Wireless Pers Commun DOI 10.1007/s11277-015-2300-y

Authentication User’s Privacy: An Integrating Location Privacy Protection Algorithm for Secure Moving Objects in Location Based Services Imran Memon

© Springer Science+Business Media New York 2015

Abstract Location based services (LBSs) are gaining importance due to advances in mobile networks and positioning technologies. The proliferation of LBSs in recent years has highlighted the need to consider location privacy. This has led to the development of methods enhancing location privacy, and to the investigation of reasons for sharing location information. While computational attacks on location privacy and their prevention have attracted a lot of research, attacks based on human strategies and tactics have mostly been considered only implicitly. In querying an LBS, a user sends its exact location to the location service provider, and in the process the user's location information may be misused, purposefully or otherwise, by the service provider, creating privacy issues for users. It has therefore become important that mechanisms to protect the privacy of users are adopted when querying location based services. On this premise we introduce a novel query privacy algorithm, the Authentication Speed Dynamic Transportation Mode Cloaking algorithm, for continuous-query LBSs; it considers users' similarity in speed and direction, and their travelling with the same transport mode, when cloaking for anonymization. Experimental evaluation of the algorithm on a real-world map shows that our model ensures total privacy for users, gives an enhanced privacy guarantee, improves quality of service significantly and achieves a good performance measure; we also compare our method with the existing privacy protection methods V-DCA, DSDCA, AVD-DCA, D-TC and GCA.

Keywords Location based services (LBSs) · Privacy preservation · Query linking privacy · Quality of service (QoS)

I. Memon (corresponding author), College of Computer Science, Zhejiang University, Hangzhou 310027, People's Republic of China. e-mail: [email protected]
I. Memon, School of Computer Science and Engineering, University of Electronic Science and Technology, Chengdu, Sichuan, People's Republic of China

123

I. Memon

1 Introduction

Users are no longer dependent on the PC for access to the Internet-based information and telecommunication infrastructure. Location based services (LBSs) have attracted a lot of attention from research, industry and the public in recent years. Advances in wireless communications, positioning technologies, and consumer electronics combine to enable a range of applications that use a mobile user's geo-spatial location to deliver on-line, location-enhanced services, often referred to as location-based services [1]. Applications such as navigation support or online social networks (OSNs), and the proliferation of LBSs in general, have highlighted privacy risks and the need for countermeasures. So far, research has mainly focused on topics such as storing and processing sensitive data in a privacy-preserving way, user preferences for location privacy, motivations for location sharing [2], and computational inference attacks. LBSs are basically a type of service where information is provided based on the mobile user's geographical location. Location privacy threats refer to the risks that an adversary can obtain unauthorized access to raw location data, or to derived or computed location information, by locating a transmitting device, hijacking the location transmission channel, or identifying the subject (person) using a mobile device [3]. The privacy threat comes from the fact that providing such services requires interworking between different LBS providers, which implies that location data of a user must be shared with others [4]. The propagation of these data between service providers can be a problem, especially if the provision of services is done in a cascaded manner. Disclosure of location data to third parties who are not supposed to have it violates the privacy of users, since with high probability it can reveal sensitive information such as their health status through the hospital they attend.
For example, if the location data of a user indicate a cancer treatment center as a place he regularly visits, it can easily be inferred that the user may be a cancer patient. In the same manner, knowledge of one's location may reveal much of his private life, including his residence, place of work and, in the worst case, political and religious affiliations. There are two ways to classify privacy protection of users accessing LBSs. The first is the ability to prevent other parties from learning one's current or past location, termed location privacy; the second is the ability to delink an issued query from its issuer, known as query privacy. Clearly, the objective of any privacy scheme is to protect private information from adversaries. From the definition of privacy protection above, we can achieve privacy if a client's location and/or identity information is kept secret, bearing in mind that the location is required for the service. Simultaneous observation by an adversary of three components, the location of the client, the time at which that location is observed and the identity of the client, is always a threat to the client's privacy. Therefore, in accessing an untrusted LBS server, the client's identity, or the combination of it with either of the other two components, should be kept secret. To protect the privacy of mobile users, several techniques have been proposed, including false locations, space transformation, and spatial cloaking. Many researchers have done extensive work on the protection of location and query privacy of users using spatial cloaking based on the k-anonymity model and employing the trusted third party (TTP) architecture [5]. Although the TTP-based approach has been considered a bottleneck and a single point of attack, it seems the best option compared to other types of architecture when one wants to achieve authentication and privacy of users simultaneously.
For example, in deploying the other types of architecture, such as semi-distributed and TTP-free systems, achieving privacy and authentication simultaneously has always been an issue. In other words, there is always a trade-off between privacy and access control, whichever architecture is used [6]. In the past, a fair amount of research effort has been dedicated to protecting the location privacy of mobile travellers. The first category is represented by location cloaking techniques [1,7–12]. Spatial location cloaking typically adds uncertainty to the location information exposed to the location query services by reducing the spatial resolution of a mobile user's location while meeting location k-anonymity and/or location l-diversity [13]. More specifically, the spatially cloaked region is constructed to ensure that at least k users (location k-anonymity) are located in the same region, and that the region contains l different static sensitive objects (locations). To protect location privacy using spatial cloaking based on k-anonymity, a mobile client's location is cloaked into a region containing k − 1 other users. In this way the adversary cannot tell where in the region the mobile client is located. To protect a user from being linked to a query, the concept of k-anonymity is also used: a query from a mobile client is made indistinguishable from k − 1 other queries in the region, so that the query cannot be linked to a specific client in the region [14]. There are two types of queries, snapshot queries and continuous queries. A snapshot query is a one-time request such as "Where is my nearest bus stop?". A continuous query is a sequence of snapshot queries at discrete time points, for example "Continuously send me information on buses that are within five minutes of my current location". Much of the past work on privacy preservation in LBSs has concentrated on snapshot queries without considering continuous queries, which are another important application of concern because the query is not one-time but lasts for a period of time. The area of continuous queries has become important in academic circles because aggregating different continuous snapshots of a mobile user may lead to the query being linked to the issuer.
This type of attack is called a query tracking attack. Chow et al. [8] explained that, to solve the privacy issue related to continuous LBS queries, the set of k users in a cloaking region must remain grouped together over all snapshots of the query. Other researchers have also identified other forms of attack when continuously querying LBSs under the k-anonymity model. These include maximum movement boundary attacks [15], inference attacks [16], query homogeneity attacks [9] and skew attacks [10]. This vulnerability of the k-anonymity model to attacks means that privacy preservation in continuously querying LBSs requires further investigation [17]. This has led researchers to modify the k-anonymity model with other cloaking techniques in order to overcome these attacks. In this paper, we introduce a novel query privacy algorithm called Authentication Speed Dynamic Transportation Mode Cloaking (AS-DTMC) for continuous-query LBSs that considers users' similarity in speed and direction, and their travelling with the same transport mode, when cloaking for anonymization. The main contributions of our work are summarized as follows:

i. We propose a novel query privacy algorithm, Authentication Speed Dynamic Transportation Mode Cloaking (AS-DTMC), for continuous-query LBSs that considers users' similarity in speed and direction and their travelling with the same transport mode when cloaking for anonymization.
ii. We introduce QoS, complete privacy guarantee and performance as metrics to evaluate the efficiency of our algorithm.
iii. We carry out experiments and analyze our algorithm on a real-world map to test its efficiency and performance. We run a set of simulation experiments to compare our proposal against the existing privacy protection methods V-DCA [18], DSDCA [19], AVD-DCA [7], D-TC [20] and GCA [11].


The rest of the paper is organized as follows: Sect. 2 discusses related work on privacy preservation in LBSs. Section 3 discusses the preliminaries, including the design goals, system architecture and cloaking principle. Section 4 analyses the security of the algorithm, while Sect. 5 deals with the design of our algorithm. Section 6 presents the experiments and their evaluation, and we conclude in Sect. 7.

2 Related Work

Query privacy protection is an important part of privacy protection in LBSs; its purpose is to prevent attackers from linking the query content with a specific user. Gruteser and Grunwald [21] were the first to use the k-anonymity model to solve privacy issues. They argued that when a user requests services, the anonymity server generates a cloaked region for the user which contains the user itself and k − 1 other users, so that the k users cannot be distinguished by their identity. They included the temporal dimension in addition to obfuscating location; but, built on top of spatial cloaking, spatio-temporal cloaking delays the response to the service requested by the client. Gedik and Liu [22] suggested a personalized k-anonymity model that allows the client to put forward privacy requirements, including the parameter k. Chow et al. [8] proposed the property of memorization for query privacy in continuous LBSs: successive cloaking regions must also include the locations of all users cloaked previously. This property may however result in very large cloaking regions and thus high processing overhead for the server. To protect users of continuous queries in LBSs, the use of historical locations of mobile clients was proposed in [23] in order to generate relatively smaller cloaking regions. Pan et al. [11] introduced the distortion of locations during the entire query session to avoid the cloaked region becoming unacceptably large, since a large region may also affect quality of service (QoS). They also introduced privacy and quality models to ensure a balance between privacy and quality requirements in the cloaked region. They failed to account for the fact that velocity cannot remain the same, hence using one distortion for the whole period may not be practical.
Stenneth and Yu [20] proposed the Dynamic Transportation Mode Cloaking algorithm. They argued that cloaking mobile clients of different transportation modes using k-anonymity protects a user in that region with more than 1/k confidence only for snapshot queries, not for continuous queries. They introduced the new concept of transportation mode homogeneity for continuous queries and argued that cloaking k clients with the same transportation mode will increase their protection to a probability of more than 1/k. They further claim that clients with the same transport mode are more likely to stay close in the future, and therefore cloaking them together will keep the cloaked region smaller and hence improve QoS. Furthermore, k_global and k_local were introduced as the global and local privacy requirements respectively, to preserve privacy in the continuous-query environment. Local privacy ensures that each individual snapshot is transportation-mode anonymous with respect to some local k-anonymity value. Global privacy ensures that the aggregation of all the submitted snapshots is also transportation-mode anonymous with respect to some global k-anonymity value. In previous work [7,11,18,19,24], we proposed the velocity dynamic cloaking algorithm and argued that even if clients with the same transportation mode are cloaked together, they may have different moving trends and status, so it is important to consider their moving trend during cloaking. We therefore introduced cloaking of clients with similar velocity and acceleration to preserve privacy in continuous-query LBSs. However, we discovered that clients moving with similar velocity and acceleration may not necessarily be moving in the same direction, and hence their privacy may not be protected. Even though they may be moving with similar velocity and acceleration, their similarity in direction is important to effectively protect their privacy. This is the premise on which we present our work. We therefore consider cloaking users with similar velocity and direction, since mobile users keeping a similar direction and velocity are more likely to stay together, which effectively protects their privacy. Of course, users staying together implies a smaller cloaked region and hence better QoS. Wang et al. [24] showed that by combining consecutive cloaked location data, including speed and heading direction, an adversary can obtain a more accurate estimate of the actual location. They proposed a solution that prevents such inferences by cloaking the maximum and minimum of speed and direction. Our work differs from theirs in that we do not cloak velocity and direction. In this paper, we propose a novel query privacy algorithm, Authentication Speed Dynamic Transportation Mode Cloaking (AS-DTMC), for continuous-query LBSs that considers users' similarity in speed and direction, and their travelling with the same transport mode, when cloaking for anonymization, while allowing users to choose their privacy requirement so as to assure them of a full privacy guarantee. We run a set of simulation experiments to evaluate our proposal and compare its performance with the existing privacy protection methods V-DCA [18], DSDCA [19], AVD-DCA [7], D-TC [20] and GCA [11].

3 Preliminaries

Definition 1 (Velocity similarity) We introduce the velocity similarity $Sim_v$ to reflect the similarity of mobile clients' velocities. Let $v_i = (v_{ix}, v_{iy})$ be the two-dimensional velocity vector of client $i$; the velocity similarity $Sim_v(i, j)$ of clients $i$ and $j$ is calculated as follows [7]:

$$Sim_v(i, j) = \sqrt{(v_{ix} - v_{jx})^2 + (v_{iy} - v_{jy})^2} \qquad (1)$$

Definition 2 (Distance between mobile clients) For a mobile client $i$ located at position $l(x_i, y_i)$ in a region, and an adjacent client $j$ with co-ordinates $l(x_j, y_j)$, the distance between these mobile clients at time $t_i$ is calculated as

$$D(i, j) = \sqrt{(x_i - x_j)^2 + (y_i - y_j)^2}, \qquad i, j = 1, 2, 3, \ldots, n \qquad (2)$$

The change in distance $D(i, j)$ between the mobile nodes at time $t_j$ with respect to $t_i$ is calculated as

$$|\Delta D(i, j)| = |D_{t_i}(i, j) - D_{t_j}(i, j)| \qquad (3)$$

where $D_{t_i}(i, j)$ and $D_{t_j}(i, j)$ are the distances between the two mobile clients at the two different times $t_i$ and $t_j$.

Definition 3 (Directional similarity) We introduce the directional similarity $\Theta_{sim}$ to reflect the similarity of mobile clients' directions. Consider two mobile clients $i$ and $j$ with locations $l(x_i, y_i)$ and $l(x_j, y_j)$ and angles of direction $\theta_i$ and $\theta_j$ respectively, measured relative to an origin location $l(x_o, y_o)$. The directional similarity of clients $i$ and $j$ is calculated as follows [19]:

$$\Theta_{sim}(i, j) \approx \theta_i \approx \theta_j \qquad (4)$$

$$\theta_i = \tan^{-1}\left(\frac{y_i}{x_i}\right) \qquad (5)$$

Definition 4 (Qualified cloaked region) For a particular query $q$, a client $q'$ that is cloaked together with $q$ should satisfy the following conditions, using formulas (1), (2) and (3) [18]:

(1) $Sim_v(q, q') \le \zeta$;
(2) $\mathrm{MinD}(q, q') \le \alpha$;
(3) $A(R) \le \delta_q$.

Condition (1) bounds the velocity similarity of the clients cloaked together by $\zeta$, while condition (2) bounds the minimum change in distance by $\alpha$. A region meeting all the conditions can be a candidate cloaking region. The candidate cloaking region $CR$ at time $t$ is a qualified cloaking region if and only if it fulfils the following prerequisite:

$$|CR \cap R_1 \cap R_2 \cap \ldots \cap R_{t-1}| \ge k_{global} \qquad (6)$$

This condition protects the client from the query tracking attack. The clients in the qualified cloaking region $CR$ form the qualified cloaking set. The third condition ensures that adding $q'$ to the cloaking set meets the quality requirement. $R$ is the cloaked region formed by $q'$ and the clients already cloaked with $q$, and $A(R)$ is its cloaking area. As a larger cloaking area indicates higher data distortion, we introduce $\delta_q$ to limit data distortion in case it brings bad QoS. $\delta_q$ is combined with $k_{local}$ and $k_{global}$ to balance privacy and quality, and can be determined by the anonymizing service based on history. This condition ensures a 100 % privacy guarantee at all times for the MC. The maximum number of cloaked sets that meet the privacy and quality requirements of Definition 4 is denoted by $C_{success}$, which can be used as a measure of the performance of our cloaking algorithm.

3.1 System Architecture

The architecture consists of Mobile Clients (MC), an Anonymizing Server (AS), and a Location-Based Server (LBS). The system also takes into consideration the privacy requirement profile of users, which allows them to specify the minimum privacy requirement of their choice at different locations. For example, a cancer patient may want a higher privacy level at the treatment center than at a shopping mall. Our basic assumption for the operation of this system is that the LBS is not trusted and may inadvertently leak location information of users. Under this assumption, the adversary may be able to intercept a sample set of queries forwarded to the LBS and may therefore be capable of knowing the exact location of some mobile users in the cloaked region. However, the query should not be linkable to individual users.
For this reason, the proposed protocol concentrates on query privacy preservation rather than location privacy. The core of the system is the AS, which consists of four parts: the cloaking engine, the results refiner, the cloaked repository and the profile storage. The cloaking engine is responsible for cloaking the exact location into a region containing at least k − 1 other clients and forwarding the region request to the LBS. The results refiner filters the candidate results generated by the LBS into an accurate one based on the client's location. The cloaked repository keeps some previously cloaked results and uses them to generate the new region. The profile storage stores the privacy requirement profile of the MC, including the locations at which higher privacy is preferred. The AS is placed at some cellular service provider (e.g. mobile base stations), and mobile clients access the LBS through it. The architecture is shown in Fig. 1.

Fig. 1 The system architecture

3.2 Protocol Execution and Prototype Description

A Mobile Client (MC) registers with the Report Server (RS) and submits his privacy profile together with his points of interest. The RS issues him an ID and a certificate (public key) which he presents whenever he wants service. A mobile client who needs the services of the LBS sends a service request (stating how long the service should last) together with his certificate and a privacy profile to the AS at, say, time t1. The AS then forwards the certificate to the RS for authentication of the client and, where necessary, updates the stored privacy profile if it differs from the one given at registration. The RS verifies the validity of the MC by confirming or denying the identity of the MC to the AS. The AS aborts the request if verification is negative. Upon successful verification of the MC, the AS uses the cloaking mechanism to generate a cloaked region from the location of the MC together with other users, so that the region contains at least k clients. Cloaking of MCs within the region should respect their moving trends, as discussed in later sections. If all cloaking conditions are met, the AS forwards the cloaked query request to the LBS for the service. Upon receiving the query with the cloaked region, the service provider computes many candidate results using locations in the region and passes all the results to the AS. The AS can pick out the correct query answer for the MC using his exact location and return the required results to him. The AS then continues issuing the request to the LBS within the lifetime of the query, with different cloaked regions related to the real-time location of the query client, until, say, time t2 when the query expires.

The mobile client sends a new query in the form (l, k, T_f, T_exp, Con), where l = (x, y) is the location co-ordinate of the client, comprising latitude (x) and longitude (y); these values can be determined by GPS or other positioning components. k represents the privacy requirement profile of the MC. T_f is the time at which the query is created and T_exp is the expiration time of the query. For a continuous query, the query is issued periodically by the AS within the period (T_exp − T_f), so T_exp − T_f determines the number of snapshots in the continuous query; generally, the longer the query stays active, the larger the number of snapshots. The content of the query is denoted by Con. On receiving the query, the cloaking engine cloaks location l into a region R, ensuring that the value of k has been considered. Before a cloaked region is considered successful, the following conditions must be met:

i. The number of clients cloaked in the region, k_local, must be greater than or equal to k to satisfy the MC's privacy requirement.
ii. The clients cloaked must have similar velocities and move in similar directions.
iii. The clients cloaked must be relatively close in distance so that the effective cloaked area is relatively small and hence QoS is good.
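The following Python code is an added worked example, not code from the paper, that implements Definitions 1 to 4 and the three conditions above as an admission check for one snapshot: velocity similarity (Eq. 1), distance and its change between snapshots (Eqs. 2 and 3), direction relative to an origin (Eqs. 4 and 5), the area bound δ_q, k_local, and the k_global intersection with the earlier cloak sets of Eq. (6). The direction tolerance theta_tol, the use of atan2 in place of a bare tan^{-1}, the parameter values and all client positions are assumptions; the paper gives no numeric values for them.

```python
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class Client:
    cid: str
    x: float   # location l(x_i, y_i), Definition 2
    y: float
    vx: float  # velocity vector v_i = (v_ix, v_iy), Definition 1
    vy: float


def velocity_similarity(i: Client, j: Client) -> float:
    """Sim_v(i, j), Eq. (1): Euclidean distance between the two velocity vectors."""
    return math.hypot(i.vx - j.vx, i.vy - j.vy)


def distance(i: Client, j: Client) -> float:
    """D(i, j), Eq. (2)."""
    return math.hypot(i.x - j.x, i.y - j.y)


def distance_change(i_prev: Client, j_prev: Client, i_now: Client, j_now: Client) -> float:
    """|Delta D(i, j)|, Eq. (3): change of D(i, j) between two snapshots."""
    return abs(distance(i_prev, j_prev) - distance(i_now, j_now))


def heading(c: Client, origin: Point = (0.0, 0.0)) -> float:
    """theta_i, Eq. (5): angle of the client's location relative to the origin l(x_o, y_o).
    atan2 is used instead of a bare tan^-1 so that all four quadrants are distinguished (assumption)."""
    return math.atan2(c.y - origin[1], c.x - origin[0])


def direction_difference(i: Client, j: Client, origin: Point = (0.0, 0.0)) -> float:
    """Angular distance |theta_i - theta_j| wrapped to [0, pi]; Eq. (4) asks for this to be near 0."""
    d = abs(heading(i, origin) - heading(j, origin)) % (2 * math.pi)
    return min(d, 2 * math.pi - d)


def mbr_area(clients: Iterable[Client]) -> float:
    """A(R): area of the minimum bounding rectangle of the cloaked clients."""
    xs = [c.x for c in clients]
    ys = [c.y for c in clients]
    return (max(xs) - min(xs)) * (max(ys) - min(ys))


def qualified_cloaking_set(query: Client, candidates: Sequence[Client], previous: Dict[str, Client],
                           history: Sequence[FrozenSet[str]], *, zeta: float, theta_tol: float,
                           alpha: float, delta_q: float, k_local: int, k_global: int) -> dict:
    """Definition 4 plus the three conditions of Sect. 3.2 for one snapshot.

    previous: positions of the clients at the previous snapshot (needed for Eq. (3)).
    history:  cloak sets R_1 .. R_{t-1} of the earlier snapshots (needed for Eq. (6)).
    theta_tol is an assumed tolerance for Eq. (4), which the paper states without a number.
    """
    accepted: List[Client] = [query]
    rejected: Dict[str, str] = {}
    for c in candidates:
        if velocity_similarity(query, c) > zeta:                 # condition (1)
            rejected[c.cid] = "velocity"
            continue
        if direction_difference(query, c) > theta_tol:            # Eq. (4)
            rejected[c.cid] = "direction"
            continue
        if c.cid not in previous or \
                distance_change(previous[query.cid], previous[c.cid], query, c) > alpha:  # condition (2)
            rejected[c.cid] = "distance_change"
            continue
        accepted.append(c)

    cloak = frozenset(c.cid for c in accepted)
    area = mbr_area(accepted)                                      # condition (3)
    overlap = cloak.intersection(*history) if history else cloak  # Eq. (6)
    qualified = len(cloak) >= k_local and area <= delta_q and len(overlap) >= k_global
    return {"cloak_set": cloak, "rejected": rejected, "area": area,
            "global_overlap": len(overlap), "qualified": qualified}


def demo() -> dict:
    """Constructed snapshot (not real data): a query client q and six neighbours."""
    now = [Client("q", 100, 100, 10.0, 0.0),
           Client("a", 105, 102, 11.0, 0.5),   # similar: accepted
           Client("b", 96, 103, 9.5, -0.2),    # similar: accepted
           Client("f", 101, 104, 9.8, 0.3),    # similar: accepted
           Client("c", 103, 97, -10.0, 0.0),   # moving the opposite way: velocity check fails
           Client("d", 300, 150, 10.0, 0.0),   # same speed but a different bearing: direction fails
           Client("e", 98, 97, 10.2, 0.1)]     # was 10.4 units from q, now 3.6: distance change fails
    prev = {"q": Client("q", 90, 100, 10.0, 0.0), "a": Client("a", 95, 102, 11.0, 0.5),
            "b": Client("b", 86, 103, 9.5, -0.2), "f": Client("f", 91, 104, 9.8, 0.3),
            "c": Client("c", 113, 97, -10.0, 0.0), "d": Client("d", 290, 150, 10.0, 0.0),
            "e": Client("e", 80, 97, 10.2, 0.1)}
    history = [frozenset("qabfc"), frozenset("qabe")]              # R_1, R_2 of this query
    return qualified_cloaking_set(now[0], now[1:], prev, history, zeta=3.0, theta_tol=0.1,
                                  alpha=2.0, delta_q=100.0, k_local=4, k_global=3)


if __name__ == "__main__":
    print(demo())
```

With these assumed thresholds the set {q, a, b, f} is admitted with area 36 and shares three members with both earlier cloak sets, so it is a qualified cloaking region; the three rejected clients each fail a different condition, which is the point of keeping the checks separate.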

4 Security Analysis

In this section, we analyze the threats that are likely to affect our algorithm. An adversary with the following knowledge can launch an attack.

Attacking model:
(1) The exact positions of users (Mobile Clients) and their velocities.
(2) The cloaking algorithm.
(3) A sample of the cloak sets of some snapshots.
(4) Knowledge of some sample query contents.

Having these pieces of information, an attacker may be able to launch three types of attack: the homogeneity attack [25], the query tracking attack [9] and the maximum movement boundary (MMB) attack [15].

4.1 Homogeneity Attack

K-anonymity has been used to preserve users' privacy in continuous-query location based services. Recently, it has been observed that enforcing k-anonymity alone is not sufficient to ensure privacy. Consider a scenario in which all users in a cloaked region are interested in the same type of service, such as the location of a particular club. In this case, even if an adversary cannot link an individual query back to a specific user, the adversary still learns that all the users in the cloaked region have enquired about that club. While this example depicts an extreme case, in reality it is not uncommon for users in the same cloaked region to request only a limited number of services. Consequently, an adversary can still infer with high probability that some user has issued a query on a certain service. This kind of attack is referred to as a query homogeneity attack, and it renders the existing k-anonymity model vulnerable. Homogeneity attacks are thus possible when users cloaked together query the same service, which makes it possible for an adversary to link the query to these users [4,25]. To counter this kind of attack, a modified l-diversity concept, originally proposed for the relational database domain, can be applied in the LBS domain to protect query contents. The key idea is to ensure that for all queries sharing the same cloaked region, the query contents are different enough that the probability of linking a query to its original issuer is less than some pre-defined threshold. Therefore, we avoid cloaking together users requesting the same service.
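As an added example (not code from the paper), the following Python snippet shows the l-diversity check on query contents described above: it computes how confidently an adversary can link a cloaked set to one service, and builds a k-member cloak set that refuses to add a client whose service has already reached a per-service cap. The cap rule floor(p_max · k), the parameters k, l and p_max, and the sample services are assumptions for illustration.

```python
from collections import Counter
from typing import Dict, Optional, Sequence, Tuple


def homogeneity_risk(queries: Dict[str, str]) -> Tuple[str, float]:
    """Adversary's view of a cloaked set (member -> requested service): the most requested
    service and the probability that a member chosen at random asked for it.
    1.0 is the extreme case in the text, where everyone asked for the same club."""
    service, n = Counter(queries.values()).most_common(1)[0]
    return service, n / len(queries)


def is_l_diverse(queries: Dict[str, str], l: int, p_max: float) -> bool:
    """Query-content diversity: at least l distinct services in the set and no single
    service linkable to a member with probability above p_max."""
    _, p = homogeneity_risk(queries)
    return len(set(queries.values())) >= l and p <= p_max


def select_diverse_cloak_set(query: Tuple[str, str], candidates: Sequence[Tuple[str, str]],
                             k: int, l: int, p_max: float) -> Optional[Dict[str, str]]:
    """Build a k-member cloak set from (cid, service) candidates, assumed to be pre-sorted by
    the caller (nearest first), skipping any candidate whose service is already at the
    assumed cap floor(p_max * k). Returns None if no l-diverse set of size k is reachable."""
    cap = max(1, int(p_max * k))
    chosen: Dict[str, str] = {query[0]: query[1]}
    per_service = Counter([query[1]])
    for cid, service in candidates:
        if len(chosen) == k:
            break
        if per_service[service] >= cap:
            continue  # adding this client would let the adversary link the service too easily
        chosen[cid] = service
        per_service[service] += 1
    if len(chosen) < k or not is_l_diverse(chosen, l, p_max):
        return None
    return chosen


# Constructed example (not real data): q asks for a club; neighbours are sorted by distance.
QUERY = ("q", "club")
NEIGHBOURS = [("a", "club"), ("b", "club"), ("c", "hospital"), ("d", "club"), ("e", "restaurant")]


def demo() -> dict:
    naive = {"q": "club", "a": "club", "b": "club", "d": "club"}  # k=4 by distance alone
    diverse = select_diverse_cloak_set(QUERY, NEIGHBOURS, k=4, l=2, p_max=0.5)
    return {"naive_risk": homogeneity_risk(naive), "naive_ok": is_l_diverse(naive, 2, 0.5),
            "diverse": diverse, "diverse_risk": homogeneity_risk(diverse) if diverse else None}


if __name__ == "__main__":
    print(demo())
```

The distance-only set is linked to "club" with probability 1.0; the diverse set caps the club requests at two of four members, so the adversary's linking confidence drops to the assumed threshold of 0.5. When the candidates cannot satisfy the cap, the function returns None and the anonymizer must widen its search or suppress the snapshot.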

4.2 Maximum Movement Boundary Attack

In k-anonymity, the privacy of a snapshot is assured by the use of the rectangular area occupied by the cloaked set. But if an attacker possesses rectangles from the same user at different times and also knows the user's maximum velocity, then it is possible to infer the user's approximate location from the overlap of the current rectangle with the maximum movement bound of the previous rectangle, an attack referred to as the maximum movement boundary attack [15]. With the attacks described above, an adversary can progressively find more precise locations of a user and approximate the user's trajectory. As a result the attacker could also build a complete profile of the user's activities from the identified trajectory. Hence, protecting the trajectory privacy of users as much as possible while processing a query from a client is essential. Maximum movement boundary attacks are related to location-dependent attacks. To deal with these kinds of attacks, [26] proposed two simple solutions, patching and delaying. The first, patching, enlarges the current cloaked region to cover the last one so that the area overlapping the MMB is at least as large as the last cloaked region. The drawback of this method is that the size of the cloaked region increases significantly as time evolves, affecting QoS. The second, delaying, suspends the request by a time t until the MMB grows large enough to fully contain the current cloaked region. However, the user may have already changed her location and may no longer be in the cloaked region at this later time; moreover, for critical systems where time is of the essence, this method is not suitable. Another approach also proposed to postpone requests, considering the scenario where the attacker has prior knowledge about the placement of sensitive regions on a map; as already pointed out, this method cannot be used for time-critical systems. Du et al. [27] and Xu et al. [28] developed mobility-aware cloaking techniques by considering mobility patterns in location cloaking. However, the privacy metric employed in these studies is only the granularity of the cloaked regions, without considering location k-anonymity. Another related work is [29], which employed information-theoretic entropy to measure the location anonymity level by considering the probabilities of users being in a cloaked region. As entropy does not care whether user locations are actually different, the exact user location would be disclosed if all k users were at the same location. To address the maximum movement boundary attack, we cloak users with similar velocity. With similar velocity, the mobiles cloaked together keep their mutual distances to a minimum, so the maximum movement boundary that ensures privacy is kept small, meaning that the desired quality of service is still achieved.


4.3 Query Tracking Attacks

Suppose two different continuous queries are issued by a mobile user at some time interval. If the user is cloaked with different sets of users for these two continuous queries, a location-dependent attack is possible. On the other hand, if the user is always cloaked with the same set of users, the cloaked region would eventually expand to the whole service region as the users move apart and issue more and more queries over time. In the long run, the quality of service degrades to an unacceptable level. An attack that exploits this behaviour is called a query tracking attack. To deal with this kind of attack while still maintaining the desired quality of service, we employ the k_global property. For example, Wang et al. [18] noted that, given client q's cloaking regions R_i and R_{i+1} at t_i and t_{i+1}, an attacker can launch a query tracking attack by calculating R_i ∩ R_{i+1} to narrow the cloaked region of client q. However, even if the attacker possesses the exact position of the user, or knows the exact snapshots including cloak set and query content, the tracking attack can be resisted by utilizing the k_global property. The k_global property requires that the size of the intersection of the current cloaking set with those generated previously be at least the specified value k_global. Though the adversary may own all of the cloaking sets, it cannot distinguish the query client from at least k_global − 1 others. In practice, k_global may be defined much smaller than k_local.
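The following Python code, an added example rather than code from the paper, plays the adversary for the two attacks above: the maximum movement boundary attack of Sect. 4.2 (intersect the current region with the MMB of the previous one, with the "patching" defence for comparison) and the query tracking attack of Sect. 4.3 (intersect the successive cloak sets), together with the k_global check of Eq. (6) that defeats the latter. The MMB is modelled as the previous rectangle grown by v_max · Δt on each side; that model, the region coordinates and the cloak sets are constructed assumptions.

```python
from typing import Iterable, Optional, Sequence, Set, Tuple

Rect = Tuple[float, float, float, float]  # (x_min, y_min, x_max, y_max)


def rect_area(r: Rect) -> float:
    return (r[2] - r[0]) * (r[3] - r[1])


def intersect(a: Rect, b: Rect) -> Optional[Rect]:
    """R_i ∩ R_{i+1}: geometric overlap of two cloaked regions, or None if they are disjoint."""
    x0, y0 = max(a[0], b[0]), max(a[1], b[1])
    x1, y1 = min(a[2], b[2]), min(a[3], b[3])
    return None if x0 > x1 or y0 > y1 else (x0, y0, x1, y1)


def bounding_box(a: Rect, b: Rect) -> Rect:
    return (min(a[0], b[0]), min(a[1], b[1]), max(a[2], b[2]), max(a[3], b[3]))


def mmb(prev: Rect, v_max: float, dt: float) -> Rect:
    """Maximum movement boundary: everywhere a user confined to prev could reach within dt at
    speed v_max. Modelled as the rectangle grown by v_max*dt on every side (assumption)."""
    d = v_max * dt
    return (prev[0] - d, prev[1] - d, prev[2] + d, prev[3] + d)


def mmb_attack(prev: Rect, cur: Rect, v_max: float, dt: float) -> Optional[Rect]:
    """Adversary's refined estimate of the user's current location (Sect. 4.2)."""
    return intersect(cur, mmb(prev, v_max, dt))


def patch(prev: Rect, cur: Rect) -> Rect:
    """The 'patching' defence: grow the current region until it also covers the previous one."""
    return bounding_box(prev, cur)


def query_tracking_attack(cloak_sets: Sequence[Iterable[str]]) -> Set[str]:
    """Intersect the cloak sets of successive snapshots; the survivors are the adversary's
    candidates for the issuer (Sect. 4.3)."""
    survivors = set(cloak_sets[0])
    for s in cloak_sets[1:]:
        survivors &= set(s)
    return survivors


def satisfies_k_global(cloak_sets: Sequence[Iterable[str]], k_global: int) -> bool:
    """Eq. (6): at every snapshot t, |CR ∩ R_1 ∩ ... ∩ R_{t-1}| >= k_global."""
    return all(len(query_tracking_attack(cloak_sets[:t + 1])) >= k_global
               for t in range(1, len(cloak_sets)))


def demo() -> dict:
    # Constructed scenario (not real data); units are metres and seconds.
    prev, cur = (0.0, 0.0, 100.0, 100.0), (150.0, 150.0, 350.0, 350.0)
    v_max, dt = 10.0, 10.0                    # the MMB grows 100 m per side in one 10 s interval
    attacked = mmb_attack(prev, cur, v_max, dt)
    patched = mmb_attack(prev, patch(prev, cur), v_max, dt)
    naive = [set("qabc"), set("qdef"), set("qghi")]          # fresh nearest neighbours each time
    history_aware = [set("qabc"), set("qabd"), set("qaeb")]  # keep earlier members, as AS-DTMC does
    return {"attacked": attacked, "attacked_area": rect_area(attacked),
            "patched_area": rect_area(patched),
            "naive_survivors": query_tracking_attack(naive),
            "naive_k_global_2": satisfies_k_global(naive, 2),
            "aware_survivors": query_tracking_attack(history_aware),
            "aware_k_global_2": satisfies_k_global(history_aware, 2)}


if __name__ == "__main__":
    print(demo())
```

In the constructed scenario the MMB attack shrinks a 40 000 m² region to 2 500 m², while patching keeps the overlap at 40 000 m² at the cost of a much larger region, the QoS trade-off noted in Sect. 4.2. For tracking, choosing fresh neighbours at each snapshot leaves q as the only survivor after two intersections, whereas cloak sets that keep three members in common satisfy k_global = 2 and leave the adversary with three indistinguishable candidates.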

5 Algorithm

5.1 Algorithm Depiction

We propose the Authentication Speed Dynamic Transportation Mode Cloaking (AS-DTMC) algorithm in this section. The velocity similarities, k_global and the distances between mobile nodes are considered for each snapshot cloaking. AS-DTMC is a history-based cloaking strategy which ensures that queries cloaked together at time t_{i−1} have a higher likelihood of staying together at t_i. When generating the cloaking region R_i, the clients nearest to previously successful cloaking regions are given prior consideration. When a new query q arrives, the AS first verifies that the MC is a legitimate client. For the new query q, instead of searching all the clients, the AS searches the pre-cloaked set R_set. These steps continue until there are no more clients to be cloaked together, with velocity and change in distance calculated for each (steps 4–17). A region meeting the requirements k_local and δ_p is treated as the qualified cloaked region (steps 19–21). For each subsequent snapshot i in the query lifetime, we check the satisfaction of δ_q by adding each client of R_{i−1}, R_{i−2}, ..., R_{i−m} into S_i in turn; the client causing the lowest data distortion is chosen into S_i, and the step is repeated until the size of S_i no longer changes (steps 22–24). The MBR r_i covering S_i is then a candidate cloaking region (steps 25–26). Finally, the privacy model δ_p is evaluated; if it is not satisfied, r_i is expanded on all sides until its area equals δ_p, and R_i = r_i (steps 27–29). When all these conditions are achieved, AS-DTMC issues the snapshot query to the LBS with R_i (step 30); otherwise, the snapshot is suppressed and the cloaking engine processes the subsequent snapshots (steps 31–32).
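The following Python code is an added example, not the paper's own listing, of the per-snapshot loop described above: candidates come only from the previous cloak sets R_{i−1}, ..., R_{i−m}, are filtered by velocity similarity, and are added one at a time by lowest resulting MBR area until δ_q would be exceeded; the snapshot is suppressed unless k_local and the k_global intersection hold, and the region is otherwise padded on all sides to the privacy model δ_p. Treating δ_p and δ_q as plain area thresholds, the velocity filter ζ, and the sample positions are assumptions.

```python
import math
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

Point = Tuple[float, float]
Rect = Tuple[float, float, float, float]  # (x_min, y_min, x_max, y_max)


def mbr(points: Sequence[Point]) -> Rect:
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def area(r: Rect) -> float:
    return (r[2] - r[0]) * (r[3] - r[1])


def expand_to_area(r: Rect, target: float) -> Rect:
    """Grow r by the same margin m on all four sides until (w + 2m)(h + 2m) == target."""
    w, h = r[2] - r[0], r[3] - r[1]
    if w * h >= target:
        return r
    m = (-(w + h) + math.sqrt((w + h) ** 2 - 4 * (w * h - target))) / 4
    return (r[0] - m, r[1] - m, r[2] + m, r[3] + m)


def cloak_snapshot(qid: str, pos: Dict[str, Point], vel: Dict[str, Point],
                   history: Sequence[FrozenSet[str]], *, k_local: int, k_global: int,
                   delta_q: float, delta_p: float, zeta: float) -> Optional[Tuple[FrozenSet[str], Rect]]:
    """One snapshot of the history-based loop. Returns (S_i, R_i), or None when the snapshot
    must be suppressed. delta_q caps the area (quality); delta_p is the minimum area the
    region is padded to (privacy). Both are assumed here to be plain area thresholds."""
    # Candidate pool: clients cloaked with q in the recent regions R_{i-1} .. R_{i-m} and
    # still visible now, filtered by velocity similarity Sim_v <= zeta (sorted for determinism).
    pool = sorted({c for r in history for c in r if c != qid and c in pos})
    pool = [c for c in pool
            if math.hypot(vel[c][0] - vel[qid][0], vel[c][1] - vel[qid][1]) <= zeta]

    chosen: List[str] = [qid]
    while True:
        remaining = [c for c in pool if c not in chosen]
        if not remaining:
            break
        # The client whose addition causes the least distortion (smallest MBR) is taken next.
        best = min(remaining, key=lambda c: area(mbr([pos[x] for x in chosen + [c]])))
        if area(mbr([pos[x] for x in chosen + [best]])) > delta_q:
            break                           # every other candidate would grow the MBR even more
        chosen.append(best)

    s_i = frozenset(chosen)
    overlap = s_i.intersection(*history) if history else s_i
    if len(s_i) < k_local or len(overlap) < k_global:
        return None                         # suppress this snapshot
    r_i = expand_to_area(mbr([pos[c] for c in chosen]), delta_p)
    return s_i, r_i


def demo(k_local: int = 4) -> Optional[Tuple[FrozenSet[str], Rect]]:
    # Constructed snapshot i (not real data): c now moves the other way, z has drifted far off.
    pos = {"q": (100.0, 100.0), "a": (105.0, 102.0), "b": (96.0, 103.0), "f": (101.0, 104.0),
           "c": (103.0, 97.0), "z": (140.0, 130.0)}
    vel = {"q": (10.0, 0.0), "a": (11.0, 0.5), "b": (9.5, -0.2), "f": (9.8, 0.3),
           "c": (-10.0, 0.0), "z": (10.0, 0.0)}
    history = [frozenset("qabfc"), frozenset("qabz")]   # R_{i-1}, R_{i-2}
    return cloak_snapshot("q", pos, vel, history, k_local=k_local, k_global=3,
                          delta_q=100.0, delta_p=64.0, zeta=3.0)


if __name__ == "__main__":
    print(demo())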


6 Experiment and Evaluation

In this section, we evaluate our proposed AS-DTMC algorithm to test its efficiency and performance. The evaluation criteria and metrics are discussed in Sect. 6.1. In Sect. 6.2, we describe the experimental setup and evaluate the results, comparing them with the previous work V-DCA [18], DSDCA [19], AVD-DCA [7], D-TC [20] and GCA [11], in which similar velocity and acceleration were considered for cloaking.

6.1 Evaluation Criteria and Metrics

We now discuss the evaluation criteria that we use to measure the efficiency of our algorithm. We evaluated the algorithm with three considerations: (1) Complete Privacy Guarantee, (2) Quality of Service, (3) Performance.

(1) Complete Privacy Guarantee: For a continuous query, the privacy depends on k_global. Since k_global is always greater than k, the privacy guarantee for a user is always assured. We must admit that it is possible for some queries to be suppressed because they cannot meet the cloaking conditions; we therefore introduce a metric called complete privacy guarantee (P) to measure the ability of our algorithm to avoid suppression of a query. We evaluate P as the ratio of the number of successfully cloaked snapshots C_success to the total number of cloaks C_total generated by the AS within an active query period:

$$P = \frac{C_{success}}{C_{total}} \times 100\,\% \qquad (7)$$

(2) QoS: As clients staying far apart may reduce the accuracy of the results, we evaluate the QoS using the average cloaking area during the query lifetime. A larger cloaked area implies a worse QoS, meaning that the query client and the clients cloaked together with it are far apart. For a continuous query q, let R_i be the cloaked region of q at snapshot i; the average cloaking area A_avg(q) is the mean of all the cloaked areas [19]. The computation of A_avg(q) is:

$$A_{avg}(q) = \frac{\sum_{i=1}^{n} A_{R_i}}{C_{success}} \qquad (8)$$

(3) Performance: We evaluate the performance as the ability of the algorithm to find the k_local − 1 closest users. The cloaking time is the time the algorithm takes to perturb the request. The average cloaking time CT_avg for a continuous query that has just elapsed its active period, consisting of C_success snapshots, is evaluated as:

$$CT_{avg} = \frac{\sum_{i=1}^{n} CT_{R_i}}{C_{success}} \qquad (9)$$

where CT_{R_i} is the cloaking time of the query with region R_i.

6.2 Experimental Setup

In our experimental setup, we use the well-known Thomas Brinkhoff Network-based Generator of Moving Objects to generate data for the simulation of our algorithm [30]. We adopt the highway network of Shanghai as our road map. During the experiment, 2000 mobile clients were generated moving along the map at medium speed for 70 snapshots at an interval of 10 s. Therefore,

[Fig. 2 Complete privacy guarantee: complete privacy guaranty (%) against number of snapshots]

[Fig. 3 Comparing QoS: cloaking area (m*m)*10^6 against number of snapshots for AS-DTMC, V-DCA, DSDCA, AVD-DCA, D-TC and GCA]

their corresponding speeds and locations (x, y) of all the clients were obtained from the generator. The directions of all the mobile clients were calculated using Eq. (5). The privacy model restricts the area to greater than 150 square meters. Our experiment was based on the assumption that a mobile client can set his privacy profile to a maximum of k = 5. With the simulated data, we implemented our algorithms on a laptop with 4 GB memory and an Intel Core i3 2.40 GHz processor. The results obtained are shown in Figs. 2, 3 and 4. Figure 2 shows the test of complete privacy guarantee. The graph plots the complete privacy guarantee against the number of snapshots. Generally, the trend of the graph shows that the complete privacy guarantee varies directly with the number of snapshots. This trend shows that our algorithm was able to avoid suppression of cloaked regions as the number of snapshots increased. Conversely, it exhibited a lower complete privacy guarantee when the number of snapshots was low. This trend might be due to the fact that at smaller numbers of snapshots,

[Fig. 4 Comparing performance: cloaking time (ms)*10^2 against number of snapshots for AS-DTMC, V-DCA, DSDCA, AVD-DCA, D-TC and GCA]

the repository of mobile clients built up was relatively small, hence many more of the queries had to be suppressed. Another significant trend is that our algorithm could achieve about 77 % complete privacy guarantee, which means that about 77 % of all cloaked regions generated by the anonymization server (AS) met all privacy requirements. Figure 3 shows the test of quality of service. The graph plots the cloaking area against the number of snapshots. The cloaked area varies inversely with the number of snapshots until the number of snapshots was about thirty; thereafter the cloaked area remained almost constant. Generally, as the number of snapshots increases the cloaked area decreases, hence improving the quality of service. This trend of improving QoS continued until it became almost constant after the 30th snapshot. The relatively larger cloaked area at lower numbers of snapshots might be due to the fact that there was not a large enough repository of mobile clients at the initial stages. Comparing our graph with those obtained in previous work using V-DCA, DSDCA, AVD-DCA, D-TC and GCA, shown in Fig. 3, there was a significant improvement of QoS at all numbers of snapshots by AS-DTMC. Using V-DCA, DSDCA, AVD-DCA, D-TC and GCA, the quality of service remained almost constant at all numbers of snapshots, whilst AS-DTMC exhibited varying QoS. Figure 4 shows the performance test of our algorithm. The graph plots the cloaking time against the number of snapshots. The cloaking time varies inversely with the number of snapshots until about the 40th snapshot, after which the cloaking time remained almost constant at about 70 ms. Comparing the performance of V-DCA, DSDCA, AVD-DCA, D-TC and GCA with AS-DTMC, the former perform better at lower numbers of snapshots than the latter. But as the number of snapshots increases, AS-DTMC performs better than V-DCA, DSDCA, AVD-DCA, D-TC and GCA.
The poorer performance of AS-DTMC at smaller numbers of snapshots may be due to the fact that it considers two distinct quantities, velocity and direction, hence the slight delay in cloaking time. V-DCA and DSDCA considered velocity and acceleration, which appear to be two quantities but are in fact a single quantity, because acceleration is the rate of change of velocity; hence they cloak faster. On the other hand, as the number of snapshots increases, AS-DTMC performs better because of the repository of mobile clients and the fact that similarity in velocity and direction kept mobile nodes together, hence the cloaking time was shorter.


7 Conclusion

In this paper, we presented a new query privacy algorithm, AS-DTMC, that takes into account the direction, speed similarity and cloaking region of users for continuous-query location based systems. We evaluated AS-DTMC on the map of Shanghai on three metrics, namely complete privacy guarantee, quality of service and performance. AS-DTMC achieved total privacy for mobile clients at all times and successfully cloaked about 75 % of all regions that the anonymization server attempted to cloak. It improved quality of service significantly and achieved better performance than existing methods such as V-DCA, DSDCA, AVD-DCA, D-TC and GCA during the entire period of continuously querying the location based service.

References

1. Mun, M. Y., Kim, D. H., Shilton, K., Estrin, D., Hansen, M. H., & Govindan, R. (2014). PDVLoc: A personal data vault for controlled location data sharing. Transactions on Sensor Networks (TOSN), 10(4), 58. doi:10.1145/2523820.
2. Memon, I., Chen, L., Majid, A., Lv, M., Hussain, I., & Chen, G. (2014). Travel recommendation using geo-tagged photos in social media for tourist. Wireless Personal Communications. doi:10.1007/s11277-014-2082-7.
3. Memon, I., Mohammed, M. R., Akhtar, R., Memon, H., Memon, M. H., & Shaikh, R. A. (2014). Design and implementation to authentication over a GSM system using certificate-less public key cryptography (CL-PKC). Wireless Personal Communications, 79(1), 661–686.
4. Wernke, M., Skvortsov, P., Dürr, F., & Rothermel, K. (2014). A classification of location privacy attacks and approaches. Personal and Ubiquitous Computing, 18(1), 163–175.
5. Sun, M., & Tan, G. (2014). NativeGuard: Protecting android applications from third-party native libraries. In WiSec ’14: Proceedings of the 2014 ACM conference on security and privacy in wireless & mobile networks.
6. Akhtar, R., Leng, S., Memon, I., Ali, M., & Zhang, L. Architecture of hybrid mobile social networks for efficient content delivery. Wireless Personal Communications. doi:10.1007/s11277-014-1996-4.
7. Kamenyi, D. M., Wang, Y., Zhang, F., & Memon, I. (2013). Authenticated privacy preserving for continuous query in location based services. Journal of Computational Information Systems, 9(24), 9857–9864.
8. Chow, C.-Y., Mokbel, M. F., Bao, J., & Liu, X. (2011). Query-aware location anonymization for road networks. GeoInformatica, 15(3), 571–607.
9. Soria-Comas, J., Domingo-Ferrer, J., Sánchez, D., & Martínez, S. (2014). Enhancing data utility in differential privacy via microaggregation-based k-anonymity. The International Journal on Very Large Data Bases, 23(5), 771–794.
10. Serwadda, A., & Phoha, V. V. (2013). Examining a large keystroke biometrics dataset for statistical-attack openings. Transactions on Information and System Security, 16(2), 1–30.
11. Pan, X., Meng, X., & Xu, J. (2009). Distortion-based anonymity for continuous queries in location-based mobile services. In ACM GIS.
12. Akhtar, R., Amin, N. U., Memon, I., & Shah, M. (2013). Proceedings of SPIE—The international society for optical engineering (vol. 8768).
13. Nilizadeh, S., Kapadia, A., & Ahn, Y.-Y. (2014). Community-enhanced de-anonymization of online social networks. In CCS ’14: Proceedings of the 2014 ACM SIGSAC conference on computer and communications security.
14. Stenneth, L., Wolfson, O., Xu, B., & Yu, P. S. (2012). PhonePark: Street parking using mobile phones. In Proceedings—2012 IEEE 13th international conference on mobile data management (MDM 2012) (pp. 278–279).
15. Xiong, J., Xiong, J., & Claramunt, C. (2014). A spatial entropy-based approach to improve mobile risk-based authentication. In GeoPrivacy ’14: Proceedings of the 1st ACM SIGSPATIAL international workshop on privacy in geographic information collection and analysis.
16. Ahmadinejad, S. H., & Fong, P. W. L. (2013). On the feasibility of inference attacks by third-party extensions to social network systems. In ASIA CCS ’13: Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security.
17. Pan, X., Meng, X., & Xu, J. (2011). Protecting location privacy against location-dependent attack in mobile services. Knowledge and Data Engineering, 24(8), 1506–1519. doi:10.1109/TKDE.2011.105.
18. Wang, Y., He, L.-P., Peng, J., Zhang, T., & Li, H. (2012). Privacy preserving for continuous query in location based services. In Parallel and Distributed Systems (ICPADS), IEEE.
19. Gustav, Y. H., Wang, Y., Kamenyi, D. M., Zhang, F., & Memon, I. (2013). Velocity similarity anonymization for continuous query location based services. In 2013 International conference on computational problem-solving (ICCP) (pp. 433–436). doi:10.1109/ICCPS.2013.6893578.
20. Stenneth, L., & Yu, P. S. (2010). Global privacy and transportation mode homogeneity anonymization in location based mobile systems with continuous queries. In CollaborateCom.
21. Gruteser, M., & Grunwald, D. (2003). Anonymous usage of location-based services through spatial and temporal cloaking. In MobiSys ’03. New York, NY, USA: ACM.
22. Gedik, B., & Liu, L. (2008). Protecting location privacy with personalized k-anonymity: Architecture and algorithms. IEEE Transactions on Mobile Computing (TMC), 7(1), 1–18. doi:10.1109/TMC.2007.1062.
23. Xu, T., & Cai, Y. (2008). Exploring historical location data for anonymity preservation in location-based services. In INFOCOM.
24. Wang, Y., Zhou, L., & Wang, R. (2011). A novel frequency sense solution for cognitive radio based on tracing localization. In 2011 IEEE international conference on communications (ICC). doi:10.1109/icc.2011.5962510.
25. Sun, Y., Yin, L., Liu, L., & Xin, S. (2014). Toward inference attacks for k-anonymity. Personal and Ubiquitous Computing, 18(8).
26. Cheng, R., Zhang, Y., Bertino, E., & Prabhakar, S. (2006). Preserving user location privacy in mobile data management infrastructures. In Proceedings of the privacy enhancing technology workshop (PET ’06).
27. Du, J., Xu, J., Tang, X., & Hu, H. (2007). iPDA: Enabling privacy-preserving location-based services. In Proceedings of the conference on mobile data management (MDM).
28. Xu, J., Tang, X., Hu, H., & Du, J. (2010). Privacy-conscious location-based queries in mobile environments. IEEE Transactions on Parallel and Distributed Systems, 21(3), 313–326.
29. Domenic, M. K., Wang, Y., Zhang, F., Memon, I., & Gustav, Y. H. (2013). Preserving users’ privacy for continuous query services in road networks. In Proceedings of 2013 6th international conference on information management, innovation management and industrial engineering, ICIII 2013 (vol. 1, pp. 352–355).
30. Brinkhoff, T. (2008). Network-based generator of moving objects. http://www.fhoow.de/institute/iapg/personen/brinkhoff/generator/

Imran Memon received the B.S. in Electronics in 2008 from IICT, University of Sindh, Jamshoro, Sindh, Pakistan, and the M.E. in Computer Engineering from the University of Electronic Science and Technology, Chengdu, Sichuan, China. I am doing a Ph.D. at the College of Computer Science and Technology, Zhejiang University. I got the Academic Achievement Award 2011–2012 from UESTC, China, and also the Excellent Performance Award 2011–2012 from UESTC, China; I have published more than 22 international conference papers and 10 journal papers and am a reviewer for 4 Science Citation Index journals, 2 EI-indexed journals and many international conferences. Current research interests: artificial intelligence systems, network security, embedded systems, information security, peer-to-peer networks. He is a reviewer of the Wireless Personal Communications journal.
