Differentially private processing and database storage

US 10,229,287 B2
Filed: 10/25/2017
Issued: 03/12/2019
Est. Priority Date: 11/02/2015
Status: Active Grant

First Claim

Patent Images

1. A method for returning differentially private results in response to a query to a database storing restricted health data for a plurality of patients, the database storing records comprising rows and columns, where the rows are associated with patients having a medical condition, and columns of the rows contain values describing health data for the patients, the method comprising:

receiving a database query from a client device, the database query requesting a random forest classifier correlating values of columns in a set of records in the database with medical conditions associated with the rows, wherein rows in the database are labeled with medical conditions from a set of two or more medical conditions and the database query specifies a degree of privacy to maintain for the restricted data in terms of a privacy parameter ϵ

describing a degree of information released about a set of data stored in the private database system due to the query;

performing the database query on the set of records to produce a differentially private version of the random forest classifier that maintains the specified degree of privacy for the restricted data, performing the query comprising;

training the random forest classifier upon the values of columns in the set of records and the medical conditions of the labeled rows, wherein the random forest classifier comprises a set of decision trees, each decision tree having one or more leaf nodes, and each leaf node indicating a relative proportion of rows labeled with each category in the leaf node; and

producing a differentially private version of the random forest classifier by perturbing relative proportions of rows labeled with each category in each leaf node by;

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hardware database privacy device is communicatively coupled to a private database system. The hardware database privacy device receives a request from a client device to perform a query of the private database system and identifies a level of differential privacy corresponding to the request. The identified level of differential privacy includes privacy parameters (ε,δ) indicating the degree of information released about the private database system. The hardware database privacy device identifies a set of operations to be performed on the set of data that corresponds to the requested query. After the set of data is accessed, the set of operations is modified based on the identified level of differential privacy such that a performance of the modified set of operations produces a result set that is (ε,δ)-differentially private.

26 Citations

View as Search Results

20 Claims

1. A method for returning differentially private results in response to a query to a database storing restricted health data for a plurality of patients, the database storing records comprising rows and columns, where the rows are associated with patients having a medical condition, and columns of the rows contain values describing health data for the patients, the method comprising:
- receiving a database query from a client device, the database query requesting a random forest classifier correlating values of columns in a set of records in the database with medical conditions associated with the rows, wherein rows in the database are labeled with medical conditions from a set of two or more medical conditions and the database query specifies a degree of privacy to maintain for the restricted data in terms of a privacy parameter ϵ
  
  describing a degree of information released about a set of data stored in the private database system due to the query;
  
  performing the database query on the set of records to produce a differentially private version of the random forest classifier that maintains the specified degree of privacy for the restricted data, performing the query comprising;
  
  training the random forest classifier upon the values of columns in the set of records and the medical conditions of the labeled rows, wherein the random forest classifier comprises a set of decision trees, each decision tree having one or more leaf nodes, and each leaf node indicating a relative proportion of rows labeled with each category in the leaf node; and
  
  producing a differentially private version of the random forest classifier by perturbing relative proportions of rows labeled with each category in each leaf node by;
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the database query further specifies the degree of privacy to maintain for the restricted data in terms of a privacy parameter δ
    - which describes an improbability of the query satisfying (ϵ
      
      )-differential privacy.
  - 3. The method of claim 2, wherein the client device is associated with a privacy budget representing remaining queries available to the client device in terms of at least one of ϵ
    - and δ
      
      , the method further comprising;
      
      determining whether decrementing the privacy budget by the specified degree of privacy exceeds the remaining queries available, wherein performing the database query is responsive to determining that decrementing the privacy budget by the specified degree of privacy does not exceed the remaining queries available; and
      
      decrementing the privacy budget by the specified degree of privacy.
  - 4. The method of claim 3, wherein the privacy budget is specified by an entity managing the database.
  - 5. The method of claim 1, wherein the random forest classifier comprises an ensemble of binary decision trees and N_tressindicates a number of decision trees in the ensemble.
  - 6. The method of claim 1, wherein the random forest classifier comprises an ensemble of binary decision trees each having leaf nodes, and producing the differentially private version of the random forest classifier comprises perturbing the leaf nodes of the ensemble of binary decision trees.
  - 7. The method of claim 1, wherein the query specifies a subset of the columns in the database to use to generate the random forest classifier, and wherein the random forest classifier is trained upon the values of the specified subset of columns.

8. A non-transitory computer-readable storage medium storing computer program instructions executable by a processor to perform operations for returning differentially private results in response to a query to a database storing restricted health data for a plurality of patients, the database storing records comprising rows and columns, where the rows are associated with patients having a medical condition, and columns of the rows contain values describing health data for the patients, the operations comprising:
- receiving a database query from a client device, the database query requesting a random forest classifier correlating values of columns in a set of records in the database with medical conditions associated with the rows, wherein rows in the database are labeled with medical conditions from a set of two or more medical conditions and the database query specifies a degree of privacy to maintain for the restricted data in terms of a privacy parameter ϵ
  
  describing a degree of information released about a set of data stored in the private database system due to the query;
  
  performing the database query on the set of records to produce a differentially private version of the random forest classifier that maintains the specified degree of privacy for the restricted data, performing the query comprising;
  
  training the random forest classifier upon the values of columns in the set of records and the medical conditions of the labeled rows, wherein the random forest classifier comprises a set of decision trees, each decision tree having one or more leaf nodes, and each leaf node indicating a relative proportion of rows labeled with each category in the leaf node; and
  
  producing a differentially private version of the random forest classifier by perturbing relative proportions of rows labeled with each category in each leaf node by;
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable storage medium of claim 8, wherein the database query further specifies the degree of privacy to maintain for the restricted data in terms of a privacy parameter δ
    - which describes an improbability of the query satisfying (ϵ
      
      )-differential privacy.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein the client device is associated with a privacy budget representing remaining queries available to the client device in terms of at least one of ϵ
    - and δ
      
      , the operations further comprising;
      
      determining whether decrementing the privacy budget by the specified degree of privacy exceeds the remaining queries available, wherein performing the database query is responsive to determining that decrementing the privacy budget by the specified degree of privacy does not exceed the remaining queries available; and
      
      decrementing the privacy budget by the specified degree of privacy.
  - 11. The non-transitory computer-readable storage medium of claim 10, wherein the privacy budget is specified by an entity managing the database.
  - 12. The non-transitory computer-readable storage medium of claim 8, wherein the random forest classifier comprises an ensemble of binary decision trees and N_treesindicates a number of decision trees in the ensemble.
  - 13. The non-transitory computer-readable storage medium of claim 8, wherein the random forest classifier comprises an ensemble of binary decision trees each having leaf nodes, and producing the differentially private version of the random forest classifier comprises perturbing the leaf nodes of the ensemble of binary decision trees.
  - 14. The non-transitory computer-readable storage medium of claim 8, wherein the query specifies a subset of the columns in the database to use to generate the random forest classifier, and wherein the random forest classifier is trained upon the values of the specified subset of columns.

15. A system comprising:
- a processor for executing computer program instructions; and
  
  a non-transitory computer-readable storage medium storing computer program instructions executable by the processor to perform operations for returning differentially private results in response to a query to a database storing restricted health data for a plurality of patients, the database storing records comprising rows and columns, where the rows are associated with patients having a medical condition, and columns of the rows contain values describing health data for the patients, the operations comprising;
  
  receiving a database query from a client device, the database query requesting a random forest classifier correlating values of columns in a set of records in the database with medical conditions associated with the rows, wherein rows in the database are labeled with medical conditions from a set of two or more medical conditions and the database query specifies a degree of privacy to maintain for the restricted data in terms of a privacy parameter ϵ
  
  describing a degree of information released about a set of data stored in the private database system due to the query;
  
  performing the database query on the set of records to produce a differentially private version of the random forest classifier that maintains the specified degree of privacy for the restricted data, performing the query comprising;
  
  training the random forest classifier upon the values of columns in the set of records and the medical conditions of the labeled rows, wherein the random forest classifier comprises a set of decision trees, each decision tree having one or more leaf nodes, and each leaf node indicating a relative proportion of rows labeled with each category in the leaf node; and
  
  producing a differentially private version of the random forest classifier by perturbing relative proportions of rows labeled with each category in each leaf node by;
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the database query further specifies the degree of privacy to maintain for the restricted data in terms of a privacy parameter δ
    - which describes an improbability of the query satisfying (ϵ
      
      )-differential privacy.
  - 17. The system of claim 16, wherein the client device is associated with a privacy budget representing remaining queries available to the client device in terms of at least one of ϵ
    - and δ
      
      , the operations further comprising;
      
      determining whether decrementing the privacy budget by the specified degree of privacy exceeds the remaining queries available, wherein performing the database query is responsive to determining that decrementing the privacy budget by the specified degree of privacy does not exceed the remaining queries available; and
      
      decrementing the privacy budget by the specified degree of privacy.
  - 18. The system of claim 15, wherein the random forest classifier comprises an ensemble of binary decision trees and N_treesindicates a number of decision trees in the ensemble.
  - 19. The system of claim 15, wherein the random forest classifier comprises an ensemble of binary decision trees each having leaf nodes, and producing the differentially private version of the random forest classifier comprises perturbing the leaf nodes of the ensemble of binary decision trees.
  - 20. The system of claim 15, wherein the query specifies a subset of the columns in the database to use to generate the random forest classifier, and wherein the random forest classifier is trained upon the values of the specified subset of columns.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Snowflake, Inc.
Original Assignee
LeapYear Technologies, Inc. (Snowflake Inc)
Inventors
Nerurkar, Ishaan, Hockenbrocht, Christopher, Damewood, Liam, Maruseac, Mihai, Rozenshteyn, Alexander
Primary Examiner(s)
Leung, Robert B

Application Number

US15/793,907
Publication Number

US 20180048654A1
Time in Patent Office

503 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24547   Optimisations to support sp...

G06F 16/2455   Query execution

G06F 16/2462   Approximate or statistical ...

G06F 16/2465   Query processing support fo...

G06F 16/248   Presentation of query results

G06F 16/25   Integrating or interfacing ...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/6245   Protecting personal data, e...

G06F 21/6254   by anonymising data, e.g. d...

G06N 20/00   Machine learning

G06N 20/20   Ensemble learning

G06N 5/01   Dynamic search techniques; ...

H04L 63/105   Multiple levels of security

Differentially private processing and database storage

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Differentially private processing and database storage

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links