
CN113573234B - A location privacy protection method in large indoor location service scenarios - Google Patents

A location privacy protection method in large indoor location service scenarios

Info

Publication number: CN113573234B
Application number: CN202110883750.8A
Authority: CN (China)
Prior art keywords: privacy, location, dimensional space, noise, discretization
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN113573234A (en)
Inventors: 闵明慧, 崔博言, 李孙笑何, 胥俊怀, 李世银
Current assignee: China University of Mining and Technology Beijing (CUMTB) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China University of Mining and Technology Beijing (CUMTB)
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events:
    • Application filed by China University of Mining and Technology Beijing (CUMTB)
    • Priority to CN202110883750.8A
    • Publication of CN113573234A
    • Application granted
    • Publication of CN113573234B
    • Legal status: Active (current)
    • Anticipated expiration

Classifications

All entries fall under H (Electricity) > H04 (Electric communication technique) > H04W (Wireless communication networks):

    • H04W 4/00 Services specially adapted for wireless communication networks; facilities therefor
        • H04W 4/02 Services making use of location information
            • H04W 4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences
            • H04W 4/025 Services making use of location information using location based information parameters
        • H04W 4/30 Services specially adapted for particular environments, situations or purposes
            • H04W 4/33 Services specially adapted for indoor environments, e.g. buildings
    • H04W 12/00 Security arrangements; authentication; protecting privacy or anonymity
        • H04W 12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        • H04W 12/60 Context-dependent security
            • H04W 12/63 Location-dependent; proximity-dependent
                • H04W 12/64 Location-dependent; proximity-dependent using geofenced areas

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Processing Or Creating Images (AREA)
  • Instructional Devices (AREA)

Abstract

A location privacy protection method for large indoor location service scenarios, in the field of location services and information security. To counter the location privacy leakage caused by untrusted servers or eavesdropping attackers during 3D location services, the method adopts geo-indistinguishability and perturbs the X, Y and Z coordinates of a location simultaneously with a 3D Laplace noise mechanism; the perturbed location is then determined by discretization and truncation; the mathematical relationship between the privacy budget before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise. The method addresses location privacy leakage in 3D location service environments and improves the privacy of location data in a location service system under location inference attacks. Advantages: based on differentially private geo-indistinguishability in 3D space, it perturbs all three dimensions of a location at once and provides a rigorous metric and an implementation mechanism for 3D location privacy protection.

Figure 202110883750

Description

A location privacy protection method in large indoor location service scenarios

Technical field

The invention relates to the field of location services and information security, and in particular to a location privacy protection method for large indoor location service scenarios.

Background

With the rapid development of 5G communication technology and the ever-increasing population density of cities, location-based services [[1] Wang Yuhang. Research on privacy protection technology for location data [D]. Harbin Institute of Technology, 2020] have been widely deployed in large indoor buildings such as large hospitals and shopping malls. The global indoor LBS market is expected to reach USD 18.74 billion by 2025. At the same time, the risk of user location privacy leakage is growing: in 2020 the US Federal Communications Commission proposed fining four major mobile carriers at least USD 200 million for leaking consumers' real-time location data. Location privacy protection in three-dimensional spaces such as large indoor buildings is therefore receiving increasing attention from academia and industry. At present, most location privacy protection schemes focus on two-dimensional space; when a user's location data includes height information, these mechanisms cannot withstand location inference attacks by an untrusted location server or an eavesdropping attacker equipped with background knowledge.

In recent years, researchers at home and abroad have paid close attention to location privacy leakage in location services and have protected location privacy with K-anonymity [[2] Cui Yujuan. Research on privacy protection methods for location-based services [D]. Northwest Normal University, 2020], mix-zones, encryption and perturbation. However, encryption-based mechanisms hide the user's location completely and are therefore unsuitable for location service applications. K-anonymity-based mechanisms rely on a trusted third party, so once that server fails or is compromised the user's privacy is at risk. Perturbation-based mechanisms can generally be implemented locally on the user's device, avoiding any dependence on a trusted, secure server.

Two-dimensional geo-indistinguishability is an extension of traditional differential privacy used to protect the location privacy of a single user in the 2D plane [[3] M. Andrés, N. Bordenabe, K. Chatzikokolakis, and C. Palamidessi, Geo-indistinguishability: Differential privacy for location-based systems [C]. ACM Conference on Computer and Communications Security (CCS), 2013: 901-914]. A mobile user can locally run a perturbation mechanism based on 2D geo-indistinguishability to generate a fake location at random and publish it to the location server with the service request; the true location is known only to the user. However, when the user is in a three-dimensional space such as a large hospital, the user's height information is introduced, and the 2D mechanism above can no longer effectively prevent location inference attacks. For example, different floors of a high-rise hospital correspond to different kinds of disease; if a user's floor is leaked, his or her condition is also exposed to the attacker. Studying protection mechanisms for user location data in 3D location services is therefore very important.

Summary of the invention

The purpose of the invention is to provide a location privacy protection method for large indoor location service scenarios, protecting the privacy of location data in location service scenarios in three-dimensional spaces such as large indoor buildings.

This purpose is achieved as follows. The 3D location privacy protection method addresses the location privacy leakage caused by untrusted servers or eavesdropping attackers during 3D location services. It adopts geo-indistinguishability and perturbs the X, Y and Z coordinates of the location simultaneously with a 3D Laplace noise mechanism; the perturbed location is determined by discretization and truncation; the mathematical relationship between the privacy budget before and after discretization and truncation is analyzed; and the privacy-budget degradation caused by discretization is compensated by adding extra noise. This counters location privacy leakage in 3D location service environments and improves the privacy of location data in a location service system under location inference attacks.

The specific steps are as follows:

Step 1: define the geo-indistinguishability mechanism in 3D space. A rigorous and provable differential-privacy-based metric of location privacy in 3D space, 3D geo-indistinguishability, is proposed and defined as follows:

Figure GDA0003513269620000021

where ε is the privacy budget; the perturbation mechanism
Figure GDA0003513269620000022
makes every
Figure GDA0003513269620000023
in 3D space satisfy ε-geo-indistinguishability, where
Figure GDA0003513269620000024
is the set of possible true locations,
Figure GDA0003513269620000025
is the set of possible perturbed locations, x1 is the user location, x′ is the perturbed location, and d3(x1, x2) is the radius of the spherical region centered on x1;

In step 1, 3D geo-indistinguishability ensures that for any two geographically close locations in 3D space the probability distributions of the perturbed location are similar; this is determined by the privacy budget ε and the spherical region of radius d3(x1, x2) centered on the user location x1, so the true location within that space is protected.

Step 2: perturb the X, Y and Z coordinates of the 3D location simultaneously.

In step 2, the specific steps are as follows:

Step 1): the probability density function of the noise generation mechanism introduced is

Figure GDA0003513269620000026

where ε is the privacy budget, x1 is the user's true location, x′ is the perturbed location, d3(x1, x2) is the radius of the spherical region centered on x1, and A is the normalization coefficient;

Step 2): replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed location. The user's true location is x1 and the perturbed location x′ is expressed as (r, θ, ψ), where ε is the privacy budget, r is the distance between x1 and x′, θ is the polar angle and ψ is the azimuth; the probability density function in spherical coordinates is:

Figure GDA0003513269620000027

Define three variables, the radius
Figure GDA0003513269620000028
the polar angle θ and the azimuth ψ; the marginal distributions of the three variables are respectively:

Figure GDA0003513269620000029

Step 3): send the perturbed location x′, drawn according to the noise distribution function, to the LBS server.

In step 2) above, the perturbed location x′ is obtained as follows:

Step (1): select a random vector U = (θ, ψ) on the unit sphere;

Step (2): in formula (3),
Figure GDA00035132696200000210
is the probability density function of the gamma distribution Γ(3, 1/ε); a radius r is drawn from Γ(3, 1/ε), and the perturbed location x′ then follows the distribution x1 + U·r.

Step 3: approximate the noise generated by the Laplace mechanism on a cubic grid
Figure GDA0003513269620000031
in 3D coordinates; design the discretized noise mechanism and derive the relationship between the privacy budget before and after discretization, ensuring that the discretized mechanism still guarantees differential privacy;

In step 3, the user's true location is x1, and the perturbed location
Figure GDA0003513269620000032
is generated in the following two steps:

Step 1): in the spherical coordinate system centered on x1, use the three-variable Laplace noise mechanism to generate a perturbed location
Figure GDA0003513269620000033

Step 2): remap
Figure GDA0003513269620000034
to the nearest location x′ in the space; this mechanism is denoted
Figure GDA0003513269620000035
Figure GDA0003513269620000036

The discretized privacy budget ε′ is determined by the privacy budget ε, the step of the cubic grid
Figure GDA0003513269620000037
and the precision of the device, and the degraded privacy budget is compensated by adding extra noise;

Step 4: design the truncated noise mechanism to guarantee geo-indistinguishability in 3D space, because the mechanism above cannot satisfy differential privacy in an arbitrary 3D space.

In step 4, the mechanism cannot satisfy differential privacy in an arbitrary 3D space for the following reasons:

1) the discretized noise mechanism above guarantees differential privacy only within a bounded range;

2) in real scenarios the space a user can access is limited. To preserve geo-indistinguishability after discretization and confine the location to a bounded area, truncation maps unreasonable locations back into the bounded range, guaranteeing the geo-indistinguishability property in 3D space.

In step 3, the three-variable Laplace noise mechanism in 3D space perturbs the X, Y and Z coordinates of the location simultaneously to guarantee geo-indistinguishability in 3D space.

In step 3, the noise is discretized in the spherical coordinate system of the 3D space, and the perturbed location is generated while the geo-indistinguishability parameter is kept unchanged.

In step 4, to preserve geo-indistinguishability after discretization and confine the location to a bounded area, truncation maps unreasonable locations into the bounded range so that the geo-indistinguishability property is unchanged. Based on the device precision, the bounded spatial range and the discretization unit, the mathematical relationship between the privacy budget before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise, so that the noise mechanism after discretization and truncation still strictly guarantees geo-indistinguishability in 3D space.
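The sampling procedure of step 2 (a uniform direction U = (θ, ψ) on the unit sphere and a radius r drawn from Γ(3, 1/ε), giving x′ = x1 + U·r), followed by the grid discretization of step 3 and the truncation of step 4, written out as an added Python example. This is not code from the patent or its inventors: the building extent, the 0.5 m grid step, clamping to the bounding box as the truncation rule, and treating ε as the already compensated budget (the patent's derivation of ε′ from grid step and device precision is not reproduced) are all assumptions. The density-ratio check at the end is the geo-indistinguishability bound of step 1 for the continuous mechanism, obtained from the triangle inequality.

```python
import math
import random
from dataclasses import dataclass
from typing import Tuple

Point = Tuple[float, float, float]


@dataclass(frozen=True)
class Region:
    """Axis-aligned box bounding the user-accessible indoor space (constructed, hypothetical)."""
    lo: Point
    hi: Point


def d3(a: Point, b: Point) -> float:
    """Euclidean distance d3(x1, x2) between two points in 3D space."""
    return math.dist(a, b)


def sample_direction(rng: random.Random) -> Point:
    """Step (1): uniformly random unit vector U = (theta, psi), returned in Cartesian form.
    The polar angle theta has density sin(theta)/2 on [0, pi] and the azimuth psi is
    uniform on [0, 2*pi); these are the angular marginals of the spherical 3D Laplace pdf."""
    theta = math.acos(1.0 - 2.0 * rng.random())
    psi = 2.0 * math.pi * rng.random()
    return (math.sin(theta) * math.cos(psi),
            math.sin(theta) * math.sin(psi),
            math.cos(theta))


def sample_radius(eps: float, rng: random.Random) -> float:
    """Step (2): radius r ~ Gamma(3, 1/eps). The density exp(-eps*r) times the spherical
    volume element r^2 dr is proportional to r^2 exp(-eps*r), the Gamma(shape=3, scale=1/eps)
    density, so Python's gammavariate(shape, scale) samples it directly."""
    return rng.gammavariate(3.0, 1.0 / eps)


def perturb_continuous(x1: Point, eps: float, rng: random.Random) -> Point:
    """Step 2: continuous 3D Laplace mechanism, x' = x1 + U * r."""
    u = sample_direction(rng)
    r = sample_radius(eps, rng)
    return tuple(c + r * uc for c, uc in zip(x1, u))


def discretize(p: Point, step: float) -> Point:
    """Step 3: remap the continuous output to the nearest node of a cubic grid."""
    return tuple(round(c / step) * step for c in p)


def truncate(p: Point, region: Region) -> Point:
    """Step 4: map a point that fell outside the accessible region back inside it.
    Clamping to the box is an assumed truncation rule; the patent does not fix one."""
    return tuple(min(max(c, lo), hi) for c, lo, hi in zip(p, region.lo, region.hi))


def perturb(x1: Point, eps: float, step: float, region: Region, rng: random.Random) -> Point:
    """Full pipeline: continuous noise, then discretization, then truncation.
    eps is taken as the already compensated budget (assumption)."""
    return truncate(discretize(perturb_continuous(x1, eps, rng), step), region)


def on_grid(p: Point, step: float) -> bool:
    """True if every coordinate is a multiple of the grid step."""
    return all(abs(c / step - round(c / step)) < 1e-9 for c in p)


def inside(p: Point, region: Region) -> bool:
    """True if the point lies within the bounding box."""
    return all(lo <= c <= hi for c, lo, hi in zip(p, region.lo, region.hi))


def density_ratio_within_bound(x1: Point, x2: Point, xp: Point, eps: float) -> bool:
    """Geo-indistinguishability check for the continuous mechanism at output x':
    the pdf is A*exp(-eps*d3(x, x')), so Pr[x'|x1]/Pr[x'|x2] = exp(eps*(d3(x2,x') - d3(x1,x'))),
    which the triangle inequality bounds by exp(eps*d3(x1, x2))."""
    ratio = math.exp(eps * (d3(x2, xp) - d3(x1, xp)))
    return ratio <= math.exp(eps * d3(x1, x2)) * (1.0 + 1e-12)


def mean_radius(eps: float, n: int, seed: int) -> float:
    """Empirical mean of the sampled radius; Gamma(3, 1/eps) has mean 3/eps."""
    rng = random.Random(seed)
    return sum(sample_radius(eps, rng) for _ in range(n)) / n


if __name__ == "__main__":
    # Constructed scenario: a 60 m x 40 m x 20 m building, 0.5 m grid, eps = 0.5 per metre,
    # so the expected displacement of the perturbed location is 3/eps = 6 m.
    rng = random.Random(7)
    building = Region((0.0, 0.0, 0.0), (60.0, 40.0, 20.0))
    true_location = (12.3, 7.9, 6.1)
    for _ in range(5):
        print(perturb(true_location, 0.5, 0.5, building, rng))
```

Because the box bounds are multiples of the grid step, the clamped output stays on the grid; with a non-aligned box the order of discretization and truncation would need a second snap, which is exactly the kind of detail the patent's ε′ analysis must account for.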

Beneficial effects. With the scheme above, the location privacy leakage caused by untrusted servers or eavesdropping attackers during 3D location services in large indoor spaces is addressed: differential-privacy-based geo-indistinguishability in 3D space gives a rigorous measure of location privacy, and the 3D Laplace noise mechanism perturbs the X, Y and Z coordinates simultaneously so that an attacker cannot obtain the user's precise location. Moreover, because hardware precision is limited in practice, a mobile device cannot produce an arbitrary fake location from a continuous noise function, and in real scenarios the space a user can access is limited. Therefore, discretization and truncation determine the perturbed location, the mathematical relationship between the privacy budget before and after discretization and truncation is analyzed, and the privacy-budget degradation caused by discretization is compensated by adding extra noise, so that the noise mechanism after discretization and truncation still strictly guarantees differential privacy.

This solves the problem of location privacy leakage caused by untrusted servers or eavesdropping attackers during location services in 3D spaces such as large indoor buildings, and achieves location privacy protection in such location service scenarios.

The geo-indistinguishability mechanism in 3D space means that, for any location within a given spherical region of radius R, the distribution of an attacker's inference of the user's true location is similar no matter how much prior knowledge the attacker has. Even if the attacker can establish that the user is within the sphere of radius R, it cannot determine the exact location, and an attacker who already knows the region the user is in cannot infer anything more from the user's perturbed location, whatever its prior knowledge.

For any two geographically close locations in 3D space, εd3(x1, x2) can be regarded as the geo-indistinguishability measure: the closer x1 and x2 are, the more similar their perturbed-location distributions
Figure GDA0003513269620000041
and
Figure GDA0003513269620000042
are.

The X, Y and Z coordinates of the 3D location are perturbed simultaneously: the 3D Laplace noise mechanism is proposed to achieve geo-indistinguishability in continuous 3D space, and the randomly generated perturbed location x′ is sent to the location service server according to the noise distribution function. When the true location is x1 or x2 with
Figure GDA0003513269620000043
the probabilities of any location in the transmitted region differ by at most
Figure GDA0003513269620000044

Given that hardware precision is limited in practice, a mobile device cannot generate an arbitrary fake location from a continuous noise function.

The discretized noise mechanism can still guarantee geo-indistinguishability in 3D space, but it degrades the privacy budget; the discretized privacy budget ε′ is determined by the privacy budget ε, the step of the cubic grid
Figure GDA0003513269620000045
and the precision of the device, and the degraded privacy budget is compensated by adding extra noise.

Since most location privacy protection schemes focus on 2D space, they cannot withstand location inference attacks by an untrusted location server or an eavesdropping attacker with background knowledge when the user's location data includes height information, while encryption-based mechanisms hide the user's location completely and are unsuitable for location service applications. Some mechanisms, such as K-anonymity, rely on a trusted third party, so once that server fails or is compromised the user's privacy is at risk. The invention therefore adopts geo-indistinguishability, determines the perturbed location with a 3D Laplace noise mechanism, and designs a discretized and truncated perturbation scheme that accounts for the limited device precision and limited user-accessible space of real scenarios, so that an attacker cannot obtain the user's precise location; this resists location inference attacks in 3D location service environments and improves the privacy of location data in the location service system.

Advantages: the invention takes the height of a location into account, proposes a rigorous and provable measure of 3D location privacy, designs a 3D Laplace noise mechanism, and protects the privacy of location data in location service scenarios in 3D spaces such as large indoor buildings.

Description of drawings

Figure 1 is a scene diagram of a 3D location service system, such as a large hospital, according to the invention;

Figure 2 is a flowchart of the location privacy protection method based on the 3D geo-indistinguishability mechanism adopted by the invention.

Detailed description

The 3D location privacy protection method addresses the location privacy leakage caused by untrusted servers or eavesdropping attackers during 3D location services. It adopts geo-indistinguishability and perturbs the X, Y and Z coordinates of the location simultaneously with a 3D Laplace noise mechanism; the perturbed location is determined by discretization and truncation; the mathematical relationship between the privacy budget before and after discretization and truncation is analyzed; and the privacy-budget degradation caused by discretization is compensated by adding extra noise. This counters location privacy leakage in 3D location service environments and improves the privacy of location data in a location service system under location inference attacks.

The specific steps are as follows:

Step 1: define the geo-indistinguishability mechanism in 3D space. A rigorous and provable differential-privacy-based metric of location privacy in 3D space, 3D geo-indistinguishability, is proposed and defined as follows:

Figure GDA0003513269620000051

where ε is the privacy budget; the perturbation mechanism
Figure GDA0003513269620000052
makes every
Figure GDA0003513269620000053
in 3D space satisfy ε-geo-indistinguishability, where
Figure GDA0003513269620000054
is the set of possible true locations,
Figure GDA0003513269620000055
is the set of possible perturbed locations, x1 is the user location, x′ is the perturbed location, and d3(x1, x2) is the radius of the spherical region centered on x1;

In step 1, 3D geo-indistinguishability ensures that for any two geographically close locations in 3D space the probability distributions of the perturbed location are similar; this is determined by the privacy budget ε and the spherical region of radius d3(x1, x2) centered on the user location x1, so the true location within that space is protected.

Step 2: perturb the X, Y and Z coordinates of the 3D location simultaneously.

In step 2, the specific steps are as follows:

Step 1): the probability density function of the noise generation mechanism introduced is

Figure GDA0003513269620000056

where ε is the privacy budget, x1 is the user's true location, x′ is the perturbed location, d3(x1, x2) is the radius of the spherical region centered on x1, and A is the normalization coefficient;

Step 2): replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed location. The user's true location is x1 and the perturbed location x′ is expressed as (r, θ, ψ), where ε is the privacy budget, r is the distance between x1 and x′, θ is the polar angle and ψ is the azimuth; the probability density function in spherical coordinates is:

Figure GDA0003513269620000057

Define three variables, the radius
Figure GDA0003513269620000058
the polar angle θ and the azimuth ψ; the marginal distributions of the three variables are respectively:

Figure GDA0003513269620000059

Step 3): send the randomly generated perturbed location x′ to the LBS server according to the noise distribution function.

In step 2) above, the perturbed location x′ is obtained as follows:

Step (1): select a random vector U=(θ,ψ) in the unit sphere;

Step (2): in formula (3),
Figure GDA00035132696200000510
is the probability density function of the gamma distribution Γ(3,1/ε); a radius r is drawn according to Γ(3,1/ε), and the perturbed position x′ then follows the distribution x1+Ur.

Step 3: approximate the noise generated by the Laplace mechanism onto the cubic grid
Figure GDA0003513269620000061
in three-dimensional coordinates, design a discretised noise-adding mechanism, and derive the relation between the privacy budgets before and after discretisation, so that the discretised noise-adding mechanism still guarantees the differential privacy property;

In step 3, the user's true position is x1 and the perturbed position
Figure GDA0003513269620000062
is generated by the following two sub-steps:

Step 1): in the spherical coordinate system centred on x1, use the three-variable Laplace noise mechanism to generate a perturbed position
Figure GDA0003513269620000063

Step 2): remap
Figure GDA0003513269620000064
to the nearest position x′ in the space; this mechanism is denoted
Figure GDA0003513269620000065
Figure GDA0003513269620000066

The discretised privacy budget ε′ is determined by the privacy budget ε, the step size of the cubic grid
Figure GDA0003513269620000067
and the precision of the device; the degraded privacy budget is compensated by adding extra noise;

Step 4: design a truncated noise-adding mechanism to guarantee geo-indistinguishability in three-dimensional space, since the mechanism above cannot satisfy differential privacy in an arbitrary three-dimensional space.

In step 4, the mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space, for the following reasons:

1) the discretised noise-adding mechanism above guarantees differential privacy only within a limited range;

2) in practice the space a user can access is limited; to preserve geo-indistinguishability after discretisation and confine the position to a bounded region, truncation maps unreasonable positions into the bounded range, guaranteeing the geo-indistinguishability property in three-dimensional space.

In step 3, the three-variable Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously, guaranteeing geo-indistinguishability in three-dimensional space.

In step 3, the noise is discretised in the spherical coordinate system of the three-dimensional space, and the perturbed position is generated while the geo-indistinguishability parameter is kept unchanged.

In step 4, to preserve geo-indistinguishability after discretisation and confine the position to a bounded region, truncation maps unreasonable positions into the bounded range, keeping the geo-indistinguishability property unchanged. Based on the device precision, the bounded spatial range and the discretisation unit, the mathematical relation between the privacy budgets before and after discretisation and truncation is analysed, and extra noise is added to compensate the privacy-budget degradation caused by discretisation, so that the noise-adding mechanism after discretisation and truncation still strictly guarantees geo-indistinguishability in three-dimensional space.

The technical solution of the invention is described further below with reference to an example, but the claimed scope is not limited to this description.

Embodiment 1: a location privacy protection method in three-dimensional space for a large indoor location service scenario; the specific implementation steps are as follows:

Step 1: set up the three-dimensional spatial environment, consider a position perturbation mechanism over all three dimensions at once, and design the three-dimensional Laplace noise mechanism. Figure 1 shows the scenario of a three-dimensional location service system in a large hospital. Assume the hospital occupies a cuboid map 600 m long, 600 m wide and 60 m high, divided into a 30×30×20 cubic grid, i.e. 18,000 cells each 20 m long, 20 m wide and 3 m high; different cells represent different location areas, numbered {c1,c2,c3,...}. When a user moving about the hospital sends their current position to the location server to request a location service, an untrusted location server or an eavesdropping attacker can use existing background knowledge to infer the user's location, and then send the user spam or carry out fraud. Using geo-indistinguishability in three-dimensional space, the user instead publishes a perturbed position to the location server, preventing an attacker from stealing the user's location privacy in the hospital and thereby improving the location data privacy security of the location service system under location inference attacks.

The location privacy protection method of the invention for large indoor location service scenarios consists of four processes: defining the geo-indistinguishability mechanism in three-dimensional space, generating perturbed positions based on that mechanism, designing the discretised noise-adding mechanism, and using truncation to guarantee the geo-indistinguishability property in three-dimensional space.

Step 2: define the geo-indistinguishability mechanism in three-dimensional space, giving a strict and provable location privacy metric for three-dimensional space based on differential privacy; the mechanism is defined as follows:

Figure GDA0003513269620000071

where the perturbation mechanism
Figure GDA0003513269620000072
makes all
Figure GDA0003513269620000073
in three-dimensional space satisfy ε-geo-indistinguishability, where
Figure GDA0003513269620000074
is the set of possible true positions and
Figure GDA0003513269620000075
is the set of possible perturbed positions. This definition ensures that for any two geographically close positions in three-dimensional space the probability distributions of their perturbed positions are similar, as determined by the privacy budget ε and the spherical region of radius d3(x1,x2) centred on the user position x1. That is, εd3(x1,x2) can be regarded as a geo-indistinguishability metric: the closer x1 and x2 are, the more similar their perturbed position distributions
Figure GDA0003513269620000076
and
Figure GDA0003513269620000077
are. Since all positions within the spherical region produce approximately the same perturbed position distribution, the true position within the region is protected.

Step 3: generate the perturbed position in three-dimensional space based on the three-dimensional geo-indistinguishability mechanism. To make the operation more convenient and efficient, the invention replaces the Cartesian coordinate system with a spherical coordinate system. The user's true position is x1 and its perturbed position x′ can be expressed as (r,θ,ψ), where r is the distance between x1 and x′, θ is the polar angle and ψ is the azimuth angle; substituting into formula (2) gives:
Figure GDA0003513269620000078
Define three variables: the radius
Figure GDA0003513269620000079
, the polar angle θ and the azimuth angle Ψ, whose marginal distribution functions are:

Figure GDA00035132696200000710

Figure GDA00035132696200000711

Figure GDA00035132696200000712

Finally, the perturbed position x′ is obtained in two steps: (1) select a random vector U=(θ,ψ) in the unit sphere; (2) draw a radius r from the gamma distribution Γ(3,1/ε); the perturbed position x′ then follows the distribution x1+Ur.

Step 4: the discretised Laplace mechanism. From the user's actual position x1, the perturbed position
Figure GDA00035132696200000713
is generated by the following two steps, where
Figure GDA00035132696200000714
is the cubic grid; assume
Figure GDA00035132696200000715
has length u, width v and height h, with u>v>h:

1) in the spherical coordinate system centred on x1, use the three-variable Laplace mechanism of step 3 to generate a perturbed position
Figure GDA00035132696200000716

2) remap
Figure GDA00035132696200000717
to the nearest position x′ in
Figure GDA00035132696200000718
, i.e.:

Figure GDA00035132696200000719

Let dr, dθ and
Figure GDA00035132696200000720
denote the device precision in the r, θ and
Figure GDA00035132696200000721
directions respectively, and let B denote the set of discrete points generated by
Figure GDA00035132696200000722
in step 1). Each point
Figure GDA00035132696200000723
is generated with the probability of the region bounded by r, r+dr, θ, θ+dθ and
Figure GDA00035132696200000724
. The probability of generating
Figure GDA00035132696200000725
in step 1) is NB(x′)=N(x′)∩B.

N(x′) depends on the step size of the cube
Figure GDA00035132696200000726
, while NB(x′) is jointly affected by the step size of the cube
Figure GDA00035132696200000727
and the device precision. The discretised privacy budget ε′ depends on the previous privacy budget ε, the length u, width v and height h of
Figure GDA0003513269620000081
, and the device precision. Since discretisation lowers the privacy budget to ε′, the noise that must be added is quantified from the difference between ε′ and ε; adding this extra noise compensates the privacy-budget degradation caused by discretisation, ensuring that the discretised noise-adding mechanism still guarantees geo-indistinguishability in three-dimensional space.

Step 5: guarantee geo-indistinguishability of the discrete Laplace mechanism by truncation. Let α denote a bounded region with diameter Dα, and let
Figure GDA0003513269620000082
be the truncated noise-adding mechanism. Then
Figure GDA0003513269620000083
Figure GDA0003513269620000084
This stage resembles the discrete Laplace mechanism, except that the perturbed position is remapped to the nearest point in
Figure GDA0003513269620000085
, i.e. a position outside the region α is mapped to a point inside it. In this way the invention also ensures that the truncated Laplace noise mechanism still satisfies geo-indistinguishability in three-dimensional space.

Claims (7)

1. A location privacy protection method for a large indoor location service scenario, comprising the following steps: a location privacy protection method in three-dimensional space that addresses location privacy leakage caused by an untrusted server or an eavesdropper during three-dimensional location services; geo-indistinguishability is adopted, the X, Y and Z coordinates of a position are perturbed simultaneously based on a three-dimensional Laplace noise mechanism, the perturbed position is determined by a discretisation and truncation method, the mathematical relation of the privacy budgets before and after discretisation and truncation is analysed, and the budget degradation caused by discretisation is compensated by adding extra noise; the location privacy leakage problem of the three-dimensional location service environment is thereby addressed, and the location data privacy security of the location service system under location inference attacks is improved;
step 1: define a geo-indistinguishability mechanism in three-dimensional space; a strict and provable location privacy metric for three-dimensional space based on differential privacy, namely three-dimensional geo-indistinguishability, is given and defined as follows:
Figure FDA0003513269610000011
where ε is the privacy budget and the perturbation mechanism
Figure FDA0003513269610000012
makes all true positions x1,
Figure FDA0003513269610000013
and perturbed positions
Figure FDA0003513269610000014
in the three-dimensional space satisfy ε-geo-indistinguishability, where
Figure FDA0003513269610000015
is the set of possible true positions of the mobile terminal,
Figure FDA0003513269610000016
is the set of possible perturbed positions, x1 is the user's true position, x′ is the perturbed position, and d3(x1,x2) is the radius of the spherical region centred on x1;
step 2: perturb the X, Y and Z coordinates of the position in the three-dimensional space simultaneously;
step 3: approximate the noise generated by the Laplace mechanism onto the cubic grid
Figure FDA0003513269610000017
in three-dimensional coordinates, design a discretised noise-adding mechanism, derive the relation of the privacy budgets before and after discretisation, and ensure that the discretised noise-adding mechanism still guarantees the differential privacy property;
step 4: design a truncated noise-adding mechanism to guarantee geo-indistinguishability in three-dimensional space, since the mechanism above cannot satisfy differential privacy in an arbitrary three-dimensional space;
in step 2, the specific sub-steps are as follows:
step 1): the probability density function of the noise-generating mechanism introduced is
Figure FDA0003513269610000018
where ε is the privacy budget, x1 is the user's true position, x′ is the perturbed position, d3(x1,x′) is the radius of the spherical region centred on x1, and A is the normalisation coefficient; the formula is a three-variable Laplace function centred on x1;
step 2): replace the Cartesian coordinate system with a spherical coordinate system to determine the perturbed position; the user's true position is x1 and the perturbed position x′ is expressed as
Figure FDA0003513269610000019
where ε is the privacy budget, r is the distance between x1 and x′, θ is the polar angle and
Figure FDA00035132696100000110
is the azimuth angle; in the spherical coordinate system the probability density function of the three-variable Laplace centred on the true position x1 is:
Figure FDA00035132696100000111
define three random variables: the radius
Figure FDA00035132696100000112
, the polar angle Θ and the azimuth angle Φ; the marginal distributions of the three random variables are:
Figure FDA00035132696100000113
step 3): send the perturbed position x′ to an LBS server according to the noise distribution function, where LBS stands for Location Based Services;
in step 3, the user's true position is x1 and the perturbed position x′ is generated by the following two sub-steps:
step 1): in the spherical coordinate system centred on x1, generate a perturbed position
Figure FDA0003513269610000021
using the three-variable Laplace noise mechanism;
step 2): remap
Figure FDA0003513269610000022
to the nearest perturbed position
Figure FDA0003513269610000023
; this mechanism is denoted
Figure FDA0003513269610000024
the discretised privacy budget ε′ is determined by the privacy budget ε, the step size of the cubic grid
Figure FDA0003513269610000025
and the precision of the device, while the degraded privacy budget is compensated by adding extra noise.
2. The method as claimed in claim 1, wherein in step 1 the three-dimensional geo-indistinguishability ensures that for any two geographically close positions in three-dimensional space the probability distributions of the perturbed positions are similar, as determined by the privacy budget ε and the spherical region of radius d3(x1,x2) centred on the user position x1, so that the true position in the space is protected.
3. The method as claimed in claim 1, wherein in sub-step 2) the perturbed position x′ is obtained as follows:
step (1): select a random vector
Figure FDA0003513269610000026
in the unit sphere;
step (2): in formula (3),
Figure FDA0003513269610000027
is the probability density function of the gamma distribution Γ(3,1/ε); a radius r is determined according to Γ(3,1/ε), and the perturbed position x′ follows the distribution x1+Ur.
4. The method as claimed in claim 1, wherein in step 4 the mechanism cannot satisfy differential privacy in an arbitrary three-dimensional space, for the following reasons:
1) the discretised noise-adding mechanism guarantees differential privacy only within a limited range;
2) the space a user can access is limited in a real scenario; to preserve geo-indistinguishability after discretisation and confine the position to a bounded region, an unreasonable position is mapped into the bounded range by truncation, guaranteeing the geo-indistinguishability property in three-dimensional space.
5. The method as claimed in claim 1, wherein in step 3 the three-variable Laplace noise mechanism in three-dimensional space perturbs the X, Y and Z coordinates of the position simultaneously to guarantee geo-indistinguishability in three-dimensional space.
6. The method as claimed in claim 1, wherein in step 3 the noise is discretised in the spherical coordinate system of the three-dimensional space, and the perturbed position is generated while the geo-indistinguishability parameters are kept unchanged.
7. The method as claimed in claim 1, wherein in step 4, to preserve geo-indistinguishability after discretisation and confine the position to a bounded region, an unreasonable position is mapped into the bounded range by truncation so that the geo-indistinguishability property is unchanged; based on the device precision, the bounded spatial range and the discretisation unit, the mathematical relation of the privacy budgets before and after discretisation and truncation is analysed, and extra noise is added to compensate the privacy-budget degradation caused by discretisation, so that the noise-adding mechanism after discretisation and truncation still strictly guarantees geo-indistinguishability in three-dimensional space.
CN202110883750.8A 2021-08-03 2021-08-03 A location privacy protection method in large indoor location service scenarios Active CN113573234B (en)


Publications (2)

Publication Number Publication Date
CN113573234A CN113573234A (en) 2021-10-29
CN113573234B true CN113573234B (en) 2022-04-12

Family

ID=78170083

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant