l-diversity
Contents
l-diversity#
In Brief#
l-diversity aims to protect the diversity of sensitive attributes in the anonymity by indistinguishability paradigm. An anonymity set is l-diverse if contains at least l “well-represented” values for the sensitive attribute.
More in Detail#
l-diversity [1] was proposed to overcome one of the weakness of k-anonymity against the homogeneity attack.
Indeed, suppose to publish the 3-anonymous dataset depicted in Table 3, and suppose that an attacker is searching for Bob in the dataset, knowing that their target, Bob, was born in July 1946. Even if the attacker is not able to discriminate Bob between patients 1003, 1004, and 1005, the disease associated with all these three patients is a stroke. Thus, the adversary cannot re-identify Bob, but they can still infer that Bob suffers from heart disease.
Pseudo-id |
Gender |
Date of Birth |
ZIP code |
Disease |
|---|---|---|---|---|
1000 |
F |
[1970-1979] |
0**** |
Lyme Disease |
1001 |
F |
[1970-1979] |
0**** |
Hypertension |
1002 |
F |
[1970-1979] |
0**** |
Vertigo |
1003 |
M |
[1940-1949] |
10*** |
Stroke |
1004 |
M |
[1940-1949] |
10*** |
Stroke |
1005 |
M |
[1940-1949] |
10*** |
Stroke |
1006 |
F |
[1940-1949] |
10053 |
Diabetes |
1007 |
F |
[1940-1949] |
10053 |
Osteoporosis |
1008 |
F |
[1940-1949] |
10053 |
Arthritis |
The basic idea behind l-diversity is to maintain the diversity of sensitive attributes. Essentially, each anonymity set should mantain at least l different values of sentive attributes.
Unfortunately, l-diversity is insufficient to prevent attacks when the overall distribution is skewed. The attacker can infer the value of sensitive attribute knowing the global distribution of the attributes.