Preventing active re-identification attacks on social graphs via sybil subgraph obfuscation

Active re-identification attacks constitute a serious threat to privacy-preserving social graph publication, because of the ability of active adversaries to leverage fake accounts, a.k.a. sybil nodes, to enforce structural patterns that can be used to re-identify their victims on anonymised graphs. Several formal privacy properties have been enunciated with the purpose of characterising the resistance of a graph against active attacks. However, anonymisation methods devised on the basis of these properties have so far been able to address only restricted special cases, where the adversaries are assumed to leverage a very small number of sybil nodes. In this paper, we present a new probabilistic interpretation of active re-identification attacks on social graphs. Unlike the aforementioned privacy properties, which model the protection from active adversaries as the task of making victim nodes indistinguishable in terms of their fingerprints with respect to all potential attackers, our new formulation introduces a more complete view, where the attack is countered by jointly preventing the attacker from retrieving the set of sybil nodes, and from using these sybil nodes for re-identifying the victims. Under the new formulation, we show that k-symmetry, a privacy property introduced in the context of passive attacks, provides a sufficient condition for the protection against active re-identification attacks leveraging an arbitrary number of sybil nodes. Moreover, we show that the algorithm K-Match, originally devised for efficiently enforcing the related notion of k-automorphism, also guarantees k-symmetry. Empirical results on real-life and synthetic graphs demonstrate that our formulation allows, for the first time, to publish anonymised social graphs (with formal privacy guarantees) that effectively resist the strongest active re-identification attack reported in the literature, even when it leverages a large number of sybil nodes.


Introduction
The last decade has witnessed a formidable explosion in the use of social networking sites. Although the discipline of social network analysis has existed already for quite some time, today's scientists potentially have access as never before to massive amounts of social network data. Social graphs are a particular example of this type of data, in which vertices typically represent users (e.g. Facebook or Twitter users, e-mail addresses) and edges represent relations between these users (e.g. becoming "friends", following someone, exchanging e-mails). The analysis of social graphs can help scientists and other actors to discover important societal trends, study consumption habits, understand the spread of news or diseases, etc. For these goals to be achievable, it is necessary that the holders of this information, e.g. online social networks, messaging services, among others, release samples of their social graphs. However, ethical considerations, increased public awareness, and reinforced legislation place an increasingly strong emphasis on the need to protect individuals' privacy via anonymisation.
Social graphs have proven themselves a challenging data type to anonymise. Even a simple undirected graph, with arbitrary node labels and no attributes on vertices or edges, can leak private information, due to the existence of unique structural patterns that characterise some individuals, e.g. the number of friends or the relations in the immediate vicinity [31]. Many privacy attacks that solely rely on the underlying graph topology of the social graph exist [1], and they are still effective [28], despite advances in social graph anonymisation. A particularly effective privacy attack is the so-called active attack, whose strategy consists in inserting fake accounts, commonly referred to as sybils, into the real network. Once inserted, these fake users interact with legitimate users and among themselves, and create structures that allow the adversary to retrieve the sybil nodes from a sanitised social graph and use the connection patterns between sybils and legitimate nodes to re-identify the original users and infer sensitive information about them, such as the existence of relations.
The publication of social graphs that effectively resist active attacks was initially addressed by Trujillo-Rasua and Yero [40]. They introduced the notion of (k, )-anonymity, the first privacy property to explicitly model the protection of published graphs against active adversaries. A graph satisfying (k, )-anonymity ensures that an adversary leveraging up to sybil nodes and knowing the pairwise distances of all victims to all sybil nodes is still unable to distinguish each victim from at least k − 1 other vertices in the graph. This privacy property served as the basis for defining several anonymisation methods for a particular case, namely the one where either k > 1 or > 1 [29,26]. In other words, nontrivial anonymity (k > 1) was only guaranteed against an adversary leveraging exactly one sybil node. Later, the introduction of the notion of (k, )-adjacency anonymity [27] allowed the values of k for which a formal privacy guarantee can be provided to be increased arbitrarily, but the proposed methods remained unable to address scenarios where the adversary can leverage more than two sybil nodes. In consequence, until now no anonymisation method with theoretically sound privacy guarantees against active attackers leveraging three or more sybil nodes has been made available to data publishers.
To remedy the aforementioned situation, in this paper we take a different approach to the problem of anonymising a graph that may have been the victim of an active attack. Our approach differs from the ones based on (k, )-(adjacency) anonymity in that it quantifies the combined probability of success of the attacker in re-identifying her sybil nodes and using them to re-identify the victims, whereas (k, )-(adjacency) anonymity-based methods implicitly assume that the adversary cannot be prevented from retrieving the sybil nodes, and (over-)compensate for this by quantifying the probability that victims are re-identified in terms of any vertex subset satisfying some minimal constraints. Our new approach leverages a new probabilistic interpretation of the adversary's success probability in the two stages of re-identification. This new formulation allowed us to point out some mismatches between the goal of privacy-preserving publication, namely ensuring some upper bound on the probability of each victim being re-identified, and the actual guarantees provided by existing privacy properties. As an interesting observation, we noticed that there exist graphs that, despite failing to satisfy existing formal privacy properties, are in fact secure against active attackers. More importantly, our new formulation allowed us to prove that k-symmetry [44], an existing privacy property originally introduced for the scenario of passive attacks, i.e. attacks that do not use sybil accounts, guarantees a 1/k upper bound on the re-identification probability of each victim, regardless of the number of sybil nodes used by the adversary. This finding is of paramount importance, as it enables the use of any known anonymisation method ensuring k-symmetry for preventing active re-identification attacks via sybil subgraph obfuscation. In this sense, we additionally show that the algorithm K-Match [48], originally devised for efficiently enforcing the notion of k-automorphism, also provides a sufficient condition for ensuring k-symmetry.

Summary of contributions:
• We show that no privacy property in the literature characterises all anonymous graphs with respect to active attacks.
• We introduce a general definition of resistance to active attacks that can be used to analyse the actual resistance of a graph.
• We use the introduced privacy model to prove that k-symmetry, the strongest notion of anonymity against passive attacks, also protects against active attacks.
• Of independent interest is our proof that k-automorphism does not protect against active attacks. This is a surprising result, considering that k-automorphism and k-symmetry have traditionally been deemed conceptually equivalent.
• We prove that the algorithm K-Match, devised to ensure a sufficient condition for k-automorphism, also guarantees k-symmetry.
• We provide empirical evidence on the effectiveness of K-Match as an anonymisation strategy against the strongest active attack reported in the literature, namely the robust active attack presented in [28], even when it leverages a large number of sybil nodes.
Structure of the paper. We discuss related work in Section 2, and describe our new probabilistic interpretation of the adversarial model for active re-identification attacks in Section 3. Then we discuss the applicability of k-symmetry for modelling protection against active attackers in Section 4, and show in Section 5 that the algorithm K-Match efficiently provides a sufficient condition for k-symmetry. Finally, we empirically demonstrate the effectiveness of K-Match against the robust active attack from [28] in Section 6 and give our conclusions in Section 7.

Related work
In this paper we focus on a particular family of properties for privacy-preserving publication of social graphs: those based on the notion of k-anonymity [38,39]. These privacy properties depend on assumptions about the type of knowledge that a malicious agent, the adversary, possesses. According to this criterion, adversaries can be divided into two types. On the one hand, passive adversaries rely on information that can be collected from public sources, such as public profiles in online social networks, where a majority of users keep unmodified default privacy settings that pose no access restrictions on friend lists and other types of information. A passive adversary attempts to re-identify users in a published social graph by matching this information to the released data. On the other hand, active adversaries not only use publicly available information, but also attempt to interact with the real social network before the data is published, with the purpose of forcing the occurrence of unique structural patterns that can be retrieved after publication and used for learning sensitive information.

k-anonymity models against passive attacks. k-anonymity is based on a notion of indistinguishability between users in a dataset, which is used to create equivalence classes of users that are pair-wise indistinguishable in the eyes of an attacker. Formally, given a symmetric, reflexive and transitive indistinguishability relation ∼ on the users of a graph G, G satisfies k-anonymity with respect to ∼ if and only if the equivalence class with respect to ∼ of each user in G has cardinality at least k.
Several graph-oriented notions of indistinguishability appear in the literature. For example, Liu and Terzi [21] consider two users indistinguishable if they have the same degree. Their model is known as k-degree anonymity and gives protection against attackers capable of accurately estimating the number of connections of a user. The notion of k-degree anonymity has been widely studied, and numerous anonymisation methods based on it have been proposed, e.g. [22,4,10,42,23,36,34,5]. Zhou and Pei [47] assume a stronger attacker able to determine not only the connections of a user u, but also whether u's friends (i.e. those users that u is connected to) are connected. This means that the adversary is assumed to know the induced subgraphs created by the users and their neighbours. It is simple to see that Zhou and Pei's model, known as k-neighbourhood anonymity, is stronger than k-degree anonymity.
The notion of k-automorphism [48] was introduced with the goal of modelling the knowledge of any passive adversary. Two users u and v in a graph G are said to be automorphically equivalent, or indistinguishable, if ϕ(u) = v for some automorphism ϕ in G. The notion of k-automorphism ensures that every vertex in the graph is automorphically equivalent to k − 1 other vertices. Although k-automorphism itself does not in general imply all other privacy properties (as we will show in Appendix A), the method proposed in [48] for enforcing the (stronger) k different matches principle does achieve this goal. Similar formulations of indistinguishability in terms of graph automorphisms were presented independently in the work on k-symmetry [44] and k-isomorphism [9]. While k-symmetry and k-automorphism have traditionally been viewed as equivalent, k-symmetry is actually stronger, and it does imply all other privacy properties for passive attacks. In this paper, we additionally show that, in the context of active attacks, k-symmetry always guarantees a 1/k upper bound on the re-identification probability for each vertex, which k-automorphism does not.
A natural trade-off between the strength of the privacy notions and the amount of structural disruption caused by the anonymisation methods based on them has been empirically demonstrated in [48]. The three privacy models described above form a hierarchy, which is displayed in the left branch of Figure 1. Privacy models tailored to active attacks also form a hierarchy, displayed in the right branch of Figure 1, which we describe next. Question marks in Figure 1 indicate that connections between properties tailored for passive attacks and those tailored for active attacks have not been established yet, neither directly nor via some additional property.

k-anonymity models against active attacks. Backstrom et al. were the first to show the impact of active attacks in social networks back in 2007 [2]. Their attack has been optimised a number of times, see [32,33,28], and two privacy models particularly tailored to measure the resistance of social graphs to this type of attack have recently been proposed [40,27]. The first of those models is (k, )-anonymity, introduced in 2016 by Trujillo-Rasua and Yero [40]. They consider adversaries capable of re-identifying their own sets of sybil nodes in the anonymised graph. Adversaries are also assumed to know, or to be able to estimate, the distances of the victims to the set of sybil nodes. This last assumption was weakened later in [27] by restricting the adversary's knowledge to distances between victims and sybil nodes of length one. That is, the adversary only knows whether the victim is connected to a sybil node. That restriction led to a weaker version of (k, )-anonymity called (k, )-adjacency anonymity, as displayed in Figure 1.
There exist three anonymisation algorithms [29,26,27] that aim to create graphs satisfying (k, )-(adjacency) anonymity. Their approach consists in determining a candidate set of sybil vertices in the original graph that breaks the desired anonymity property, and forcing via graph transformation that every vertex has a common pattern of connections with the sybil vertices shared by at least k − 1 other vertices. A common shortcoming of these methods is that they only provide formal guarantees against attackers leveraging a very small number of sybil nodes (no more than two). This limitation seems to be an inherent shortcoming of the entire family of properties of which (k, )-anonymity and (k, )-adjacency anonymity are members. Indeed, for large values of , which are required in order to account for reasonably capable adversaries, anonymisation methods based on this type of property face the problem that any change introduced in the original graph to render one vertex indistinguishable from others, in terms of its distances to a vertex subset, is likely to render this vertex unique in terms of its distances to other vertex subsets.
An approach that has been used against both types of attack, passive and active, consists in randomly perturbing the graph. While intuition suggests that the task of re-identification becomes harder for the adversary as the amount of random noise added to a graph grows, no theoretically sound privacy guarantees have been provided for this scenario. Moreover, it has been shown in [28] that active attacks can be made robust against reasonably large amounts of random perturbation.

Other privacy models. For the sake of completeness, we finish this brief literature survey by mentioning privacy models that aim to quantify the probability that the adversary learns any sort of sensitive information. A popular example is differential privacy (DP) [11], a semantic privacy notion which, instead of anonymising the dataset, focuses on the methods accessing the sensitive data, and provides a quantifiable privacy guarantee against an adversary who knows all but one entry in the dataset. In the context of graph data, the notion of two datasets differing by exactly one entry can have multiple interpretations, the two most common being edge-differential privacy and vertex-differential privacy. While a number of queries, e.g. degree sequences [18,14] and subgraph counts [46,17], have been addressed under (edge-)differential privacy, the use of this notion for numerous very basic queries, e.g. graph diameter, remains a challenge. Recently, differentially private methods leveraging the randomized response strategy for publishing a graph's adjacency matrix were proposed in [37]. While these methods do not necessarily view vertex ids as sensitive, data holders whose goal in preventing re-identification attacks is to prevent the adversary from learning the existence of relations may view this approach as an alternative to k-anonymity-based methods. Another DP-based alternative to k-anonymity-based methods consists in learning the parameters of a graph generative model under differential privacy and then using this model to publish synthetic graphs that resemble the original one in some structural properties [30,35,43,45,16,8].
Other privacy models rely on the notion of the adversary's prior belief, defined as a probability distribution on sensitive values. For example, t-closeness [20] measures attribute protection in terms of the distance between the distribution of sensitive values in the anonymised dataset and the distribution of sensitive attribute values in the original table. Such a definition of prior belief differs from other works, such as (ρ₁, ρ₂)-privacy [13] and -privacy [24], where prior belief represents the adversary's knowledge in the absence of knowledge about the dataset. In either case, estimating the prior belief of the adversary is challenging, as discussed in [11].

Concluding remarks. As illustrated in Figure 1, the development of k-anonymity models against passive and active attacks has traditionally been split, with no apparent intersection. This article provides, to the best of our knowledge, the first connection between the two developments. This is achieved by introducing a probabilistic model for active attacks that characterises all graphs that resist active attacks, of which k-symmetry and (k, )-anonymity are proven to be sufficient, yet not necessary, conditions.

Probabilistic adversarial model
Our adversarial model is a generalisation of the model introduced in [28], which captures the capabilities of an active attacker and allows one to analyse the resistance of anonymisation methods to active attacks. Such analysis is expressed as a three-step game between the attacker and the defender. In the first step the attacker is allowed to interact with the network, insert sybil accounts, and establish links with other users (called the victims). The defender uses the second step to anonymise and perturb the network, which was previously manipulated by the attacker. Lastly, the attacker receives the anonymised network and makes a guess on the pseudonyms used to anonymise the victims. Each of these steps is formalised in what follows.

Attacker subgraph creation
The attacker-defender game starts with a graph G = (V, E) representing a snapshot of a social network, as in Figure 2(a). The attacker knows a subset of the users, called the victims and denoted I, but not the connections between them. The attacker is allowed to insert a set of sybil nodes S into G and establish connections with their victims.
This step of the attack transforms the original graph The second condition says that relations established by the adversary are constrained to the set of sybil and victim nodes. We call the resulting graph G+ the sybil-extended graph of G. An example of a sybil-extended graph is depicted in Figure 2(b).
The attacker does not know the entire graph G+, unless the original graph was empty. The adversary knows, however, the subgraph formed by the set of sybil nodes S, their connections to the victims, and the victim set I. This notion of adversary knowledge is formalised next.

Definition 1 (Adversary knowledge). Let G = (V, E) be an original graph and G+ = (V ∪ S, E ) the sybil-extended graph created by an adversary that targets a set of victims I ⊆ V. The adversary knowledge is defined as the subgraph $G_{S,I}$ of G defined by Note that connections between victims are not part of the adversary knowledge.

Pseudonymisation and perturbation
When the defender decides to publish the graph G+, she pseudonymises it by replacing the real user identities with pseudonyms. That is to say, the defender obtains G+ and constructs an isomorphism ϕ from G+ to ϕG+. An isomorphism between two graphs there exists an isomorphism ϕ between them. Given a subset of vertices S ⊆ V, we will often use ϕS to denote the set {ϕ(v) | v ∈ S}. In Figure 2(c) we illustrate a pseudonymisation of the graph in Figure 2(b).
We call ϕG+ the pseudonymised graph. Pseudonymisation serves the purpose of removing personally identifiable information from the graph. Because pseudonymisation is insufficient to protect a graph against re-identification, the defender is also allowed to perturb the graph. This is captured by a non-deterministic procedure t that maps graphs to graphs. The procedure t modifies ϕG+, resulting in the transformed graph t(ϕG+). We assume that t(ϕG+) is ultimately made available to the public, hence it is known to the adversary.

Re-identification
The last step of the attacker-defender game is where the attacker analyses the published graph t(ϕG+) to re-identify her own sybil accounts and the victims (see Figure 2(d)). This allows her to acquire new information, which was supposed to remain private, such as the fact that E and F are friends.
We define the output of the adversary's re-identification attempt as a mapping ρ from the set of vertices S ∪ I to the set of vertices in t(ϕG+). This represents the adversary's belief on the pseudonyms used to anonymise the attacker and victim vertices in t(ϕG+). To account for uncertainty in the adversary's belief, we consider that the adversary assigns a probability value p(ρ) to each mapping, denoting the probability that the adversary chooses ρ as the output of the re-identification attack. Let $\Phi_{S,I}$ be the universe of mappings from the set of vertices in S ∪ I to the set t(ϕG+). The law of total probability allows us to quantify the adversary's probability of success in re-identifying one victim as follows.

Proposition 1. Let G = (V, E) be an original graph, G+ = (V ∪ S, E ) the sybil-extended graph created by an adversary that targets a set of victims I ⊆ V, and t(ϕG+) the anonymised version of G+ created by the defender. Then, the probability $A^{S,I}_{t(\phi G^+)}(u)$ that the adversary successfully re-identifies a victim u ∈ I in t(ϕG+) is In our analyses, we restrict the function p to be a probability distribution on the domain $\Phi_{S,I}$, i.e. $\sum_{\rho \in \Phi_{S,I}} p(\rho) = 1$. We also assume that p satisfies the standard random worlds assumption enunciated in [6,25], which expresses that, in the absence of any information in addition to t(ϕG+), any two isomorphic subgraphs in t(ϕG+) are indistinguishable for the adversary. We enunciate the random worlds assumption next, adapting the terminology to the one used in this paper.

Assumption 1 (Random worlds assumption [6,25]). Let G = (V, E) be an original graph, G+ = (V ∪ S, E ) the sybil-extended graph created by an adversary that targets a set of victims I ⊆ V, and G′ = t(ϕG+) the anonymised version of G+ created by the defender. Let $\rho_1$ and $\rho_2$ be two bijective functions from S ∪ I to the set of vertices $V_{G'}$ in G′. Let $G'_{\rho_1 S, \rho_1 I}$ and $G'_{\rho_2 S, \rho_2 I}$ be the two attacker subgraphs in G′ that correspond to the adversary's guesses $\rho_1$ and $\rho_2$, respectively. If $G'_{\rho_1 S, \rho_1 I}$ and $G'_{\rho_2 S, \rho_2 I}$ are isomorphic, then $p(\rho_1) = p(\rho_2)$.
In the remainder of this article, we will analyse the effectiveness of various anonymisation procedures by calculating the success probability of the adversary based on Proposition 1, and we will often resort to Assumption 1 when reasoning about the adversary's belief ρ.
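The following added example (written for this rewrite, not code from the paper) instantiates Proposition 1 together with Assumption 1 on a constructed toy instance: a 4-cycle as the original graph G, two sybil nodes forming a triangle with a single victim, a pseudonymisation ϕ, and one perturbation t that attaches a second triangle elsewhere in the published graph. It enumerates every injective guess ρ, keeps those under which the published graph reproduces the adversary's own pattern $G_{S,I}$ (all such guesses induce attacker subgraphs isomorphic to $G_{S,I}$, so Assumption 1 gives them equal probability; guesses that contradict the adversary's knowledge receive probability 0, a modelling choice made here), and computes the victim's re-identification probability before and after perturbation. The graph, the restriction to injective guesses, and every function name are assumptions of this example.

```python
from fractions import Fraction
from itertools import permutations


def attacker_knowledge(edges, sybils, victims):
    """G_{S,I} of Definition 1: the edges among sybil nodes and between sybil
    and victim nodes. Edges between two victims are unknown to the adversary."""
    known = set(sybils) | set(victims)
    return {frozenset(e) for e in edges
            if set(e) <= known and not set(e) <= set(victims)}


def consistent_guesses(pub_vertices, pub_edges, sybils, victims, knowledge):
    """Enumerate the injective guesses rho: S ∪ I -> V(t(ϕG+)) under which the
    published graph reproduces the adversary's pattern on S×S ∪ S×I (edges and
    non-edges alike). All of them induce attacker subgraphs isomorphic to G_{S,I},
    so Assumption 1 forces p to be uniform on this set; guesses contradicting the
    adversary's knowledge get p = 0 (a modelling choice of this example)."""
    pattern = list(sybils) + list(victims)
    pairs = [(a, b) for i, a in enumerate(pattern) for b in pattern[i + 1:]
             if a in sybils or b in sybils]
    guesses = []
    for image in permutations(sorted(pub_vertices), len(pattern)):
        rho = dict(zip(pattern, image))
        if all((frozenset((a, b)) in knowledge)
               == (frozenset((rho[a], rho[b])) in pub_edges) for a, b in pairs):
            guesses.append(rho)
    return guesses


def success_probability(pub_vertices, pub_edges, sybils, victims, knowledge, phi, u):
    """Proposition 1 for victim u: total probability of the guesses with
    rho(u) = ϕ(u), with p uniform over the consistent guesses."""
    guesses = consistent_guesses(pub_vertices, pub_edges, sybils, victims, knowledge)
    hits = sum(1 for rho in guesses if rho[u] == phi[u])
    return Fraction(hits, len(guesses))


# Constructed toy instance (not from the paper).
ORIGINAL_EDGES = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "A")}  # G: a 4-cycle
SYBILS = ["s1", "s2"]
VICTIMS = ["A"]
SYBIL_EDGES = {("s1", "s2"), ("s1", "A"), ("s2", "A")}  # sybils and victim form a triangle
KNOWLEDGE = attacker_knowledge(ORIGINAL_EDGES | SYBIL_EDGES, SYBILS, VICTIMS)

# Pseudonymisation ϕ of the sybil-extended graph G+.
PHI = {"A": 0, "B": 1, "C": 2, "D": 3, "s1": 4, "s2": 5}
PSEUDONYMISED_VERTICES = set(PHI.values())
PSEUDONYMISED_EDGES = {frozenset((PHI[a], PHI[b])) for a, b in ORIGINAL_EDGES | SYBIL_EDGES}

# One perturbation t: attach a second triangle (new vertices 6, 7) to the pseudonym
# of C, which gives the victim's pseudonym an automorphic twin.
PERTURBED_VERTICES = PSEUDONYMISED_VERTICES | {6, 7}
PERTURBED_EDGES = PSEUDONYMISED_EDGES | {frozenset(e) for e in [(6, 7), (6, 2), (7, 2)]}


def demo():
    """Victim A's re-identification probability before and after perturbation."""
    before = success_probability(PSEUDONYMISED_VERTICES, PSEUDONYMISED_EDGES,
                                 SYBILS, VICTIMS, KNOWLEDGE, PHI, "A")
    after = success_probability(PERTURBED_VERTICES, PERTURBED_EDGES,
                                SYBILS, VICTIMS, KNOWLEDGE, PHI, "A")
    return before, after


if __name__ == "__main__":
    print(demo())  # (Fraction(1, 3), Fraction(1, 6))
```

Before perturbation the published graph contains a single triangle, so the six guesses placing the sybils and the victim on it are equally likely and the victim is hit with probability 1/3. After the second triangle is attached, the perturbed graph is 2-symmetric and the probability drops to 1/6, inside the 1/k bound that Theorem 1 establishes for k-symmetric graphs.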

Applicability of current privacy properties against active attacks
In this section we make, to the best of our knowledge, the first connection between passive and active attacks by formally proving that k-symmetry provides protection against active attacks. We also prove that k-symmetry is incomplete, just like (k, )-anonymity, in the sense that neither of them characterises all anonymous graphs with respect to active attacks. Last, but not least, we show that neither does k-symmetry imply (k, )-anonymity, nor the other way around.

k-symmetry: an effective privacy model against active attacks
We use the introduced privacy model to prove that k-symmetry, the strongest notion of anonymity against passive attacks, also protects against active attacks.
Definition 2 (k-symmetry [44]). Let $\Gamma_G$ be the universe of automorphisms in G.

Theorem 1. Let G = (V , E ) be an original graph, G+ = (V ∪ S, E ) the sybil-extended graph created by an adversary that targets a set of victims I ⊆ V, and t(ϕG+) = (V, E) the anonymised version of G+ created by the defender. If t(ϕG+) satisfies k-symmetry, then for every vertex u ∈ I the probability of the adversary guessing the output of ϕ(u) is lower than or equal to 1/k.

Proof. Let G be a shorthand notation for t(ϕG+). Let $\Phi_{S,I}$ be the universe of mappings from the set of vertices in S ∪ I to the set of vertices in G. We define a relation ∼ between adversary's guesses in $\Phi_{S,I}$ by Because graph isomorphism is an equivalence relation, it follows that ∼ is also an equivalence relation. We use $\Phi_{S,I}/{\sim}$ to denote the partition of $\Phi_{S,I}$ into the set of equivalence classes with respect to ∼, and $[\rho]_{\sim}$ to denote the equivalence class containing ρ. Consider, given a victim u, a successful adversary guess $\rho_0 \in \Phi_{S,I}$, i.e. a mapping satisfying that $\rho_0(u) = \phi(u)$. Our first proof step is about showing that there exist k − 1 other mappings ρ Let $\rho_0(u) = v$. Because G satisfies k-symmetry, it follows that there exist k − 1 different vertices $\{v_1, \ldots, v_{k-1}\}$ that are automorphically equivalent to v. That is to say, there exist k − 1 automorphisms $\gamma_1, \ldots, \gamma_{k-1}$ in $\Gamma_G$ such that $\forall i \in \{1, \ldots, k-1\} : \gamma_i(v) = v_i \neq v$. Now, consider the mappings $\rho_i : S \cup I \to S_i \cup I_i$ defined by $\rho_i = \gamma_i \circ \rho_0$, for every $i \in \{1, \ldots, k-1\}$. On the one hand, given that $\gamma_1, \ldots, \gamma_{k-1}$ are automorphisms, it follows that $\gamma_i$ is an isomorphism from $G_{S_0,I_0}$ to $G_{S_i,I_i}$, for every $i \in \{1, \ldots, k-1\}$, which implies that $\rho_0 \sim \rho_i$. On the other hand, $\rho_i(u) = u_i \neq u_j = \rho_j(u)$ for every $i \neq j \in \{0, \ldots, k-1\}$. This allows us to conclude that $\rho_0, \ldots, \rho_{k-1}$ are pairwise different and that $\{\rho_0, \ldots, \rho_{k-1}\} \subseteq [\rho]_{\sim}$.

k-symmetry versus (k, )-anonymity
As proven in Theorem 1, k-symmetry provides protection against active attacks regardless of the number of sybil nodes inserted by the attacker, as opposed to (k, )-anonymity, which takes as a parameter a bound on the maximum number of sybil nodes. In spite of that, (k, )-anonymity is not weaker than k-symmetry. As we prove next, they are in fact incomparable.

Theorem 2. Let G k, be the universe of anonymised graphs such that no adversary with sybil nodes or less can re-identify a victim with probability lower than or equal to 1/k. There exist k > 1 and graphs G, G′, G″ ∈ G k, such that:
• G satisfies k-symmetry, but G does not satisfy (k, )-anonymity for some ≥ 1.
• G′ satisfies (k, )-anonymity for some ≥ 1, but G′ does not satisfy k-symmetry.

Proof. Figure 3(a) shows a 2-symmetric graph G which, for 2 ≤ ≤ 8, does not satisfy (k, )-anonymity for any k > 1. Moreover, Figure 3(b) shows a (2, 1)-anonymous graph G′ which can be verified not to satisfy k-symmetry for any k > 1. In fact, this graph even fails to satisfy k-degree anonymity for any k > 1. An example of a graph G″ proving the correctness of the last statement is displayed in Figure 3(c). That graph is neither 2-symmetric nor (2, 2)-anonymous.

Of independent interest is our proof that k-automorphism [48] does not protect against active attacks. This is a surprising result, given that k-automorphism and k-symmetry have traditionally been considered equivalent. We refer the interested reader to Appendix A.

Algorithm K-Match guarantees k-symmetry
In this section we prove that the algorithm K-Match, proposed in [48] as a sufficient condition to achieve k-automorphism, also guarantees k-symmetry. Given a graph G and a value of k, the K-Match algorithm obtains a supergraph G′ of G satisfying the following conditions: ), with addition taken modulo k.
To obtain G′, the algorithm first splits the vertices of G into k groups and arranges them in a k-column matrix M called the vertex alignment table (VAT for short). If $|V_G|$ is not a multiple of k, a number of dummy vertices is added to achieve this property. The VAT is organised in such a manner that the number of graph editions to perform in the second step of the process is close to the minimum. For convenience, in what follows we will denote by $v_{ij}$ the vertex of G placed in position $M_{ij}$ of the VAT. The second step of the method consists in adding edges to $E_G$ in such a way that conditions 2.a to 2.c are enforced. To that end, for every edge $(v_{ij}, v_{pq})$, all edges of the form $(v_{i,j+t}, v_{p,q+t})$, additions modulo k, are added to $E_G$ if they did not previously exist. Figure 4 shows an example of a VAT allowing to enforce 3-automorphism on the graph of Figure 2 that is, a function such that the image of every element is the one located one column to its right (modulo 3) on the same row, and that is, a function such that the image of every element is the one located two columns to its right (modulo 3) on the same row. In general, these functions are not automorphisms of G upon creation of the VAT. It is the second step of the method that will transform them into automorphisms by performing all necessary edge-copying operations. For example, the edge (C, A) needs to be added to Once the method is executed, each automorphism $\gamma_t$, $t \in \{1, \ldots, k-1\}$, defined in item 2 above is completely specified by the VAT, as $\gamma_t(v_{ij}) = v_{i,j+t}$, with addition modulo k, for every $i \in \{1, \ldots, |V_G|/k\}$ and every $j \in \{1, \ldots, k\}$.
We now show the link between the K-Match method and k-symmetry.
Theorem 3. Let G = (V, E) be a graph and let G′ = (V′, E′) be the result of applying algorithm K-Match to G for some parameter k. Then, G′ satisfies k-symmetry.
Proof. Let $u \in V_{G'}$ be an arbitrary vertex of G′, and let be the images of u by the automorphisms $\gamma_1, \gamma_2, \ldots, \gamma_{k-1}$ enforced on G′ by the execution of K-Match. By definition, we have that and, by conditions 2.a and 2.b, they are pairwise different. Thus, The most relevant consequence of Theorem 3 is that algorithm K-Match can also be used for protecting graphs against active adversaries, as it will ensure that no victim is re-identified with probability greater than 1/k.
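To make the edge-copying step and Theorem 3 concrete, the following added example (written for this rewrite; it is not the paper's code nor the K-Match authors' implementation) takes a small constructed graph with a hand-chosen VAT, applies the edge closure described above for k = 3, reads the maps $\gamma_t$ off the VAT and checks that they are automorphisms of the output, and then brute-forces the full automorphism group to confirm that every vertex becomes automorphically equivalent to at least k − 1 others. The VAT is fixed by hand rather than produced by a partitioning heuristic, and the graph, vertex names and function names are all assumptions of the example.

```python
from itertools import permutations


def k_match_edges(vat, edges):
    """Second step of K-Match: for every edge (v_ij, v_pq) add all edges
    (v_{i,j+t}, v_{p,q+t}), t = 1..k-1, with column indices taken modulo k."""
    k = len(vat[0])
    pos = {v: (i, j) for i, row in enumerate(vat) for j, v in enumerate(row)}
    closed = {frozenset(e) for e in edges}
    for u, v in edges:
        (i, j), (p, q) = pos[u], pos[v]
        for t in range(1, k):
            closed.add(frozenset((vat[i][(j + t) % k], vat[p][(q + t) % k])))
    return closed


def vat_shift(vat, t):
    """The map gamma_t read off the VAT: v_ij -> v_{i,j+t} (modulo k)."""
    k = len(vat[0])
    return {v: row[(j + t) % k] for row in vat for j, v in enumerate(row)}


def is_automorphism(edges, f):
    """A bijection on the vertex set of a finite graph that sends every edge to an
    edge maps the edge set onto itself, hence it is an automorphism."""
    return all(frozenset(f[x] for x in e) in edges for e in edges)


def orbits(vertices, edges):
    """Brute-force the automorphism group (fine for a handful of vertices) and
    return, for each vertex, the set of vertices automorphically equivalent to it."""
    vs = sorted(vertices)
    orbit = {v: {v} for v in vs}
    for image in permutations(vs):
        f = dict(zip(vs, image))
        if is_automorphism(edges, f):
            for v in vs:
                orbit[v].add(f[v])
    return orbit


def symmetry_level(vertices, edges):
    """Largest k for which the graph is k-symmetric: the smallest orbit size."""
    return min(len(o) for o in orbits(vertices, edges).values())


# Constructed input (not from the paper): six vertices, k = 3, VAT fixed by hand.
VAT = [["A", "B", "C"],
       ["D", "E", "F"]]
VERTICES = {v for row in VAT for v in row}
EDGES = {("A", "B"), ("A", "D"), ("B", "E"), ("C", "D")}  # F is isolated, hence unique


def demo():
    """Symmetry level before K-Match, size of the closed edge set, whether every
    VAT shift is an automorphism of the output, and symmetry level afterwards."""
    k = len(VAT[0])
    before = symmetry_level(VERTICES, {frozenset(e) for e in EDGES})
    closed = k_match_edges(VAT, EDGES)
    shifts_ok = all(is_automorphism(closed, vat_shift(VAT, t)) for t in range(1, k))
    after = symmetry_level(VERTICES, closed)
    return before, len(closed), shifts_ok, after


if __name__ == "__main__":
    print(demo())  # (1, 9, True, 3)
```

The isolated vertex F makes the input graph only 1-symmetric. Copying the four original edges along the VAT rows yields nine edges; the two row shifts are then automorphisms of the output, and the orbit of every vertex has exactly three elements, so the output is 3-symmetric, as Theorem 3 predicts.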

Experiments
The purpose of these experiments is to demonstrate the effectiveness and usability of k-symmetry, enforced using the K-Match algorithm, for protecting graphs against active adversaries leveraging a sufficiently large number of sybil nodes and the strongest attack strategy reported in the literature, namely the robust active attack introduced in [28]. Effectiveness is assessed in terms of the success rate measure used in previous works on active attacks [29,26,27,28], whereas usability is assessed in terms of several structural utility measures. In what follows, we describe the experimental setting, display the empirical results obtained and conclude the section with a discussion of these results.

Experimental setting
In order to make the results reported in this section comparable to previous works on active attacks and countermeasures against them [27,28], we study the behaviour of our proposed method on two types of randomly generated synthetic graphs. In the first case, we use Erdős-Rényi (ER) random graphs [12]. We generated 200,000 ER graphs, 10,000 for each density value in the set {0.1, 0.15, ..., 0.95, 1.0}. The second group of synthetic graphs was generated according to the Barabási-Albert (BA) model [3], which generates scale-free graphs. We used seed graphs of order 50 and every graph was grown by adding 150 vertices, and performing the corresponding edge additions. The BA model has a parameter m defining the number of new edges added for every new vertex. We generated 10,000 graphs for every value of m in the set {5, 10, ..., 50}. In generating each graph, the type of the seed graph was randomly selected among the following choices: a complete graph, an m-regular ring lattice, or an ER random graph of density 0.5. The probability of selecting each choice was set to 1/3. In both cases, the generated synthetic graphs have 200 nodes.
Based on the discussion on the plausible number of sybil nodes in Section 3, we set the number of sybils to ⌈log₂ 200⌉ = 8.
We analyse three values for the privacy parameter k: a low value, k = 2; a high value, k = ⌈log₂ n⌉ = 8; and an intermediate value, k = 5. For every value of k, we compare the behaviour of the K-Match algorithm, which ensures k-symmetry, and Mauw et al.'s algorithm for enforcing (k, Γ_{G,1})-adjacency anonymity [27]. In order to build the vertex alignment table, algorithm K-Match requires the vertex set of the input graph to be partitioned into k subsets such that the number of edges linking vertices in different subsets is close to the minimum. We used the multilevel k-way partitioning method reported in [19], specifically its implementation included in the METIS library, to obtain such a partition efficiently. The effectiveness of the anonymisation methods is measured in terms of their resistance to the robust active attack described in [28]. Thus, following the attacker-defender game described in Section 3, for every graph we first run the attacker subgraph creation stage. Then, for every resulting graph, we obtain the two variants of anonymised graphs. Finally, for each perturbed graph, we simulate the execution of the re-identification stage and compute its success rate as defined in [28], where X is the set of equally-most-likely sybil subgraphs retrieved in t(ϕG⁺) by the third phase of the attack, and Y_X contains all equally-most-likely fingerprint matchings according to X. In order to obtain the scores used for comparing the effectiveness of the different approaches, we compute for every method the average of the success rates over every group of 10,000 graphs sharing the same set of parameter choices. The anonymisation methods are also compared in terms of utility. To that end, we measure the distortion caused by each method on a number of global graph statistics, namely the global clustering coefficient, the averaged local clustering coefficient, and the similarity between the degree distributions, measured in terms of the cosine of the angle between the degree vectors, following the approach introduced in [15,26].

Results and discussion

Regarding the effectiveness of the anonymisation methods, the results in Figure 5 clearly show that K-Match is considerably more effective against the robust active attack than (k, Γ_{G,1})-adjacency anonymity. These results are particularly relevant in light of the fact that (k, Γ_{G,1})-adjacency anonymity was until now the sole formal privacy property providing non-negligible protection against the original active attack and some instances of the robust active attack [27,28]. Finally, the experiments shown here are the first in which the robust active attack leveraging ⌈log₂ n⌉ sybils is consistently thwarted by anonymisation methods based on formal privacy properties. So far, this had only been achieved via the addition of (large amounts of) random noise [28].

Regarding utility, both methods have a small impact on the overall similarity of the degree distributions, as illustrated in Figure 6. This does not mean that the degrees are not affected by the methods. In fact, both methods increase most degrees, but in a manner that does not significantly affect the ordering of vertices in terms of their degrees. Regarding clustering coefficient-based utilities, we can observe in Figures 7 and 8 that the superior effectiveness of K-Match does come at the price of a larger degradation in the values of the local and global clustering coefficients.
The main takeaway from the experimental results presented in this section is that our refinement of the notion of re-identification probability for active adversaries has led to identifying, for the first time, an anonymisation method satisfying two key properties: (i) featuring a theoretically sound privacy guarantee against active attackers, and (ii) having this privacy guarantee translate into effective resistance to the strongest active attack reported so far, even when the attacker leverages a large number of sybil nodes.

Conclusions
We have introduced a new probabilistic interpretation of active re-identification attacks on social graphs. This enables the privacy-preserving publication of social graphs in the presence of active adversaries by jointly preventing the attacker from unambiguously retrieving the set of sybil nodes, and from using the sybil nodes for re-identifying the victims. Under the new formulation, we have shown that the privacy property k-symmetry provides a sufficient condition for the protection against active re-identification attacks. Moreover, we have shown that a previously existing efficient algorithm, K-Match, guarantees k-symmetry. Through a series of experiments, we have demonstrated that our approach allows, for the first time, to publish anonymised social graphs with formal privacy guarantees that effectively resist the robust active attack introduced in [28], which is the strongest active re-identification attack reported in the literature, even when it leverages a large number of sybil nodes.
The active adversary model addressed in this paper assumes that the (inherently dynamic) social graph is published only once.A more general scenario, where snapshots of a dynamic social network are periodically published in the presence of active adversaries, has recently been proposed in [7], and the robust active attack from [28] has been adapted to benefit from this scenario.Our main direction for future work consists in leveraging our methodology to propose anonymisation methods suited for this new publication scenario.
Definition 3 (k-automorphism [48]). An automorphism is an isomorphism from a graph to itself. Formally, an automorphism γ within a graph G = (V, E) is a bijective function γ : V → V such that ∀v_1, v_2 ∈ V : (v_1, v_2) ∈ E ⟺ (γ(v_1), γ(v_2)) ∈ E. A graph G is said to be k-automorphic if there exist k − 1 non-trivial automorphisms ϕ_1, ϕ_2, ..., ϕ_{k−1} of G such that ϕ_i(v) ≠ ϕ_j(v) for every v ∈ V_G and every pair i, j satisfying 1 ≤ i < j ≤ k − 1 (for k = 2 this last condition is vacuous, since a single automorphism is required). However, a condition missing from Definition 3, namely requiring every ϕ_i to satisfy ϕ_i(v) ≠ v for every v, invalidates the claim that a k-automorphic graph resists structural re-identification. Consider the graph shown in Figure 9. This graph satisfies k-automorphism as defined in Definition 3, as can be verified by the existence of the non-trivial automorphism γ = {(v_1, v_5), (v_2, v_6), (v_3, v_4), (u, u)}, yet the graph is vulnerable even to the simplest structural attack, the degree-based attack, as vertex u is the sole vertex with degree 2 (and, since automorphisms preserve degrees, every automorphism fixes u, so |[u]_≅| = 1). It is worth noting that this limitation of k-automorphism does not necessarily invalidate existing anonymisation methods. This is exemplified by the K-Match algorithm itself, which does provide the intended protection because the property it directly enforces is the so-called k different matches principle (see [48]), which in turn is not equivalent to k-automorphism, but stronger.
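The following Python check is an added example, not code from the paper, and makes the gap in Definition 3 concrete. The edge set of Figure 9 is not listed on the page, so the graph below is a constructed one that admits the automorphism γ = {(v_1, v_5), (v_2, v_6), (v_3, v_4), (u, u)} given above and in which u is the only vertex of degree 2. It passes Definition 3 exactly as written for k = 2, yet γ fixes u and the degree-based attack singles u out; with the missing condition ϕ_i(v) ≠ v added, the same input is rejected. Function names are assumptions.

```python
"""Definition 3 as written versus the degree-based attack (added example)."""
from collections import Counter
from itertools import combinations


def is_automorphism(vertices, edges, f):
    """f is an automorphism iff it is a bijection on V that maps E onto E."""
    if set(f) != set(vertices) or set(f.values()) != set(vertices):
        return False
    edges = {frozenset(e) for e in edges}
    return {frozenset(f[a] for a in e) for e in edges} == edges


def satisfies_definition_3(vertices, edges, autos, k, forbid_fixed_points=False):
    """k-automorphism as stated in Definition 3: k-1 non-trivial automorphisms
    with pairwise different images at every vertex. As written, nothing
    forbids phi_i(v) = v; pass forbid_fixed_points=True to add that condition."""
    if len(autos) != k - 1:
        return False
    if not all(is_automorphism(vertices, edges, f) for f in autos):
        return False
    if any(all(f[v] == v for v in vertices) for f in autos):
        return False  # the identity is the trivial automorphism
    if forbid_fixed_points and any(f[v] == v for f in autos for v in vertices):
        return False
    return all(f[v] != g[v] for f, g in combinations(autos, 2) for v in vertices)


def fixed_points(vertices, f):
    return sorted(v for v in vertices if f[v] == v)


def degree_attack(vertices, edges):
    """Degree-based structural attack: a vertex whose degree is unique in the
    graph is re-identified outright. Automorphisms preserve degrees, so such
    a vertex is fixed by every automorphism and its class [v] has size 1."""
    deg = Counter()
    for a, b in edges:
        deg[a] += 1
        deg[b] += 1
    multiplicity = Counter(deg[v] for v in vertices)
    return sorted(v for v in vertices if multiplicity[deg[v]] == 1)


# Constructed graph (NOT Figure 9's edge set, which the text does not list):
# triangles v1 v2 v3 and v4 v5 v6 joined by v1-v5 and v2-v6, plus u adjacent
# to v3 and v4. Every vertex has degree 3 except u, which has degree 2.
V = ["v1", "v2", "v3", "v4", "v5", "v6", "u"]
E = [("v1", "v2"), ("v1", "v3"), ("v2", "v3"),
     ("v4", "v5"), ("v4", "v6"), ("v5", "v6"),
     ("v1", "v5"), ("v2", "v6"), ("v3", "u"), ("v4", "u")]
GAMMA = {"v1": "v5", "v5": "v1", "v2": "v6", "v6": "v2",
         "v3": "v4", "v4": "v3", "u": "u"}


def demo():
    return {"definition_3_as_written": satisfies_definition_3(V, E, [GAMMA], 2),
            "definition_3_with_missing_condition":
                satisfies_definition_3(V, E, [GAMMA], 2, forbid_fixed_points=True),
            "fixed_points": fixed_points(V, GAMMA),
            "reidentified_by_degree": degree_attack(V, E)}


if __name__ == "__main__":
    print(demo())
```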

Figure 1: A hierarchy of privacy properties. An arrow has the standard logical interpretation, i.e. P ⟹ P' means that a graph satisfying P also satisfies P'. Left side: models for passive attacks. Right side: models for active attacks. Interrogation marks indicate connections that have not been established yet.
Figure 2: An active re-identification attack viewed as an attacker-defender game. First stage: sybil nodes are added and victim fingerprints are created. Second stage: the attacker subgraph is recovered, victims are re-identified, and the existence of a relation is revealed.
Two vertices u and v in G are said to be automorphically equivalent, denoted u ≅ v, if there exists an automorphism γ ∈ Γ_G such that γ(u) = v. Because ≅ is an equivalence relation on the vertex set of G, let [u]_≅ denote the equivalence class of u. G is said to satisfy k-symmetry if for every vertex u it holds that |[u]_≅| ≥ k.

Figure 4: An example of a VAT for the graph shown in Figure 2(b).

Figure 5 shows the success rates of the attack on both random graph collections, whereas Figures 6, 7 and 8 show utility values in terms of degree distribution similarity, variation of the global clustering coefficient and variation of the averaged local clustering coefficient, respectively.

Figure 9: A counterexample graph showing that k-automorphism does not achieve the intended privacy protection.