Limiting disclosure of sensitive data in sequential releases of databases

Shmueli, Erez; Tassa, Tamir; Wasserstein, Raz; Shapira, Bracha; Rokach, Lior

doi:10.1016/j.ins.2011.12.020

Cited by 44 publications

(62 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The two main scenarios of multiple releases of a given table are the following (see [9]): (a) The scenario of sequential release publishing [28,32], where different (vertical) projections of a given table on different subsets of attributes are released in a sequential manner; and (b) Continuous data publishing [1,3,10,25,28,35,37], in which the underlying table changes over time (e.g., tuples are added, removed, or updated), and updated snapshots of the table are released over time.…”

Section: Overviewmentioning

confidence: 99%

See 1 more Smart Citation

Privacy by diversity in sequential releases of databases

Shmueli

Tassa

2015

Information Sciences

Self Cite

View full text Add to dashboard Cite

Section: Overviewmentioning

confidence: 99%

“…The goal is to protect the private information from adversaries who examine the entire sequential release. That scenario was studied in [32] and was further investigated in [28]. We revisit their privacy definitions, and suggest a significantly stronger adversarial assumption and privacy definition.…”

mentioning

confidence: 99%

Privacy by diversity in sequential releases of databases

Shmueli

Tassa

2015

Information Sciences

Self Cite

View full text Add to dashboard Cite

“…We also assume that the adversary acquired this knowledge for all data subjects in the table T ; as stated earlier, such a strong assumption is also very common, e.g. [20,35,50,51,56,61,62]. Hence, the adversary has, on one hand, the projection of T onto its first M attributes, and on the other hand the published table T in which the first M attributes are perturbed, and it includes additional L attributes that could be sensitive.…”

Section: Classical Utility and Privacy Measuresmentioning

confidence: 99%

“…For the sake of achieving a better privacy guarantee, a more widely accepted adversarial assumption (see, e.g. [20,35,50,51,56,61,62]) is a stronger one: the adversary knows the set of individuals who contributed their information to the database and was able to extract their quasi-identifier information from publicly available databases. Such an adversary knows the projection of T on its quasi-identifier attributes.…”

Section: A Global Dbrl Disclosure Risk Measurementioning

confidence: 99%

“…As it happens in cryptography, the most recommendable option (in order to ensure privacy even in the worst case) is to assume that the attacker has obtained some information on all original records in T , and then he uses this information in order to infer links between protected records in T and original records in T . (See for example [20,35,50,51,56,61,62].) The goal of the attacker is then to infer correct links between the records in T (which typically include non-sensitive information, called quasi-identifiers, such as age, location, profession etc.)…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting distance-based record linkage for privacy-preserving release of statistical datasets

Herranz

Nin

Rodríguez

et al. 2015

Data & Knowledge Engineering

Self Cite

View full text Add to dashboard Cite

Statistical Disclosure Control (SDC, for short) studies the problem of privacy-preserving data publishing in cases where the data is expected to be used for statistical analysis. An original dataset T containing sensitive information is transformed into a sanitized version T which is released to the public. Both utility and privacy aspects are very important in this setting. For utility, T must allow data miners or statisticians to obtain similar results to those which would have been obtained from the original dataset T . For privacy, T must significantly reduce the ability of an adversary to infer sensitive information on the data subjects in T .One of the main a-posteriori measures that the SDC community has considered up to now when analyzing the privacy offered by a given protection method is the Distance-Based Record Linkage (DBRL) risk measure. In this work, we argue that the classical DBRL risk measure is insufficient. For this reason, we introduce the novel Global Distance-Based Record Linkage (GDBRL) risk measure. We claim that this new measure must be evaluated alongside the classical DBRL measure in order to better assess the risk in publishing T instead of T . After that, we describe how this new measure can be computed by the data owner and discuss the scalability of those computations.We conclude by extensive experimentation where we compare the risk assessments offered by our novel measure as well as by the classical one, using well-known SDC protection methods. Those experiments validate our hypothesis that the GDBRL risk measure issues, in many cases, higher risk assessments than the classical DBRL measure. In other words, relying solely on the classical DBRL measure for risk assessment might be misleading, as the true risk may be in fact higher. Hence, we strongly recommend that the SDC community considers the new GDBRL risk measure as an additional measure when analyzing the privacy offered by SDC protection algorithms.

show abstract

(τ, m)‐slicedBucket privacy model for sequential anonymization for improving privacy and utility

Khan

Tao

Anjum

et al. 2020

Trans Emerging Tel Tech

View full text Add to dashboard Cite

In a real-world scenario for privacy-preserving data publishing, the original data is anonymized and released periodically. Each release may vary in number of records due to insert, update, and delete operations. An intruder can combine i.e. correlate different releases to compromise the privacy of the individual records. Most of the literature, such as -safety, -safe (l, k)-diversity, have an inconsistency in record signatures and adds counterfeit tuples with high generalization that causes privacy breach and information loss. In this paper, we propose an improved privacy model ( , )-slicedBucket, having a novel idea of "Cache" table to address these limitations. We indicate that a collusion attack can be performed for breaching the privacy of -safe (l, k)-diversity privacy model, and demonstrate it through formal modeling. The objective of the proposed ( , )-slicedBucket privacy model is to set a tradeoff between strong privacy and enhanced utility. Furthermore, we formally model and analyze the proposed model to show that the collusion attack is no longer applicable. Extensive experiments reveal that the proposed approach outperforms the existing models.

show abstract

Limiting disclosure of sensitive data in sequential releases of databases

Cited by 44 publications

References 35 publications

Privacy by diversity in sequential releases of databases

Privacy by diversity in sequential releases of databases

Revisiting distance-based record linkage for privacy-preserving release of statistical datasets

(τ, m)‐slicedBucket privacy model for sequential anonymization for improving privacy and utility

Contact Info

Product

Resources

About