JP2019101809A - Anonymization device, anonymization method, and anonymization program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an anonymization device, an anonymization method, and an anonymization program capable of outputting only safe records while remaining useful. An anonymization device (1) includes a data set input unit (11) that regularly receives an input of a data set having the same attribute, and a hierarchical tree input unit (12) that receives an input of a generalized hierarchical tree for each attribute. , The anonymization rule input unit 13 that receives the input of the anonymization rule, the output rule input unit 14 that receives the input of the output rule that defines the conditions of the record that can be output, and the entire data set is anonymous based on the anonymization rule. The anonymization processing unit 16 that anonymizes, the anonymization data output unit 17 that outputs only the records that match the output rule from the anonymized data set, and the records that have been saved that do not match the output rule before the anonymization. The storage unit 20 that stores the state is provided, and the anonymization processing unit 16 anonymizes the saved record after adding it to the received data set. [Selection diagram] Figure 1

Description

  The present invention relates to an apparatus, method and program for anonymizing a data set.

Conventionally, for example, when analyzing a data set including personal information such as movement history or purchase history together with user attributes and using it for advertisement distribution etc., it is necessary to avoid the risk of individual being identified from records and leakage of personal information was there. For this reason, a data set including personal information is provided after the process of anonymization.
When automatically anonymizing a data set, a method is used in which records having a short distance are rounded and clustered, or each attribute has a tree structure and k-anonymization is performed by repeating generalization. (See, for example, Non-Patent Documents 1 and 2).

Ji-Won Byun, Ashish Kamra, Elisa Bertino, Ninghui Li, Efficient k-anonymization using clustering techniques, Proceedings of the 12th international conference on Database systems for advanced applications, April 09-12, 2007, Bangkok, Thailand Kristen LeFevre, David J. DeWitt, Raghu Ramakrishnan, Incognito: efficient full-domain K-anonymity, Proceedings of the 2005 ACM SIGMOD international conference on Management of data, June 14-16, 2005, Baltimore, Maryland

However, in the method of automatically rounding records close in distance, since the data is clustered by a simple distance between records without considering the meaning of the data, for example, for the age "17-21" Generalization with low utility has been performed.
In addition, even if it is based on a tree structure, the purpose is to carry out k-anonymization, and when the number of attributes increases, significant generalization is performed on most of the attributes, resulting in utilization value Often had a low data set.

  An object of the present invention is to provide an anonymization device, an anonymization method, and an anonymization program that can output only secure records while leaving the utility.

  In the anonymization device according to the present invention, a data set input unit that periodically receives an input of a data set having the same attribute made up of a plurality of records, and an upper rank generalized for each of the attributes included in the data set A hierarchical tree input unit that receives an input of a generalized hierarchical tree having nodes, an anonymization rule input unit that receives an input of anonymization rules according to the usage of the data set, and an output based on the risk that an individual is identified And an anonymization processing unit that anonymizes the entire data set based on the anonymization rule, and anonymization processing unit that anonymizes the entire data set based on the anonymization rule. An anonymization data output unit that outputs only records that match the output rule from the data set, and saving without meeting the output rule A saved record storage unit for storing the stored record in a state before anonymization, the anonymization processing unit receiving the record stored in the saved record storage unit by the data set input unit Anonymize after adding to the set.

  When the record includes an attribute of date and time information, the save record storage unit may delete and store the date and time information.

  The save record storage unit may delete a record for which a predetermined period has elapsed.

  In the anonymization method according to the present invention, a data set input step for periodically receiving an input of a data set having the same attribute made up of a plurality of records, and an upper rank generalized for each attribute included in the data set A hierarchical tree input step for receiving an input of a generalized hierarchical tree having nodes, an anonymization rule input step for receiving an input of anonymization rules according to a usage of the data set, and an output based on a risk of identifying an individual And anonymization processing step of anonymizing the whole of the data set based on the anonymization rule, and anonymization processing step of the anonymization processing step. Data that outputs only records that match the output rule from the specified data set The computer executes a force step and a save record storage step for storing a record saved without matching the output rule in a state before anonymization, and in the anonymization process step, storing in the save record storage step The record being recorded is anonymized after being added to the data set received in the data set input step.

  The anonymization program according to the present invention comprises a data set input step of periodically receiving an input of a data set having the same attribute composed of a plurality of records, and a generalized upper rank for each attribute included in the data set. A hierarchical tree input step for receiving an input of a generalized hierarchical tree having nodes, an anonymization rule input step for receiving an input of anonymization rules according to a usage of the data set, and an output based on a risk of identifying an individual And anonymization processing step of anonymizing the whole of the data set based on the anonymization rule, and anonymization processing step of the anonymization processing step. To output only the records that match the output rule from the output data set Causing the computer to execute a data output step and a saved record storing step for storing a record saved without matching the output rule in a state before anonymization, and in the anonymization processing step, the saved record storing step The record stored at step S. is added to the data set received at the data set input step and then anonymized.

  According to the present invention, when anonymizing a data set, it is possible to output only a secure record while leaving the usefulness.

It is a figure showing functional composition of an anonymization device concerning a 1st embodiment. It is a figure which shows the input-output information of the anonymization apparatus which concerns on 1st Embodiment. It is a figure which shows the input-output information of the anonymization apparatus which concerns on 2nd Embodiment.

Hereinafter, a first embodiment of the present invention will be described.
FIG. 1 is a diagram showing a functional configuration of the anonymization device 1 according to the present embodiment.
The anonymization device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control unit 10, a storage unit 20, and various input / output devices.

  The control unit 10 is a part that controls the entire anonymization device 1, and realizes functions in the present embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

  The storage unit 20 is a storage area for various programs for causing the hardware group to function as the anonymization device 1 and various data, and may be a ROM, a RAM, a flash memory, a hard disk (HDD), or the like. Specifically, the storage unit 20 stores, in addition to the anonymization program for causing the control unit 10 to execute the functions of this embodiment, a data set to be processed, various file groups, and the like.

  Further, the control unit 10 includes a data set input unit 11, a hierarchical tree input unit 12, an anonymization rule input unit 13, an output rule input unit 14, a setting information input unit 15, and an anonymization processing unit 16. And an anonymization data output unit 17.

  The data set input unit 11 periodically receives an input of a data set having the same attribute, which includes a plurality of records, by batch processing or the like. For example, a data set for one day is taken in once a day and provided to the anonymization processor 16.

Each record of the data set to be anonymized consists of a plurality of attributes. The type of data of each attribute includes qualitative data, quantitative data, coded data, and the like.
The qualitative data corresponds to, for example, an address such as "Tokyo" or "Kyoto".
The quantitative data corresponds to, for example, numerical data such as "1.5" and "30".
The code type data corresponds to data having a meaning in each digit, such as a zip code, for example.

The hierarchical tree input unit 12 receives an input of a generalized hierarchical tree having a generalized upper node for each of the attributes included in the data set.
In the generalized hierarchical tree, for example, nodes such as "Kanto" or "Kansai" are provided in the upper hierarchy of nodes such as "Tokyo" or "Kyoto" which is qualitative data. Also, nodes such as "13-15" or "underage" are provided in the upper hierarchy of nodes such as "13", "14", and "15" that are quantitative data. Further, in the upper hierarchy of the node such as "123-4567" which is the code type data, a node in which some digits such as "123-45 **" are omitted is provided.

The anonymization rule input unit 13 receives file input of the anonymization rule according to the usage of the data set.
In the anonymization rule, for example, the attribute x is generalized to the height h of the tree, the part or all of the attribute y is deleted, and the attribute z is the height of the tree for records having the same number of records n or more. A generalization rule or a conditional generalization rule is defined, such as generalization to h. A plurality of conditions may be provided, and defined using, for example, and or.
Note that the anonymization rule is not limited to generalization based on a generalized hierarchical tree, and for example, an anonymization method such as sampling, swapping, or noise addition may be used.

The output rule input unit 14 receives a file input of an output rule that defines the condition of the record that can be output, in order to suppress the risk that the individual is identified from the information of the record of the data set below a predetermined level.
The output rule may be expressed by, for example, the number of overlapping records k or a threshold such as the personal identification probability p.
Also, the output rule may be defined independently for each record. Furthermore, the output rule may be defined according to the provision destination of the data set. For example, a certain threshold is output such that a certain record may be disclosed if the number of records k 以上 2 for a company having a company size of xx or more and k> 10 for a company having a size of yy or less It may be defined as a rule.

  The setting information input unit 15 receives an input of a file specifying a storage destination of various output information such as an anonymized data set, a log file, and the like.

The anonymization processing unit 16 anonymizes the entire data set based on the anonymization rule.
The data set obtained in this way is anonymized to a level suited to the purpose of using the data.

The anonymization data output unit 17 outputs only the records that match the output rule from the data set anonymized by the anonymization processing unit 16.
Note that the anonymization data output unit 17 appropriately executes processing such as deletion from the data set, mask processing, and generalization until the output rule is matched, for records that do not match the output rule.
As a result, an anonymization data set with security secured is output.

  In addition, the anonymization data output unit 17 outputs various log files and reports together with the anonymization data set, and stores the output in the storage unit 20.

FIG. 2 is a diagram showing input / output information of the anonymization device 1 according to the present embodiment.
As described above, the anonymization device 1 receives, as inputs, a generalized hierarchical tree, an anonymization rule file, an output rule file, and other setting files in addition to the data set to be anonymized.
Then, when outputting the anonymization data set, the anonymization device 1 outputs the anonymization log file, the error log file, and the anonymization report.

The anonymization log file records an ID for associating a record that does not match the output rule with the anonymization data set, and the original attribute information before this record is anonymized.
An error log file records an error message when the anonymization process is not completed normally.
The anonymization report describes what anonymization is performed based on the anonymization rules for safety management measures, and how much risk remains based on the output rules.

According to the present embodiment, after the anonymization device 1 performs the anonymization process such as generalization based on the anonymization rule adapted to the purpose of use, an output for making the risk that the individual is identified less than a predetermined Output only anonymized records that match the rules.
In the conventional anonymization method, the entire data set is processed so as to meet the output condition, so the outliers are generally generalized together with other records, and the usefulness is lowered. The anonymization device 1 of the present embodiment is safe by clarifying the information to be different depending on the use case with the anonymization rule, and outputting only the safe record that matches the output rule after the anonymization. It is possible to maintain high usefulness by excluding outliers whose gender is below a predetermined level.
As a result, the anonymization device 1 generates a data set useful for the anonymized data user because different from the conventional automatic anonymization method, certain processing rules and security can be secured. it can.

Furthermore, the anonymization device 1 can more appropriately define the security of each record by defining the output rule independently for each record of the data set.
In addition, the anonymization device 1 can output an appropriate data set according to the purpose of use by defining the output rule according to the provision destination of the data set.

Second Embodiment
Hereinafter, a second embodiment of the present invention will be described.
In addition, about the structure similar to 1st Embodiment, the same code | symbol is attached | subjected and description is abbreviate | omitted or simplified.

When automatically anonymizing a data set, records that are outliers without other similar records do not have sufficient information content due to processing such as significant generalization or deletion of all or part of the records. It has been greatly reduced. Also in the first embodiment, if deletion or significant generalization of some records is performed in order to satisfy the security based on the output rule, the usefulness may be reduced.
However, when a data set is periodically input, an increase in records similar to outliers can be expected with the passage of time, which may reduce the degree of generalization.
Therefore, in the present embodiment, the anonymization device 1 maintains the usefulness by integrating and processing the record that does not match the output rule with the data set input later.

In the present embodiment, the functions of the anonymization processing unit 16 and the anonymization data output unit 17 are different from those in the first embodiment.
The anonymization data output unit 17 stores the evacuation records that do not match the output rule and are not output targets in the storage unit 20 (evacuation record storage unit) as the excess anonymization target data set in the original state before anonymization. Remember.
The anonymization processing unit 16 anonymizes the excess anonymization target data set stored in the storage unit 20 after adding the data set input unit 11 to the data set received after the next time.

  When sampling is adopted as the anonymization rule, records not to be output occur regardless of the output rule, but these records may not be included in the data set for excessive anonymization.

Here, when the save record includes the attribute of the date and time information, the anonymization data output unit 17 deletes the date and time information, and sets the data set as the excess anonymization target data set. The date and time information does not have the same value as the record of the data set input next time (for example, the next day). Therefore, when the date and time information is a processing target for anonymization, the anonymization data output unit 17 continues to become an outlier in the next and subsequent anonymization processes by deleting the date and time information from the save record. It can be suppressed.
In the anonymization process, the anonymization processing unit 16 may delete a record for which a predetermined period has elapsed in the excess anonymization target data set.

FIG. 3 is a diagram showing input / output information of the anonymization device 1 according to the present embodiment.
In the second embodiment, in addition to the output data in the first embodiment, the anonymization device 1 stores the excessive anonymization target data set in the save database (DB) of the storage unit 20. At this time, date and time information is deleted from the data set stored in the backup DB.
Then, at the next anonymization process, the anonymization device 1 adds the data set stored in the backup DB to the anonymization target data set to perform anonymization.

According to the present embodiment, the anonymization device 1 stores the evacuation record that did not match the output rule in the evacuation DB in the state before anonymization, and adds it to the data set input from the next time onward. Reuse for conversion processing.
Therefore, when the anonymization device 1 repeatedly performs the anonymization processing on the data set having the same attribute, the anonymization processing is temporarily performed after the high-risk record is temporarily saved, and this is an outlier. However, it is possible to increase the possibility of being output target from the next time on and improve the usefulness.

Furthermore, since the anonymization device 1 deletes and stores this date and time information in the save DB when the record includes the attribute of the date and time information, outliers in the data set of the next (for example, the next day) Can be avoided, and the possibility of being output can be increased.
In addition, the anonymization device 1 can exclude the record that is not appropriate to be integrated as the processing target by deleting the record for which the predetermined period has elapsed from the save DB, and the usefulness of the output data can be enhanced.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to embodiment mentioned above. Further, the effects described in the above-described embodiment are only listing the most preferable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiment.

  The anonymization method by the anonymization device 1 is realized by software. When implemented by software, a program that configures this software is installed in an information processing apparatus (computer). Also, these programs may be recorded on removable media such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded.

1 anonymization device 10 control unit 11 data set input unit 12 hierarchical tree input unit 13 anonymization rule input unit 14 output rule input unit 15 setting information input unit 16 anonymization processing unit 17 anonymization data output unit 20 storage unit

Claims (5)

A data set input unit that periodically receives an input of a data set having the same attribute and is composed of a plurality of records;
A hierarchical tree input unit that receives an input of a generalized hierarchical tree having generalized upper nodes for each of the attributes included in the data set;
An anonymization rule input unit that receives an anonymization rule input according to a usage of the data set;
An output rule input unit that receives an input of an output rule that defines a condition of an outputable record based on a risk that an individual is identified;
An anonymization processing unit that anonymizes the entire data set based on the anonymization rule;
An anonymization data output unit that outputs only records that match the output rule from the data set anonymized by the anonymization processing unit;
And a save record storage unit that stores the saved record without matching the output rule in a state before anonymization,
The anonymization processing unit anonymizes the record stored in the save record storage unit after adding the record to the data set received by the data set input unit.   The anonymization device according to claim 1, wherein, when the record includes an attribute of date and time information, the save record storage unit deletes and stores the date and time information.   The anonymization device according to claim 1 or 2, wherein the save record storage unit deletes a record for which a predetermined period has elapsed. A data set input step of periodically receiving input of a data set having the same attribute composed of a plurality of records;
A hierarchical tree input step of accepting an input of a generalized hierarchical tree having generalized upper nodes for each of the attributes included in the data set;
An anonymization rule input step for receiving an input of an anonymization rule according to a usage of the data set;
An output rule input step of receiving an input of an output rule which defines a condition of an outputable record based on a risk at which an individual is identified;
An anonymizing process step of anonymizing the entire data set based on the anonymization rule;
An anonymization data output step of outputting only records that match the output rule from the data set anonymized in the anonymization processing step;
The computer executes a saved record storing step of storing the saved record without matching the output rule in a state before anonymization,
In the anonymization process step, an anonymization method of adding the record stored in the evacuation record storage step to the data set accepted in the data set input step and then anonymizing the record. A data set input step of periodically receiving input of a data set having the same attribute composed of a plurality of records;
A hierarchical tree input step of accepting an input of a generalized hierarchical tree having generalized upper nodes for each of the attributes included in the data set;
An anonymization rule input step for receiving an input of an anonymization rule according to a usage of the data set;
An output rule input step of receiving an input of an output rule which defines a condition of an outputable record based on a risk at which an individual is identified;
An anonymizing process step of anonymizing the entire data set based on the anonymization rule;
An anonymization data output step of outputting only records that match the output rule from the data set anonymized in the anonymization processing step;
And causing the computer to execute an evacuation record storage step of storing the evacuation records not meeting the output rule in a state before anonymization.
The anonymization program for making it anonymize after adding the record memorize | stored in the said evacuation record memory | storage step to the data set received in the said data set input step in the said anonymization process step.

Images