Efficient and flexible anonymization of transaction data

Abstract

Transaction data are increasingly used in applications, such as marketing research and biomedical studies. Publishing these data, however, may risk privacy breaches, as they often contain personal information about individuals. Approaches to anonymizing transaction data have been proposed recently, but they may produce excessively distorted and inadequately protected solutions. This is because these approaches do not consider privacy requirements that are common in real-world applications in a realistic and flexible manner, and attempt to safeguard the data only against either identity disclosure or sensitive information inference. In this paper, we propose a new approach that overcomes these limitations. We introduce a rule-based privacy model that allows data publishers to express fine-grained protection requirements for both identity and sensitive information disclosure. Based on this model, we also develop two anonymization algorithms. Our first algorithm works in a top-down fashion, employing an efficient strategy to recursively generalize data with low information loss. Our second algorithm uses sampling and a combination of top-down and bottom-up generalization heuristics, which greatly improves scalability while maintaining low information loss. Extensive experiments show that our algorithms significantly outperform the state-of-the-art in terms of retaining data utility, while achieving good protection and scalability.

Appendix

Proof of Theorem 1

We observe that our problem can be reduced from the NP-hard problem of optimal privacy-constrained anonymization (OPC) [51]. The latter problem seeks to transform \(\mathcal D \) into \(\tilde{\mathcal{D }}\) that has a minimum \(UL(\tilde{\mathcal{D }})\), using the set-based item generalization model, w.r.t. two sets of constraints \(\fancyscript{U}\) (on utility) and \(\fancyscript{P}\) (on privacy), and parameters \(k\) and \(s\). We can map an instance of OPC to an instance of our problem in polynomial time by constructing \(\varTheta \) in such a way that, for each \(p\in \fancyscript{P}\), we specify a PS-rule whose antecedent contains all the items in \(p\) and no other items, \(s=0\,\%\) to disallow suppression, and \(c=1\). Then, \(\tilde{\mathcal{D }}\) is a solution to our problem if and only if it is a solution to the OPC problem. \(\square \)

Proof of Theorem 2

Assume that a \(\tilde{\mathcal{D }}\) in which the PS-rules in \(\varTheta \) are protected can be constructed from \(\mathcal D \), for given \(k\) and \(c\), when \(sup(I \cup J,\mathcal D )> N \times c\), for a rule \(I\rightarrow J\) in \(\varTheta \). Then, from Definition 4, we have \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J,\tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})}\le c\). Since \(sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})\ge sup(I \cup J,\mathcal D )\) from the way \(\varPhi \) works, we have \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi , \tilde{\mathcal{D }})}\ge \frac{sup(I\cup J,\mathcal D )}{N}\). Thus, \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi , \tilde{\mathcal{D }})}>c\), which contradicts our assumption and proves the theorem true. \(\square \)

Proof of Theorem 3

Consider a dataset \(\tilde{\mathcal{D }}\) constructed using a generalization function \(\varPhi \) that maps each and every \(i\in \mathcal P \) to the same \(\tilde{i}\in \tilde{\mathcal{P }}\). Since we have \(sup(\tilde{i},\tilde{\mathcal{D }})=N \ge k\) for all rules in \(\varTheta \), these rules satisfy Condition (1) of Definition 4 for \(\tilde{\mathcal{D }}\). Also, as \(sup(\bigcup _{\forall i \in I_q}\varPhi (i) \cup J_q, \tilde{\mathcal{D }})\le N\times c\) and \(sup(\tilde{i},\tilde{\mathcal{D }})=N\) hold, we have \(\frac{sup(\bigcup _{\forall i \in I_q}\varPhi (i) \cup J_q, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I_q}\varPhi (i),\tilde{\mathcal{D }})}\le c\). So the rules in \(\varTheta \) also satisfy Condition (2) of Definition 4, and are all protected in \(\tilde{\mathcal{D }}\). Thus, \(\tilde{\mathcal{D }}\) is a generalized dataset that is constructed from \(\mathcal D \) as required. \(\square \)

Proof of Theorem 4

Assume that \(\small UL(\tilde{\mathcal{D _1}})<UL(\tilde{\mathcal{D _2}})\). For each generalized item \(\tilde{i}\) in both \(C_1\) and \(C_2\), we have \(\small UL(\tilde{i},\tilde{\mathcal{D _1}})=UL(\tilde{i},\tilde{\mathcal{D _2}})\). Thus, there must be sets of generalized items \(C_1^{\prime }= C_1{\setminus }C_2\) and \(C_2^{\prime }=C_2{\setminus }C_1\) such that \(\small \sum _{\tilde{i_x}\in {C_1^{\prime }}}UL(\tilde{i_x},\tilde{\mathcal{D _1}})<\sum _{\tilde{i_y}\in {C_2^{\prime }}}UL(\tilde{i_y},\tilde{\mathcal{D _2}})\) or \(\small \sum _{\forall \tilde{i_x}\in {C_1^{\prime }}}((2^{|\tilde{i_x}|}-1)\times w(\tilde{i_x})\times sup(\tilde{i_x},\tilde{\mathcal{D _1}}))<\sum _{\forall \tilde{i_y}\in {C_2^{\prime }}}((2^{|\tilde{i_y}|}-1)\times w(\tilde{i_y})\times sup(\tilde{i_y},\tilde{\mathcal{D _2}}))\), in order for our assumption to hold. However, this cannot be true because for each \(\tilde{i_x}\in C_1^{\prime }\) we have \(\small |\tilde{i_x}|=\sum _{\forall \tilde{i_q} \in desc(\tilde{i_x})}|\tilde{i_q}|\) (by definition), \(\small sup(\tilde{i_x},\tilde{\mathcal{D _1}})\ge \sum _{\forall \tilde{i_q} \in desc(\tilde{i_x})}sup(\tilde{i_q}, \tilde{\mathcal{D _2}})\) (by B-Split), and \(\small w(\tilde{i_x})\ge \sum _{\forall \tilde{i_q}\in desc(\tilde{i_x})}w(\tilde{i_q})\) (the condition given in Theorem 4). Thus, we cannot have \(UL(\tilde{\mathcal{D _1}})<UL(\tilde{\mathcal{D _2}})\). \(\square \)

Proof of Theorem 5

Consider an arbitrary generalized dataset \(\tilde{\mathcal{D }}\) that is constructed from \(\mathcal D \) using a set-based generalization function \(\varPhi \). In the following, we prove that \(I\rightarrow J\) is protected in \(\tilde{\mathcal{D }}\) by showing that it satisfies both conditions of Definition 4. From \(sup(I,\mathcal D )\le sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})\) and the condition (1) of the Theorem 5, we get that \(sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})\ge k\). Thus, \(I\rightarrow J\) satisfies the condition (1) of Definition 4. Also, from \(sup(J,\mathcal D )\ge sup(\bigcup _{\forall i \in I}\varPhi (i) \cup J,\tilde{\mathcal{D }})\) and the condition (2) of Theorem 5, we have that \(sup(\bigcup _{\forall i \in I}\varPhi (i) \cup J,\tilde{\mathcal{D }})\le c\times k\). By combining the latter relation with \(sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})\ge k\), we get \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i) \cup J,\tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})}\le c\). Thus, \(I\rightarrow J\) also satisfies the condition (2) of Definition 4. \(\square \)

Proof of Theorem 6

Assume that \(I\rightarrow J\) is protected in \(\tilde{\mathcal{D _1}}\), not protected in \(\tilde{\mathcal{D _2}}\) and there is no item \(i \in I\) that maps to \(\tilde{i_l}\) or \(\tilde{i_r}\). By the construction of \(C_2\), \(i\) is not mapped to \(\tilde{i}\) either. Thus, we have \(\small sup(\bigcup _{\forall i\in I}\varPhi (i),\tilde{\mathcal{D _1}})=\small sup(\bigcup _{\forall i\in I}\varPhi (i),\tilde{\mathcal{D _2}})\), since other than \(\tilde{i_l}\) and \(\tilde{i_r}\), the support of each generalized item in \(\tilde{\mathcal{D _2}}\) and \(\tilde{\mathcal{D _1}}\) is the same. This implies \(\frac{sup(\bigcup _{\forall i\in I}\varPhi (i)\cup J,\tilde{\mathcal{D _1}})}{sup(\bigcup _{\forall i\in I}\varPhi (i),\tilde{\mathcal{D _1}})}=\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J,\tilde{\mathcal{D _2}})}{sup(\bigcup _{\forall i\in I}\varPhi (i),\tilde{\mathcal{D _2}})}\). Thus, \(I\rightarrow J\) is protected in \(\tilde{\mathcal{D _2}}\), which contradicts our assumption and proves the theorem true. \(\square \)

Proof of Theorem 7

Assume that \(I^{\prime }\rightarrow J\) is not protected in \(\tilde{\mathcal{D }}\). Due to condition (1), we have \(\small sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})\ge k\) and \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})}\le c\), and, from conditions (2) and (3), we have \(\small sup(\bigcup _{\forall i^{\prime }\in I^{\prime }}\varPhi (i^{\prime }),\tilde{\mathcal{D }})=sup(\bigcup _{\forall i \in I}\varPhi (i),\tilde{\mathcal{D }})\) since all items in \(I^{\prime }\) are contained in \(I\) and all items in \(I\) are mapped to \(\bigcup _{\forall i \in I}\varPhi (i)\). Thus, \(I^{\prime }\rightarrow J\) is protected by Definition 4, which contradicts our assumption. \(\square \)

Proof of Theorem 8

Assume that \(I\rightarrow J^{\prime }\) is not protected in \(\tilde{\mathcal{D }}\). \(\small sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})\ge k\) holds from condition (1), hence \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J^{\prime }, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})}>c\) must hold, for our assumption to be true. From \(\small sup(J^{\prime }, \tilde{\mathcal{D }}_{\tilde{I}})=sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J^{\prime }, \tilde{\mathcal{D }})\), \(sup(J, \tilde{\mathcal{D }}_{\tilde{I}})=sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})\normalsize \), and condition (2), we get \(\frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J^{\prime }, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})}\le \frac{sup(\bigcup _{\forall i \in I}\varPhi (i)\cup J, \tilde{\mathcal{D }})}{sup(\bigcup _{\forall i \in I}\varPhi (i), \tilde{\mathcal{D }})}<c\), which contradicts our assumption. \(\square \)

Proof of Theorem 9

Let \(X_1,\ldots ,X_n\) be independent Poisson trials and the probability \(Pr(X_i)=p_i\). Let also \(X=\sum _{\forall i\in [1,n]}X_i\) and \(\mu =E[X]\). For any \(\gamma >0\), the additive Chernoff bound \(Pr(|X-\mu |\ge \gamma )\le (2\times e^{-2n\gamma ^2})\) holds. By setting \(|\mathcal D _s|=n\), \(\gamma =\epsilon \), \(X=\frac{sup(I,\mathcal D _s)}{|\mathcal D _s|}\), and \(\mu =\frac{sup(I,\mathcal D )}{|\mathcal D |}\), we get \(Pr(|\frac{sup(I,\mathcal D _s)}{|\mathcal D _s|}-\frac{sup(I,\mathcal D )}{|\mathcal D |}|\ge \epsilon )\le (2\times e^{-2|\mathcal D _s|\epsilon ^2})\). After setting \(\delta \ge 2\times e^{-2|\mathcal D _s|\epsilon ^2}\) and some calculations, we get \(|\mathcal D _s|\ge \frac{ln(\frac{2}{\delta })}{2\times \epsilon ^2}\), which proves the theorem true. \(\square \)

Theorem 10

The time complexity of Algorithm 4 is \(O(2^{|\mathcal P |}\times |\mathcal S |\times N)\) and the space complexity is \(O(2^{|\mathcal P |}\times |\mathcal S |+N\times |\mathcal I |)\).

Proof

We first examine the time complexity of B-Split, Update, Replace, and Check. B-Split requires \(O\left( |\mathcal P |^2+|\mathcal P |\right)\approx O(|\mathcal P |^2)\) time, where \(|\mathcal P |\) is the size of the largest possible generalized item, since it examines all pairs of items mapped to this generalized item and then assigns all public items to the created seeds. Update scans \(\tilde{\mathcal{D }}\) once to replace \(\tilde{i}\) with \(\tilde{i_l}\) and \(\tilde{i_r}\), hence it is computed in \(O(|\mathcal P |\times N)\) time, where \(N\) is the number of transactions in \(\tilde{\mathcal{D }}\). Replace has the same time complexity with Update and Check needs \(O(|\varTheta |\times (N+|\mathcal P |))\) time; \(O(N)\) time to form \(I\rightarrow J\) and determine if it is protected, \(O(|\mathcal P |\times (log(|\mathcal P |)+|\varTheta |))\) time to construct \(\varTheta ^{\prime }\) using Find-rules in the worst-case in which all rules have at least one item mapped to \(\tilde{i}\) in their antecedent, and \(O(|\varTheta ^{\prime }|\times N)\) time to compute the support and confidence of these rules. Since Algorithm 4 performs up to \(\lfloor \frac{2\times |\mathcal P |-1}{2}\rfloor \approx |\mathcal P |\) recursive calls, one for each edge in the generalization tree, it needs \(O\left(|\mathcal P |\times \left(|\mathcal P |^2 + |\mathcal P |\times N + |\varTheta |\times (N+|\mathcal P |)\right)\right)\) time, which can be approximated as \(O(2^{|\mathcal P |}\times |\mathcal S |\times N)\) in the worst case when \(|\varTheta |=(2^{|\mathcal P |}-1)\times |\mathcal S |\) and assuming that \(N>|\mathcal P |\). Note that \(|\varTheta |=(2^{|\mathcal P |}-1)\times |\mathcal S |\) when it contains all possible rules and there is no rule whose antecedent is the same with another rule and its consequent is a superset of that of the second rule (otherwise the former rule is redundant due to its lower confidence).

We then examine the space complexity of Update, Replace, and Check. Update and Replace need to store \(O(N\times |\mathcal I |)\) items each. The Rule-tree used in Check is created once and stores \(O(2^{|\mathcal P |}\times |\mathcal S |)\) items, as inserting a rule adds one item as a tree node and \(|\mathcal S |\) items in the consequent-list. \(Q\) needs to store \(O(|\mathcal P |^2)\) items when the generalization tree is the tallest one, hence Algorithm 4 requires \(O(2^{|\mathcal P |}\times |\mathcal S |+N\times |\mathcal I |)\) space. \(\square \)

Theorem 11

The time complexity of Algorithm 5 is \(O(2^{|\mathcal P |}\times |\mathcal S |\times N)\) and the space complexity is \(O(2^{|\mathcal P |}\times |\mathcal S |+N\times |\mathcal I |)\).

Proof

The time complexity of the sample-based partitioning phase of Algorithm 5 is \(O(h\times (|\mathcal P |^2+|\mathcal P |\times N+|\varTheta |\times (|\mathcal P |+|\mathcal D _s|)))\), where \(h\) is the height of the generalization tree \(\mathcal G \) returned by Sample-Based-Partition. This is because the latter function calls Split and Update, whose cost was examined in Theorem 10, as well as Check, whose cost is \(O(|\varTheta |\times (|\mathcal P |+|\mathcal D _s|))\). The top-down cut revision phase needs \(O(h^{\prime }\times (|\mathcal P |^2+|\mathcal P |\times N + |\mathcal P |\times (log(|\mathcal P )+\varTheta )+ \varTheta \times (|\mathcal P |+N)))\), where \(h^{\prime }\) is the number of executions of the while loop of step \(9\) in Algorithm 5. Finally, steps 24–29 need \(O(h^{\prime \prime }\times (|\varTheta |\times (|\mathcal P |+N)+|\mathcal P |+N))\) time, assuming that all nodes of \(\mathcal G \) are merged to their ancestors that lie \(h^{\prime \prime }\) levels above them, since Check and Merge-siblings take \(O(|\varTheta |\times (|\mathcal P |+N))\) and \(O(|\mathcal P |+N)\) time, respectively. It also holds \(h^{\prime }+h\le |\mathcal P |\) and \(h^{\prime \prime }\le |\mathcal P |\), as \(\mathcal G \) has up to \(|\mathcal P |\) levels. Thus, Algorithm 5 takes \(O(|\mathcal P |\times (|\mathcal P |^2+|\mathcal P |\times N+|\varTheta |\times (|\mathcal P |+N)))\) time, or approximately \(O(2^{|\mathcal P |}\times |\mathcal S |\times N)\), in the worst case when \(|\varTheta |=O(2^{|\mathcal P |}\times |\mathcal S |)\) and assuming that \(N>|\mathcal P |\). The space complexity of Update and Check was examined in Theorem 10 and the cost of storing \(\mathcal G \) is \(O(|\mathcal P |^2)\) items. Thus, Algorithm 5 requires \(O(2^{|\mathcal P |}\times |\mathcal S |+N\times |\mathcal I |)\) space. \(\square \)

COUNT() Queries and \(ARE\) Computation

Consider an SQL-like COUNT() query

\(\mathbf{Q:}\) SELECT COUNT( \(\tilde{T_n}\) (or \(T_n\) )) FROM \(\tilde{\mathcal{D }}\) (or \(\mathcal D \) )

WHERE \(\tilde{I}J\) supports \(\tilde{T_n}\) in \(\tilde{\mathcal{D }}\)  (or  \(IJ\) supports \(T_n\) \(\mathtt {in}\) \(\mathcal D \) )

where \(\tilde{I}\) and \(I\) are itemsets comprised of public items in \(\tilde{\mathcal{D }}\) and \(\mathcal D \), respectively, and \(J\) is an itemset comprised of sensitive items. Since data recipients have only access to \(\tilde{\mathcal{D }}\), they need to estimate an answer for \(Q\). This can be performed by computing the probability \(P(\tilde{T_n},Q)\) that \(\tilde{T_n}\), the anonymized version of a transaction \(T_n\) in \(\mathcal D \), satisfies \(Q\). Assume that a generalized item \(\tilde{i_m}\) in \(\tilde{T_n}\) is interpreted as any possible subset of the items mapped to it with equal probability, and that there are no correlations among generalized items [27, 29, 42]. \(P(\tilde{T_n} ,Q)\) is given by \(\displaystyle \Pi _{\forall \tilde{i_m} \in \tilde{T_n}}\frac{2^{|\tilde{i_m}|-c(I)}}{2^{|\tilde{i_m}|}-1}\) where \(c:\mathcal I \rightarrow [0,|i_m|]\) is a function that, given \(I\), returns the number of items in \(I\) that are mapped to \(\tilde{i_m}\) in \(\tilde{\mathcal{D }}\). An approximate answer \(e(Q)\) to \(Q\) is then derived by summing the corresponding probabilities across all transactions \(\tilde{T_n}\) in \(\tilde{\mathcal{D }}\) that support \(J\).

We considered two workloads \(W_1\) and \(W_2\), each comprised of 1,000 queries, whose items were selected uniformly at random. Queries in \(W_1\) involve a \(2\)-itemset in \(\mathcal P \), whereas those in \(W_2\) require retrieving a \(3\)-itemset comprised of \(2\) public and \(1\) sensitive items.