APS: Attribute-aware privacy-preserving scheme in location-based services


ARTICLE IN PRESS, JID: INS [m3Gsc; February 28, 2019; 15:48]
Information Sciences xxx (xxxx) xxx
Contents lists available at ScienceDirect
Information Sciences, journal homepage: www.elsevier.com/locate/ins

Weihao Li a, Chen Li a,*, Yeli Geng b

a School of Cyber Engineering, Xidian University, Xi'an, China
b Department of Computer Science and Engineering, The Pennsylvania State University, University Park, PA, United States

Article info
Article history: Received 30 May 2018; Revised 5 November 2018; Accepted 11 February 2019; Available online xxx
Keywords: LBSs; Social networks; Privacy-preserving scheme; K-anonymity

Abstract

As one of the most significant factors for privacy protection, side information has been considered in the design of privacy-preserving schemes for Location-Based Services (LBSs) in recent years. However, most existing schemes treat this concept in a straightforward way, e.g., as query probability. In this paper, we consider the basic attribute associated with each location and design an Attribute-aware Privacy-preserving Scheme (APS) to enhance mobile users' location privacy. Specifically, we first extract basic attributes from the local map and specialize the Attribute-Aware Side Information (AASI). Then we build an attribute-based hierarchical tree (A-tree), which classifies locations into different categories in terms of each location's attribute. Based on such information, we design APS, which consists of two algorithms, the Voronoi Dividing Algorithm (VDA) and the Dummy Determining Algorithm (DDA). In VDA, we divide the local map into different Voronoi polygons based on the properties of the Voronoi Diagram, which guarantees that the selected locations are dispersed. In DDA, we utilize the Four Color Map Theorem to color these Voronoi polygons, which helps mobile users choose dummy locations that are as far apart as possible. Therefore, our APS provides an optimal dummy set to protect mobile users' location privacy and query privacy. Finally, thorough analysis and evaluation results illustrate the effectiveness and efficiency of our proposed scheme.
© 2019 Published by Elsevier Inc.

1. Introduction

With the rapid development of Mobile Social Networks (MSNs), Location-Based Services have become a necessary part of mobile users' daily lives. Mobile users can enjoy multitudinous services from LBS servers by submitting personal information, such as IDs, locations and interests, via LBS applications. Unfortunately, LBS servers are always untrusted, and the submitted personal information may thus be abused or released directly to third parties such as malicious users and institutions. As a result, these unwanted parties may infer where users are, what they are doing and at which time, and then perform attacks such as tracking or robbery. This obviously conflicts with mobile users' increasing privacy concerns. Therefore, we should pay more attention to users' privacy, including both location and query privacy.

To address the location privacy issues in LBSs, plenty of works have been proposed [25,34,36,37]. They can be divided into two main categories: trusted anonymizer-based approaches [1,4,8] and mobile device-based approaches

* Corresponding author. E-mail addresses: [email protected] (W. Li), [email protected] (C. Li), [email protected] (Y. Geng).

https://doi.org/10.1016/j.ins.2019.02.025 0020-0255/© 2019 Published by Elsevier Inc.

Please cite this article as: W. Li, C. Li and Y. Geng, APS: Attribute-aware privacy-preserving scheme in location-based services, Information Sciences, https://doi.org/10.1016/j.ins.2019.02.025


[17,20,26]. With the rapid growth of social data, trusted anonymizers have become a bottleneck for both computation and communication. Meanwhile, the advanced processing and storage capacity of mobile devices can handle many basic computations easily, so mobile device-based approaches avoid employing a trusted third party. Among mobile device-based approaches, some works point out the importance of side information [22,23]. However, these works consider side information in a straightforward way; for example, they only adopt the query probability of each location [23,29] and neglect the attribute associated with each location. To preserve mobile users' query privacy, l-diversity [16] was proposed to confuse the adversary with various classes of query content. However, l-diversity aims to diversify the categories of query content rather than the potential differences between locations, and the relationship between query content and the relevant location is ignored. In addition, some schemes consider social ties [6,14] when designing privacy-preserving mechanisms in LBSs, but they also treat a location as a simple coordinate.

A mobile user's location is not only the coordinate of a position on the local map: various infrastructures, such as stores, subway stations, hospitals and schools, are located at these positions. These infrastructures can be treated as attributes, and if this kind of information is not protected appropriately, it may reveal more of a mobile user's personal or corporate secrets than plain coordinates do. Exposing a mobile user's location attribute to unwanted advertisers and location-based spam can lead to reputational or economic damage, or even physical violence. Therefore, we take the attribute of each location into consideration and introduce Attribute-Aware Side Information (AASI) to design our privacy-preserving scheme.

Meanwhile, many approaches adopt a well-known privacy metric, such as k-anonymity [5,21], to measure mobile users' privacy, and enlarge the queried location into a larger region that covers the mobile user geographically. It is then difficult for an adversary to distinguish the mobile user's real location from the other k − 1 sanitized locations. However, these approaches aim at enlarging the mobile user's hiding region [8,15] and assume that the adversary has neither side information [20,22] nor AASI. For instance, if two released locations share the same attribute, such as KFC and McDonald's, the adversary can infer that this mobile user likes junk food, or even that she/he is an overweight person with health problems, even when the KFC and the McDonald's are far apart. In this example, it is the attribute of the location that leaks the mobile user's privacy, rather than the query content, which is usually protected by l-diversity. It is therefore important to pay attention to AASI when designing a privacy-preserving mechanism.

In this paper, we propose a dummy-based solution termed the Attribute-Aware Privacy-Preserving Scheme (APS), which aims to achieve k-anonymity for mobile users in LBSs. Different from existing schemes, APS uses AASI to select dummy locations and fake query contents carefully. Based on AASI, we construct an A-tree to classify the local map into different attribute categories. Our APS consists of two algorithms, VDA and DDA, which guarantee that the dummy locations have diverse attributes and that each released location is spread as far as possible. From the perspective of query privacy, time-sensitive query content for each submitted location is employed to mislead the adversary. The main contributions of this paper are summarized as follows:

• We propose AASI, which considers query probabilities together with the relationship between a location and its potential attribute for the mobile user, making up for the shortcomings of plain side information.
• Based on the dissimilarities of attributes, we construct a hierarchical tree, called the A-tree, which classifies the local map into different attribute categories with time-sensitive and score-aware weights. In addition, we employ variance to design a privacy metric that measures the dissimilarities of released locations.
• Based on AASI and the A-tree, we propose our APS, consisting of VDA and DDA, to protect mobile users' privacy. VDA divides the local map into different Voronoi polygons, guaranteeing that each Voronoi polygon has only one available spot; DDA then selects dummy locations to construct a dummy set using the Four Color Map Theorem. Finally, thorough evaluation results show the effectiveness and efficiency of our proposed solution.

The rest of this paper is organized as follows. We discuss related work in Section 2 and illustrate the preliminaries in Section 3. Section 4 explains our APS and its privacy analysis in detail, and Section 5 shows the evaluation results. We conclude the paper in Section 6.

2. Related work

A great deal of research has been proposed to preserve mobile users' location privacy. In this section, we review several existing works on mobile users' privacy concerns in LBSs.

2.1. Location privacy metrics

To quantify a mobile user's location privacy, most schemes specify a location as a single coordinate and aim at finding how accurately an adversary might infer the mobile user's coordinate. Several relevant location privacy metrics have been proposed [23,34,35]. Anonymity-based approaches [8,15,35] model an adversary who tries to infer the real mobile user from the others within an anonymity set. Therefore, the privacy degree of a mechanism is determined by the size of the anonymity set; for instance, k-anonymity (or l-diversity [16], t-closeness [12]) tries to hide the real information among k − 1 other pieces of pseudo-information.

Entropy-based metrics have also been proposed [19,22,23] to measure mobile users' privacy by analyzing the uncertainty of location revealing. Shokri et al. [29,31] quantify a mobile user's location privacy by the estimation error of the adversary. A game-theoretic framework [31] is designed to find the optimal location privacy-protecting mechanism while ensuring a satisfactory service quality for the mobile user. However, there is no metric based on location attribute


Table 1. Notations.

$n$: The number of locations in the local map
$\pi_i$: Query probability of location $loc_i$
$|A|$: The total number of attribute categories
$w_i^\lambda$: Weight of each sub-attribute
$s_i$: Attribute score
$M$: The number of storage units
$N$: The sum of nodes
$\mu$: Mean

to measure the dissimilarities among locations. In our work, we design a variance-based metric that considers the attribute of a location and quantifies location privacy.

2.2. Privacy-preserving mechanisms

To solve privacy issues in LBSs, several location privacy-protecting mechanisms have been proposed in recent years. Among them, location perturbation and obfuscation [3,26] have been used widely. They add noise to reduce precision, so that the adversary cannot find the accurate real location from the observed data. K-anonymity [8,22,35] is the most popular method for location privacy protection; it preserves privacy by hiding the mobile user's real location in an anonymity set. Gedik et al. [5] designed a personalized k-anonymity model in which mobile users can adjust their level of anonymity. However, these schemes rely on an anonymizer to process mobile users' locations, so the single point of failure introduced by the anonymizer cannot be avoided. To avoid using an anonymizer, some mobile-based approaches have been proposed [9,26,33] to protect mobile users' location privacy. Kido et al. [9] utilized dummy locations to achieve anonymity without an anonymizer, but they focused on reducing communication costs and ignored side information. Inspired by the notion of k-anonymity, Beresford et al. proposed the notion of the Mix Zone [1]. By changing pseudonyms within a Mix Zone, mobile users can make their new pseudonyms indistinguishable to the adversary. However, the Mix Zone model assumes that all users have the same anonymity set, and that a message cannot be traced from its source to its destination without the collusion of the mix nodes. In our scheme, we allow mobile users to have personalized anonymity sets based on location attributes. Different from existing mechanisms, our APS considers side information and AASI without relying on any trusted third entity.
In addition, we not only consider the probability of a location, but also adopt variance to design a new metric measuring the dissimilarities of location attributes.

3. Preliminaries

Based on the above introduction, we focus on the attribute of a location and propose AASI and the A-tree. To measure a mobile user's privacy level, we use variance to measure the attribute dissimilarities of locations. In addition, we illustrate our motivation and basic idea in this section. The notations employed are shown in Table 1.

3.1. Attribute-Aware Side Information (AASI)

Side information has been applied in existing privacy-preserving approaches [22,23]; it refers to the mobile users' query probability of each cell in the local map. The query probability is calculated as follows:

$$\pi_i = \frac{loc_i}{\sum_{j=1}^{n} loc_j},$$

where the query probability $\pi_i$ is the historical query probability of location $loc_i$, i.e., the share of historical queries sent from $loc_i$ among those sent from all $n$ locations in the local map. For instance, if 28% of queries have been sent to the LBS server from location A and 37% from location B, then the side information contains the query probability 28% for location A and 37% for location B. However, side information never considers how many restaurant-related or hospital-related queries were sent within those 28% (or 37%) of queries. Generally, location data refers to the coordinate of a spot in the local map, and the coordinate cannot literally leak mobile users' personal information. At a particular location, however, there exists at least one infrastructure (the partition granularity of the local map decides the number and category of infrastructures), and we employ that infrastructure as the basic attribute of the location. For example, Alice stays in KFC and wants to know the nearest bus stop. Then the coordinate of KFC and the query interest (i.e., bus stop) are submitted to the LBS service provider. Anyone can find out what kind of infrastructure is located at this coordinate by using Google Maps. Thus, we treat KFC as the attribute of Alice's current location (AASI) and protect this attribute, rather than the coordinate (existing side information). Among existing techniques, l-diversity focuses on the diversity of query content rather than the attribute of each location, and ignores the correlation between location and query content.


Fig. 1. Our motivation (I).

Fig. 2. Our motivation (II).

Different from the existing side information, AASI contains the basic attribute of each location together with its query probability. At a particular location, various queries are sent to the LBS server at different timestamps by different mobile users, so the query probabilities, query contents and location attributes are revealed to the LBS server. For example, Alice is having lunch in KFC and requests the nearest bus stop. The submitted query contains three important parts: the current location coordinate (the coordinate of KFC), the query content (bus stop) and the current timestamp (lunchtime, 12:00AM). In brief, AASI considers the query probability at each timestamp, the coordinate, the query content and the attribute of each location.

3.2. Motivation

Based on side information, most approaches select dummy locations with the same query probability as the real one, so that the adversary cannot pick the real location out of the dummy locations by query probability [22,24], as shown in Fig. 1(a). In Fig. 1(a), the local map is divided into 6 × 6 cells, each cell is shaded according to its historical query probability, and the blue user is the real mobile user Alice. In order to send dummy locations to the service provider, we choose some cells with the same query probability as the real mobile user (to increase uncertainty) as candidate dummy locations and mark them with a check mark (√). Existing works focus on spreading the submitted locations as far as possible [22,32], since long distances avoid the situation where the real mobile user and the dummy users stay in the same building (e.g., a hospital). In Fig. 1(b), we select dummy locations to construct a large region (i.e., CR1), indicated by the red dotted line, and the dummy locations are marked with grey users. However, a large hiding region only guarantees that the selected locations are not in the same building; it neglects the effect of the location attribute, as the following example explains. In Fig. 2(a), Alice is located in cell c1, where there is a McDonald's, and the dummy locations are in cells c2 and c3, where there are a KFC and a Pizza Hut respectively. Even though the area of the constructed region is guaranteed and all dummy locations are spread as far as possible, they are all located in restaurants that sell fast food and junk food. The adversary can then use this background information to infer that Alice may be at risk of diabetes or hypertension. In Fig. 2(b), the attributes of cells c4 and c5 are hospital and gas station respectively, and the newly constructed region is CR2.


Fig. 3. Map catching (New York City).

Fig. 4. Succinct sketch of A-tree.

Although the area of CR2 is smaller than that of CR1, each location in region CR2 has a different level of attribute. Then the adversary cannot use the location's attribute to infer Alice's true location and her personal information. In terms of the aforementioned illustrations, the attribute of a location plays a significant role in LBSs, as it is the basic potential information beyond the location itself. In the following, we pay attention to the potential effect of attributes and propose our relevant designs.

3.3. Attribute-based hierarchical tree (A-tree)

The graph-based method [14] considers various datasets to design a privacy-preserving scheme, ignoring the existence of location attributes. In this subsection, we design an attribute-based hierarchical tree termed the A-tree, which consists of 4 levels, as shown in Fig. 4. In order to refine attributes from real life clearly, we capture relevant information, including locations and points of interest (POIs), from Google Maps and Baidu Maps for the following data analysis, as shown in Fig. 3.


3.3.1. Quantifying attribute of location

In a local map the number of POIs is finite, and we use $Q$ to denote the POI pool. Since the number of attributes depends on the basic POIs in the local map, we define the attribute as follows:

Definition 1. Given the POI pool $Q$, the granularity of map division $G$, and the query probability $\pi_i$, i.e., the historical query probability of location $loc_i$: if $|G| < \rho$, the local map is a coarse-granularity division, otherwise it is fine-granularity. The number of attribute categories is calculated as follows:

$$|A| = \begin{cases} \eta, & \text{if } |G| < \rho \\ \zeta, & \text{if } |G| \ge \rho \end{cases}$$

where $|A|$ is the total number of attribute categories, $\eta < b\zeta$, $\frac{1}{2} < b < 1$, $\rho > 0$ and $\eta, \zeta \in \mathbb{N}^+$.

Therefore, the query probability of a particular cell unit containing several POIs is calculated as follows:

$$\pi_i = \max_{j=1}^{o} \{\pi_j\}, \quad (1)$$

where $o$ is the number of POIs in location $loc_i$, and $loc_j$ is one of the locations of cell $j$. The root node of the A-tree is the local map, the second level is the basic attribute, and the third level is the particular point of interest. Fig. 3(a) shows a 6 mile × 7 mile area of New York City from Google Maps. Fig. 3(b) displays a particular spot in New York City, with the nearby restaurants within 4 km marked (the red dots represent the relevant restaurants). In addition to the information from Google Maps and Baidu Maps, we consulted some popular social apps (i.e., Yelp, TripAdvisor, Foursquare) to obtain 7 basic attribute categories as examples, namely Restaurants, Bars, Services, Education, Shopping, Medical and Others, as shown in Fig. 4, and we use $A_i$ to represent each basic attribute. In the second level of the A-tree, each basic attribute contains sub-attributes; for example, the Restaurants attribute includes fast food, bakery, grill and so on. We list only a small part of each basic attribute in the sketch of the A-tree and use $A_i^\lambda$ to represent each sub-attribute. We display two sub-attributes, Fast Food and Women, to illustrate the third level of the A-tree, and some of their points of interest are shown in Fig. 4.

3.3.2. Determining weight of node

The dissimilarity of attributes decides a mobile user's privacy indirectly, so we define the grade scope $T$, with $T > 0$. In the second level of the A-tree, $|A|$ is the total number of attributes and $\lambda$ is the index of an attribute in that level. For instance, in Fig. 4, $|A| = 7$ and "Restaurants" is the first attribute of the A-tree ($\lambda = 1$). The range of the sub-attribute weight equals

$$\begin{cases} \left[1, \frac{\lambda T}{|A|}\right], & \text{if } \lambda = 1 \\ \left[\frac{(\lambda - 1) T}{|A|}, \frac{\lambda T}{|A|}\right], & \text{if } \lambda \ne 1. \end{cases}$$

In addition, mobile users can score a POI after using an application such as Yelp or Dianping. The value of the score decides the probabilities of recommending and choosing the POI. Therefore, we use the score of each POI to refine the weight of each sub-attribute in the A-tree, denoted $w_i^\lambda$, where the score is denoted $s_i$. The weight of $loc_i^\lambda$ is calculated as follows,

$$w_i^\lambda = \begin{cases} (\lambda - 1) \cdot \frac{T}{|A|} \times \left(1 + \frac{s_j}{\sum_{j=1}^{M} s_j}\right), & \text{if } \lambda \ne 1 \\ 1 + \frac{s_j}{\sum_{j=1}^{M} s_j}, & \text{if } \lambda = 1 \end{cases} \quad (2)$$

where $M \in \mathbb{N}^+$, $s_j$ is the score of $POI_j^\lambda$, $POI_j^\lambda$ belongs to $loc_j^\lambda$, $\lambda$ is the index of the sub-attribute $A_s^\lambda$, and $POI_j^\lambda$ of location $loc_j^\lambda$ belongs to sub-attribute $A_s^\lambda$. For instance, in Fig. 4, Panera is scored 4 stars ($s_1 = 4$), Wendy's 3 stars ($s_2 = 3$), Chipotle 5 stars ($s_3 = 5$), Domino's Pizza 4.8 stars ($s_4 = 4.8$) and Burger King 4 stars ($s_5 = 4$); then Panera in the sub-attribute Fast Food gets weight $w_1^1 = 1.19$ and, similarly, Domino's Pizza gets $w_4^1 = 1.23$. To improve retrieval efficiency, we use a B+ tree to build our A-tree, as shown in Fig. 5. In the 4th level of the A-tree, each leaf node contains a POI, its related location, its score and a pointer. The pointer links to the AASI, which is a dataset stored on the mobile user's smartphone. The minimum retrieval complexity is:



$$O_{min} = O\left(\log_{\lceil M/2 \rceil} \frac{N-1}{2}\right) = O\left(\log_2 \frac{N-1}{2} \times \log_{\lceil M/2 \rceil} 2\right) = O\left[\log_2 (N-1) - \log_2 2\right] \times O\left[\log_{\lceil M/2 \rceil} 2\right]$$


Fig. 5. Data structure of A-tree.

$= O[\log_2 N] - C = O[\log_2 N]$, where the parameter $M$ is the number of storage units in each node and $N$ is the total number of nodes.

3.4. Privacy metric

We adopt the concept of variance from statistics to design a privacy metric that measures the dissimilarities between a user's real location and the dummy locations. In statistics and probability theory, variance is the expectation of the squared deviation of a random variable from its mean; informally, it measures how far a set of numbers is spread out from its mean¹. In our APS, the attribute of each dummy location differs from the real location's attribute, so the privacy metric measures the dissimilarity of attributes between the dummy locations and the real location. Given the weights (Eq. (2)) and the query probabilities of the locations from the A-tree, the expectation of the locations can be calculated as follows,

$$\mu = \sum_{i=1}^{k} \pi_i \cdot w_i^{s},$$

where $\mu$ is the mean, $\pi_i$ is the query probability of location $loc_i^s$, $w_i^s$ represents the weight of $loc_i^s$, and $k$ is the number of submitted locations. Then our privacy metric can be constructed as follows,

$$PM = \sum_{i=1}^{k} \pi_i \cdot (w_i^s - \mu)^2. \quad (3)$$

Our privacy metric $PM$ measures the dissimilarity of the locations' attributes, avoiding submitted queries with the same attribute. The gap in attribute between the real location and the dummy locations reflects how difficult it is for the adversary to find the real location; hence the larger the value of $PM$, the better the privacy level.

Theorem 1. The privacy metric $PM$ measures the attribute dissimilarity of the submitted queries, and the greater the dissimilarity, the higher the privacy.

Proof. Given the query probability $\pi_i$ and weight $w_i^s$ of location $loc_i^s$, and the query probability $\pi'_i$ and weight $w_i^{\prime s}$ of location $loc_i^{\prime s}$, with $\pi_i > \pi'_i$ and $w_i^s > w_i^{\prime s}$, then

$$PM - PM' = \sum_{i=1}^{k} \pi_i \cdot (w_i^s - \mu)^2 - \sum_{i=1}^{k} \pi'_i \cdot (w_i^{\prime s} - \mu')^2$$

¹ https://en.wikipedia.org/wiki/Variance.


Fig. 6. System architecture.

$$= \sum_{i=1}^{k} \pi_i \cdot (w_i^s)^2 - \mu^2 - \sum_{i=1}^{k} \pi'_i \cdot (w_i^{\prime s})^2 + \mu'^2$$

$$= \sum_{i=1}^{k} \left(\pi_i \cdot (w_i^s)^2 - \pi'_i \cdot (w_i^{\prime s})^2\right) + \mu'^2 - \mu^2 > 0 \quad (4)$$
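The following Python block is an added example, not code from the paper or its authors. It implements the plain query probability of Section 3.1, the per-cell probability of Eq. (1), the score-refined sub-attribute weights of Eq. (2) and the variance-based metric of Eqs. (3) and (4) together, since the metric consumes the weights. The query log, the two dummy sets and the value T = 10 are constructed for illustration (the paper only requires T > 0); the Fast Food scores are the ones quoted in Section 3.3.2, and M is taken to be the number of scores stored in the node. It also checks the expansion used in the proof of Theorem 1, which holds only when the k query probabilities sum to 1.

```python
"""Added example, not from the paper: query probability (Section 3.1), Eq. (1),
the sub-attribute weights of Eq. (2) and the privacy metric of Eqs. (3)-(4).
The query log, dummy sets and T are constructed for illustration."""
from collections import Counter

T = 10.0       # grade scope T (assumed value; the paper only requires T > 0)
NUM_ATTR = 7   # |A|, the seven basic attributes of the A-tree in Fig. 4

# Constructed query history as (location, hour, query content): 28 of 100
# queries come from A and 37 from B, the shares quoted in Section 3.1.
QUERY_LOG = ([("A", 12, "bus stop")] * 20 + [("A", 19, "pharmacy")] * 8
             + [("B", 12, "restaurant")] * 30 + [("B", 9, "atm")] * 7
             + [("C", 18, "parking")] * 35)


def query_probabilities(log):
    """Plain side information: pi_i = queries from loc_i / queries over all n locations."""
    counts = Counter(loc for loc, _hour, _content in log)
    total = sum(counts.values())
    return {loc: cnt / total for loc, cnt in counts.items()}


def aasi_probabilities(log):
    """AASI keeps what plain side information drops: the probability of each
    (location, hour, query content) triple rather than of the location alone."""
    total = len(log)
    return {key: cnt / total for key, cnt in Counter(log).items()}


def cell_probability(poi_probs):
    """Eq. (1): a cell holding o POIs takes the largest of their probabilities."""
    return max(poi_probs)


def sub_attribute_weights(scores, lam):
    """Eq. (2): weights of the POIs in one sub-attribute node whose basic
    attribute is the lam-th of the A-tree; M = len(scores) scores share the node."""
    total = sum(scores)
    base = 1.0 if lam == 1 else (lam - 1) * T / NUM_ATTR
    return [base * (1 + s / total) for s in scores]


def mean_weight(pairs):
    """mu = sum_i pi_i * w_i over the k submitted (pi_i, w_i) pairs."""
    return sum(p * w for p, w in pairs)


def privacy_metric(pairs):
    """PM = sum_i pi_i * (w_i - mu)^2, Eq. (3); larger means more dissimilar attributes."""
    mu = mean_weight(pairs)
    return sum(p * (w - mu) ** 2 for p, w in pairs)


def expanded_metric(pairs):
    """The form used in Eq. (4): sum_i pi_i * w_i^2 - mu^2. It equals Eq. (3)
    only when the pi_i sum to 1, so normalise the k probabilities first."""
    mu = mean_weight(pairs)
    return sum(p * w * w for p, w in pairs) - mu ** 2


def normalise(pairs):
    """Rescale the query probabilities of the k chosen locations to sum to 1."""
    total = sum(p for p, _ in pairs)
    return [(p / total, w) for p, w in pairs]


# Fig. 4 example: the Fast Food node under Restaurants (lambda = 1).
FAST_FOOD_SCORES = [4, 3, 5, 4.8, 4]  # Panera, Wendy's, Chipotle, Domino's, Burger King

# Two constructed dummy sets for k = 3 as (pi_i, w_i): three fast-food
# locations (the Fig. 2(a) situation) versus fast food, hospital and gas station.
SAME_ATTR = [(0.34, 1.19), (0.33, 1.14), (0.33, 1.24)]
DIVERSE = [(0.34, 1.19), (0.33, 8.00), (0.33, 3.80)]

if __name__ == "__main__":
    print(query_probabilities(QUERY_LOG))
    print([round(w, 2) for w in sub_attribute_weights(FAST_FOOD_SCORES, 1)])
    print(privacy_metric(SAME_ATTR), privacy_metric(DIVERSE))
```

With the quoted scores the weights reproduce the paper's 1.19 for Panera and 1.23 for Domino's Pizza, and the diverse dummy set scores a far larger PM than the all-fast-food set, which is the ordering Theorem 1 relies on.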

□

3.5. Basic idea

To address the aforementioned problems, we specialize AASI and design an APS to protect mobile users' location privacy. First, we design an A-tree consisting of four levels, i.e., map, basic attributes, sub-attributes and related information of locations. In our A-tree, we employ AASI to calculate the weight of each leaf node, and each node has a basic query probability at different timestamps. The A-tree, illustrated in Subsection 3.3, establishes the foundation for our scheme.

Based on the proposed AASI and A-tree, we design a dummy-based solution consisting of VDA and DDA to preserve mobile users' privacy. In VDA, we traverse the local map to find dummy location candidates that have sent queries at time t in history (based on AASI). Furthermore, we use the A-tree to filter out those dummy location candidates whose attributes are similar to the real one. Based on the remaining candidates, we use the properties of the Voronoi Diagram to divide the local map into regions called Voronoi polygons, such that there is only one location candidate in each Voronoi polygon (guaranteed by the properties of the Voronoi Diagram). In DDA, we use the Four Color Map Theorem to color the regions constructed by VDA and select regions that have the same color as the mobile user's region; the Four Color Map Theorem guarantees that regions with the same color are not adjacent. Finally, the mobile user picks k − 1 locations from the regions selected in DDA, and these k − 1 locations serve as the dummy locations. The mobile user submits the dummy locations with different query contents, together with her real information, to the LBS server and requests the relevant service information. Through our APS, mobile users enjoy services from the LBS server while their real information is hidden in the dummy set.

4. Attribute-aware privacy-preserving scheme

According to the proposed AASI and A-tree, we design an APS containing VDA and DDA.
In this section, we first introduce the system architecture, which illustrates the basic data flow and the principles for choosing dummy locations. Then we explain the details of the algorithms and the basic pseudocode of each.

4.1. System architecture

Our system architecture mainly consists of 3 entities, i.e., the GPS module, our APS and the LBS server, as shown in Fig. 6. Our APS is a mobile-based scheme that avoids employing a trusted third party. Alice requires location-based services, and


Fig. 7. VDA module.

she obtains her location data from the GPS module of her mobile device. Based on AASI, she runs the VDA module to divide the local map into Voronoi polygons; the semi-processed data is delivered to the DDA module, which selects suitable dummy locations to construct the request. Finally, Alice submits the processed request to the LBS server. Generally, mobile users communicate with the LBS server through cellular networks or Wi-Fi. Furthermore, we assume that the AASI is already available on the user's smartphone, since this data can be gained from some well-known social sites (i.e., the Google Maps API). Another effective way is for mobile users to use the wireless access point-based solution designed in former work [22,23]. The attribute categories of the A-tree, and therefore its child nodes, differ from one local map to another.

4.2. Voronoi Dividing Algorithm (VDA)

Based on AASI, we carefully combine the A-tree with the Voronoi Diagram to partition the local map. The Voronoi Diagram is a plane partitioning method that divides a plane into Voronoi polygons based on the distance to the points in a specific subset of the plane. First, we review some theorems of the Voronoi Diagram that are employed in our algorithm.

Theorem 2. Each Voronoi polygon contains exactly one scattered point. (In our scheme, a single location is treated as a scattered point.)

Theorem 3. The closest pair of points corresponds to two adjacent Voronoi polygons in the Voronoi diagram.

With the guarantee of the above theorems, the selected scattered locations are dispersed as far as possible, and no two selected locations are adjacent. Based on the above theorems, we use a simple example to illustrate our solution, as shown in Fig. 7. The local map is divided into $R$ cells, represented as $Map = \{loc_1, loc_2, \cdots, loc_R\}$.
At a particular time $t$, suppose Alice stays in a library (i.e., $POI_u^a$); then her real location is $loc_u^a$, which belongs to attribute $A_b$ and sub-attribute $A_a^b$ respectively, she wants to know the nearest Starbucks (query content), and the query probability at $loc_u^a$ is $\pi_u$.

(i) In the initial phase, some grey cells can be filtered out from the local map based on AASI, as shown in Fig. 7(a). Alice is represented by the blue user, and the grey cells are locations from which users sent queries at time $t$ in history; they are collected in the set $C$ ($loc_u^a \in C$). Conversely, no queries were sent at time $t$ in history from a blank cell.

(ii) Based on the A-tree, the elements of set $C$ belong to different attributes. We randomly pick one sub-attribute $A_y^x$; if $loc_u^a$ is a child node of sub-attribute $A_y^x$ (i.e., $y = a$), we increment $x$ ($x$++) to consider the next attribute. We only judge whether $loc_u^a$ is a child node of $A_y^x$ in the first round. Otherwise, we select one node $loc_i^y$ in sub-attribute $A_y^x$ that meets $w_i^y \le \alpha + \lambda \frac{T}{|A|}$, where $w_i^y$ is the weight of $loc_i^y$ and $loc_i^y \in C$. The threshold $\alpha$ controls the gap between the real location and the dummy location candidates, with $0 < \alpha < \frac{T}{|A|}$, and $loc_i^y$ is stored in set $C'$. Similarly, we store the dummy location candidates selected from the different attributes during this threshold processing in set $C'$, as shown in Fig. 7(b), where the grey cells represent the dummy location candidates in set $C'$.

(iii) We employ the Delaunay Triangulation [10,18] to connect each pair of adjacent grey cells and draw their perpendicular bisectors, represented by the full lines in Fig. 7(b). In this example, the local map is separated into 12 Voronoi polygons (i.e., $v_1, v_2, \cdots, v_{12}$) by these full lines, which are collected in a set $\vartheta$ (i.e., $\vartheta = \{v_1, v_2, \cdots, v_{12}\}$), and the number of elements in set $\vartheta$ is $|\vartheta|$.

Definition 2. The Voronoi Diagram is denoted $G = (L, E)$, where $L = \{loc_1^x, loc_2^y, \cdots, loc_{|\vartheta|}^z\}$ and each location $loc_i^x$ belongs to exactly one region $v_j$, $v_j \in \vartheta$, $i < R$, $j < |\vartheta|$, and $x, y, z$ are variables indicating the index of the sub-attribute.

Please cite this article as: W. Li, C. Li and Y. Geng, APS: Attribute-aware privacy-preserving scheme in location-based services, Information Sciences, https://doi.org/10.1016/j.ins.2019.02.025


Each region is a Voronoi polygon that satisfies Theorems 2 and 3. By now, the local map is divided into 12 regions, and each region has only one scattered location (Theorem 2). Next, we apply Theorem 3 in reverse and choose dummy locations that are not adjacent to the region where Alice is located. The pseudocode of VDA is shown in Algorithm 1.

Algorithm 1: Voronoi dividing algorithm.

Input: $loc_u^a$, AASI, A-tree
Output: set C', set ϑ

while (j ≤ R) {
    if $loc_j^y$ sent queries at time t then
        $loc_j^y \in C$;
    else
        break;
}
while (|C|--) {
    if $loc_i^y$ isn't a child node of $A_{xy}$ && $loc_i^y \in$ set C && $w_i^y \le \alpha + \lambda \frac{T}{|A|}$ then
        $loc_i^y \in$ set C';
    else
        break to the next attribute;
}
Delaunay Triangulation connects each element in set C';
make perpendicular bisectors of the Delaunay Triangulation;
$\{v_1, \cdots, v_{12}\} \in \vartheta$;
Output the set C' and set ϑ;

4.3. Dummy Determining Algorithm (DDA)

Note that our DDA is based on the Four Color Map Theorem, which uses no more than four colors to color the regions covering the whole map so that no two adjacent regions have the same color [7]. The feature of the Four Color Map Theorem is as follows.

Lemma 1. Given any separation of a plane into contiguous regions, producing a figure called a map, no more than four colors are required to color the regions of the map so that no two adjacent regions have the same color (see footnote 2).

Our DDA aims at providing k-anonymity to protect the user's location privacy; in our example, we suppose k = 4. Sets ϑ and C' are output by VDA and act as the input to DDA, as shown in Fig. 6. Based on the results from VDA, Alice needs to filter out some inappropriate regions from set ϑ.

(i) We adopt four colors (red, yellow, green and blue) to color the whole map. The first region v1 is colored red, then v2 yellow, v3 green, and v4 blue. Since v5 is adjacent to regions v1 (red), v2 (yellow) and v9 (blue), in accordance with the color sequence, region v5 is colored green. In this way, all the regions are colored, as shown in Fig. 8(a).

(ii) The region where Alice is located is red (v6), and regions v1, v8, v12 have the same color; they are collected in set ϑ'. With the guarantee of Theorem 3 and the Four Color Map Theorem, we need to choose another 3 locations as dummy locations to achieve 4-anonymity. Therefore, Alice chooses regions v6, v1, v8 and v12 as dummy locations.

(iii) Based on the output from VDA, the weights of the elements in set C' have a limited gap with the mobile user's real location, meeting $w_i^y \le \alpha + \lambda \frac{T}{|A|}$. We arrange these elements of set C' in descending order of weight, and choose the larger one first. The hiding region is constructed as shown in Fig. 8(b): the red dotted rectangle is Alice's hiding region, and the red cells belong to set C' and set ϑ'.

(iv) The mobile user constructs requirements including the selected locations and query contents, and submits them to the LBS server for the relevant service data. Query contents are selected randomly from the POI pool Q, and each dummy location has a different query content, guaranteeing the mobile user's query privacy.

In our DDA, we suppose k = 4 to explain our algorithm; the value of parameter k is independent of the Four Color Map Theorem, so in brief, our DDA can be applied to any value of k. In Algorithm 2, we illustrate the basic steps of DDA.

2 https://en.wikipedia.org/wiki/Four_color_theorem.


Fig. 8. DDA module.

Algorithm 2: Dummy determining algorithm.

Input: parameter k, set ϑ, set C'
Output: Dummy locations

v1 = red;
for i from 1 to |ϑ| do
    if vi has an adjacent region that is red then
        if vi has an adjacent region that is yellow then
            if vi has an adjacent region that is green then
                if vi has an adjacent region that is blue then
                    break;
                else
                    vi = blue;
            else
                vi = green;
        else
            vi = yellow;
    else
        vi = red;
for j from 1 to |ϑ| do
    if vj has the same color as v6 then
        vj ∈ ϑ';
    else
        break;
Select k regions from set ϑ';
Select dummy query content for each dummy location;
Construct requirements;
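Putting Algorithms 1 and 2 together, the following Python is an added illustration (not the paper's code) of VDA and DDA on a constructed 16 × 16 cell map. It assumes λ = 1 and the T and |A| values of Table 2, approximates the Voronoi Diagram by nearest-site assignment on the grid instead of Delaunay triangulation, replaces the fixed colour sequence of Algorithm 2 with a backtracking four-colouring, and adds a fallback (not in the paper) for the case where the user's colour class holds fewer than k − 1 regions.

```python
"""Toy run of Section 4's pipeline (added illustration, not the paper's code;
all map data is constructed): VDA filters dummy candidates and builds a discrete
Voronoi partition, DDA four-colours it and picks k-1 non-adjacent dummies."""
import math
import random
from dataclasses import dataclass
from itertools import product

GRID = 16                 # local map is GRID x GRID cells
T, A_SIZE = 50, 7         # T and |A| from Table 2
LAMBDA = 1.0              # assumed value of the paper's constant λ
COLORS = ("red", "yellow", "green", "blue")


@dataclass(frozen=True)
class Cell:
    row: int
    col: int
    sub: str        # sub-attribute A_xy of the cell
    weight: float   # attribute weight w_i^y
    queried: bool   # queries were sent from this cell at time t (history)


ALICE = Cell(7, 7, "library", 12.0, True)   # real location loc_u^a
ALICE_QUERY = "Starbucks"
POI_POOL = ["Starbucks", "gas station", "ATM", "hotel", "museum", "gym"]
SAMPLE_CELLS = [  # constructed history cells: row, col, sub-attribute, weight, queried
    Cell(1, 1, "cafe", 5.0, True), Cell(1, 6, "pizzeria", 7.5, True),
    Cell(2, 12, "mall", 6.0, True), Cell(5, 3, "bookshop", 8.0, True),
    Cell(4, 9, "pharmacy", 4.0, True), Cell(6, 13, "clinic", 9.0, True),
    Cell(9, 1, "station", 3.0, True), Cell(10, 6, "cinema", 6.5, True),
    Cell(9, 11, "park", 5.5, True), Cell(13, 3, "bar", 7.0, True),
    Cell(13, 8, "market", 8.5, True), Cell(14, 13, "bus_stop", 2.0, True),
    Cell(3, 14, "library", 6.0, True),   # Alice's own sub-attribute: dropped
    Cell(12, 14, "school", 15.0, True),  # weight above the threshold: dropped
    Cell(7, 3, "bakery", 5.0, False),    # no query history at time t: dropped
]


def threshold(alpha):
    """Weight bound alpha + λ·T/|A| from VDA step (ii)."""
    return alpha + LAMBDA * T / A_SIZE


def vda_candidates(user, cells, alpha):
    """VDA steps (i)-(ii): history cells (C) minus the user's sub-attribute, within threshold (C')."""
    return [c for c in cells
            if c.queried and c.sub != user.sub and c.weight <= threshold(alpha)]


def voronoi_labels(sites, grid=GRID):
    """Discrete Voronoi: each cell gets its nearest site index (ties -> lower index)."""
    label = [[0] * grid for _ in range(grid)]
    for r, c in product(range(grid), repeat=2):
        label[r][c] = min(range(len(sites)),
                          key=lambda i: (math.hypot(r - sites[i].row, c - sites[i].col), i))
    return label


def region_adjacency(label, n_regions):
    """Regions are adjacent when two edge-sharing cells carry different labels."""
    adj = {i: set() for i in range(n_regions)}
    n = len(label)
    for r, c in product(range(n), repeat=2):
        for rr, cc in ((r + 1, c), (r, c + 1)):
            if rr < n and cc < n and label[rr][cc] != label[r][c]:
                adj[label[r][c]].add(label[rr][cc])
                adj[label[rr][cc]].add(label[r][c])
    return adj


def four_color(adj):
    """Backtracking proper colouring with Algorithm 2's four colours (exists for a planar map)."""
    order = sorted(adj, key=lambda v: -len(adj[v]))   # most constrained region first
    color = {}

    def solve(idx):
        if idx == len(order):
            return True
        v = order[idx]
        for col in COLORS:
            if all(color.get(u) != col for u in adj[v]):
                color[v] = col
                if solve(idx + 1):
                    return True
                del color[v]
        return False
    return color if solve(0) else None


def dda_select(user_region, sites, adj, color, k):
    """DDA (ii)-(iii): same-coloured regions are never adjacent to the user's; take the k-1 heaviest."""
    same = sorted((v for v in adj if v != user_region and color[v] == color[user_region]),
                  key=lambda v: -sites[v].weight)
    chosen = same[:k - 1]
    if len(chosen) < k - 1:   # assumed fallback, not in the paper: other non-adjacent regions
        extra = [v for v in adj if v not in chosen and v != user_region and v not in adj[user_region]]
        chosen += sorted(extra, key=lambda v: -sites[v].weight)[:k - 1 - len(chosen)]
    return [user_region] + chosen


def run_example(alpha=2.0, k=4, seed=0):
    """VDA then DDA for Alice; returns the intermediate sets and the requirements."""
    candidates = vda_candidates(ALICE, SAMPLE_CELLS, alpha)
    sites = [ALICE] + candidates                      # Alice's cell is region 0
    adj = region_adjacency(voronoi_labels(sites), len(sites))
    color = four_color(adj)
    dummies = dda_select(0, sites, adj, color, k)
    rng = random.Random(seed)                         # DDA step (iv): distinct dummy queries
    queries = [ALICE_QUERY] + rng.sample([q for q in POI_POOL if q != ALICE_QUERY], k - 1)
    requirements = [((sites[v].row, sites[v].col), q) for v, q in zip(dummies, queries)]
    return {"candidates": candidates, "adjacency": adj, "colors": color,
            "dummies": dummies, "requirements": requirements}
```

Alice's cell is region 0. Because the colouring is proper, every region that shares her colour is non-adjacent to hers, which is the Theorem 3 property DDA relies on; with α = 2 the threshold is 2 + 50/7 ≈ 9.14, so 12 of the 15 constructed cells survive VDA. When checking the output, assert on the proper colouring and on non-adjacency of the chosen dummies rather than on fixed region numbers, since the discrete Voronoi layout depends on the constructed site positions.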

4.4. Privacy analysis

Since the wireless channel between the mobile user and any other entity is open, an adversary can eavesdrop on the communication channel and mount attacks. Cryptographic techniques such as a public key infrastructure can be adopted in our scheme to avoid eavesdropping attacks. Moreover, our scheme resists other common attacks, such as colluding attacks and inference attacks.

Definition 3. A scheme is colluding attack resistant if $\forall i \in A$, $Pro(loc^x_{est,i} \mid loc \in O) = \lambda$, where A is the size of the colluding group, $loc_{est}$ is the location estimated by the adversary, O is the set of observed locations, $O = \{loc_i^x, \ldots, loc_j^y\}$, $|O| = k$, k is the parameter of k-anonymity, and λ is a constant.

Theorem 4. Our APS is colluding attack resistant.


Table 2. Notations.

Map size                    6 miles × 7 miles
Total number of users       10,000
The number of child nodes   18,924
k                           3, 4, ..., 20
Simulation time             800 min
The number of cells         160 × 160
T                           50
|A|                         7

Proof. The adversary may collude with some mobile users to learn more information about other users, or collude with the LBS server to infer mobile users' sensitive information. If the probability of successfully inferring the real information among k observed data does not change with the size of the colluding group, the scheme is colluding attack resistant. In our APS, the mobile user submits k locations to the LBS server, and the probability of a successful guess is 1/k. A mobile user can store history data and try to find the intersection between the history data and the intercepted data. If the mobile user's history data fully covers the intercepted data, this is the best case for her. In our scheme, VDA guarantees high uncertainty in terms of probabilities and attributes, and the real location cannot be located even if everyone knows how our APS algorithms work. Therefore, she can only guess the real location at random among the intercepted k locations. Similarly, even if the colluding group has more members, they have only partial information and guess at random, which means the size of the colluding group cannot affect the probability of a successful guess. Based on the above analysis, our APS is colluding attack resistant. □

Definition 4. A scheme is inference attack resistant if $\forall i, j$, $Pro(loc_i^x \mid loc_u^y \in O) = Pro(loc_j^x \mid loc_u^y \in O)$, or $Pro(loc_i^x \mid loc_u^y \in O) \ne Pro(loc_j^x \mid loc_u^y \in O)$, where i, j satisfy $0 < i \ne j < k$, and x, y are variables denoting the number of the sub-attribute.
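Definitions 3 and 4 can be checked mechanically on a submitted set O. The following Python is an added illustration, not the paper's code: it assumes an adversary whose side information is each location's query probability, computes the resulting posterior on the real location, and applies the two conditions of Definition 4 together with the attribute-dissimilarity argument used in the proof of Theorem 5. The two sample sets are constructed; the first mimics randomly chosen dummies, the second mimics a VDA-style selection with comparable query probabilities and distinct sub-attributes.

```python
"""Adversary-side check of Definitions 3 and 4 on a submitted location set O.
Added illustration, not the paper's code; the sets below are constructed."""
from itertools import combinations

# Each entry: (location id, query probability π known to the adversary, sub-attribute A_xy).
# Index 0 is the real location loc_u^a in both constructed sets.
RANDOM_SET = [("loc_u", 0.40, "library"), ("loc_3", 0.05, "cafe"),
              ("loc_9", 0.10, "cafe"), ("loc_14", 0.02, "park")]
APS_SET = [("loc_u", 0.10, "library"), ("loc_2", 0.08, "cafe"),
           ("loc_7", 0.12, "pharmacy"), ("loc_11", 0.09, "station")]


def posterior(submitted):
    """Adversary's belief that each element of O is the real one, proportional
    to its query probability (uniform prior over O, query probability as side information)."""
    total = sum(p for _, p, _ in submitted)
    return [p / total for _, p, _ in submitted]


def exposing_probability(submitted, real_idx=0):
    """Probability that the adversary's best-informed guess lands on the real location."""
    return posterior(submitted)[real_idx]


def shares_sub_attribute(submitted):
    """True when two submitted locations carry the same sub-attribute."""
    subs = [s for _, _, s in submitted]
    return len(subs) != len(set(subs))


def inference_resistant(submitted, tol=1e-9):
    """Definition 4 (posteriors all equal, or all pairwise different), combined
    with the attribute dissimilarity that the proof of Theorem 5 relies on."""
    pairs = list(combinations(posterior(submitted), 2))
    all_equal = all(abs(a - b) < tol for a, b in pairs)
    all_distinct = all(abs(a - b) >= tol for a, b in pairs)
    return (all_equal or all_distinct) and not shares_sub_attribute(submitted)


def colluding_success(submitted, group_size):
    """Definition 3: every colluder observes the same k submitted locations, so the
    union of the group's views is still O and a random guess succeeds with 1/k."""
    union = set()
    for _ in range(group_size):
        union |= {loc for loc, _, _ in submitted}
    return 1 / len(union)
```

On the random set the real location's query probability dominates, so the exposing probability is 0.40/0.57 ≈ 0.70 and two dummies share a sub-attribute; on the VDA-style set it is 0.10/0.39 ≈ 0.26, close to 1/k, and all posteriors differ, which is the second situation of Definition 4.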

Theorem 5. Our APS is inference attack resistant.

Proof. In this part of the analysis, we treat the LBS server as an active adversary with the ability to collect and tamper with data. The adversary has strong computation and storage capacity, and also knows all information, such as the query probabilities of the local map, AASI, the A-tree, the submitted locations and query contents, etc. The adversary then makes full use of the observed information and background information to infer the mobile user's real information; there are two situations in which the adversary cannot find out the real information. The first situation meets $Pro(loc_i^x \mid loc_u^y \in O) = Pro(loc_j^x \mid loc_u^y \in O)$, which means all of the observed information has the same profile (i.e., query probability, attribute). Therefore, no single location differs from the other submitted locations, and the adversary cannot find out the real one. The second situation meets $Pro(loc_i^x \mid loc_u^y \in O) \ne Pro(loc_j^x \mid loc_u^y \in O)$, which represents all of the observed information being different. Therefore, from the adversary's point of view, the observed locations differ from each other, and the real information cannot be inferred. In our scheme, based on VDA, the observed locations have different attributes, and then this information has maximum dissimilarity in terms of PM. The adversary cannot infer the potential relationship among the submitted locations. Our APS belongs to the second situation, and the submitted locations have different attributes. Therefore, no two submitted dummy locations from our APS have high attribute similarity. The adversary cannot find out the real location among the observed locations according to query probabilities and attributes, so our APS is inference attack resistant. □

5. Performance evaluations

In this section, we evaluate the performance and privacy properties of our proposed APS, and present the relevant evaluation results to indicate the efficiency and effectiveness of APS.

5.1. Simulation setup

In the simulation, 10,000 mobile users are deployed in a 6 miles × 7 miles area of New York City, shown in Fig. 3(a), and these mobile users follow the Levy walk mobility model [28], which has been shown to better describe the mobility patterns of human beings [11]. In the default setting, the local map is divided into 160 × 160 cells, each cell a 60 m × 70 m rectangle, and the initial query probability information is obtained from the Google Maps API. In order to obtain the AASI and all the child nodes of the A-tree, we collect data from Google Maps and Yelp; there are 18,924 kinds of child nodes. Several parameters are employed in our evaluation: k is related to k-anonymity and is commonly set from 3 to 20; parameter α is the gap threshold of the attribute weight, which is set by the mobile user. Table 2 shows the basic settings of our simulation.


Fig. 9. Execute time and communication cost vs. α.

5.2. Performance evaluation results

In this subsection, we present the performance evaluation results of our scheme. Generally, the parameters k and α (Section 4.2) play the significant roles in our APS, and we compare the results from the aspects of communication cost and execution cost.

5.2.1. α vs. communication cost and execution time

The threshold α is employed in VDA to control the standard for selecting dummy candidates. We plot the communication costs and execution results in Fig. 9 with changing α, choosing two values of parameter k, i.e., k = 5 and k = 15. Generally, the communication cost stays stable as α increases, since α is only applied in the system processing phases and does not control the value of k or the size of the submitted requirements. Obviously, the parameter k is related to the communication cost, since it decides the number of requirements, but the size of a single submitted requirement is unaffected by k. Execution time also keeps steady as α increases. In VDA, the threshold α is used to calculate the gap of weight; since the system needs to traverse the whole A-tree regardless, the value of α doesn't affect the system execution time. When parameter k increases, our APS needs more time to choose more dummy candidates, but the time is less than 1 s when k = 10.

5.2.2. Time vs. size of set C and execution time

Based on the A-tree, each location has a specific attribute, which has a potential relationship with the time of day, and APS is a time-sensitive scheme when selecting dummy candidates and assigning a weight to each node. Time is independent of the communication cost, thus we evaluate the storage cost as the time changes, i.e., the size of set C. Based on our default setting, we evaluate the size of set C at different times when α = 2 and α = 6. Since query probabilities follow mobile users' habits and attribute distributions [13], the size of set C follows the daily hours, as shown in Fig. 10. For instance, more users use LBSs at lunchtime than at midnight, and the peak point and lowest point in Fig. 10 appear at 4AM and 12AM respectively. The set C is used to store the dummy candidates following the regularity of searching time, so the factor of time decides the size of set C. However, the daily hours have no relationship with APS's execution time, as shown in Fig. 10.


Fig. 10. Execute time and communication cost vs. N.

5.2.3. The number of cells vs. size of set C and execution time

The division of the local map decides the weight of each cell unit and the representative POI in the cell unit; therefore the A-tree is related to the granularity of the map division. If the size of a cell unit is large, it contains diverse POIs, and the attribute of this large cell unit depends on the POI with the highest query probability. Thus, the size of a cell unit affects the attribute of that cell unit, and a fine-grained division offers more accurate information than a coarse-grained division. In our scheme, the local map is divided into cells of the same size, and each cell has its own attribute; therefore the area of each cell (or the number of cells) affects the execution time of our APS, since it decides the frequency of map traversal. We consider 4 divisions of the local map (i.e., 40 × 40, 80 × 80, 120 × 120, 160 × 160); the fine-grained division results in more attributes, which takes more time than the coarse-grained division. In brief, fine-grained division takes more execution time and storage cost, as shown in Fig. 11.

5.2.4. |A| vs. time cost

In the A-tree, the number of attribute categories |A| decides the construction time. In Fig. 12, we compare the utility cost (communication cost and execution time) as |A| changes when k = 5 and k = 15. Obviously, the communication cost depends on the value of parameter k rather than on the number of attributes, but the execution time is related to the number of attributes. From the aspect of execution cost, the greater |A|, the greater the time cost, since VDA and DDA contain traversal steps that affect the execution time of APS. Even though a greater |A| leads to more time cost, the finer granularity of attributes supports more accurate selections, including dummy locations and dummy query contents.

5.3. Privacy evaluation results

In this subsection, we evaluate the privacy of our APS from the aspects of exposing probability and PM. We also compare our scheme with the existing approaches from the privacy point of view.

5.3.1. APS vs. other schemes

Our APS considers AASI and side information; we compare our APS with other existing works, as shown in Table 3. Most existing schemes pay attention to query probabilities [2,3,26] rather than AASI, and ignoring the effect of location attributes leads to potential privacy risks. In Table 3, one scheme [9] utilized dummy locations to achieve anonymity without an anonymizer, but it focused on reducing communication costs and ignored some side information. The other schemes in


Fig. 11. Execute time and size of set C vs. the number of cells.

Table 3. Comparisons of different approaches on privacy properties.

Scheme          Side information   AASI   Query privacy   Location privacy
Anony [9]       ×                  ×      ×               √
Casper [20]     ×                  ×      √               ×
CAP [26]        √                  ×      √               ×
LISA [2]        √                  ×      √               √
Casper∗ [3]     √                  ×      √               ×
MobiCrowd [30]  √                  ×      ×               √
CaDSA [23]      √                  ×      ×               √
PIM [34]        √                  ×      ×               √
APS             √                  √      √               √

Table 3 only consider the aspect of probability in designing privacy-preserving schemes. Our APS adopts the query probability and location attribute to filter the local map, which resists inference attacks.

5.3.2. Privacy metric vs. k

We evaluate the relationship between the parameter k and the privacy level (i.e., exposing probability and privacy metric), as shown in Fig. 13. In Fig. 13(a), exposing probabilities decrease with parameter k; the existing works compared here are dummy-based solutions. Among these schemes, the optimal scheme is the theoretical optimum, which has the lowest exposing probability. The baseline scheme is the random scheme, which ignores that the adversary may exploit side information and AASI, and so has the highest exposing probability. As a result, our APS has a lower exposing probability because we consider the effect of AASI, whereas TTcloak [24] only considers existing side information and Dummy-Q [27] doesn't consider side information. A scheme that considers AASI avoids revealing the potential relationship among submitted locations, so its exposing probability is much lower than the others. In Fig. 13(b), we evaluate the relationship between k and PM. Since only APS considers AASI and PM contains location-attribute-related parameters, we only compare the privacy metric PM of APS with the optimal scheme and the baseline scheme, which have the optimal and random values in theory. The privacy metric is designed in Section 3.4 and contains the probabilities and weights of attributes. In DDA, the value of parameter k affects the number of dummy locations selected; as the value of k increases, the value of the privacy metric PM increases.


Fig. 12. Execution time and communication time vs. M.

Fig. 13. Privacy evaluation results.

6. Conclusions

In this paper, we studied some limitations of the existing concept of side information, and proposed attribute-aware side information that considers the attribute of each location. First, we designed an attribute tree, called the A-tree, which contains basic attributes, sub-attributes and particular locations. In order to measure the dissimilarity between submitted locations, we used variance to propose a privacy metric that measures the privacy level of mobile users. Then, we proposed


a dummy-based scheme, APS, to protect mobile users' location privacy and query privacy, including two algorithms, VDA and DDA. In VDA, we employed the Voronoi Diagram to divide the local map so that the selected locations are not adjacent. Next, we employed the Four Color Map Theorem to construct the hiding region in DDA, guaranteeing that the dummy locations spread as far as possible. Finally, we proved the privacy properties and presented evaluation results that indicate the effectiveness and efficiency of our proposed APS.

Acknowledgments

This work was supported by the National Key Research and Development Program of China (2017YFB0802203, 2017YFB0802201), and the National Natural Science Foundation of China (61672411 and 501100001809U1401251).

References

[1] A. Beresford, F. Stajano, Location privacy in pervasive computing, IEEE Pervasive Comput. 2 (1) (2003) 46–55.
[2] Z. Chen, X. Hu, X. Ju, K. Shin, Lisa: location information scrambler for privacy protection on smartphones, in: Proc. of IEEE CNS 2013, 2013.
[3] C.-Y. Chow, M.F. Mokbel, W.G. Aref, Casper∗: query processing for location services without compromising privacy, ACM Trans. Database Syst. 34 (4) (2009).
[4] F. Fei, S. Li, H. Dai, C. Hu, W. Dou, Q. Ni, A k-anonymity based schema for location privacy preservation, IEEE Trans. Sustain. Comput. PP (99) (2017) 1–1.
[5] B. Gedik, L. Liu, Protecting location privacy with personalized k-anonymity: architecture and algorithms, IEEE Trans. Mob. Comput. 7 (1) (2008) 1–18.
[6] X. Gong, X. Chen, K. Xing, D.-H. Shin, M. Zhang, J. Zhang, Personalized location privacy in mobile networks: a social group utility approach, in: Proc. of IEEE INFOCOM 2015, 2015.
[7] G. Gonthier, Formal proof: the four-color theorem, Notices of the AMS 55, 2008.
[8] M. Gruteser, D. Grunwald, Anonymous usage of location-based services through spatial and temporal cloaking, in: Proc. of ACM MobiSys 2003, 2003.
[9] H. Kido, Y. Yanagisawa, T. Satoh, An anonymous communication technique using dummies for location-based services, in: Proc. of IEEE ICPS 2005, 2005.
[10] D.-T. Lee, B. Schachter, Two algorithms for constructing a Delaunay triangulation, Int. J. Comput. Inf. Sci. 9 (3) (1980) 219–242.
[11] K. Lee, S. Hong, S.J. Kim, I. Rhee, S. Chong, Slaw: a new mobility model for human walks, in: Proc. of IEEE INFOCOM 2009, 2009.
[12] N. Li, T. Li, S. Venkatasubramanian, t-closeness: privacy beyond k-anonymity and l-diversity, in: Proc. of IEEE ICDE 2007, 2007.
[13] W. Li, B. Niu, H. Li, Privacy preservation strategy in time-sensitive LBSs, in: 2017 IEEE Second International Conference on Data Science in Cyberspace (DSC), 2017.
[14] X. Li, C. Zhang, T. Jung, J. Qian, L. Chen, Graph-based privacy-preserving data publication, in: Proc. of IEEE INFOCOM 2016, 2016.
[15] X. Liu, K. Liu, L. Guo, X. Li, Y. Fang, A game-theoretic approach for achieving k-anonymity in location based services, in: Proc. of IEEE INFOCOM 2013, 2013.
[16] A. Machanavajjhala, J. Gehrke, D. Kifer, M. Venkitasubramaniam, L-diversity: privacy beyond k-anonymity, in: Proc. of IEEE ICDE 2006, 2006.
[17] J. Manweiler, R. Scudellari, L.P. Cox, Smile: encounter-based trust for mobile social services, in: Proc. of ACM CCS 2009, 2009.
[18] M. Meyer, M. Desbrun, P. Schröder, A.H. Barr, Discrete Differential-Geometry Operators for Triangulated 2-Manifolds, Springer, Berlin Heidelberg, pp. 35–57.
[19] J. Meyerowitz, R.R. Choudhury, Hiding stars with fireworks: location privacy through camouflage, in: Proc. of ACM MobiCom 2009, 2009.
[20] M.F. Mokbel, C.-Y. Chow, W.G. Aref, The new Casper: query processing for location services without compromising privacy, in: Proc. of ACM VLDB 2006, 2006.
[21] Z. Montazeri, A. Houmansadr, H. Pishro-Nik, Achieving perfect location privacy in wireless devices using anonymization, IEEE Trans. Inf. Forensics Secur. PP (99) (2017) 1–1.
[22] B. Niu, Q. Li, X. Zhu, G. Cao, H. Li, Achieving k-anonymity in privacy-aware location-based services, in: Proc. of IEEE INFOCOM 2014, 2014.
[23] B. Niu, Q. Li, X. Zhu, G. Cao, H. Li, Enhancing privacy through caching in location-based services, in: Proc. of IEEE INFOCOM 2015, 2015.
[24] B. Niu, X. Zhu, W. Li, H. Li, Y. Wang, Z. Lu, A personalized two-tier cloaking scheme for privacy-aware location-based services, in: Proc. of IEEE ICNC 2015, 2015.
[25] S.T. Peddinti, A. Dsouza, N. Saxena, Cover locations: availing location-based services without revealing the location, in: Proc. of ACM WPES 2011, 2011.
[26] A. Pingley, W. Yu, N. Zhang, X. Fu, W. Zhao, CAP: a context-aware privacy protection system for location-based services, in: Proc. of IEEE ICDCS 2009, 2009.
[27] A. Pingley, N. Zhang, X. Fu, H.-A. Choi, S. Subramaniam, W. Zhao, Protection of query privacy for continuous location based services, in: Proc. of IEEE INFOCOM 2011, 2011.
[28] I. Rhee, M. Shin, S. Hong, K. Lee, S.J. Kim, S. Chong, On the Levy-walk nature of human mobility, IEEE/ACM Trans. Netw. 19 (3) (2011) 630–643.
[29] R. Shokri, G. Theodorakopoulos, G. Danezis, J.-P. Hubaux, J.-Y.L. Boudec, Quantifying location privacy: the case of sporadic location exposure, in: Proc. of ACM PETS 2011, 2011.
[30] R. Shokri, G. Theodorakopoulos, P. Papadimitratos, E. Kazemi, J.-P. Hubaux, Hiding in the mobile crowd: location privacy through collaboration, IEEE Trans. Dependable Secur. Comput. 11 (3) (2014) 266–279.
[31] R. Shokri, G. Theodorakopoulos, C. Troncoso, J.-P. Hubaux, J.-Y.L. Boudec, Protecting location privacy: optimal strategy against localization attacks, in: Proc. of ACM CCS 2012, 2012.
[32] R. Shokri, C. Troncoso, C. Diaz, J. Freudiger, J.-P. Hubaux, Unraveling an old cloak: k-anonymity for location privacy, in: Proc. of ACM WPES 2010, 2010.
[33] X. Wang, A. Pande, J. Zhu, P. Mohapatra, Stamp: enabling privacy-preserving location proofs for mobile users, IEEE/ACM Trans. Netw. 24 (6) (2016) 3276–3289.
[34] Y. Xiao, L. Xiong, Protecting locations with differential privacy under temporal correlations, in: Proc. of ACM CCS 2015, 2015.
[35] D. Yang, X. Fang, G. Xue, Truthful incentive mechanisms for k-anonymity location privacy, in: Proc. of IEEE INFOCOM 2013, 2013.
[36] Y. Zhang, W. Tong, S. Zhong, On designing satisfaction-ratio-aware truthful incentive mechanisms for k-anonymity location privacy, IEEE Trans. Inf. Forensics Secur. 11 (11) (2016) 2528–2541.
[37] H. Zhu, F. Wang, R. Lu, F. Liu, G. Fu, H. Li, Efficient and privacy-preserving proximity detection schemes for social applications, IEEE Internet Things J. (2017) 1–1.
