The present invention generally relates to a database system, and more specifically to responding to a database query by executing a differentially private version of the query on the database.
Personally identifiable information, such as health data, financial records, telecom data, and confidential business intelligence, such as proprietary data or data restricted by contractual obligations, is valuable for analysis and collaboration. Yet, only a fraction of such sensitive information is used by organizations or analysts for statistical or predictive analysis. Privacy regulations, security concerns, and technological challenges suppress the full value of data, especially personally identifiable information and confidential and proprietary records.
Methods that attempt to solve this problem, such as access controls, data masking, hashing, anonymization, aggregation, and tokenization, are invasive and resource intensive, compromise analytical utility, or do not ensure privacy of the records. For example, data masking may remove or distort data, compromising the statistical properties of the data. As another example, many of the above mentioned methods are not effective when information is stored in disparate data sources. Technology which enables organizations or analysts to execute advanced statistical and predictive analysis on sensitive information across disparate data sources without revealing record-level information is needed.
A request to perform a query of a private database system is received by a privacy device from a client device. The request is associated with a level of differential privacy. A privacy budget corresponding to the received request is accessed by the privacy device. The privacy budget includes a cumulative privacy spend and a maximum privacy spend, the cumulative privacy spend representative of previous queries of the private database system. A privacy spend associated with the received request is determined by the privacy device based at least in part on the level of differential privacy associated with the received request. If a sum of the determined privacy spend and the cumulative privacy spend is less than the maximum privacy spend, the privacy device provides a set of results to the client device in response to the performed query and updates the cumulative privacy spend by incrementing the cumulative privacy spend by an amount equal to the determined privacy spend. Otherwise, in response to the sum of the cumulative privacy spend and the determined privacy spend being equal to or greater than the maximum privacy spend, a security policy associated with the privacy budget is accessed and a security action is performed based on the accessed security policy and the received request.
The Figures (FIGS.) and the following description describe certain embodiments by way of illustration only. One skilled in the art will readily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles described herein. Reference will now be made in detail to several embodiments, examples of which are illustrated in the accompanying figures. It is noted that wherever practicable similar or like reference numbers may be used in the figures and may indicate similar or like functionality.
System Overview
The database 106 is one or more private databases managed by one or more entities that can only be accessed by authorized or trusted users. For example, the database 106 may contain health data of patients, financial records, telecom data, and confidential business intelligence, such as proprietary data or data restricted by contractual obligations. The information stored in the database 106 is of interest to one or more clients 104, but clients 104 may not have the necessary authorization to access information contained in the databases 106.
The feature values may be numerical in nature, e.g., Features 1 and 10, or categorical in nature, e.g., Features 2 and 11. In the case of categorical feature values, each category may be denoted as an integer. For example, in Feature 11 of
Returning to
The query 108 submitted by the client 104 may be simple queries, such as count queries that request the number of entries in the databases 106 that satisfy a condition specified by the client 104, or complicated queries, such as predictive analytics queries that request a data analytics model trained on the databases 106. Upon submitting a query 108 to the differentially private security system 102, the client 104 receives a DP response 112 to a differentially private version of the submitted query 114.
The client 104 specifies a set of privacy parameters each time the client 104 submits query 108. The privacy parameters indicate an amount of decrease in the privacy budget of the client 104 in return for a response to the query 108. As described below in more detail with reference to the privacy system 160 in
The differentially private security system 102 receives an analytical query 108 from the client 104 and applies a differentially private version of the query 114 on the database 106, such that it releases a degree of information about the database 106 indicated by the privacy parameters specified by the client 104, but also protects a degree of privacy of the databases 106 specified by the entities managing the database 106. For example, the entities managing the database 106 may also set a maximum threshold on the degree of information released about the database 106 for a given query 108 that the client 104 may not exceed. Thus, the differentially private security system balances privacy protection of the database 106 while releasing useful information on the database 106 to the client 104. The differentially private security system 102 may have complete or partial access to the databases 106.
Upon receiving a query 108, the differentially private security system 102 applies DP query 114 to the database 106 and returns a DP response 112 to the client 104. The DP query 114 is a differentially private version of the query 108 that satisfies a definition of differential privacy described in more detail with reference to the privacy system 160 in
Differentially Private Security System
The differentially private security system 102 includes a user interface 150, a library 152, an account management system 154, a query handling engine 156, a data integration module 158, and a privacy system 160. Some embodiments of the differentially private security system 102 have different or additional modules than the ones described here. Similarly, the functions can be distributed among the modules in a different manner than is described here. Certain modules and functions can be incorporated into other modules of the differentially private security system 102.
The user interface 150 can generate a graphical user interface on a dedicated hardware device of the differentially private security system 102 or the client 104 in which the client 104 can submit an analytical query 108 and the desired privacy parameters, and view DP response 112 in the form of numerical values or images. The client 104 may also inspect database 106 schemata, view an associated privacy budget, or cache the DP response 112 to view the response later. The user interface 150 submits properly formatted query commands to other modules of the differentially private security system 102.
The library 152 contains software components that can be included in external programs that allow the client 104 to submit the analytical query 108, receive the DP response 112, and other functions within a script or program. For example, the client 104 may use the software components of the library 152 to construct custom data analytic programs. Each of the software components in the library 152 submits properly formatted query commands to other modules of the differentially private security system 102.
The account management system 154 receives properly formatted query commands (herein “query commands” or “QC”), parses the received query commands, and updates the account of the client 104 according to the received query command. For example, the account management system 154 may check the query commands for syntactic correctness, or check whether a client 104 has access to a requested resource. As another example, the account management system 154 may check whether the privacy parameters specified by the client 104 for a given analytical query 108 can be accommodated, and if so, decrement the privacy budget of the client 104 by the amount specified in the query 108. Query commands verified by the account management system 154 are provided to the query handling engine 156. Examples of query commands accommodated by the differentially private security system 102 are listed below.
The query handling engine 156 transforms the received query commands into appropriate function calls and database access commands by parsing the query command string. The function calls are specific to the query 108 requested by the client 104, and the access commands allow access to the required database 106. Different databases 106 require different access commands. The access commands are provided to the database integrator 158.
The database integrator 158 receives the access commands to one or more databases 106 and collects the required databases 106 and merges them into a single data object. The data object has a structure similar to that of a database structure described in reference to
The privacy system 160 receives the data object from the database integrator 158, appropriate function calls from the query handling engine 156 indicating the type of query 108 submitted by the client 104, privacy parameters specified for the query 108, and produces a DP response 112 to a differentially private version of the query 108 with respect to the databases 106. The privacy system 160 will be described in further detail in reference to
Privacy System
Definition of Differential Privacy
For a given query 108, the privacy system 160 receives a data object X, function calls indicating the type of query 108, privacy parameters specified by the client 104, and outputs a DP response 112 to a differentially private version of the query 108 with respect to X Each data object X is a collection of row vectors xi=1, 2, . . . , n, in which each row vector xi has a series of p elements xij=1, 2, . . . , p.
A query M satisfies the definition of ε-differential privacy if for all:
where is the space of all possible data objects, X, X′ neighboring data objects, S is an output space of query M, and neighboring databases are defined as two data objects X, X′ that have at most one different entry from one another. That is, given two neighboring data objects X, X′ in which one has an individual's data entry, and the other does not, there is no output of query M that an adversary can use to distinguish between X, X′. That is, an output of such a query M that is differentially private reveals no information about the data object X. The privacy parameter ε controls the amount of information that the query M reveals about any individual data entry in X, and represents the degree of information released about the entries in X. For example, in the definition given above, a small value of E indicates that the probability an output of query M will disclose information on a specific data entry is small, while a large value of E indicates the opposite.
As another definition of differential privacy, a query M is (ε,δ)-differentially private if for neighboring data objects X, X′:
The privacy parameter δ measures the improbability of the output of query M satisfying ε-differential privacy. As discussed in reference to
There are three important definitions for discussing the privacy system 160: global sensitivity, local sensitivity, and smooth sensitivity. Global sensitivity of a query M is defined as
where X, X′ are any neighboring data objects, such that d(X, X′)=1. This states that the global sensitivity is the most the output of query M could change by computing M on X and X′.
The local sensitivity of a query Mon the data object X is given by:
where the set {X′: d(X, X′)=1} denotes all data objects that have at most one entry that is different from X. That is, the local sensitivity LSM(X) is the sensitivity of the output of the query M on data objects X′ that have at most one different entry from X, measured by a norm function.
Related to the local sensitivity LSM(X), the smooth sensitivity given a parameter β is given by:
where d(X, X′) denotes the number of entries that differ between X and X′.
Notation for Random Variables
The notation in this section is used for the remainder of the application to denote the following random variables.
Further, a vector populated with random variables R as its elements is denoted by v(R). A matrix populated with random variables R as its elements is denoted by M(R).
Count Engine 302
The count engine 302 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for counting the number of entries in a column of the data object X that satisfy a condition specified by the client 104, given privacy parameters (ε,δ). An example query command for accessing the count engine 302 is given in QC1 above. For the example data object X shown in
The count engine 302 retrieves the count q from X. If privacy parameter δ is equal to zero, the count engine 302 returns
as the DP response 112 for display on the user interface 150, where c1 is a constant. An example value for c1 may be 1. If the privacy parameter δ is non-zero, the count engine 302 returns
as the DP response 112 for display on the user interface 150, where c1 is a constant. An example value for c1 may be 1.
The client 104 may request visualization of entries in the data object X for analysis of trends or patterns that depend on the features of the entries. In one embodiment, the privacy system 160 generates a differentially private visualization of the requested data entries from X.
The privacy system 160 first maps the requested entries from X for the selected features specified by the client 104. For example, as shown in the visualization 410 of
For each disjoint region, the privacy system 160 submits a differentially private count query to the count engine 302, and randomly plots a number of entries determined by the DP response 112 of the count engine 302 for that region. The resulting DP visualization plot is returned to the client 104 for display to a user by the user interface 150. For example, square 440 in visualization 410 contains 3 entries, while the same square in DP visualization 420 contains 4 randomly plotted entries determined by the DP response 112 of the count engine 302.
Median Engine 304
The median engine 304 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for generating the median of entries in a column of the data object X that satisfy a condition specified by the client 104, given privacy parameters (ε,δ). An example query command for accessing the median engine 304 is given in QC2 above. For the example data object X shown in
The median engine 304 aggregates the values of entries satisfying the condition specified by the client 104 into a list U, and retrieves the median q from U. If privacy parameter δ is equal to zero, the median engine 304 returns
as the DP response 112 for display on the user interface 150, in which c1, c2 are constant factors. Example values for c1, c2 may be 6 and 1/6, respectively. If δ is non-zero, the median engine 304 returns
as the DP response 112 for display on the user interface 150. Example values for c1, c2 may be 2 and 1, respectively.
Mean Engine 306
The mean engine 306 produces a DP response 112 responsive the differentially private security system 102 receiving a query 108 for generating the mean of entries in a column of the data object X that satisfy a condition specified by the client 104, given privacy parameters (ε,δ). An example query command for accessing the mean engine 306 is given in QC3 above. For the example data object X shown in
The mean engine 306 aggregates the values of entries satisfying the condition specified by the client 104 into a list U. Assuming there are n values in U, the mean engine 306 further divides U into m sub-lists Vj=1, 2, . . . , m each with n/m values. The mean engine 306 aggregates each mean rj of sub-list Vj into a list R. The mean engine 306 requests a differentially private median query of the values in R to the median engine 304. The resulting output from the median engine 304 is returned as the DP response 112 for display on the user interface 150.
Variance Engine 308
The variance engine 308 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for generating the variance of entries in a column of the data object X that satisfy a condition specified by the client 104, given privacy parameters (ε,δ). An example query command for accessing the variance engine 308 is given in QC4 above. For the example data object X shown in
The variance engine 308 aggregates the values of entries satisfying the condition specified by the client 104 into a list U. Assuming there are n values in U, the variance engine 308 further divides U into m sub-lists Vj=1, 2, . . . , m each with n/m values. The variance engine 308 aggregates each variance rj of sub-list Vj into a list R. The variance engine 308 requests a differentially private median query of the values in R to the median engine 304. The resulting output from the median engine 304 is returned as the DP response 112 for display on the user interface 150.
IQR Engine 310
The IQR engine 310 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for generating the interquartile range (IQR) of entries in a column of the data object X that satisfy a condition specified by the client 104, given privacy parameters (ε,δ). An example query command for accessing the IQR engine 310 is given in QC5 above. For the example data object X shown in
In one embodiment, the IQR engine 310 aggregates the values of entries satisfying the condition specified by the client 104 into a list U. Assuming there are n values in U, the sample IQR of U is denoted as IQR(U), and a log transform of IQR(U) is denoted as:
The IQR engine 310 further maps the quantity Hn(U) to an integer k0 such that Hn(U)∈[k0, k0+1). The IQR engine 310 extracts a value A0(U) indicating the number of entries in U required to change in order for the new list Ũ to satisfy Hn(Ũ)∉[k0, k0+1).
The IQR engine 310 then generates a value R0(U) given by:
in which c1 is a constant factor. If R0(U) is greater than a predetermined threshold, the IQR engine 310 returns
as the DP response 112 for display on the user interface 150. If R0(U) is equal to or less than the predetermined threshold, the IQR engine 310 returns “No Answer” as the DP response 112 for display on the user interface 150.
In another embodiment, the IQR engine 310 aggregates the values of entries satisfying the condition specified by the client 104 into an ordered list U. The IQR engine 310 retrieves the first quartile and the third quartile from U, given by q and q′, respectively. If δ is zero, the IQR engine 310 returns:
as the DP response 112 for display on the user interface 150, in which c1, c2 are constant factors.
If δ is non-zero, the IQR engine 310 returns:
as the DP response 112 for display on the user interface 150, in which c1, c2 are constant factors.
Batch Gradient Engine 312
The batch gradient engine 312 produces a DP response 112 responsive to the differentially private security system 102 receiving a valid query 108 for generating a set of parameters θ for a general linear model that captures the correlation between a series of observable features and a dependent feature, given privacy parameters (ε,δ). The general linear model is trained on the selected columns of X. An example query command for accessing the batch gradient engine 312 is given in QC6 above.
Given a row vector x that contains a series of observable features and a label feature y, the correlation between the observable features and the label feature in a general linear model may be given as:
y=xθT,
where θ is a row vector containing parameters of the model. That is, the label feature is modeled as a weighted sum of the observable features, where each value in θ is the weight given to a corresponding observable feature.
For the example data object X shown in
Examples of general linear models supported by the batch gradient engine 312 are, but not limited to, linear regression, logistic regression, and support vector machine (SVM) classifiers.
The optimal values for the set of parameters θ is found by training the general linear model on training data (Xtrain, ytrain) consisting of selected columns of data object X. Specifically, Xtrain is a matrix database in which each column corresponds to a selected observable feature, and y is a column vector of the selected label feature values. Each entry in Xtrain has a one-to-one correspondence with an entry in y. The optimal θ is generally found by minimizing a loss function on (Xtrain, ytrain) over possible values of θ. Mathematically, the minimization is given by:
The batch gradient engine 312 returns a DP response 112 θDP of a differentially private batch gradient query by perturbing the loss function to be minimized. Specifically, the perturbed minimization is given by:
in which K is the Lipschitz constant for loss function l(⋅). If j is the index of the columns in Xtrain, xij denotes the value of entry i and column j in Xtrain, and it is publicly known that for each column j, aj≤xij≤bj, R2 may be given by:
R2=max(∥u∥2|aj≤uj≤bj)
where u is a vector having elements uj. The DP response 112 θDP may be provided for display on the user interface 150.
Stochastic Gradient Engine 314
Similarly to the batch gradient engine 312, the stochastic gradient engine 314 produces a DP response 112 responsive to the differentially private security system 102 receiving a valid query 108 for generating a set of parameters θ for a general linear model that captures the correlation between a series of observable features and a label feature, given privacy parameters (ε,δ). An example query command for accessing the stochastic gradient engine 314 is given in QC7 above.
Similar to the batch gradient engine 312, examples of general linear models supported by the stochastic gradient engine 314 are, but not limited to, linear regression, logistic regression, and support vector machine (SVM) classifiers.
The stochastic gradient engine 314 also minimizes a loss function on training data (Xtrain, ytrain) over possible values of θ to find the optimal vales of parameter vector θ. However, the stochastic gradient engine 314 may minimize the loss function based on individual points or a subset of the training data, instead of the entire training data.
As discussed in reference to the batch gradient engine 312, a general minimization problem for finding the optimal values for θ over training data (Xtrain, ytrain) is given by:
where l(⋅) is a loss function. The minimization is solved by applying stochastic gradient descent on the loss function l(⋅) with respect to θ. This involves the steps of identifying an initial set of values for θ, calculating the gradient of the loss function with respect to θ, and updating θ based on the calculated gradient. The steps are repeated until the algorithm reaches convergence, and an optimal set of values for θ that minimize the loss function are identified.
Specifically, given the estimate for the parameter θt at time t, stochastic gradient descent generates a new estimate θt+1 at the next time step t+1 by the following equation:
θt+1=θt−ηt·n·∇θ
in which ∇θtl(Xtrain, ytrain; θ) is the gradient of the loss function with respect to θ, and ηt is the learning rate. The algorithm is repeated until the estimate for θ converges.
The stochastic gradient engine 314 returns a DP response 112 θDP of a differentially private stochastic gradient query by perturbing the update of θ at one or more time steps of the stochastic gradient descent algorithm. Specifically, a perturbed update at time t to t+1 is given by:
The stochastic gradient engine 314 may output the perturbed update at each time step as the DP response 112 for display on the user interface 150, or the converged parameter vector θDP as the DP response 112 for display on the user interface 150.
Random Forest Engine 316
The random forest engine 316 produces a DP response 112 responsive to the differentially private security system 102 receiving a valid query 108 for generating a trained random forest classifier that bins a series of feature values into one among multiple categories, given privacy parameters (ε,δ). The random forest classifier is trained on the selected columns of X. An example query command for accessing the random forest engine 316 is given in QC8 above. For the example data object X shown in
The random forest classifier, is trained on training data (Xtrain, ytrain) to learn the correlation between the selected features of an entry and the category the entry belongs to. Specifically, Xtrain is a matrix database in which each column corresponds to a selected feature of interest to the client 104, and y is a column vector of already known labels indicating the category of a corresponding entry. Each entry in Xtrain has a one-to-one correspondence with a label entry in y. Upon being trained, the random forest classifier, or a classifier in general, receives a new data entry with selected feature values and generates an estimate of the category for the new entry.
The random forest classifier is an ensemble of individual binary decision tree classifiers, in which each binary decision tree generates an estimate for the category of an entry. Given a new data entry, the random forest classifier aggregates the category estimates from each binary decision tree and produces a final estimate for the category of the data entry.
For each trained binary decision tree, each node except the root node corresponds to a partition of training data entries formed by a splits at a parent node. The splits at the parent node is based on a test condition of a feature of the training data (Xtrain, ytrain) that compares the feature value of an entry to a reference value, and verifies whether the feature value meets that condition or not. Returning to the example shown in
At the end of the training process, each leaf node is associated with a category that has a dominant proportion in the corresponding partition at the leaf node. In
The random forest engine 316 returns a DP response 112 of a differentially private random forest query by perturbing the proportion of training data entries at leaf nodes of each trained binary decision tree. Specifically, the random forest engine 316 trains a random forest classifier T with an ensemble of Ntrees binary decision trees Bj=1, 2, . . . , N
The random forest engine 316 returns the random forest classifier TDP containing an ensemble of perturbed binary decision trees BDPj=1, 2, . . . , Ntrees as the DP response 112. Moreover, the random forest engine 316 may display the perturbed proportion of data entries for leaf nodes of each binary decision tree BDPj=1, 2, . . . , Ntrees for display on the user interface 150.
Histogram Engine 318
The histogram engine 318 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for generating a histogram of a selected column in X, given privacy parameters (ε,δ). The histogram engine 318 creates one or more bins corresponding to one or more disjoint ranges of the selected feature values, and indicates the number or proportion of entries that belong to each bin. An example query command for accessing the histogram engine 318 is given in QC9 above. For the example data object X shown in
The histogram engine 318 returns a DP response 112 of a differentially private histogram query by perturbing the counts for each bin.
In one embodiment, the histogram engine 318 generates the requested histogram from the selected column of X, and perturbs the counts of each bin by submitting a request to the count engine 302.
In another embodiment, the histogram engine 318 generates the requested histogram from the selected column of X, and perturbs the counts of each bin by decomposing the counts using a private wavelet decomposition algorithm. In such an embodiment, the histogram engine 318 aggregates the counts qi=1, 2, . . . , B for each bin bi=1, 2, . . . , B into a matrix (or vector) Q. The histogram engine 318 decomposes Q into a tree structure that is representative of a wavelet decomposition. Each leaf node of the tree corresponds to a count qi, and each parent node of the tree corresponds to one of multiple wavelet coefficients cj=1, 2, . . . , m. The value of a wavelet coefficient cj is calculated based on the counts qi incorporated in the leaf nodes of the tree. This allows a count qi to be reconstructed as a function ƒi of the wavelet coefficients cj=1, 2, . . . , m. That is, for each count qi:
qi=ƒi(c0,c1, . . . ,cm).
The histogram engine 318 generates a perturbed histogram by perturbing the wavelet coefficients, and reconstructing the counts using the perturbed wavelet coefficients. Specifically, the perturbed wavelet coefficients cDPi=1, 2, . . . , m are given by:
The reconstructed counts from the perturbed wavelet coefficients is now given by:
qiDP=ƒi(c0DP,c1DP, . . . ,cmDP).
The histogram engine 318 outputs the perturbed histogram as the DP response 112 for display on the user interface 150.
In one embodiment, the histogram engine 318 may also be used to generate a differentially private visualization of data entries as described above in reference to the count engine 302 and
Model Testing Engine 320
The model testing engine 320 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for testing the performance of a classification model, given privacy parameters (ε,δ). The classification model is trained and tested on selected columns of X. As such, the model testing engine 320 may be appended to any other module that trains a classifier on X, such as the batch gradient engine 312, the stochastic gradient engine 314, or the random forest engine 316. For the example data object X shown in
As discussed in reference to the random forest engine 316, classification models in general is trained on training data (Xtrain, ytrain) to learn the correlation between selected features of an entry and the category the entry belongs to. The training data (Xtrain, ytrain) may be extracted from a subset of entries contained in the data object X. Upon being trained, the classifier is able to receive a new data entry containing values for the selected features and generate an estimate of the category for the new entry.
Often times, the estimate of the category for an entry is determined by applying a cutoff threshold to a numerical, not categorical, output of a classifier. For example, in the random forest classifier described in reference to the random forest engine 316, the category associated with a leaf node tL, is determined by the proportion of training data entries associated with each category, which is a numerical value. The random forest engine 316 may determine that a leaf node is associated with category “0” if the proportion of entries associated with label “0” is above a cutoff threshold of 0.5, 0.6, or 0.7. As another example, logistic regression classifiers output a numerical value in the range of [0, 1] given an entry of feature values. The entry may be classified into category “0” if the associated output is below a cutoff threshold of 0.5, 0.4, or 0.3. Regardless of the example, the cutoff threshold for determining the boundary between each category is a critical parameter depending on the context the classifier is applied to.
The model testing engine 320 receives a trained classifier and tests the performance of the trained classifier a series of cutoff thresholds, and generates a confusion matrix for each threshold indicating the performance of the classifier. The model testing engine 320 may test the performance of the classifier on testing data (Xtest, ytest) Similarly to training data, Xtest contains a set of entries with selected feature values, and ytest contains a vector of already known labels for each corresponding entry in Xtest. However, in contrast to training data, testing data (Xtest, ytest) comprises entries that are not present in training data (Xtrain, ytrain). That is, testing data comprises entries that the classifier has not “seen” yet.
The model testing engine 320 generates a series of cutoff thresholds based on the numerical values of p.
For example, as shown in
For each threshold mi, the model testing engine 320 generates corresponding category label estimates from p, and compares the estimates to the vector of known labels ytest. Given the comparisons, the model testing engine 320, constructs a confusion matrix that evaluates the performance of the classifier.
For each threshold mi, the model testing engine 320 generates a perturbed confusion matrix by using the histogram engine 318. This is because each entry contributes to only one among the 4 disjoint categories, and thus, the entries in the confusion matrix 700 can be viewed as a histogram. The model testing engine 320 outputs each threshold mi, and the corresponding perturbed confusion matrix as the DP response 112 for display on the user interface 150.
Synthetic Database Engine 322
The synthetic database engine 322 produces a DP response 112 responsive to the differentially private security system 102 receiving a query 108 for transforming X into a synthetic database S, given privacy parameters (ε,δ). The resulting synthetic database S has a number of entries corresponding to that in X, but a fewer number of columns or features than X. Moreover, the spatial relationship between a pair of entries in X is retained in S. The transformation of X to S is (ε,δ)-differentially private with respect to a neighboring data object X′ with a 1-element difference from X.
The synthetic database engine 322 produces a DP response 112 of a differentially private synthetic database query by projecting the elements of X to S using a projection matrix. Assuming that data object X is a n×p matrix having n rows and p columns, the transformation by the synthetic database engine 322 is given by:
where J is a p×k projection matrix, with k<p. The resulting synthetic database matrix S is a n×k matrix containing equal number of entries or rows as data object matrix X, but containing a smaller number of features or columns than the original data object X.
As discussed above, the transformation using projection matrix J is (ε,δ) differentially private. Moreover, the spatial relationship between a pair of entries in X is retained in S. That is, the distance between a pair of entries (xi,xj) in the p-dimensional feature space of X is approximately equal to the distance between a pair of entries (si,sj) in the k-dimensional feature space of S. The synthetic database engine 322 outputs S as the DP response 112 for display on the user interface 150.
In the example of
Validation Engine 324
The validation engine 324 produces a DP response 112 responsive to the differentially private security system 102 receiving a request for whether a query 108 satisfies the definition of (ε,δ)-differential privacy for privacy parameters (ε,δ). In one embodiment, the validation engine 324 may receive a function call from the client 104 that points to the query 108. The query 108 may be, for example, an analytical model or an algorithm that can be applied to a data object X.
The validation engine 324 certifies whether the received query 108 satisfies the definition of (ε,δ)-differential privacy by applying the query 108 to example pairs of neighboring data objects (Z, Z′). Specifically, the validation engine 324 generates pairs of neighboring data objects (Z, Z′), having at most 1 entry different from each other. The validation engine 324 applies the received query 108 to each example pair of neighboring data objects (Z, Z′) and determines whether an estimate of the quantity Pr[M(X)∈S]/Pr[M(X′)∈S] satisfies the definition of (ε,δ)-differential privacy a sampling of outputs from S of the query M and over the randomness of the query M.
In one embodiment, the validation engine 324 may output a binary value to the client 104 as the DP response 112 for display on the user interface 150 that indicates whether or not the query 108 is (ε,δ)-differentially private. In some embodiments, the validation engine 324, in response to a determination that the query 108 is not (ε,δ)-differentially private, can reject or deny the query.
A request from a client device to perform a query is received 1010 and a level of differential privacy corresponding to the request is identified. A set of data in the private database system and a set of operations to be performed based on the received request is identified 1012. The set of identified data in the private database system is accessed 1014. The set of operations is modified 1016 based on the received level of differential privacy. The set of modified operations is performed 1018 on the set of data to produce a differentially private result set. The differentially private result set is provided 1020 to the client device for display on the client device.
The machine may be a server computer, a client computer, a personal computer (PC), a tablet PC, a set-top box (STB), a smartphone, an internet of things (IoT) appliance, a network router, switch or bridge, or any machine capable of executing instructions 1124 (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute instructions 1124 to perform any one or more of the methodologies discussed herein.
The example computer system 1100 includes one or more processing units (generally processor 1102). The processor 1102 is, for example, a central processing unit (CPU), a graphics processing unit (GPU), a digital signal processor (DSP), a controller, a state machine, one or more application specific integrated circuits (ASICs), one or more radio-frequency integrated circuits (RFICs), or any combination of these. The computer system 1100 also includes a main memory 1104. The computer system may include a storage unit 1116. The processor 1102, memory 1104 and the storage unit 1116 communicate via a bus 1108.
In addition, the computer system 1106 can include a static memory 1106, a display driver 1110 (e.g., to drive a plasma display panel (PDP), a liquid crystal display (LCD), or a projector). The computer system 1100 may also include alphanumeric input device 1112 (e.g., a keyboard), a cursor control device 1114 (e.g., a mouse, a trackball, a joystick, a motion sensor, or other pointing instrument), a signal generation device 1118 (e.g., a speaker), and a network interface device 1120, which also are configured to communicate via the bus 1108.
The storage unit 1116 includes a machine-readable medium 1122 on which is stored instructions 1124 (e.g., software) embodying any one or more of the methodologies or functions described herein. The instructions 1124 may also reside, completely or at least partially, within the main memory 1104 or within the processor 1102 (e.g., within a processor's cache memory) during execution thereof by the computer system 1100, the main memory 1104 and the processor 1102 also constituting machine-readable media. The instructions 1124 may be transmitted or received over a network 1126 via the network interface device 1120.
While machine-readable medium 1122 is shown in an example embodiment to be a single medium, the term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, or associated caches and servers) able to store the instructions 1124. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing instructions 1124 for execution by the machine and that cause the machine to perform any one or more of the methodologies disclosed herein. The term “machine-readable medium” includes, but is not limited to, data repositories in the form of solid-state memories, optical media, and magnetic media.
Budget Tracking
Returning to
As an example, for a budgeted privacy parameter ε, the client 104 is allowed more queries associated with lower c values than higher c values. For example, if the privacy budget has a maximum privacy spend ε=1, and each query corresponds with a privacy spend of ε=0.1, ten queries are allowed before a security action is performed. On the other hand, if each query is associated with a privacy spend of ε=0.2, only five queries are allowed. The impact of a query upon a budget can depend on factors in addition to the budgeted privacy parameters, such as multipliers that are applied to one or more of the privacy parameters of the query before determining if the query is allowable in view of the budget.
The differentially private security system 102 maintains both privacy budgets and cumulative privacy spends. A cumulative privacy spend is a measure of how much of a budget has been spent. For example, if the budgeted privacy parameter is ε, where there have been five queries with spend ε=0.1, the cumulative privacy spend is 0.5. In an embodiment, determining whether a query can be executed or if a security action will be performed involves determining whether the sum of the budgeted privacy parameter associated with the query and the cumulative privacy spend exceeds the maximum privacy spend. If the privacy spend associated with a query causes the maximum privacy spend to be exceeded, then a security action, such as blocking the query, is performed.
In an embodiment, the table budget 1215 limits access to the data table 1210 by entry. For example, the table budget 1215 can maintain a cumulative privacy spend for each entry. In such an embodiment, only cumulative privacy spends of queried entries are incremented. If the sum of the privacy spend associated with a query and the cumulative privacy spend of an entry exceeds the maximum privacy spend of the entry, the entry can be excluded from further queries, but a different entry of the same table may still be queried if the sum of the privacy spend associated with the query and the cumulative privacy spend associated with the different entry is not exceeded. It should be noted that different entries may have different maximum privacy spends.
In the embodiment of
Users of a differentially private database system 102 can be members of groups or organizations, each corresponding to a different/supplemental privacy budget. In the embodiment of
The cumulative privacy spend associated with a personal budget 1225 increases in response to a successful query 1240A by user 1220A with the data table 1210, for instance by an amount equal to the value of the privacy spend corresponding to the query. As noted above, if the sum of the privacy spend corresponding to the query 1240A by the user 1220A and the cumulative privacy spend associated with the user 1220A exceeds the privacy budget 1225A associated with the user, a security action can be taken.
The cumulative privacy spend associated with a group budget 1235 increases in response to a successful query of the data table 1210 by any of the users of the group 1230A. For instance, if the user 1220A queries the data table 1210, and the privacy spend associated with the query is X, then the cumulative privacy spend associated with the group 1230A is increased by X (as is the cumulative privacy spend associated with the user 1220A). In the event that a query of the data table 1210 associated with a privacy spend causes either 1) the sum of the cumulative privacy spend associated with the group 1230A and the privacy spend corresponding to the query to exceed the group budget 1235A or 2) the sum of the cumulative privacy spend associated with user 1220A and the privacy spend corresponding to the query to exceed the budget 1225A, a security action can be taken (for instance, the query can be blocked). In other words, just because a privacy budget associated with one of a user and a group is not exceeded by a query doesn't guarantee that the query will be processed. Further, if the user 1220A queries the data table 1210 until the group budget 1235A is exceeded, user 1220B (also a member of group 1230A) can be prevented from querying the data table 1210, even though user 1220B hasn't previously queried the data table 1210. It should be noted that the user 1220B, being a member of both the group 1230A and the group 1230B, can be prevented from querying the data table 1210 in response to either the group budget 1235A or the group budget 1235B being exceeded. It should also be noted that the user 1220B (or any other user) can also be prevented from querying the data table 1210 in response to the table budget 1215 being exceeded.
The type and number of budgets associated with the environment of
The budgets within a differentially private security system 102 can be set by an administrator, an entity associated with the differentially private security system 102, or the like. For example, an administrator can set, increase, or decrease personal, group, and table budgets, can reset cumulative privacy spends associated with one of users, groups, tables, and the like, or can take any other suitable action to implement and maintain privacy budget tracking. In some embodiments, the administrator can remove a budget, allowing indefinite querying, and can lock budgets or data tables to prevent further access by a user or group. Furthermore, the administrator can create, modify, and implement security policies and security actions corresponding to the differentially private security system 102.
Budget tracking can prevent situations where multiple independent entities can collectively query a differentially private database, and can combine results to obtain more information about the underlying data within the database than would otherwise be permissible. For example, if a criminal tried to steal a person's health records using queries with high privacy loss to approximate with great specificity details of the person's health by coordinating with one or more other querying entities, an implementation of table-wide budget tracking as described herein may prevent the criminal from such coordination, thereby protecting the person's health data from being compromised.
The differentially private security system 102 accesses 1320 one or more privacy budgets relevant to the query. For example, if one or more tables are being queried, any table budgets of the one or more tables are accessed. Likewise, the personal budget of the client 104 requesting the query and/or the budget of the personal user account of the user instigating the query can be accessed. If the user requesting the query is a member of one or more groups, any group budgets of the one or more groups are accessed.
The differentially private security system 102 determines 1330 a privacy spend associated with the received request. This is based at least in part on the privacy parameters as set by the query. For example, if the ε associated with a query is 0.1, the privacy spend can be determined based on the value ε=0.1. In such embodiments, the privacy spend can be 0.1, or can be some value computed based on 0.1. For each privacy budget associated with the query, the privacy spend is added to the cumulative privacy spend associated with each privacy budget to determine 1340 if the sum exceeds the privacy budget.
If the sums of the privacy spend and the cumulative privacy spends associated with each privacy budget corresponding to the query are each less 1350 than the maximum privacy spend allowed by the corresponding privacy budget, the query is performed and results are provided 1352 to the client. The cumulative privacy spend for each applicable privacy budget corresponding to the query is updated 1354 based on the determined privacy spend to reflect the loss of privacy due to the query. For example, if the cumulative privacy spend for a budget is 0.7 and a query is performed with a privacy spend of 0.1, the cumulative privacy spend is updated to 0.8.
If, for at least one privacy budget, the sum of the determined privacy spend and the cumulative privacy spend corresponding to the privacy budget is instead greater 1360 than the maximum privacy spend allowed by the budget, a security policy is accessed 1362 and a security action is performed 1634 based on the security policy. A security policy defines one or more security actions to be performed in response to the cumulative privacy spend associated with a query request exceeding a budget. For instance, a security action can include rejecting the query, providing a complete or partial set of query results to the client device while notifying the administrator or database manager that the query exceeded the maximum privacy spend, or any other suitable security action.
Security actions can be situational, and the security policy can set conditions under which different security actions are performed. For example, if the differentially private security system 102 is connected to a first database and a second database, the security actions performed in response to a privacy budget being exceeded may differ between the two. Security actions may depend on the extent to which a query exceeds a budget. For example, if a query exceeds a budget within a threshold amount, the query proceeds and an administrator is notified, but if the query exceeds the budget more than the threshold amount, the query is rejected. Security actions may be specific to users, clients, groups, tables, or any other suitable factor.
Relational Operators
Queries may include one or more relational operators, such as the projection operator, the selection operator, the union operator, or the join operator. Relational operators can modify metadata of the data being queried, which can affect the amount of noise added to query results to provide differential privacy. Relational operators may modify the sensitivity of the data being queried, which, depending upon the embodiment, can affect the privacy spend of the query. In an embodiment, queries are performed upon temporary copies of data to ensure the data and/or metadata of the database is not permanently modified by performing the queries. In an embodiment, the query syntax is Structured Query Language (SQL) or another programming language that enables querying a database.
The metadata described herein describes the data of one or more tables of a database. It may describe data of one or more tables overall, or may be specific to one or more columns, entries, features or categories of data. For example, a data table with two hundred entries, each associated with an age feature, has metadata indicating the minimum age found within the table is 2 years and the maximum age is 102 years. Queries that cause changes to database data can similarly cause changes to the metadata describing the changed database data. Continuing with the previous example, if the entry that includes “102 years” is updated to “103 years”, the metadata range is modified to a minimum of 2 years and a maximum of 103 years.
In some embodiments, a plurality of metadata types are maintained for the database, for instance pertaining to individual features, groups of features, one or more data tables overall, and/or the database as a whole. For example, a minimum and a maximum of a feature may be tracked, e.g. age or income, and an average of the feature may be tracked as well, such as an average age of 52 years. In another example, if a first feature is base salary and a second feature is yearly bonus, there could be metadata indicating an average total compensation based on base salary and yearly bonus.
Metadata pertaining to data being queried can impact the noise added when implementing differential privacy. For example, determining the noise added to a query response may be based on a minimum and a maximum of a feature of the data being queried. The range of the minimum and maximum, for example, could determine a multiplier by which to magnify or dampen added noise when making the results differentially private. In other words, the metadata associated with a query can affect the implementation of differential privacy to the query, for instance based on the sensitivity of the data being queried.
For example, a first query takes the mean of ten salaries ranging from $0 to $1,000,000, and a second query takes the mean of ten salaries ranging from $30,000 to $40,000. The first query is more sensitive because an individual entry can more dramatically impact the result of the query. For example, if all but one entries of the data queried by the first query include a $0 salary and one entry includes a $1,000,000 salary, the result of the query is very sensitive to the entry including a $1,000,000 salary. If this entry is removed, the actual result changes from $100,000 to $0. However, due to the increased density of salaries in the data queried by the second query, no one entry has as much impact upon the end result of the second query as the $1,000,000 entry has upon the first query. For example, if nine entries include a $30,000 salary and one includes a $40,000 salary, removal of the entry with $40,000 salary changes the actual result from $31,000 to $27,000, a much smaller change than $100,000 to $0. As such, the sensitivity of the second query is less than that of the first query.
A sensitivity factor k modifies the privacy spend of a query. The sensitivity factor is a measure of the extent to which an operation, such as a relational operation, can affect the privacy of the table, compounding the amount of information the query reveals, for instance as measured by ε. Relational operations in a query can magnify or reduce the sensitivity of the query, changing the sensitivity factor.
Determining the privacy spend of a query can include multiplying c by the sensitivity factor k, i.e. ε*k. For example, if a relational operator doubles the sensitivity of a query, the privacy spend is 2ε, rather than just ε. Furthermore, the cumulative privacy spend increments by 2ε rather than ε. For example, if a cumulative privacy spend for ε is 0.3, a privacy parameter of a query is ε=0.2, and the sensitivity factor of the query is k=2, the cumulative privacy spend after the query is performed is 0.3+(0.2*2), or 0.7. The sensitivity factor impacts the noise added to the query to preserve differential privacy. For example, for the count engine 302, if the sensitivity factor is 2, the equation may instead become:
In some embodiments, queried data is modified by one or more transformations in a relational operation within the query. Transformations that can augment a relational operator include arithmetic operators such as: addition, subtraction, multiplication, floating point and integer division, modulo, negation, sign, absolute value, power, exponential, square root, and logarithm; floor, ceiling, and rounding; logical operators including and, or, exclusive or, and not; comparators including equality, inequality, greater than, less than, greater than or equal, and less than or equal; trigonometric and hyperbolic functions like sine, cosine, tangent, arctangent, arcsine, arccosine, hyperbolic sine, hyperbolic cosine, hyperbolic tangent, hyperbolic arcsine, hyperbolic arccosine, and hyperbolic arctangent; minimum and maximum; decode; and coalesce. In some embodiments, only numerical queried features are transformed, and not categorical features.
Projection
A query including a projection operator 1420 is performed upon the table 1410. In an embodiment, data relevant to the query is temporarily copied and the temporary copy is queried rather than the original database. In an embodiment, upon completion of the query, the temporary copy is erased. The query includes “SELECT Weight/2 FROM DataTable” which projects the weight feature from the data table 1410 in a temporary copy and performs an arithmetic division by two upon the projected weight of each entry in the temporary copy. After performing the division, each weight value in the database is halved. For example, the weight entry ‘328’ of the table 1410 is ‘164’ in the projected data 1430.
The arithmetic division changes the minimum and maximum values for the weight feature in the projected data 1430. The minimum value of the weight feature in the data table, 156 pounds, is halved, making the minimum value of the projected data 78 pounds. Likewise, the maximum value of the weight feature is halved from 328 pounds to 164 pounds. The metadata of the projection 1435 reflects the changes to the data accordingly, with the minimum changed to 78 and the maximum changed to 164. The altered metadata can impact the amount of noise added to the differentially private result of the query, for example, by changing a sensitivity factor k, as compared to an embodiment where the weight feature is not halved during the projection. For example, a query that performs a ‘mean’ operation on values of a specific feature may have a sensitivity of
where H is the maximum of the feature, L is the minimum of the feature, and N is the number of entries.
Selection
A query including a selection operator 1520 is performed upon the table 1510. In an embodiment, data relevant to the query is temporarily copied and the temporary copy is queried rather than the original database. In an embodiment, upon completion of the query, the temporary copy is erased. The query includes “SELECT Weight FROM DataTable WHERE Weight>200” which projects the weight feature from the data table 1410 and selects entries with weight greater than two hundred pounds. Due to the selection operator, only two of the four entries are represented in the temporary copy of selected data from the data table 1530.
The selection changes the minimum and maximum values for the weight feature in the selected data from the data table 1530. Because of the condition applied to the weight feature by the selection operator 1520 (the selection only of weights greater than 200 pounds) the minimum weight of the selected data is 200 pounds. The metadata of the selection 1535 reflects the changes to the data accordingly, with the minimum set to 200. The maximum remains 328 because no condition was set by the query with regard to maximum weight. In an embodiment, the minimum weight is set not to the value of the condition, e.g. 200, but rather the actual minimum weight within the selected data (254 pounds in this example). In such an embodiment, the metadata records a minimum weight of 254 pounds rather than 200 pounds. The altered metadata can impact the amount of noise added to the differentially private result of the query, for example, by changing a sensitivity factor k.
Union
A query including a multiset union operator 1620 is performed upon the tables 1610. In an embodiment, data relevant to the query is temporarily copied and the temporary copy is queried rather than the original database. In an embodiment, upon completion of the query, the temporary copy is erased. The query includes “SELECT Name,Age FROM DataTableA UNION SELECT Name,Age FROM DataTableB” which projects the name and age features from each data table 1610 into unioned result data 1630. Because it is a multiset union operator, all names and ages are projected, regardless of whether or not an entry in one table 1610 has a copy in the other table 1610. For example, each data table 1610 has an entry for a man named John who is 56 years old, weighs 328 pounds, and has heart disease. The unioned data 1630 has two separate entries for John because he is in each table 1610 at the time the multiset union operation is performed. If the union operation were not a multiset union operation, only one entry of the two is kept in the unioned data 1630.
The unioned data 1630 has a worst case multiplier 1615C of N=2. It is 2 because of the overlapping entries between the two data tables 1610, for John and Jacob, which each appear twice in the unioned data 1630. The worst case multiplier 1615C increases the privacy spend of the query because further operations upon the unioned data 1630 has a higher risk of revealing information about the entries that are repeated.
For example, in a non-differentially private system, if a mean of the age feature of the unioned data 1630 is queried, the mean is skewed towards John and Jacob's ages because they each appear twice. The mean age of the unioned data 1630 is 53.75 years. If the union operation is a set union operation, and John and Jacob aren't repeated within the unioned data 1630, the mean age is 49.67 years. If a user performing the query 1620 knows John and Jacob are repeated in the multiset unioned data, it is possible for the user to infer from the mean of the ages of the multiset unioned data, as compared to the mean of the ages of the set unioned data that John and Jacob have an average age older than 49.67 years. If these queries are performed within a differentially private system with the same sensitivity applied to each, it may still be possible to determine how old John and Jacob are relative to the differentially-private average age. However, by doubling the sensitivity of the query with the multiset union operator via N, the mean of the multiset unioned data does not provide as much information and thereby prevents the user from definitively identifying John and Jacob as having an average age greater than that of the overall average age; the results are unreliable enough to not guarantee the accuracy of such a comparison.
Join
In an embodiment, J and K are provided by a user as part of a query. Alternatively, J and K can be determined by computing a desired rank statistic, namely, computing an upper bound on how many entries correspond to a particular key in a data table for some percentile of the data. For example, for 90% of the keys within a data table, there are a total of 30 or fewer entries per key. J and K could also be determined by computing the total number of distinct keys present in a table and dividing the total number of entries by the number of distinct keys.
The differentially private security system 102 pre-processes each data table involved in a join operation by limiting the first table to at most J entries corresponding to each key, and the second table to at most K entries corresponding to each key. After pre-processing, a query including a join operation proceeds as normal. Alternatively, instead of J and K, only one value, K, is provided or determined. In this embodiment, a join operation is performed, and the joined data is then limited to at most K instances of each key.
J and K are used as multipliers to the sensitivity of a query including a join operation. For example, when performing a count upon joined data, the operation's sensitivity is J*K instead of 1, and the privacy spend of the query is correspondingly J*K*ε. Alternatively, instead of multiplying by J*K for each table, the first table is given a privacy spend of J*ε and the second table is given a privacy spend of K*ε.
The resulting joined data 1730 has four entries because each entry with ID “1” of data table 1710A is joined with each entry with ID “1” of data table 1710B. Neither table had its entries limited before the join operation because neither had more than 2 entries corresponding to any one key. The four entries in the joined data 1730 are all for a man named John who is 56 years old. Although certain data varies per entry, such as weight and visit date, John's data is still four times as sensitive than if there were just a single entry for him in the joined data 1730. This is reflected in the sensitivity multiplier for the table 1715C represented by L, which equals J*K, or 4. Additional operations upon the joined data therefore have a privacy spend multiplied by 4. For example, a count operation would have a privacy spend 4ε. This is because the repetition of data decreases privacy, similar to the union operation example described above.
Multiple Operators
Multiple relational operators may be executed as part of the same query. In such embodiments, the sensitivity for each operator is taken as a product to determine the total sensitivity for the query. Alternatively, privacy spend is determined on a per-table basis for each table involved in the query. For example, the query can include:
In this example, a join operation is performed for A and B. Then a union operation is performed with C. The combined data is then projected at Age to determine a number of ages. The projection operation has a sensitivity multiplier of 1, and therefore does not magnify the privacy spend associated with the query. C is disjoint from A and B and so has a sensitivity multiplier of 1 and also does not magnify the privacy spend associated with the query. The cumulative privacy spend for C is therefore increased by ε. Continuing with this example, if A has multiplicity J=2 and B has multiplicity K=3, the cumulative privacy spend of A is increased by 2ε and the cumulative privacy spend of B is increased by 3ε, resulting in a total increase of 6ε. Accordingly, the cumulative privacy spend of the user instigating the query is increased 6ε, as the product of the sensitivity multipliers, 1*1*6, is 6.
Some portions of the above description describe the embodiments in terms of algorithmic processes or operations. These algorithmic descriptions and representations are commonly used by those skilled in the data processing arts to convey the substance of their work effectively to others skilled in the art. These operations, while described functionally, computationally, or logically, are understood to be implemented by computer programs comprising instructions for execution by a processor or equivalent electrical circuits, microcode, or the like. Furthermore, it has also proven convenient at times, to refer to these arrangements of functional operations as modules, without loss of generality. The described operations and their associated modules may be embodied in software, firmware, hardware, or any combinations thereof.
As used herein any reference to “one embodiment” or “an embodiment” means that a particular element, feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
Some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. It should be understood that these terms are not intended as synonyms for each other. For example, some embodiments may be described using the term “connected” to indicate that two or more elements are in direct physical or electrical contact with each other. In another example, some embodiments may be described using the term “coupled” to indicate that two or more elements are in direct physical or electrical contact. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other. The embodiments are not limited in this context.
As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
In addition, use of the “a” or “an” are employed to describe elements and components of the embodiments herein. This is done merely for convenience and to give a general sense of the disclosure. This description should be read to include one or at least one and the singular also includes the plural unless it is obvious that it is meant otherwise.
Upon reading this disclosure, those of skill in the art will appreciate still additional alternative structural and functional designs for a system and a process for receiving a query for a private database, and responding to the query by executing a differentially private version of the query on the private database. Thus, while particular embodiments and applications have been illustrated and described, it is to be understood that the described subject matter is not limited to the precise construction and components disclosed herein and that various modifications, changes and variations which will be apparent to those skilled in the art may be made in the arrangement, operation and details of the method and apparatus disclosed herein.
This application is a continuation of U.S. patent application Ser. No. 15/953,409, filed Apr. 14, 2018, which is incorporated by reference herein.
Number | Name | Date | Kind |
---|---|---|---|
6038563 | Bapat et al. | Mar 2000 | A |
6438549 | Aldred et al. | Aug 2002 | B1 |
6546389 | Agrawal et al. | Apr 2003 | B1 |
6618721 | Lee | Sep 2003 | B1 |
6823338 | Byrne et al. | Nov 2004 | B1 |
7219237 | Trimberger | May 2007 | B1 |
7356840 | Bedell et al. | Apr 2008 | B1 |
7698250 | Dwork et al. | Apr 2010 | B2 |
7801967 | Bedell et al. | Sep 2010 | B1 |
9002803 | Qayyum et al. | Apr 2015 | B2 |
9094378 | Yung | Jul 2015 | B1 |
9244976 | Zhang et al. | Jan 2016 | B1 |
9384226 | Goel et al. | Jul 2016 | B1 |
9436735 | Feng et al. | Sep 2016 | B1 |
10192069 | Nerurkar et al. | Jan 2019 | B2 |
10229287 | Nerurkar et al. | Mar 2019 | B2 |
10642847 | Nerurkar et al. | May 2020 | B1 |
10733320 | Nerurkar et al. | Aug 2020 | B2 |
11055432 | Hockenbrocht | Jul 2021 | B2 |
11698990 | McFall | Jul 2023 | B2 |
20010034847 | Gaul | Oct 2001 | A1 |
20030110467 | Balakrishnan | Jun 2003 | A1 |
20030177118 | Moon et al. | Sep 2003 | A1 |
20040225896 | Ng | Nov 2004 | A1 |
20040250120 | Ng | Dec 2004 | A1 |
20050278786 | Tippett et al. | Dec 2005 | A1 |
20060053112 | Chitkara et al. | Mar 2006 | A1 |
20060161527 | Dwork et al. | Jul 2006 | A1 |
20060200431 | Dwork et al. | Sep 2006 | A1 |
20060224597 | Fitzpatrick et al. | Oct 2006 | A1 |
20060238503 | Smith et al. | Oct 2006 | A1 |
20060265396 | Raman et al. | Nov 2006 | A1 |
20060282433 | Dutta et al. | Dec 2006 | A1 |
20070047558 | Ayers et al. | Mar 2007 | A1 |
20070136027 | Dwork et al. | Jun 2007 | A1 |
20070143289 | Dwork et al. | Jun 2007 | A1 |
20070239982 | Aggarwal et al. | Oct 2007 | A1 |
20080033960 | Banks et al. | Feb 2008 | A1 |
20080133935 | Elovici et al. | Jun 2008 | A1 |
20090119298 | Faitelson et al. | May 2009 | A1 |
20090177685 | Ellis et al. | Jul 2009 | A1 |
20090249436 | Coles et al. | Oct 2009 | A1 |
20090254971 | Herz et al. | Oct 2009 | A1 |
20090265354 | Machak et al. | Oct 2009 | A1 |
20090327228 | Krause et al. | Dec 2009 | A1 |
20110064221 | McSherry et al. | Mar 2011 | A1 |
20110078143 | Aggarwal | Mar 2011 | A1 |
20110125730 | Bordawekar et al. | May 2011 | A1 |
20110131222 | DiCrescenzo | Jun 2011 | A1 |
20110208763 | McSherry et al. | Aug 2011 | A1 |
20110238611 | McSherry et al. | Sep 2011 | A1 |
20110282865 | Talwar et al. | Nov 2011 | A1 |
20120109830 | Vogel | May 2012 | A1 |
20120143922 | Rane et al. | Jun 2012 | A1 |
20120166483 | Choudhary et al. | Jun 2012 | A1 |
20120197864 | Bourdoncle et al. | Aug 2012 | A1 |
20120226492 | Tsuboi et al. | Sep 2012 | A1 |
20130031136 | Shah | Jan 2013 | A1 |
20130145473 | Cormode et al. | Jun 2013 | A1 |
20130332891 | Schmitlin et al. | Dec 2013 | A1 |
20140013400 | Warshavsky et al. | Jan 2014 | A1 |
20140088989 | Krishnapuram et al. | Mar 2014 | A1 |
20140214735 | Harik | Jul 2014 | A1 |
20140281572 | Wang et al. | Sep 2014 | A1 |
20140282910 | Palmer et al. | Sep 2014 | A1 |
20140283091 | Zhang et al. | Sep 2014 | A1 |
20150235051 | Fawaz et al. | Aug 2015 | A1 |
20150286827 | Fawaz et al. | Oct 2015 | A1 |
20150293923 | Eide et al. | Oct 2015 | A1 |
20160036827 | Kling et al. | Feb 2016 | A1 |
20160105409 | Torman et al. | Apr 2016 | A1 |
20160283738 | Wang et al. | Sep 2016 | A1 |
20160306709 | Shaull | Oct 2016 | A1 |
20160335455 | Mohan et al. | Nov 2016 | A1 |
20170124152 | Nerurkar et al. | May 2017 | A1 |
20170126694 | Nerurkar et al. | May 2017 | A1 |
20170169253 | Curcio | Jun 2017 | A1 |
20170235974 | Zhang et al. | Aug 2017 | A1 |
20170316391 | Peikert et al. | Nov 2017 | A1 |
20170359364 | Thakurta et al. | Dec 2017 | A1 |
20180039674 | Seyvet et al. | Feb 2018 | A1 |
20180239924 | Rickard et al. | Aug 2018 | A1 |
20180329952 | Ramachandra et al. | Nov 2018 | A1 |
20180349384 | Nerurkar et al. | Dec 2018 | A1 |
20190147188 | Benaloh | May 2019 | A1 |
20190318121 | Hockenbrocht et al. | Oct 2019 | A1 |
Number | Date | Country |
---|---|---|
3096427 | Apr 2022 | CA |
108537055 | Sep 2018 | CN |
110198302 | Sep 2019 | CN |
3782039 | Feb 2021 | EP |
WO 2015090445 | Jun 2015 | WO |
WO 2015157020 | Oct 2015 | WO |
WO 2017187207 | Nov 2017 | WO |
WO-2019199366 | Oct 2019 | WO |
Entry |
---|
Agrawal, R. et al., “Privacy-Preserving Data Mining,” ACM SIGMOD, May 2000, pp. 439-450. |
Amirbekyan, A. et al., “Privacy Preserving Regression Algorithms,” Proceedings of the 7th WSEAS International Conference on Simulation, Modeling, and Optimization, 2007, pp. 37-45. |
Beigi, G. et al. “Privacy in Social Media: Identification, Mitigation and Applications.” ACM Trans. Web, vol. 9, No. 4, Article 39, Jul. 2018, pp. 1-36. |
Bost, R. et al. “Machine Learning Classification over Encrypted Data”. NDSS '15, Feb. 8-11, 2015, pp. 1-14. |
Chaudhuri, K. et al., “Privacy-preserving logistic regression,” Advances in Neural Information Processing Systems, 2009, pp. 289-296. |
Dankar, F. et al., “Practicing Differential Privacy in Health Care: A Review,” Transactions on Data Privacy, 2013, vol. 5, pp. 35-67. |
Cock, M.D. et al., “Fast, Privacy Preserving Linear Regression over Distributed Datasets based on Pre-Distributed Data,” Proceedings of the 8th ACM Workshop on Artificial Intelligence and Security, 2015, pp. 3-14. |
Du, W. et al., “Privacy-Preserving Multivariate Statistical Analysis: Linear Regression and Classification,” Proceedings of the 2004 SIAM International Conference on Data Mining, 2004, pp. 222-233. |
Dwork, C. et al., “Differential Privacy and Robust Statistics,” Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, Nov. 14, 2008, 42 pages, [Online] [Retrieved on Sep. 15, 2016], Retrieved from the Internet<URL:http://www.stat.cmu.edu/˜jingle/dprs_stoc09.pdf>. |
Dwork, C. “Differential Privacy: A Survey of Results,” TAMC 2008, LNCS 4978, Agrawal, M. et al. (eds.), pp. 1-19. |
Dwork, C., “A Firm Foundation for Private Data Analysis,” Proceedings of the ACM, Jan. 2011, 8 pages, vol. 54, Issue 1. |
Dwork, C. et al., “Calibrating Noise to Sensitivity in Private Data Analysis,” Proceedings of the Third Conference on Theory of Cryptography, New York, NY, Mar. 4-7, 2006, pp. 265-284. |
European Patent Office, Extended European Search Report, EP Patent Application No. 20153847.7, dated Apr. 30, 2020, 11 pages. |
Extended European Search Report and Written Opinion, European Application No. 16862625.7, dated Mar. 27, 2019, 9 pages. |
European Patent Office, Extended European Search Report, EP Patent Application No. 20173244.3, dated Sep. 14, 2020, 13 pages. |
Fang, W. et al., “Privacy preserving linear regression modeling of distributed databases,” Optimization Letters, 2013, vol. 7, pp. 807-818. |
Fletcher, S. et al. “A Differentially Private Decision Forest.” Proceedings of the 13th Australasian Data Mining Conference (AusDM 2015), Sydney, Australia, vol. 168, 2015, pp. 99-108. |
Frades, M.R., “Overview on Techniques in Cluster Analysis,” in Bioinformatics in Clinical Research, Methods in Molecular Biology (Methods and Protocols), 2010, vol. 593, pp. 81-107. |
Fraley, C. et al., “How Many Clusters? Which Clustering Method? Answers Via Model-Based Cluster Analysis,” The Computer Journal, 1998, vol. 41, No. 8, pp. 578-588. |
Friedman, A. et al., “Data Mining with Differential Privacy,” Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Dec. 2010, 11 pages, [Online] [Retrieved on Sep. 13, 2016], Retrieved from the Internet<URL:http://users.cis.flu.edu/˜lzhen001/activities/KDD_USB_key_2010/docs/p493.pdf>. |
Geumlek, J. et al. “Renyi Differential Privacy Mechanisms for Posterior Sampling.” NIPS 2017: Advances in Neural Information Processing Systems 30, Oct. 2, 2017, pp. 1-34. |
Han, S. et al., “Privacy-Preserving Gradient-Descent Methods,” IEEE Transactions on Knowledge and Data Engineering, Jun. 2010, vol. 22, No. 6, pp. 884-899. |
Huang, Y. et al., “Telco Churn Prediction with Big Data,” Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data, Jun. 4, 2015, 13 pages, [Online] [Retrieved on Sep. 13, 2016], Retrieved from the Internet<URL:http://users.wpi.edu/˜yli15/Includes/SIGMOD15Telco.pdf>. |
Jagannathan, G. et al., “A Practical Differentially Private Random Decision Tree Classifier,” International Conference on Data Mining Workshops, Proceedings of the ICDM International Workshop on the Privacy Aspects of Data Mining, 2009, pp. 114-121. |
Jayaraman, B. et al. “Evaluating Differentially Private Machine Learning in Practice.” 28th USENIX Security Symposium, Feb. 2019, pp. 1-18. |
Ji, Z. et al., “Differential Privacy and Machine Learning: a Survey and Review,” Cornell University Library—arXiv preprint, Dec. 24, 2014, 32 pages, [Online] [Retrieved on Sep. 14, 2016], Retrieved from the Internet<URL:http://arxiv.org/pdf/1412.7584.pdf>. |
Kellaris, G. et al., “Practical differential privacy via grouping and smoothing,” Proceedings of the VLDB Endowment, Mar. 1, 2013, vol. 6, No. 5, pp. 301-312. |
Liu, H. et al. “Privacy-Presenting Monotonicity of Differential Privacy Mechanisms.” Applied Sciences, vol. 8, No. 11, Oct. 28, 2018, pp. 1-32. |
Nissim, K. et al., “Smooth Sensitivity and Sampling in Private Data Analysis,” Proceedings of the Thirty-Ninth Annual ACM Symposium on Theory of Computing, Jun. 13, 2007, 11 pages, [Online] [Retrieved on Sep. 14, 2016], Retrieved from the Internet<URL:http://www.cse.psu.edu/˜sxr48/pubs/smooth-sensitiviy-stoc.pdf>. |
Patil, A. et al., “Differential Private Random Forest,” International Conference on Advances in Computing, Communications and Informatics, Sep. 27, 2014, 10 pages, [Online] [Retrieved on Sep. 14, 2016], Retrieved from the Internet<URL:http://ieeexplore.ieee.org/stamp/stamp.jsp?tp-&arnumber=6968348&isnumber=6968191>. |
PCT International Search Report and Written Opinion, PCT Application No. PCT/US16/44178, dated Oct. 18, 2016, 20 pages. |
PCT International Search Report and Written Opinion, PCT Application No. PCT/US19/15035, dated Jun. 20, 2019, 14 pages. |
Peng, S. et al., “Query Optimization for Differentially Private Data Management Systems”, ICDE Conference 2013, pp. 1093-1104. |
Sanil, A.P. et al., “Privacy Preserving Regression Modelling Via Distributed Computation,” Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2004, pp. 677-682. |
Shang, S. et al., “The Application of Differential Privacy for Rank Aggregation: Privacy and Accuracy,” 17th International Conference on Information Fusion, Jul. 7, 2014, pp. 1-7. |
Xiao, X. et al., “Differential privacy via wavelet transforms,” IEEE Transactions on Knowledge and Data Engineering, Aug. 2011, vol. 23, No. 8, pp. 1200-1214. |
Xiao, X. et al., “iReduct: Differential Privacy with Reduced Relative Errors”, SIGMOD' 11, Jun. 12-16, 2011, pp. 229-240. |
Xu, J. et al., “Differentially Private Histogram Publication,” IEEE 28th International Conference on Data Engineering, Apr. 2012, pp. 32-43. |
Zhang, N. et al., “Distributed Data Mining with Differential Privacy”, IEEE ICC 2011 proceedings. |
Zhang, J. et al., “Functional Mechanism: Regression Analysis under Differential Privacy,” Proceedings of the VLDB Endowment, 2012, vol. 5, No. 11, pp. 1364-1375. |
Koufogiannis, F. et al. “Gradual Release of Sensitive Data under Differential Privacy.” Cornel University, Cryptography and Security, Oct. 15, 2018, pp. 1-22. |
Chaudhuri, S. et al. “Database Access Control & Privacy: Is There a Common Ground?” CIDR 2011: Fifth Biennial Conference on Innovative Data Systems Research, Jan. 9-12, 2011, pp. 96-103. |
European Patent Office, Extended European Search Report, European Patent Application No. 19785548.9, dated Dec. 10, 2021, 10 pages. |
European Patent Office, Extended European Search Report, European Patent Application No. 19889515.3, dated Jun. 24, 2022, seven pages. |
Gaboardi, M. et al. “PSI: A Private Data Sharing Interface.” arXiv Preprint arXiv:1609.04340v3, Aug. 4, 2018, pp. 1-35. |
Metoui, N. et al. “Differential Privacy Based Access Control.” OTM 2016: On the Move to Meaningful Internet Systems, Oct. 18, 2016, pp. 962-974. |
Mironov, I. “Renyi Differential Privacy.” arXiv Preprint arXiv:1702.07476v3, Aug. 25, 2017, pp. 1-13. |
Saranya, R. et al. “Precision-Constrained Privacy Preserving Role-Based Access Control.” International Journal of Emerging Technology in Computer Science & Electronics, vol. 13, No. 1, Mar. 2015, pp. 405-408. |
Siegenthaler, M. et al. “Privacy Enforcement for Distributed Queries.” 3rd International Conference on Pervasive Computing Technologies for Healthcare, Apr. 1-3, 2009, pp. 1-6. |
“U.S. Appl. No. 15/203,797, Final Office Action dated Jun. 8, 2018”, 13 pgs. |
“U.S. Appl. No. 15/203,797, Non Final Office Action dated Jan. 17, 2018”, 13 pgs. |
“U.S. Appl. No. 15/793,898, Final Office Action dated May 15, 2018”, 14 pgs. |
“U.S. Appl. No. 15/793,898, Non Final Office Action dated Feb. 7, 2018”, 11 pgs. |
“U.S. Appl. No. 15/793,907, Final Office Action dated May 15, 2018”, 14 pgs. |
“U.S. Appl. No. 15/793,907, Non Final Office Action dated Jan. 31, 2018”, 11 pgs. |
“U.S. Appl. No. 15/953,409, Non Final Office Action dated Jun. 26, 2020”, 13 pgs. |
“U.S. Appl. No. 15/953,409, Notice of Allowance dated Mar. 11, 2021”, 14 pgs. |
“U.S. Appl. No. 15/953,409, Response filed Nov. 25, 2020 to Non Final Office Action dated Jun. 26, 2020”, 17 pgs. |
“Canadian Application Serial No. 3096427, Examiners Rule 86(2) Requisition dated Jun. 3, 2021”, 3 pgs. |
“Canadian Application Serial No. 3096427, Response filed Oct. 1, 2021 to Examiners Rule 86(2) Requisition dated Jun. 3, 2021”, 5 pgs. |
“European Application Serial No. 19785548.9, Noting of loss of rights dated Aug. 5, 2022”, 1 pg. |
“European Application Serial No. 19785548.9, Response to Communication pursuant to Rules 161(2) and 162 EPC filed Nov. 26, 2020”, 2 pgs. |
“International Application Serial No. PCT/US2016/044178, International Preliminary Report on Patentability dated Oct. 29, 2020”, 5 pgs. |
Number | Date | Country | |
---|---|---|---|
20210294917 A1 | Sep 2021 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 15953409 | Apr 2018 | US |
Child | 17336252 | US |