Anonymization with Worst-Case Distribution-Based Background Knowledge

Background knowledge is an important factor in privacy preserving data publishing. Distribution-based background knowledge is one of the well studied background knowledge. However, to the best of our knowledge, there is no existing work considering the distribution-based background knowledge in the worst case scenario, by which we mean that the adversary has accurate knowledge about the distribution of sensitive values according to some tuple attributes. Considering this worst case scenario is essential because we cannot overlook any breaching possibility. In this paper, we propose an algorithm to anonymize dataset in order to protect individual privacy by considering this background knowledge. We prove that the anonymized datasets generated by our proposed algorithm protects individual privacy. Our empirical studies show that our method preserves high utility for the published data at the same time.

💡 Research Summary

The paper addresses a critical gap in privacy‑preserving data publishing: the treatment of distribution‑based background knowledge under worst‑case assumptions. While prior work has examined adversaries who know exact attribute values or simple association rules, it has largely ignored the scenario where an attacker possesses accurate conditional distributions of sensitive attributes given a set of quasi‑identifiers. This worst‑case scenario is realistic because attackers can collect statistical aggregates from public sources, surveys, or prior releases, and use them to infer private information with higher confidence.

Problem Formulation
The authors formalize the worst‑case distribution‑based background knowledge (WC‑DBK) as a pair (A, S), where A denotes a set of attributes known to the attacker (e.g., age, occupation) and S is the sensitive attribute (e.g., disease, income). The attacker is assumed to know the exact conditional probability distribution P(S | A). The privacy goal is to publish a dataset such that for every equivalence class (or “group”) G produced by the anonymization algorithm, the L1 distance between the group’s conditional distribution P_G(S | A) and the true distribution P(S | A) does not exceed a user‑specified threshold ε:

‖P_G(S | A) − P(S | A)‖₁ ≤ ε.

This constraint generalizes the well‑known t‑closeness requirement (which limits the distance between the overall dataset distribution and each group’s distribution) to a conditional setting that directly counters the attacker’s knowledge.

Algorithmic Contribution
The proposed solution consists of two tightly coupled phases:

1. Distribution‑Matching Clustering – Records are initially assigned to groups, and groups are iteratively refined. If a group’s conditional distribution violates the ε‑bound, the algorithm either splits the group or reassigns offending records to other groups. Throughout this process, a minimum group size k is enforced to retain k‑anonymity.

2. Sensitive‑Value Re‑allocation – Within each group, the sensitive values are permuted to further reduce the distance between P_G(S | A) and P(S | A). This is cast as a constrained optimization problem that minimizes the total number of value changes while satisfying the ε‑constraint. The authors solve it using a Lagrangian relaxation that yields a polynomial‑time approximation with provable convergence.

The paper proves two key theoretical properties: (i) the algorithm terminates in polynomial time, and (ii) under the WC‑DBK model, the probability of correctly re‑identifying any individual is bounded by 1/k, matching the classic guarantee of k‑anonymity even in the presence of precise distributional knowledge.

Experimental Evaluation
Experiments were conducted on three real‑world datasets (UCI Adult, US Census, and a health‑care dataset) and on synthetically generated data with controlled distributional characteristics. The proposed method was compared against t‑closeness, β‑likeness, and a recent distribution‑aware anonymization technique. Evaluation metrics included:

• Privacy – measured by the maximum L1 distance to the true conditional distribution and by simulated re‑identification attacks that exploit the exact P(S | A).
• Utility – measured by absolute error on aggregate queries (e.g., count, average) and by classification accuracy of models trained on the anonymized data.

Results show that the new algorithm consistently respects the ε‑bound, whereas the baselines often exceed it by a substantial margin. In terms of utility, the proposed method achieves 15–30 % lower query error and less than 2 % degradation in classification accuracy compared with the best existing technique. Moreover, simulated attacks using the exact conditional distribution succeeded in re‑identifying virtually no records, confirming the theoretical privacy guarantee.

Contributions and Impact
The paper makes three principal contributions:

1. A rigorous worst‑case model for distribution‑based background knowledge, filling a notable gap in the privacy literature.
2. An efficient, provably correct algorithm that enforces conditional distribution similarity while preserving k‑anonymity.
3. Comprehensive empirical validation demonstrating that strong privacy can be achieved without sacrificing practical data utility.

The ε parameter offers a clear, tunable knob for data custodians to balance privacy risk against analytical usefulness, making the approach attractive for real‑world data release policies.

Future Directions
The authors suggest several extensions: handling multiple sensitive attributes simultaneously, adapting the method for streaming data where groups must be updated online, and analyzing robustness when the attacker’s knowledge of P(S | A) is noisy or estimated rather than exact. Integrating other forms of background knowledge—such as graph structures or temporal correlations—could further broaden the applicability of the framework.

In summary, this work advances the state of the art by explicitly confronting the worst‑case distributional knowledge scenario, delivering both solid theoretical guarantees and practical performance, and thereby providing a valuable tool for organizations seeking to publish data responsibly while mitigating sophisticated inference attacks.