Data anonymization based on guessing anonymity

US 10,380,351 B2
Filed: 01/06/2014
Issued: 08/13/2019
Est. Priority Date: 12/18/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

invoking, by a processing device, an anonymization function provided via an application interface,the anonymization function being invoked through an activation of a user input mechanism of the application interface;

receiving, by the processing device and based on invoking the anonymization function, a selection of a noise model to be applied to data;

determining, by the processing device, a first anonymization parameter,the first anonymization parameter comprising an expected distortion;

determining, by the processing device, a particular level for the first anonymization parameter,the determined particular level being a maximum expected distortion level;

determining, by the processing device, a second anonymization parameter based on the first anonymization parameter,the second anonymization parameter being an expected guessing anonymity,the expected guessing anonymity being a number of guesses needed to determine an original record from a sanitized record;

determining, by the processing device and based on determining the particular level for the first anonymization parameter, a parameter value for the noise model that optimizes the second anonymization parameter;

generating, by the processing device, noise based on the noise model and the determined parameter value;

applying, by the processing device, the generated noise to the data;

generating, by the processing device, noise perturbed data based on applying the generated noise to the data,the noise perturbed data being associated with;

the determined particular level with respect to the expected distortion, andthe determined parameter value with respect to the expected guessing anonymity; and

providing, by the processing device, the noise perturbed data to a destination.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Privacy is defined in the context of a guessing game based on the so-called guessing inequality. The privacy of a sanitized record, i.e., guessing anonymity, is defined by the number of guesses an attacker needs to correctly guess an original record used to generate a sanitized record. Using this definition, optimization problems are formulated that optimize a second anonymization parameter (privacy or data distortion) given constraints on a first anonymization parameter (data distortion or privacy, respectively). Optimization is performed across a spectrum of possible values for at least one noise parameter within a noise model. Noise is then generated based on the noise parameter value(s) and applied to the data, which may comprise real and/or categorical data. Prior to anonymization, the data may have identifiers suppressed, whereas outlier data values in the noise perturbed data may be likewise modified to further ensure privacy.

64 Citations

20 Claims

1. A method comprising:
- invoking, by a processing device, an anonymization function provided via an application interface,the anonymization function being invoked through an activation of a user input mechanism of the application interface;
  
  receiving, by the processing device and based on invoking the anonymization function, a selection of a noise model to be applied to data;
  
  determining, by the processing device, a first anonymization parameter,the first anonymization parameter comprising an expected distortion;
  
  determining, by the processing device, a particular level for the first anonymization parameter,the determined particular level being a maximum expected distortion level;
  
  determining, by the processing device, a second anonymization parameter based on the first anonymization parameter,the second anonymization parameter being an expected guessing anonymity,the expected guessing anonymity being a number of guesses needed to determine an original record from a sanitized record;
  
  determining, by the processing device and based on determining the particular level for the first anonymization parameter, a parameter value for the noise model that optimizes the second anonymization parameter;
  
  generating, by the processing device, noise based on the noise model and the determined parameter value;
  
  applying, by the processing device, the generated noise to the data;
  
  generating, by the processing device, noise perturbed data based on applying the generated noise to the data,the noise perturbed data being associated with;
  
  the determined particular level with respect to the expected distortion, andthe determined parameter value with respect to the expected guessing anonymity; and
  
  providing, by the processing device, the noise perturbed data to a destination.
- View Dependent Claims (2, 3, 4, 5, 18)
- - 2. The method of claim 1, further comprising:
    - modifying outlier data in the noise perturbed data.
  - 3. The method of claim 1, where applying the generated noise comprises:
    - applying the generated noise to at least one identifier associated with the data.
  - 4. The method of claim 1, further comprising:
    - modifying data in the noise perturbed data,where providing the noise perturbed data comprises;
      
      providing the noise perturbed data with the modified data.
  - 5. The method of claim 1, where optimizing the second anonymization parameter comprises:
    - maximizing the expected guessing anonymity based on the maximum expected distortion.
  - 18. The method of claim 1, further comprising:
    - receiving a selection of one or more attributes of the data; and
      
      where applying the generated noise to the data comprises;
      
      applying the generated noise to the one or more attributes of the data.

6. An apparatus comprising:
- a memory to store instructions; and
  
  a processor to execute the instructions to;
  
  invoke an anonymization function provided via an application interface,the anonymization function being invoked through an activation of a user input mechanism of the application interface;
  
  receive, based on invoking the anonymization function, a selection of a noise model to be applied to data;
  
  determine a first anonymization parameter,the first anonymization parameter comprising an expected distortion;
  
  determine a particular level for the first anonymization parameter;
  
  the determined particular level being a maximum expected distortion level;
  
  determine a second anonymization parameter based on the first anonymization parameter,the second anonymization parameter being an expected guessing anonymity,the expected guessing anonymity being a number of guesses needed to determine an original record from a sanitized record;
  
  determine, based on determining the particular level for the first anonymization parameter, a parameter value for the noise model that optimizes the second anonymization parameter;
  
  generate noise based on the noise model and the determined parameter value;
  
  apply the generated noise to the data;
  
  generate noise perturbed data based on applying the generated noise to the data,the noise perturbed data having an anonymized structure, andthe noise perturbed data being associated with;
  
  the determined particular level with respect to the expected distortion, andthe determined parameter value with respect to the expected guessing anonymity; and
  
  provide the noise perturbed data to a destination.
- View Dependent Claims (7, 8, 9, 10, 11, 17, 19)
- - 7. The apparatus of claim 6, where the processor, when optimizing the second anonymization parameter, is to:
    - optimize the second anonymization parameter by maximizing the expected guessing anonymity based on the maximum expected distortion level.
  - 8. The apparatus of claim 6, where the processor, when applying the generated noise, is to:
    - apply the generated noise to at least one quasi-identifier in the data.
  - 9. The apparatus of claim 6, where the processor is further to:
    - modify outlier data in the noise perturbed data.
  - 10. The apparatus of claim 6, where the processor is further to:
    - suppress one or more identifiers in the data.
  - 11. The apparatus of claim 6, where the noise model is applicable to:
    - real attributes in the data, andcategorical attributes in the data.
  - 17. The apparatus of claim 6, where a type of data is specified based on the selection of the noise model.
  - 19. The apparatus of claim 6, where the processor is further to:
    - receive a selection of one or more attributes of the data; and
      
      where the processors, when applying the generated noise to the data, are to;
      
      apply the generated noise to the one or more attributes of the data.

12. A non-transitory computer readable medium storing instructions, the instructions comprising:
- one or more instructions which, when executed by a processor, cause the processor to;
  
  invoke an anonymization function provided via an application interface,the anonymization function being invoked through an activation of a user input mechanism of the application interface;
  
  receive, based on invoking the anonymization function a selection of a noise model to be applied to data;
  
  determine a first anonymization parameter;
  
  the first anonymization parameter comprising an expected distortion;
  
  determine a particular level for the first anonymization parameter;
  
  the determined particular level being a maximum expected distortion level;
  
  determine a second anonymization parameter based on the first anonymization parameter,the second anonymization parameter being an expected guessing anonymity,the expected guessing anonymity being a number of guesses needed to determine an original record from a sanitized record;
  
  determine, based on determining the particular level for the first anonymization parameter, a parameter value for the noise model that optimizes the second anonymization parameter;
  
  generate noise based on the noise model and the determined parameter value;
  
  apply the generated noise to the data;
  
  generate noise perturbed data based on applying the generated noise to the data,the noise perturbed data being associated with;
  
  the determined particular level with respect to the expected distortion, andthe determined parameter value with respect to the expected guessing anonymity; and
  
  provide the noise perturbed data to a destination.
- View Dependent Claims (13, 14, 15, 16, 20)
- - 13. The non-transitory computer readable medium of claim 12, where the one or more instructions, when executed by the processor, further cause the processor to:
    - modify outlier data in the noise perturbed data.
  - 14. The non-transitory computer readable medium of claim 12, where the one or more instructions, that cause the processor to apply the generated noise to the data, cause the processor to:
    - apply the generated noise to at least one identifier associated with the data.
  - 15. The non-transitory computer readable medium of claim 12, where the one or more instructions, when executed by the processor, further cause the processor to:
    - modify the noise perturbed data, andwhere the one or more instructions, that cause the processor provide the noise perturbed data, cause the processor to;
      
      provide the modified noise perturbed data based on modifying the noise perturbed data.
  - 16. The non-transitory computer readable medium of claim 12, where the one or more instructions, that cause the processor to optimize the second anonymization parameter, cause the processor to:
    - maximize the expected guessing anonymity subject to the maximum expected distortion level.
  - 20. The non-transitory computer readable medium of claim 12, where the one or more instructions, that cause the processor to optimize the second anonymization parameter, cause the processor to:
    - receive a selection of one or more attributes of the data; and
      
      where the one or more instructions, that cause the processor to apply the generated noise to the data, cause the processor to;
      
      apply the generated noise to the one or more attributes of the data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Rachlin, Yaron, Probst, Katharina, Ghani, Rayid
Primary Examiner(s)
Obeid, Mamon

Application Number

US14/148,237
Publication Number

US 20140123304A1
Time in Patent Office

2,045 Days
Field of Search

705 26, 705 30, 705 50, 705 51
US Class Current
CPC Class Codes

G06F 21/60   Protecting data

G06F 21/6254   by anonymising data, e.g. d...

H04L 9/30   Public key, i.e. encryption...

Data anonymization based on guessing anonymity

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

64 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Data anonymization based on guessing anonymity

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

64 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others