Differentially private histogram publication

Jia Xu, Zhenjie Zhang, Xiaokui Xiao, Yin Yang, Ge Yu, Marianne Winslett

Research output: Contribution to journal, Article

82 Citations (Scopus)

Abstract

Differential privacy (DP) is a promising scheme for releasing the results of statistical queries on sensitive data, with strong privacy guarantees against adversaries with arbitrary background knowledge. Existing studies on differential privacy mostly focus on simple aggregations such as counts. This paper investigates the publication of DP-compliant histograms, which are an important analytical tool for showing the distribution of a random variable, e.g., hospital bill size for certain patients. Compared to simple aggregations whose results are purely numerical, a histogram query is inherently more complex, since it must also determine its structure, i.e., the ranges of the bins. As we demonstrate in the paper, a DP-compliant histogram with finer bins may actually lead to significantly lower accuracy than a coarser one, since the former requires stronger perturbations in order to satisfy DP. Moreover, the histogram structure itself may reveal sensitive information, which further complicates the problem. Motivated by this, we propose two novel mechanisms, namely NoiseFirst and StructureFirst, for computing DP-compliant histograms. Their main difference lies in the relative order of the noise injection and the histogram structure computation steps. NoiseFirst has the additional benefit that it can improve the accuracy of an already published DP-compliant histogram computed using a naive method. For each of the proposed mechanisms, we design algorithms for computing the optimal histogram structure with two different objectives: minimizing the mean square error and the mean absolute error, respectively. Going one step further, we extend both mechanisms to answer arbitrary range queries. Extensive experiments, using several real datasets, confirm that our two proposals output highly accurate query answers and consistently outperform existing competitors.
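The trade-off between bin granularity and noise described in the abstract, as an added example that is not code from the paper and does not implement NoiseFirst or StructureFirst. It assumes the Laplace mechanism with sensitivity 1 (neighbouring datasets differ by adding or removing one record), bucket boundaries fixed in advance rather than derived from the data, and constructed sample counts.

```python
import random

# Constructed sample: true unit-bin counts (two plateaus). Not data from the paper.
COUNTS = [52, 48, 50, 51, 9, 11, 10, 12]
FINE = [(i, i + 1) for i in range(8)]   # one bucket per unit bin
COARSE = [(0, 4), (4, 8)]               # fixed in advance, not chosen from the data
SINGLE = [(0, 8)]

def laplace(scale, rng):
    # The difference of two i.i.d. Exp(1) draws, scaled, is Laplace(0, scale).
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def release(counts, buckets, epsilon, rng):
    """Publish one noisy total per bucket, spread evenly over its unit bins.
    Buckets are disjoint half-open (lo, hi) ranges, so one record touches one
    bucket and the whole release costs epsilon (assumed sensitivity 1)."""
    out = []
    for lo, hi in buckets:
        noisy = sum(counts[lo:hi]) + laplace(1.0 / epsilon, rng)
        out.extend([noisy / (hi - lo)] * (hi - lo))
    return out

def expected_sse(counts, buckets, epsilon):
    """Expected squared error summed over unit bins. Analysis only: it reads
    the true counts, so its output must not be published."""
    total = 0.0
    for lo, hi in buckets:
        w = hi - lo
        mean = sum(counts[lo:hi]) / w
        total += sum((c - mean) ** 2 for c in counts[lo:hi])  # merging error
        total += 2.0 / (epsilon ** 2 * w)  # Laplace variance 2/eps^2 shared by w bins
    return total

def empirical_sse(counts, buckets, epsilon, trials=2000, seed=7):
    # Monte Carlo check of expected_sse using the actual release procedure.
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        est = release(counts, buckets, epsilon, rng)
        total += sum((e - c) ** 2 for e, c in zip(est, counts))
    return total / trials

if __name__ == "__main__":
    for name, b in (("fine", FINE), ("coarse", COARSE), ("single", SINGLE)):
        print(name, expected_sse(COUNTS, b, 0.5), round(empirical_sse(COUNTS, b, 0.5), 2))
```

With epsilon = 0.5 the two-bucket histogram has the lowest expected error; the per-bin histogram pays for noise in every bin, and the single bucket pays for flattening the two plateaus.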

Original language: English
Pages (from-to): 797-822
Number of pages: 26
Journal: VLDB Journal
Volume: 22
Issue number: 6
DOIs: https://doi.org/10.1007/s00778-013-0309-y
Publication status: Published - Dec 2013
Externally published: Yes

Fingerprint

Bins
Agglomeration
Random variables
Mean square error
Experiments

Keywords

  • Database query processing
  • Differential privacy
  • Histogram

ASJC Scopus subject areas

  • Information Systems
  • Hardware and Architecture

Cite this

Xu, J., Zhang, Z., Xiao, X., Yang, Y., Yu, G., & Winslett, M. (2013). Differentially private histogram publication. VLDB Journal, 22(6), 797-822. https://doi.org/10.1007/s00778-013-0309-y

@article{9675b5a17db344d699392e5e3eb7e9c3,
title = "Differentially private histogram publication",
keywords = "Database query processing, Differential privacy, Histogram",
author = "Jia Xu and Zhenjie Zhang and Xiaokui Xiao and Yin Yang and Ge Yu and Marianne Winslett",
year = "2013",
month = "12",
doi = "10.1007/s00778-013-0309-y",
language = "English",
volume = "22",
pages = "797--822",
journal = "VLDB Journal",
issn = "1066-8888",
publisher = "Springer New York",
number = "6",

}

TY - JOUR

T1 - Differentially private histogram publication

AU - Xu, Jia

AU - Zhang, Zhenjie

AU - Xiao, Xiaokui

AU - Yang, Yin

AU - Yu, Ge

AU - Winslett, Marianne

PY - 2013/12

Y1 - 2013/12

KW - Database query processing

KW - Differential privacy

KW - Histogram

UR - http://www.scopus.com/inward/record.url?scp=84888050192&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84888050192&partnerID=8YFLogxK

U2 - 10.1007/s00778-013-0309-y

DO - 10.1007/s00778-013-0309-y

M3 - Article

AN - SCOPUS:84888050192

VL - 22

SP - 797

EP - 822

JO - VLDB Journal

JF - VLDB Journal

SN - 1066-8888

IS - 6

ER -