Privacy Threats and Privacy Preservation in Multiple Data Releases of High-Dimensional Datasets

Abstract

Determining how to balance data utilities and data privacy when datasets are released to be utilized outside the scope of data-collecting organizations constitutes a major challenge. To achieve this aim in data collection (datasets), several privacy preservation models have been proposed, such as k-Anonymity and l-Diversity. Unfortunately, these privacy preservation models may be insufficient to address privacy violation issues in datasets that have high-dimensional attributes. For this reason, the privacy preservation models, k^m-Anonymity and LKC-Privacy, for addressing privacy violation issues in high-dimensional datasets are proposed. However, these privacy preservation models still exhibit privacy violation issues from using data comparison attacks, and they further have data utility issues that must be addressed. Therefore, a privacy preservation model can address privacy violation issues in high-dimensional datasets to be proposed in this work, such that there are no concerns about privacy violations in released datasets from data comparison attacks, and it is highly efficient and effective in data maintenance. Furthermore, we show that the proposed model is efficient and effective through extensive experiments.

1. Introduction

User privacy violation is a serious issue that data holders must consider when collected data are released to be utilized outside the scope of data-collecting organizations [1,2,3,4,5,6,7,8,9]. Therefore, in this paper, k-Anonymity [10] is proposed to address this issue before datasets are released. All explicit user identifier values are available in the datasets to be removed. Moreover, users’ unique quasi-identifier values are suppressed or generalized by their less-specific values to be at least k indistinguishable tuples.

Here, we provide an example of privacy preservation based on k-Anonymity constraints in conjunction with data generalization [10,11]. With k-Anonymity, the parameter k represents the privacy preservation consultant such that it is represented by a positive integer that is equal to or greater than 2, i.e., $k\in I^{+}$ and $k\ge 2$. Suppose that k is set to 2, i.e., $k=2$. Let

Table 1. An example of a raw dataset.

SSN	Name	Age	Gender	Zip Code	Disease
000-00-0001	Jacob	45	Male	60636	Flu
000-00-0002	Jessica	46	Female	60632	Fever
000-00-0003	David	47	Male	60635	Cancer
000-00-0004	Bob	48	Male	60639	Cancer
000-00-0005	Amelia	48	Female	60632	Flu
000-00-0006	Sophia	42	Female	60632	HIV
000-00-0007	Isabella	42	Female	60632	Fever

be the raw dataset. In Table 1, there are two explicit identifier attributes ($SSN$ and $Name$), three quasi-identifier attributes ($Age$, $Gender$, and $Zipcode$), and a sensitive attribute ($Disease$). For privacy preservation, the $SSN$ and $Name$ data are removed in the first step. Finally, all unique quasi-identifier values are generalized by their less-specific values to be at least two indistinguishable tuples. The resulting released version of the data from Table 1 is shown in

Table 2. The released version of the data in Table 1, which satisfies 2-Anonymity constraints.

Age	Gender	Zip Code	Disease	EC
45–46	*	6063*	Flu	$e{c}_1$
45–46	*	6063*	Fever
47–48	Male	6063*	Cancer	$e{c}_2$
47–48	Male	6063*	Cancer
42–48	Female	60632	Flu	$e{c}_3$
42–48	Female	60632	HIV
42–48	Female	60632	Fever

* represents none.

.

Table 2 shows that all possible data utilization conditions, owing to their quasi-identifier attributes, always have at least two tuples that are satisfied. In this situation, privacy violation in Table 2 seems impossible. Unfortunately, in [12], the authors demonstrate that Table 2 still has privacy violation issues that must be addressed. For example, let $Bob$ be the target user such that $Bob$’s disease is the target data of the adversary. We assume that the adversary believes the user profile tuple in Table 2 to be $Bob$’s. Moreover, the adversary knows that $Bob$ is a 48-year-old male. Thus, the adversary can be confident based on Table 2 that $Bob$ has $Cancer$. Although two user profile tuples match the adversary’s knowledge about $Bob$, the adversary can see that only $Cancer$ is shown in the $Disease$ attribute of these tuples. From this example, we can conclude that although the released datasets guarantee that all possible data utilization conditions, owing to their quasi-identifier attributes, always have at least k satisfied tuples, they still have privacy violation issues that must be addressed. To address this vulnerability of k-Anonymity, l-Diversity [12] is proposed. For privacy preservation with l-Diversity, in addition to removing the explicit identifier values and distorting (suppressing or generalizing) all unique quasi-identifier values, the number of distinct sensitive values available in each sensitive attribute is also considered, i.e., every group of indistinguishable quasi-identifier values must relate to at least l different sensitive values, where $l\in I^{+}$ and $l\ge 2$, in every sensitive attribute.

Here, an example of privacy preservation is given based on l-Diversity, where Table 1 is the raw dataset. For privacy preservation, let the value of l be set to 2. The released version of the data from Table 1 satisfying the 2-Diversity constraints is shown in

Table 3. The released version of the data from Table 1, which satisfies 2-Diversity constraints.

Age	Gender	Zip Code	Disease	EC
45–48	*	6063*	Flu	$e{c}_1$
45–48	*	6063*	Fever
45–48	*	6063*	Cancer
45–48	*	6063*	Cancer
42–48	Female	60632	Flu	$e{c}_2$
42–48	Female	60632	HIV
42–48	Female	60632	Fever

* represents none.

. In Table 3, it is guaranteed that all possible data utilization conditions, owing to the quasi-identifier attributes, always have at least l different sensitive values to be satisfied. Therefore, we can conclude that l-Diversity is more secure in terms of privacy preservation than k-Anonymity.

Unfortunately, to the best of our knowledge about l-Diversity, it is generally insufficient to address privacy violation issues in datasets that have high-dimensional attributes and are independently released when new data becomes available [13,14,15,16,17]. To eliminate these vulnerabilities in l-Diversity in high-dimensional datasets, $k^m$-Anonymity [18] and $LKC$-Privacy [19,20,21] are proposed. These privacy preservation models assume that the adversary has limited background knowledge about the target user. That is, in terms of the adversary’s background knowledge about the target user, the m and L values are limited by $k^m$-Anonymity and $LKC$-Privacy, respectively, so m or L sizes of the unique quasi-identifier values are suppressed or generalized to be k or K indistinguishable tuples. However, the effectiveness of these privacy preservation models is questioned because they are based on an estimation of the adversary’s level of background knowledge about the target user, and they are inadequate for addressing privacy violation issues in datasets that do not allow the quasi-identifier attributes to determine $NULL$ or the empty value. Moreover, these privacy preservation models can also be inadequate for addressing privacy violation issues in datasets that are independently released and have multiple sensitive attributes [22,23,24,25,26,27,28].

To address privacy violation issues in datasets that have multiple sensitive attributes, two well-known privacy preservation models have been proposed, i.e., aggregate query frameworks [29,30] and data anonymization models for multiple sensitive attributes [31,32,33]. For privacy preservation with aggregate query frameworks, the data analyst is not allowed to utilize the data available in datasets directly, i.e., they can only utilize the data via aggregate query frameworks. Another well-known privacy preservation solution is distorting users’ unique quasi-identifier values in datasets to make them indistinguishable. Moreover, the number of distinct sensitive values and re-identifiable sensitive values in every sensitive attribute of each group of indistinguishable quasi-identifier values are also considered when establishing privacy preservation constraints.

For preserving data privacy in independently released datasets, in [26,34], the authors recommend that, in addition to releasing datasets that satisfy privacy preservation constraints, all results that could be compared between the released and original datasets must also satisfy the privacy preservation constraints.

In addition, to the best of our knowledge about the above-mentioned privacy preservation models, they have serious vulnerabilities that must be improved. That is, they are inadequate for addressing privacy violation issues in datasets that have high-dimensional quasi-identifier attributes, multiple sensitive attributes, and independent data releases. These vulnerabilities in these privacy preservation models will be explained in Section 2.

This paper is organized as follows. The motivation for this work is explained in Section 2. Then, our privacy preservation model for high-dimensional datasets is proposed in Section 3. Subsequently, the experimental results are discussed in Section 4. Finally, our conclusion and directions for future work in this field are discussed in Section 5 and Section 6, respectively.

2. Motivation

Before we explain the motivation for this work, we present the necessary definitions.

Definition 1

(High-dimensional datasets). Let $QI$=$\{q{i}_1,$$q{i}_2,$$\dots ,$$q{i}_p\}$ be the set of quasi-identifier attributes. Let $D{O}^{q{i}_r}$=$\{d{o}_1^{q{i}_r},$$d{o}_2^{q{i}_r},$$\dots ,$$d{o}_v^{q{i}_r}\}$ be the data domain of $q{i}_r$∈$QI$, where 1 ≤r≤p. Let $S=\{s_1,s_2,\dots ,s_q\}$ be the set of sensitive attributes. Let $D{O}^{s_o}$=$\{d{o}_1^{s_0},d{o}_2^{s_0},\dots ,d{o}_w^{s_0}\}$ be the data domain of $s_o\in S$, where $1\le o\le q$. Let $D=\{d_1,d_2,\dots ,d_n\}$ be the high-dimensional dataset. Every $d_i$ of D, where $1\le i\le n$, represents the profile tuple of the user $u_i$ such that it is in the form $QI\cup S$, i.e., $d_i$=$(d{o}_{\omega }^{q{i}_1},$$d{o}_{\psi }^{q{i}_2},$$\dots ,$$d{o}_{\phi }^{q{i}_p},$$d{o}_{\varrho }^{s_1},$$d{o}_{\xi }^{s_2},$$\dots ,$$d{o}_{\vartheta }^{s_q})$, where $d{o}_{\omega }^{q{i}_1}\in D{O}^{q{i}_1}$, $d{o}_{\psi }^{q{i}_2},\in D{O}^{q{i}_2}$, $d{o}_{\phi }^{q{i}_p}\in D{O}^{q{i}_p}$, $d{o}_{\varrho }^{s_1}\in D{O}^{s_1}$, $d{o}_{\xi }^{s_2}\in D{O}^{s_2}$, and $d{o}_{\vartheta }^{s_q}\in D{O}^{s_q}$. Let $D^{\mathrm{\Gamma }\cup \Delta }$ be a sub-data version of D such that it is constructed from $\mathrm{\Gamma }\cup \Delta$, where $\mathrm{\Gamma }\subseteq QI$ and $\Delta \subseteq S$, i.e., $\mathrm{\Gamma }=\{q{i}_{r_1},q{i}_{r_2},\dots ,q{i}_{r_p}\}$⊆$QI$ and $\Delta =\{s_{o_1},s_{o_2},\dots ,s_{o_q}\}$⊆S. Thus, every $d_i^{\mathrm{\Gamma }\cup \Delta }$ of $D^{\mathrm{\Gamma }\cup \Delta }$, where $1\le i\le n$, is in the form $(d{o}_{\omega }^{q{i}_{r_1}},$$d{o}_{\psi }^{q{i}_{r_2}},$$\dots ,$$d{o}_{\phi }^{q{i}_{r_p}},$$d{o}_{\varrho }^{s_{o_1}},$$d{o}_{\xi }^{s_{o_2}},$$\dots ,$$d{o}_{\vartheta }^{s_{o_q}})$. The data projection on Γ and Δ of $D^{\mathrm{\Gamma }\cup \Delta }$ is $D^{\mathrm{\Gamma }}$ and $D^{\Delta }$, respectively. The data projection on $q{i}_{r_{\beta }}$ and $s_{o_{\alpha }}$ of $D^{\mathrm{\Gamma }\cup \Delta }$ is $D^{\mathrm{\Gamma }}\left[q{i}_{r_{\beta }}\right]$ and $D^{\Delta }\left[s_{o_{\alpha }}\right]$, respectively.

Definition 2

(Data generalization hierarchy). Let $f_{DGH}\left(D{O}^{q{i}_r}\right):D{O}_{\zeta }^{q{i}_r}\to D{O}_{\zeta +1}^{q{i}_r}$ be the generalized function of $D{O}^{q{i}_r}$ from the level ζ to $\zeta +1$ such that all values of the level ζ are more specific than their related values at the level $\zeta +1$. Therefore, we can write the data generalization sequence of $D{O}^{q{i}_r}$, $DG{H}_{D{O}^{q{i}_r}}$, from the level 0 to L, as $D{O}_0^{q{i}_r}$$\stackrel{f_{DGH}\left(D{O}_0^{q{i}_r}\right)}{\to }$$D{O}_1^{q{i}_r}$$\stackrel{f_{DGH}\left(D{O}_1^{q{i}_r}\right)}{\to }$$D{O}_2^{q{i}_r}$…$D{O}_{L-2}^{q{i}_r}$$\stackrel{f_{DGH}\left(D{O}_{L-2}^{q{i}_r}\right)}{\to }$$D{O}_{L-1}^{q{i}_r}$$\stackrel{f_{DGH}\left(D{O}_{L-1}^{q{i}_r}\right)}{\to }$$D{O}_L^{q{i}_r}$. That is, all values at the level 0 are more specific than at other levels, and the values at level L are less specific than at other levels.

Definition 3

(Data generalization). Let Λ be the set of specified quasi-identifier values in $q{i}_r$ of D. The meaning of data generalization is that Λ is distorted by an appropriately less-specific value that is presented by $DG{H}_{D{O}^{q{i}_r}}$ as indistinguishable.

Definition 4

(Data suppression). Let $d_i$ be an arbitrary tuple of D. The meaning of data suppression is that $d_i$ is not available in the released version of the data in D.

Definition 5

(Adversary’s background knowledge about the target user). Let $G_{u_i}$=$\{g_1,$$g_2,$$\dots ,$$g_b\}$ be the information about the user $u_i$. If $B_{u_i}$ is the adversary’s background knowledge about the user $u_i$ in D, $B_{u_i}$ must satisfy both limitations as follows: $B_{u_i}\subseteq G_{u_i}$ and $B_{u_i}\subseteq d_i\left[QI\right]$.

Definition 6

(Privacy violation concerns). Let l be a positive integer such that it is equal to or greater than two, i.e., $I^{+}$ and $I\ge 2$. Let $s_o\in S$ be a specific sensitive attribute. If the number of distinct sensitive values available in $s_o$ is at most $l-1$, $s_o$ has privacy violation concerns that must be addressed.

Definition 7

(l-Diversity). Let l be the privacy preservation constraint. Let $f_A($$l,$$D,$$DG{H}_{D{O}^{q{i}_1}},$$DG{H}_{D{O}^{q{i}_2}},$$\dots ,$$DG{H}_{D{O}^{q{i}_p}}):$ D ${\to }_{l,DG{H}_{D{O}^{q{i}_1}},DG{H}_{D{O}^{q{i}_2}},\dots ,DG{H}_{D{O}^{q{i}_p}}}$$\mathbb{D}$ be the function for transforming D into $\mathbb{D}$. That is, all unique quasi-identifier values are available in $QI$ of $\mathbb{D}$, and they are suppressed or generalized by their less-specific values in $DG{H}_{D{O}^{q{i}_1}},$$DG{H}_{D{O}^{q{i}_2}},$$\dots ,$$DG{H}_{D{O}^{q{i}_p}}$ to be indistinguishable. Moreover, every group of indistinguishable quasi-identifier tuples must be related to at least l distinct sensitive values of every sensitive attribute $s_o\in S$. In addition, every group of indistinguishable quasi-identifier tuples satisfies l-Diversity constraints, and they are referred to as equivalence classes $ec$ of $\mathbb{D}$. Hence, $\mathbb{D}$ can be presented by the set of its equivalence classes, i.e., $EC=\{e{c}_1,e{c}_2,\dots ,e{c}_a\}$.

Here, we give an example of privacy preservation based on l-Diversity constraints in datasets that have multiple sensitive attributes. Let

Table 4. An example of raw datasets that have high-dimensional quasi-identifiers and sensitive attributes.

Position	Education	…	Age	Gender	Zip Code	Disease	Salary	…
Accounting	Bachelor	…	45	Male	60636	Flu	USD 10,000	…
Accounting	Master	…	46	Female	60632	Flu	USD 13,000	…
Programmer	Doctor	…	47	Male	60635	Cancer	USD 14,000	…
Programmer	Master	…	48	Male	60639	Cancer	USD 15,000	…
Lecturer	Doctor	…	48	Female	60632	Flu	USD 16,000	…
Lecturer	Doctor	…	42	Female	60632	HIV	USD 17,000	…
Lecturer	Master	…	42	Female	60632	Fever	USD 18,000	…

be the raw dataset D. Let the value of l be set to 2. With these instances, the released version of the data $\mathbb{D}$ in Table 4 satisfies the 2-Diversity constraints, as shown in

Table 5. The released version of the data in Table 4, which satisfies 2-Diversity constraints.

Position	Education	…	Age	Gender	Zip Code	Disease	Salary	…	EC
*	*	…	45–47	*	6063*	Flu	USD 10,000	…	$e{c}_1$
*	*	…	45–47	*	6063*	Flu	USD 13,000	…
*	*	…	47–47	*	6063*	Cancer	USD 14,000	…
*	*	…	48	*	6063*	Cancer	USD 15,000	…	$e{c}_2$
*	*	…	48	*	6063*	Flu	USD 16,000	…
Lecturer	*	…	42	Female	60632	HIV	USD 17,000	…	$e{c}_3$
Lecturer	*	…	42	Female	60632	Fever	USD 18,000	…

. In Table 5, there are three equivalence classes, i.e., $e{c}_1$, $e{c}_2$, and $e{c}_3$. Moreover, Table 5 guarantees that all possible data utilization conditions, owing to the quasi-identifier attributes, always have at least l distinctly satisfied sensitive values in every sensitive attribute. However, Table 5 has data utility issues that must be addressed, i.e., the meaning of the data in Table 5 is much less clear than in Table 4.

2.1. Data Utility Issues

2.1.1. Data Utility Issues Based on the Number of $QI$ Attributes

Let the value of l be set to 2, and let Table 4 without $Disease$ be the raw dataset D. For these instances, the released version of the data $\mathbb{D}$ in Table 4 satisfies the 2-Diversity constraints, as shown in

Table 6. The released version of the data in Table 4 without $Disease$, which satisfies 2-Diversity constraints.

Position	Education	Age	Gender	Zip Code	Salary	EC
Accounting	*	45–46	*	6063*	USD 10,000	$e{c}_1$
Accounting	*	45–46	*	6063*	USD 13,000
*	*	47–48	*	6063*	USD 14,000	$e{c}_2$
*	*	47–48	*	6063*	USD 15,000
*	*	47–48	*	6063*	USD 16,000
Lecturer	*	42	Female	60632	USD 17,000	$e{c}_3$
Lecturer	*	42	Female	60632	USD 18,000

* represents none.

. In another situation, let Table 4 without $Education$, $Age$, $Zipcode$, and $Disease$ be the raw dataset D. For these instances, the released version of the data $\mathbb{D}$ in Table 4 satisfies the 2-Diversity constraints, as shown in

Table 7. The released version of the data in Table 4 without $Education$, $Age$, $Zipcode$, and $Disease$, which satisfies 2-Diversity constraints.

Position	Gender	Salary	EC
Accounting	*	USD 10,000	Table 7-$e{c}_1$
Accounting	*	USD 13,000
Programmer	Male	USD 14,000	Table 7-$e{c}_2$
Programmer	Male	USD 15,000
Lecturer	Female	USD 16,000	Table 7-$e{c}_3$
Lecturer	Female	USD 17,000
Lecturer	Female	USD 18,000

* represents none.

. In Table 6 and Table 7, we can see that Table 7 utilizes more data than Table 6. Therefore, we can conclude that the number of quasi-identifier attributes directly influences the data utility of $\mathbb{D}$.

2.1.2. Data Utility Issues Based on the Number of S Attributes

Let the value of l be set to 2, and let Table 4 without $Education$, $Age$, and $Zipcode$ be the raw dataset D. For these instances, the released version of the data $\mathbb{D}$ in Table 4 satisfies the 2-Diversity constraints, as shown in

Table 8. The released version of the data in Table 4 without $Education$, $Age$, and $Zipcode$, which satisfies 2-Diversity constraints.

Position	Gender	Disease	Salary	EC
*	*	Flu	USD 10,000	$e{c}_1$
*	*	Flu	USD 13,000
*	*	Cancer	USD 14,000
*	*	Cancer	USD 15,000
Lecturer	Female	Flu	USD 16,000	$e{c}_2$
Lecturer	Female	HIV	USD 17,000
Lecturer	Female	Fever	USD 18,000

* represents none.

. In Table 7 and Table 8, we can see that Table 7 utilizes more data than Table 8. Therefore, we can conclude that the number of sensitive attributes also influences the data utility of $\mathbb{D}$.

Based on Section 2.1.1 and Section 2.1.2, it is clear that the number of $QI$ and S attributes influences the data utility of $\mathbb{D}$. For this reason, only the utilized $QI$ and S attributes of D should be available in $\mathbb{D}$ in D. For example, let Table 4 be the raw dataset D. Suppose that if the data holder only needs to show a statistical report of employee salaries based on gender and position, only $Position$, $Gender$, and $Salary$ are available in the released version of the data $\mathbb{D}$ in Table 4. Although this privacy preservation solution addresses the data utility issues of $\mathbb{D}$, it often leads to privacy violation from data comparison attacks when the adversary has background knowledge about the target user and has received enough released versions of the data in D.

2.2. Privacy Violation from Data Comparison Attacks

In this section, a data privacy attack (violation) on independently released datasets D using data comparison is demonstrated. It is based on the assumption that datasets can be changed when new data becomes available. Moreover, we assume that the adversary has received the corresponding released version of the data in D. The adversary believes that the tuple of the received datasets is the profile tuple of the target user. In addition, we assume that the adversary has enough background knowledge about the target user and that the sensitive attribute targeted by the adversary is available in all received datasets. Privacy violation is considered to have occurred when the comparison result of the targeted sensitive attribute in the received datasets does not satisfy the given value of l.

Let $D^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$ be a sub-data version of D such that it is constructed from ${\mathrm{\Gamma }}_x\subseteq QI$ and ${\Delta }_x\subseteq S$. Let $D^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$ be a sub-data version of D such that it is constructed from ${\mathrm{\Gamma }}_y\subseteq QI$ and ${\Delta }_y\subseteq S$, where ${\mathrm{\Gamma }}_x\cap {\mathrm{\Gamma }}_y\ne \varnothing$, ∣${\mathrm{\Gamma }}_x$∪${\mathrm{\Gamma }}_y$∣<$(\mid$${\mathrm{\Gamma }}_x$∣+∣${\mathrm{\Gamma }}_y$$\mid )$, and ${\Delta }_x$∩${\Delta }_y$≠∅. For privacy preservation, let $f_A($$l,$$D^{{\mathrm{\Gamma }}_x\cup {\Delta }_x},$$DG{H}_{D{O}^{q{i}_{x_1}}},$$DG{H}_{D{O}^{q{i}_{x_2}}},$$\dots ,$$DG{H}_{D{O}^{q{i}_{x_p}}})$:$D^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$${\to }_{l,DG{H}_{D{O}^{q{i}_{x_1}}},DG{H}_{D{O}^{q{i}_{x_2}}},\dots ,DG{H}_{D{O}^{q{i}_{x_p}}}}$${\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$, where $q{i}_{x_1},$$q{i}_{x_2},$$\dots ,$$q{i}_{x_p}$∈${\mathrm{\Gamma }}_x$ is the function for transforming $D^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$ into ${\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$. Let $f_A($$l,$$D^{{\mathrm{\Gamma }}_y\cup {\Delta }_y},$$DG{H}_{D{O}^{q{i}_{y_1}}},$$DG{H}_{D{O}^{q{i}_{y_2}}},$$\dots ,$$DG{H}_{D{O}^{q{i}_{y_p}}})$:$D^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$${\to }_{l,DG{H}_{D{O}^{q{i}_{y_1}}},DG{H}_{D{O}^{q{i}_{y_2}}},\dots ,DG{H}_{D{O}^{q{i}_{y_p}}}}$${\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$, where $q{i}_{y_1},$$q{i}_{y_2},$$\dots ,$$q{i}_{y_p}$∈${\mathrm{\Gamma }}_y$ is the function for transforming $D^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$ into ${\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$. That is, ${\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$ and ${\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$ are satisfied by Definition 7. Let $s_o$∈$({\Delta }_x$∩${\Delta }_y)$ be the sensitive attribute targeted by the adversary such that it is available in $D^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$ and $D^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$. Let $u_i$ be the target user of the adversary. Let $B_{u_i}$ be the adversary’s background knowledge about the target user $u_i$. Let the values in $e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right]$ and $e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right]$ match those in $B_{u_i}$. Moreover, $e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right],$$\dots ,$$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right]$ and $e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right],$$\dots ,$$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right]$ without data generalities satisfy the limitations $(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[{\mathrm{\Gamma }}_x\right])$⊂$(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[{\mathrm{\Gamma }}_y\right])$ and ∣$(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[s_o\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[s_o\right])$−$(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[s_o\right]$∪…∪$e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[s_o\right])$∣<$l-1$. Therefore, the targeted value of the target user $u_i$ is available in $s_o$ in ${\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}$ and ${\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}$, and it can be revealed by $(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[s_o\right]$ ∪ … ∪ $e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_y\cup {\Delta }_y}}\left[s_o\right])$ − $(e{c}_{z_1}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[s_o\right]$ ∪ … ∪ $e{c}_{z_c}^{{\mathbb{D}}^{{\mathrm{\Gamma }}_x\cup {\Delta }_x}}\left[s_o\right])$.

Here, we provide an example of privacy violation issues in an independently released dataset D from data comparison attacks. Let Table 4 be the raw dataset. Let the value of l be set to 2. Let Table 7 be the released version of the data in a sub-table of Table 4 such that it is constructed from $Position$, $Gender$, and $Salary$, and it further satisfies the 2-Diversity constraints. Moreover, let

Table 9. The released version of the data in Table 4 without $Position$, $Education$, $Age$, and $Disease$, which satisfies 2-Diversity constraints.

Gender	Zip Code	Salary	EC
Male	6063*	USD 10,000	Table 9-$e{c}_1$
Male	6063*	USD 14,000
Male	6063*	USD 15,000
Female	60632	USD 13,000	Table 9-$e{c}_2$
Female	60632	USD 16,000
Female	60632	USD 17,000
Female	60632	USD 18,000

* represents none.

be the released version of the data in a sub-table of Table 4 such that it is constructed from $Gender$, $Zipcode$, and $Salary$. In addition, Table 9 satisfies the 2-Diversity constraints. Suppose that the adversary has received Table 7 and Table 9. Let John be the target user of the adversary such that they strongly believe that the tuple in Table 7 and Table 9 is $John$’s profile tuple. Moreover, the adversary knows that Johnis a male accountant. Furthermore, we assume that the adversary needs to reveal John’s salary, which is given in Table 7 and Table 9. In this situation, the adversary can be confident that the tuple of Table 7-$e{c}_1$ and Table 9-$e{c}_1$ must be $John$’s profile tuple because only the quasi-identifier values of these equivalence classes match the adversary’s background knowledge about $John$. Moreover, the adversary can see that Table 9-$e{c}_1$ relates to Table 7-$e{c}_1$ and Table 7-$e{c}_2$, and they also see that the Table 9-$e{c}_2$ relates to Table 7-$e{c}_1$ and Table 7-$e{c}_3$. Therefore, the adversary can infer from Table 7 and Table 9 that USD 10,000 is John’s salary. The data relationships between Table 7 and Table 9 are shown in Figure 1.

Based on Section 2.1 and Section 2.2, it is clear that although the datasets satisfy l-Diversity constraints, they still have two serious issues that must be addressed, i.e., data utility and privacy violation. To eliminate these vulnerabilities in l-Diversity, we propose a new extended privacy preservation model of l-Diversity. It will be presented in Section 3.

3. The Proposed Model

In this section, we describe a new privacy preservation model that can address privacy violation issues in high-dimensional datasets that are allowed to change and independently release data when new data becomes available such that released datasets are not susceptible to privacy violation from data comparison attacks.

3.1. Privacy Preservation in High-Dimensional Datasets

Let l be a privacy preservation constraint represented by a positive integer that is equal to or greater than two. Let $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ be the specific raw dataset that is released at the timestamp j. Let ${\mathbb{D}}^{{\mathrm{\Gamma }}_1\cup {\Delta }_1},$${\mathbb{D}}^{{\mathrm{\Gamma }}_2\cup {\Delta }_2},$$\dots ,$${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ be the released versions of the data D such that they relate to $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and are released from the timestamp 1 to $j-1$. For privacy preservation, let $f_A^j(l,$$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},$${\mathbb{D}}^{{\mathrm{\Gamma }}_1\cup {\Delta }_1},$${\mathbb{D}}^{{\mathrm{\Gamma }}_2\cup {\Delta }_2},$$\dots ,$${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}},$$DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_p}}$$):$$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}{\to }_{l,{\mathbb{D}}^{{\mathrm{\Gamma }}_1\cup {\Delta }_1},}$${\mathbb{D}}^{{\mathrm{\Gamma }}_2\cup {\Delta }_2},\dots ,{\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}},DG{H}_{d{o}^{{q{i}_r}_1}},DG{H}_{d{o}^{{q{i}_r}_1}},\dots ,DG{H}_{d{o}^{{q{i}_r}_p}}$${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ be the function for transforming $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ into ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. That is, all unique quasi-identifier values are suppressed or generalized by their less-specific values in $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_p}}$ to be indistinguishable. Moreover, every group of indistinguishable quasi-identifier tuples must relate at least l distinct sensitive values in every $s_{o_z}\in {\Delta }_j$. In addition, every group of tuples in ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is then satisfied by the given value of l to call an equivalence class $e{c}^j$ of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. Thus, we can say that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is the set of its equivalence classes, i.e., $E{C}^j=\{e{c}_1^j,e{c}_2^j,\dots ,e{c}_a^j\}$. In addition to suppressing or generalizing all unique quasi-identifiers and considering the number of distinct sensitive values, the comparison result between the sensitive values in $e{c}_z^j\left[s_{o_{\varkappa }}\right]$ and every related $e{c}_z^t\left[s_{o_{\varkappa }}\right]$ in $E{C}^t$, where $1\le t\le (j-1)$, must also be satisfied by the given value of l, i.e., ∣$e{c}_z^j\left[s_{o_{\varkappa }}\right]$−$e{c}_z^t\left[s_{o_{\varkappa }}\right]$∣≥l.

In addition, after datasets satisfy the proposed privacy preservation constraint, they are often more secure in terms of privacy preservation than their corresponding raw datasets, but they lose some data utility. Moreover, a given privacy preservation constraint for each dataset generally has various released versions of the data that can be satisfied. For example, let Table 4 without $Education$, $Age$, $Zipcode$, and $Disease$ be the raw dataset for public use. Suppose that only Table 7 is the previously released version of the data that relates to the specific raw dataset. Let the value of l be set to 2. For these instances,

Table 10. The released version of the data in Table 4 without $Position$, $Education$, $Age$, and $Disease$, which satisfies the proposed privacy preservation constraint, where $l=2$.

Gender	Zip Code	Salary	EC
*	6063*	USD 10,000	$e{c}_1$
*	6063*	USD 13,000
Male	6063*	USD 14,000	$e{c}_2$
Male	6063*	USD 15,000
Female	60632	USD 16,000	$e{c}_3$
Female	60632	USD 17,000
Female	60632	USD 18,000

* represents none.

and

Table 11. The released version of the data in Table 4 without $Position$, $Education$, $Age$, and $Disease$, which also satisfies the proposed privacy preservation constraint, where $l=2$.

Gender	Zip Code	Salary	EC
*	6063*	USD 10,000	$e{c}_1$
*	6063*	USD 14,000
*	6063*	USD 15,000
*	6063*	USD 13,000
Female	60632	USD 16,000	$e{c}_2$
Female	60632	USD 17,000
Female	60632	USD 18,000

* represents none.

are both released versions of the data that are not susceptible to privacy violation from data comparison attacks. However, Table 10 and Table 11 are different, so they could be different in terms of data utilization. Only the released version of the data has the desired high data utility. Therefore, the data utility metric is a necessity in the proposed model; this will be discussed in Section 3.2.

3.2. Data Utility Metric

Although ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ satisfies the proposed privacy preservation constraint, it is generally higher in terms of privacy preservation than $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. However, ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ often loses some data utility. For this reason, only ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ has sufficiently high data utility. Thus, the data utility metric is a necessity in the proposed privacy preservation model. Since privacy preservation based on data suppression and generalization was established, several data utility metrics have been proposed, e.g., the precision metric ($PREC$) for data suppression in conjunction with data generalization [35], the discernibility metric ($DM$) [36], and relative error [37,38]. These metrics will be explained in Section 3.2.1, Section 3.2.2, and Section 3.2.3, respectively.

3.2.1. Precision Metric (PREC) for Data Suppression in Conjunction with Data Generalization [35]

With the proposed privacy preservation model, ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can satisfy the privacy preservation constraints using data suppression in conjunction with data generalization. For this reason, ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ has two data penalty costs that must be considered, i.e., the penalty costs of data suppression and data generalization. With data generalization, the penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ depends on the level and the number of generalized values such that a high level and a larger number of generalized values lead to a higher penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. Therefore, the penalty cost of data generalization for ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be defined by Equation (1), i.e., the penalty cost of data generalization for ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is between 0 and ∣${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∣ · ∣${\mathbb{D}}^{{\mathrm{\Gamma }}_j}$∣. A higher penalty cost of $f_{\mathbb{GEN}}$ means that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is more generalized.

$$f_{\mathbb{GEN}}\left({\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\right)=\sum _{i=1}^{\mid {\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid }\sum _{r=1}^{\mid {\mathbb{D}}^{{\mathrm{\Gamma }}_j}\mid }{\displaystyle \frac{\zeta }{\mid DG{H}_{D{O}^{q{i}_r}}\mid }}$$

(1)

where

• ∣${\mathbb{D}}^{{\mathrm{\Gamma }}_j}$∣ is the number of quasi-identifier attributes that are available in ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$;
• $\zeta$ is the generalized level of the quasi-identifier value that is available in $q{i}_r$ of $d_i$;
• ∣$DG{H}_{D{O}^{q{i}_r}}$∣ is the height of the data generalization hierarchy for $D{O}^{q{i}_r}$;
• ∣${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∣ is the number of tuples that are available in ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$.

Another penalty cost for ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is data suppression, which depends on the number of suppressed tuples and the size of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. Thus, the penalty cost of data suppression for $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be defined by Equation (2). That is, the penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is between 0 and ∣$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$${\mid }^2$. A higher penalty cost of $f_{\mathbb{SUP}}$ means that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is more suppressed.

$$\begin{array}{c}\hfill f_{\mathbb{SUP}}(D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},{\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j})=\\ \hfill \mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}-{\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid ·\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid \end{array}$$

(2)

Therefore, the total penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be defined based on the penalty cost of $f_{\mathbb{GEN}}$ and $f_{\mathbb{SUP}}$, as shown in Equation (3). In addition, a higher penalty cost of $f_{\mathbb{PREC}}$ means that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ has lower data utility.

$$\begin{array}{c}\hfill f_{\mathbb{PREC}}(D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},{\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j})=\\ \hfill f_{\mathbb{GEN}}\left({\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\right)+f_{\mathbb{SUP}}(D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},{\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j})\end{array}$$

(3)

3.2.2. Discernibility Metric (DM) [36]

The $DM$ metric is a data utility metric that can also be used to define the penalty cost or the data utility of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. With the $DM$ metric, the penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ depends on the size of its equivalence classes. That is, it can be defined by Equation (4). The $DM$ penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is between 0 and ∣${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$${\mid }^2$. A higher $DM$ penalty cost means that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ has lower data utility.

$$f_{\mathbb{DM}}\left(E{C}^j\right)=\sum _{z=1}^{\mid E{C}^j\mid }\mid e{c}_z^j{\mid }^2$$

(4)

3.2.3. Relative Error [37,38]

The relative error is the metric that is used to define the penalty cost of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. With this metric, the data utility of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ depends on the difference in the queried results between ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and its original dataset $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. A higher relative error means that ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ has lower data utility. For query results that are represented by numerical data, their relative errors can be defined by Equation (5).

$$f_{\mathbb{REI}}(\nu ,{\nu }_0)={\displaystyle \frac{\mid \nu -{\nu }_0\mid }{\nu }}$$

(5)

where

• $\nu$ is the result that is queried from $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$;
• ${\nu }_0$ is the relative result of $\nu$ such that it is queried from ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$.

With query results that are not represented by numerical data, their relative errors can be defined by Equation (6).

$$f_{\mathbb{REC}}(n\left(\nu \right),n\left({\nu }_0\right))={\displaystyle \frac{\mid n\left(\nu \right)-n\left({\nu }_0\right)\mid }{n\left(\nu \right)}}$$

(6)

where

• $n\left(\nu \right)$ is the number of values that are queried from $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$;
• $n\left({\nu }_0\right)$ is the number of relative values of $n\left(\nu \right)$ such that they are queried from ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$.

3.3. The Proposed Algorithm

In this section, a new privacy preservation algorithm, $l^{HD}$-$Diversity($$l,$$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},$${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$, $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_v}}$), is presented that can address privacy violation issues in high-dimensional datasets that are allowed to change and independently release data when new data become available. With the proposed algorithm, in addition to privacy preservation, the data utility and exclusion time are also maintained where possible. To achieve the aims of the proposed algorithm, greedy [39,40,41,42] and data clustering [43,44,45] are applied. Moreover, the proposed algorithm is based on the assumption that all corresponding released versions of the data $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ are released from the timestamp 1 to $j-1$, i.e., ${\mathbb{D}}^{{\mathrm{\Gamma }}_1\cup {\Delta }_1},$${\mathbb{D}}^{{\mathrm{\Gamma }}_2\cup {\Delta }_2},$$\dots ,$${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$, and they always satisfy the proposed privacy preservation model. Thus, only ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ is considered to construct ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. The proposed algorithm (Algorithm 1) is shown below.

The inputs of the proposed privacy preservation algorithm are a positive integer l, the sub-data version $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ of D, the corresponding released version of the data ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$, and the data generalization hierarchies $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$ and $DG{H}_{d{o}^{{q{i}_r}_v}}$. The output of the proposed privacy preservation algorithm is the released version of the data ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ such that it satisfies the proposed privacy preservation constraints that are presented in Section 3.1.

Algorithm 1$l^{HD}$-$Diversity($$l,$$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j},$${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$, $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_v}}$)

Require:  A positive integer l, the sub-data version $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ of D, and the relatedly released data version ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$, $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$ and $DG{H}_{d{o}^{{q{i}_r}_v}}$. Ensure:  A released data version ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$.   Let $TMP{T}_1$ and $TMP{T}_2$ be the set of temporal tuples.   Let $TMP{S}_1$ and $TMP{S}_2$ be the set of temporal penalty costs.   if∣$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∣<lthen       return $Failure$   else if${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ is $NULL$ then       $TMP{T}_1$←$d_i$, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}-d_i$, $TMP{S}_2$←∞, g← 1       while $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_1}\right],D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_2}\right],\dots ,D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_q}\right]$ satisfy l do           $TMP{S}_1$←$f_{\mathbb{PREC}}\left(f_A(TMP{T}_1\cup d_i)\right)$           if $TMP{S}_1<TMP{S}_2$ then              $TMP{T}_2$←$d_i$              $TMP{S}_2$←$TMP{S}_1$           end if           if g=∣$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∣ then              $TMP{T}_1$←$TMP{T}_1$∪$TMP{T}_2$              $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$−$TMP{T}_2$, $TMP{S}_2$←∞, g← 1              if $TMP{T}_1\left[s_{o_1}\right],TMP{T}_1\left[s_{o_2}\right],\dots ,TMP{T}_1\left[s_{o_q}\right]$ satisfy l then                  ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∪$f_A(TMP{T}_1,$$DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_v}}$)                  $TMP{T}_1$←$d_i$, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$−$d_i$              end if           end if           g←$g+1$       end while   else       $TMP{T}_1$←$d_i$, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}-d_i$, $TMP{S}_2$←∞, g← 1       while $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_1}\right],D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_2}\right],\dots ,D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\left[s_{o_q}\right]$ satisfy l do           $TMP{S}_1$←$f_{\mathbb{PREC}}\left(f_A(TMP{T}_1\cup d_i)\right)$           if $TMP{S}_1<TMP{S}_2$ then              $TMP{T}_2$←$d_i$              $TMP{S}_2$←$TMP{S}_1$           end if           if g=∣$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∣ then              $TMP{T}_1$←$TMP{T}_1$∪$TMP{T}_2$              $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$−$TMP{T}_2$, $TMP{S}_2$←∞, g← 1              if $TMP{T}_1\left[s_{o_1}\right],TMP{T}_1\left[s_{o_2}\right],\dots ,TMP{T}_1\left[s_{o_q}\right]$ satisfy l then                  for z← 1 to ∣$E{C}^{j-1}$∣ do                      if Every compared result between each $TMP{T}_1\left[s_{o_{\varkappa }}\right]$ and its comparable $e{c}_z\left[s_{o_{\varkappa }}\right]$ in $E{C}^{j-1}$ of ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$, where $1\le \varkappa \le q$ and $1\le z\le$∣$E{C}^{j-1}$∣, satisfies l then                          ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$∪$f_A(TMP{T}_1,$$DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$$DG{H}_{d{o}^{{q{i}_r}_v}}$).                          $TMP{T}_1$←$d_i$, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$←$D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$−$d_i$                      end if                  end for              end if           end if           g←$g+1$       end while   end if   return${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$

For privacy preservation, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is first investigated to answer the question “can $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ be transformed to satisfy the given value of l?”. If $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ cannot be transformed to satisfy the given value of l, the algorithm returns $Failure$. If it can be transformed, the second or third part of the algorithm is enabled. In the second part, the algorithm investigates the question “is there a corresponding released version of the data ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$?”. That is, if ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ is $NULL$, it means that $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ does not have a corresponding released version of the data. Thus, $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be transformed to satisfy the given value of l, without considering privacy violation from data comparison attacks, using the following steps:

• In the first step, an arbitrary tuple $d_i\in D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is chosen to be the initialized tuple for constructing the first equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. Moreover, $d_i$ is removed from $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and kept by $TMP{T}_1$.
• In the second step, the maximum penalty cost for constructing the first equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is determined such that it is kept by $TMP{S}_2$, i.e., $TMP{S}_2=\infty$.
• In the third step, all tuples of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ are iterated until they cannot satisfy the given value of l. In each iteration, a tuple $d_i$ of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is assigned to its appropriate equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and removed from $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. In addition, to construct each new equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$, an arbitrary tuple $d_i\in D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is chosen to be the initialized tuple, and the maximum penalty cost, $TMP{S}_2=\infty$, for constructing the equivalence class is set to be maximized.
• In the fourth step, the unique quasi-identifier values are made available in $q{i}_1,$$q{i}_2,$$\dots ,$ and $q{i}_p$ are generalized by their less-specific values, which are represented by $DG{H}_{d{o}^{{q{i}_r}_1}},$$DG{H}_{d{o}^{{q{i}_r}_2}},$$\dots ,$ and $DG{H}_{d{o}^{{q{i}_r}_v}}$, respectively.
• Finally, ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is returned.

In addition, the tuples of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ cannot be transformed to satisfy the given value of l; they are suppressed.

Another part of the algorithm is enabled when $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be satisfied by the given value of l and when the corresponding released version of the data ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is available. In this part of the algorithm, in addition to generalizing the unique quasi-identifier values and considering the number of unique sensitive values, all compared results between each equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and its comparable equivalence class in ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ are also considered to satisfy the given value of l. Moreover, the tuples of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ cannot be transformed to satisfy the given value of l; they are also suppressed. Finally, ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is returned.

The Complexity of the Proposed Algorithm

In this section, we discuss the complexity of the proposed algorithm. With the proposed algorithm, we can see that before every equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ is constructed, its most similar tuples are first determined such that they are $f_{\mathbb{PREC}}\left(TMP{T}_1\right)$ as minimized as possible, and each of their sensitive attributes must collect at least l distinct sensitive values. In addition, the most similar tuples are determined and removed from $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ in each iteration of the proposed algorithm. For this reason, the tuples of $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ are reduced by one in every iteration. Therefore, the cost of determining the most similar tuples in the proposed algorithm can be defined by Equation (7).

$$\begin{array}{c}\hfill \mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid +(\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid -1)+(\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid \\ \hfill -2)+\cdots +(\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid -(\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid -1))=\\ \hfill {\displaystyle \frac{\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}{\mid }^2+\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid }{2}}\end{array}$$

(7)

For example, suppose that six tuples are available in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. An infographic illustrating the cost of determining the most similar tuples in the proposed algorithm is shown in Figure 2, where the blue square is the number of tuples that are considered by each iteration of the proposed algorithm.

In addition to the cost of determining the most similar tuples, the proposed algorithm has two further costs that must be considered, i.e., the cost of data generalization and the cost of comparing the results between each constructed equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and its comparable equivalence classes in ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$.

The cost of data generalization depends on the number of quasi-identifier attributes, the height of the data generalization hierarchy of each quasi-identifier attribute, and the number of equivalence classes of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$. Therefore, the cost of generalizing the unique quasi-identifier values of the proposed algorithm can be defined by Equation (8).

$$\begin{array}{c}\hfill MAX(\mid DG{H}_{d{o}^{{q{i}_r}_1}}\mid ,\mid DG{H}_{d{o}^{{q{i}_r}_2}}\mid ,\\ \hfill \cdots ,\mid DG{H}_{d{o}^{{q{i}_r}_v}}\mid )·\mid D^{{\mathrm{\Gamma }}_j}\mid ·\mid E{C}^j\mid \end{array}$$

(8)

Another cost of the proposed algorithm is that of comparing the results between each constructed equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and its comparable equivalence classes in ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$. This cost depends on the number of sensitive attributes, the number of equivalence classes of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$, and the number of equivalence classes of ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$. Therefore, the cost of comparing the results between each constructed equivalence class of ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ and its comparable equivalence class in ${\mathbb{D}}^{{\mathrm{\Gamma }}_{j-1}\cup {\Delta }_{j-1}}$ can be defined by Equation (9).

$$\mid D^{{\Delta }_j}\mid ·\mid E{C}^j\mid ·\mid E{C}^{j-1}\mid$$

(9)

Thus, the total cost (the complexity) for the proposed algorithm of constructing the released version of the dataset ${\mathbb{D}}^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ in $D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}$ can be defined by Equation (10).

$$\begin{array}{c}\hfill {\displaystyle \frac{\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}{\mid }^2+\mid D^{{\mathrm{\Gamma }}_j\cup {\Delta }_j}\mid }{2}}·MAX(\\ \hfill \mid DG{H}_{d{o}^{{q{i}_r}_1}}\mid ,\mid DG{H}_{d{o}^{{q{i}_r}_2}}\mid ,\dots ,\mid DG{H}_{d{o}^{{q{i}_r}_v}}\mid )·\\ \hfill \mid D^{{\mathrm{\Gamma }}_j}\mid ·\mid D^{{\Delta }_j}\mid ·\mid E{C}^{j-1}\mid ·\mid E{C}^j{\mid }^2\end{array}$$

(10)

4. Experiment

This section is focused on evaluating the effectiveness and efficiency of the proposed privacy preservation model by comparing it with l-Diversity [12] and $LKC$-Privacy [19].

4.1. Experimental Setup

All experiments were performed to evaluate the effectiveness and efficiency of the proposed privacy preservation model; they were conducted on both Intel(R) Xeon(R) Gold 5218 @2.30 GHz CPUs with 64 GB memory and six 900 GB HDDs with RAID-5. Furthermore, all implementations were built and executed using Microsoft Windows Server 2019 in connection with Microsoft Visual Studio 2019 Community Edition and Microsoft SQL Server 2019.

Moreover, all of the experimental results discussed were obtained from the $Adult$ dataset, which is available at the $UCI$ Machine Learning Repository [46]. This dataset is constructed from 32561 user profile tuples. Each user profile tuple consists of 14 attributes, i.e., $Age$, $Workclass$, $Fnlwgt$, $Education$, $Education$-$num$, $Marital$-$status$, $Occupation$, $Relationship$, $Race$, $Sex$, $Capital$-$gain$, $Capital$-$loss$, $Hours$-$per$-$week$, and $Native$-$country$. To effectively conduct the experiments, only the attributes $Age$, $Workclass$, $Education$, $Marital$-$status$, $Occupation$, $Relationship$, $Sex$, $Capital$-$loss$, $Hours$-$per$-$week$, and $Native$-$country$ were made available in the experimental datasets. The attributes $Age$, $Education$, $Marital$-$status$, $Occupation$, $Sex$, and $Native$-$country$ were set as the quasi-identifier attributes. Other attributes (i.e., $Workclass$, $Capital$-$loss$, $Hours$-$per$-$week$, and $Relationship$) were set as the sensitive attributes. Moreover, in this dataset, all user profile tuples include the values “?” and “0”; for the purposes of this study, they were removed. Therefore, the experimental dataset only included 1428 user profile tuples. We assumed that all experimental datasets had been released twice. Histograms and the cumulative percentages of each quasi-identifier attribute and each sensitive attribute are shown in Figure 3 and Figure 4, respectively.

4.2. Experimental Results and Discussion

4.2.1. Effectiveness of the Model

In the first experiment, we evaluate the effect of the number of quasi-identifier attributes on the data utility of the datasets constructed by the proposed model and the compared models such that they are based on $PREC$ and $DM$ penalty costs. For the experiment, the value of l is fixed at 2 for the proposed model and l-Diversity. For $LKC$-Privacy, the values of L, K, and C are set to the number of quasi-identifier attributes, l, and $1/l$, respectively. Furthermore, all sensitive values available in the experimental datasets are protected sensitive values. Only $Capital$-$Loss$ is set as a sensitive attribute. The number of quasi-identifier attributes varies from 1 to 6. The process of varying the number of quasi-identifier attributes is as follows.

• Initially, only $Native$-$country$ is a quasi-identifier attribute.
• In the second experiment, the experimental dataset only contains $Native$-$country$ and $Sex$ as quasi-identifier attributes.
• $Native$-$country$, $Sex$, and $Marital$-$status$ are the quasi-identifier attributes in the third experiment.
• The fourth experiment has the quasi-identifier attributes $Native$-$country$, $Sex$, $Marital$-$status$, and $Occupation$.
• The quasi-identifier attributes in the fifth experimental dataset are $Native$-$country$, $Sex$, $Marital$-$status$, $Occupation$, and $Education$.
• In the final experimental dataset, $Age$, $Education$, $Marital$-$status$, $Occupation$, $Sex$, and $Native$-$country$ are all set as quasi-identifier attributes.

As shown in Figure 5 and Figure 6, when the number of quasi-identifier attributes is increased, the $PREC$ and $DM$ penalty costs of all experimental datasets also increase. Moreover, l-Diversity and $LKC$-Privacy are equally effective and exhibit higher performance than the proposed model. However, they are slightly different. The higher $PREC$ and $DM$ penalty costs in the experimental datasets with an increasing number of quasi-identifier attributes are due to the increase in the number of quasi-identifier attributes, and the size of the equivalence classes also increases. In addition, larger equivalence classes generally lead to more suppressed or generalized values. Moreover, larger equivalence classes often lead to a large number of generalized values in datasets. The reason l-Diversity and $LKC$-Privacy are equally effective in terms of maintaining the data utility of the experimental datasets with every experiment is that when the experimental datasets do not allow for the retrieval of missing values and all sensitive values are protected sensitive values, the released version of the data from the datasets based on l-Diversity is not different from that based on $LKC$-Privacy. The reason for the reduced effectiveness of the proposed model compared to the other models is that, in addition to datasets needing to satisfy the privacy preservation constraints, the compared results between datasets and their corresponding released versions must also satisfy the privacy preservation constraints. For this reason, the datasets satisfy the privacy preservation constraint of the proposed model; they are not susceptible to privacy violation from data comparison attacks. However, datasets constructed from l-Diversity and $LKC$-Privacy are still susceptible to such attacks.

In the second experiment, we evaluate the effect of the number of sensitive attributes on the data utility of datasets constructed by the proposed model and the compared models such that they are based on $PREC$ and $DM$. In this experiment, the proposed model is only evaluated by comparison with l-Diversity because $LKC$-Privacy cannot address privacy violation issues in datasets with multiple sensitive attributes. In this experiment, the value of l is fixed at 2; all quasi-identifier attributes are available in the experimental datasets; and the number of sensitive attributes varies from 1 to 4. The process of varying the number of sensitive attributes is as follows.

• The first experimental dataset only has $Capital$-$loss$ as a sensitive attribute.
• The second experimental dataset only contains $Capital$-$loss$ and $Relationship$ as sensitive attributes.
• $Capital$-$loss$, $Relationship$, and $Workclass$ are the sensitive attributes in the third experimental dataset.
• In the final experimental dataset, $Capital$-$loss$, $Relationship$, $Workclass$, and $Hours$-$per$-$week$ are all set as sensitive attributes.

Figure 7 and Figure 8 show that when the number of sensitive attributes is increased, the $PREC$ and $DM$ penalty costs of all experimental datasets are also increased. The reason for the higher $PREC$ and $DM$ penalty costs in the experimental datasets with an increasing number of sensitive attributes is that when the number of sensitive attributes is increased, the size of the equivalence classes also increases. Moreover, l-Diversity is more effective than the proposed model. However, they are slightly different. The reason for the reduced effectiveness of the proposed model compared to l-Diversity is that, in addition to datasets needing to satisfy the privacy preservation constraints, the compared results between datasets and their corresponding released versions must also satisfy the privacy preservation constraints, but this privacy preservation constraint is not considered by l-Diversity. For this reason, although the proposed model is less effective than l-Diversity, it is more secure in terms of privacy preservation.

In the third experiment, we evaluate the effect of the value of l on the data utility of datasets constructed by the proposed model and the other models such that they are based on $PREC$ and $DM$. In this experiment, only $Capital$-$loss$ is set as a sensitive attribute, and all quasi-identifier attributes are available in the experimental datasets. The value of l is varied from 2 to 10 for the proposed model and l-Diversity. In $LKC$-Privacy, the values of L, K, and C are set to the number of quasi-identifier attributes, l, and $1/l$, respectively. Furthermore, all sensitive values available in the experimental datasets are protected sensitive values.

Figure 9 and Figure 10 show that when the value of l is increased, the $PREC$ and $DM$ penalty costs of all experimental datasets are also increased. This is because when the value of l is increased, the size of the equivalence classes is also increased. Moreover, the compared models are more effective than the proposed model. However, they are slightly different. The reason that the proposed model is less effective than the compared models is that in addition to datasets needing to satisfy the privacy preservation constraints, the compared results between the datasets and their corresponding released versions must also satisfy the privacy preservation constraints, but this privacy preservation constraint is not considered by the compared models.

Figure 5, Figure 6, Figure 7, Figure 8, Figure 9 and Figure 10 show that the number of sensitive attributes and the value of l have a greater effect on the data utility in the datasets than the number of quasi-identifier attributes; this is because the privacy preservation constraint of the proposed model and of the compared models is based on the number of distinct sensitive values.

In the fourth experiment, we evaluate the effect of a limited number of quasi-identifier attributes on the data utility of datasets constructed by the proposed model and the compared models such that they are based on $PREC$ and $DM$. In this experiment, we assume that the data holder needs to limit the number of quasi-identifier attributes for data release from one to six attributes. In this experiment, the value of l is fixed at 2 for the proposed model and l-Diversity. In $LKC$-Privacy, the values of L, K, and C are set to the number of quasi-identifier attributes, l, and $1/l$, respectively. Furthermore, all sensitive values available in the experimental datasets are protected sensitive values. Only $Capital$-$loss$ is set as a sensitive attribute. All quasi-identifier attributes are available in the experimental datasets.

Figure 11 and Figure 12 show that the proposed model is more effective than the compared models in all experiments constructed from experimental datasets with five quasi-identifier attributes at most. The reason for this is that it supports separation of the quasi-identifier attributes to preserve the privacy of data in datasets, while the compared models do not consider this property in their privacy preservation constraints. For this reason, the compared models must consider all quasi-identifier attributes in every experiment. However, when the experimental dataset has six quasi-identifier attributes, the proposed model is less effective than the compared models. This is because the experimental datasets are the same size, and in addition to datasets needing to satisfy the privacy preservation constraints, the compared results between datasets and their corresponding released versions must also satisfy the privacy preservation constraint of the proposed model.

In the fifth experiment, we evaluate the effect of a limited number of sensitive attributes on the data utility of datasets constructed by the proposed model and the compared models such that they are based on $PREC$ and $DM$. In this experiment, the proposed model is only evaluated by comparison with l-Diversity because $LKC$-Privacy cannot address privacy violation issues in datasets that have multiple sensitive attributes, and we assume that the data holder needs to limit the number of sensitive attributes for data release from one to four attributes. For this experiment, the value of l is fixed at 2. All quasi-identifiers and sensitive attributes are available in the experimental datasets.

Figure 13 and Figure 14 show that the proposed model is more effective than the compared models in all experiments constructed from the experimental datasets with three sensitive attributes at most. The reason for this is that it supports separation of the sensitive attributes to preserve the privacy of data in datasets, while the compared models do not consider this property in their privacy preservation constraints. For this reason, the compared models must consider all sensitive attributes in every experiment. However, when the experimental dataset has four sensitive attributes, the proposed model is less effective than the compared models. The reason for this is that the experimental datasets are the same size, and in addition to datasets needing to satisfy the privacy preservation constraints, the compared results between datasets and their corresponding released versions must also satisfy the privacy preservation constraint of the proposed model.

Figure 11, Figure 12, Figure 13 and Figure 14 clearly indicate that the proposed model is more secure in terms of privacy preservation and better in terms of maintaining the data utility of datasets compared to the other models.

In the sixth experiment, we evaluate the data utility of datasets that satisfy the privacy preservation constraint of the proposed model, l-Diversity, and $LKC$-Privacy such that they are based on the $AVERAGE$ query function in conjunction with the $AND$ or $OR$ query operator and the range of queries and they are evaluated by the relative error metric presented in Section 3.2.3. In this experiment, the value of l is fixed at 2 for the proposed model and l-Diversity. With $LKC$-Privacy, the values of L, K, and C are set to the number of quasi-identifier attributes, l, and $1/l$, respectively. Furthermore, all sensitive values available in the experiment datasets are protected sensitive values. Only $Capital$-$loss$ is a sensitive attribute, and all quasi-identifier attributes are available in the experimental datasets. Moreover, all of the experimental results are shown in Figure 15 and Figure 16 and are presented as the mean of the average of the results of 15 randomized queries in the form of Query 1. The experimental results are shown in Figure 17 and are presented as the mean of the average results of 15 randomized queries in the form of Query 2.

• Query 1: SELECT AVERAGE (Capital-loss) WHERE $q{i}_1$ = $qi{v}_1$ [AND/OR] … [AND/OR] $q{i}_p$ = $qi{v}_p$;
• Query 2: SELECT AVERAGE (Capital-loss) WHERE Age BETWEEN LB AND UB.

The elements of these queries are defined as follows:

• $q{i}_1\dots q{i}_p$ are the specified quasi-identifier attributes $Age$, $Education$, $Marital$-$status$, $Occupation$, $Sex$, and $Native$-$country$.
• $qi{v}_1\dots qi{v}_p$ are the specified values for querying the data from the datasets.
• $LB$ is the lower bound for querying the data from the datasets.
• $UB$ is the upper bound for querying the data from the datasets.

In Figure 15, we show the data utility of query results affected by the $OR$ query operation. The experimental results show that the number of query-condition attributes inversely influences the data utility of query results; i.e., a larger number of query-condition attributes leads to higher data utility of the query results. This is because a larger number of query-condition attributes gives all experimental models more options for generalizing the data in datasets, thus resulting in fewer errors.

Figure 16 shows the effect of using the $AND$ query operation on the query results. Obviously, when the number of query-condition attributes is increased, the relative errors of the query results are also increased. This is because all experimental models have limitations regarding the values satisfied in data queries.

Figure 17 shows the effect of using the range of queries on the query results. Note that when the query range condition is set to 0, it means that the exact same value is applied. The trend of the experimental results in Figure 17 is similar to that of the experimental results shown in Figure 15 for the same reason, i.e., a wide range of query conditions often leads to more options for generalizing the data in datasets, thus resulting in fewer errors.

4.2.2. Efficiency

In the seventh experiment, we evaluate the efficiency of the proposed model, which is based on the number of quasi-identifier attributes. In this experiment, the value of l is fixed at 2 for the proposed model and l-Diversity. With $LKC$-Privacy, the values of L, K, and C are set to the number of quasi-identifier attributes, l, and $1/l$, respectively. Furthermore, all sensitive values available in the experimental datasets are set as protected sensitive values. Only $Capital$-$loss$ is a sensitive attribute, and the number of quasi-identifier attributes varies from 1 to 6.

Figure 18, Figure 19 and Figure 20 show that the proposed model is less efficient than l-Diversity, but it is more efficient than $LKC$-Privacy. The reason l-Diversity is more efficient than all other experimental models is that its privacy preservation constraints are simpler than those of the other models. That is, with the proposed model, in addition to the datasets needing to satisfy the privacy preservation constraints, the compared results must also satisfy the model’s privacy preservation constraints. Thus, in addition to the cost of considering the data from datasets to satisfy privacy preservation constraints, the model incurs the cost of data comparison between it and its corresponding datasets. The reason $LKC$-Privacy is less efficient than the other experimental models is that it must consider sub-datasets with a size of L at most.

5. Conclusions

This work enumerates and explains the vulnerabilities of privacy preservation models to data comparison attacks when datasets are independently released. To address the vulnerabilities of privacy preservation models, we propose a new model that can address privacy violations caused by data comparison attacks on datasets. Moreover, our experimental results indicate that released datasets are satisfied by the proposed model, which is found to be more secure in terms of privacy preservation and better in terms of maintaining the data utility of datasets compared to the other models.

6. Future Work

Although the proposed model can address privacy violation issues resulting from data comparison attacks on independently released datasets, adversaries will discover new approaches to compromising the privacy of data. Thus, an appropriate privacy preservation model that can address newly discovered privacy violation issues should be proposed.