A Method of Location Privacy Protection in Road Network Environment

With the widespread application of location-based services, users' privacy has become a focus of attention. Based on the k-anonymity method and the SpaceTwist algorithm, this paper proposes an incremental-query method for protecting user privacy. The method first anonymizes the user's location information and points of interest on the client side. On the anonymous server side, it combines the road network environment with the latitude-longitude grid to generate a random loop minimum anonymous area, and the server, instead of the user, initiates the incremental query to the location service provider. The anonymous area ensures k-anonymity of mobile users and of road information to protect user privacy. Security and experimental analysis show that this scheme can improve the effectiveness of the user query service while meeting the privacy requirements of users.


Introduction
With the rapid development of mobile Internet and mobile terminal technologies, location-based services have become a basic function of mobile terminals and are widely used. For example, mobile users can use their mobile phone to check their nearest restaurants, hospitals and gas stations and so on from anywhere.
However, a user must send his or her location to the location service provider in order to use the service, so while the location service brings great convenience to the mobile user, it also exposes the user's sensitive information. An attacker may collude with the location service provider to steal the user's private information and query logs, and may further infer the user's POI (point of interest), hobbies, place of residence and other private information. For example, when a mobile user queries the nearest eye hospital, an attacker colluding with the location service provider obtains the user's location and the query content, infers that the user belongs to the sensitive group of people with ophthalmic diseases, and pushes spam to the user. This shows that user privacy protection is very important.

Related Works
In recent years, research on location privacy protection has achieved some results, most of which are based on the k-anonymity algorithm [1] and the SpaceTwist algorithm [2]. The k-anonymity algorithm is usually used in the third-party anonymous server architecture. In this architecture, when a mobile user initiates a request to the LBS (Location Based Services), k-1 pieces of redundant information are added to the request, so that the LBS cannot identify the user's real request and a certain degree of privacy protection is achieved. The location privacy algorithms [3][4][5][6][7][8][9] used with the third-party anonymous server architecture are often based on the assumption that third-party anonymous servers are completely trustworthy. In reality, however, third-party anonymous servers are not completely trustworthy. Therefore, privacy protection methods using the spatial grid [10] and the grid of latitude-longitude [11] were proposed, which assume that the anonymous server is not completely reliable. Mobile users first perform a simple anonymization of their true location and then send it to the anonymous server. Literature [12] proposed a grid privacy protection method that abandons the third-party anonymous server and handles location privacy through encryption over a pre-divided grid. Jinying Jia [13] et al. use a segmentation center method on top of k-anonymity to deal with user privacy protection.
The SpaceTwist algorithm removes the need for a trusted third-party server: it picks an anchor at random near the real location of the user and then uses this anchor to initiate an incremental query to the location service provider. However, location privacy cannot be protected when there are few users. Hudson [14] et al. addressed this problem on the basis of SpaceTwist by expanding the user demand area to achieve user k-anonymity. This method may fail to protect the location when the information returned by the LBS to the user is incorrect. In [15], k-anonymous sets are formed by mobile users cooperating with each other, and the anonymous set is then used to initiate a SpaceTwist-based incremental query to the LBS. This method is not applicable to environments where malicious nodes exist. In [16], a road network-based protection approach is designed, using anonymous trees and min-rings to protect the privacy of road network users. Literature [17] adopts a client-server architecture. Users calculate the upcoming end of the route and initiate the service request to the LBS with the end of the route in place of the real location. Although this method protects the user's current location, there is a risk of revealing where the user is about to arrive. In a specific environment, location privacy is more exposed. For example, in a road network environment, a mobile user usually initiates a query request on a road, and an attacker can narrow the scope to the road network. If a mobile user initiates a request when there is only one road in the request area, the attacker can easily deduce the exact location of the mobile user. This shows that location privacy protection in a specific environment is more challenging.
Based on the above work, and taking into account continuous user queries, the road network environment and a semi-trusted anonymous server, this paper proposes a new location privacy protection method for mobile users in the road network environment based on latitude-longitude grids.

Related Definitions
Definition 1 Grid of latitude-longitude [11]. Use ID(x, y) to represent a unique grid of latitude-longitude, where x is the latitude for which accuracy is a fraction and y is the latitude for which accuracy is a fraction.
IDpre represents the previous grid ID and IDcur represents the ID of the grid the current user belongs to. This function is used to inform the anonymous server when the grid of latitude-longitude of the mobile user changes.

System Architecture
This scheme uses a central server architecture that consists of three parts: mobile users, the anonymous server and the location service provider's server. Mobile users obtain their own latitude and longitude through GPS or a mobile base station positioning system. The anonymizer holds the number of users and the road information of each grid of latitude-longitude in its jurisdiction and provides anonymous lookup services to mobile users. The location service provider holds the global distribution of points of interest and provides batch incremental queries. The system architecture and workflow are illustrated in Figure 1.

In Figure 1, when the location changes, the mobile user needs to send a location ID update request to the anonymous server. When a user initiates a location service query, the mobile user first anonymizes the location information and the type of point of interest, and then uses the processed information to send a request to the anonymous server. The anonymous server generates the anonymous area from the privacy parameters configured by the user, uses the anonymous area to initiate the KNN incremental query to the location service provider's server, and finally returns the candidate query results to the mobile user. After the mobile user receives the returned results, it filters them.

[Figure 1: System architecture and workflow, showing the LBS servers, the anonymizer and the user.]

Throughout the query request, the mobile user does not provide detailed location information, so even the anonymous server cannot obtain the user's specific location. At the same time, the user also anonymizes the type of point of interest, which ensures with a certain probability that the point-of-interest privacy does not leak to the anonymous server or the location service provider.

Road Network KNN POI Incremental Inquiry
In this paper, mobile users first generate anonymity for user privacy through the algorithm of user request information generation. Secondly, the anonymous server uses minimum anonymous region generation algorithm and KNN incremental query algorithm instead of the user to complete the query request, thereby protecting the privacy of mobile users.

Problem Analysis
The traditional methods [1][2][3][4][5][6][7][8][9][10] usually protect the user's point of interest by randomly adding a few redundant points of interest to form a POI k-anonymity set. However, when a user initiates a continuous query, privacy can be disclosed. For example, if the type of the POI requested by the user is A, the anonymous sets formed by the continuous requests may be {A, B, D, F}, {A, C, G, E}, {A, C, D, H}. When the attacker knows that the user is making a continuous query, the attacker can quickly deduce that the user's POI is A and so obtain the user's private POI information.
The common grid of latitude-longitude method adds grids to the anonymous area by extending the radius of the anonymous area. This makes the generated anonymous area too large, which not only increases the time cost of the minimum anonymous area algorithm but also increases the network overhead of the KNN incremental query. As shown in Figure 2, assume that the user is in ID (4,3) and the anonymity is set to 4. When adding nearby grids to generate the smallest anonymous area, the anonymous server only needs to add the grids ID (4,2), ID (4,3), ID (5,2) and ID (5,3); the circumscribed circle of these four grids then serves as the minimum anonymous area, shown as the dotted circle. When the anonymous server adopts the radius extension method, the radius is extended in fixed steps with the grid ID (4,3) as the origin until the anonymous area contains 4 anonymous users. The generated anonymous area is the solid circle. Compared with the dotted circle, the radius-extension method adds extra redundant latitude and longitude grids such as ID (4,4), ID (3,4) and ID (4,5), so the generated minimum anonymous area is too large. In response to the above problems, this paper uses a random loop minimum anonymous area generation algorithm and a user request information generation algorithm to enhance user privacy protection while improving the user's quality of service.

User Request Information Generation Algorithm
When a mobile terminal initiates a request to a semi-trusted anonymous center, it needs to perform simple desensitization of its own sensitive information and configure the related privacy parameters so that the anonymous server can perform personalized anonymization for the mobile user. Building on the original algorithm, this algorithm solves the problem that a user's continuous query exposes the user's POI. The specific algorithm is shown in Table 1.
The algorithm mainly generates a Poig (anonymous point of interest group) that meets the user's configuration and updates the PoiArry (POI cache array). Before each request, it checks whether the currently requested POI exists in the first kp elements of the cache array. If it does, the first kp POIs in the PoiArry directly form the anonymous set of points of interest; otherwise, it selects kp-1 POIs to form the Poig together with the current query POI, and finally adds the Poig to the top of the PoiArry. The user's Poigs are therefore all the same during a continuous query, so the attacker cannot work out the user's real POI.
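The following added example (not code from the paper, whose Table 1 is not reproduced here) contrasts fresh random dummies with the cached Poig described above and shows what an observer of a continuous query is left with after intersecting the requests. The class and function names and the eight POI labels are assumptions made for the illustration.

```python
import random

POI_TYPES = list("ABCDEFGH")  # constructed POI type labels, as in the paper's example


def fresh_dummies(real_poi, kp, rng):
    """Traditional protection: kp-1 new random dummy types on every request."""
    others = [p for p in POI_TYPES if p != real_poi]
    return set(rng.sample(others, kp - 1)) | {real_poi}


class PoiCache:
    """Client-side PoiArry; the most recently built Poig sits at the front."""

    def __init__(self, kp, rng):
        self.kp, self.rng, self.poi_array = kp, rng, []

    def poig(self, real_poi):
        head = self.poi_array[: self.kp]
        if real_poi in head:                 # cache hit: reuse the same group
            return set(head)
        others = [p for p in POI_TYPES if p != real_poi]
        group = self.rng.sample(others, self.kp - 1) + [real_poi]
        self.rng.shuffle(group)              # real POI gets no fixed position
        # Put the new Poig on top of PoiArry, dropping older duplicates.
        self.poi_array = group + [p for p in self.poi_array if p not in group]
        return set(group)


def intersect(groups):
    """Candidate real POIs left after an observer intersects every request."""
    return set.intersection(*map(set, groups))


def continuous_query(real_poi, kp, n, seed=1):
    """Return (candidates with fresh dummies, candidates with cached Poig)."""
    rng = random.Random(seed)
    cache = PoiCache(kp, rng)
    naive = [fresh_dummies(real_poi, kp, rng) for _ in range(n)]
    cached = [cache.poig(real_poi) for _ in range(n)]
    return intersect(naive), intersect(cached)


# The three requests from the paper's example collapse to the real POI.
PAPER_REQUESTS = [{"A", "B", "D", "F"}, {"A", "C", "G", "E"}, {"A", "C", "D", "H"}]

if __name__ == "__main__":
    print(intersect(PAPER_REQUESTS))          # only the real POI survives
    print(continuous_query("A", kp=4, n=10))  # cached Poig keeps kp candidates
```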

Anonymous Area Generation Algorithm
After the mobile terminal sends the query request to the anonymous server, the anonymous server first generates the minimum anonymous area that meets the user's requirement according to the privacy configuration of the mobile user, and then initiates the request to the LBS instead of the user. The random loop minimum anonymous area generation algorithm of this paper is shown in Table 2.
The minimum anonymous area generation algorithm first takes the user's grid of latitude-longitude as the minimum anonymous area, then randomly selects an expansion direction and enlarges the anonymous area by adding the grids adjacent to the current anonymous area clockwise until the user's privacy requirements are satisfied. Finally, the smallest circumcircle of this area is the final minimum anonymous area. Compared with Hudson's [15] algorithm, the proposed algorithm moves the generation of the anonymous area to the anonymous server on the fixed network side, thus reducing the computational load of mobile users. Compared with the anonymous area generation algorithm in [11], the proposed algorithm produces a smaller anonymous area in a road-intensive environment and reduces both the computation cost and the network overhead of the incremental query. At the same time, the random loop generation in the algorithm avoids the problem of uneven POI distribution and enhances the user's quality of service.
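As an added example (one reading of the description above, since Table 2 is not reproduced on this page, and not the authors' code), the sketch below grows the area cell by cell around the user's grid, clockwise from a random starting cell, and compares it with a simplified radius-extension baseline that adds whole rings. The grid contents, the parameter names `ku` and `kl` for the user and road anonymity, and the omission of the final circumcircle step are assumptions.

```python
import random

# Constructed grid: (x, y) -> (users, roads) for a 9 x 9 block of cells.
GRID = {(x, y): ((3 * x + y) % 4, (x + 2 * y) % 3)
        for x in range(9) for y in range(9)}


def ring(cx, cy, k):
    """Cells at Chebyshev distance k from (cx, cy), listed clockwise (y up)."""
    span = range(-k, k)
    return ([(cx + d, cy + k) for d in span] + [(cx + k, cy - d) for d in span]
            + [(cx - d, cy - k) for d in span] + [(cx - k, cy + d) for d in span])


def build_area(grid, start, ku, kl, rng=None, max_k=10):
    """Grow an area around `start` until it holds >= ku users and >= kl roads.

    With an rng, the cells of each ring are added one at a time, clockwise
    from a random starting cell, and growth stops at the first cell that
    satisfies both thresholds (random loop). Without an rng, whole rings are
    added (simplified radius-extension baseline).
    """
    cells, (users, roads) = [start], grid[start]
    for k in range(1, max_k + 1):
        if users >= ku and roads >= kl:
            break
        loop = ring(*start, k)
        if rng is not None:
            off = rng.randrange(len(loop))      # random expansion direction
            loop = loop[off:] + loop[:off]      # then continue clockwise
        for cell in loop:
            if cell not in grid:                # outside the server's jurisdiction
                continue
            cells.append(cell)
            users += grid[cell][0]
            roads += grid[cell][1]
            if rng is not None and users >= ku and roads >= kl:
                break
    return cells, users, roads


if __name__ == "__main__":
    print(len(build_area(GRID, (4, 3), 10, 5)[0]))                    # baseline
    print(len(build_area(GRID, (4, 3), 10, 5, random.Random(3))[0]))  # random loop
```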

KNN Incremental Query Algorithm
After the anonymous server generates the anonymous area for the mobile user, it needs to initiate the query to the LBS on the user's behalf. In the KNN incremental query algorithm, the anonymous server sends a request to the LBS with the KL-ASR in place of the user's real location, receives the detailed data returned by the LBS in turn, and counts the results for each POI in the Poig. While the count of the POI with the fewest results is less than Kr, the location service provider is told to continue the incremental query. When every POI has at least Kr results, the location service provider is told to stop the incremental query and the query ends. Finally, the anonymous server returns the requested data to the mobile user.
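The stop condition described above, as an added example that is not taken from the paper. It assumes that the LBS answers ring by ring around the centre of the anonymous area in 100 m steps (the step used in the experiments); the function names and the sample POIs are constructed for the illustration.

```python
import math
from collections import Counter

# Constructed sample data: (poi_type, x_m, y_m), with the anchor at (0, 0).
SAMPLE_POIS = [
    ("A", 50, 0), ("B", 0, 80), ("D", 10, 10), ("C", 150, 0), ("A", 0, 180),
    ("B", 250, 0), ("C", 0, 260), ("A", 320, 0), ("B", 0, 390), ("C", 450, 0),
]


def lbs_incremental(pois, anchor, wanted_types, step_m=100):
    """LBS side: yield matching POIs ring by ring, nearest ring first."""
    ranked = sorted((math.dist(anchor, (x, y)), t, (x, y))
                    for t, x, y in pois if t in wanted_types)
    radius, i = step_m, 0
    while i < len(ranked):
        batch = []
        while i < len(ranked) and ranked[i][0] <= radius:
            batch.append(ranked[i])
            i += 1
        yield batch
        radius += step_m


def knn_incremental_query(pois, anchor, poig, kr, step_m=100):
    """Anonymizer side: keep asking until every type in the Poig has kr hits."""
    counts = Counter({t: 0 for t in poig})
    results, rounds = [], 0
    for batch in lbs_incremental(pois, anchor, set(poig), step_m):
        rounds += 1
        results.extend(batch)
        counts.update(t for _, t, _ in batch)
        if min(counts[t] for t in poig) >= kr:  # rarest type has enough
            break                               # tell the LBS to stop
    return results, rounds, dict(counts)


def client_filter(results, real_poi, kr):
    """Mobile user side: keep only the kr nearest results of the real type."""
    return [r for r in results if r[1] == real_poi][:kr]


if __name__ == "__main__":
    res, rounds, counts = knn_incremental_query(SAMPLE_POIS, (0, 0), ["A", "B", "C"], 2)
    print(rounds, counts)
    print(client_filter(res, "A", 2))
```

Raising Kr from 2 to 3 on this sample takes the query from three rounds to five, which is the growth in overhead with Kr that the experiments measure.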

POI Privacy Security Analysis and Proof
The following will be a detailed analysis of the challenger game model. The model is divided into a challenger C (mobile terminal and anonymous server) and an attacker S (location service provider service).
Challenger C generates a KL ASR poi using the same query parameters, so that the probability that the location service provider guesses b is at most 1/2. When C initiates a continuous query, the Poig is the same in each C-Request message, so the probability that S guesses b from each request of C is at most 1/2. Suppose that C launches this continuous query n times. Since the content of each guess is the same, the probability of guessing b after n guesses is at most 1/2. So the probability that S guesses b is 11 () 22 negl  + .

Location Privacy Security Analysis And Proof
To ensure the privacy of the user's location, LBS should not be able to obtain the specific road information of the user. The following will be a detailed analysis of the challenger game model. The model is divided into challenger C (anonymous server and mobile terminal) and attacker S (malicious location server provider).
Challenger C prepares the request parameters and then generates KL ASR

Hardware environment: Intel® Core™ i5-4590 CPU @ 3.30 GHz, memory: 8.00 GB. Software environment: Windows 7 64-bit operating system, Java 1.6 compiler environment, with Java as the programming language.

Experimental data
The experiments use the Thomas Brinkhoff trajectory generator to generate simulated moving-object data, simulating the movement trajectories of 58905 mobile users in the real traffic network of the Beijing urban area as the data set. 23562 POIs were randomly distributed on the map.

Experiment Analysis
In the simulation experiment, the paper compares GOLLOR (grid of latitude-longitude of the road) with the OGOLL (ordinary grid of latitude-longitude) method of Jiajinying [15]. For both methods, the scope of each incremental query at the location service provider increases by 100 m. The minimum anonymous area defaults to 3.14 km². In the OGOLL method, the radius of the anonymous area in the anonymous area generation algorithm extends by 200 m each time. The center of the anonymous area is within 1 km of the user's grid of latitude-longitude. The POI anonymity and road anonymity in GOLLOR are 5 and 10.

Figure 3 shows that the computational cost of both methods increases with the number of target mobile users. This is because, when generating anonymous areas, both methods add more grids as the number of anonymous mobile users increases, which increases the computational overhead. When the number of anonymous mobile users is less than 50, the computational cost of the two algorithms is quite large; when it is more than 50, the latitude and longitude grid method is less computationally expensive. Because the number of redundant grids of latitude-longitude in the anonymous area generated by the OGOLL method increases with the number of anonymous mobile users, while the GOLLOR method does not have redundant grids of latitude-longitude, the computational cost of the GOLLOR method is relatively stable.

As can be seen from Figure 4, the network overhead of both methods increases with Ku. This is because the anonymity of both algorithms increases with Ku, so the larger anonymous area leads to a larger search radius at the location service provider and therefore more candidate points of interest. When Ku is less than 14, the number of POIs returned by the location service provider is small because the anonymous area generated by the FF method is smaller and enough POIs can be provided within the anonymous area. When Ku is greater than 14, the network cost of GOLLOR is larger because the candidate set of redundant POIs grows too fast in the GOLLOR method.

As can be seen from Figure 5, the computational cost of both methods increases with Kr, because the location service provider has to search for more points of interest as Kr increases. When Kr is less than 50, the computational cost of the OGOLL method is slightly higher than that of the GOLLOR method. Because the anonymous area generated by the GOLLOR method is smaller and the number of points of interest in the anonymous area is greater than 50 at this time, the location service provider queries fewer points of interest, so the computational overhead is smaller. When Kr is greater than 50, the anonymous area of the GOLLOR method contains fewer POIs; because the location service provider then needs to increase the number of queries, the computational overhead increases. The experimental results show that, compared with the OGOLL method, the proposed method is relatively stable in terms of time overhead and has less network overhead with a practical number of anonymous mobile users, which improves the privacy of users and the service quality of user queries.

Conclusion
Compared with the k-anonymity algorithm, this method replaces exact location reporting with the latitude-longitude grid and changes the trusted anonymous server into a semi-trusted anonymous server. Compared with the SpaceTwist algorithm, the anchor point is replaced by an anonymous area that satisfies the privacy requirement of the user, thereby improving user privacy protection. Compared with OGOLL, k-anonymity of the road network and of POIs is introduced, and the anonymity weight of the road is taken into account when the anonymous area is generated, so as to further enhance the protection of user privacy. How to protect the movement trajectory of mobile users using the grid of latitude-longitude in the road network environment [18] is an issue to be studied in the future.