WIXLIB

revealed that, with the perturbation-based randomization approach, the data warehouseItemAprilMayJuneJulySumserver could use privacy intrusion techniquesto filter noise from the perturbed data, therebyBook10Known15KnownQ5 25rediscovering part of the original private data.8CD20Known27KnownQ6 47The projection-based approach avoids thisDVDKnown351636Q7 87problem by exploiting the relationship amongGameKnown25Known14Q8 39attributes and disclosing only those necessarySumQ1 30Q2 60Q3 58Q4 50for data mining.Guiding data submission can also reduceunnecessary privacy disclosure, enhancing Figure 3. Inference that discloses private information. If the data miningthe performance of data perturbation. In ear- server becomes an adversary, it might be able to infer from the querylier work,7 we and colleague Shengquan answers and certain cells (Known) the number of DVDs a data providerWang proposed a guidance-based dimension sold in June (which is private and should not be disclosed) by computingreduction scheme for dynamic systems, such Q1 Q3 – (Q5 Q6 ) 88 – 72 16, where Q1 to Q8 are query answers.as online survey systems, in which dataproviders (survey respondents and so on) join the sysFigure 4 shows an inference control protocol taxontem and submit their data asynchronously. To guide omy based on two inference control methods.data providers that have not yet submitted data, thescheme analyzes the data already collected and esti- Query-oriented methodmates the attributes necessary for data mining. TheThe query-oriented method4 is centered on the consystem then sends the estimated useful attributes to cept of a safe query set, which says that query set Q1,data providers as guidance. Our work shows that this Q2, , Qn is safe if a data mining server cannot inferguidance-based scheme is more effective than private data from the answers to Q1, Q2, , Qn. Thus,approaches without such guidance.query-oriented inference control means that when thedata warehouse server receives a query, it will answerINFERENCE CONTROL PROTOCOLthe query only if the union set of query history—theProtecting private data in the data warehouse server set of all queries already answered—and the recentlyrequires controlling the information disclosed to the received query are safe. Otherwise, it will reject thedata mining servers—which is the aim of the inference query. Relative to query-oriented inference control incontrol protocol. Following the minimum necessary statistical databases, inference control in data warerule, the inference control protocol ensures that the data houses involves significantly more data. Consequently,warehouse server answers the queries necessary for data the burden is on inference control protocols to processmining yet minimizes privacy disclosure.queries more efficiently.Several requirements drive the inference control proBecause dynamically determining a query set’s safetytocol’s design and implementation. One is the need to (online query history check) can be time-consuming, ablock inferences. If a data mining server becomes an static version of the query-oriented method might beadversary, it will try to infer private information from more suitable. The static version determines a safe setthe query answers it has already received. Figure 3 gives of queries offline (before any query is actually received).an example.If a query set is safe, then any one of its subsets is alsoFurther, the inference control protocol must be effi- safe. At runtime, when the data warehouse servercient enough to satisfy the datawarehouse server’s required onlineresponse time—the time betweenInference control protocolissuing a query and answering it.The time that an inference controlprotocol uses is part of that responseQuery-oriented methodData-oriented methodtime. It must be controlled so thatthe data warehouse server can maintain its reduced response time.Classify safeDo perturbationCheck queryDo perturbationTo meet these requirements, inferand unsafe setsonline when queryhistory onlineby data collectionofflinereceivedence control protocols must restrictthe information included in thequery answers so that the data mining server cannot infer private data Figure 4. An inference control protocol taxonomy. A designer can choose which of twomethods—query- or data-oriented—best serves the design.from received query answers.April 200755

receives the query, it answers only if the query is in thepredetermined safe set. Otherwise, it will reject thequery. On the downside, the static method is conservative in selecting a safe set, which might cause it to rejectsome queries unnecessarily.Data-oriented methodserver reject some privacy-divulging queries (such asQ3 in Figure 3). This, in turn, would effectively downgrade the data perturbation level yet retain the samedegree of privacy protection. Because the data is perturbed, the server would have to reject far fewer queriesand could thus answer most queries fairly accuratelywhile continuing to protect private information.With the data-oriented method of inference control,9the data warehouse server perturbs the stored raw data INFORMATION SHARING PROTOCOLand estimates the query answers as accurately as possiBecause each data mining server constructs local datable on the basis of the perturbed data. As Figure 4 shows, mining models in its own system, these servers are likelythe data collection protocol can handle perturbation to share their local data mining models rather than theunless the application requires storing original data in the raw data in the data warehouses. Local data mining moddata warehouse server. In that case,els can be sensitive, especially whenthe data warehouse server might havethe local models are not globally valid.The query-oriented methodto perturb the data when processingTo protect the privacy of individthe query.ual data mining systems, some mechcan provide more accurateThe data-oriented method assumesanism must control the disclosure ofanswers than thethat perturbation can protect privateprivate information in local datadata-oriented method.information from being disclosed,mining models. This mechanism isenabling the data warehouse server tothe information sharing protocol,answer all queries freely on the basiswhich again follows the minimumof the perturbed data. Research has shown that the query necessary rule. The protocol’s objective is to enable dataanswers estimated from the perturbed data can still sup- mining servers across multiple systems to constructport the construction of accurate data mining models.5global data mining models while disclosing only the minimum private information about local data mining modAdvantages and disadvantagesels necessary for information sharing.The two methods have unique performance considMany information sharing protocols exist for applierations. The data-oriented method offers query respon- cations other than data mining, such as database intersiveness, since the data warehouse server will answer all operation or data integration.10 Information sharing isqueries. The query-oriented method, in contrast, nor- necessary for most distributed data mining systems, andmally rejects a substantial number of queries,9 which much work has focused on designing specific informameans that some data mining servers might be unable tion sharing protocols for data mining tasks.to complete their data mining tasks.A major design concern of the information sharingOn the plus side, the query-oriented method can pro- protocol is defending against adversaries that behavevide more accurate answers than the data-oriented arbitrarily within the capability allocated to them. Themethod. When the data warehouse server answers a defense strategy depends on the adversary model—thequery, its answer will always be precise. The data-ori- set of assumptions about an adversary’s intent andented method, in contrast, answers queries with esti- behavior. Two of the more popular adversary modelsmation, so it might not be accurate enough to support are semihonest10 and beyond semihonest.data mining, particularly when the construction of datamining models requires highly accurate query answers. Semihonest adversariesEfficiency is an important advantage for the static verAn adversary is semihonest if it properly follows thesion of the query-oriented method, which has the short- designated protocol but records all intermediate comest response time because most of its computational cost putation and communication, thereby providing a wayis offline. The dynamic version must trade off efficiency to derive private information.and query responsiveness: To answer more queries, theCryptographic encryption has proved effective indata warehouse server must spend more time analyzing defending against semihonest adversaries.2,10,11 In thisthe query history. The data-oriented method also suf- method, each data mining server encrypts its local datafers from low efficiency, since the computational over- mining model and exchanges the encrypted model withhead for query estimation can be several orders of other data mining servers.magnitude higher than for query answering.Some encryption scheme properties, such as the RivestOne way to enhance inference control protocol per- Shamir-Adleman (RSA) cryptosystem’s commutativeformance is to integrate query- and data-oriented meth- encryption property, make it possible to design algoods. Introducing the query answer-or-reject scheme to rithms for data mining servers to perform certain datathe data-oriented method would let the data warehouse mining tasks and set operations without knowing the56Computer

private keys of other entities.2,10,11 Tasks include classification, association rule mining, clustering, and collaborative filtering; set operations include set intersection, setunion, and element reduction.Because it is not possible to recover the original (local)data mining models from their encrypted values withoutknowing the private keys, this method is a secure defenseagainst semihonest adversaries. Researchers have alreadyevolved a detailed taxonomy and cryptographic encryption methods for various system settings.2,3Beyond semihonest adversarieserogeneous privacy requirements is a challenge withmuch potential return.Privacy measurementsThe accuracy versus protection tradeoff inherent inprivacy-preserving data mining means that some mechanism must accurately measure the degree of privacyprotection. Although extensive work has focused on privacy measurement, as yet no one has proposed a commonly accepted measurement technique for genericprivacy-preserving data mining systems. Proper privacyprotection measurement has three criteria: It mustAn adversary is considered beyondsemihonest if it deviates from the reflect system settings (adversariesResearch on anomalydesignated protocol, changes itsmight have different levels of interinput data, or both.est in different data values, such asdetection can contribute toBecause it is difficult if not imposbeing more concerned withmultiple disciplines, such assible to defend against an adversarypatients that have contagious dissecurity, biology, and finance.that is behaving arbitrarily, dealingeases than other diseases),with beyond semihonest adversaries account for data providers’ diverserequires more refined models. Oneprivacy concerns (some might consuch model is the intent-based adversary model,12 whichsider age as private information, while others are willformulates an adversary’s intent as combining the intenting to disclose it publicly), andto obtain accurate data mining results with compromis satisfy the minimum necessary rule.ing other entities’ private information. A game-theoreticmethod is then developed to defend against adversariesA comprehensive study of privacy measurement forthat weigh the accuracy of data mining results over com- all three protocols would be a huge step toward improvpromising other parties’ privacy.12ing the performance of privacy-preserving data miningThe basic idea is to design the information sharing pro- techniques.tocol in a way that no adversary can both obtain accurate data mining results and intrude on other servers’ Anomaly detectionprivacy. Adversaries that are more concerned with theA common application of data mining is to detectaccuracy of data mining results will be forced not to data-set anomalies, as in mining log file data to detectintrude on the privacy of others to get that accuracy.intrusions. However, few researchers have consideredprivacy protection in detecting anomalies.OPEN RESEARCH ISSUESResearch on anomaly detection is an important partSeveral issues require additional research to ensure the of data mining and can contribute to multiple discioptimum performance of the techniques described.plines, such as security, biology, and finance. Thoroughlyinvestigating issues related to the design of privacy-preProtocol integrationserving data mining techniques for anomaly detectionMany systems need a seamless integration of the three would be extremely beneficial.protocols, yet little research has addressed this need.Our proposed integrated architecture could serve as Multiple protection levelsa platform for studying protocol interaction. SuchIn some cases, multiple levels of private informationinsights can pave the way for effective and efficient must be protected. The first level might be a data pointintegration.value, and the second level, the data point sensitivity(knowledge of whether or not a data point is private).Heterogeneous privacy requirementsMost existing studies focus on protecting the first levelPrivacy-preserving data mining techniques depend and assume that all entities already know the secondon respecting the privacy protection levels that data level. Research has yet to answer how to protect theproviders require. Most existing studies assume homoge- second level (and higher levels) of private information.nous privacy requirements—that all data owners needthe same privacy level for all their data and its attributes. This assumption is unrealistic in practice and couldur work is an important first step in addressing theeven degrade system performance unnecessarily.critical systemic issues of privacy preservation inDesigning and implementing techniques that exploit hetdata mining. Much research remains to realize theOApril 200757

potential of the architecture and design principles wehave described. Much literature already addresses privacy-preserving data mining, but clearly the ideas mustcross considerable ground to become practical systems.Studies are needed for the design of privacy-preservingdata mining techniques in real-world scenarios, in whichdata owners can freely address their individual privacyconcerns without the data miner’s consent. Also criticalis work that more closely incorporates designs with specialized applications such as healthcare, market analysis, and finance. Our hope is that others will continueefforts in this important area. References1. J. Han and M. Kamber, Data Mining Concepts and Techniques, Morgan Kaufmann, 2001.2. C. Clifton et al., “Tools for Privacy Preserving DistributedData Mining,” SIGKDD Explorations, vol. 4, no. 2, 2003,pp. 28-34.3. V.S. Verykios et al., “State-of-the-Art in Privacy PreservingData Mining,” SIGMOD Record, vol. 33, no. 1, 2004, pp.50-57.4. L. Wang, S. Jajodia, and D. Wijesekera, “Securing OLAP DataCubes against Privacy Breaches,” Proc. 25th IEEE Symp.Security and Privacy, IEEE Press, 2004, pp. 161-175.5. R. Agrawal and R. Srikant, “Privacy-Preserving Data Mining,” Proc. 19th ACM SIGMOD Int’l Conf. Management ofData, ACM Press, 2000, pp. 439-450.6. R.J. Bayardo and R. Agrawal, “Data Privacy through Optimalk-Anonymization,” Proc. 21st Int’l Conf. Data Eng., IEEEPress, 2005, pp. 217-228.7. N. Zhang, S. Wang, and W. Zhao, “A New Scheme on Privacy-Preserving Data Classification,” Proc. 11th ACMSIGKDD Int’l Conf. Knowledge Discovery and Data Mining, ACM Press, 2005, pp. 374-383.8. Z. Huang, W. Du, and B. Chen, “Deriving Private Informationfrom Randomized Data,” Proc. 24th ACM SIGMOD Int’lConf. Management of Data, ACM Press, 2005, pp. 37-48.9. R. Agrawal, R. Srikant, and D. Thomas, “Privacy-PreservingOLAP,” Proc. 25th ACM SIGMOD Int’l Conf. Managementof Data, ACM Press, 2005, pp. 251-262.10. R. Agrawal, A. Evfimievski, and R. Srikant, “InformationSharing across Private Databases,” Proc. 22nd ACM SIGMOD Int’l Conf. Management of Data, ACM Press, 2003,pp. 86-97.11. Y. Lindell and B. Pinkas, “Privacy Preserving Data Mining,”Proc. 12th Ann. Int’l Conf. Advances in Cryptology, SpringerVerlag, 2000, pp. 36-54.12. N. Zhang and W. Zhao, “Distributed Privacy Preserving Information Sharing,” Proc. 31st Int’l Conf. Very Large DataBases, ACM Press, 2005, pp. 889-900.Nan Zhang is an assistant professor of computer scienceand engineering at the University of Texas at Arlington. Hisresearch interests include databases and data mining, information security and privacy, and distributed systems. Zhangreceived a PhD in computer science from Texas A&M University. He is a member of the IEEE. Contact him atnzhang@cse.uta.edu.Wei Zhao is a professor of computer science and the deanfor the School of Science at Rensselaer Polytechnic Institute. His research interests include distributed computing,real-time systems, computer networks, and cyberspace security. Zhao received a PhD in computer and information sciences from the University of Massachusetts, Amherst. He isa Fellow of the IEEE and a member of the IEEE ComputerSociety and the ACM. Contact him at zhaow3@rpi.edu.Engineering and Applying the InternetIEEE Internet Computing reports emerging tools,technologies, and applications implemented through the Internetto support a worldwide computing environment.In 2007, we’ll look at: Autonomic Computing Roaming Distance Learning Dynamic Information Dissemination Knowledge Management Media Searchwww.computer.org/internet/58Computer

preserving data mining systems. FOUNDATIONAL DESIGN As Figure 1 shows, privacy-preserving data mining usually has multiple steps that translate to a three-tiered architecture: At the bottom tier are the data providers, the data owners, which are often physically distributed. The data providers submit their private data to the data warehouse server.