Graph Perturbation as Noise Graph Addition: A New Perspective for Graph Anonymization

. Diﬀerent types of data privacy techniques have been applied to graphs and social networks. They have been used under diﬀerent assumptions on intruders’ knowledge. i.e., diﬀerent assumptions on what can lead to disclosure. The analysis of diﬀerent methods is also led by how data protection techniques inﬂuence the analysis of the data. i.e., information loss or data utility. One of the techniques proposed for graph is graph perturbation. Several algorithms have been proposed for this purpose. They proceed adding or removing edges, although some also consider adding and removing nodes. In this paper we propose the study of these graph perturbation techniques from a diﬀerent perspective. Following the model of standard database perturbation as noise addition, we propose to study graph perturbation as noise graph addition . We think that changing the perspective of graph sanitization in this direction will permit to study the properties of perturbed graphs in a more systematic way.


Introduction
Data privacy has emerged as an important research area in the last years due to the digitalization of the society. Methods for data protection were initially developed for data from statistical offices, and methods focused on standard databases.
Currently, there is an increasing interest to deal with big data. This includes (see e.g. [10,38,40]) dealing with databases of large volumes, streaming data, and dynamic data.
Data from social networks is a typical example of big data, and we often need to take into account the three aspects just mentioned. Data from social networks is usually huge (as the number of users in most important networks are on the millions), posts can be modeled in terms of streaming, and is dynamic (we can consider multiple releases of the same data set).
As data from social networks is highly sensitive, a lot of research efforts have been devoted to develop data privacy mechanisms. Data privacy tools for social networks include disclosure risk models and measures [2,35], information loss and data utility measures, and perturbation methods (masking methods) [21].
Tools have been developed for the different existing privacy models. We review the most relevant ones below.
1. Differential privacy. In this case, given a query, we need to avoid disclosure from the outcome of the query. Privacy mechanisms are tailored to queries. 2. k-Anonymity. Different competing definitions for k-anonymity for graphs exist, depending on the type of information available to the intruder. Then, for each of these definitions, several privacy mechanisms have been developed. One of the weakest condition is k-degree anonymity. Strongest conditions include nodes neighborhoods. 3. Reidentification. Methods introduce noise into a graph so that intruders are not able to find a node given some background information. Again, we can have different reidentification models according to the type of information available to the intruders (from the degree of a node to its neighborhood).
Here noise is usually understood as adding and removing edges from a graph. Nevertheless, adding and removing nodes have also been considered. Methods for achieving k-anonymity are also available for avoiding reidentification.
Note that while differential privacy and k-anonymity are defined as Boolean constraints (i.e., a protection level is fixed and then we can check if this level is achieved or not), this is not the case for reidentification. The risk of reidentification is defined in terms of the proportion of records that can be reidentified.
In this work we focus on methods for graphs perturbation. More particularly, we consider algorithms for graph randomization. In our context, they are the methods that modify a graph to avoid re-identification (and also to achieve kanonymity). The goal is to formalize data perturbation for graphs, as a model for perturbation of social networks.
Methods for graph randomization usually consist on adding and removing edges. Performance of these methods is evaluated with respect to how the modification modifies the graph (the information loss caused to the graph), and the disclosure risk after perturbation. Often, the execution time is also considered.
The structure of the paper is as follows. In Sect. 2 we review noise addition and random graphs, as the formalization introduced in this paper is based on the former and uses the latter. In Sect. 3 we formalize noise addition for graphs. In Sect. 4, we discuss existing methods for graph randomization from this perspective. In Sect. 5, we present some results related to our proposal. The paper finishes with some conclusions.

Preliminaries
In this section we review some concepts and definitions that are needed later on in this paper. We discuss noise addition for standard numerical databases and random graphs.

Noise Addition
Noise addition has been applied for statistical disclosure control (SDC) for a long time. An overview of different algorithms for noise addition for microdata can be found in [7]. Simple application of noise addition corresponds to replace value x for variable V with meanV and variance σ 2 by x + with ∼ N (0, σ 2 ). Correlated noise has also been considered so that noise do not affect correlations computed from perturbated data. See [39] (Chapter 6) for details.
Noise addition is known because it can be used to describe other perturbative masking techniques. In particular, rank swapping, post-randomization and microaggregation are special cases of matrix masking (see [12]). i.e., multiplying the original microdata set X by a record-transforming mask matrix A and by an attribute transforming mask matrix B and adding a displacing mask C to obtain the masked dataset Z = AXB + C.
Such operations are well defined for matrices and numbers, here we will define an equivalent operation for graphs.

Random Graphs
Probability distributions over graphs are usually referred by random graphs. There are different models in the literature. We review some of them here.
The Gilbert Model. This model is denoted by G(n, p). There are n nodes and each edge is chosen with probability p. With mean degree d m = p(n − 1) for a graph of n nodes, the probability of a node to have degree k is approximated by d k m e −dm /k!. I.e., this probability follows a Poisson distribution. The Erdös-Rényi Model. This model is denoted by G(n, e), and represents a uniform probability of all graphs with n nodes and e edges. This model is similar to the previous one (basically asymptotically equivalent as [1] writes it).
Most usual networks we find in real-life situations (including all kind of social networks) do not fit well with these two models. For example, it is known that most networks have degree distributions that follow a power-law. Other properties usually present in real-life networks is transitivity (also known as clustering) which means that if nodes v 1 and v 2 are connected, and nodes v 2 and v 3 are also connected, the probability of having v 1 and v 3 connected is high.
Some models extend the previous ones considering degree sequences that follow other distributions than the Poisson. One of such models is based on having a given degree sequence.
Models Based on a Given Degree Sequence. We denote this model by D(n, d n ), where n is the number of nodes and d n is a degree sequence. That is, d n ∈ N n . D(n, d n ) represents a uniform probability of all graphs with n nodes and degree sequence d n . Not all degree sequences are allowed (e.g., there is no graph for D(5, d 5 = (1, 0, 0, 0, 0))). A graphical degree sequence is one for which there is at least one graph that satisfies it.
The Havel-Hakimi algorithm [18,19] is an example of algorithm that builds a graph for a graphical degree sequence. In order to have a graph drawn from a uniform distribution D(n, d n ) we can use [23]. The authors discuss a polynomial algorithm for generating a graph from a distribution arbitrarily close to a uniform distribution, once the degree sequence is known. The algorithm is efficient (see [22]) for p-stable graphs. This type of approach is known as the Markov chain approach, as algorithms are based on switching edges according to given probabilities. See e.g. [26,27].
Another way to draw a graph according to a uniform distribution from the degree sequence, is to assign to each node in the graph d i stubs (i.e., edges still to be determined or out-going edges not yet assigned to the in-going ones). Then, choose at random pairs of stubs to settle a proper edge. Nevertheless this does not always work as we may finish with multiple edges and loops (see e.g. [3]).

The Configuration Model.
In this case it is considered that the degree sequence of a graph follows a given distribution. To build such a graph we can first randomly choose a graphical degree sequence and then apply the machinery for building a graph from the degree sequence as explained above.
In this configuration model, the degree sequence adds a constraint to the possible graphs. All previous models can be combined with the fact that the degree sequence is given. In fact, other types of constraints can be considered in a model. For example, temporal and spatial.
For example, Spatial graphs may be generated in which the probability of having an edge is proportional to the distance between the nodes [39]. Random dot product graph models, a model proposed by Nickel et al. [29], is another example. In a random dot product graph, each node has associated a vector in an R d space, and then the probability of having an edge between two nodes is proportional to the random dot product of the vectors associated to the two nodes.
Given a probability distribution over graphs G we will denote that we draw a graph G from G using G ∼ G. E.g., G ∼ G(100, 0.2) is a graph G drawn from a Gilbert model with 100 nodes and probability 0.2 of having an edge between two nodes.

Noise Addition for Graphs
The main contribution of this paper is to formalize graph perturbation in terms of noise addition. For this, we introduce two different definitions for this type of perturbation. Both of them are based on selecting a graph according to a probability distribution over graphs and adding the selected graph to the original one.
We first define what we mean with graph addition.
In order to add two graphs, we must align the set of nodes in which we are going to add them. For example if G 1 and G 2 do not have any node in common, then the addition The next simplest case is when one of the graphs is a subset of the other. Then, the resulting graph will have the largest set of nodes (i.e., the union of both sets of nodes), and the final set of edges is an exclusive-or of the edges of both graphs.
Using an exclusive-or we can model both addition and removal of edges. Whether we remove or add an edge will depend on whether this edge is in only one graph or in both. Note also that this process is somehow analogous to noise addition where X = X + with following a normal distribution. In particular, adding noise may correspond to increasing or decreasing the values in X. We formalize below graph addition for subgraphs.
We will denote that G is the addition of G 1 and G 2 by Note that for any graph G 1 and G 2 , G is a valid graph (i.e., G has no cycles and no multiedges).
We discuss now the definitions of noise graph addition. As one of the graphs, say G, is drawn from a distribution of graphs, the set of vertices created in G are not necessarily connected with the ones in the original graph. Nevertheless, even in this case, we can align (or, better, we still need to align) the two set of nodes. The difference between alternative definitions is about how the two sets of nodes are aligned. So, the general definition will be based on an alignment between the two set of nodes. This alignment corresponds to a homomorphism A : V → V ∪ {∅}. Here, ∅ corresponds to a null node, or dummy node. This notation comes from graph matching terminology (see e.g., [4]).
A matching algorithm builds such homomorphism for a given pair of graphs.
A matching algorithm M is a function that given G 1 and G 2 returns an alignment.
Definition 4. Let G 1 (V, E 1 ) be a graph, let G be a probability distribution on graphs, and let M be a matching algorithm; then, noise graph addition for G 1 following the distribution G and based on M consists of (i) drawing a graph This definition allows for adding noise graphs that are not necessarily subgraphs of each other.
Another equivalent way, is to think of graphs as labeled graphs, that is, a graph G = (V, E, μ), where μ : V → L V is a function assigning labels to the vertices of the graph G. For simplicity we will assume that L V is a set of integers. Then, given two labeled graphs G 1 and G 2 , their edges would be defined by pairs of integers corresponding to the labels of their corresponding nodes. In such way, an alignment will be given naturally by the nodes that have the same label in both graphs.
Otherwise, if the nodes from two graphs G 1 and G 2 are labeled respectively as [n 1 ] = 1, . . . , n 1 and [n 2 ] = 1, . . . , n 2 . To define a different alignment, we may relabel their nodes in the following way.
First, choose two subsets S 1 ⊂ [n 1 ] and S 2 ⊂ [n 2 ] of the same size, assume that n 1 ≤ n 2 , define a bijection f : S 2 → S 1 , then relabel the nodes in V (G 2 ) as f (j) if j ∈ S 2 and as n 1 + 1, . . . , n 2 for the remaining nodes, whose new labels f (j) are not in S 2 . In this way we obtain an alignment. Now we can identify a node with its label and then use Definition 1 for graph addition.

Graph Matching and Edit Distance
On the other side of noise addition, we find the concept record linkage. In the context of graphs this concept is similar to graph matching. Graph matching is a key task in several pattern recognition applications [41]. However, it has a high computational cost. Indeed, finding isomorphic graphs is NP-complete. Thus, several methods have been devised for efficient approximate graph matching, some use tree structures and strings such as [28,30,42], other are able to process very large scale graphs such as [24,37] or [36].
A commonly used distance for graph matching and finding isomorphic subgraphs is graph edit distance (GED). It was formalized mathematically in [34].
For defining GED, a set of edit operations is introduced, for example, deletion, insertion and substitution of nodes and edges. Then, the similarity of two graphs is defined in terms of the shortest or least cost sequence of edit operations that transforms one graph into the other.
Of course when GED(G 1 , G 2 ) = 0 this means that such graphs are isomorphic. Therefore for computing the similarity (or testing an isomorphism) between graphs an exhaustive solution is to define all possible labelings (alignments) and testing for similarity, this is quite inefficient.
However, we may use our definition of addition for defining a distance (that we call edge distance) between two labeled graphs as: We will prove that ed is a metric in the following theorem. Theorem 1. Let G be the space of labeled graphs without isolated nodes, |, then the following conditions hold: Proof. First, ed(G 1 , G 2 ) = 0 implies that every uv ∈ G 1 is also in G 2 and the other way around. Hence E(G 1 ) = E(G 2 ). Since they do not have isolated nodes, Third, for the triangle inequality we calculate two cases for an edge uv ∈ . (ii) uv ∈ G 3 and uv ∈ G 1 This case is equivalent to case i) only substituting G 1 by G 3 .
Therefore we conclude that ed is a metric.
In fact, our metric ed(G 1 , G 2 ) actually counts the number of edges we have to modify (erase/add) to transform a graph G 1 to obtain G 2 . Moreover, if we sum G 1 ⊕ (G 1 ⊕ G 2 ) we obtain G 2 and G 2 ⊕ (G 1 ⊕ G 2 ) = G 1 .
Therefore we may use our definition for graph addition not only for adding noise, but also for measuring it. This is useful for comparing any published graph with other graphs published under a different privacy protection algorithm (such as a k-anonymous graph).
Moreover, we can use the edge distance to find the median graph G median similar to the median graph obtained in [13] for the graph edit distance.
For a family of graphs F, we define: Note that G median is not necessarily unique for a given family of graphs F, so G median is also a set of graphs.
In the following result we will show that the original graph G is such that is at minimum distance from m protected graphs in G ⊕ G if there is not any edge that belongs to more than m/2 of the graphs in G.
For e ∈ A ∪ B, then its either in both E(G ⊕ G i ) and E(G ⊕ G i ) or in none of both.
For e ∈ A ∪ B and e ∈ E(G i ) then e ∈ E ((A ∪ B) We conclude for each edge e ∈ A ∪ B that the cases when e ∈ E(G i ), the edge e is counted in ed(G, G i ) but not in ed(G, G i ). While, in the cases when e ∈ E(G i ), the edge e is not counted in ed(G, G i ) but it is counted in ed(G, G i ).
Therefore, since all edges e belong to at most half of the graphs in G, then This provides us with a similar result as in noise addition for SDC in which the expected value E(x + ) = x for ∈ N (0, σ 2 ).

Edge Noise Addition, Local Randomization and Degree Preserving Randomization
In this section we explore the relation of graph noise addition with previous randomization algorithms.

Edge Noise Addition
The method for graph matching from [28], uses the structure of the neighbors at increasing distance from each node in the graph to grow a tree that is later used to codify the entire graph. Such queries are mentioned in [21] and can be iteratively refined to re-identify nodes in the graph. Hay et al. [20] propose as a solution a graph generalization algorithm similar to [8] and recently improved in [31]. To measure privacy, they sample a graph from all the possible graphs that are consistent with such generalization. In [20], they have suggested a random perturbation method that consisted on adding m edges and removing m edges. It was later studied from an informationtheoretic perspective in [6]. They also suggested a random sparsification method. Other random perturbation methods may be found in [9].
All these perturbation approaches are included in our definition. Observe that they correspond to constraints on the definition of the set of noise graphs (G) that we are using.
For example, the obfuscation by random sparsification is defined in [6] as follows. The data owner selects a probability p ∈ [0, 1] and for each edge e ∈ E(G) the data owner performs an independent Bernoulli trial, B e ∼ B (1, p). And leaves the edge in the graph in case of success (i.e., B e = 1) and remove it otherwise (B e = 0). Letting E p = {e ∈ E|B e = 1} be the subset of edges that passed this selection process, the data owner releases the subgraph G p = (U = V, E p ). Then, they argue that such graph will offer some level of identity obfuscation for the individuals in the underlying population, while maintaining sufficient utility in the sense that many features of the original graph may be inferred from looking at G p .
Note that random sparsification is obtained with our method by using G = G(n; 1 − p) ∩ G, then adding G ⊕ G for some G ∈ G.
Another relevant example is when we define G = {G : |E(G )| = m}, then G ⊕ G where G ∼ G is equivalent to adding x and deleting m − x edges, in total changing m edges from the original graph. If we restrict G to be the family of graphs G such that |E(G )| = 2m and |E(G ) ∩ E(G)| = m, then we are adding m edges and deleting m other edges, as in [20].
Note that, in this case all the m edges may be incident to the same node or they may be all independent, however such restrictions could be added with our method simply by specifying that the graphs G in G do not have degree greater than m − 1, or that their maximum degree is at most 1.
We will show an example of such a local restriction in the following subsection.

Local Randomization
In [43] a comparison between edge randomization and k-anonymity is carried out, considering that the adversary knowledge is the degree of the nodes in the original graph. There, they calculate the prior and posterior risk measures of the existence of a link between node i and j (after adding k and removing k edges) as: We define G ⊕ G t u to be the local t-randomization which adds the graph G t u with vertex set V (G t u ) = u, u 1 , . . . , u t and edge set E(G t u ) = uu 1 , . . . , uu t in which u is a fixed vertex from G and u 1 , . . . , u t ⊂ V (G \ u).
Then G ⊕ G t u changes t random edges incident to u in G. So we can apply local t-randomization for all u in V (G) to obtain the graph G t u Following the notation from [43], we compare the privacy guarantees of local t-randomization to the equivalent that would be k = tn/2 in their case. This value comes from the fact that each node has t randomized edges and therefore are counted twice.
We consider an adversary that knows about a given node and its degree. Then tries to infer if the adjacent edges in the published graph come from the original.
For a given node i we denote its degree as d i and as d i the value n − 1 − d i , in general for any value t, we denote as t the value n − 1 − t, this is the complement of the degree d i and the complement of the edges in E(G t u ) respectively.

Theorem 3.
The adversary's prior and posterior probabilities to predict whether there is a sensitive link between two target individuals i, j ∈ V (G) by exploiting the degree d i and accessing to the randomized graph G t are the following: Proof. (i) First of all, P (a ij = 1) = d i n − 1 because the adversary knows d i and there are only n − 1 possible neighbors for i (ii) Now we calculate P (a ij = 1|a t ij = 1) in our graph G t . There are only two possibilities for an edge to belong to E(G t ) (i.e., a t ij = 1) and to G (i.e., a ij = 1). The edge was already in E(G) and it does not belong to E(G t i ) neither to E(G t j ) or it is in E(G) and at the same time belongs to both E(G t i ) and E(G t j ). For an edge to belong to E(G t ) and not to G (i.e., a ij = 0). There are also two cases, a ij = 0 and the edge belongs to exactly one of E(G t i ) or E(G t j ). Considering that the probability that ij ∈ E(G t ) = t n−1 , the probability that ij ∈ E(G t ) = t n−1 , P (a ij = 1) = di n−1 and P (a ij = 0) = di n−1 we obtain the following: For (iii) we follow a similar argument as in (ii). For P (a ij = 1|a t ij = 0) there are also two possibilities for an edge that was in E(G) to be removed from E(G t ). The edge ij is in E(G) and . For an edge to belong to G and not to E(G t ). There are also two more cases, a ij = 1 and the edge belongs to both E(G t i ) and E(G t j ), or to none of them. This implies that: Which simplifies to (iii) and finishes the proof.

Degree Preserving Randomization
As we have discussed in the introduction, graphs with a given degree sequence can be uniformly generated by starting from a graph G ∈ D(n, d n ) and swapping some of its edges. The method of swap randomization is also used for generating matrices with given margins for representing tables and assessing data mining results in [14].
Recall that a swap in a graph consists of choosing two edges u 1 u 2 , u 3 u 4 ∈ E(G), such that u 2 u 3 , u 4 u 1 ∈ E(G) to obtain the graphG such that V (G) = V (G) and E(G) = E(G)\{u 1 u 2 , u 3 u 4 }∪{u 2 u 3 , u 4 u 1 }. It is also called alternating circuit in [39] were it is used for proving that all multigraphs may be transformed into graphs via alternating circuits, and used for generating synthetic spatial graphs.
In [32] and [33] this is used to prove that scale-free sequences with parameter γ > 2 are P-stable and graphic. Note that the P-stability property guarantees that a graph with a given degree sequence may be uniformly generated by choosing a graph G ∈ D(n, d n ) by applying sufficient random swaps.
Then for a given graph G with n nodes labeled as [n] = 1, . . . , n We define the family S G = G such that G = {i, j, k, l} ⊂ [n], where ij, kl ∈ E(G) and jk, li ∈ E(G). In other words S G is the set of alternating 4-circuits of G.
We may choose an arbitrary number m of such noise graphs G 1 , . . . , G m and add them to G, that is Following this procedure for m large enough is equivalent to randomizing G to obtain all the graphs D(n, d n ). Actually, for any two graphs with the same degree sequence G 1 , G 2 ∈ D(n, d n ), G = G 1 ⊕ G 2 must have at each node i the same number of edges ij that belong to E(G) as the edges il that do not belong to E(G), since the node i has the same degree in G 1 and in G 2 . Thus, any graph in D(n, d n ) may be generated by starting at some graph G and adding G from the set G of all the graphs that are a union of alternating circuits of G.

The Most General Approach for Noise Addition for Graphs
In all the previous sections we were restrictive with respect to the noise graphs that we were adding, in this last section we apply the Gilbert model which was discussed in Sect. 2.2, without any restriction. This has as a consequence that we may not be able to obtain strong conclusions on the structure of the graphs obtained after noise addition, in contrast to the results in previous sections. However, by reducing the restrictions, we are increasing the possible noise graphs that we add, hence we increase uncertainty and therefore protection. In Table 1 we present the noise addition methods discussed in this paper, together with some of their properties and requirements.
G adds m edges and removes m edges Random sparsification [6] G ∈ G(n; 1 − p) ∩ G None The edges of G remain with probability p, no added edges Local t-randomization Applied to every node in G Every node has t modified incident edges Degree preserving randomization [5] G ∈ SG SG is the set of swaps of G G, G ⊕ G ∈ D(n, d n ) Gilbert model G ∈ G(n; 1 − p) None Every edge is added or removed with probability p Proposition 1. Let G 1 (V, E 1 ) be an arbitrary undirected graph, and let G 2 (V, E 2 ) be an undirected graph generated from a Gilbert model G (|V |, p). Then, the expected number of edges of G 2 is p · |V | · (|V | − 1)/2.
Proof. Let the graph G 1 have n 1 = |E 1 | edges, and let the graph G 2 have n 2 edges. Being the graph undirected, the number of edges for a complete graph is t = v * (v − 1)/2 where v = |V | is the number of nodes. Then, we will have on average that n 2 · n 1 /t edges of G 2 link two nodes also linked by G 1 , -n 2 · (t − n 1 )/t edges of G 2 link two nodes not linked by G 1 , -(t − n 2 ) · n 1 /t edges of G 1 link two nodes not linked by G 2 , and -(t−n 2 )(t−n 1 )/t corresponds to pairs of nodes neither linked in G 1 nor in G 2 .
So, addition of graphs G 1 and G 2 result into a graph with n 2 · (t − n 1 )/t + (t − n 2 ) · n 1 /t edges on average.
From this, it follows that only when n 2 = 0, the number of edges of G is the same as the ones in G 1 ; or when n 1 = t/2. This is expresses as a lemma below. Lemma 1. Let G 1 (V, E 1 ) and G 2 (V, E 2 ) be as above with n 1 and n 2 the corresponding number of edges. Then, the noise graph addition of G 1 and G 2 , has n 1 nodes when n 2 = 0 or when n 1 = t/2.
Proof. The solutions of n 1 = n 2 · (t − n 1 )/t + (t − n 2 ) · n 1 /t are such that tn 1 = n 2 t − n 2 n 1 + tn 1 − n 2 n 1 or, equivalently, 0 = n 2 t − n 2 n 1 + −n 2 n 1 . So, one solution is that n 2 = 0, and if this is not the case, n 1 = t/2. Let us consider the case that we use our original graph to build a Gilbert model G(|V |, p) from the graph G 1 (V, E 1 ). That is, we generate a graph with p = |E 1 |/(|V | * (|V | − 1)/2). Then, the expected value for n 2 is n 2 = n 1 = |E 1 |. Therefore, noise graph addition of G 1 and G 2 will have n 1 · (t − n 1 )/t + (t − n 1 ) · n 1 /t = (2n 1 t − 2n 1 n 1 )/t edges. Figure 1 illustrates this case for the case of 100 nodes and edges between 0 and 4950 (i.e., the case of a complete graph). As proven in the lemma, only when n 1 = 0 or when n 1 = t/2 we have that the number of edges in the resulting graph is exactly the same as in the original graph (i.e., n 2 is 0 or t/2, respectively). We can also see that while n 1 ≤ 4950/2, the number of edges in the resulting graph is not so different to the ones on the original graph (maximum difference is at n 1 = t/4 with a difference of t/8 edges), but when n 1 > 4950/2 the difference starts to diverge. Maximum difference is when the graph is complete that addition will result into the graph with no edges.
Observe that difference between the edges in the added graph and the original one will be (2n 1 t − 2n 1 n 1 )/t − n and that the maximum difference is at n 1 = t/4. For n 1 = t/4 the difference (2n 1 t − 2n 1 n 1 )/t − n = t/8. For n 1 = t/4 this means a maximum of 50% increase in the number of edges.
Nevertheless, if we consider the proportion of edges added with respect to the total number of edges, this is 1 − 2 * n 1 /t, which implies that the proportion is decreasing with maximum equal to 100% when n 1 = 1. Naturally, when n 1 ≥ t/2 we start to have deletions instead of additions and with n 1 = t we have a maximum number of deletions (i.e., 100% because all edges are deleted).
Let us consider a few examples of graphs used in the literature. For each graph, Table 2 shows for a few examples of graphs, the number of nodes and edges, the expected number of edges added using a Gilbert model, and the expected increase in the number of edges. It can be seen that for large number of nodes, as the actual number of edges is rather low with respect to the ones in a complete graph, the % of increment of edges is around 100%.

Conclusions
In this paper we have introduced a formalization for graph perturbation based on noise addition. We have shown that some of the existing approaches for graph randomization can be understood from this perspective. We have also proven some properties for this approach, noted that it encompasses many of the previous randomization approaches while also defining a metric for graph modification. Additionally, we defined the local t-randomization approach which guarantees that every node has t-neighboring edges modified. It remains as future work to study new families of noise graphs and test their privacy and utility guarantees.