IJEST template - International Journal of Computer Technology and ...

Sushma Rani.N et al, Int. J. Comp. Tech. Appl., Vol 2 (5), 1283-1289 

ISSN:2229-6093 

PRIVACY ENHANCING AND BREACH REDUCTION 

SUSHMA RANI.N #1 , TULASI PRASAD *2 , PRASAD KAVITI *3 

MVGR College of Engineering, Vizianagaram, India #1 

Sr.Asst.Professor & Coordinator Examinations, Dept of CSE, Chaitanya Engineering College *2 

Asst Professor, Dept of Computer Science & Engineering *3 

sushma24583@gmail.com #1 

tulasiprasadsariki@gmail.com *2 

prasadkaviti@gmail.com *3 

Abstract 

Hiding the information without getting it 

revealed to others while publishing in a network 

is a major task now a days. For example an 

individual who wants to share his personal 

information like hospitalized or banking data to 

a researcher for his future enhancement or for 

his benefit , how much scientific guarantee can 

be given to that individual who are the subjects 

of the data count to be redefined while data 

remain practically useful. In this scenario k- 

Anonymity and l-Diversity are two emerging 

privacy preserving techniques are getting 

popularity by providing the high security to 

their data. In which K-anonymity provide 

protection by not getting the data to reach 

unidentified individuals. In this method, each 

record is identical from at least k-1 records with 

respect to certain identifying attributes like 

quasi identifiers. On the other hand, I-diversity 

loads every quasi identifier group to contain ‘l’ 

well represented sensitive values. The same 

sensitive values must be possessed by every 1/l 

tuples in each quasi identifier group. Even 

though there were other privacy preserving 

techniques like Generalization, Suppression this 

k-Anonymity and l-Diversity got popularity 

because of its privacy preserving mechanism. In 

this paper we are proposing a new framework 

for Privacy preservation mechanism to the data 

using k-Anonymity and l-Diversity. And to 

enhance the proposed framework we have used 

the mathematical concepts of Self Union of 

partition sets and the common divisor functions 

in order to effectively limit the privacy 

disclosure of the sensitive data. 

Keywords: Privacy preserving, Anonymity, 

Diversity, Sensitive Data. 

1. Introduction 

Since then, society has experienced 

exponential growth in the number and variety of 

data collections containing person-specific 

information as computer technology, network 

connectivity and disk storage space has become 

increasingly affordable. Data holders, operating 

autonomously and with limited knowledge, were 

left with the difficulty of releasing information that 

does not compromise privacy, confidentiality or 

national interests. In many cases the survival of the 

database itself depended on the data holder's ability 

to produce anonymous data because not releasing 

such information at all may diminish the need for 

the data, while on the other hand, failing to provide 

proper protection within a release may create 

circumstances that harm the public or others. 

Industries, organizations, and governments had to 

satisfy demands for electronic release of 

information in addition to demands of privacy from 

individuals whose personal data may be disclosed 

by the process. 

As shown in Fig .1 today’s globally networked 

society places great demand on the collection and 

sharing of person-specific data for many new uses. 

This happens at a time when more and more 

historically public information is also electronically 

available. So in today’s technically-empowered 

data rich environment, how does a data holder, 

such as a medical institution, public health agency, 

or financial organization, share person-specific 

records in such a way that the released information 

remain practically useful but the identity of the 

individuals who are the subjects of the data cannot 

be determined. The fact that the personal 

information can be collected, stored and used 

without any consent or awareness creates fear for 

privacy violation for many people. The 

advancement of database technology has also 

significantly increased privacy concerns. 

Depending on the roles of the underlying server, 

earlier research classified the server technology 

into two categories: centralized publication and 

distributed collection. The first category assumes 

that the dataset, called microdata, is stored at a 

trustable server. The server releases the data in a 

manner that protects personal privacy, and permits 

effective mining on the microdata. The second 

category addresses a different scenario, where an 

un-trustable server independently contacts a set of 

IJCTA | SPT-OCT 2011 

Available online@www.ijcta.com 

1283


ISSN:2229-6093 

individuals, and solicits a tuple from each person. 

The major concern in un-trustable servers is the 

modification of data as the problem of releasing a 

version of privately held data so that the 

individuals who are the subjects of the data cannot 

be identified is not a new problem. 

variation on this can be a filter applied to the rule 

set to suppress rules containing identifying 

attributes. 

• Query restriction- Which attempts to detect 

when statistical compromise might be possible 

through the combination of queries. 

2.3 Privacy preservation Techniques 

Fig .1: Centralized database system 

2. Related work 

2.1 Classification of Data 

Data classified into three types 

• Public data: This data is accessible to every 

one including the adversary. 

• Privacy /Sensitive data: This kind of data 

must be protected: The data should remain 

unknown to the adversary. 

• Unknown data: This is the data that is not 

known to the adversary, and is not inherently 

sensitive. However, before disclosing this data to 

an adversary (or enabling an adversary to estimate 

it, such as by publishing a data mining model) we 

must show that it does not enable the adversary to 

discover sensitive data. 

2.2 Requirements of Privacy Preserving 

• Secure sharing of data between 

organizations – Being able to share data for 

mutual benefit without compromising 

competitiveness. 

• Confidentiality of publicly available data – 

Ensuring that individuals are not identifiable from 

aggregated data and that inferences regarding 

individuals are disallowed (e.g. from government 

census data). 

• Anonymity of private data – Individuals and 

organizations mutating or randomizing information 

to preserve privacy. 

• Access Control – Privacy preservation has 

long been used in general database work to refer to 

the unauthorized extraction of data. This meaning 

has also been applied to data mining. 

• Authority Control and Cryptographic 

Techniques - Such techniques effectively hide data 

from unauthorized access but do not prohibit 

inappropriate use by authorized (or naive) users. 

• Anonymous data - In which any identifying 

attributes, are removed from the source dataset. A 

(a) Generalization 

Generalization is a popular method of thwarting 

linking attacks. It works by replacing QI-values in 

the microdata with fuzzier forms. To illustrate, 

assume that a hospital wants to release the 

microdata of Table 1(a). Here, Disease is sensitive, 

that is, the publication must prevent the disease of 

any patient from being discovered. Simply 

removing the names is insufficient due to the 

possibility of linking attacks [33, 35]. For example, 

consider an adversary that knows the age 21 and 

gender M of Alan. Given Table 1(a) (even without 

the names), s/he is still able to assert that the first 

tuple must belong to Alan, and thus find out his 

real disease pneumonia. As Age and Sex can be 

combined to recover a patient’s identity, they are 

referred to as quasi-identify (QI) attributes. Table 

1b is a generalized version of Table 1(a). Notice 

that, for instance, the age 21 of the first tuple in 

Table 1(a) has been replaced with an interval [21, 

40] in Table 1(b). 

Table [1]: An example of generalization 

Fig .2: Regarding generalization as point-ofrectangle 

transformation 

Also observe that generalization creates QI-groups, 

each of which consists of tuples with identical 

(generalized) QI-values. For example, Table 1(b) 

has two QI-groups, including the first and last 4 

tuples, respectively. To understand why 

generalization helps to prevent linking attacks, 

consider the same adversary aforementioned that 



1284


ISSN:2229-6093 

knows Alan’s age and gender. Given Table 1(b), 

she/he cannot tell exactly which of the first 4 tuples 

describes Alan. With a random guess, the adversary 

can correctly link Alan to pneumonia only with 

50% probability. It is often convenient to regard 

generalization as a point-to-rectangle 

transformation in the QIspace, which is a space 

formed by all the QI attributes. Fig 2 represents 

each tuple in Table 1(a) as a point, whose 

horizontal and vertical coordinates equal the tuple’s 

age and sex, respectively. A black (white) point 

indicates a tuple with sensitive value pneumonia 

(bronchitis). Rectangle R1 represents the first QIgroup 

of Table 1(b). The Age-extent of R1 is the 

Age-value [21, 40] of the QI-group, and its Sexextent 

covers both F and M, corresponding to the 

wildcard ‘*’ in the group. Similarly, rectangle R2 

describes the second QI-group. A microdata 

relation can be generalized in numerous ways. 

Various generalizations, however, may provide 

drastically different privacy protection. Hence, in 

practice, generalization needs to be guided by an 

anonymization principle, which is a criterion 

deciding whether a table has been adequately 

anonymized. Most notable principles include k- 

anonymity, l-diversity, and t-closeness. 

(b) Generalization including suppression 

The idea of generalizing an attribute is a simple 

concept. A value is replaced by a less specific, 

more general value that is faithful to the original. In 

Figure 2 the original ZIP codes {02138, 02139} 

can be generalized to 0213*, thereby stripping the 

rightmost digit and semantically indicating a larger 

geographical area. In a classical relational database 

system, domains are used to describe the set of 

values that attributes assume. For example, there 

might be a ZIP domain, a number domain and a 

string domain. I extend this notion of a domain to 

make it easier to describe how to generalize the 

values of an attribute. In the original database, 

where every value is as specific as possible, every 

attribute is considered to be in a ground domain. 

For example, 02139 is in the ground ZIP domain, 

Z0. In order to achieve k-anonymity I can make 

ZIP codes less informative. I do this by saying that 

there is a more general, less specific domain that 

can be used to describe ZIPs, say Z1, in which the 

last digit has been replaced by 0 (or removed 

altogether). There is also a mapping from Z0 to Z1, 

such as 02139 0213*. Given an attribute A, I 

say a generalization for an attribute is a function 

on A. 

That is, each f: A B is a generalization. I also 

say that: 

(1) 

private table PT, I define a domain generalization 

hierarchy DGHA for A as a set of functions fh : 

h=0,…,n-1 such that: 

(2) 

A=A0 and |An| = 1. DGHA is over: (3) 

Clearly, the fh’s impose a linear ordering on the 

Ah’s where the minimal element is the ground 

domain A0 and the maximal element is An. The 

singleton requirement on An ensures that all values 

associated with an attribute can eventually be 

generalized to a single value. In this presentation I 

assume Ah, h=0,…,n, are disjoint; if an 

implementation is to the contrary and there are 

elements in common, then DGHA is over the 

disjoint sum of Ah’s and definitions change 

accordingly. Given a domain generalization 

hierarchy DGHA for an attribute A, if viAi and 

vjAj then I say vi vj if and only if i j and: 

This defines a partial ordering on: 

(5) 

(4) 

Such a relationship implies the existence of a value 

generalization hierarchy VGHA for attribute A.I 

expand my representation of generalization to 

include suppression by imposing on each value 

generalization hierarchy a new maximal element, 

atop the old maximal element. The new maximal 

element is the attribute's suppressed value. The 

height of each value generalization hierarchy is 

thereby incremented by one. No other changes are 

necessary to incorporate suppression. Figure 3 and 

Figure 4 provides examples of domain and value 

generalization hierarchies expanded to include the 

suppressed maximal element (*****). In this 

example, domain Z0 represents ZIP codes for 

Cambridge, MA, and E0 represents race. From now 

on, all references to generalization include the new 

maximal element; and, hierarchy refers to domain 

generalization hierarchies unless otherwise noted. 

Fig 3: ZIP domain and value generalization 

hierarchies including suppression 

is a generalization sequence or a functional 

generalization sequence. Given an attribute A of a 



1285


ISSN:2229-6093 

Fig 4: Race Domain and value generalization 

hierarchies including suppression 

2.4 Breach Mechanism 

2.4.1 Randomized Sequence 

Definition: Let (Ω, ƒ, P) be a probability space of 

elementary events over some set Ω and σ - algebra 

ƒ. A randomization operator is a measurable 

function [8]. 

R: Ω x {all possible T} 

{all possible T} 

That randomly transforms the sequence of N 

transactions into a (usually) different sequence of N 

transactions. Given a sequence of N transactions 

T 1 , we shall writer T 1 =R (T), where T is a 

constant and R (T) is a random variable. 

3. System Overview 

When the user poses a query in order to retrieve the 

sensitive data, the query first retrieves the data 

from the database maintained, depending upon the 

sensitive data specification. Then, we apply the 

generalization algorithm along with the concepts of 

k-Anonymity and l-Diversity to get the sensitive 

datasets. Once the group identifiers are allocated 

to the generalized database, we apply the second 

phase that is the self – union algorithm on the 

partition sets obtained to uniquely identify the 

sensitive data items. Then moving further into the 

third phase, we generate a random number, based 

upon which we select a function, amongst a set of 

functions which have a common divisor, which 

generates the indices of the sensitive data items to 

be given as the output to the user, which is the 

result set of the query. 

2.4.2 Non - Randomized Sequence 

Definition: Suppose that a non-randomized 

sequence T is drawn from some known 

distribution, and t i ε T is the i-th transactions in T. 

A general privacy breach of level ρ with the respect 

to a property P (t i ) occurs if There exists 

T 1 : P [P (t i ) | R (T) = T 1 ] ≥ ρ 

We say that a property Q (T 1 ) causes a privacy 

breach of level ρ with respect to P (t i ) if 

P [P (t i )| Q(R (T))] ≥ ρ 

When we define privacy breaches, we think of the 

prior distribution of the transactions as known, so 

that it makes sense to speak about the posterior 

probability of a property P (t i ) versus prior. In 

practice, however, we do not know the prior 

distribution. In fact, there is no prior distribution; 

the transactions are not randomly generated. 

However, modeling transactions as being randomly 

generated from a prior distribution allows us to 

cleanly define privacy breaches. 

Consider a situation when, for some transaction t i ε 

T, an itemset A subset of T and an item a ε A, the 

1 

property “A subset t i ε T 1 ” causes a privacy breach 

with respect to the property “a ε t 1 i .” I other 

words, the presence of A in a randomized 

transaction makes it likely that item’s present in the 

corresponding nonrandomized transaction. 

Fig 5: Dataflow diagram of the present proposed 

system 



1286


ISSN:2229-6093 

Where S 1 = {Distinct sensitive data uniquely 

identified} 

S1 = { S 1 1, S 1 2…S 1 max } Where max = maximum k 

= maximum l 

• Phase-3: Query Processing Phase 

Choose ‘p’ functions f1(x), f2(x), f3(x)… fp(x) 

such that f 1 (x) is a common divisor of f1(x), f2(x) 

…, fp(x). 

Generate a random ‘r’ where 1


ISSN:2229-6093 

Fig 8: Query posing on sensitive data with using 

Breach Reduction technique 

Fig 10: Query posing on sensitive data with 

using Breach Reduction technique 

Fig 9: Query posing on sensitive data without 

using Breach Reduction technique 

5. Conclusion and Future work 

The existing centralized-publication methods do 

not support republication of microdata in the 

presence of both insertions and deletions. Our 

present proposed technique remedies this problem 

by using a mathematical technique called selfunion 

and the common divisor functions along with 

the previously existing techniques of k-Anonymity 

and l-Diversity. We have provided an efficient 

algorithm for computing anonymized versions of 

the microdata, which adequately protect privacy 

and yet support effective data analysis. The 

technique thus developed is a novel concept that 

prevents an adversary from using multiple releases 

to infer sensitive information. We have presented a 

formal analytical study with an example that 

elaborates the theoretical foundation of our 

proposed technique and proves its effectiveness of 

limiting privacy disclosure. We have also provided 

a comparison of the enhanced privacy levels 

provided with our technique against the previously 

existing techniques for a given database size. This 

work also initiates several promising directions for 

future work. First, it would be exciting to extend 

the proposed technique to tackle alternative forms 



1288


ISSN:2229-6093 

of background knowledge. Research towards this 

direction may lead to the discovery of alternative 

generalization principles. Secondly, research in 

these areas could also lead to more secured 

database publications where the privacy of the 

individuals need not be compromised. This work 

can thus be represented as one of the initial steps 

towards definition of a complete framework for 

information disclosure control. 

6. References 

[1]. m-Invariance: Towards Privacy Preserving Republication 

of Dynamic Datasets by Xiaokui Xiao 

and Yufei Tao,ACM 978-1-59593-686-8/07/0006, 

pg nos.254- 258, SIGMOD’07, 2007 

[2]. J. Kim. A method for limiting disclosure of 

microdata based on random noise and 

transformation Proceedings of the Section on 

Survey Research Methods of the American 

Statistical Association, pg nos.370-374, 1986. 

[3]. T. Su and G. Ozsoyoglu. Controlling FD and 

MVD inference in multilevel relational database 

systems. IEEE Transactions on Knowledge and 

Data Engineering, pg nos. 474--485, 1991. 

[4] M. Morgenstern. Security and Inference in 

multilevel database and knowledge based systems 

Proc. of the ACM SIGMOD Conference, pg nos. 

357--373, 1987. 

[5] T. Hinke. Inference aggregation detection in 

database management systems. In Proc. of the 

IEEE Symposium on Research in Security and 

Privacy, pg nos 96-107, Oakland, 1988. 

[6] D. Denning, P. Denning, and M. Schwartz. The 

tracker: A threat to statistical database security. 

ACM Trans. on Database Systems, pg nos 76-- 

96,1979. 

[7]. A. Machanavajjhala, J. Gehrke, and D. Kifer. l- 

diversity: Privacy beyond k-anonymity. In Intnl. 

Conf. Data Engg. (ICDE), page 24-28, 2006. 

[8]. Privacy Preserving mining of association rules 

by Alexdendre Evfimievski, RamaKrishnan 

Srikanth, Rakesh Agarwal, Johannes Gehrke, ACM 

1-58113-567-X/02/0007. 

[9]. L. Sweeney. k-Anonymity: a model for 

protecting privacy. International Journal of 

Uncertainty, Fuzziness and Knowledge-Based 

Systems, pg nos: 557-570,2002. 

[11]. Anatomy: Simple and Effective Privacy 

Preservation by Xiaokui Xiao and Yufei Tao, pg 

nos: 368- 371, ACM 1595933859/06/09, 2006. 

[12]. Personalized Privacy Preservation by Xiaokui 

Xiao and Yufei Tao, pg nos: 242- 246, ACM 

1595932569/06/0006,2009. 



1289

IJEST template - International Journal of Computer Technology and ...

Create successful ePaper yourself

Delete template?

Save as template?