KR102218374B1 - Method and Apparatus for Measuring Quality of De-identified Data for Unstructured Transaction - Google Patents

Abstract

The present embodiments re-identify using an individual redundancy model, a model that verifies whether a specific individual cannot be identified when the same set of items appears in at least different transactions in a transaction database containing personal information for a plurality of individuals. By verifying the existence of the original record and measuring the similarity of the original using the utilization quality index that numerically measured the statistical similarity of the difference between the original record and the non-identified record, an indicator of the similarity between the de-identified transaction data and the original data Provides a method and apparatus for measuring the quality of non-identifying data of personal information that provides a measure of the possibility of re-identification.

Description

{Method and Apparatus for Measuring Quality of De-identified Data for Unstructured Transaction}

The technical field to which this embodiment belongs relates to a method and apparatus for measuring the quality of unstructured transaction unidentified data.

The content described in this section merely provides background information on the present embodiment and does not constitute the prior art.

In recent years, due to the rapid development and explosive growth of information and communication technologies, the amount of data is increasing, and accordingly, technologies for collecting and managing large amounts of data and analysis technologies based on advanced distributed processing systems are maturing.

Among the large volumes of data distributed, transaction data, which is unstructured data, has various information including individual supermarket purchase information and hospital diagnosis details, and appears in the form of various types of item sets. In addition, since transaction data helps discover a great deal of new knowledge in areas such as marketing and pharmaceuticals, research and distribution of transaction data is essential.

However, when circulating transaction data, there is also a risk of personal information infringement by linking individual records contained in transaction data to identity information. In order to prevent such infringement of personal information, measures to de-identify data when using data containing personally identifiable information suggested by current laws to prevent issues related to leakage of personal information from occurring as a law related to personal information protection is initiated. Essentially required.

Korea Publication No. 10-2018-0119104 (2018.11.01)

Embodiments of the present invention have a main object of the present invention to provide an index for similarity between non-identified data and original data and a measure for re-identification possibility.

Still other objects, not specified, of the present invention may be additionally considered within the range that can be easily deduced from the following detailed description and effects thereof.

According to an aspect of the present embodiment, in a method of measuring the quality of personal information non-identifying data by a computing device, when identical item sets appear in at least different individual transactions in a transaction database containing personal information for a plurality of individuals. The original using quality indicators that numerically measure statistical similarity between the original record and the non-identified record, and the step of verifying whether to re-identify using the individual redundancy model, a model that verifies whether a specific individual cannot be identified. It provides a method of measuring the quality of non-identifying data of personal information, including measuring the degree of similarity.

According to another aspect of the present embodiment, it includes one or more processors and a memory for storing one or more programs executed by the one or more processors, wherein the processor is the same item set in a transaction database containing personal information for a plurality of individuals. A re-identification verifier that verifies whether or not a specific individual is not identified when they appear in at least different individuals' transactions, and the statistical similarity between the original and non-identified records A device for measuring the quality of non-identifying data of personal information including an original similarity measuring unit that measures whether or not the original similarity is measured using the utilization quality index measured numerically.

As described above, according to the embodiments of the present invention, the re-identification risk and the possibility of personal estimation are specific to the same item sets appearing in the corresponding item set of at least p different persons in the transaction database containing personal information for several individuals. The'individual redundancy (p)' model, which is a model that verifies whether an individual cannot be identified, is presented as a verification model. Original similarity is very similar to the original by quantitatively evaluating the degree of similarity between the original transaction data and the de-identified transaction data, preventing the use of data with poor statistical similarity due to the problem of re-identification of a specific individual or too different from the original There is an effect that can prevent.

Even if it is an effect not explicitly mentioned herein, the effect described in the following specification expected by the technical features of the present invention and the provisional effect thereof are treated as described in the specification of the present invention.

1 is a block diagram illustrating an apparatus for measuring quality of non-identifying personal information data according to an embodiment of the present invention.
2 is a flowchart of a non-identifying risk quality indicator according to an embodiment of the present invention.
3 is a flowchart showing a similarity of the original residual rate according to an embodiment of the present invention.
4 is a flowchart of an item-based original similarity according to an embodiment of the present invention.
5 is a diagram illustrating item hierarchy information of Table 2 according to an embodiment of the present invention.
6 is a flowchart illustrating a method of measuring quality of non-identifying personal information data according to an embodiment of the present invention.
7 is a flowchart illustrating a method of measuring quality of non-identifying personal information data according to an embodiment of the present invention.
8 is a block diagram illustrating and describing a computing environment including a computing device suitable for use in embodiments.

Hereinafter, in describing the present invention, when it is determined that the subject matter of the present invention may be unnecessarily obscured as matters apparent to those skilled in the art with respect to known functions related to the present invention, a detailed description thereof will be omitted, and some embodiments of the present invention will be described. It will be described in detail through exemplary drawings.

1 is a block diagram illustrating an apparatus for measuring quality of non-identifying personal information data. As shown in FIG. 1, the apparatus 10 for measuring the quality of non-identified personal information data includes a re-identification verification unit 100 and an original similarity measurement unit 200. The apparatus 10 for measuring the quality of personal information non-identifying data may omit some elements or additionally include other elements among various elements illustrated in FIG. 1.

The apparatus 10 for measuring the quality of non-identified personal information data presents a quality evaluation index for the non-identified data set based on the risk of re-identification of the non-identified transaction data and the personal estimate and the similarity of the original.

Transaction data is a form of unstructured data that does not have a predefined data model or is not standardized. It has various information including personal supermarket purchase information and hospital diagnosis details, and appears in the form of various item sets. This can help in areas such as marketing and pharmaceuticals.

De-identification is a process of converting some or all of personal information so that a specific individual cannot be identified, and the personal identification data is converted or replaced with another value.

The re-identification verification unit 100 includes a personal redundancy-based table generation unit 110, a re-identification risk calculation unit 120, and a personal estimation possibility risk calculation unit 130.

The re-identification verification unit 100 uses a personal redundancy model, which is a model that verifies whether a specific individual cannot be identified when the same set of items appears in at least different transactions in a transaction database containing personal information for a plurality of individuals. To verify re-identification.

The personal redundancy-based table generation unit 110 finds a set of frequent items based on personal redundancy by using the total number of individual redundancy, which is the total number of individuals who have generated the transaction in which the items of personal information appear, as a concept of support, and finds a set of frequent items based on personal redundancy. Create

When the personal information model is 1, the re-identification risk calculation unit 120 checks and re-examines the transaction record that can identify whether a specific individual is a transaction because the corresponding transaction items occur only to a specific individual in the transaction record including personal information. Calculate identification risk.

When the personal information model is 2 or more, the individual estimation possibility risk calculation unit 130 evaluates the probability of estimating a specific individual and calculates the individual estimation possibility through the individual estimation possibility risk according to the transaction database.

The original similarity measurement unit 200 includes a residual ratio calculation unit 210 and an original similarity calculation unit 220.

The original similarity measurement unit 200 measures whether or not the original similarity is based on a utilization quality index that numerically measures the statistical similarity between the original record and the non-identified record.

In the process of converting the original data into non-identifying data, the residual rate calculation unit 210 removes records that violate the de-identification processing to form fewer non-identified records than the number of original data, and The residual rate is calculated using the number of records.

The original similarity calculation unit 220 calculates the original similarity of the transaction record by forming a 1-item original similarity for each item of the transaction record, and comparing the original similarity and the original data set for each item. The 1-item original similarity is calculated as the number of child nodes representing the item hierarchy information to the domain size of the entire item, and the original similarity and information loss are inversely proportional. The original similarity of the transaction record is calculated by assigning the weight to the 1-item original similarity, and each item corresponding to the transaction has a weight as the total size of the items.

The original similarity of the transaction record represents the similarity between the original record set and the non-identification result record set, calculates the similarity to the original record for each record of the non-identification result record set, and averages the similarity to calculate the result similarity. The result similarity is used as an indicator of statistical similarity and utilization quality for non-identification measures.

Hereinafter, a method of re-identification verification by the apparatus 10 for measuring the quality of non-identifying personal information data through an unstructured transaction will be described.

Individual redundancy (p-redundancy) is a transactional database of items that contain personal information for multiple individuals, and when the same items appear in at least different P (P is a natural number) transactions, a specific individual can be identified. Make it impossible to discern.

The p-redundancy in a transactional database containing personal information requires at least P different individuals to have the living information for the same living information.

Table 1 below shows the personal information personal information table, and Table 2 shows the original transaction table for each individual.

USER_ID NAME INCOME UID1 John 3,400,000 UID2 Alice 1,500,000 UID3 Bob 5,640,000

TRANSACTION USER_ID ITEMS TID1 UID1 Milk, eggs, butter, bread TID2 UID2 Milk, eggs, bread TID3 UID3 Milk, butter TID4 UID1 Milk, eggs and coffee TID5 UID2 Bread, ramen TID6 UID1 White bread, butter

Tables 1 and 2 above know that the attacker has purchased eggs and butter, and if he finds out that TID1 is John's purchase when searching the personal transaction database in Table 2, John will also have milk and bread. You can see that they were purchased together. It knows that there is a risk of information leakage in case of individual surrendering to purchase.

Therefore, the risk quality assessment indicator for transaction de-identification measures uses the personal redundancy (p-redundancy) model for these de-identified transaction data sets to determine the re-identification risk and individual estimation potential for the de-identified transaction data set. Measure and use.

Individual redundancy verification is verified through a set of frequent items based on individual redundancy. The process of obtaining a set of frequent items based on personal redundancy is similar to the Apriori method, but uses Personal Support, which is the total sum of individuals who have generated transactions in which the item appears, as the concept of support.

Table 3 below shows the personal purchase history table of Table 2.

USER_ID NAME ITEM SET UID1 John Milk, bread, butter, eggs, ramen UID2 Alice Milk, bread, eggs, coffee UID3 Bob Milk, butter

Table 4 below shows the support of Table 3 based on the number of individual duplicates, and shows all item sets, and shows the table based on the number of individual duplicates in the transaction table.

1-ITEM PS ITEM SET PS ITEM SET PS ITEM SET PS milk 3 Milk, eggs 2 Eggs, coffee One Milk, eggs and coffee One egg 2 Milk, butter 2 White bread, butter One Milk, butter, bread One butter 2 Milk, bread 2 Bread, coffee One Milk, eggs, butter, bread One bread 2 Milk, coffee One White bread, ramen One coffee One Eggs, butter One Milk, eggs, bread 2 Ramen One Egg, white bread 2 Milk, eggs and butter One

Referring to Table 4 above, the number of individual duplicates for the total surrender (set) can be checked through the number of individual duplicates as to how many individual transactions among a total of three customers (John, Alice, and Bob).

The non-identification risk quality evaluation index can use the records found in the personal redundancy verification using the generated personal redundancy-based frequent item set table and the corresponding non-identification transaction table.

Individual redundancy verification is divided into two indexes to be verified according to the individual redundancy model, that is, p value. When the p value is 1, the risk of re-identification is indicated, and when the p value is 2 or more, the possibility of personal estimation is calculated. Personal redundancy verification is performed after creating a table based on personal redundancy for non-identifying transactions. The personal redundancy p value is defined as the minimum personal support, and the number of transaction records having an item set that does not exceed the personal minimum support is calculated.

The ratio of the risk of re-identification and the likelihood of individual estimation is calculated as a comparison of the size of the entire data set in order to use it as a standard measurement method, so that the size of the risk of re-identification and the likelihood of individual estimation is always between [0,1].

Hereinafter, a description will be given of using the re-identification risk and the individual presumable risk as non-identification risk quality indicators. 2 is a flow chart of a non-identifying risk quality indicator.

Individual redundancy (p) can be used by specifying its value according to the nature of the data being analyzed, and the degree of de-identification increases as the p value increases, but if the p value is infinite, it will not be possible to distinguish all contents of the database. On the contrary, if the p value is 1, all values can be distinguished in the same form as in the existing database, so an appropriate value is set according to the nature of the analyzed data.

Individual redundancy verification is divided into when the value of the individual redundancy (p) is 1 or 2 or more, and when p=1, the risk of re-identification is calculated, and when p≥2, the individual estimation probability is calculated.

The 1-redundancy verification checks the transaction record that allows you to identify whether the transaction is of a specific individual because the items of the transaction occur only to a specific individual in the transaction record containing personal information. In other words, it verifies the transaction record in which the risk of re-identification exists. In the verification method, a value of p, which is the minimum personal support, is set to 1 and the number of transaction records having an item set that does not exceed the support is calculated.

Records identified in 1-redundancy verification can be defined as records at risk of re-identification because the combination of item sets is the only combination of values. In order to use the re-identification risk as a standard measurement method, the re-identification risk is defined as follows.

은 재식별 위험성이 있는 트랜잭션 레코드,

는 비식별 트랜잭션 전체 레코드를 의미하며, 재식별 위험도를 [0,1]로 상기 수학식 1로 정의할 수 있다. 이때, T는 검사 할 비식별 트랜잭션이다.Referring to Equation 1 above, when the individual redundancy is 1,

Is a transaction record at risk of re-identification,

Denotes an entire record of non-identification transactions, and may be defined as Equation 1 as the risk of re-identification as [0,1]. At this time, T is the non-identifying transaction to be checked.

When the individual redundancy (p) is 2 or more, the transaction data verified in p-redundancy does not have a unique item set for all item sets, so data that can identify a specific individual through items containing personal information exist. I never do that. Although it is not possible to re-identify a specific individual, the possibility of estimating a specific individual can be evaluated when verifying with an individual redundancy value of 2 or more.

Table 5 below is a non-identified transaction database in which generalization measures were taken using the item hierarchy of Table 2, the original transaction database, and Table 2 shows the de-identified transaction table.

TRANSACTION USER_ID ITEMS TID1 UID1 Milk, eggs, bread TID2 UID2 Milk, eggs, bread TID3 UID3 Egg, white bread TID4 UID1 Milk, eggs TID5 UID2 Bread, food TID6 UID1 Bread, food

In all of the above-described transactions in Table 5, there are no records found in 1-redundancy verification. However, when performing 2-redundancy verification, 4 records (TID1, TID2, TID5, TID6) are found. This means that only (TID1, UID1) and (TID2, UID2) are the transaction data with the item set of <Milk, Egg, Bread>, and the transaction data with the item set of <Bread, Food> is (TID5, UID2) and ( TID6, UID1).

In the case of TID3, there are (TID1, UID1) and (TID2, UID2) records with a set of dissolution items <egg, bread>, and since the number of individual duplicates is 3, it is not found. As such, it can be seen that the records that are not at risk of re-identification, but are found in the verification of individual redundancy with a low p value, are records with a high probability of estimating a specific individual.

만큼의 개인 추정 가능성을 갖는다.Therefore, the possibility of personal estimation is the probability of estimating a specific individual, and if verification is performed by verifying individual redundancy, the same items appear in at least p different transactions in the transaction database.

It has as many personal estimates as possible.

는 개인 추정 가능성이 있는 트랜잭션 레코드,

비식별 트랜잭션 전체 레코드를 의미하며, 개인 추정 가능성 위험도를 [0,1]로 수학식 2를 정의한다. 이때, T는 검사 할 비식별 트랜잭션이다.Referring to Equation 2 above, the individual redundancy is p,

Is a transaction record with potential personal estimation,

It means the entire record of the non-identifying transaction, and Equation 2 is defined as [0,1] as the risk of personal estimation. At this time, T is the non-identifying transaction to be checked.

만큼의 데이터가

확률로 개인 추정 가능성 위험이 존재한다고 할 수 있다.Therefore, if the individual estimation probability in Table 5 is calculated using Equation 2 above, when the 2-redundancy verification is performed, the entire transaction database

As much data as

It can be said that there is an individual presumable possibility risk by probability.

As a verification method for the non-identification model, the risk of re-identification and the likelihood of individual estimation may be indicators of the risk quality for the distribution of records. Contrary to the risk quality index for distribution, the original similarity is a utilization quality index that numerically measures the statistical similarity of the difference between the original record set and the result record set. That is, the utility of the generated data is quantitatively evaluated. The original similarity measurement can be used as a general quality index that can be quantitatively evaluated by making the size always have a value between [0,1].

The utilization quality index is divided into two, and the original similarity is calculated and evaluated. The first is the residual rate, which evaluates the usability of distribution data that has been de-identified by analyzing the ratio of data deleted in the process of de-identification as an indicator, and the second is the item-based original similarity.

Hereinafter, a process of forming non-identifying data by removing a record violating the corresponding non-identifying privacy model will be described. 3 is a flowchart showing the similarity of the original residual ratio.

Retention rate removes records that violate the de-identification process during the de-identification conversion process, and thus retains fewer result records than the original number of records. As the number of records removed in this way decreases the utilization of the data set, the residual ratio is defined as the ratio of the number of resulting records to the number of original records and evaluated as an indicator of data utilization. 3 is a diagram for explanation of calculating a residual rate as an original similarity.

Referring to Equation 3 above, the residual rate for the transaction data set T can be obtained by dividing the number of non-identified records by the number of original records. The persistence rate increases as the number of unidentified records increases, and the residual rate increases as fewer records violating the de-identification process are removed. Therefore, the greater the survival rate, the greater the usability of the data set.

Hereinafter, a processor that obtains the item-based original similarity for the entire unidentified transaction data will be described, defining the item similarity for each 1-item of the transaction record, and finally, the original similarity of the entire transaction data set. Explain. 4 shows a flowchart of the item-based original similarity.

As shown in the item-based original similarity flow chart, the item-based original similarity calculation defines the item similarity for each 1-item in the transaction record, and based on this, the total size of the item corresponding to the transaction record is given a weight for each item. Define the original similarity to the record. After that, all transaction record similarity values are averaged to define the original similarity value of the entire unidentified transaction data set.

The original similarity of the transaction data is obtained by comparing the original similarity of each item with the original data set because the transaction data is displayed in the form of an item set.

The data composing an item contains hierarchical information about the item, and this hierarchical information is information used when de-identification of transaction data is performed. By linking individual records to identity information, generalization is performed using hierarchical information about items that are at risk of invading personal information. Generalization means that values are mapped from the initial domain to other domains so that different values of the initial domain are mapped to a single value of the target domain. The amount of information loss is calculated by calculating how much generalization has been made.

= n,

는 I 집합의 전체 원소 개수) 1-항목으로 이루어진 원본 트랜잭션을 T = {t1,t2....,tt}, 비식별이 이루어진 트랜잭션을 P = {p1, p2,....,pk}, 비식별이 이루어진 트랜잭션의 항목(

)은 각 트랜잭션마다 일대일로 대응된다.1-item is a unit that composes transaction data, and 1-item set I = {i1,i2....,ii} can be defined as the domain of the entire transaction. (

= n,

Is the total number of elements in the set of I) T = {t1,t2....,tt} for the original transaction consisting of 1-item, and P = {p1, p2,....,pk} for the transaction with de-identification. , The item of the transaction in which de-identification was made (

) Is a one-to-one correspondence for each transaction.

When comparing with the original for a generalized 1-item for which de-identification measures were taken, a neighboring parent node is defined to quantitatively calculate the difference from the original. For example, a1,....,al is an ancestor node, and u has no child nodes other than the child nodes of a1,....,al. At this time, u is said to be the adjacent upper node of a1,....,al. In the hierarchical information tree, the neighboring higher node is called a neighboring higher node to S having only the incident ear nodes a1,a2....,al as child nodes.

= 입사귀 노드 a1,....,al의 총 개수 = l) 원본 트랜잭션 항목(

)의 근접 상위 항목을 ux 로 표현하면 두 가지 경우로 나누어 1-항목 원본 유사도를 계산할 수 있다.Nodes in proximity can be calculated using 1-item similarity.

= Total number of incoming ear nodes a1,....,al = l) Original transaction item (

If we express the close parent item of) as ux, we can calculate the 1-item original similarity by dividing it into two cases.

Hereinafter, table 2 describes hierarchical information on items constituting a transaction that is not identified in Table 5. 5 is a diagram illustrating item hierarchy information in Table 2.

First, when the original similarity is 0, generalization of the de-identified yellow tree occurs up to the highest layer node (root node) of the layer information, and all the information is lost, which can be described with FIG. 5.

As shown in Figs. 5 and 2 and 5,'butter', which is an item of (TID1, UID1), has been generalized to'*', which is a root node. This is because transaction TID1 is not satisfied with the de-identification action, so the generalization of the item'butter' should take place. Even if it is generalized to the item'meat', which is the adjacent upper node of the item'butter', the de-identification action is not satisfied. In the same way, even if it generalizes to the neighboring upper node of'meat' and generalizes to'food', it is not satisfied with the de-identification measure, so it is finally generalized to'*', the highest level node. When the generalization of an item is made up to the highest level node (*) of the hierarchical information, this item is pruning, and the non-identifying transaction of TID1 becomes {milk, egg, bread}. This is because all information on the item is lost, so the original similarity to the item'butter' of TID1 is calculated as 0.

Pruning can reduce the search space by deciding whether part of a rule can be truncated or ignored.

Among the items {Milk, Eggs, Coffee} of TID3, 1-item'coffee' was generalized to the neighboring upper node in the same way as above, but all higher-level items were not satisfied with the de-identification action, and finally generalized to the highest-tier node. And Pruning to make the original similarity 0.

가 최고 계층 항목이 아닌 근접 상위 항목인 ux 보다 더 상위 항목으로 일반화 된 경우에 대한 원본 유사도 계산 방식이다. '간식'은 항목 '라면'의 근접 상위 노드이므로 '간식'의 크기를 1이라 할 수 있다. 최종적으로 '간식'에서 '음식'으로 일반화가 되었기 때문에 '음식'의 크기를 계산해야 한다. '음식'의 크기는 4로 계산하는데 이는 '음식'이 1-항목 {계란, 버터, 식빵, 라면}을 자식 입사귀 노드로 갖기 때문이다.Second, when calculating the original similarity by using the size of the neighboring upper node, one-item'Ramen' of the item set {bread, ramen} of TID5 is generalized to'food'. This is the original transaction 1-item

This is the original similarity calculation method for the case where is generalized to an item higher than ux, which is the closest higher item, not the highest level item. Since'snack' is a node adjacent to the item'Ramen', the size of'snack' can be said to be 1. Finally, since it has been generalized from'snack'to'food', the size of'food' must be calculated. The size of'food' is calculated as 4, because'food' has 1-item {eggs, butter, bread, ramen} as child entrance ear nodes.

The 1-item original similarity is calculated as compared to the size of the entire item domain, and the range always has a value between [0,1]. The original similarity when the item is generalized is calculated based on the original similarity 1 when generalization has not occurred, and how many items have been generalized relative to the item domain size, resulting in loss of information.

= 6)를 분모로 항목 '간식'의 근접 상위 노드의 크기(

= 4)를 분자로 계산하여 총

만큼의 정보의 손실이 일어났다고 계산을 하여 트랜잭션 TID5의 (라면 -> 음식) 원본 유사도는 1-

=

로 계산할 수 있다. 같은 방식으로 트랜잭션 TID6 (버터 -> 음식) 원본 유사도는 (라면 -> 음식)과 같이 1-

=

로 계산할 수 있다.Therefore, the original similarity of (Ramen -> Food) is the size of the domain of the entire item (

= 6) as the denominator, the size of the adjacent parent node of the item'snack' (

= 4) to calculate the total

The similarity of the original (Ramen -> Food) in transaction TID5 is 1-

=

Can be calculated as In the same way, transaction TID6 (butter -> food) original similarity is 1-

=

Can be calculated as

Tables 6 and 7 below show examples in which generalization has occurred with close-up items of different sizes. Table 6 shows the original transaction table 2 for each individual, and Table 7 shows the de-identified transaction table in Table 6.

TRANSACTION USER_ID ITEMS TID1 UID1 Milk, eggs, butter, bread TID2 UID2 Milk, eggs, bread TID3 UID3 Eggs, milk TID4 UID1 Milk, eggs and coffee TID5 UID2 White bread, ramen TID6 UID1 White bread, butter

TRANSACTION USER_ID ITEMS TID1 UID1 Milk, eggs, bread TID2 UID2 Milk, eggs, bread TID3 UID3 Eggs, drinks TID4 UID1 Milk, eggs TID5 UID2 Bread, food TID6 UID1 Bread, food

According to Tables 6 and 7 described above, TID3 and TID4 are generalized to'food', which is a two-level higher level item in which each 1-item {milk, coffee} is the same, resulting in a transaction satisfying the de-identification measure. Each item {ramen, butter} of TID5 and TID6 was generalized to'food', which is the same two-level higher item, and became a non-identifying transaction.

= 6)를 분모로 항목 '우유'의 두 단계 상위 노드의 크기(

= 2)를 분자로 계산하여 총

만큼의 정보의 손실이 일어났다고 계산을 하여 TID3의 항목 (우유 -> 음료) 원본 유사도는 1-

=

로 계산할 수 있다. 반면 TID5의 항목 (라면 -> 음식)에 대한 원본 유사도는 상술하듯이 1-

=

가 나온다.When calculating the original similarity for the item'milk' of TID3, the size of the entire domain of the item (

= 6) as the denominator, the size of the two-level upper node of the item'milk' (

= 2) to the numerator

Calculate that there was a loss of information as much as that, and the similarity of the original item (milk -> beverage) of TID3 is 1-

=

Can be calculated as On the other hand, the original similarity to the item (Ramen -> Food) of TID5 is 1-

=

Comes out.

Even if each 1-item having different adjacent upper nodes is generalized by the same step size, if the sizes of the adjacent higher nodes are different, the information loss of 1-item is calculated differently as a result of conversion.

Therefore, when the method of calculating the original similarity is summarized, the calculation of the 1-item original similarity is calculated by calculating the number of child leaf nodes compared to the domain size of the entire item to determine how generalized the item has caused information loss. It is calculated using the loss is inversely proportional. This is defined as the original similarity (SIMitem) and is defined as follows.

Referring to Equation 4 above, 1-item similarity is calculated by calculating how much information was lost while 1-item of the original went through a de-identification process, and 1-item similarity was calculated using an inverse proportion to the amount of information loss. Measure the similarity to the original.

In the following, the transaction record source similarity means the similarity between a specific original record and a pair of non-identifying transaction records, and the similarity to the original item for each item of the non-identifying transaction record is calculated, and calculated based on the value. do. Each item corresponding to a transaction has the same weight. 6 is a flowchart of the similarity of the original transaction.

의 가중치를 갖게 된다. 각 항목의 동일한 가중치와 수학식 5를 이용하여 1-항목 유사도를 곱한 값을 각 항목 당 해당 트랜잭션 항목 집합에서 영향을 준 지표로 계산하여 그 합을 해당 트랜잭션 레코드의 원본 유사도로 계산한다.For example, if the item set of the ith transaction Ti is {a, b, c, d, e, f}, each item is

Will have a weight of The same weight of each item is multiplied by 1-item similarity using Equation (5), and the sum is calculated as an index affected by the corresponding transaction item set for each item, and the sum is calculated as the original similarity of the corresponding transaction record.

이다. 그러므로 트랜잭션(TID4, UID1)의 레코드 원본 유사도는

(1+1+

) =

의 값을 갖는다. 위의 계산 방식에 따라서 트랜잭션 레코드 원본 유사도는 아래 수학식 5와 같이 나타낼 수 있다.When calculating the original similarity of transactions (TID4, UID1) based on Tables 6 and 7, each item has the same weight as 3 (milk, egg, coffee), the size of the item set of the transaction. The item'milk, egg' is not generalized and the original is maintained, so that the value of 1-item original similarity is 1, and in the case of item'coffee', the value of original similarity is generalized to'beverage', the parent item.

to be. Therefore, the record source similarity of transaction (TID4, UID1) is

(1+1+

) =

Has the value of According to the above calculation method, the similarity of the original transaction record can be expressed as Equation 5 below.

Referring to Equation 5 above, I is the entire domain, and T is the size of a transaction item set. Equation 5 is an equation obtained by adding all the original similarity values of the items by applying the same weight to the 1-item original similarity.

In conclusion, the original similarity of the entire non-identification transaction table means the similarity between the original record set and the non-identification result record set. For each record in the non-identification result record set, record similarity with the original record is calculated, and its value Is calculated within the average. The resulting value is used as an indicator of statistical similarity and usability quality for non-identifying measures.

7 is a flowchart illustrating a method of measuring quality of non-identifying personal information data according to another embodiment of the present invention. The method of measuring the quality of the non-identified personal information data may be performed by a computing device, and a detailed description of the operation performed by the apparatus for measuring the quality of the non-identified personal information will be omitted.

In step S710, the computing device uses a personal redundancy model, which is a model that verifies whether a specific individual cannot be identified when the same item sets appear in at least different transactions in a transaction database containing personal information for a plurality of individuals. To verify the re-identification.

In step S710, the personal redundancy number, which is the total number of individuals who have generated the transaction in which the items of personal information appear, is used as a concept of support, finds a set of frequent items based on individual redundancy, creates a table based on personal redundancy, and creates a personal redundancy. Based on the degree-based table, personal redundancy is verified according to the individual redundancy model.

Calculation of records found in personal redundancy verification is expressed in pseudocode as follows.

for each item set in in T

RC.count ← 0

if(for all record of PFI.ps p)

for n=0; n<T.item.size; n++ do

PFI of the record thenif in

PFI of the record then

end if

PFI of the record thenif in

PFI of the record then

RC.count++ // Uniqueness record count

end if

end for

return RC.count

In the personal redundancy verification algorithm, T is the check transaction table, PFI is the personal redundancy-based frequent item set table, and p is the minimum individual support. In the personal redundancy verification algorithm, T, PFI, and p are input, and a p-redundancy verification record count (RC) is output.

In the personal redundancy verification, if the individual redundancy model is 1, the individual minimum support is set to 1, and the re-identification risk is calculated based on the record with the risk of re-identification having an item set that does not exceed the individual minimum support. If the model is 2 or more, the probability of estimating a specific individual is evaluated as a probability, and the individual estimating probability is calculated through the individual estimating probability risk according to the transaction database.

In step S720, the computing device measures the original similarity by using a utilization quality index that numerically measures the statistical similarity between the original record and the non-identified record.

Original similarity evaluates the degree of similarity between the original transaction data and the de-identified transaction data. If the original similarity is very similar, there is a problem that information of a specific individual is re-identified, and if the original similarity is too different, there is a problem of using data with poor statistical similarity.

In the step (S720) of measuring whether or not there is an original similarity using the utilization quality indicator, the number of the non-identifying records less than the number of the original data is removed by removing records that violate the non-identification processing in the process of converting the original data into non-identifying data. And the number of non-identified records and the number of original records are used to calculate the residual ratio.

In addition, in the step of measuring whether or not there is an original similarity using the utilization quality index (S720), a 1-item original similarity is formed for each item of the transaction record, and the original similarity for each item is compared with the original data set to record the transaction. Calculate the original similarity of The 1-item original similarity is calculated as the number of child nodes representing the item hierarchy information to the domain size of the entire item, and the original similarity and information loss are inversely proportional.

The original similarity of the transaction record is calculated by assigning a weight to the 1-item original similarity of each item corresponding to the transaction as the total size of the items. The original similarity of the transaction record represents the similarity between the original record set and the non-identified result record set, calculates the similarity with the original record for each record of the non-identified result record set, and averages the similarity to calculate the result similarity. , The result similarity is used as an indicator of statistical similarity and utilization quality for non-identifying measures.

In FIG. 7, it is interposed that each process is sequentially executed, but this is merely an example, and if a person skilled in the field is concerned, the order shown in FIG. 7 is changed and executed without departing from the essential characteristics of the embodiment of the present invention. Or, by executing one or more processes in parallel, or adding other processes, various modifications and variations may be applied.

8 is a block diagram illustrating and describing a computing environment including a computing device suitable for use in example embodiments. In the illustrated embodiment, each component may have different functions and capabilities in addition to those described below, and may include additional components in addition to those not described below.

The illustrated computing environment includes an apparatus 10 for measuring the quality of personal information non-identifying data. In an embodiment, the apparatus 10 for measuring the quality of personal information non-identifying data may be any type of computing device that transmits and receives signals to and from other terminals.

The apparatus 10 for measuring the quality of personal information non-identifying data includes at least one processor 810, a computer-readable storage medium 820, and a communication bus 860. The processor 810 may cause the apparatus 10 for measuring the quality of personal information non-identifying data to operate according to the aforementioned exemplary embodiment. For example, the processor 810 may execute one or more programs stored in the computer-readable storage medium 820. The one or more programs may include one or more computer-executable instructions, and when the computer-executable instructions are executed by the processor 810, the apparatus 10 for measuring the quality of personal information non-identifying data may be used as an exemplary embodiment. It may be configured to perform operations according to.

Computer-readable storage medium 820 is configured to store computer-executable instructions or program code, program data, and/or other suitable form of information. The program 830 stored in the computer-readable storage medium 820 includes a set of instructions executable by the processor 810. In one embodiment, the computer-readable storage medium 820 includes memory (volatile memory such as random access memory, nonvolatile memory, or a suitable combination thereof), one or more magnetic disk storage devices, optical disk storage devices, It may be flash memory devices, other types of storage media that can be accessed by the quality measurement apparatus 10 of personal information non-identifying data and store desired information, or a suitable combination thereof.

The communication bus 860 interconnects various other components of the apparatus 10 for measuring the quality of personal information non-identifying data, including a processor 810 and a computer-readable storage medium 820.

The apparatus 10 for measuring quality of personal information non-identifying data may also include one or more input/output interfaces 840 and one or more communication interfaces 850 that provide an interface for one or more input/output devices (not shown). The input/output interface 840 and the communication interface 850 are connected to the communication bus 860. The input/output device (not shown) may be connected to other components of the apparatus 10 for measuring the quality of non-identifying data of personal information through the input/output interface 840. Exemplary input/output devices include pointing devices (mouse or trackpad, etc.), keyboards, touch input devices (touch pads or touch screens, etc.), voice or sound input devices, input devices such as various types of sensor devices and/or photographing devices, And/or an output device such as a display device, a printer, a speaker, and/or a network card. An exemplary input/output device (not shown) is a component constituting the device 10 for measuring the quality of non-identifying personal information, and may be included in the device 10 for measuring the quality of non-identified personal information, or non-identifying personal information. It may be connected to the computing device as a separate device different from the data quality measuring apparatus 10.

The operations according to the embodiments may be implemented in the form of program instructions that can be executed through various computer means and recorded in a computer-readable medium. Computer-readable medium refers to any medium that has participated in providing instructions to a processor for execution. The computer-readable medium may include program instructions, data files, data structures, or a combination thereof. For example, there may be a magnetic medium, an optical recording medium, a memory, and the like. Computer programs may be distributed over networked computer systems to store and execute computer-readable codes in a distributed manner. Functional programs, codes, and code segments for implementing the present embodiment may be easily inferred by programmers in the technical field to which the present embodiment belongs.

The present embodiments are for explaining the technical idea of the present embodiment, and the scope of the technical idea of the present embodiment is not limited by these embodiments. The scope of protection of this embodiment should be interpreted by the following claims, and all technical ideas within the scope equivalent thereto should be construed as being included in the scope of the present embodiment.

10: Personal information non-identification quality measuring device
100: re-identification verification unit
200: original similarity measurement unit

Claims (14)

In the method of measuring the quality of personal information non-identifying data by a computing device,
The step of verifying the risk of re-identification using the personal redundancy model, a model that verifies whether a specific individual is identified when the same set of items appears in at least different transactions in a transaction database containing personal information for a plurality of individuals. ; And
Including the step of measuring the original similarity using a utilization quality index that numerically measured the statistical similarity of the difference between the original record and the non-identified record,
The step of measuring the original similarity using the utilization quality indicator is to form a 1-item original similarity for each item of the transaction record, and calculate the original similarity of the transaction record by comparing the original similarity and the original data set for each item. Including the step of,
The 1-item original similarity is calculated as the number of child nodes representing item hierarchy information relative to the domain size of the entire item, and the original similarity and information loss are inversely proportional to the quality of personal information non-identifying data. The method of claim 1,
Verifying the risk of re-identification using the personal redundancy model,
Generating an individual redundancy-based table by finding a set of frequent items based on individual redundancy by using the number of individual redundancy, which is the total number of individuals who generated the transaction in which the items of personal information appear, as a concept of support; And
And verifying an individual redundancy according to the individual redundancy model based on the individual redundancy-based table. The method of claim 2,
The step of verifying the degree of personal redundancy,
When the individual redundancy model is 1, calculating a re-identification risk based on a record having a re-identification risk having an item set that does not exceed the individual minimum support level with the minimum individual support level as 1; And
When the personal redundancy model is 2 or more, the quality of personal information non-identifying data further comprising the step of calculating a personal estimation possibility through the personal estimation possibility risk according to the transaction database by evaluating a probability of estimating a specific individual How to measure. The method of claim 1,
The step of measuring the original similarity using the utilization quality index,
In the process of converting original data to non-identifying data, records that violate the de-identification process are removed to form the number of non-identified records less than the number of the original data, and the number of the non-identified records and the number of the original records are determined. Method for measuring the quality of personal information non-identifying data, including the step of calculating a residual rate by using. delete delete The method of claim 1,
The quality of personal information non-identifying data, characterized in that the original similarity of the transaction record is calculated by assigning the weight to the 1-item original similarity of each item corresponding to the transaction as the total size of the items. How to measure. The method of claim 7,
The original similarity of the transaction record represents the similarity between the original record set and the non-identification result record set, calculates the similarity with the original record for each record of the non-identification result record set, and averages the similarity. Calculate the similarity,
The result similarity is used as the statistical similarity to the non-identification measure and the utilization quality index. Re-identification risk is verified using the personal redundancy model, a model that verifies whether a specific individual is identified when the same set of items appears in at least different transactions in a transaction database containing personal information about multiple individuals. Identification verification unit; And
Including an original similarity measurement unit that measures the original similarity using a utilization quality index that numerically measures the statistical similarity of the difference between the original record and the non-identified record,
The original similarity measurement unit includes an original similarity calculator configured to form a 1-item original similarity for each item of the transaction record, and calculate the original similarity of the transaction record by comparing the original similarity and the original data set for each item,
The 1-item original similarity is calculated by the number of child nodes representing the item hierarchy information relative to the domain size of the entire item, and the original similarity and information loss are inversely proportional to the quality measuring apparatus of personal information non-identifying data. The method of claim 9,
The original similarity measurement unit,
In the process of converting original data to non-identifying data, records that violate the de-identification process are removed to form the number of non-identified records less than the number of the original data, and the number of the non-identified records and the number of the original records are determined. An apparatus for measuring quality of non-identifying personal information, including a residual rate calculation unit that calculates a residual rate by using. delete delete The method of claim 9,
The quality of personal information non-identifying data, characterized in that the original similarity of the transaction record is calculated by assigning the weight to the 1-item original similarity of each item corresponding to the transaction as the total size of the items. Measuring device. The method of claim 9,
The original similarity of the transaction record represents the similarity between the original record set and the non-identification result record set, calculates the similarity with the original record for each record of the non-identification result record set, and averages the similarity. Calculate the similarity,
The resultant similarity is used as a statistical similarity to non-identifying measures and a usability quality index.

Images