Gianini, G., Damiani, E. (2008). Cloaking games in location based services. In SWS '08: Proceedings of the 2008 ACM workshop on Secure web services (pp.61-70). Association for Computing Machinery [10.1145/1456492.1456503].
Cloaking games in location based services
Gianini, G;
2008
Abstract
A prototypical case of data anonymization is location anonymization: here the most common data anonymization technique, k-anonymity, corresponds to cloaking and consists in providing the potential attacker with a large-granularity view of the user location. However, the anonymizer should take into account that if the landscape is not neutral, so that some user locations are more likely than others, then the attacker could perform some inferences over the data received and substantially lower the anonymity level with respect to the nominal one associated with a specific cloak. Data anonymization can be considered a two-player game: given a user position, there are in general several cloaks of a given size that the anonymizer can provide to the potential attacker; furthermore, upon receiving a cloak, the latter can choose among different points where to deliver an attack. The outcome of the game for each participant depends not only on his own strategy, but also on the strategy of the other player. A specific pair of strategies will be considered a solution to the game if none of the players (who are considered fully rational) could gain benefit by leaving that behavior unilaterally. This solution can be used as a reference solution, to determine the size of the cloak suitable to fulfill specific anonymity constraints, or to determine the relative effectiveness of other obfuscation solutions. This paper extends the results introduced in a previous work and analyzes a new communication scenario.