Analyzing subgraph statistics from extended local views with decentralized differential privacy

Haipei Sun, Xiaokui Xiao, Issa Khalil, Yin Yang, Zhan Qin, Hui Wang, Ting Yu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Many real-world social networks are decentralized in nature, and the only way to analyze such a network is to collect local views of the social graph from individual participants. Since local views may contain sensitive information, it is often desirable to apply differential privacy in the data collection process, which provides strong and rigorous privacy guarantees. In many practical situations, the local view of a participant contains not only her own connections, but also those of her neighbors, which are private and sensitive for the neighbors, but not directly so for the participant herself. We call such information beyond direct connections an extended local view (ELV), and study two fundamental problems related to ELVs: first, how do we correctly enforce differential privacy for all participants in the presence of ELVs? Second, how can the data collector utilize ELVs to obtain accurate estimates of global graph properties? This paper points out that when collecting ELVs, it is insufficient to apply a straightforward adaptation of local differential privacy (LDP), a commonly used scheme in practice, to protect the privacy of all network participants. The main problem is that an adversarial data collector can accumulate private information on a specific victim from multiple neighbors of the victim; even though the data collected from each neighbor is perturbed under LDP, their aggregate can still violate the victim's privacy. To prevent this attack, we formulate a novel decentralized differential privacy (DDP) scheme, which requires that each participant consider not only her own privacy, but also that of her neighbors involved in her ELV. The stringent privacy requirement of DDP, however, makes it challenging to design an effective mechanism for data collection. Towards this goal, we design a novel multi-phase framework under DDP that enables an analyst to accurately estimate subgraph counts, an important property of social graphs. 
The main idea is that instead of collecting subgraph counts directly, which would require excessive noise, the analyst first asks individuals about their respective minimum noise scale, which is private information since it depends on the local graph structure, and, thus, must be performed under DDP. For some types of subgraphs, this process is applied recursively, i.e., the analyst asks about the necessary noise to be injected into the private information on the minimum local noise scale required to protect subgraph counts under DDP. As case studies, we instantiate the proposed framework for three common subgraph patterns: triangles, three-hop paths, and k-cliques. Extensive experiments using real data demonstrate that the proposed scheme leads to accurate estimates of global subgraph counts, whereas baseline solutions fail to obtain meaningful result utility.
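The aggregation problem the abstract describes can be quantified with a small calculation. This is an added example, not code from the paper: it assumes each of k neighbors sees the same edge bit of the victim in her ELV and reports it through binary randomized response at budget eps, and the budget split at the end is plain sequential composition, not the paper's DDP mechanism.

```python
import math

def rr_keep_prob(eps):
    """Probability that eps-LDP binary randomized response reports the true bit."""
    return math.exp(eps) / (1.0 + math.exp(eps))

def worst_case_loss(eps, k):
    """Largest |log-likelihood ratio| over all transcripts of k independent
    reports about one edge bit: the victim's effective privacy loss."""
    p = rr_keep_prob(eps)
    worst = 0.0
    for ones in range(k + 1):
        # Likelihood of seeing `ones` reports equal to 1 when the edge
        # exists (l1) versus when it does not (l0).
        l1 = p ** ones * (1 - p) ** (k - ones)
        l0 = (1 - p) ** ones * p ** (k - ones)
        worst = max(worst, abs(math.log(l1 / l0)))
    return worst

def majority_accuracy(eps, k):
    """Exact probability that a majority vote over k reports (k odd)
    recovers the victim's true edge bit."""
    p = rr_keep_prob(eps)
    return sum(math.comb(k, i) * p ** i * (1 - p) ** (k - i)
               for i in range(k // 2 + 1, k + 1))

def per_neighbor_budget(total_eps, k):
    """Budget each neighbor may spend on the victim's bit so that the
    aggregate stays within total_eps (basic sequential composition)."""
    return total_eps / k

if __name__ == "__main__":
    eps, k = 1.0, 15  # constructed parameters for illustration
    print("one report : loss=%.2f accuracy=%.3f"
          % (worst_case_loss(eps, 1), majority_accuracy(eps, 1)))
    print("k reports  : loss=%.2f accuracy=%.3f"
          % (worst_case_loss(eps, k), majority_accuracy(eps, k)))
    split = per_neighbor_budget(eps, k)
    print("split eps/k: loss=%.2f accuracy=%.3f"
          % (worst_case_loss(split, k), majority_accuracy(split, k)))
```

Each report alone satisfies eps-LDP, yet the victim's loss grows to k times eps; capping the aggregate by splitting the budget pushes the collector's accuracy back toward a coin flip, which is the utility cost the abstract refers to when it calls the DDP requirement stringent.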

Original language: English
Title of host publication: CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 703-717
Number of pages: 15
ISBN (Electronic): 9781450367479
DOIs: https://doi.org/10.1145/3319535.3354253
Publication status: Published - 6 Nov 2019
Event: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019 - London, United Kingdom
Duration: 11 Nov 2019 to 15 Nov 2019

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
Country: United Kingdom
City: London
Period: 11/11/19 to 15/11/19

Fingerprint

Statistics
Experiments

Keywords

  • Decentralized differential privacy
  • Social networks
  • Subgraph statistics

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Sun, H., Xiao, X., Khalil, I., Yang, Y., Qin, Z., Wang, H., & Yu, T. (2019). Analyzing subgraph statistics from extended local views with decentralized differential privacy. In CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 703-717). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3319535.3354253
