
RASE: Efficient Privacy-preserving Data Aggregation against Disclosure Attacks for IoTs

Zuyan Wang, Jun Tao, Dika Zou

TL;DR

RASE addresses the privacy-utility tension in IoT data aggregation by coupling local perturbation, permutation, and robust estimation. It introduces a budget-aware local randomizer BR with Laplace noise, a Mallows-based shuffler RS with grouping-refinement to hide senders, and multiple estimators (SE, MLE, BS) to recover the mean under noise. The approach provides ε-LDP guarantees locally and preserves sender anonymity through permutation, with theoretical privacy results and practical utility bounds; experiments on the REFIT dataset show improved privacy against disclosure attacks and competitive mean-estimation accuracy. This framework enables privacy-conscious IoT data collection with feasible computation and strong protection against identity disclosure, suggesting a practical path toward stronger privacy standards in sensor-driven services.

Abstract

The growing public awareness of personal privacy raises the following quandary: what is the new paradigm for collecting and protecting the data produced by ever-increasing numbers of sensor devices? Most previous studies on the co-design of data aggregation and privacy preservation assume that a trusted fusion center adheres to privacy regimes. Very recent work has taken steps towards relaxing this assumption by allowing data contributors to locally perturb their own data. Although these solutions withhold some data content to mitigate privacy risks, they have been shown to offer insufficient protection against disclosure attacks. Aiming at providing a more rigorous data safeguard for the Internet of Things (IoTs), this paper initiates the study of privacy-preserving data aggregation. We propose a novel paradigm (called RASE), which can be generalized into a three-step sequential procedure: noise addition, followed by random permutation, and then parameter estimation. Specifically, we design a differentially private randomizer, which carefully guides data contributors to obfuscate the truth. Then, a shuffler is employed to receive the noisy data from all data contributors. After that, it breaks the correct linkage between senders and receivers by applying a random permutation. The estimation phase involves using inaccurate data to calculate an approximate aggregate value. Extensive simulations are provided to explore the privacy-utility landscape of our RASE.
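As an added illustration of the three-step procedure described in the TL;DR and abstract (this is example code, not the paper's own implementation), the Python below chains a Laplace randomizer using the standard eps-LDP scale, a Mallows-model shuffler sampled with the repeated insertion method, and a plain sample-mean estimator. The paper's budget-aware BR randomizer and the grouping-refinement step of RS are not reproduced; the clamped reading domain [lo, hi], the dispersion theta and the smart-meter sample readings are assumptions made for this example.

```python
import math
import random
from statistics import mean

def laplace_randomizer(x, lo, hi, eps, rng=None):
    """eps-LDP Laplace mechanism for one reading known to lie in [lo, hi]:
    clamping bounds the sensitivity to hi - lo, so scale (hi - lo) / eps suffices."""
    rng = rng or random.Random()
    x = min(max(x, lo), hi)
    scale = (hi - lo) / eps
    # Laplace(0, scale) == random sign * Exponential(rate 1 / scale)
    return x + rng.choice((-1.0, 1.0)) * rng.expovariate(1.0 / scale)

def mallows_shuffle(items, theta, rng=None):
    """Sample a permutation from a Mallows model centred on the identity order
    (repeated insertion method): placing item i at slot j creates i - j
    inversions, chosen with probability proportional to exp(-theta * inversions)."""
    rng = rng or random.Random()
    out = []
    for i, item in enumerate(items):
        weights = [math.exp(-theta * (i - j)) for j in range(i + 1)]
        out.insert(rng.choices(range(i + 1), weights=weights)[0], item)
    return out

def kendall_tau(perm):
    """Kendall tau distance to the identity order: number of inversions."""
    n = len(perm)
    return sum(1 for a in range(n) for b in range(a + 1, n) if perm[a] > perm[b])

def rase_mean(readings, lo, hi, eps, theta, seed=0):
    """Noise addition -> Mallows permutation -> mean estimation; returns (estimate, tau)."""
    rng = random.Random(seed)
    noisy = [laplace_randomizer(x, lo, hi, eps, rng) for x in readings]
    order = mallows_shuffle(list(range(len(noisy))), theta, rng)
    shuffled = [noisy[i] for i in order]      # what the aggregator receives
    # Laplace noise is zero-mean and a permutation keeps the multiset, so
    # the plain sample mean stays an unbiased estimate of the true mean.
    return mean(shuffled), kendall_tau(order)

def constructed_readings(n=2000, seed=42):
    """Constructed sample data: n smart-meter readings in kWh within [0, 1]."""
    rng = random.Random(seed)
    return [rng.uniform(0.1, 0.6) for _ in range(n)]

if __name__ == "__main__":
    readings = constructed_readings()
    est, d = rase_mean(readings, lo=0.0, hi=1.0, eps=1.0, theta=0.3)
    print(f"true mean {mean(readings):.4f}, RASE estimate {est:.4f}, "
          f"Kendall tau of applied permutation {d}")
```

With n = 2000 and eps = 1 the standard error of the estimate is about sqrt(2)/sqrt(n), roughly 0.03 kWh, which is the utility cost the estimator pays for the local privacy guarantee.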

Paper Structure

This paper contains 29 sections, 8 theorems, 26 equations, 9 figures, 1 table and 3 algorithms.

Key Result

Lemma 1

To meet a data precision $(\beta,\rho)$, the privacy budget $\epsilon_s$ for the Laplace mechanism should be lower-bounded by

Figures (9)

  • Figure 1: An example of the system model.
  • Figure 2: When $m=5$, the probability of the Mallows model at each Kendall tau distance for different $\theta$.
  • Figure 3: Overview of RASE: sanitization of sensitive data with a three-part privacy preservation framework.
  • Figure 4: The probability assigned to central permutation $\sigma_0$ for different parameters $\theta$ and $n$.
  • Figure 5: Comparison of sanitizing algorithms for $n=64$ sensor devices: (a) precision-recall on the raw data; (b) precision-recall after BR; (c) precision-recall after BR-Mallows; (d) precision-recall after Laplace-fisher; (e) precision-recall after RASE.
  • ...and 4 more figures

Theorems & Definitions (24)

  • Definition 1: $\epsilon$-local differential privacy [Graham2018Privacy]
  • Definition 2: Compositionality, associativity and invertibility
  • Definition 3: $d_{\sigma}$-privacy [Meehan2021Privacy]
  • Example 1
  • Definition 4: Interval precision
  • Lemma 1
  • Theorem 1
  • Definition 5: Group width [Meehan2021Privacy]
  • Lemma 2: Meehan et al. [Meehan2021Privacy]
  • Example 2
  • ...and 14 more