\SetKwInput{KwResult}{Output}

\SetKwData{diffCur}{diffCur}
\SetKwData{diffMin}{diffMin}
\SetKwData{evalCur}{evalCur}
\SetKwData{evalOrig}{evalOrig}
\SetKwData{evalSum}{evalSum}
\SetKwData{metricCur}{metricCur}
\SetKwData{metricOrig}{metricOrig}
\SetKwData{opt}{opt}
\SetKwData{opti}{opt$_i$}
\SetKwData{optim}{optim}
\SetKwData{optimi}{optim$_i$}
\SetKwData{opts}{opts}
\SetKwData{reg}{reg}

\SetKwFunction{calcMetric}{calcMetric}
\SetKwFunction{evalSeq}{evalSeq}
\SetKwFunction{getCombs}{getCombs}
\SetKwFunction{getOpts}{getOpts}

\section{Selection of events}
\label{sec:theotherthing}
In Section~\ref{sec:thething}, we introduced the notion of {\thething} events in privacy-preserving time series publishing.
The differentiation between regular and {\thething} events requires a privacy budget allocation that deviates from the application of existing differential privacy protection levels.
Based on this novel event categorization, we designed three models (Section~\ref{subsec:lmdk-mechs}) that achieve {\thething} privacy.
For this, we assumed that the timestamps in the {\thething} set $L$ are not privacy-sensitive, and therefore we used them in our models as they were.

This may pose a direct or indirect privacy threat to the users.
For the former, we consider the case where we wish to publish $L$ as complementary information to the release of the event values.
For the latter, the privacy budget is usually an inseparable attribute of the data release, which not only quantifies the privacy guarantee to the data generators (users) but also gives an estimate of the data utility to the data consumers (analysts).

In Example~\ref{ex:lmdk-risk}, we demonstrate the extreme case of the application of the Skip {\thething} privacy model from Figure~\ref{fig:lmdk-skip}, where we approximate {\thethings} and invest all of the available privacy budget in regular events, i.e.,~$\varepsilon_i = 0$, $\forall i \in L$.
\begin{example}
\label{ex:lmdk-risk}

Figure~\ref{fig:lmdk-risk} shows the privacy risks that the application of a {\thething} privacy model that nullifies or approximates outputs, similar to Skip, might cause.
We point out (in light red shade) the details that might cause indirect information inference.
In this extreme case, the minimization of the privacy budget, in combination with nullifying the output (either by not publishing or by adding a lot of noise) or approximating the current output with previously released outputs, might hint to any adversary that the current event is a {\thething}.

\begin{figure}[htp]
\centering
\includegraphics[width=\linewidth]{problem/lmdk-risk}
\caption{The privacy risks (in light red shade) that the application of the {\thething} privacy Skip model might pose.}
\label{fig:lmdk-risk}
\end{figure}

Apart from the privacy budget that we invested at {\thethings}, we can also observe a pattern in the budgets at regular events.
Therefore, an adversary who observes the values of the privacy budget can easily infer not only the number but also the exact temporal position of {\thethings}.

\end{example}
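
The inference described in Example~\ref{ex:lmdk-risk}, as an added illustration that is not code from this document: it shows that a published budget sequence which depends on $L$ reveals both the positions and the number of the events in $L$, while a sequence that ignores $L$ does not. The function names, the timestamps $1, \dots, T$, and the uniform split of $\varepsilon$ over the regular events are assumptions made for the illustration.

```python
# Added illustration, not code from this document. Assumptions: timestamps
# are 1..T and a Skip-like model splits eps uniformly over regular events.


def skip_budgets(T, L, eps):
    """Budget per timestamp: 0 at timestamps in L, eps / (T - |L|) elsewhere."""
    regular = T - len(L)
    if regular <= 0:
        raise ValueError("at least one regular event is required")
    return [0.0 if t in L else eps / regular for t in range(1, T + 1)]


def uniform_budgets(T, eps):
    """Contrast case: eps / T at every timestamp, so the sequence ignores L."""
    return [eps / T] * T


def infer_positions(budgets):
    """An observer of the budget sequence flags the zero-budget timestamps."""
    return {t for t, b in enumerate(budgets, start=1) if b == 0.0}


def infer_count(T, eps, regular_budget):
    """From one regular-event budget alone: |L| = T - eps / eps_i."""
    return T - round(eps / regular_budget)


if __name__ == "__main__":
    T, eps = 10, 1.0
    L = {3, 7, 8}  # constructed sample set of timestamps
    leaked = skip_budgets(T, L, eps)
    print("positions recovered:", sorted(infer_positions(leaked)))
    print("count recovered:", infer_count(T, eps, leaked[0]))
    print("from uniform budgets:", sorted(infer_positions(uniform_budgets(T, eps))))
```

The second inference works even when the zero budgets are withheld, because the value assigned to any single regular event already encodes $|L|$.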

\input{problem/theotherthing/contribution}
\input{problem/theotherthing/problem}
\input{problem/theotherthing/solution}