Definition 1 (Backward-attack)

Assume target individual P whose record t is in sanitized released table T_i, use t.QIA and C to represent the QIAs values of t and P’s candidate CaseID set in T_i, respectively. U contains all this record r: r is from the previous released tables {T₁, T₂, …, T_i-1}, and r’ s CaseID is in C. The Backward-attack (B-attack) may happen if there is a record r (r∈U) whose QIAs values r.QIA does not cover t.QIA. We Denote the set of these excludable records as B. The QIAs values of r (r.QIA) cover the ones of t (t.QIA), if the records r and t satisfy: for each quasi-identification attribute QI in QIA, r.QI is equal to or more generalized than t.QI.

Definition 2 (Forward-attack)

Assume target individual P whose record t is in sanitized released table T_i. We use t.QIA and C to represent the QIAs values of t and P’s candidate CaseID set in T_i, respectively. U contains all this record r: r is from the subsequent released tables {T_i+1, T_i+2, …}, and r’s CaseID is in C. The Forward-attack(F-attack) may happen if there is a record r (r∈U) whose QIAs value r.QIA does not cover t.QIA. Denote the set of these excludable records as F.

Definition 3 (Latest-attack)

Assume target individual P whose record t is in sanitized released table T_i, and none of the previous released tables {T₁, T₂, …, T_i-1} contain the CaseID of P. We use C to represent the P’s candidate CaseID set in T_i. The Latest-attack(L-attack) may happen if there is any CaseID cid(cid∈C) which appears in some previous released tables. Denote the set of these excludable records as L.

Based on the above three attacks, the definition of an anonymity model can be introduced [22]:

Definition 4 (PPMS(k, θ*)-bounding)

Assume {s₁, s₂, …, s_m} are all the possible sensitive attribute values in datasets, accordingly, θ* = {θ₁, θ₂, …, θ_m} are the probability thresholds set by the data holder. Released tables T₁, T₂, …, T_j satisfy PPMS(k, θ*)-bounding if each T_i (1≤i≤j)satisfies:

1. For each individual P, assume the candidate CaseID set of P in T_i is C, then there is |C-(B∪F∪L)|≥k;
2. For every individual P, an adversary can conclude that P has any sensitive attribute value s_j with a probability at most θ_j.

PPMS(k, θ*)-bounding uses NC-bounding and OID-bounding to defend against the above three attacks. NC-bounding makes each group contain at least k new CaseIDs, which can defend against backward-attack and latest-attack. Let t be a record in released T_i, t₁, t₂, …, t_j are records have the same CaseID with t in previous tables T_x, T_y, …, T_z(x<y<…, <z). To thwart forward-attack, OID-bounding requires that QIAs values of t should cover all records that share the same CaseID with t in previous tables. Wang et al. [22] also found that the forward-attack can be avoided when QIAs values of t only cover the records that share the same CaseID with t in T_x, they call this method PPMS_EAR. Their experiments show that PPMS_EAR can thwart the above three attacks while maintaining the usability of tables.

Table 1(A)–1(C) are three original tables, Adverse Drug Reaction (ADR) is a sensitive attribute, and Sex and Age are quasi-identification attributes. For simplicity, letters are used to denote a type of ADR. Table 2(A)–2(C) are corresponding sanitized released tables which satisfy PPMS(3, 1/3)-bounding. Obviously, the released tables can thwart backward-attack, forward-attack and latest-attack. However, an adversary can still disclose the privacy of individuals. Let us consider some examples.

Example 1

Bob knows that Alice(F, 39) is in Table 2(B), and he can relate Alice to records{t₁₃, t₁₅, t₁₈}. He also knows that Alice will stop medicine in quarter 3, because her illness is shown as cured in quarter 2. Therefore, Bob can exclude t₁₃, t₁₅, and conclude Alice’s record is t₁₈ with the probability of 100%. The privacy of Alice is disclosed.

Example 2

Bob knows that Clare(M, 47) is in Table 2(B), and can be related to records{t₁₆, t₁₇, t₂₁}. Bob cannot relate Clare to a unique record, but {t₁₆, t₁₇, t₂₁} all contain many more adverse drug reactions than other records. Thus, Bob can conclude that Clare gets more adverse drug reactions than other people. The privacy of Clare is disclosed.

PPMS(k, θ*)-bounding has not considered medicine discontinuation and records with massive symptoms, hence privacy may be disclosed by an adversary. As the extended versions of PPMS(k, θ*)-bounding, the other existing SRS data publishing methods [23–25] have not considered the attacks described by example 1 and example 2, either. It is necessary to find a way to defend against the above attacks. However, increasing the security usually makes the information usability decline. It is challenging to balance privacy security against the information utility. To alleviate these problems, this paper proposes a new SRS data publishing method which can improve the privacy and guarantee the information usability. The main contributions of this paper are summarized as follows:

1. Identifying two new attacks which are aimed at ADEs data publishing;
2. Based on the PPMS(k, θ*)-bounding, proposing a new data publishing method- PPMS(k, θ, ɑ)-bounding. The new method can enhance the security of privacy and preserve the quality of released tables. A corresponding algorithm is presented.
3. Using a real FAERS database from the US Food and Drug Administration to verify PPMS(k, θ, ɑ)-bounding.

Definition 5 (Medication Discontinuation-attack)

Assume target individual P whose record t is in sanitized released table T_i, and T_i+1 does not contain the CaseID of P. Use C to represent the P’s candidate CaseID set in T_i. The Medication discontinuation-attack(MD-attack) may happen if there is any CaseID cid(cid∈C), which appears in T_i+1. Denote the set of these excludable records as MD. Example 1 is an instance of MD-attack.

Definition 6 (Substantial Symptoms-attack)

The adversary can conclude that the target individual experiences more symptoms/adverse drug reactions than other people. We have used example 2 to illustrate this style of attack (SS-attack). We refer to the record with substantial symptoms/adverse drug reactions as an ss-record. Publishers can decide the specific method for defining an ss-record.

Based on PPMS(k, θ*)-bounding, PPMS(k, θ, ɑ)-bounding needs to thwart these two new attacks:

Definition 7 (PPMS(k, θ, ɑ)-bounding)

Assume {s₁, s₂, …, s_m} are values of all the possible sensitive attributes in the datasets, accordingly, θ = {θ₁, θ₂, …, θ_m} are the probability thresholds set by the data holder. Released tables T₁, T₂, …, T_j satisfy PPMS(k, θ, ɑ)-bounding if each T_i (1≤i≤j)satisfies:

1. k-bounding: For each individual P, assume that the candidate CaseID set of P in T_i is C, then there is |C-(B∪F∪L∪MD)|≥k;
2. θ-bounding: For every individual P, an adversary can conclude that P has any sensitive attribute value s_j with a probability at most θ_j.
3. a-bounding: For every individual P, an adversary can conclude that P has many more symptoms/adverse drug reactions than others with the probability at most ɑ.

The privacy requirement of Definition 7(1) is used to avoid record disclosure. MD-attack is considered under this requirement which is the extended version of PPMS(k, θ*)-bounding. The adversary cannot distinguish the target individual from at least k records, even though he/she has excluded some candidates through MD-attack、F-attack、B-attack and L-attack. The privacy requirement of Definition 7(2) states that the probability of attribute disclosure will not exceed a threshold, even though the adversary can exclude some candidate records from various attacks. Thus, this privacy requirement is to guarantee the security of sensitive attributes values. Besides, the SS-attack can be thwarted by meeting the privacy requirement of Definition 7(3) that limits the frequency of ss-record in groups.

To satisfy the PPMS(3, 1/3, 1/4)-bounding, Table 3(A)–3(C) can be released for Table 1(A)–1(C). Each sanitized group incorporates at least three such individual P which have these properties: (a) P is the first time appearing in multiple releases; (b) P will not appear in the next release. At the same time, the new sensitive values cover the corresponding old ones according to the OID-bounding. Each group still contains at least three records and the frequency of each sensitive value does not exceed the threshold 1/3, even though the sets B,F,L and MD have been excluded by the adversary. Thus, the attacks in [22] can be prevented. Specially, the exclusion of set MD from releases has no effect on reaching privacy acquirements, so MD-attack in example 1 can be resisted. Besides, the frequency of ss-record in groups does not exceed 1/4, the SS-attack (example 2) can be also thwarted.

4.1 Definitions and symbols

Before stating the algorithm, we introduce new symbols as follows:

Substantial symptoms-record(ss-record): as mentioned earlier, for a record t(t∈T), if t has many more symptoms/adverse drug reactions than others in T, then t is an ss-record in table T.

New-record (n-record): for a record t(t∈T), t’s caseid is its initial appearance in a released table. That is, t is a n-record in table T.

Old-record(o-record): for a record t(t∈T), t’s caseid is not the initial appearance in a released table. That is, t is an o-record in table T.

Medication discontinuation-record(md-record): for a record t(t∈T_i), t’s caseid will not appear in next table T_i+1, t is a md-record in T_i.

nx-record(x∈{ss, n, o, md}): if t is not x kind of record, t is nx-record. For instance, if t is not a md-record in table T, then t can be denoted as nmd-record in T.

x&y-record(x, y∈{ss, n, o, md}): if t is x kind of record and y kind of record, then t is an x&y -record. For instance, if t is a n-record and md-record in table T, then t can be denoted as n&md-record in T.

According to the background knowledge, the adversary can derive four views for an anonymous group G. Assume the adversary knows the target individual P’s QIAs values, and learns that the target is in a released table.

1. View 1: the adversary knows that individual P is in a specific group G, P appears for the first time in released tables and P stops medication in next quarter. We denote view 1 of group G as GV₁. GV₁ contains all the n&md-records in G.
2. View 2: the adversary knows that individual P is in a specific group G, P appears for the first time in released tables. We denote view 2 of group G as GV₂. GV₂ contains all the n-records in G.
3. View 3: the adversary knows that individual P is in a specific group G, P stops medication in next quarter. We denote view 3 of group G as GV₃. GV₃ contains all the md-records in G.
4. View 4: the adversary knows P is in a specific group G. We denote view 4 of group G as GV₄. Obviously, GV₄ = G.
5. GV_x(y) (x∈{1, 2, 3, 4}, y∈{ss, n, o, md}): represents the set of all the y type of records in GV_x.
6. F_ss(GV_x) (x∈{1, 2, 3, 4}): the frequency of ss-record in GV_x.
7. If the adversary can disclose privacy in any one of these views, the anonymous group G is unsafe. Thus, we have to provide privacy protection in all these four views.

4.2 Algorithm of PPMS(k, θ, ɑ)-bounding

We present an algorithm called HA to achieve PPMS(k, θ, ɑ)-bounding. The overview of this algorithm is as shown in Algorithm 1.

Algorithm 1: HA

Input: the original dataset D_i, the previous anonymous released tables T_pre = {T₁, T₂, …, T_i-1}, k, θ, α

Output: anonymous released table T_i of original table D_i

1:Combine records with the same caseid into a super record;

2:for each o-record t in D_i do

3:{

4: Find a released table T_j which is the first table contains caseid of t in T_pre;

5: Record t_pre (t_pre∈T_j) has the same caseid with t, generalize the QIA values of t to cover that of t_pre;

6:}

7:Grouping(T_i, D_i, k, θ, α);

8:Generalization;

9:return T_i;

The algorithm merges records with the same caseid into super records firstly (line 1). Next, it achieves QID-bounding strategy to prevent F-attack (line 2-line 6). Then, the algorithm groups the records in current table with procedure Grouping (line 7). Last, the algorithm anonymizes the table and releases it (line 8-line 9). Our algorithm has made three changes to the PPMS_EAR [22]. We first redefine the privacy risk to satisfy θ-bounding when medication discontinuation-attack is considered (the change 1). The introduce and analysis of the change 1 are as follows.

Lemma 1. To resist Medication discontinuation-attack, for any sensitive value v, the allowed largest number of v in a group G is as formula (1).

(1)

Proof. It is easy to know that η_v(G)/|GV₁|≤θ_v. Meanwhile, it is clear that η_v(G)/|GV_x|≤θ_v because |GV_x|≥|GV₁| (x∈{2, 3, 4}). Thus, the frequency of v will not exceed the threshold θ_v in the four views of group G. The proof is completed.

The privacy risk is the same as that in PPMS_EAR [22] except η_v(G), it is as formula (2).

(2)

PR_v(G∪{t}) can evaluate the privacy risk caused by record t’s sensitive value v after G including t. The occurrence of v in G is denoted as σ_v(G). In fact, a record usually has multiple sensitive values in ADE data, thus the privacy risk caused by record t is as formula (3).

(3)

S_t denotes the set of all the sensitive values contained by record t.

The difference of information loss (△IL(G, t)) between group G and group G∪t is the same as in PPMS_EAR. Thus, we can get the△PRIL(G, t) [22] which is as formula (4).

(4)

A record t has less △PRIL(G, t) [22] with a greater probability to be included in group G. This use of △PRIL(G, t) is shown on line 10 of the procedure grouping which will be introduced with the change 2. △PRIL(G, t) = ∞ represents that the inclusion of t will break the θ-bounding, thus t cannot be included in G when △PRIL(G, t) = ∞. Therefore, the change 1 is actually about the redefinition of △PRIL(G, t) with the consideration of MD-attack.

Now we illustrate the change 2 which is included by the procedure grouping.

Procedure 1: Grouping

Input: T_i, D_i, k, θ, α

Output: T_i

/* Lines 1–24 are the steps of creating groups */

1:Randomly choose a record t from D_i;

2:D_i = D_i-t;

3:while(true)

4:{

5: Create a new empty group G;

/* Update_Group (G, t) updates G’s parameters which will be used by Jugde_α_bounding(G, t^~, α). The details of the procedure Update_Group will be introduced later */

6: G = Update_Group (G, t); //G∪t_bst, the parameters of G are updated

7: while (|GV₁|<k)

8: {

/* Jugde_α_bounding(G, t^~, α) determines whether G∪t^~ violates α_bounding requirement.

Jugde_α_bounding(G, t^~, α) = true indicates that G∪t^~ meets the α_bounding requirement.

Jugde_α_bounding(G, t^~, α) = false indicates that the α_bounding requirement cannot be met.

The details of the procedure Jugde_α_bounding will be introduced later. */

9: D_i^~contains all these records t^~ in D_i: Jugde_α_bounding(G, t^~, α) = true;

10: Find a record t_bst (t_bst∈ D_i^~)has the least △PRIL(G, t_bst) in D_i^~;

11: if t_bst can not be found then // If creating groups fails

12: {

13: Add all records of G to D_i;

14: Break; //The process of creating groups is completed, jumps to the line 19

15:}

16: G = Update_Group (G, t_bst); //G∪t_bst, the parameters of G are updated

17: D_i = D_i-t_bst;

18:} //end while (|GV₁|<k)

19: if |GV₁|> = k then // If creating groups successes

20: T_i∪G;

21: else// If creating groups fails

22: Break;// The process of creating groups is completed, jumps to the line 25

23: Choose a record t which is farthest from t_bst;

24:}//end while(true)

/*Lines 25–30 are the steps of processing the remaining records*/

25:for each t∈D_i do

26:{

27: Find a group G from T_i which has the least △PRIL(G, t);

28: G∪t;

29: D_i = D_i-t;

30:}

In the procedure grouping, to resist medication discontinuation-attack, for each group G, the |GV₁| of G should be no less than k (the change 2, line 7- line 18). When |GV₁| = k, group G is completed; otherwise, the grouping of G will continue. Thus, the k-bounding can be guaranteed. Besides, the procedure processes the remaining records after the completion of grouping step (line 25-line 30).

The third change is also in procedure grouping. We should verify if the α-bounding can be satisfied. However, before G is completed, |GV_x| (x∈{2, 3, 4}) cannot be known. Thus, we find a way to verify α-bounding in the group process.

Lemma 2. F_ss(GV₂) is no more than |GV₂(ss)| / (|GV₂- GV₂(n&nmd&nss)|).

Proof. It is easy to know that |GV₂- GV₂(n&nmd&nss)|≤ |GV₂|. Thus, |GV₂(ss)| / (|GV₂- GV₂(n&nmd&nss)|)≥|GV₂(ss)|/| GV₂| = F_ss(GV₂).

Similarly, we can get:

F_ss(GV₃) ≤ |GV₃(ss)| / (|GV₃- GV₃(o&nss)|).

F_ss(GV₄) ≤|GV₄(ss)| / (|GV₄- GV₄(o&nss)- GV₄(n&nmd&nss)|).

According to the above observations, it is easy to know that GV₂ meets the a- bounding requirement when a ≥ |GV₂(ss)| / (|GV₂-GV₂(n&nmd&nss)|). The similar conclusions can be got for GV₃ and GV₄. According to these conclusions, we can verify α-bounding through procedure Jugde_α_bounding and procedure Update_Group. These two procedures are shown below.

Procedure 2: Jugde_α_bounding

Input: G, t

Output: true or false

G is completed in one of these conditions:

In grouping step, the grouping of G is completed;

In the step of processing remaining record, a remaining record is added to G.

G.MSAVR₁ represents GV₁(SS) after group G is completed;

G.MSAVR₂ represents GV₂(SS) after group G is completed;

G.MSAVR₃ represents GV₃(SS) after group G is completed;

G.MSAVR₄ represents GV₄(SS) after group G is completed;

G.N₁ represents |GV₁ |after group G is completed;

G.N₂ represents |GV₂- GV₂(n&nmd&nss) |after group G is completed;

G.N₃ represents |GV₃- GV₃(o&nss) |after group G is completed;

G.N₄ represents |GV₄- GV₄(o&nss)- GV₄(n&nmd&nss) |after group G is completed;

1:When G is created without records, G.MSAVR_x = 0, G.N_x = k(x∈{1, 2, 3, 4}).

2:G = Update_Group (G, t);

3:if (G.MSAVR₁ / G.N₁ >α || G.MSAVR₂ / G.N₂ >α || G.MSAVR₃ /G.N₃ >α || G.MSAVR₄ / G.N₄ >α)

4: return false;

5:else

6: return true;

The procedure Jugde_α_bounding determines whether the group G violates α_bounding requirement after incorporating the record t. According to procedure 1, each group contains at least k n&md-records when the creation of it is completed. The set R_G is used to represent these k n&md-records of G. It is clear that there are R_G ⊆GV₁, R_G ⊆(GV₂- GV₂(n&nmd&nss)), R_G ⊆(GV₃- GV₃(o&nss)) and R_G ⊆(GV₄- GV₄(o&nss)- GV₄(n&nmd&nss)), when the creation of G is completed. Thus, we reserve the positions for the above k n&md-records in GV₁, GV₂-GV₂(n&nmd&nss), GV₃- GV₃(o&nss) and GV₄-GV₄(o&nss)-GV₄(n&nmd&nss), respectively. The initial value of G.N_x (x∈{1, 2, 3, 4}) is k (line 1). Besides, we assume that all the above k n&md-records are nss-records at the beginning of the creation of G, so the initial value of G.MSAVR_x is 0 (x∈{1, 2, 3, 4})(line 1). After updating G.MSAVR_x and G.N_x (line 2), the procedure Jugde_α_bounding verifies α_bounding: if all the four views of group G can meet the α_bounding requirement, then the α_bounding can be met by G (line 3-line 6). The main function of the procedure Update_Group is to update G.MSAVR_x and G.N_x after incorporating the record t.

Procedure 3: Update_Group

Input: G, t

Output: G

1:G = G∪t

2:if t is n&md-record then

3:{

4: if t is ss-record then

5: {

6: G.MSAVR₁++; G.MSAVR₂++; G.MSAVR₃++; G.MSAVR₄++;

7: if t is a remaining record then

8: {

/* t∉R_G, t∈GV_x(x∈{1, 2, 3, 4}), t∈(GV₂-GV₂(n&nmd&nss)), t∈(GV₃- GV₃(o&nss)) and t∈(GV₄- GV₄(o&nss)- GV₄(n&nmd&nss)) */

9: G.N₁++; G.N₂++; G.N₃++; G.N₄++;

10:}

11:}

12}

13:else if t is n&nmd-record then

14:{

15: if t is ss-record then

16: {

/* t∉R_G, t∈GV₂, t∈GV₄, t∈(GV₂- GV₂(n&nmd&nss)), t∈(GV₄- GV₄(o&nss)-GV₄(n&nmd&nss))*/

17: G.MSAVR₂++; G.MSAVR₄++; G.N₂++; G.N₄++;

18:}

19:}

20:else if t is o&md-record then

21:{

22: if t is ss-record then

23: {

/* t∉R_G, t∈GV₃, t∈GV₄, t∈(GV₃- GV₃(o&nss)), t∈(GV₄- GV₄(o&nss)- GV₄(n&nmd&nss))*/

24: G.MSAVR₃++; G.MSAVR₄++; G.N₃++; G.N₄++;

25:}

26:}

27:else

28:{

29: if t is ss-record then

30: {

/* t∉R_G, t∈GV₄, t∈(GV₄- GV₄(o&nss)- GV₄(n&nmd&nss))*/

31: G.MSAVR₄++; G.N₄++;

32:}

33:}

34:return G;

For various types of records, the procedure Update_Group updates G.MSAVR_x and G.N_x (x∈{1,2,3,4}). Now we take the lines 2–12 as an example. These lines consider G.MSAVR_x and G.N_x when t is a n&md-record. It is clear that there is t∈GV_x(x∈{1,2,3,4}) when t is a n&md-record. Thus, G.MSAVR_x is updated if t is an ss-record (line 6). On the other hand, the positions of t have been already reserved in GV₁, GV₂-GV₂(n&nmd&nss), GV₃-GV₃(o&nss) and GV₄-GV₄(o&nss)-GV₄(n&nmd&nss), when t is not a remaining record. Therefore, G.N_x (x∈{1,2,3,4}) remains unchanged when t is not a remaining record. However, there are t∉R_G, t∈GV₁, t∈(GV₂-GV₂(n&nmd&nss)), t∈(GV₃-GV₃(o&nss)) and t∈(GV₄-GV₄(o&nss)-GV₄(n&nmd&nss)) when t is remaining record and ss-record. Thus, G.N_x (x∈{1,2,3,4}) is updated (line 9). Similarly, the other parts of procedure Update_Group update G.MSAVR_x and G.N_x according to the type of t.

Our algorithm quits predetermining the maximum number of ss-records, so it is more flexible. The experimental results also show that our heuristic algorithm can maintain the usability of released tables when has more stringent privacy requirement.

5.1 Security

Dangerous Identity Ratio(DIR) [21–22] and Dangerous Sensitivity Ratio (DSR) [21–22] are used to evaluate the security of publishing methods. We call a group as a dangerous identity group (DIG) if the number of records in the group is less than threshold k. If a group contains at least one sensitive value v_i whose frequency is higher than its threshold θ_i, we call it as a dangerous sensitivity group (DSG). DIR/DSR represents the ratio of DIG/DSG in all anonymous groups.

For measuring the ability to resist substantial symptoms-attack, we define the substantial symptoms group ratio (SSGR). If the frequency of ss-record in a group is higher than threshold ɑ, we call the group as substantial symptoms group(SSG). Similar to DIR and DSR, SSGR represents the ratio of SSG in all anonymous groups.

As shown in Figs 1 and 2, the DIR and DSR of PPMS_Ear are both greater than 0, because PPMS_Ear has not taken the medication discontinuation-attack into consideration. The DIR and DSR are even greater than 10% in some released tables of PPMS_Ear. An adversary can compromise the privacy requirements in the released tables of PPMS_Ear which is vulnerable to the medication discontinuation-attack. lMeanwhile, PPMS(k, θ, ɑ)-bounding has considered that an adversary may disclose privacy through information about medication discontinuation. Therefore, PPMS(k, θ, ɑ)-bounding can avoid Medication discontinuation-attack, DIR and DSR are both 0.

The SSGR of the two methods is shown in Fig 3. We can see that the SSGR of PPMS(k, θ, ɑ)-bounding is 0 because our method can thwart SS-attack with limiting the frequencies of ss-records. However, PPMS_Ear cannot resist SS-attack, hence its SSGR in some released tables is greater than 10%. The settings of θ(θ = 0.4, θ = bf) are omitted, because they generate similar results.

5.2 Information loss

Normalized Information Loss(NIL) [21–22] is used to evaluate the information usability. As shown in Fig 4, we can see that the NIL of PPMS(k, θ, ɑ)-bounding is very close to PPMS_Ear. Our analysis result is that procedure Jugde_α_bounding achieves ɑ-bounding through a heuristic method, and it is easier for records to be incorporated by groups in this method. The HA estimates the frequencies of ss-records to guarantee α-bounding when grouping. Compare with predetermining the maximum number of ss-records in groups, this heuristic method can “accommodate” more ss-records in each anonymous group while the privacy requirement is not compromised. Therefore, our method can have similar information loss with PPMS_Ear even if the privacy requirements of ours are more stringent.