WO2016013057A1 - Information protection system, method, and program - Google Patents

Information protection system, method, and program

Info

Publication number
WO2016013057A1
WO2016013057A1 PCT/JP2014/069322 JP2014069322W WO2016013057A1 WO 2016013057 A1 WO2016013057 A1 WO 2016013057A1 JP 2014069322 W JP2014069322 W JP 2014069322W WO 2016013057 A1 WO2016013057 A1 WO 2016013057A1
Authority
WO
WIPO (PCT)
Prior art keywords
quasi
simulation
identifier
information
time
Prior art date
Application number
PCT/JP2014/069322
Other languages
English (en)
Japanese (ja)
Inventor
紀宏 津嶋
雅之 吉野
Original Assignee
株式会社日立システムズ
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立システムズ
Priority to JP2015513927A (patent JP6046807B2, ja)
Priority to PCT/JP2014/069322 (WO2016013057A1, fr)
Publication of WO2016013057A1 (fr)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present invention relates to an information protection system, an information protection method, and an information protection program.
  • the present invention provides a generalized unit of quasi-identifiers in an operational environment in which k-anonymization processing is performed on a time-dependent original data at a predetermined time interval using an information processing apparatus that performs k-anonymization processing.
  • the generalized unit of the quasi-identifier can be appropriately set by paying attention to the time dependency of the quasi-identifier.
  • This information protection system has a k-anonymization simulation function that optimizes the generalized unit settings by managing the time correlation of quasi-identifiers and simulating time; the same applies to the information protection method and the information protection program.
  • a server device that performs “k-anonymization” processing that realizes “k-anonymity” that makes it difficult to identify “k” or less people from the original data
  • the items of the original data are divided into “identifier”, “quasi-identifier”, and “other information”.
  • Anonymization is a process of processing personal information (privacy information) so that a user cannot be specified.
  • “k-anonymization” is known as an anonymity index. A “quasi-identifier” is a combination of information that a user does not want to be disclosed; by ensuring that k or more people belong to the same combination, the possibility that the user is identified is reduced to 1/k or less, which makes identification difficult.
  • Technologies related to this “k-anonymization” include Patent Literature 1 and Non-Patent Literature 1.
  • “original data” is often a data set called “personal information”.
  • “Personal information” is data that is not legalized but includes the idea of privacy in the personal information defined in the conventional personal information protection law.
  • the classification of “identifier”, “quasi-identifier”, and “other information” in “original data (personal information)” is defined, for example, in the report on “development / improvement and verification of personal information protection / analysis infrastructure” shown in Non-Patent Document 1. Among the processes described there is the “generalization process” for a “quasi-identifier”. “Generalization” abstracts the value of a “quasi-identifier”, for example by converting “age” into “age group” and “complete address” into “region”. It realizes “k-anonymity” by making it impossible to narrow a person down to fewer than “k” people from the combination of generalized values (for example, “age group” and “region”).
  • the objective is to leave the maximum number of records and the amount of information at a certain time. It is processed with the algorithm.
  • Patent Document 1 in order to prevent the generalized unit (abstraction level) from becoming too high with respect to the quasi-identifier of positioning data included in time-developing position information, the abstraction level exceeds a predetermined reference value.
  • the positioning time is divided into ad hoc (limited purpose). That is, in Patent Document 1, a general unit (abstraction level) of a quasi-identifier (position information) that develops in time (added in real time) is expressed as “unit (abstraction level) as means for preventing the unit (abstraction level) from increasing. The method of dividing
  • Patent Document 1 discloses a technique of “dividing the generalized unit when the generalized unit (abstraction level) increases”, but a technique of “setting (changing) the unit systematically” is not disclosed. Therefore, the generalized units may stop matching when the only purpose is to retain the amount of information, and the analysis of the anonymized data set then cannot be continued. Accordingly, an object of the present invention is to provide an information protection system that can continue the analysis of the anonymized data set.
  • the information protection system of the present invention is capable of managing a time-evolving quasi-identifier calculation formula in a data set having a quasi-identifier and executing a time-development simulation of k-anonymization processing.
  • the present invention is as follows.
  • the information protection system is a system that executes k-anonymization processing with time evolution for a data set (personal information) having a quasi-identifier. It has a calculation formula for calculating a distribution of k values according to the time evolution of the quasi-identifier, generates a data set with time evolution using the calculation formula, determines whether the k value in the generated data set satisfies a preset reference value, and evaluates whether the generalized unit of the quasi-identifier is valid.
  • the information protection system has a plurality of quasi-identifier calculation formulas that evolve in time in a data set having a quasi-identifier, selects a quasi-identifier correlated with the plurality of quasi-identifiers, uses the calculation formula of the selected quasi-identifier to generate a data set with time evolution, determines whether the k value in the generated data set satisfies a preset reference value, and evaluates whether the generalized unit of the quasi-identifier is valid.
  • the information protection system divides the quasi-identifier used in generating the data set with time development into generalized units, calculates the k value in each cell created by combining the divided areas, compares the calculated k value with the preset reference value, and extracts the cells that do not satisfy the reference value.
  • the information protection system can execute two or more different time evolution simulations, and can set two or more quasi-identifier calculation formulas.
  • whether the setting of the generalized unit is still valid after several years can be evaluated.
  • the generalized unit can be satisfied in the simulated data set several years after the original data in advance.
  • data unit inconsistency caused by the conventional method of changing the generalized unit after several years can be prevented in advance.
  • FIG. 1 is a configuration diagram of an information protection system that realizes a k-value time-dependent evaluation simulation function in k-anonymization processing.
  • FIG. 2 is a correspondence diagram showing the structure of each data and the relationship between the data.
  • FIG. 3 is a diagram illustrating a configuration example of the original data table.
  • FIG. 4 is a diagram illustrating a configuration example of a semi-identifier management master (JSM) table.
  • FIG. 5 is a diagram illustrating a configuration example of a simulation definition master (SDM) table.
  • FIG. 6 is a diagram illustrating a configuration example of a simulation journal table (SJT).
  • FIG. 7 is a flowchart showing the entire process of the time-dependent evaluation simulation of the k value in the k-anonymization process.
  • FIG. 8 is a flowchart showing the quasi-identifier selection / registration process.
  • FIG. 9 is a flowchart showing a simulation content setting process to be executed.
  • FIG. 10 is a flowchart showing the simulation execution process.
  • FIG. 11 is a flowchart showing a data set generation process after n years.
  • FIG. 12 is a diagram illustrating a simulation execution result when the generalized unit is 3 years old and the age is changed.
  • FIG. 13 is a diagram showing a simulation execution result when the generalized unit is 5 years old and the age is changed.
  • FIG. 14 is a diagram illustrating a state before the simulation is executed when the age and the age of residence are changed and the generalized unit is 5 years old.
  • FIG. 15 is a diagram illustrating a state after the simulation is executed when the age and the number of years of residence are changed and the generalized unit is 5 years old.
  • various types of information may be described using an expression such as “management table”, but the various types of information may be expressed using a data structure other than a table. Further, the “management table” can be referred to as “management information” to indicate that it does not depend on the data structure.
  • the program is executed by a processor, for example, an MP (Micro Processor) or a CPU (Central Processing Unit), and performs a predetermined process.
  • the subject of processing may be a processor because the storage resource (for example, a memory) and a communication interface device (for example, a communication port) are used as appropriate.
  • the processor may have dedicated hardware in addition to the CPU.
  • the computer program may be installed on each computer from a program source.
  • the program source may be provided by, for example, a program distribution server or a storage medium.
  • each element, for example the controller, can be identified by a number or the like, but other types of identification information such as a name may be used as long as it is identifiable information.
  • the same reference numerals are given to the same parts.
  • the present invention is not limited to the present embodiment, and any application examples that meet the idea of the present invention are included in its scope. Further, unless specifically limited, each component may be plural or singular.
  • FIG. 1 is a configuration diagram of an information protection system that realizes a k-value time-dependent evaluation simulation function in k-anonymization processing.
  • the information protection system includes a k-value time-dependent evaluation simulation apparatus (abbreviated as an evaluation simulation apparatus) 1 and an operation terminal 100 connected to the evaluation simulation apparatus 1 via a network 101.
  • the evaluation simulation apparatus 1 includes the simulation management apparatus 10, the CPU-a 11, the storage apparatus a 12, the communication apparatus 13 that controls communication connection with the network 101, and the display device 14 for checking the k-anonymization processing result, the determination result, and the simulation status.
  • the simulation management device 10 includes a CPU-b 15 and a storage device b16.
  • These storage media are memory, HDD, and the like.
  • the simulation executor uses the operator terminal 100 to check the processing result of the k-anonymization processing device 105 on the display device 14 via the network 101. Whether the processing result is valid or not is determined by the determination device 114, and the determination result is also displayed on the display device 14. The processing result and the determination result may be acquired by the operator terminal 100 and displayed on a display unit (not shown) of the operator terminal 100.
  • the k-anonymization processing device 105 may use the configuration described in Non-Patent Document 1 described above, or may have another configuration.
  • the content of k-anonymization processing is generally known, and examples thereof include those described in Non-Patent Document 1 and Patent Document 1.
  • the operator terminal 100 receives information on the defined quasi-identifier and transmits it to the evaluation simulation apparatus 1 via the network 101.
  • the evaluation simulation apparatus 1 sends the received quasi-identifier information to the quasi-identifier management apparatus 112.
  • the quasi-identifier management device 112 stores the received quasi-identifier information in the quasi-identifier management master 40 and sends it to the simulation definition device 109.
  • the simulation executor examines the simulation contents.
  • the examination results (calculation formula for what kind of calculation is used for time evolution, simulation period, reference value of k value, initial generalized unit, etc.) are transmitted to the evaluation simulation apparatus 1 via the operation terminal 100.
  • the operation terminal 100 transmits the received simulation contents to the evaluation simulation apparatus 1, and the evaluation simulation apparatus 1 transmits the received simulation contents to the simulation definition apparatus 109.
  • the simulation definition device 109 stores and manages information other than information related to the calculation formula in the received simulation contents in the simulation definition master 50. Information about the calculation formula is registered in the simulation journal 60.
  • the simulation executor determines a simulation to be actually executed from the registered simulation. For example, the simulation executor selects a simulation name to be executed from the registered simulation name and content displayed on the operation terminal 100 using a pull-down menu. The operation terminal 100 transmits the selected simulation name to the evaluation simulation apparatus 1.
  • the evaluation simulation apparatus 1 sends the received simulation name to the simulation definition apparatus 109, and the simulation definition apparatus 109 acquires detailed information (execution simulation detailed information) of the simulation actually executed from the simulation journal 60 and the simulation definition master 50.
  • the time of “t + n” that is the time of.
  • the unit of time n is year, month, day, hour, minute, second, period, etc., and any unit can be used for simulation. Moreover, it may be a decimal number such as 0.5 years instead of an integer. By selecting such a unit, a temporally detailed simulation is possible. In addition, since long-term simulation can be performed, analysis efficiency can be improved.
  • FIG. 2 is a correspondence diagram showing the structure of each data and the relationship between the data.
  • The data used or managed by the evaluation simulation apparatus 1 are an original data table 30, a semi-identifier management master (JSM) table 40, a simulation definition master (SDM) table 50, and a simulation journal table (SJT: Simulation Journal Table) 60.
  • the original data table 30 has an identifier 1 (name) and an identifier 2 (member ID) as identifiers; a quasi-identifier 1 (age), a quasi-identifier 2 (address), a quasi-identifier 3 (year of occupancy), and a quasi-identifier 4 (insurance discount stage) as quasi-identifiers; and other 1 (annual income) and other 2 (car ownership) as other information.
  • quasi-identifier candidates are determined in the original data table 30. In this example, “birth year (age)”, “address”, “year of residence”, and “insurance discount stage” are selected as quasi-identifiers.
  • the quasi-identifier management master table 40 is composed of the quasi-identifiers of the original data table 30.
  • the semi-identifier management master table 40 has a JSM_quasi-identifier ID and a JSM_quasi-identifier. That is, the quasi-identifier of the original data table 30 corresponds to the JSM_quasi-identifier of the quasi-identifier management master (JSM) table 40.
  • the simulation definition master (SDM) table 50 has an SDM_simulation ID and an SDM_simulation name.
  • the simulation journal table (SJT) 60 has SJT_simulation ID, SJT_quasi-identifier ID, and SJT_calculation formula.
  • the SDM_simulation ID in the simulation definition master (SDM) table 50 corresponds to the SJT_simulation ID in the simulation journal table (SJT) 60.
  • the JSM_quasi-identifier ID of the semi-identifier management master table 40 corresponds to the SJT_quasi-identifier ID of the simulation journal table (SJT) 60.
  • FIG. 3 is a diagram illustrating a configuration example of the original data table.
  • the original data table 30 includes a number (#) 301, an identifier 302, a quasi-identifier 303, and other information 304.
  • the identifier 302 has a column for storing information of name and member number (member ID), and the quasi-identifier 303 has age (birth year), address, years of occupancy (year of occupancy), and insurance discount stage information.
  • the other information 304 has a column for storing annual income and vehicle ownership information.
  • FIG. 4 is a diagram illustrating a configuration example of a semi-identifier management master (JSM) table.
  • the semi-identifier management master (JSM) table 40 has a JSM_quasi-identifier ID 401 and a JSM_quasi-identifier 402.
  • the JSM_quasi-identifier ID 401 is an ID for uniquely identifying the JSM_quasi-identifier.
  • the candidate of the selected semi-identifier is stored in the JSM_quasi-identifier 402 corresponding to the JSM_quasi-identifier ID 401.
  • In the JSM_quasi-identifier 402 entries corresponding to JSM_quasi-identifier IDs 401 from “1” to “4”, the information “age (year of birth)”, “address”, “year of occupancy (year of occupancy)”, and “insurance discount stage” is stored.
  • FIG. 5 is a diagram illustrating a configuration example of a simulation definition master (SDM) table.
  • the simulation definition master (SDM) table 50 has an SDM_ID 501 for uniquely identifying a simulation and an SDM_simulation name 502.
  • Upon receiving simulation information to be executed from a simulation executor, the evaluation simulation apparatus 1 registers the simulation to be executed in the simulation definition master (SDM) table 50 and assigns an ID. Also, a calculation formula relating to the time evolution of the quasi-identifier in the assigned simulation is registered in the simulation journal table (SJT) 60.
  • In the entries of SDM_simulation names 502 corresponding to SDM_IDs 501 from “1” to “3”, “Elapsed time evaluation by age”, “Elapsed time evaluation of age and residence years”, and “Insurance discount stage evaluation 1” are stored.
  • FIG. 6 is a diagram illustrating a configuration example of a simulation journal table (SJT).
  • the simulation journal table (SJT) 60 is an example of a table that manages all simulation calculation formulas.
  • the simulation journal table (SJT) 60 has a number (#) 601, an SJT_simulation ID 602 for uniquely identifying a simulation, an SJT_quasi-identifier ID 603 for uniquely identifying a quasi-identifier, and an SJT_calculation formula 604.
  • the above calculation formula is an example. For example, paying attention to the fact that the car accident rate changes with age, the insurance premiums, insurance discount rates, incidental options, etc. of vehicle insurance (non-life insurance) may be changed. Further, paying attention to the fact that the annual income changes (increases or decreases) depending on age, the credit level in the credit information may be changed.
  • the simulation may be executed by the evaluation simulation apparatus 1 by combining the remaining amount of the mortgage loan with the age or the like.
  • the simulation management apparatus 10 as a main body that executes the process, but another apparatus, for example, the evaluation simulation apparatus 1 may be the main body.
  • FIG. 7 is a flowchart showing the entire process of the time-dependent evaluation simulation of the k value in the k-anonymization process.
  • the simulation management apparatus 10 registers the quasi-identifier defined in S704 in the quasi-identifier management master (JSM) table 40.
  • the simulation management apparatus 10 registers the simulation name and the simulation method in the simulation definition master (SDM) table 50 and the simulation journal table (SJT) 60.
  • the simulation management apparatus 10 executes a simulation.
  • the above processing is the entire processing of the time-dependent evaluation simulation of the k value in the k-anonymization processing. Next, detailed processing contents will be described with reference to FIG.
  • FIG. 8 is a flowchart showing the quasi-identifier selection / registration process. This process corresponds to the processes of S704 and S705 in FIG.
  • the simulation management apparatus 10 registers the field names of the quasi-identifiers selected by the quasi-identifier management apparatus 112 in the quasi-identifier management master (JSM) table 40. That is, the quasi-identifier management device 112 assigns the number next to the maximum number in the JSM_quasi-identifier ID 401 of the quasi-identifier management master (JSM) table 40, and stores the field name of the quasi-identifier in the JSM_quasi-identifier 402 corresponding to the assigned number.
  • FIG. 9 is a flowchart showing a simulation content setting process to be executed. This process corresponds to the process of S706 in FIG.
  • the simulation management apparatus 10 instructs the simulation definition apparatus 109 to register the name of the simulation to be executed in the simulation definition master (SDM) table 50 and to assign an SDM_simulation ID.
  • the simulation definition device 109 registers a simulation name in the simulation definition master (SDM) table 50 and assigns an SDM_simulation ID.
  • the simulation management apparatus 10 instructs the simulation definition apparatus 109 to register in the simulation journal table (SJT) 60 a calculation formula for temporal development of each quasi-identifier.
  • the simulation definition device 109 stores the information of SDM_ID 501 of the simulation definition master (SDM) table 50 in SJT_simulation ID 602 of the simulation journal table (SJT) 60, the information of JSM_quasi-identifier ID 401 in SJT_quasi-identifier ID 603, and the calculation formula for developing each quasi-identifier over time in SJT_calculation formula 604.
  • the simulation management apparatus 10 instructs the simulation definition apparatus 109 to register the simulation IDs, quasi-identifier IDs, and calculation formulas of all quasi-identifiers in the simulation journal table (SJT) 60.
  • the simulation definition device 109 executes the process of S902 for all the quasi-identifiers and sets predetermined information in the simulation journal table (SJT) 60.
  • FIG. 10 is a flowchart showing the simulation execution process. This process corresponds to the process of S707 in FIG.
  • the simulation management apparatus 10 sets a generalized unit of a quasi-identifier to be simulated.
  • the simulation management apparatus 10 sets the age generalization unit as “3 years old”, and sets the address generalization unit as “1 chome”.
  • the simulation management apparatus 10 sets a “cell” by combining the set generalization units. That is, as shown in FIG. 12, the simulation management apparatus 10 first sets a rectangular area in which the address is arranged in increments of 1 in the vertical axis direction and the age in 1 year increments in the horizontal axis direction. One or more “cells” (portions surrounded by thick black lines in the figure) are set as generalized units of age from 1 to 1 at 1 to 11 at 1-chome. In FIG. 12, four “cells” are set.
  • the simulation management apparatus 10 transmits the i-year data set to the k-anonymization processing apparatus 105 to execute the k-anonymization process.
  • the simulation management apparatus 10 causes the determination apparatus 114 to determine whether the processing result of the k-anonymization process in S1005 is appropriate. Then the k value is calculated in each cell, expressed as a combination of the generalized units of the quasi-identifiers for which the set simulation is performed. That is, the simulation management apparatus 10 determines k value candidates determined to be appropriate.
  • the simulation management apparatus 10 determines whether the k value is smaller than the set reference value as a result of calculating the k value. When the calculated k value is smaller than the set reference value (Yes), the simulation management apparatus 10 executes S1008. For example, if the calculated k value is “2” and the set reference value is “5”, the simulation management apparatus 10 determines that the anonymization standard is not satisfied (an individual is specified).
  • the simulation management apparatus 10 displays information on each cell whose k value is smaller than the set reference value on the screen of the display device 14, and notifies the simulation performer.
  • the simulation management apparatus 10 may transmit information on a cell having a value smaller than the reference value to the operation terminal 100 and display it on the display screen of the operation terminal 100 to warn that the reference value is not satisfied.
  • the simulation management apparatus 10 selects a simulation ID (information of SDM_ID 501) to be simulated from the simulation definition master (SDM) table 50.
  • the simulation management apparatus 10 acquires, from the simulation journal table (SJT) 60, all SJT_quasi-identifier IDs 603 and calculation formulas for the simulation ID selected in S1101 (information of SDM_ID 501). For example, when the simulation management apparatus 10 selects “Evaluation of age and age of residence over time” whose SDM_ID 501 is “2”, it acquires the SJT_quasi-identifier ID 603 and the SJT_calculation formula 604 of the entries whose SJT_simulation ID is the same “2” (number (#) 601 is “5”).
  • n may be a year unit as in the simulation of this example, or a decimal number of 0.5 years may be used as described above.
  • a negative value such as −1 year or −0.5 year can also be used.
  • FIG. 12 is a diagram illustrating a simulation execution result when the generalized unit is 3 years old and the age is changed.
  • FIG. 12 shows an example of the result of a simulation of “time-evaluated by age”.
  • “k value is 5 or more” is set as a reference value.
  • the generalized unit is “starting from 0 years old and 3 years old”. The simulation for year is set to 2015, and the time course evaluation simulation is executed every year.
  • in all cells, the reference value “k value is 5 or more” is satisfied. For example, the k value of people between the ages of 31 and 33 who live at addresses 1 to 11 of 1-chome is “8”. Similarly, the k value of people aged 34 to 36 is “7”, the k value of people 37 to 39 is “13”, and the k value of people 40 to 42 is “9”. Therefore, as of 2015, each cell divided into three-year age units (the portions surrounded by a thick black line) for people living at 1 to 11 of 1-chome satisfies the reference value “k value is 5 or more”.
  • the reference value “k value is 5 or more”.
  • the k value of people aged 31 to 33 is “6”
  • the k value of people aged 37 to 39 is “13”, satisfying the reference value “k value is 5 or more”.
  • the standard value “k value is 5 or more” is not satisfied.
  • the result of the determination device 114 determining the anonymization processing result of the k-anonymization processing device 105 is that the k value is insufficient (not sound). Therefore, the determination device 114 issues an alert on the screen of the display device 14 or the screen of the operation terminal 100. The generalized unit is then reviewed based on the simulation results. The result is shown in FIG.
  • FIG. 13 is a diagram showing a simulation execution result when the generalized unit is 5 years old and the age is changed. As shown in FIG. 13, by setting the generalized unit to “starting from 0 years old and 5 years old”, it is clear that the reference value “k value is 5 or more” can be cleared in all cells (the parts surrounded by the thick black line) for both 2015 (●: black circle) and 2016 (◎: double circle).
  • the k value for people aged 30 to 34 in 2015 is “10”
  • the k value for people aged 35 to 39 is “18”
  • the k value for people aged 40 to 44 is “9”.
  • the reference value “k value is 5 or more” is satisfied.
  • the k value for people aged 30 to 34 in 2016 is “12”
  • the k value for people aged 35 to 39 is “15”
  • the k value for people aged 40 to 44 is “12”, and the reference value “k value is 5 or more” is satisfied.
  • the soundness of the set k value (a measure of whether or not anonymization can be maintained in the future) can be determined, so that a stable information protection system can be provided.
  • FIG. 14 is a diagram showing a state before the simulation execution when the age and the age of residence are changed and the generalized unit is 5 years old (as of 2015).
  • FIG. 15 is a diagram showing a state after the simulation is executed when the age and the age of residence are changed and the generalized unit is 5 years old (2016 prediction).
  • the reference value “k value is 5 or more” is cleared in all cells (the portion surrounded by the black thick line).
  • FIG. 15 a cell having a residence age of 5 to 9 years and an age of 35 to 39 years, and a cell having a residence age of 10 to 14 years and an age of 40 to 44 years (two The k value is “4” and “3” in the portion surrounded by a heavy line. Therefore, it can be determined that the reference value “k value is 5 or more” is not cleared.
  • the means for calculating the future k value using the time-evolving quasi-identifier calculation formula and the means for comparing the calculated k value with a preset reference value And means for displaying the result of comparison, enabling execution of a time evolution simulation. Therefore, an appropriate generalized unit of the quasi-identifier can be set even with time development by k-anonymization processing of the data set of personal information having the quasi-identifier. Moreover, the analysis of the anonymized data set can be continued.
  • The present invention is not limited to the above-described embodiments and includes various modifications.
  • The above-described embodiments have been described in detail for easy understanding of the present invention, and the invention is not necessarily limited to embodiments having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, other configurations can be added to, deleted from, or substituted for a part of the configuration of each embodiment.
  • Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit.
  • Each of the above-described configurations, functions, and the like may be realized by software, with a processor interpreting and executing a program that realizes each function.
  • Information such as a program, a table, and a file for realizing each function may be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
  • The control lines and information lines shown are those considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. In practice, almost all the components may be considered to be connected to each other.
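The time evolution simulation described for FIG. 14 and FIG. 15 can be sketched as follows. This is an added example, not code from the patent: the records are constructed, and the time-evolution formula (age and years of residence each grow by one per elapsed year, with nobody joining or leaving the data set) is an assumption, as are all function names.

```python
from collections import Counter

REFERENCE_K = 5  # reference value from the text: "k value is 5 or more"
UNIT = 5         # generalized unit of 5 years, as in FIG. 14 and FIG. 15

# Constructed records (age, years of residence) as of the base year.
# Not the patent's data; chosen so the base year passes and the next fails.
SAMPLE = [(36, 6)] * 4 + [(39, 9)] * 3 + [(31, 1)] * 6


def generalize(value, unit=UNIT):
    """Map a raw value to its generalized range, e.g. 37 -> (35, 39)."""
    low = (value // unit) * unit
    return (low, low + unit - 1)


def evolve(records, years):
    """Assumed time-evolution formula: each quasi-identifier grows by one per year."""
    return [(age + years, residence + years) for age, residence in records]


def k_values(records, unit=UNIT):
    """k per cell: number of records sharing (age range, residence range)."""
    return Counter((generalize(a, unit), generalize(r, unit)) for a, r in records)


def failing_cells(records, years, unit=UNIT, reference=REFERENCE_K):
    """Cells whose predicted k after `years` is below the reference value."""
    predicted = k_values(evolve(records, years), unit)
    return {cell: k for cell, k in predicted.items() if k < reference}


def report(records, years):
    """Print the comparison result for each cell, as the display means would."""
    for (age, res), k in sorted(k_values(evolve(records, years)).items()):
        status = "OK" if k >= REFERENCE_K else "BELOW REFERENCE"
        print(f"+{years}y age {age[0]}-{age[1]} residence {res[0]}-{res[1]}: k={k} {status}")


if __name__ == "__main__":
    report(SAMPLE, 0)  # base year: every cell has k >= 5
    report(SAMPLE, 1)  # one year later: two cells drop below 5
```

Records that sit just below a range boundary in both quasi-identifiers move to a new cell together, which is why a cell that is safe today can split into two undersized cells a year later.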

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to an information protection system capable of setting an appropriate generalization unit for a quasi-identifier, even under time evolution, in a k-anonymization process on a data set of personal information containing the quasi-identifier. To this end, the information protection system comprises: means for calculating a future k value from a calculation formula for the quasi-identifier that evolves over time; means for comparing the calculated k value with a predefined reference value; and means for displaying a result of the comparison, which enables a time-evolution simulation to be carried out.
PCT/JP2014/069322 2014-07-22 2014-07-22 Information protection system, method and program WO2016013057A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2015513927A JP6046807B2 (ja) 2014-07-22 2014-07-22 Information protection system, information protection method and information protection program
PCT/JP2014/069322 WO2016013057A1 (fr) 2014-07-22 2014-07-22 Information protection system, method and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2014/069322 WO2016013057A1 (fr) 2014-07-22 2014-07-22 Information protection system, method and program

Publications (1)

Publication Number Publication Date
WO2016013057A1 true WO2016013057A1 (fr) 2016-01-28

Family

ID=55162614

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/069322 WO2016013057A1 (fr) 2014-07-22 2014-07-22 Information protection system, method and program

Country Status (2)

Country Link
JP (1) JP6046807B2 (fr)
WO (1) WO2016013057A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017215868A (ja) * 2016-06-01 2017-12-07 Necソリューションイノベータ株式会社 Anonymization processing device, anonymization processing method, and program

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012063546A1 (fr) * 2010-11-09 2012-05-18 日本電気株式会社 De-identification device and de-identification method
WO2012090628A1 (fr) * 2010-12-27 2012-07-05 日本電気株式会社 Information security device and method
WO2014007049A1 (fr) * 2012-07-03 2014-01-09 株式会社日立システムズ Service provision method and service provision system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8438650B2 (en) * 2010-07-06 2013-05-07 At&T Intellectual Property I, L.P. Anonymization of data over multiple temporal releases

Also Published As

Publication number Publication date
JP6046807B2 (ja) 2016-12-21
JPWO2016013057A1 (ja) 2017-04-27

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2015513927

Country of ref document: JP

Kind code of ref document: A

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14898276

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14898276

Country of ref document: EP

Kind code of ref document: A1