WO2015026384A1 - Method and apparatus for utility-aware privacy preserving mapping against inference attacks - Google Patents


Info

Publication number
WO2015026384A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
category
privacy
privacy preserving
released
Application number
PCT/US2013/071284
Other languages
English (en)
Inventor
Nadia FAWAZ
Abbasali Makhdoumi KAKHAKI
Original Assignee
Thomson Licensing
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-08-20
Filing date
2013-11-21
Publication date
2015-02-26
Application filed by Thomson Licensing
Priority to EP13803358.4A (EP3036677A1)
Priority to US14/912,639 (US20160203333A1)
Publication of WO2015026384A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • G06F 21/6245 Protecting personal data, e.g. for financial or medical purposes

Definitions

  • This invention relates to a method and an apparatus for preserving privacy, and more particularly, to a method and an apparatus for generating a privacy preserving mapping mechanism without full knowledge of the joint distribution of the private data and the public data to be released.
  • The service, or other benefit, that the user derives from allowing access to the user's data is referred to as utility.
  • Privacy risks arise because some of the collected data may be deemed sensitive by the user, e.g., political opinion, health status, income level, or may seem harmless at first sight, e.g., product ratings, yet lead to the inference of more sensitive data with which it is correlated.
  • The latter threat is an inference attack: a technique for inferring private data by exploiting its correlation with publicly released data.
  • The present principles provide a method for processing user data for a user, comprising the steps of: accessing the user data, which includes private data and public data, the private data corresponding to a first category of data and the public data corresponding to a second category of data; decoupling the dependencies between the first category of data and the second category of data from the dependencies between the second category of data and the released data; determining a privacy preserving mapping that maps the second category of data to the released data, responsive to the dependencies between the second category of data and the released data; modifying the public data for the user based on the privacy preserving mapping; and releasing the modified data to at least one of a service provider and a data collecting agency, as described below.
  • The present principles also provide an apparatus for performing these steps.
  • The present principles also provide a method for processing user data for a user, comprising the steps of: accessing the user data, which includes private data and public data, the private data corresponding to a first category of data and the public data corresponding to a second category of data; determining the dependencies between the first category of data and the second category of data responsive to the mutual information between the first category of data and the second category of data; decoupling the dependencies between the first category of data and the second category of data from the dependencies between the second category of data and the released data; determining a privacy preserving mapping that maps the second category of data to the released data, responsive to the dependencies between the second category of data and the released data, based on maximal correlation techniques; modifying the public data for the user based on the privacy preserving mapping; and releasing the modified data to at least one of a service provider and a data collecting agency, as described below.
  • The present principles also provide an apparatus for performing these steps.
  • The present principles also provide a computer readable storage medium having stored thereon instructions for processing user data for a user according to the methods described above.
  • FIG. 1 is a flow diagram depicting an exemplary method for preserving privacy, in accordance with an embodiment of the present principles.
  • FIG. 2 is a flow diagram depicting an exemplary method for preserving privacy when the joint distribution between the private data and public data is known, in accordance with an embodiment of the present principles.
  • FIG. 3 is a flow diagram depicting an exemplary method for preserving privacy when the joint distribution between the private data and public data is unknown and the marginal probability measure of the public data is also unknown, in accordance with an embodiment of the present principles.
  • FIG. 4 is a flow diagram depicting an exemplary method for preserving privacy when the joint distribution between the private data and public data is unknown but the marginal probability measure of the public data is known, in accordance with an embodiment of the present principles.
  • FIG. 5 is a block diagram depicting an exemplary privacy agent, in accordance with an embodiment of the present principles.
  • FIG. 6 is a block diagram depicting an exemplary system that has multiple privacy agents, in accordance with an embodiment of the present principles.
  • FIG. 7 is a pictorial example illustrating different privacy metrics, in accordance with an embodiment of the present principles.
  • Differential privacy: in the database and cryptography literatures from which differential privacy arose, the focus has been algorithmic. In particular, researchers have used differential privacy to design privacy preserving mechanisms for inference algorithms, transporting, and querying data. More recent works have focused on the relation of differential privacy to statistical inference; it has been shown that differential privacy does not guarantee limited information leakage. Other frameworks similar to differential privacy exist, such as the Pufferfish framework of D. Kifer and A. Machanavajjhala, "A rigorous and customizable framework for privacy," ACM PODS, 2012, which however does not focus on utility preservation.
  • The term "analyst", which may for example be part of a service provider's system, refers in the present application to a receiver of the released data, who ostensibly uses the data in order to provide utility to the user. Often the analyst is a legitimate receiver of the released data. However, an analyst could also illegitimately exploit the released data and infer information about the private data of the user. This creates a tension between privacy and utility requirements. To reduce the inference threat while maintaining utility, the user may release a "distorted version" of the data, generated according to a conditional probabilistic mapping, called a "privacy preserving mapping," designed under a utility constraint.
  • We refer to the data that a user would like to remain private as "private data," the data the user is willing to release as "public data," and the data the user actually releases as "released data."
  • For example, a user may want to keep his political opinion private, and is willing to release his TV ratings with modification (for example, the user's actual rating of a program is 4, but he releases the rating as 3).
  • In this case, the user's political opinion is considered to be private data for this user, the TV ratings are considered to be public data, and the released, modified TV ratings are considered to be the released data.
  • Another user may be willing to release both political opinion and TV ratings without modification; for this other user there is no distinction between private data, public data and released data when only political opinion and TV ratings are considered.
  • Private data refers to data that the user not only indicates should not be publicly released, but also does not want to be inferred from other data that he would release.
  • Public data is data that the user would allow the privacy agent to release, possibly in a distorted way, to prevent the inference of the private data.
  • In one embodiment, public data is the data that the service provider requests from the user in order to provide him with the service. The user, however, will distort (i.e., modify) it before releasing it to the service provider.
  • In another embodiment, public data is the data that the user indicates as being "public" in the sense that he would not mind releasing it, as long as the release takes a form that protects against inference of the private data.
  • Whether a specific category of data is considered private data or public data depends on the point of view of a specific user. For ease of notation, we call a specific category of data private data or public data from the perspective of the current user. For example, when designing a privacy preserving mapping for a current user who wants to keep his political opinion private, we call political opinion private data both for the current user and for another user who is willing to release his political opinion.
  • Finding the privacy preserving mapping relies on the fundamental assumption that the prior joint distribution linking the private data and the public data to be released is known and can be provided as an input to the optimization problem.
  • In practice, the true prior distribution may not be known; rather, some prior statistics may be estimated from a set of sample data that can be observed.
  • For example, the prior joint distribution could be estimated from a set of users who do not have privacy concerns and publicly release different categories of data, which may be considered private or public data by the users who are concerned about their privacy.
  • Alternatively, the marginal distribution of the public data to be released, or simply its second order statistics, may be estimated from a set of users who only release their public data.
  • The statistics estimated from this set of samples are then used to design the privacy preserving mapping mechanism that will be applied to new users who are concerned about their privacy.
  • There may also exist a mismatch between the estimated prior statistics and the true prior statistics, due for example to a small number of observable samples or to the incompleteness of the observable data.
  • The present principles propose methods to design utility-aware privacy preserving mapping mechanisms when only partial statistical knowledge of the prior is available.
  • The public data is denoted by a random variable $X \in \mathcal{X}$ with probability distribution $P_X$.
  • $X$ is correlated with the private data, denoted by the random variable $S \in \mathcal{S}$.
  • The correlation of $S$ and $X$ is defined by the joint distribution $P_{S,X}$.
  • The released data, denoted by the random variable $Y \in \mathcal{Y}$, is a distorted version of $X$.
  • $Y$ is obtained by passing $X$ through a kernel, $P_{Y|X}$.
  • The term "kernel" refers to a conditional probability that maps data $X$ to data $Y$ probabilistically. That is, the kernel $P_{Y|X}$ is the privacy preserving mapping that we wish to design.
  • $D(\cdot)$ is the K-L divergence.
  • $E(\cdot)$ is the expectation of a random variable.
  • $H(\cdot)$ is the entropy.
  • $\varepsilon \in [0,1]$ is called the leakage factor.
  • $I(S;Y)$ represents the information leakage.
  • A privacy preserving mapping is characterized by its leakage factor, $\varepsilon$, and its distortion level, $D$.
  • Our objective is to limit the amount of private information that can be inferred, given a utility constraint.
  • The objective can be mathematically formulated as finding the probability mapping $P_{Y|X}$ that minimizes the maximum information leakage $I(S;Y)$ given a distortion constraint, where the maximum is taken over the uncertainty in the statistical knowledge of the distribution $P_{S,X}$ available at the privacy agent.
  • Problems (1) to (3) describe settings with increasing uncertainty, that is, decreasing knowledge, about the joint statistics of $S$ and $X$. It should be noted that the amount of statistical knowledge available about $S$ and $X$ affects the amount of distortion required to meet a certain level of privacy (for example, a target leakage factor). More precisely, in any of the three problems above the same range of leakage factors can be achieved; however, for a given leakage factor, mappings obtained by solving problems with less statistical knowledge may lead to higher distortion.
  • Equivalently, for a given distortion level, mappings obtained in settings with less statistical knowledge may have a higher leakage factor.
  • The more knowledge about the joint statistics of $S$ and $X$ is available, the better the privacy-accuracy tradeoff that can be achieved.
  • The optimum privacy preserving mapping is characterized as the kernel achieving the minimum objective of Eq. (2). That minimum is a function of the distortion level $D$: the smallest leakage achievable at that distortion.
  • A privacy preserving mapping is called $(\varepsilon, D)$-divergence-distortion private if its leakage factor and expected distortion are not greater than $\varepsilon$ and $D$, respectively.
  • Theorem 1 decouples the dependency of $Y$ and $S$ into two terms, one relating $S$ and $X$, and one relating $X$ and $Y$. Thus, one can upper bound the information leakage even without knowing $P_{S,X}$, by minimizing the term relating $X$ and $Y$. The application of this result to our problem is described in the following.
  • Maximal correlation is a measure of correlation between two random variables, with applications both in information theory and computer science.
  • A property of maximal correlation gives its relation with $S^*(X;Y)$.
  • In the binary example, $(1 - 2D)^2$ is the injected privacy term obtained by the kernel $P_{Y|X}$, and $1 - h(p)$, with $h(\cdot)$ the binary entropy function, is the intrinsic information/privacy term, quantifying the relation between $X$ and $S$.
  • The case where the marginal distribution $P_X$ is known, but not the joint distribution $P_{S,X}$.
  • Theorem 2 shows that the optimization problem (13) can be rewritten in an equivalent form.
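The binary example above (uniform $X$, $S = X \oplus \mathrm{Bern}(p)$, $Y = X \oplus \mathrm{Bern}(D)$) can be checked numerically. The following is an added example written for this page, not code from the patent or its inventors. It computes the actual leakage $I(S;Y)$, the intrinsic term $I(S;X) = 1 - h(p)$ and the injected term $(1-2D)^2 = \rho_m(X;Y)^2$, where the maximal correlation $\rho_m$ is obtained by power iteration on the deflated matrix $P(x,y)/\sqrt{P(x)P(y)}$ (the kind of computation Method 300 relies on), and verifies $I(S;Y) \le \rho_m(X;Y)^2 \, I(S;X)$ on a small grid of $(p, D)$. Function names, the test grid and the stdlib-only power iteration are the example's own choices. Caveat: the product bound $I(S;Y) \le S^*(X;Y)\,I(S;X)$ is stated with the hypercontractivity coefficient $S^*$, and in general $S^*(X;Y) \ge \rho_m(X;Y)^2$; substituting $\rho_m^2$ is justified here only because the two coincide for this binary symmetric kernel with uniform input, which is why the page can call $(1-2D)^2$ the injected term.

```python
"""Added example (not part of the patent): numerically checking the decoupling
bound I(S;Y) <= rho_m(X;Y)^2 * I(S;X) for the binary symmetric chain S - X - Y,
with rho_m computed by power iteration."""
from math import log2, sqrt
import random


def binary_entropy(q):
    """Binary entropy h(q) in bits, with h(0) = h(1) = 0."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * log2(q) - (1.0 - q) * log2(1.0 - q)


def marginals(joint):
    """Marginals of a joint distribution given as {(a, b): probability}."""
    pa, pb = {}, {}
    for (a, b), pr in joint.items():
        pa[a] = pa.get(a, 0.0) + pr
        pb[b] = pb.get(b, 0.0) + pr
    return pa, pb


def mutual_information(joint):
    """I(A;B) in bits for a joint table {(a, b): probability}."""
    pa, pb = marginals(joint)
    return sum(pr * log2(pr / (pa[a] * pb[b]))
               for (a, b), pr in joint.items() if pr > 0.0)


def maximal_correlation(joint, iters=200, seed=1):
    """Hirschfeld-Gebelein-Renyi maximal correlation rho_m(A;B).

    rho_m is the second largest singular value of B[a][b] = P(a,b)/sqrt(P(a)P(b)).
    The top singular pair of B is (sqrt(P_a), sqrt(P_b)) with singular value 1;
    it is deflated here, and power iteration on M^T M (M = deflated B) then
    converges to rho_m^2.
    """
    pa, pb = marginals(joint)
    rows, cols = sorted(pa), sorted(pb)
    M = [[joint.get((a, b), 0.0) / sqrt(pa[a] * pb[b]) - sqrt(pa[a] * pb[b])
          for b in cols] for a in rows]
    rng = random.Random(seed)
    v = [rng.random() for _ in cols]   # random start vector (almost surely not orthogonal to the answer)
    norm = 0.0
    for _ in range(iters):
        mv = [sum(M[i][j] * v[j] for j in range(len(cols))) for i in range(len(rows))]
        w = [sum(M[i][j] * mv[i] for i in range(len(rows))) for j in range(len(cols))]
        norm = sqrt(sum(x * x for x in w))
        if norm == 0.0:              # M is zero: A and B independent, rho_m = 0
            return 0.0
        v = [x / norm for x in w]
    # v is a unit vector here, so |M^T M v| has converged to rho_m^2
    return sqrt(norm)


def binary_chain(p, D):
    """X uniform, S = X xor Bern(p), Y = X xor Bern(D) (the BSC(D) kernel).
    Returns the joints P_{S,X}, P_{X,Y} and, via the Markov chain S - X - Y, P_{S,Y}."""
    def flip(u, v, q):
        return (1.0 - q) if u == v else q
    psx = {(s, x): 0.5 * flip(s, x, p) for s in (0, 1) for x in (0, 1)}
    pxy = {(x, y): 0.5 * flip(x, y, D) for x in (0, 1) for y in (0, 1)}
    psy = {(s, y): sum(psx[(s, x)] * flip(x, y, D) for x in (0, 1))
           for s in (0, 1) for y in (0, 1)}
    return psx, pxy, psy


def decoupling_terms(p, D):
    """Returns (I(S;Y), rho_m(X;Y)^2, I(S;X)): the actual leakage, the injected
    privacy term of the kernel, and the intrinsic term of the data."""
    psx, pxy, psy = binary_chain(p, D)
    return (mutual_information(psy),
            maximal_correlation(pxy) ** 2,
            mutual_information(psx))


if __name__ == "__main__":
    for p, D in [(0.1, 0.2), (0.3, 0.05), (0.05, 0.45)]:
        leak, injected, intrinsic = decoupling_terms(p, D)
        print(f"p={p} D={D}: I(S;Y)={leak:.4f} <= (1-2D)^2 * (1-h(p)) "
              f"= {injected:.4f} * {intrinsic:.4f} = {injected * intrinsic:.4f}")
```

The bound is loose for small $p$ and becomes tight as $p \to 1/2$, where both sides vanish at the same quadratic rate; the injected term depends on the kernel alone, which is exactly what lets a privacy agent without $P_{S,X}$ control the leakage by choosing $D$.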
  • FIG. 1 illustrates an exemplary method 100 for distorting public data to be released in order to preserve privacy, according to the present principles.
  • Method 100 starts at 105.
  • At step 110, it collects statistical information based on released data, for example, from users who are not concerned about the privacy of their public data or private data. We denote these users as "public users," and denote the users who wish to distort the public data to be released as "private users."
  • The statistics may be collected by crawling the web or accessing different databases, or may be provided by a data aggregator, for example, bluekai.com. Which statistical information can be gathered depends on what the public users release. For example, if the public users release both private data and public data, an estimate of the joint distribution $P_{S,X}$ can be obtained. In another example, if the public users only release public data, an estimate of the marginal probability measure $P_X$ can be obtained, but not the joint distribution $P_{S,X}$. In another example, we may only be able to get the mean and variance of the public data. In the worst case, we may be unable to get any information about the public data or private data.
  • At step 120, it determines a privacy preserving mapping based on the statistical information, given the utility constraint.
  • The solution to the privacy preserving mapping mechanism depends on the available statistical information. For example, if the joint distribution $P_{S,X}$ is known, the privacy preserving mapping may be obtained using Eq. (2); if the marginal distribution $P_X$ is known, but not the joint distribution $P_{S,X}$, the privacy preserving mapping may be obtained using Eq. (4); if neither the marginal distribution $P_X$ nor the joint distribution $P_{S,X}$ is known, the privacy preserving mapping $P_{Y|X}$ may be obtained using Eq. (8).
  • At step 130, the public data of a current private user is distorted according to the determined privacy preserving mapping, before it is released to, for example, a service provider or a data collecting agency at step 140.
  • Method 100 ends at step 199.
  • FIGs. 2-4 illustrate in further detail exemplary methods for preserving privacy when different statistical information is available.
  • FIG. 2 illustrates an exemplary method 200 when the joint distribution $P_{S,X}$ is known.
  • FIG. 3 illustrates an exemplary method 300 when neither the marginal probability measure $P_X$ nor the joint distribution $P_{S,X}$ is known.
  • FIG. 4 illustrates an exemplary method 400 when the marginal probability measure $P_X$ is known, but not the joint distribution $P_{S,X}$. Methods 200, 300 and 400 are discussed in further detail below.
  • Method 200 starts at 205. At step 210, it estimates the joint distribution $P_{S,X}$ based on released data. At step 220, it formulates the optimization problem as Eq. (2). At step 230, it determines a privacy preserving mapping based on Eq. (2), for example, by solving Eq. (2) as a convex problem. At step 240, the public data of a current user is distorted according to the determined privacy preserving mapping, before it is released at step 250. Method 200 ends at step 299.
  • Method 300 starts at 305. At step 310, it formulates the optimization problem as Eq. (8) via maximal correlation. At step 320, it determines a privacy preserving mapping based on Eq. (8), for example, by solving Eq. (8) using power iteration or the Lanczos algorithm. At step 330, the public data of a current user is distorted according to the determined privacy preserving mapping, before it is released at step 340. Method 300 ends at step 399.
  • Method 400 starts at 405. At step 410, it estimates the distribution $P_X$ based on released data. At step 420, it formulates the optimization problem as Eq. (4) via maximal correlation. At step 430, it determines a privacy preserving mapping based on Eq. (12), for example, by solving the related Eq. (14) using power iteration or the Lanczos algorithm. At step 440, the public data of a current user is distorted according to the determined privacy preserving mapping, before it is released at step 450. Method 400 ends at step 499.
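To make the flow of method 200 (estimate the joint from public users, pick the kernel under a distortion budget, distort a private user's data) concrete, here is an added example written for this page; it is not code from the patent or from Thomson Licensing. It treats $S$ (political opinion) and $X$ (liking a given TV show) as binary. The public-user records are constructed, Hamming distance is assumed as the distortion measure, and an exhaustive grid over the two free parameters of a binary kernel stands in for the convex solver of step 230; the function names are the example's own.

```python
"""Added example (not part of the patent): a toy privacy agent following
method 200 for binary S and X.  P_{S,X} is estimated from constructed
"public user" records, the kernel P_{Y|X} is chosen to minimise I(S;Y)
subject to an expected Hamming distortion of at most D, and the kernel is
then applied to a private user's public data before release."""
from math import log2
import random

# Constructed sample of public users (not real data): each record is
# (political opinion S, liked the show X), both binary.
PUBLIC_USERS = [(1, 1)] * 40 + [(1, 0)] * 10 + [(0, 1)] * 15 + [(0, 0)] * 35


def estimate_joint(samples):
    """Step 210: empirical P_{S,X} as a 2x2 table indexed [s][x]."""
    table = [[0.0, 0.0], [0.0, 0.0]]
    for s, x in samples:
        table[s][x] += 1.0 / len(samples)
    return table


def mutual_information(joint):
    """I(A;B) in bits from a 2x2 joint table indexed [a][b]."""
    pa = [sum(row) for row in joint]
    pb = [sum(col) for col in zip(*joint)]
    return sum(joint[a][b] * log2(joint[a][b] / (pa[a] * pb[b]))
               for a in (0, 1) for b in (0, 1) if joint[a][b] > 0.0)


def released_joint(psx, kernel):
    """P_{S,Y}[s][y] = sum_x P_{S,X}[s][x] * P_{Y|X}[x][y]  (S - X - Y is Markov)."""
    return [[sum(psx[s][x] * kernel[x][y] for x in (0, 1)) for y in (0, 1)]
            for s in (0, 1)]


def expected_distortion(psx, kernel):
    """E[d_H(X, Y)] for the Hamming distortion d_H(x, y) = 1 if x != y else 0."""
    px = [sum(psx[s][x] for s in (0, 1)) for x in (0, 1)]
    return sum(px[x] * kernel[x][y] for x in (0, 1) for y in (0, 1) if x != y)


def design_mapping(psx, D, grid=101):
    """Steps 220-230: search the binary kernels P(Y=1|X=0) = a, P(Y=0|X=1) = b
    for the one minimising I(S;Y) with E[d_H(X,Y)] <= D.  The objective is
    convex in the kernel; an exhaustive grid stands in for a convex solver so
    that the example depends only on the standard library.
    Returns (leakage in bits, kernel as [[P(Y=0|X=0), P(Y=1|X=0)], [P(Y=0|X=1), P(Y=1|X=1)]])."""
    best = None
    for i in range(grid):
        for j in range(grid):
            a, b = i / (grid - 1), j / (grid - 1)
            kernel = [[1.0 - a, a], [b, 1.0 - b]]
            if expected_distortion(psx, kernel) > D + 1e-12:
                continue                      # violates the utility constraint
            leak = mutual_information(released_joint(psx, kernel))
            if best is None or leak < best[0] - 1e-12:
                best = (leak, kernel)
    return best


def release(kernel, public_data, seed=0):
    """Step 240: distort one private user's public data X through P_{Y|X}."""
    rng = random.Random(seed)
    return [1 if rng.random() < kernel[x][1] else 0 for x in public_data]


if __name__ == "__main__":
    psx = estimate_joint(PUBLIC_USERS)
    print(f"I(S;X) without distortion: {mutual_information(psx):.4f} bits")
    for D in (0.0, 0.1, 0.2, 0.5):
        leak, kernel = design_mapping(psx, D)
        print(f"D={D}: leakage {leak:.4f} bits, "
              f"P(Y=1|X=0)={kernel[0][1]:.2f}, P(Y=0|X=1)={kernel[1][0]:.2f}")
    _, kernel = design_mapping(psx, 0.2)
    private_user_x = [1, 1, 0, 1, 0, 0, 1, 1]   # constructed public data of one private user
    print("released:", release(kernel, private_user_x, seed=7))
```

With $D = 0$ the only feasible kernel is the identity and the leakage equals $I(S;X)$; with $D = 0.5$ the kernel $P(Y{=}1|X{=}x) = 1/2$ makes $Y$ independent of $X$ and the leakage is zero. Because the estimated $P_{S,X}$ is not symmetric, the minimiser at intermediate budgets need not be the symmetric kernel of the binary example, which is the reason a joint estimate (method 200) can buy a better privacy-accuracy tradeoff than the kernel-only design of methods 300 and 400.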
  • A privacy agent is an entity that provides a privacy service to a user.
  • A privacy agent may perform any of the following:
  • FIG. 5 depicts a block diagram of an exemplary system 500 in which a privacy agent can be used.
  • Public users 510 release their private data ($S$) and/or public data ($X$).
  • The information released by the public users becomes statistical information useful for a privacy agent.
  • A privacy agent 580 includes a statistics collecting module 520, a privacy preserving mapping decision module 530, and a privacy preserving module 540.
  • Statistics collecting module 520 may be used to collect the joint distribution $P_{S,X}$, the marginal probability measure $P_X$, and/or the mean and covariance of the public data.
  • Statistics collecting module 520 may also receive statistics from data aggregators, such as bluekai.com.
  • Privacy preserving mapping decision module 530 designs a privacy preserving mapping mechanism $P_{Y|X}$, for example, based on the optimization problem formulated as Eq. (2), (8), or (12).
  • Privacy preserving module 540 distorts the public data of private user 560 before it is released, according to the conditional probability $P_{Y|X}$.
  • Statistics collecting module 520, privacy preserving mapping decision module 530, and privacy preserving module 540 can be used to perform steps 110, 120, and 130 of method 100, respectively.
  • The privacy agent needs only the statistics in order to work, without knowledge of the entire data collected by the data collection module.
  • The data collection module could be a standalone module that collects data and then computes statistics, and need not be part of the privacy agent.
  • The data collection module shares the statistics with the privacy agent.
  • A privacy agent sits between a user and a receiver of the user data (for example, a service provider).
  • A privacy agent may be located at a user device, for example, a computer or a set-top box (STB).
  • A privacy agent may be a separate entity.
  • All the modules of a privacy agent may be located at one device, or may be distributed over different devices. For example, statistics collecting module 520 may be located at a data aggregator who releases only statistics to module 530; privacy preserving mapping decision module 530 may be located at a "privacy service provider" or at the user end, on the user device connected to module 520; and privacy preserving module 540 may be located at a privacy service provider, who then acts as an intermediary between the user and the service provider to whom the user would like to release data, or at the user end on the user device.
  • The privacy agent may provide released data to a service provider, for example, Comcast or Netflix, in order for private user 560 to receive improved service based on the released data; for example, a recommendation system provides movie recommendations to a user based on the user's released movie ratings.
  • FIG. 6 shows a system with multiple privacy agents. In different variations, privacy agents need not be present everywhere, as this is not a requirement for the privacy system to work. For example, there could be a privacy agent only at the user device, only at the service provider, or at both. In FIG. 6, the same privacy agent "C" serves both Netflix and Facebook. In another embodiment, the privacy agents at Facebook and Netflix can, but need not, be the same.
  • The notion of neighboring can have multiple definitions, e.g., Hamming distance 1 (differing in a single coordinate), or $\ell_p$ distance below a threshold. In the present application, we use the former definition.
  • Proposition 2 is summarized in FIG. 7.
  • $P(Y|S)$ is $\varepsilon$-divergence private if Gaussian noise is added instead of Laplacian noise, with an appropriately chosen variance.
  • The variance of the Gaussian noise depends on the correlation in the data $S$ via the variance of $X$.
  • Let $N$ be Gaussian noise whose variance is chosen, as a function of $\varepsilon$ and the variance of $X$, to satisfy that condition. Adding this noise to $X$, the leakage factor is less than or equal to $\varepsilon$.
  • The probability of detecting private data is very small under divergence privacy.
  • The implementations described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of the features discussed may also be implemented in other forms (for example, an apparatus or program).
  • An apparatus may be implemented in, for example, appropriate hardware, software, and firmware.
  • The methods may be implemented in, for example, an apparatus such as a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as computers, cell phones, portable/personal digital assistants ("PDAs"), and other devices that facilitate communication of information between end-users.
  • The appearances of the phrase "in one embodiment" or "in an embodiment" or "in one implementation" or "in an implementation", as well as any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
  • This application or its claims may refer to "determining" various pieces of information. Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory. Further, this application or its claims may refer to "accessing" various pieces of information. Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • "Receiving" is, as with "accessing", intended to be a broad term.
  • Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory).
  • "Receiving" is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • Implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted.
  • The information may include, for example, instructions for performing a method, or data produced by one of the described implementations.
  • A signal may be formatted to carry the bitstream of a described embodiment.
  • Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of the spectrum) or as a baseband signal.
  • The formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream.
  • The information that the signal carries may be, for example, analog or digital information.
  • The signal may be transmitted over a variety of different wired or wireless links, as is known.
  • The signal may be stored on a processor-readable medium.

Landscapes

  • Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Medical Informatics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention concerns the privacy-utility tradeoff faced by a user who wishes to release some public data (denoted $X$) to an analyst, where that data is correlated with the user's private data (denoted $S$), in order to obtain some utility. The public data is distorted before release according to a probabilistic privacy preserving mapping mechanism, which limits information leakage under utility constraints. In particular, this probabilistic privacy preserving mechanism is modeled as a conditional distribution, $P_{Y|X}$, where $Y$ is the data actually released to the analyst. The invention provides utility-aware privacy preserving mapping mechanisms against inference attacks when only partial, or even no, statistical knowledge of the prior distribution $P_{S,X}$ is available. In particular, by means of maximal correlation techniques, the invention obtains a separability result on the information leakage, which leads to the design of the privacy preserving mapping.
PCT/US2013/071284 2012-08-20 2013-11-21 Method and apparatus for utility-aware privacy preserving mapping against inference attacks WO2015026384A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP13803358.4A EP3036677A1 (fr) 2013-08-19 2013-11-21 Method and apparatus for utility-aware privacy preserving mapping against inference attacks
US14/912,639 US20160203333A1 (en) 2012-08-20 2013-11-21 Method and apparatus for utility-aware privacy preserving mapping against inference attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361867543P 2013-08-19 2013-08-19
US61/867,543 2013-08-19

Publications (1)

Publication Number Publication Date
WO2015026384A1 true WO2015026384A1 (fr) 2015-02-26

Family

ID=49759569

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2013/071284 WO2015026384A1 (fr) 2012-08-20 2013-11-21 Method and apparatus for utility-aware privacy preserving mapping against inference attacks

Country Status (2)

Country Link
EP (1) EP3036677A1 (fr)
WO (1) WO2015026384A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150235051A1 (en) * 2012-08-20 2015-08-20 Thomson Licensing Method And Apparatus For Privacy-Preserving Data Mapping Under A Privacy-Accuracy Trade-Off
US10216959B2 (en) 2016-08-01 2019-02-26 Mitsubishi Electric Research Laboratories, Inc Method and systems using privacy-preserving analytics for aggregate data
CN110457940A (zh) * 2019-07-10 2019-11-15 Guizhou University A differential privacy measurement method based on graph theory and mutual information
CN111723402A (zh) * 2020-06-21 2020-09-29 Tianjin University of Technology A traffic compensation incentive method for MDU private data protection based on a Q-learning strategy
CN112312388A (zh) * 2020-10-29 2021-02-02 State Grid Jiangsu Electric Power Co., Ltd. Marketing Service Center A location anonymization method for road network environments based on local protection sets
CN112364372A (zh) * 2020-10-27 2021-02-12 Chongqing University A privacy protection method for supervised matrix completion
US11132453B2 (en) 2017-12-18 2021-09-28 Mitsubishi Electric Research Laboratories, Inc. Data-driven privacy-preserving communication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100024042A1 (en) * 2008-07-22 2010-01-28 Sara Gatmir Motahari System and Method for Protecting User Privacy Using Social Inference Protection Techniques
EP2241986A1 (fr) * 2009-04-13 2010-10-20 Sap Ag Privacy-preserving schema mapping repository for schema mapping reuse

Non-Patent Citations (12)

* Cited by examiner, † Cited by third party
Title
Josep Domingo-Ferrer, "A Survey of Inference Control Methods for Privacy-Preserving Data Mining," in Privacy-Preserving Data Mining, vol. 34, Springer US, Boston, MA, 2008, pp. 53-80, ISBN 978-0-387-70992-5, DOI: 10.1007/978-0-387-70992-5_3 *
A. Rényi, "On measures of dependence," Acta Mathematica Hungarica, vol. 10, no. 3
D. Kifer and A. Machanavajjhala, "A rigorous and customizable framework for privacy," ACM PODS, 2012
Elza Erkip et al., "The Efficiency of Investment Information," IEEE Transactions on Information Theory, vol. 44, no. 3, May 1998, ISSN 0018-9448 *
Flavio du Pin Calmon et al., "Privacy against statistical inference," 50th Annual Allerton Conference on Communication, Control, and Computing, IEEE, October 2012, pp. 1401-1408, DOI: 10.1109/ALLERTON.2012.6483382 *
H. Gebelein, "Das statistische Problem der Korrelation als Variations- und Eigenwertproblem und sein Zusammenhang mit der Ausgleichungsrechnung," Zeitschrift für Angewandte Mathematik und Mechanik, vol. 21, 1941, pp. 364-379
H. O. Hirschfeld, "A connection between correlation and contingency," Proceedings of the Cambridge Philosophical Society, vol. 31
H. S. Witsenhausen, "On sequences of pairs of dependent random variables," SIAM Journal on Applied Mathematics, vol. 28, no. 1
I. S. Reed, "Information theory and privacy in data banks," Proceedings of the June 4-8, 1973, National Computer Conference and Exposition (AFIPS '73), New York, 1973, p. 581, DOI: 10.1145/1499586.1499731 *
R. Ahlswede and P. Gács, "Spreading of sets in product spaces and hypercontraction of the Markov operator," The Annals of Probability
S. Kamath and V. Anantharam, "Non-interactive simulation of joint distributions: The Hirschfeld-Gebelein-Rényi maximal correlation and the hypercontractivity ribbon," Allerton Conference on Communication, Control, and Computing, 2012
V. Anantharam, A. Gohari, S. Kamath and C. Nair, "On maximal correlation, hypercontractivity, and the data processing inequality studied by Erkip and Cover," 2013

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150235051A1 (en) * 2012-08-20 2015-08-20 Thomson Licensing Method And Apparatus For Privacy-Preserving Data Mapping Under A Privacy-Accuracy Trade-Off
US10216959B2 (en) 2016-08-01 2019-02-26 Mitsubishi Electric Research Laboratories, Inc Method and systems using privacy-preserving analytics for aggregate data
US11132453B2 (en) 2017-12-18 2021-09-28 Mitsubishi Electric Research Laboratories, Inc. Data-driven privacy-preserving communication
CN110457940A (zh) * 2019-07-10 2019-11-15 贵州大学 A differential privacy measurement method based on graph theory and mutual information
CN110457940B (zh) * 2019-07-10 2023-04-11 贵州大学 A differential privacy measurement method based on graph theory and mutual information
CN111723402A (zh) * 2020-06-21 2020-09-29 天津理工大学 A traffic compensation incentive method for MDU privacy data protection based on a QL learning strategy
CN111723402B (zh) * 2020-06-21 2023-05-30 天津理工大学 A traffic compensation incentive method for MDU privacy data protection based on a QL learning strategy
CN112364372A (zh) * 2020-10-27 2021-02-12 重庆大学 A privacy protection method for supervised matrix completion
CN112312388A (zh) * 2020-10-29 2021-02-02 国网江苏省电力有限公司营销服务中心 A location anonymization method for road network environments based on local protection sets
CN112312388B (zh) * 2020-10-29 2023-07-14 国网江苏省电力有限公司营销服务中心 A location anonymization method for road network environments based on local protection sets

Also Published As

Publication number Publication date
EP3036677A1 (fr) 2016-06-29

Similar Documents

Publication Publication Date Title
US20160203333A1 (en) Method and apparatus for utility-aware privacy preserving mapping against inference attacks
EP3036677A1 (fr) Method and apparatus for utility-aware privacy preserving mapping against inference attacks
Mozannar et al. Fair learning with private demographic data
Muggeo Interval estimation for the breakpoint in segmented regression: a smoothed score‐based approach
EP3036679A1 (fr) Method and apparatus for utility-aware privacy preserving mapping through additive noise
McClure et al. Differential Privacy and Statistical Disclosure Risk Measures: An Investigation with Binary Synthetic Data.
Smith Estimation bias in spatial models with strongly connected weight matrices
Salamatian et al. How to hide the elephant-or the donkey-in the room: Practical privacy against statistical inference for large data
EP3036678A1 (fr) Method and apparatus for utility-aware privacy preserving mapping in view of collusion and composition
US20150235051A1 (en) Method And Apparatus For Privacy-Preserving Data Mapping Under A Privacy-Accuracy Trade-Off
US20160006700A1 (en) Privacy against inference attacks under mismatched prior
Bianchi et al. Estimation and testing in M‐quantile regression with applications to small area estimation
McGovern et al. On the assumption of bivariate normality in selection models: a copula approach applied to estimating HIV prevalence
WO2015157020A1 (fr) Method and apparatus for sparse privacy preserving mapping
Wang et al. On the marginal standard error rule and the testing of initial transient deletion methods
Peress Small chamber ideal point estimation
Juarez et al. “You Can’t Fix What You Can’t Measure”: Privately Measuring Demographic Performance Disparities in Federated Learning
US20150371241A1 (en) User identification through subspace clustering
He et al. Transfer learning in high‐dimensional semiparametric graphical models with application to brain connectivity analysis
Sharma et al. A practical approach to navigating the tradeoff between privacy and precise utility
US20160203334A1 (en) Method and apparatus for utility-aware privacy preserving mapping in view of collusion and composition
Liu et al. PrivAG: Analyzing attributed graph data with local differential privacy
Huang Combining estimators in interlaboratory studies and meta‐analyses
Jamalzehi et al. A new similarity measure based on item proximity and closeness for collaborative filtering recommendation
Li et al. A causal data fusion method for the general exposure and outcome

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application
Ref document number: 13803358; Country of ref document: EP; Kind code of ref document: A1
WWE WIPO information: entry into national phase
Ref document number: 14912639; Country of ref document: US
NENP Non-entry into the national phase
Ref country code: DE
WWE WIPO information: entry into national phase
Ref document number: 2013803358; Country of ref document: EP