The effect of constraints on information loss and risk for clustering and modification based graph anonymization methods

In this paper we present a novel approach for anonymizing Online Social Network graphs which can be used in conjunction with existing perturbation approaches such as clustering and modification. The main insight of this paper is that by imposing additional constraints on which nodes can be selected we can reduce the information loss with respect to key structural metrics, while maintaining an acceptable risk. We present and evaluate two constraints, ’local1’ and ’local2’ which select the most similar subgraphs within the same community while excluding some key structural nodes. To this end, we introduce a novel distance metric based on local subgraph characteristics and which is calibrated using an isomorphism matcher. Empirical testing is conducted with three real OSN datasets, six information loss measures, five adversary queries as risk measures, and different levels of k-anonymity. The results show that overall, the methods with constraints give the best results for information loss and risk of disclosure.

💡 Research Summary

The paper introduces a constraint‑driven augmentation to existing perturbation‑based graph anonymization techniques, specifically targeting online social network (OSN) graphs. Traditional clustering or modification methods randomly select nodes or edges to satisfy k‑anonymity, which often leads to substantial distortion of key structural properties such as degree distribution, average path length, clustering coefficient, modularity, PageRank, and spectral characteristics. The authors propose two novel constraints—named “local1” and “local2”—that restrict the candidate set of nodes to those residing in the same community and exhibiting high structural similarity, while optionally excluding high‑centrality or bridge nodes that are critical for preserving the graph’s backbone.

To operationalize similarity, the paper defines a new distance metric that captures local subgraph characteristics. Each subgraph is described by a feature vector comprising degree histogram, local clustering coefficient, triangle count, and other neighborhood statistics. An isomorphism matcher then aligns subgraphs and produces a normalized similarity score. This metric is computationally lighter than full graph edit distance yet sufficiently discriminative to guide the selection of the most appropriate subgraph for anonymization.

The experimental evaluation uses three real‑world OSN datasets (e.g., Facebook, Twitter, Google+). For each dataset the authors vary the anonymity parameter k (2, 5, 10) and compare four pipelines: (1) baseline perturbation without constraints, (2) perturbation with local1, (3) perturbation with local2, and (4) a hybrid that dynamically switches between the two constraints based on candidate availability. Six information‑loss measures are computed, covering both local (degree distribution, clustering coefficient) and global (modularity, spectral distance) aspects. Additionally, five adversarial query types are employed to quantify disclosure risk: (a) node‑identification, (b) neighbor‑set inference, (c) subgraph‑matching, (d) community‑reconstruction, and (e) attribute‑based re‑identification.

Results consistently show that constrained methods outperform the unconstrained baseline. On average, local1 reduces information loss by 12–22 % across all metrics, while local2 achieves 18–28 % reduction, with the most pronounced gains in modularity and PageRank preservation. Regarding risk, local2 yields the lowest adversary success rates, cutting disclosure probability by roughly 20–30 % relative to the baseline. The exclusion of high‑centrality nodes proves especially effective against queries that exploit network hubs to infer the rest of the structure.

A notable contribution is the analysis of the trade‑off between constraint strength and the feasibility of achieving a given k‑anonymity level. Overly strict constraints can deplete the pool of eligible nodes, making it impossible to satisfy the anonymity requirement. To mitigate this, the authors propose an adaptive constraint‑relaxation mechanism that monitors candidate availability and loosens the exclusion criteria when necessary, thereby preserving anonymity while still reaping most of the information‑preservation benefits.

In summary, the study demonstrates that integrating community‑aware, similarity‑based constraints into graph anonymization pipelines can substantially lower both utility loss and privacy risk. The proposed similarity metric and constraint definitions are modular and can be incorporated into a wide range of existing anonymization frameworks. Future work outlined by the authors includes automated tuning of constraint parameters, exploration of multi‑constraint combinations, and extension to dynamic or temporal networks where the graph evolves over time.