the-last-thing/text/problem/theotherthing/solution.tex

228 lines
12 KiB
TeX
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

\subsection{Protecting {\thethings}}
\label{subsec:lmdk-sel-sol}
The main idea of the privacy-preserving {\thething} selection component is to privately select extra {\thething} event timestamps, i.e.,~dummy {\thethings}, from the set of timestamps $T /\ L$ of the time series $S_T$ and add them to the original {\thething} set $L$.
Selecting extra events, on top of the actual {\thethings}, as dummy {\thethings} can render actual ones indistinguishable.
The goal is to select a list of sets with additional timestamps from a series of events at timestamps $T$ for a set of {\thethings} at $L \subseteq T$.
Thus, we create a new set $L'$ such that $L \subset L' \subseteq T$.
First, we generate a set of dummy {\thething} set options by adding regular event timestamps from $T /\ L$ to $L$ (Section~\ref{subsec:lmdk-set-opts}).
Then, we utilize the exponential mechanism, with a utility function that calculates an indicator for each of the options in the set based on how much it differs from the original {\thething} set $L$, and randomly select one of the options (Section~\ref{subsec:lmdk-opt-sel}).
This process provides an extra layer of privacy protection to {\thethings}, and thus allows the release, and thereafter processing, of {\thething} timestamps.
% We utilize the exponential mechanism with a utility function that calculates an indicator for each of the options in the set that we selected in the previous step.
% The utility depends on the positioning of the {\thething} timestamps of an option in the series, e.g.,~the distance from the previous/next {\thething}, the distance from the start/end of the series, etc.
\subsubsection{{\Thething} set options generation}
\label{subsec:lmdk-set-opts}
Algorithms~\ref{algo:lmdk-sel-opt} and \ref{algo:lmdk-sel-heur} approach this problem with an optimal and heuristic methodology, respectively.
Function \evalSeq evaluates the result of the union of $L$ and a timestamp combination from $T \setminus L$ by, e.g.,~estimating the standard deviation of all the distances from the previous/next {\thething}.
\getOpts returns all the possible \emph{valid} sets of combinations \opt such that larger options contain all of the timestamps that are present in smaller ones.
Each combination contains a set of timestamps with sizes $\left|L\right| + 1, \left|L\right| + 2, \dots, \left|T\right|$, where each one of them is a combination of $L$ with $x \in [1, \left|T\right| - \left|L\right|]$ timestamps from $T$.
\paragraph{Optimal}
Algorithm~\ref{algo:lmdk-sel-opt}, between Lines~{\ref{algo:lmdk-sel-opt-for-each}--\ref{algo:lmdk-sel-opt-end}} evaluates each option in \opts.
It finds the option that is the most \emph{similar} to the original (Lines~{\ref{algo:lmdk-sel-opt-comparison}-\ref{algo:lmdk-sel-opt-end}}), i.e.,~the option that has an evaluation that differs the least from that of the sequence $T$ with {\thethings} $L$.
\begin{algorithm}
\caption{Optimal dummy {\thething} set options generation}
\label{algo:lmdk-sel-opt}
\DontPrintSemicolon
\KwData{$T, L$}
\SetKwInput{KwData}{Input}
\KwResult{\optim}
\BlankLine
% Evaluate the original
\evalOrig $\leftarrow$ \evalSeq{$T, \emptyset, L$}\;
% Track the minimum (best) evaluation
\diffMin $\leftarrow$ $\infty$\;
% Track the optimal sequence (the one with the best evaluation)
\opts $\leftarrow$ $[]$\;
\ForEach{\opt $\in$ \getOpts{$T, L$}}{ \label{algo:lmdk-sel-opt-for-each}
\evalCur $\leftarrow 0$\;
\ForEach{\opti $\in$ \opt}{
\evalCur $\leftarrow$ \evalCur $+$ \evalSeq{$T, \opti, L$}/\#\opt\; \label{algo:lmdk-sel-opt-comparison}
}
% Compare with current optimal
\diffCur $\leftarrow \left|\evalCur - \evalOrig\right|$\;
\If{\diffCur $<$ \diffMin}{
\diffMin $\leftarrow$ \diffCur\;
\opts $\leftarrow$ \opt\;
}
} \label{algo:lmdk-sel-opt-end}
\Return{\opts}
\end{algorithm}
Algorithm~\ref{algo:lmdk-sel-opt} guarantees to return the optimal set of dummy {\thethings} with regard to the original set $L$.
However, it is rather costly in terms of complexity: given $n$ regular events and a combination of size $r$, it requires $\mathcal{O}(C(n, r) + 2^C(n, r))$ time and $\mathcal{O}(r*C(n, r))$ space.
Next, we present a heuristic solution with improved time and space requirements.
\paragraph{Heuristic}
Algorithm~\ref{algo:lmdk-sel-heur}, follows an incremental methodology.
At each step it selects a new timestamp, that corresponds to a regular ({non-\thething}) event from $T \setminus L$, to create an option.
\begin{algorithm}
\caption{Heuristic dummy {\thething} set options selection}
\label{algo:lmdk-sel-heur}
\DontPrintSemicolon
\KwData{$T, L$}
\KwResult{\opts}
\BlankLine
% Evaluate the original
\evalOrig $\leftarrow$ \evalSeq{$T, \emptyset, L$}\;
% Get all possible option combinations
\opts $\leftarrow$ $[]$\;
$L' \leftarrow L$\;
\While{$L' \neq T$}{\label{algo:lmdk-sel-heur-while}
% Track the minimum (best) evaluation
\diffMin $\leftarrow$ $\infty$\;
\optimi $\leftarrow$ Null\;
% Find the combinations for one more point
\ForEach{\reg $\in T \setminus L'$}{
% Evaluate current
\evalCur $\leftarrow$ \evalSeq{$T, \reg, L'$}\; \label{algo:lmdk-sel-heur-comparison}
% Compare evaluations
\diffCur $\leftarrow$ $\left|\evalCur - \evalOrig\right|$\;
\If{\diffCur $<$ \diffMin}{
\diffMin $\leftarrow$ \diffCur\;
\optimi $\leftarrow$ \reg\;
}\label{algo:lmdk-sel-heur-cmp-end}
}
% Save new point to landmarks
$L'$.add(\optimi)\;
% Add new option
\opts.append($L' \setminus L$)\;
}\label{algo:lmdk-sel-heur-end}
\Return{\opts}
\end{algorithm}
Similar to Algorithm~\ref{algo:lmdk-sel-opt}, it selects new options based on a predefined metric (Lines~{\ref{algo:lmdk-sel-heur-comparison}-\ref{algo:lmdk-sel-heur-cmp-end}}).
This process (Lines~{\ref{algo:lmdk-sel-heur-while}-\ref{algo:lmdk-sel-heur-end}}) goes on until we select a set that is equal to the size of the series of events, i.e.,~$L' = T$.
In terms of complexity, given $n$ regular events it requires $\mathcal{O}(n^2)$ time and space.
Note that the reverse heuristic approach, i.e.,~starting with $T$ {\thethings} and removing until $L$, performs similarly with Algorithm~\ref{algo:lmdk-sel-heur}.
\paragraph{Partitioned}
We improve the complexity of Algorithm~\ref{algo:lmdk-sel-opt} by partitioning the {\thething} timestamp sequence $L$.
Algorithm~\ref{algo:lmdk-sel-hist}, \getHist generates a histogram from $L$ with bins of size \h.
We find \h by using the FreedmanDiaconis rule which is resilient to outliers and takes into account the data variability and data size~\cite{meshgi2015expanding}.
For every possible histogram version, the \getDiff function finds the difference between two histograms; for this operation we utilize the Euclidean distance~(see Section~\ref{subsec:sel-utl} for more details).
\begin{algorithm}
\caption{Partitioned dummy {\thething} set options selection}
\label{algo:lmdk-sel-hist}
\DontPrintSemicolon
\KwData{$T, L$}
\KwResult{\opts}
\BlankLine
\hist, \h $\leftarrow$ \getHist{$T, L$}\;
\histCur $\leftarrow$ hist\;
\opts $\leftarrow$ $[]$\;
\While{sum($L'$) $\neq$ len($T$)}{ \label{algo:lmdk-sel-hist-while}
% Track the minimum (best) evaluation
\diffMin $\leftarrow$ $\infty$\;
% The candidate option
\opt $\leftarrow$ \histCur\;
% Check every possibility
\ForEach{\hi \reg $L'$}{ \label{algo:lmdk-sel-hist-cmp-start}
% Can we add one more point?
\If{\hi $+$ $1$ $\leq$ \h}{
\histTmp $\leftarrow$ \histCur\;
\histTmp$[i]$ $\leftarrow$ \histTmp$[i]$ $+$ $1$\;
% Find difference from original
\diffCur $\leftarrow$ \getDiff{\hist, \histTmp}\;
% Remember if it is the best that you've seen
\If{\diffCur $<$ \diffMin}{ \label{algo:lmdk-sel-hist-cmp}
\diffMin $\leftarrow$ \diffCur\;
\opt $\leftarrow$ \histTmp\;
}
}
} \label{algo:lmdk-sel-hist-cmp-end}
% Update current histogram
\histCur $\leftarrow$ \opt\;
% Add current best to options
\opts $\leftarrow$ \opt\;
} \label{algo:lmdk-sel-hist-end}
\Return{\opts}
\end{algorithm}
In Lines~{\ref{algo:lmdk-sel-hist-cmp-start}-\ref{algo:lmdk-sel-hist-cmp-end}} we check every possible histogram version by incrementing each bin by $1$ and comparing it to the original (Line~\ref{algo:lmdk-sel-hist-cmp}).
In the end of the process, we return \opts which contains all the versions of \hist that are closest to \hist for all possible sizes of \hist.
\subsubsection{Privacy-preserving option selection}
\label{subsec:lmdk-opt-sel}
The Algorithms of Section~\ref{subsec:lmdk-set-opts} return a set of possible versions of the original {\thething} set $L$ by adding extra timestamps in it from the series of events at timestamps $T \supseteq L$.
In the next step of the process, we randomly select a set by utilizing the exponential mechanism (Section~\ref{subsec:prv-mech}).
For this procedure, we allocate a small fraction of the available privacy budget, i.e.,~$1$\% or even less (see Section~\ref{subsec:sel-eps} for more details).
\paragraph{Utility score function}
Prior to selecting a set, the exponential mechanism evaluates each set using a utility score function.
One way evaluate each set is by taking into account the temporal position the events in the sequence.
% Nearby events
Events that occur at recent timestamps are more likely to reveal sensitive information regarding the users involved~\cite{kellaris2014differentially}.
Thus, taking into account more recent events with respect to {\thethings} can result in less privacy loss and better privacy protection overall.
This leads to worse data utility.
% Depending on the {\thething} discovery technique
The values of events near a {\thething} are usually similar to that of the latter.
Therefore, privacy-preserving mechanisms are likely to approximate their values based on the nearest {\thething} instead of investing extra privacy budget to perturb their actual values; thus, spending less privacy budget.
Saving privacy budget for releasing perturbed versions of actual event values can bring about better data utility.
% Distant events
However, indicating the existence of dummy {\thethings} nearby actual {\thethings} can increase the adversarial confidence regarding the location of the latter within a series of events.
Hence, choosing dummy {\thethings} far from the actual {\thethings} (and thus less relevant) can limit the final privacy loss.
Another approach for the score function is to consider the number of events in each set.
On the one hand, sets with more dummy {\thethings} may render actual {\thethings} more indistinguishable probabilistically.
That is due to the fact that, it is harder for an adversary to pick a {\thething} when the ratio of {\thethings} to the size of the set gets lower.
On the other hand, more dummy {\thethings} lead to distributing the privacy budget to more events, and therefore investing less at each timestamp.
Thus, providing a better level of privacy protection.
\paragraph{Option release}
The options that Algorithms~\ref{algo:lmdk-sel-opt} and \ref{algo:lmdk-sel-heur} generate contain actual timestamps which can be utilized directly by the {\thething} privacy mechanisms that we presented in Section~\ref{subsec:lmdk-mechs}.
However, Algorithm~\ref{algo:lmdk-sel-hist} returns histograms instead of timestamps.
Therefore, we need to process the result of the exponential mechanism further by creating a sample from the true {\thethings} and populating it with the remaining amount of choices, i.e.,~$\left|L'\right| - \left|L\right|$ by performing sampling without replacement from the resulting option $L$.