Improved angelization technique against background knowledge attack for 1:M microdata

Motivation

Most of the published work in data privacy focuses on either privacy or utility. Keeping a balance between them has always remained an open research problem among researchers. Therefore, the main focus of this research is to come up with an optimized solution where the privacy of the sensitive attributes does not affect the utility of the quasi attribute. A novel solution is needed to independently publish the sensitive table and quasi data without affecting the utility and privacy of the anonymized data. Also, the data should be real-life realistic data, i.e., 1:M data.

The Table 1 of EHRs having 1:M microdata of different individuals are classified into; unique identifier attributes—ID (e.g., name, national identification number, passport number), quasi identifier attributes—QI (e.g., age, gender, zip code, country, religion), and confidential or sensitive attributes—SA (e.g., Symptoms).

Before publishing the data, removing only the ID is not enough because the attacker (i.e., intruder) that can re-identify individual record respondents using some background knowledge—BK (i.e., external source of knowledge that helps in re-identification of an individual) by combining the certain pattern of QIs with some externally available data (e.g., census or voting data), to perform the linking attack, (see Fig. 1).

The θ-Sensitive k-Anonymity is a state-of-the-art privacy algorithm, which is applicable to preserve privacy for a single sensitive (SA). However, in addition to low data utility, it cannot work directly for any other type of data. Similarly, the (p, l)-angelization (Kanwal et al., 2019), does not focus for data utility improvement. The following scenario explains θ-Sensitive k-Anonymity approach inapplicability for 1:M microdata and its low data utility, and also (p, l)-angelization (Kanwal et al., 2019) high utility loss.

• Scenario I Sensitive Vertical Attack (sVer):

The initial work for 1:M in (k, l)-diversity (Gong et al., 2017) partially generalize the SA, which give a privacy leakage window to the adversary and reveal the current medical status of a person with the help of some background knowledge; information about a most recent visit or the first visit (either his disease is progressing (worsening), or recovering).

The (k, l)-diversity used a transaction generalization technique (Gong et al., 2017) to apply k-anonymity on SAs. The lowest common cut on transaction generalization hierarchy, leaves the single SA from different sub-set unprotected and vulnerable, as shown in Fig. 2. In Fig. 2, if a patient’s SAs of multiple records are headache, flu, tiredness, and chills, the (k, l)-diversity will make a lowest common cut on transaction generalization hierarchy and generalize the SAs into ‘Low, Chills’. The Low node covers headache, flu, tiredness leaf-nodes and Chills cover chills; which remains ‘unprotected and vulnerable and also keeps the Cough leaf-node isolated, which any potential adversary can exploit both the Chills and Cough leaf-nodes, this causes sVer attack, due to partially generalized sensitive attributes.

• Scenario II inapplicability for 1:M microdata:

The θ-Sensitive k-Anonymity algorithm (Khan et al., 2020a) is based on the θ-threshold value; which is a multiplied component of variance, and observation1. The variance calculation in each EC (i.e., group of anonymous records) is concerning with the frequency distribution of SA values.

If there are more than one SA values for a single record (1:M microdata), then the variance calculation in an EC is not possible. For example to check the inapplicability of θ-Sensitive k-Anonymity for 1:M microdata, consider Table 1 having 1:M microdata. For an anonymized EC, the θ is obtained as Eq. (2), based on variance is obtained as Eq. (1). That shows inapplicability of the threshold value for the 1:M dataset. (1)${\displaystyle {\sigma }^2=\left(\frac{\Sigma F{X}^2}{N}-{\left(\frac{\Sigma FX}{N}\right)}^2\right)}$ (2)${\displaystyle \theta =VarianceofafullydiverseEC\left({\sigma }^2\right)\times Observation1\left(\mu \right).}$

It is obvious that the sensitive values and the corresponding frequency distributions can not be applied to 1:M microdata in Table 1. The reason is that the Symptoms attribute in Table 1 has more than one sensitive value for a specific individual record, which does not represent a frequency distribution for a specific sensitive value. Similarly, if Table 1 is transformed to Table 2; having a complete record in a single tuple. Again, the SA values are more than one in a single tuple, and the θ-Sensitive k-Anonymity approach can not be directly applied to implement diversity in an EC. So, the variance-based θ threshold calculation to obtain a diverse EC is not applicable for 1:M microdata.

• Scenario III High utility loss:

It is based on two approaches.

(a) The θ-Sensitive k-Anonymity (Khan et al., 2020a) approach only focuses the attribute disclosure prevention and does not have any consideration for improving the utility of the anonymized data. The algorithm for the θ-Sensitive k-Anonymity begins with checking the k for its minimum value and no further utility improvement consideration is available in the rest of the algorithm.

(b) The (p, l)-angelization (Kanwal et al., 2019) splits the microdata table T into Quasi Table (QT) and Sensitive Table (ST). However, the sensitive buckets inside each table have a one-to-one correspondence with one another, which affects the utility in the QT.

Contribution

The main contributions of the proposed (θ^∗, k)-utility privacy algorithm are as follows.

• The proposed (θ^∗, k)-utility privacy algorithm, categorizes the SA values of 1:M microdata into Low, Mild, High, Severe, and A-symptomatic values, based on the category Table 3 to reshape the original microdata Table 1 into Table 4, for the purpose to get the 1:1 microdata. The SA 1:M record values are replaced with category table SA values. If the SA values are repeated in more than one category, the higher category value is considered and ignored the lower one and stored in history table.

• The proposed algorithm using the angelization approach, anonymizes the microdata T in Table 1 into QT and ST (see Section 5) and are linked through the Bucket ID (BID) using the one-to-many correspondence (i.e., QS-Loose Linkability) for improving utility and privacy, instead of one-to-one correspondence.

• Based of the above points, the experiment results demonstrate the out performance of the proposed (θ^∗, k)-utility privacy algorithm, as compared to its counterparts in terms of utility and privacy.

The rest of the article is organized as follows. Section 2 discusses Related Work. Section 3 covers the Preliminaries, and Section 4 discusses the HLPN analysis of previous models. Section 5 discusses the proposed algorithm. Section 6 discusses the Experimental Analysis. Section 7 depicts some Discussion on the base and current proposed work. Section 8 concludes the article with possible future research directions.

Privacy for 1:1 microdata

Lv & Piccialli (2021) approach is based on the combination of k-anonymity and algorithm of K-A-DP to preserve data privacy. It reduces risks of privacy loss, but It only focuses on numeric values. The author discussed that DP is used for protection when stored in a different place and applied to stored data. It also provides data privacy of electronic health records that cause utility loss (Choudhury et al., 2019). Tu et al. (2018) discussed the model used for preserving the vulnerability of records using the k anonymity. It is used to minimize vulnerability to identify the records, but identifying sensitive values can not completely protect that cause breach. Liu & Li (2018) proposed an approach that is k-anonymous based on clustering. This process is time-consuming in terms of finding anonymous equivalence.

The article (Nasir et al., 2017) prevents the attribute disclosure with skewness attack, which extended the distribution scheme based on the weighted table. It provides low data privacy for the same sensitive values due to non-generalized quasi values. Lee & Lee (2017) proposed a model that used the identification factors to predict the re-identification of quasi attributes. The identification probability is based on some factors. But also, it can not fully minimize the aspect of re-identification. Majeed, Ullah & Lee (2017) proposed the protection of personal identity information from vulnerability. It provides data privacy to minimize vulnerable records but still has low diversity. Yaseen et al., (2018) proposed a model based on conventional, divisor, and cardinality hierarchy. That generates generalization hierarchies but does not focus on textual values. Anjum et al. (2018) extended the p+-sensitive k-anonymity and improved this in a balanced p+-sensitive k-anonymity model. It has low diversity for sensitive attributes.

Raju, Seetaramanath & Rao (2019) proposed a model based on slicing, which correlated quasi attributes. The suppression of sensitive attributes depends on the threshold used to create one sensitive value used for all sensitive attributes. A lot of QI and SA suppression may cause huge utility losses. Song et al. (2019) proposed a model that used k-anonymous data using noise addition and randomization for categorical data. It may be used for privacy but not use for long-range numeric data. The author presents the improved k-Anonymity with l diversity; the k anonymity and l diversity protect the identity disclosure. It provides data utility (Jain, Gyanchandani & Khare, 2020). The θ-Sensitive k-Anonymity is a variance-based θ threshold calculation to obtain diverse Equal Classes. Although the θ-Sensitive k-Anonymity prevents attribute disclosure with sensitive variance and similarity, it cannot be used directly for 1:M microdata (Khan et al., 2020a).

Privacy for 1:M microdata

The 1:M type of data is a more realistic form of records stored in EHRs. The(k, l)-diversity model based on 1:M generalization, which prevented attribute disclosure (Gong et al., 2017). But it provides low utility and privacy for data. Wang et al. (2019b) the algorithm is based on clustering, various decision functions used, but is vulnerable to sensitive attributes. It provides utility for quasi attributes but still has vulnerable to sensitive attributes. The author discussed the approach based on providing privacy for vulnerability disclosure using the model of 1: M MSA- (p, l)-diversity. The attribute disclosure is prevented through this model but also has low data utility due to one-to-one linkage (Kanwal et al., 2021). Anjum et al. (2018) proposed a heuristic approach to protect the sensitive and quasi values using splitting. It provides privacy but gives low data utility due to 1:1 correspondence. The l-anatomy focuses on the utility of data (Anjum et al., 2019). But they publish the sensitive attributes without generalization. This approach deals with achieving utility, but that may not provide enough security. The generic 1:M data privacy (G-model) model uses the signature method to achieve privacy (Albulayhi, Tošić & Sheldon, 2020). However, it has a limitation in which attackers can attack using the signature values to spot records.

The author focuses on COVID-patient data, where the privacy keeps through spatial k-anonymity. But it has limitations to achieving privacy, causing loss of privacy (Iyer et al., 2021). This author discussed the approach for privacy-preserving using the k-Anonymity. The focus is using the values of (p, and l) as a threshold. But it cannot prevent the sensitive variance attack, although this approach uses k-anonymity to improve the privacy. It provides low data privacy (Zhang et al., 2017). The author used the approach of (α, k) to protect privacy. The Poker dataset is used to measure results, and it cannot protect from the attack to sensitive attributes. It protects from identity disclosure. The attacker accesses the data using a background knowledge attack with low data utility (Wang et al., 2019a). The (p, l)-angelization (Kanwal et al., 2019) for 1:M-MSA data has very low utility considerations. Although, (p, l)-angelization creates two tables linking through a bucket id (BID). However, that linkage is useless and contributes to utility improvement because of the one-to-one correspondence between the two tables.

The previous approaches do not provide privacy for sensitive attributes and data utility. If someone deals with they cannot directly be used for the 1:M dataset or cannot prevent from background knowledge attack on sensitive attributes for 1:M COVID-19 data (Gong et al., 2017; Kanwal et al., 2019); so to preserve the 1:M dataset privacy and data utility, we overcame these limitations and extended the θ-Sensitive k-Anonymity because the θ-Sensitive k-Anonymity deals with similarity and variance attack for 1:1 and overcome the limitation of privacy and utility in 1:M microdata to preserve the COVID-19 patient data privacy.

(k, l)-diversity

The formal modeling and analysis reveals the way how an adversary can perform a sensitive vertical attack on the 1:M dataset as shown in Fig. 3. The working of (k, l)-diversity given in Kanwal et al. (2019) from Rule (1) to (12), where data is taken from data owner and data publisher anonymized it. The types are shown in Table 6 and data placed with description in Table 7. The black rectangular boxes show transition arrows showing the flow, and circles represent places or sub-part of the system. The data owner, data publisher, and the adversary are the entities.

The first transition shows input taken from the data owner of 1:M data after taking, anonymizing the data, and publishing it. After publishing that data adversary can perform an attack on it. The anonymization process starts from transformation and then checks the individual record, distinct at least k-1. After this in each subpartition, the GSA record is balanced and after that stored in IT-v. The G-list consists of records less than k. The CT has contains records of IT-v and G-list. Then the category of numeric and categorical is checked by choose attribute and check dim, after this update values according to the threshold. Finally, Mndrn is used for generalization and checking the splits of SA subpartition, if it can not then places the records into G-list.

The sVer attack performed on (k, l)-diversity because of partially generalization of SA values. It can be correlated with any generalized categorical SA value. Since all the generalized categorical SA values are on a different level in the hierarchy, SA values on a different level can be vertically correlated to breach the privacy of an individual in Rule 3 as. (3)${\displaystyle \mathbf{R(sV\; er)}:=\forall i47ϵ,x47,\forall i48ϵx48,\forall i49ϵx49|sVer-atk\left(i47\left[2\right],i48\left[2\right]\right)\to \left(i49\left[1\right]=i2\left[2\right]\wedge i49\left[2\right]\right)=i2\left[3\right].}$ In Rule 3 an attacker can be attacked due to the lowest common cut on transaction generalization hierarchy, leaving the single SA from different sub-set unprotected and vulnerable which leads toward correlation of the background information with published data that ultimately caused an attack on sensitive attributes known as sVer.

θ-Sensitive k-Anonymity

The formal modeling analysis reveals the way how an adversary can perform a sensitive variance attack on 1:M data because of inapplicability of θ-Sensitive k-Anonymity for 1:M microdata.

The working of theta given in Khan et al. (2020a) from Rule (1) to (8), where data is taken from data owner and data publisher anonymized it as shown in Fig. 4. The types are shown in Table 8 and data placed with description in Table 9. The black rectangular boxes show transition arrows showing the flow, and circles represent places or sub-part of the system. The data owner, data publisher, and the adversary are the entities.

The first transition shows input is taken from the data owner of 1:M data after taking, anonymizing the data, and publishing. After publishing that data adversary can perform an attack on it. The anonymization process starts from taking input and checking k value. After it calculates threshold using var() function, and if needed variance value adjust using adj(), swap using swap() or adding noise using Add ns(). For 1:M dataset, SA values are more than one in a single tuple in that way θ-Sensitive k-Anonymity approach can not be directly applied to implement diversity in an EC. Because the variance-based θ threshold calculation to obtain a diverse EC is not applicable for 1:M microdata. So a sensitive variance attack can be performed on the published data using any background knowledge. In Rule 4 as: (4)${\displaystyle \mathbf{R(SV\; A)}:=\forall i38ϵ,x38,\forall i40ϵx40,\forall i41ϵx41,\forall i2ϵx2|sva-att\left(i38\left[2\right],i40\left[2\right]\right)\to i43\left[1\right]=i2\left[1\right]\wedge i41\left[2\right]=i2\left[3\right]}$

The EC produced, can not prevent the sva in definition 3, and csa in definition 4, because of inappliabilty of θ-Sensitive k-Anonymity for 1:M dataset, therefore the attack can be performed on 1:M dataset.

The (θ^∗, k)-utility Algorithm

The working of the proposed (θ^∗, k)-utility Algorithm 1 is partitioned into three major parts; transformation (lines 3-18), sensitive buckets creation (line 20-27), and quasi generalized buckets creation (lines 29-35). Initially, the 1:M data in T is in its original form, and the sensitive buckets (sbt) and the quasi generalized data (genData) are taken as empty sets. The algorithms begin by computing distinct SAs in T (lines 3-5), which are further categorized into five different sensitive categories to create category CtgT at line 7 (Table 3).

 
____________________________ 
Algorithm 1 (θ∗,k)-utility_____________________________________________________________________________________________ 
Require: 
    T: 1:M Microdata Table; 
     k: k-anonymity; 
     Γ: T populated with CtgT ; 
     τ: Individual tuple from transform Table (T  ); 
     ℏ: Individual history tuple from history table H; 
Ensure: 
    QT: Quasi Table :-genData; 
     ST: Sensitive Table :-sbt; 
     ___________________________________________________________________________________________________________________________________________________ 
 1:  sbt={}; 
 2:  genData={}; 
 3:  for all tsai ⋅⋅⋅tsan in T do 
 4:     Dsan := Compute(Distinct(SA value)) 
 5:  end for 
 6:  for all dsai ⋅⋅⋅dsan do 
 7:     CtgT := Categorize Dsan into five categories 
 8:  end for 
 9:  for all tsai ⋅⋅⋅tsan do 
10:     Γ:= T ↔ CtgTcat 
11:  end for 
12:  for  all ri ⋅⋅⋅rn do 
13:     for all ti ⋅⋅⋅tn do 
14:         τi:= max(tsai)∀tsa 
i  ϵ CtgTcat 
15:         ℏi:= ¬max(tsai)∀tsa 
i  ϵ CtgTcat 
16:     end for 
17:  end for 
18:  T  := ∑n 
    i=1 τi 
19:  Hi:= ∑n 
    i=1 ℏi 
20:  while T     ⁄= {} do 
21:     if T     ≤ 2k then 
22:         sbtk :=   T 
23:         sbt := sbt ∪sbtk 
24:     else 
25:         Apply θ-Sensitive k-Anonymity Khan, Razaullah and Tao, Xiaofeng and Anjum, Adeel and Kanwal, Tehsin 
            and Malik, Saif Ur Rehman and Khan, Abid and Rehman, Waheed Ur and Maple, Carsten (2020) 
26:     end if 
27:  end while 
28:  N := —T  qi—   // BID is obtained from bksa 
29:  while N ⁄= {} do  
30:     if N ≤ 2k then 
31:         genData := N 
32:     else 
33:         genData := genData ∪ gen(N)   // Linked via BID 
34:     end if 
35:  end while 
36:  return  sbt 
37:  return  genData____________________________________________________________________________________________________________________________    

The CtgT will be used as a reference table while creating sbt. Lines 9-11, populate the original 1:M Table T by assigning the categorical SA values (i.e., Low, Mild, High, Severe, A-symptomatic) to the actual SA (i.e., symptoms attribute), shown in Table 4. The for loop (lines 12-17), creates transform table T; Table 10 at line 14 (i.e., see definition 7). Table 10 has 1:1 microdata. Lines 12 and 13 checks the number of tuples (t_i) that belongs to a single individual record (r_i), i.e. 1:M data. Line 14 creates the transformed tuples (τ_i) by selecting high weighted categorical sensitive attribute values. The sensitive vertical attack (sVer) in definition 5 is prevented at this step of the algorithm. By creating the transformed Table 10 from the original Table 1, the leaf-nodes (i.e., in Fig. 2) cannot be correlated with any generalized categorical SA value. Since all the generalized categorical SA values are on the same level in the hierarchy, SA values on a single level cannot be vertically correlated to breach the privacy of an individual. The remaining categorical sensitive values are stored in a history table ℍ (Table 11) at line 19, to avoid any wastage of data.

Next, the algorithm will create sensitive buckets from the transformed data T. The while loop processes all the tuples in T to create k (i.e., user input) size sensitive buckets (sbt). If the tuples to anonymize in T are less than 2 k the algorithm will create final sbt, otherwise it will process sensitive part of all tuples using the θ-Sensitive k-Anonymity algorithm (Khan et al., 2020), to create more diverse Equivalence Classes (ECs) for ST (i.e., Table 12). Since the sbt obtained through the θ-Sensitive k-Anonymity algorithm (Khan et al., 2020), the EC produced can prevent the sva (i.e., Definition 3), and csa (i.e., definition 4). The prevention of data from sva and csa have already been proved in the algorithm of θ-Sensitive k-Anonymity (Khan et al., 2020).

The last part of the algorithm (line 29-35) creates a generalized QT i.e., Table 12A. The QIs are anonymized at lines 31 and 33 in such a way that the adversary’s confidence about the presence of an individual (in definition 1: ma) or confidence over the absence (i.e., Definition 2-nma) is prevented. The obtained k-anonymized quasi buckets (kb) are linked through the Bucket ID (BID) with the sbt using the one-to-many correspondence (QS-Loose linkability) between the two sub-tables, i.e., Tables 12A and 12B. In Table 12A, the Patient Record ID column is not part of the published table. Finally, the algorithm returns the genData in the form of QT, and sbt in the form of ST, linked through BIDs. The tables obtained from the proposed Algorithm 1 are shown in Tables 12A and 12B. The one-to-many correspondence between QT and ST is the loose linkage (in definition 6) between a single sbt in ST with more than one tuples in different ECs in QT. The EC4 in Table 12A adds a noise tuple (i.e., n1) correspondent to the already added noise SA value in Table 12B because of the θ requirements in θ-Sensitive k-Anonymity algorithm (Khan et al., 2020). The beauty of the QS-loose linkability is the improved utility of the data. Because it allows the least distance QI values to create an EC that can be linked with more than one sbt in ST. Another beauty is the improved privacy implementation. Because the adversary’s confidence to uniquely identify a tuple that belongs to an individual, is reduced by linking a single sbt in ST with more than one k-anonymized ECs in QTs.

HLPN analysis of (θ^∗, k)-utility algorithm

The different attacks discussed in Section 5 and 6 are mitigated through the proposed (θ^∗, k)-utility algorithm.

The data owner, data publisher, adversary are used to model HLPN for the (θ^∗, k)-utility algorithm in Fig. 5. The types showed in Table 13 and data places with description in Table 14. For (θ^∗, k)-utility algorithm initially find distinct SAs values. The Rule 6, is used to compute distinct SAs sensitive attributes. In Rule 6 as: (6)${\displaystyle \mathbf{R(Compute(Dist(SA)))}:=\forall i2ϵx2,i3ϵx3|i3\left[1\right]:=\text{Dist(SA)}\left(i2\left[1\right]\right)\wedge x{3}^{{}^{\prime }}:=x3\cup \left\{i3\left[1\right]\right\}}$

After this by using Rule 7, categorized symptoms into five different sensitive categories to create category Table 3. In Rule 7 as: (7)${\displaystyle \mathbf{R(Categorize)}:=\forall i4ϵx4,i5ϵx5|i5\left[1\right]:=i4\left[1\right]\wedge i5\left[2\right]:=i5\left[2\right]\wedge x{5}^{{}^{\prime }}:=x5\cup \left\{i5\left[1\right],i5\left[2\right]\right\}}$

The Rule 8, populate the Table 1 by assigning the categorical SA values (i.e., Low, Mild, High, Severe, A-symptomatic) to the actual SA (i.e., symptoms attribute) in Table 4. In Rule 8 as: (8)${\displaystyle \mathbf{R(Populate)}:=\forall i6ϵx6,i7ϵx7|i7\left[1\right]:=\text{Populate i}6\left[1\right]\wedge x{7}^{{}^{\prime }}:=x7\cup \left\{i7\left[1\right]\right\}}$

Rule 9 is used for selecting a high weighted categorical attributes sensitive value to transformed in Table 10. In the transformation process ignored records stored in History Table 11, it consists of remaining categorical sensitive values, that are stored in a History Table 11 to avoid any wastage of data in Rule 10. The 2 k input take using Rule 11. The k value checked using Rule 12. The threshold value calculated using Rule 13, it will process sensitive part of all tuples using the θ-Sensitive k-Anonymity algorithm (Khan et al., 2020), to create more diverse Equivalence Classes (ECs) for Sensitive Table (ST) Table 12B. (9)${\displaystyle \mathbf{R(Max)}:=\forall i8ϵx8,i9ϵx9|i9\left[1\right]:=\text{max}\left(i8\left[1\right]\right)\wedge x{9}^{{}^{\prime }}:=x9\cup \left\{i9\left[1\right]\right\}}$ (10)${\displaystyle \mathbf{R(Remaining CSA)}:=\forall i10ϵx10,i11ϵx11|i11\left[1\right]:=\neg \text{max}\left(i10\left[1\right]\right)\wedge x11^{{}^{\prime }}:=x11\cup \left\{11\left[1\right]\right\}}$ (11)${\displaystyle \mathbf{R(Input K)}:=\forall i12ϵx12,i13ϵx13|i13\left[1\right]:=\text{input}\left(i12\left[1\right]\right)\wedge x13^{{}^{\prime }}:=x13\cup \left\{13\left[1\right]\right\}}$ (12)${\displaystyle \mathbf{R(Check k)}:=\forall i14ϵx14,i15ϵx15|i15\left[1\right]:=\text{check}\left(i14\left[1\right]\right)\wedge x15^{{}^{\prime }}:=x15\cup \left\{15\left[1\right]\right\}}$ (13)${\displaystyle \text{R(Apply}\theta \text{-Sensitive k-Anonymity)}:=\forall i16ϵx16,i17ϵx17|i17\left[1\right]:=\theta \text{-Sensitive k-Anonymity}\left(i16\left[1\right]\right)\wedge x17^{{}^{\prime }}:=x17\cup \left\{17\left[1\right]\right\}}$

The splitting is performed for QA and SA attributes, and both are linked with one-to-many correspondence using Rule 14. The obtained k-anonymized quasi buckets are linked through the Bucket ID (BID) with the sbt using the one-to-many correspondence between the two tables. Finally, the algorithm returns the Table 12A QT and Table 12B ST linked through BIDs. In Rule 14 as: (14)${\displaystyle \mathbf{R(Splitting)}:=\forall i18ϵx18,i19ϵx19,i20ϵx20|i19\left[1\right]:=Split\left(\left\{i18\left[1\right]\right\}\right)\wedge i19\left[2\right]:=BID\left\{i18\left[1\right]\right\}\wedge x19^{{}^{\prime }}:=x19\cup \left\{i19\left[1\right],i19\left[2\right]\right\}i20\left[2\right]:=Split\left(\left\{i18\left[1\right]\right\}\right)\wedge i20\left[2\right]:=BID\left\{i18\left[1\right]\right\}\wedge x20^{{}^{\prime }}:=x20\cup \left\{i20\left[1\right],i20\left[2\right]\right\}}$ (15)${\displaystyle \mathbf{R(MA Attack)}:=\forall i21ϵx21,\forall i22ϵx22,\forall i23ϵx23,\forall i24ϵx24|MADis\left(i21\left[1\right],i22\left[2\right]\right)\to i21\left[1\right]i22\left[1\right]\cup i23\left[2\right]\ne i2\left[2\right]\wedge i2\left[3\right]\left(i24\left[2\right]\cup i24\left[3\right]\right)=\varnothing }$ (16)${\displaystyle \mathbf{R(NMA Attack)}:=\forall i25ϵx25,\forall i26ϵx26,\forall i27ϵx27,\forall i28ϵx28-NMADis\left(i25\left[1\right],i27\left[2\right]\right)\to i28\left[2\right]\wedge NMADis\left(i26\left[1\right],i27\left[2\right]\right)=\varnothing }$ (17)${\displaystyle \mathbf{R(SV\; er Attack)}:=\forall i29ϵx29,\forall i30ϵx30,\forall i31ϵx31,\forall i32ϵx32|SaDisc\left(i29\left[1\right],i30\left[1\right]\right)\to \left(\left\{i29\left[1\right],i130\left[1\right]\right\}\cup \left\{i31\left[2\right]\right\}\right):=i2\left[2\right]\wedge i2\left[3\right]\left(i32\left[2\right]\cup i32\left[3\right]\right)=\varnothing }$ (18)${\displaystyle \mathbf{R(QS\; -\; Loose Linkability)}:=\forall i33ϵx34,\forall i34ϵx34,\forall i35ϵx35,\forall i36ϵx36|\left(i33\left[1\right],i34\left[1\right]\right)\to \left(\left\{i33\left[1\right],i134\left[1\right]\right\}\cup \left\{i35\left[2\right]\right\}\right):=i2\left[2\right]\wedge i2\left[3\right]\left(i36\left[2\right]\cup i36\left[3\right]\right)=\varnothing }$ (19)${\displaystyle \mathbf{R(SV\; A)}:=\forall i39ϵ,x39,\forall i40ϵx40,\forall i42ϵx42,\forall i43ϵx43|SaDisc\left(i39\left[2\right],i40\left[2\right],i42\left[2\right]\right)\ne \left(i2\left[1\right]\cup i2\left[2\right]\cup i2\left[3\right]\right)\left(i43\left[2\right]\cup i43\left[3\right]\right)=\varnothing }$

In Rules 15 and 16, the adversary’s confidence about the presence of an individual, or confidence over the absence is prevented. The sensitive vertical attack (sVer) prevented by creating the Table 4 from the Table 1, so SA values on a single level cannot be vertically correlated to breach the privacy of an individual in Rule 17. The adversary’s confidence to uniquely identify a tuple which belongs to an individual, is reduced by linking a single sbt in ST with more than one k-anonymized EC in QTs in Rule 18. The diverse EC produced, can prevent the sva and csa. The prevention of data from sva and csa in Rule 19. The (θ^∗, k)-utility algorithm protects from above mentioned attacks, results in form of a null value as shown in Rules 15, 16, 17, 18, and 19.

Experimental setup

All the experiments are performed on a machine having Windows 10 operating system with Core i7 processor and 8GB RAM. The proposed algorithm is implemented in Python 3.9 language. We used the modified ‘Adult’ dataset, which is publically accessible from the repository of UC Irvine machine learning.^{1 ,2}

In the modified Adult dataset the age, zipcode, and gender are considered as QIs, while the symptoms attribute is considered as the SA.

The anonymized data obtained from the proposed and the base algorithms are analyzed for utility using normalized certainty penalty (NCP) (Anjum et al., 2018) and query accuracy (Anjum et al., 2018), for privacy using the average number of vulnerable records, and the computational efficiency is analyzed with the average execution time of all the algorithms.

Utility loss

The utility loss of the anonymized data is measured using the following techniques.

Normalized certainty penalty

Normalized certainty penalty (NCP) is one of the techniques which measures the utility loss caused by data anonymization. We measure the utility loss caused by the QIs. High penalties indicate high utility loss and vice versa.

Let T ={q₁,q₂, …,q_m} are QI. The utility loss for a single QI attribute is shown in Eq. (20) as. (20)${\displaystyle NC{P}_{q_i}\left(t\right)=\frac{x_i-y_i}{\left|\right.Qi\left|\right.}}$

where y_i ≤ z_i ≤ x_i, and z_i is the actual QI value from T, and |Qi—is the domain range on QI_i, i.e., max{t.QI_i} − min{t.QI_i}. The total weighted certainty penalty for the whole table is the sum of all attributes in a tuple and then adding NCP obtained from all tuples, as in Eq. (21). (21)${\displaystyle NCP\left(T^{\ast }\right)=\sum _{t=T^{\ast }}\sum _{i=1}^q{w}_i\cdot NC{P}_{qi}\left(t\right)}$ where, NCP(t) = ${\sum }_{i=1}^q{w}_i\cdot NC{P}_{q_i}$ (t) represents penalty for a tuple, w_i are weights associated to attributes, and T^∗ is the final anonymized release.

Figure 6 shows the NCP for utility measurement on anonymized release. Figure 6 shows the comparative results of θ-Sensitive k-Anonymity, (k, l)-diversity, (p, l)-angelization and the proposed (θ^∗, k)-utility algorithms, with varying k for the complete dataset. The increase in the graph values shows more utility loss. The higher value of k collectively for all algorithms results in higher utility loss because of the increased generalization range in each EC. For (k, l)-diversity, it is impossible to satisfy both k-anonymity and l-diversity constraints at the same time to achieve high privacy with minimum information loss, where the high value of the l-diversity is not recommended for high value of k. However, still the (k, l)-diversity results shows better utility than the θ-Sensitive k-Anonymity and the (p, l)-angelization algorithms, because the (p, l)-angelization algorithm only extends the (k, l)-diversity (which works only for 1:1 dataset) for the 1:M-MSA data without considering utility and privacy of the anonymized data. In (p, l)-angelization, increasing the diversity in for sensitive attributes in SAFBs greatly reduces the utility of the k-anonymous groups because of the one-to-one correspondence between the ST and QT. Through the one-to-one correspondence between the ST and QT, any change in ST directly affect the QT for the same changes. So with respect to utility (p, l)-angelization is more worse than (k, l)-diversity. The multiplicative increase in utility loss for θ-Sensitive k-Anonymity is because of its straight forward privacy implementation for single SA without any contribution for utility improvement in the developed algorithm.

Our proposed (θ^∗, k)-utility algorithm, independently generalizes the QI values to create less distance ECs for any size of k, which results in low utility loss as compared to its counterparts. Here, the k size in QT is not affected by any changes in ST. The proposed (θ^∗, k)-utility algorithm in Fig. 6B depicts the NCP with varying size of data set and for a fixed value of k =4. The utility loss reduces with more and more 1:M records is because of the availability of more suitable QI values from the increased dataset to create smaller distance ECs, which reduces the loss in data utility. Our proposed (θ^∗, k)-utility algorithm produces better results as compared to its counterparts, and depicts almost a constant data utility with any number of records. This is because of the separate publishing of the QT from the ST, which is enabled by the one-to-many correspondence approach.

Query accuracy

Query accuracy measures the utility loss between the original and anonymized release using an aggregate query, e.g. COUNT, AVG, SUM etc. Consider the following aggregate query in Eq. (22). (22)${\displaystyle SELECTCOUNT\left(\ast \right)\text{from}{\mathrm{}T}^{\ast }\text{where}{\mathrm{}A}_1^{qi}ϵ\text{Domain}\left(A_1^{qi}\right)\text{AND}\cdots \text{AND}{\mathrm{}A}_m^{qi}ϵDomain\left(A_m^{qi}\right)}$

Anonymized table T^* has m as a total A^qis, i.e., $A_i^{qi}$,$A_i^{qi}$, …,$A_q^{qi}$. The domain size i.e., ($A_i^{qi}$) depends on query selectivity (θ) which indicates the expected number of tuples selection from an executed aggregate query. The tuple selectivity can be seen in in Eq. (23). (23)${\displaystyle \theta =\frac{\left|\right.t_q\left|\right.}{\left|\right.T\left|\right.}}$

where |T| is the total number of tuples in the dataset and |t_q| indicates the number of tuples obtained from a query (Q). To measure the utility loss, the query error in Eq. (24) analyzes the error between the COUNT queries executed on the published and original dataset. (24)${\displaystyle QueryError=|Count\left(anonymized\right)-Count\left(original\right)|/Count\left(original\right)}$ Query error is a common matrix to measure the utility of the anonymized release. We perform utility loss analysis between the θ-Sensitive k-Anonymity, (k, l)-diversity, (p, l)-angelization, and the proposed algorithm of (θ^∗, k)-utility, by generating 1000 randomly queries and averaging their query error in Fig. 7.

Figure 7A shows the query error for varying k size. For all the comparative graphs, with increase in k size the query error increases, because high k means high distance ECs. Then the aggregate query results in more number tuples on anonymized data as compared to the original data. So the high comparative difference between the original and anonymized data results in an increased query error rate. The (p, l)-angelization do no focus on the utility of the data at all because even the separately created sensitive and quasi tables are not considered as actual separate tables because they are still directly connected through the one-to-one buckets in both tables. While in (k, l)-diversity although both QI and SA are generalized separately, even though, both are dependent on k, for measuring the utility of any k-anonymous group. The values obtained from the θ-Sensitive k-Anonymity indicates its better utility than the (p, l)-angelization and (k, l)-diversity is because of its local generalization. The lowest utility loss by our proposed approach is because of the autonomous ECs of QIs.

Figure 7B shows the query error with respect to varying selectivity for k = 4 and dataset = 6,000. With increase in selectivity (i.e., high predicates) less number of records will be selected, which results in a low error rate in the anonymized data. Again, our proposed (θ^∗, k)-utility algorithm has continuously low query error as compared to the θ-Sensitive k-Anonymity, (p, l)-angelization, and (k, l)-diversity techniques because of the independent anonymization of the QT with respect to the ST. The low query error in our proposed approach depicts the low difference in the tuples selection between the original and anonymized releases.

Privacy loss

The privacy loss means re-identification of an individual record in the anonymized dataset. In this work, we are using two different methods to measure privacy loss. One is the actual record intersection method, while another is the probability method.

Record intersection

Loss in the privacy of data is the identification of vulnerable records in the anonymized data which ultimately re-identify an individual record. Equation (25) measures an average number of vulnerable records.

The original dataset contains an input file that contains the total data that is not yet anonymized i.e., Table 1, the output table indicates the published tables in the anonymized form, i.e., QT12a and ST12b. (25)${\displaystyle VulnerableRecords=Actual\cap Output.}$ The vulnerability of number of records in (k, l)-diversity and(p, l)-angelization is higher than the θ-Sensitive k-Anonymity and (θ^∗, k)-utility as shown in Fig. 8A. This is due to the fact that the (k, l)-diversity uses a transaction generalization technique (Gong et al., 2017). The lowest common cut on transaction generalization hierarchy leaves the single SA from different sub-set unprotected and vulnerable, as shown in Fig. 2 that causes sVer attack which breaches the privacy of that specific individual. In (p, l)-angelization the vulnerability exists due to the sensitive attributes fingerprint correlation attack, as mentioned in Khan et al. (2020c). As in (p, l)-angelization, the QT and ST tables have one-to-one correspondence (discussed in Motivation Scenario III), so the adversary can correlate both tables and can easily create a single table. In that way, the ma and nma attacks (see definitions in Section 3) can be performed on the dataset. The variance-based privacy implementation by θ-Sensitive k-Anonymity is stronger. However for the 1:M dataset, it becomes useless to achieve privacy because in such data each record consists of more than one tuple, and attackers can perform sva, and csa attacks on the dataset. However, the proposed (θ^∗, k)-utility further improves its privacy by categorizing the SA into categorical SA values (i.e., Fig. 2), and prevents all such attacks (i.e., ma, nma, sva, csa, and sVer). This reduces the re-identification of an individual record and provides more data protection as compared to its counterparts, as shown in Fig. 8A.

Execution time

Computational efficiency is the overall execution time of an algorithm. Figure 9 shows the execution time of our proposed (θ^∗, k)-utility algorithm along with its counterpart techniques. In both Figures i.e., Figs. 9A and 9B, the (p, l)-angelization has the highest execution time because of the weight calculation and handling 1:M-MSA data. The proposed (θ^∗, k)-utility algorithm has higher execution time than θ-Sensitive k-Anonymity, because of the additional work of categorising the SA and creating one-to-many loose linkability between QT and ST, along with the variance calculations for SAs. The (k, l)-diversity has the lowest execution time because of the simple approach of the algorithm i.e., only 1:M generalization and splitting the attributes.