one of appendices 1 to 4, wherein the conversion unit sequentially converts the acquired input individual number.

(Appendix 6)
The information processing apparatus according to any one of appendices 1 to 5, wherein the conversion unit does not transform the data of the input individual form associated with an item that the anonymized individual form does not have.

(Appendix 7)
The anonymized individual vote is an individual vote in which data associated with some or all items is replaced with other data. The information processing apparatus according to any one of appendices 1 to 6.

(Appendix 8)
The information processing device according to appendix 1 to 7, wherein the anonymized individual bill has k-anonymity.

(Appendix 9)
The rules are
An input node,
A plurality of accepting nodes that are associated with the anonymized individual vote and that can transition from the input node;
A plurality of decision branches indicating conditions of transition from the input node to the accept node,
The information processing device according to any one of appendices 1 to 8, which is a finite state automaton, comprising: a plurality of nodes connected to the determination branch.

(Appendix 10)
The information processing apparatus according to appendix 9, wherein the finite state automaton makes a transition to a node having a narrow range of data to be transitioned when there are a plurality of nodes that can transition based on the input number from one node. ..

(Appendix 11)
The finite automaton is
11. The information processing apparatus according to appendix 9 or 10, further comprising a bypass branch that transitions from a node included in one node string connected from an input node to one accepting node to a node included in another node string.

(Appendix 12)
12. The information processing device according to appendix 11, wherein the bypass branch causes a node included in the one node sequence to make a transition from a node that cannot be transited to any other node.

(Appendix 13)
The information processing apparatus according to any one of appendices 1 to 12, further comprising: a creation unit that creates an anonymized individual vote from a plurality of original data individual votes each having data associated with a plurality of items.

(Appendix 14)
An original data storage unit that stores an original data individual piece having data associated with each of a plurality of items,
A creation unit for creating anonymized individual votes from the original data individual votes stored in the original data storage section,
An input number storage unit that stores the acquired input number,
Note 1 to Note 12 further comprising: a recreating unit for recreating the anonymized individual vote from the original data individual form stored in the original data storage unit and the input individual form stored in the input individual form storage unit. The information processing apparatus described in any one of 1.

(Appendix 15)
Acquire the input number that has the data respectively associated with multiple items,
Causes the computer to execute the processing of converting the acquired input individual vote into the same output individual vote as any one of the plurality of anonymized individual votes having the data respectively associated with the plurality of items. Information processing method.

(Appendix 16)
Acquire the input number that has the data respectively associated with multiple items,
A program for causing a computer to execute a process for converting the acquired input individual vote into the same output individual vote as one of the plurality of anonymized individual votes having data associated with each of the plurality of items ..

10 Information Processing System 11 Server (Information Processing Device)
12 server CPU
13 main storage device 14 auxiliary storage device 15 communication unit 17 reading unit 18 anonymization server 21 first client 25 second client 31 anonymized data DB
32 Anonymized Automata (rule)
45 server computer 47 program 48 portable storage medium 49 semiconductor memory 51 acquisition unit 52 conversion unit 60 parent node 61 intermediate node 63 acceptance node 65 transition branch 67 bypass branch 69 node sequence

Claims (8)

An acquisition unit that sequentially acquires input individual numbers each having data associated with a plurality of items,
The input individual vote acquired by the acquisition unit is sequentially converted into the same output individual vote as any one of the plurality of anonymized individual votes having the data respectively associated with the plurality of items based on the rule. And a conversion unit ,
When the conversion unit cannot convert the input individual number into the same output individual number as the anonymized individual number, all the data associated with the item of the anonymized individual number is converted to another one. An information processing device that converts the data into replacement individual data . The rule is a rule for converting the input vote into an output vote in which the data associated with each item is the same as the data associated with each item of the input vote or other data that replaces the data. Is
The information processing apparatus according to claim 1 . The rule has a plurality of layers of decision branches corresponding to the items and data that the anonymized individual vote has, and the output votes are determined by the decision branches of each layer,
The conversion unit selects the determination branch when the data associated with the item of the input individual corresponds to the determination branch, and converts the input individual into the output individual defined by the selected determination branch. The information processing apparatus according to claim 1 or 2 . The input vote, the anonymized vote and the output vote include anonymized items and non-anonymized items,
The converting unit, together with the input microdata have the same anonymous items and anonymized item of any one of the anonymous already microdata of said anonymized already microdata, the non-anonymous said input microdata The information processing apparatus according to any one of claims 1 to 3 , wherein the information is converted into an output individual form having the same non-anonymized item as the generalized item . The rules are
An input node,
A plurality of accepting nodes that are associated with the anonymized individual vote and that can transition from the input node;
A plurality of decision branches indicating conditions of transition from the input node to the accept node,
The information processing apparatus according to any one of claims 1 to 4 , which is a finite state automaton including a plurality of nodes connected to the determination branch. The finite automaton is
The information processing apparatus according to claim 5 , further comprising a bypass branch that transitions from a node included in one node sequence connected from the input node to one reception node to a node included in another node sequence. Through the network line, sequentially obtain the input form with the data associated with each item,
Based on the rules, the obtained input votes are sequentially converted into the same output votes as any one of a plurality of anonymized votes having data associated with the plurality of items ,
When it is not possible to convert the input individual vote into the same output individual vote as the anonymized individual vote, all data associated with the items of the anonymized individual vote are replaced with other data Convert into individual votes,
An information processing method for causing a computer to execute a process of transmitting a converted output form . Sequentially acquire the input number of items having data associated with each of a plurality of items,
Based on the rules, the obtained input votes are sequentially converted into the same output votes as any one of a plurality of anonymized votes having data associated with the plurality of items ,
When it is not possible to convert the input individual vote into the same output individual vote as the anonymized individual vote, all data associated with the items of the anonymized individual vote are replaced with other data A program that causes a computer to execute the process of converting into individual pieces .

Images