可信数据库中的隐私保护技术研究
|
摘要
随着信息社会的发展和人们对隐私关注的不断加强,隐私数据库已经成为当前数据库研究领域和数据安全研究领域的热点之一。与安全数据库不同,隐私数据库要达到隐私保护和隐私使用的平衡。隐私数据库在收集、存储和管理隐私拥有者个体敏感数据的同时,还需依据隐私拥有者指定的隐私保护要求控制隐私数据的使用。这使得隐私数据保护严重依赖隐私拥有者的隐私偏好,导致隐私数据保护缺乏统一的保护规则,给当前隐私数据库研究带来了巨大的挑战。
本文在当前隐私保护研究的基础上,对隐私的概念、模型、建模方法和隐私保护语言、隐私保护方法等问题进行了研究,具体内容包括:隐私的概念模型和逻辑模型;基于代理机制的隐私建模方法;基于EPAL规范的隐私保护SQL语言设计和实现;多拥有者隐私数据的隐私策略冲突检测机制;可信数据库隐私保护应用等。本文研究的内容和创新工作主要包括以下几个方面:
1.面向数据库的隐私模型
当前隐私数据库研究使用基于关系视图的隐私模型。该模型只关注了隐私与个体信息之间的语义关系映射,没有考虑隐私与环境的相互影响。本文提出了一种面向隐私数据库的隐私模型,定义了实现隐私保护需要考虑的操作映射。根据该模型,本文提出了一种隐私分类体系,提出了广泛存在、但未得到研究者关注的隐私类型——多拥有者隐私。本文阐述了这种隐私类型的产生机制,分析了这种隐私的保护要求。
2.基于代理机制的隐私模型建模方法
基于视图的隐私建模方法考虑了隐私多态性和个性化特性,但未考虑隐私的动态性特征。隐私的动态性指隐私会随环境而不断进化,它要求隐私数据库对隐私之间的进化模式、关联算法提供一致的保护力度,并需要协调不同隐私拥有者指派的隐私策略。视图机制难以满足这些隐私保护要求。本文提出一种基于对象代理机制的隐私建模方法。该方法以同时具有关系模型和面向对象模型两者优点的对象代理模型为理论基础,将初始隐私对象(称为最小保护单元)抽象为基本对象,将拥有者对该对象的不同隐私视角建模为不同类别和层次的代理对象,将由不同语义隐私操作生成的新隐私模式定义为该隐私类的不同代理类。所生成的新隐私对象既能根据用户需求选择性地释放特定的隐私属性,又能进一步根据不同语义隐私操作创建新的复杂隐私对象,并能通过对象及代理对象之间的更新迁移自动地维持同一隐私对象不同视角之间的一致性,减少隐私管理的代价。同时,为了解决代理类爆炸问题(对应与关系隐私数据模型中的视图爆炸问题),我们引入了切换操作集合扩展对象代理机制,并在对象代理数据库TOTEM中加以实现。
3.基于EPAL规范的隐私保护SQL语言的设计和实现
当前隐私数据库研究的一个基本假设是隐私拥有者有能力为每个隐私项详细地指定他们的隐私要求。但在现实情况下,这种假设并不存在。这是因为隐私策略定义涉及的语义和场景信息较为复杂。本文参考EPAL规范,结合SQL语法标准,设计了隐私保护SQL语言的体系架构,并结合应用场景定义各种操作语义,实现了一种具有SQL简单语法的隐私保护语言。
4.多拥有者隐私数据的隐私策略冲突检测机制
当前隐私数据库研究均认为隐私创建者和隐私拥有者是同一个个体。然而,本文通过研究发现多拥有者隐私的创建者和拥有者通常并不一致,并且多拥有者隐私在进化过程中会不断引入新的数据拥有者,每个隐私拥有者都会提出新的隐私保护要求。因此,使用多拥有者隐私既要满足隐私应用的公共隐私保护要求,也要满足各拥有者个性化的隐私保护要求。本文重点研究多拥有者隐私策略之间的隐私策略冲突问题,构建了拥有者隐私关注(称为隐私约束)图形化描述方式,提出数据库中隐私约束判定方法和一个基于子图同构的多拥有者隐私策略冲突检测方法。该方法用来判断所有拥有者隐私保护要求之间是否存在冲突。通过对象代理模型中源对象和代理对象之间的双向指针,能将同一多拥有者隐私的不同内容视图及其进化内容视图链接在一起,进而将各拥有者定义在不同视图上的隐私策略聚合成统一的隐私策略集合。该方法将该隐私策略集合抽象为一个分层隐私策略图,将每条隐私策略抽象为该图中的一条有向边,将每个隐私约束抽象为一个约束子图。通过比较隐私策略图中是否包含约束子图,来判断该隐私能否被正确的使用。该方法已实现在可信数据库的隐私保护模块中,并从理论和实验两方面验证了该方法的有效性。
5.可信数据库中隐私保护模块的设计和实现本文所作的研究工作都应用在基于TOTEM的可信数据库系统隐私保护模块中,并且运用在以电子邮件为载体的多拥有者隐私保护中。实验证明,本文的研究成果能有效地保护多拥有者隐私。
With the development of the society and the emphasis on the privacy, the research of the privacy database has been one of the hotspots of database security. The privacy database provides some protection mechanism for privacy data usage based on the privacy preferences defined by the privacy data providers. Compared with satefy database, the privacy database should protect the privacy data as well as be easy to use them. The reason why the privacy data protection lacks of uniform protection formula is that the protection for privacy data relies on the preference of privacy data owner. This dissertation is about studies on protection methodologies of multi-owner privacy data and implementation, which includes: the concept and taxonomy of multi-owner privacy data; the methodology of modeling multi-owner privacy data by object deputy model; the privacy data protection language in privacy database based on TOTEM; multi-owner privacy data protection policy detection mechanism and etc. Research contents and innovations of this dissertation are summarized as follows:
1. The privacy concept and formal model for Hippocratci database
Nowadays, the research on privacy database focuses on that have single centralized owners. In fact, another kind of privacy data, which have multiple owners, extensively exists in our daily life. This kind of data usually comes into being in the interactions of multiple individuals, and they will expand in this procedure. Obviously, this kind of data should be treated much carefully. In my thesis, this kind of data and its hiberarchy is described, and the privacy protection demands are reviewed.
2. Methodology of modeling privacy by object deputy mechanism
Privacy data of multi-owner includes the protection demands of the single owner data type, including polymorphism and individuation. It also asks for more demands in data evpOep enWassRciaWe reguOaWRn's prrwcWON, and correspondence of policies defined by multiple defference owners. The single owner privacy daWp Rdeong is Eased Rn We "view" mechanism in the relationship databases. This is a very straightforward method, but cannot meet the demands of multi-owner privacy data type. In the thesis, a multi-owner privacy data modeling method based on the object deputy mechanism is brought forward, which has the merits of relational data models as well as that of object-oriented data models. In the multi-owner privacy data model, the basic objects are the initial privacy data, deputy objects are the different data versions designated by different data owners in different ratings. In this kind of data model, the new data, which are produced in semantic expanding, are defined as deputy data, too. This method can agilely define the attributes of any objects based on the deputy mechanism, generate the new data types based on the relationship of individual basic objects, as well as maintain the coherence of different data versions by objects renovating transference. For the sake of deputy class explosion, we define the switching manipulation to extend the deputy mechanism. In my thesis, the implementation of these methods is described.
3. The privacy data protection language: design and implementation
In the research of privacy database, there is a basic hypothesis that data provider can designate the particular privacy demand for every privacy data type. In the fact, because of the complicated semantic scene, this hypothesis may not be satisfied. In the thesis, an architectonic of privacy data protection language is designed, referring with the EPAL regulations and SQL standards. A demo of the privacy data protection language in TOTEM database is shown in the thesis.
4. Multi-owner privacy policy conflict detection mechanism
In the single owner privacy protection, the data creator and data owner is same individual. However, for the multi-owner, the creator and the owner may be different. Further more, in the procedure of data evolution; there will be new owners, and new demands. The privacy protection mechanism should meet the demands of every individual and that of the all individuals. In the thesis, a method of privacy data protection policy detection mechanism based on the sub-graph isomorphic is provided, which is to detect the collision among different owners. The bi-directional pointer in object deputy model can link all privacy policies defined for the privacy data and its different data versions and evolutional versions by defference owners. These policies form a policy set. Each policy in the set is abstracted as a directed edge, and the policy can be abstracted as a stratified-directed graph. Each policy constraint, which is defined by an owner and used to represent the prohibited privacy data release pattern of the owner, is abstracted as a stratified-directed subgraph. The method how to analyze and model the policy constraints is discussed in the section and an algorithm is proposed to detect whether the stratified-directed subgraph of a privacy constraint mode is isomorphic to the stratified-directed graph of a privacy policy set.
5. The design and implementation of privacy data protection module in the trust database
In the TOTEM, an object deputy database system, there are privacy data protection modules. The methods discussed in my thesis, will be used in the trust database system in TOTEM circumstance. Discussed privacy data protection mechanism will be a part of protection module for emails. In the experimentation, the feasibility and validity of privacy data protection of multi-owner is proved the truth.
本文在当前隐私保护研究的基础上,对隐私的概念、模型、建模方法和隐私保护语言、隐私保护方法等问题进行了研究,具体内容包括:隐私的概念模型和逻辑模型;基于代理机制的隐私建模方法;基于EPAL规范的隐私保护SQL语言设计和实现;多拥有者隐私数据的隐私策略冲突检测机制;可信数据库隐私保护应用等。本文研究的内容和创新工作主要包括以下几个方面:
1.面向数据库的隐私模型
当前隐私数据库研究使用基于关系视图的隐私模型。该模型只关注了隐私与个体信息之间的语义关系映射,没有考虑隐私与环境的相互影响。本文提出了一种面向隐私数据库的隐私模型,定义了实现隐私保护需要考虑的操作映射。根据该模型,本文提出了一种隐私分类体系,提出了广泛存在、但未得到研究者关注的隐私类型——多拥有者隐私。本文阐述了这种隐私类型的产生机制,分析了这种隐私的保护要求。
2.基于代理机制的隐私模型建模方法
基于视图的隐私建模方法考虑了隐私多态性和个性化特性,但未考虑隐私的动态性特征。隐私的动态性指隐私会随环境而不断进化,它要求隐私数据库对隐私之间的进化模式、关联算法提供一致的保护力度,并需要协调不同隐私拥有者指派的隐私策略。视图机制难以满足这些隐私保护要求。本文提出一种基于对象代理机制的隐私建模方法。该方法以同时具有关系模型和面向对象模型两者优点的对象代理模型为理论基础,将初始隐私对象(称为最小保护单元)抽象为基本对象,将拥有者对该对象的不同隐私视角建模为不同类别和层次的代理对象,将由不同语义隐私操作生成的新隐私模式定义为该隐私类的不同代理类。所生成的新隐私对象既能根据用户需求选择性地释放特定的隐私属性,又能进一步根据不同语义隐私操作创建新的复杂隐私对象,并能通过对象及代理对象之间的更新迁移自动地维持同一隐私对象不同视角之间的一致性,减少隐私管理的代价。同时,为了解决代理类爆炸问题(对应与关系隐私数据模型中的视图爆炸问题),我们引入了切换操作集合扩展对象代理机制,并在对象代理数据库TOTEM中加以实现。
3.基于EPAL规范的隐私保护SQL语言的设计和实现
当前隐私数据库研究的一个基本假设是隐私拥有者有能力为每个隐私项详细地指定他们的隐私要求。但在现实情况下,这种假设并不存在。这是因为隐私策略定义涉及的语义和场景信息较为复杂。本文参考EPAL规范,结合SQL语法标准,设计了隐私保护SQL语言的体系架构,并结合应用场景定义各种操作语义,实现了一种具有SQL简单语法的隐私保护语言。
4.多拥有者隐私数据的隐私策略冲突检测机制
当前隐私数据库研究均认为隐私创建者和隐私拥有者是同一个个体。然而,本文通过研究发现多拥有者隐私的创建者和拥有者通常并不一致,并且多拥有者隐私在进化过程中会不断引入新的数据拥有者,每个隐私拥有者都会提出新的隐私保护要求。因此,使用多拥有者隐私既要满足隐私应用的公共隐私保护要求,也要满足各拥有者个性化的隐私保护要求。本文重点研究多拥有者隐私策略之间的隐私策略冲突问题,构建了拥有者隐私关注(称为隐私约束)图形化描述方式,提出数据库中隐私约束判定方法和一个基于子图同构的多拥有者隐私策略冲突检测方法。该方法用来判断所有拥有者隐私保护要求之间是否存在冲突。通过对象代理模型中源对象和代理对象之间的双向指针,能将同一多拥有者隐私的不同内容视图及其进化内容视图链接在一起,进而将各拥有者定义在不同视图上的隐私策略聚合成统一的隐私策略集合。该方法将该隐私策略集合抽象为一个分层隐私策略图,将每条隐私策略抽象为该图中的一条有向边,将每个隐私约束抽象为一个约束子图。通过比较隐私策略图中是否包含约束子图,来判断该隐私能否被正确的使用。该方法已实现在可信数据库的隐私保护模块中,并从理论和实验两方面验证了该方法的有效性。
5.可信数据库中隐私保护模块的设计和实现本文所作的研究工作都应用在基于TOTEM的可信数据库系统隐私保护模块中,并且运用在以电子邮件为载体的多拥有者隐私保护中。实验证明,本文的研究成果能有效地保护多拥有者隐私。
With the development of the society and the emphasis on the privacy, the research of the privacy database has been one of the hotspots of database security. The privacy database provides some protection mechanism for privacy data usage based on the privacy preferences defined by the privacy data providers. Compared with satefy database, the privacy database should protect the privacy data as well as be easy to use them. The reason why the privacy data protection lacks of uniform protection formula is that the protection for privacy data relies on the preference of privacy data owner. This dissertation is about studies on protection methodologies of multi-owner privacy data and implementation, which includes: the concept and taxonomy of multi-owner privacy data; the methodology of modeling multi-owner privacy data by object deputy model; the privacy data protection language in privacy database based on TOTEM; multi-owner privacy data protection policy detection mechanism and etc. Research contents and innovations of this dissertation are summarized as follows:
1. The privacy concept and formal model for Hippocratci database
Nowadays, the research on privacy database focuses on that have single centralized owners. In fact, another kind of privacy data, which have multiple owners, extensively exists in our daily life. This kind of data usually comes into being in the interactions of multiple individuals, and they will expand in this procedure. Obviously, this kind of data should be treated much carefully. In my thesis, this kind of data and its hiberarchy is described, and the privacy protection demands are reviewed.
2. Methodology of modeling privacy by object deputy mechanism
Privacy data of multi-owner includes the protection demands of the single owner data type, including polymorphism and individuation. It also asks for more demands in data evpOep enWassRciaWe reguOaWRn's prrwcWON, and correspondence of policies defined by multiple defference owners. The single owner privacy daWp Rdeong is Eased Rn We "view" mechanism in the relationship databases. This is a very straightforward method, but cannot meet the demands of multi-owner privacy data type. In the thesis, a multi-owner privacy data modeling method based on the object deputy mechanism is brought forward, which has the merits of relational data models as well as that of object-oriented data models. In the multi-owner privacy data model, the basic objects are the initial privacy data, deputy objects are the different data versions designated by different data owners in different ratings. In this kind of data model, the new data, which are produced in semantic expanding, are defined as deputy data, too. This method can agilely define the attributes of any objects based on the deputy mechanism, generate the new data types based on the relationship of individual basic objects, as well as maintain the coherence of different data versions by objects renovating transference. For the sake of deputy class explosion, we define the switching manipulation to extend the deputy mechanism. In my thesis, the implementation of these methods is described.
3. The privacy data protection language: design and implementation
In the research of privacy database, there is a basic hypothesis that data provider can designate the particular privacy demand for every privacy data type. In the fact, because of the complicated semantic scene, this hypothesis may not be satisfied. In the thesis, an architectonic of privacy data protection language is designed, referring with the EPAL regulations and SQL standards. A demo of the privacy data protection language in TOTEM database is shown in the thesis.
4. Multi-owner privacy policy conflict detection mechanism
In the single owner privacy protection, the data creator and data owner is same individual. However, for the multi-owner, the creator and the owner may be different. Further more, in the procedure of data evolution; there will be new owners, and new demands. The privacy protection mechanism should meet the demands of every individual and that of the all individuals. In the thesis, a method of privacy data protection policy detection mechanism based on the sub-graph isomorphic is provided, which is to detect the collision among different owners. The bi-directional pointer in object deputy model can link all privacy policies defined for the privacy data and its different data versions and evolutional versions by defference owners. These policies form a policy set. Each policy in the set is abstracted as a directed edge, and the policy can be abstracted as a stratified-directed graph. Each policy constraint, which is defined by an owner and used to represent the prohibited privacy data release pattern of the owner, is abstracted as a stratified-directed subgraph. The method how to analyze and model the policy constraints is discussed in the section and an algorithm is proposed to detect whether the stratified-directed subgraph of a privacy constraint mode is isomorphic to the stratified-directed graph of a privacy policy set.
5. The design and implementation of privacy data protection module in the trust database
In the TOTEM, an object deputy database system, there are privacy data protection modules. The methods discussed in my thesis, will be used in the trust database system in TOTEM circumstance. Discussed privacy data protection mechanism will be a part of protection module for emails. In the experimentation, the feasibility and validity of privacy data protection of multi-owner is proved the truth.
引文
[1]Simson Garfinkel, Gene SpafTord著;吕俊辉,崔锦秀,李勇等译;Web安全、隐私和商务;机械工业出版社,2004
[2]Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y., Hippocratic Databases, In Proc.28th Int'l Conf. on Very Large Data Bases, Hong Kong, China, Aug.2002.
[3]Xiaokui Xiao Yufei Tao, Personalized Privacy Preservation,25th ACM SIGMOD International Conference on Management of Data/Principles of Database Systems, Chicago, Illinois, USA; June 26-29,2006.
[4]LeFevre K., Agrawal, R., Ercegovac V., Ramakrishnan R., Xu Y., and DeWittResearch D., Limiting Disclosure in Hippocratic Databases, Proceedings of the 30th VLDB Conference, Toronto, Canada,2004
[5]W3C, The Platform for Privacy Preferences (P3P), W3C Recommendation,16 April 2002, Available at http://www.w3.org/TR/P3P (August 2002).
[6]P.Ashley, S. Hada, G. Karjoth, C. Powers, andM. Schunter. Enterprise Privacy Authorization Language (EPAL). Research Report 3485, IBM Research,2003. http://www.zurich.ibm.com/security/enterprise-privacy/epal/specification.
[7]Michael Backes,0 DOkXV "XUP XWK, and G"Xn WHU DOMRWK; Unification in Privacy Policy (YDOXDWRN-7UDnVOLWng EPAL into Prolog; 5th IEEE International Workshop on Policies for Distributed Systems and 1 HWRUk V(3ROFy'04), 2004
[8]Ji-Won Byun, Elisa Bertino, and k inghui Li, Purpose Based Access Control of Complex 'DMDIRU3 UIYDFY 3 URWFWRN 6ACO A7'05,XnH1-3,2005
[9](. BHWR DnG 5 DYL 6DnGKX "DWDEDVH Security----Concepts, Approached, and CKDOPJH",'(((7UDn VDFWRN 2 n' HSH GDEOHand Secure Computing, Vol.2, k O.1,2005
[10]Jiwon Byun, Elisa Bertino, and k inghui Li. Purpose-based access control for privacy protection in relational database systems. Technical Report 2004-52, Purdue University, 2004.
[11]Ji-Won Byun, Yonglak Sohn, Elisa Bertino, and k inghui Li; Secure Anonymization for Incremental Datasets; SDM 2006, Seoul, Korea,2006
[12]Yu Liu, Ting Wang, Jianhua Feng; A Semantic Information Loss Metric for Privacy Preserving Publication; DASFAA 2010, Part Ⅱ, pp.138-152; 2010
[13]Yufei Tao; Privacy Preserving Publication:Anonymization Frameworks and Principals; Handbook of Database Security:Applications and Trends; 2007;
[14]D. Basin, S.J. Burri and G. Karjoth; Dynamic Enforcement of Abstract Separation of Duty Constraints; Research Report; 2009;
[15]R. Agrawal, R. Srikant, and D. Thomas. Privacy preserving OLAP. In SIGMOD, pages 251-262,2005.
[16]P.6DP DDL PrRtectIng resSRnGents'LGentities in microdata release. TKDE, 13(6):1010-1027,2001.
[17]R. Srikant and R. Agrawal. Mining quantitative association rules in large relational tables. 'n 6'GMOD, SDges 1-12,1996.
[18]Dakshi Agrawal, Charu C. Aggarwal; privacy preserving data mining; 6'GMOD'00, Dallas, Texas,OMMM,
[19]Chao Yao, Lingyu t ang, Xiaoyang Sean t ang, Sushil gajodia: Indistinguishability:The Other Aspect of Privacy. Secure Data Management OMM6:1-17
[OM]LATANYA St EENEY, k-ANONYMITY:A MODEL cOR PROTECTING PRIS ACY, International gournal on r ncertainty, cuzziness and Knowledge-based Systems,1M(5), OMO, 557-57M
[O1]A. Machanavajjhala,g. Gehrke, and D. Kifer.1-diversity:Privacy beyond k-anonymity. In ICDE, OMM6.
[OO]G. Aggarwal, T. ceder, K. Kenthapadi, R. Motwani, R. Panigrahy, D. Thomas, and A. ZKX. AnRnyp L]Ing tDEOs.'n'CD7, SDges 246-258,2005.
[OP]L. Sweeney. Achieving k-anonymity privacy protection using generalization and suppression. International gournal on r ncertainty, cuzziness and Knowledge-based 6ystep s,10(5):571-588,2002.
[O4]K. t ang, P. S. Yu, and S. Chakraborty. Bottom-up generalization:A data mining solution to privacy protectiRn.'n'CDM, SDges 249-256,2004.
[O5]gi-t on Byun, Yonglak Sohn, Elisa Bertino, and Ninghui Li; Secure Anonymization for Incremental Datasets; SDM OMM6, Seoul, Korea, OMM6
[O6]Li, g., t ong, R.C.t., cu, A.t.C., Pei,g.; Anonymization by local recoding in data with attribute hierarchical taxonomies; IEEE Trans. Kobwl. Data Eng. OM(9),1181-1194; OMMS
[O7]t arner, S. L. (1965). Randomized response:a survey technique for eliminating evasive answer bias; gournal of the AmericDn 6tDtLstIcDOAssRcLDtLRn 60,63-69
[C8]Charu C. Aggarwal and Philip S. Yu; A Condensation Approach to Privacy Preserving Data Mining; (DB7'04; SS.183-199;
[09]Charu C. Aggarwal; On Randomization, Public Information and the Curse of Dimensionality; Proc. of International CRnlerence Rn DDtD (ngLneerLng('CD('03), SS. 99-1Mo, OMMP
[PM]C. C. Aggarwal. On k-anonymity and the curse of dimensionality. In s LDB, pages 901-909,2005.
[31]R. Bayardo and R. Agrawal. Data privacy through optimal k-anonymization. In ICDE, PDges 217-228,2005.
[32]P. Pamarati and L. Pweeney. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical Report Technical Report, PRI International, March 1998.
[33]K. LeFevre, D. g. DeWitt, and R. Ramakrishnan. Incognito:Efficient full-domain k-DnRnyP LWy.'n S'GM2 D, pDges 49-60,2005.
[34]K. LeFevre, D. g. DeWitt, and R. Ramakrishnan. Mondrian multidimensional k-anonymity. In ICDE,2MMS.
[35]A. Meyerson and R. Williams. On the complexity of optimal k-anonymity. In PODP, pDges 223-228,2004.
[3S]K. Wang, B. C. M. Fung, and P. P. Yu. HDndLFDppLng DWDFker's FRnⅡdenFe:An alternative to k-anonymization. To appear in Kowledge and Information Pystems.
[37]C. Yao, X. P. Wang, and P. gajodia. Checking for k-anonymity violation by views. In 9 LDB, pDges 910-921,2005.
[38]P. Zhong, Z. Yang, and R. k. Wright. Privacy-enhancing k-anonymization of customer dDWD'n 32DS, pDges 139-147,2005.
[39]k inghui Li, Tiancheng Li, and Puresh s enkatasubramanian; t-Closeness:Privacy Beyond k-Anonymity and l-DLYers LYy;'CDE'07;
[4]Mk. R. Adam and g. C. Worthmann. Pecurity-control methods for statistical databases:a comparative study. ACM Computing SXrYeys,21 (4):515-556,1989.
[41]9 IEKRr 5 DsWRgLDDn SXFLX SXngKR HRng; "7Ke Boundary between Privacy and r tility in DDWD3 XEOsKLng",9 LDB'07,9 IennD Austria; Peptember 23-27,2MM.
[42]David g. Martin Daniel Kifer Ashwin MDFKDnDYDMKDOD-RKDnnes GeKrke; ":RrsWCDse Background Knowledge for Privacy-Preserving Data PublisKIng",'CDE'07,'sWDnEXO, Turkey,2NM.
[43]Raymond ChiWing, Wongy Ada WaiChee, Fu Ke:Dng,-LDn 3eL,"MInIP DOWy A WDFk In Privacy Preserving Data PublisKIng",9 LDB'07,9 IennD A XsWa; Peptember 23-27,2MM7.
[44]Michael Backes, Markus Duermuth, Rainer Pteinwandt; An Algebra for Composing Enterprise Privacy Policies; Research Report RZ 3557; EPORICP 2MM4, LCk P 3193, pages 33-52, Peptember 2MM4;
[45]BIn ZKRX-LDn 3eI;"3reseryIng 3rLYDFy in Pocial k etworks Against k eighborhood A WDFks",'CDE'08, CDnFFun, Mp[IFR, AprLO7-12,2008
[4S]Pandhu, R., Coyne, E.g., Feinstein, e.L. and Youman, C.E.; "Role-Based Access Control Models"; August 199S; IEEE Computer ('EEE 3ress),29 (2):38-47.
[47]Jac-Gil Lee, Kyu-Yong Whang, Wook-Shin Han, and Ⅱ-Yeol Song, Hippocratic XML Databases:A Model and an Access Control Mechanism
[48]Yahiko Kambayashi and Zhiyong Peng:An object deputy model for realization of flexible and powerful objectbases. JournDloI SysWP s'nWJrDWon (1996)329-362.
[49]Z. Peng and Y. Kambayashi:Deputy Mechanisms for 1 bject-l riented Databases. In Proc. of IEEE 11th Int. Conf. on Data Engineering, (1995)333-340.
[50]翟博譞.对象代理数据库语言的设计与实现.武汉大学硕士学位论文200S.
[51]E. Bertino, M. Negri, G. Pelagatti and L. Sbattella.1 bject-oriented query languages:The notion and the issues. IEEE Transactions on Knowledge Data Engineering.1992, s olume 4, Issue 3, pp223-237.
[52]A. Albanoand, A. Antognoni and G. Ghelli. s iew 1 perations on 1 bjects witho oles for a Statically Typed Database Language. Knowledge and Data Engineering.2000, s olume 12, Issue 4, pp.548-5S7.
[53]S. Heiler and S. Zdonick.1 bject views:Extending the vision. In Proceedings of the Sixth International Conference on Data Engineering.1990, pp.8S-93.
[54]Ji-Won Byun, Elisa Bertino, and Ninghui Li, Micro-views, or on how to protect privacy zKllH HpKDnclnJ GDWD XsDELLW-ConcHSWand Challenges, SIGM1 Doecord, sol.35, No.1, Mar.200S
[55]Michael Backes, Birgit Pfitzmann, and Matthias Schunter; A Toolkit for Managing Enterprise Privacy Policies; www.zurich.ibm.com/security/.../BaPfSc2003-Privacy Toolbox-ESORICS.pdf
[5S]Matthias Schunter, Paul Ashley; The Platform for Enterprise Privacy Practices; www.zurich. ibm. com/-mts/bibliography/AsSc_02. EP3PatISSE.pdf
[57]ANDoEW C. MYEoS, BAoBAoA LISK1 s; Protecting Privacy r sing the Decentralized Label Model; ACM Transactions on Software Engineering and 0 HWoGoloJy,9 ol.9,1 o.4,2 cWEH 2000,3DHs 410-442.
[58]Katia Hayati and Martin Abadi; Language-Based Enforcement of Privacy Policies; PET 2004, pp.302-313,2005
[59]Adam Barth, John C. Mitchell, and Justin Rosensein; Conflict and Combination in Privacy PRlicy Lanjuajes; WPES'04, OctRber 28,2004, WashinjtRn DC, USA
[SO]'van Olp Rs, Jesus A. GRnzalez, and MauriciR OsRriR, "ReductiRns between the Subjraph Isomorphism Problem and e amiltonian and SAT prRblep s", CON'ELECOMP'07,2007.
[S1]Ji-WRn Byun, Elisa BertinR, and Ninjhui Li, "Tamings erificatione ardness WAn bfficient AlJRrithp IRr TestinJ Subjraph'sRP Rrphisp ", VLDB'08, Aujust 24-30,2008.
[62]Samuel R. Buss, "Alogtime Algorithms for Tree Isomorphism, Comparison, and Canonization", Proceeding of the 5th Kurt Godel Colloquium on Computational Logic and mroofqheoryI 199T I 18-PP
[63]WEI Xue-lian and LIA1 G Hua-jin, "A B8 LT Algorithms for Tree Isomorphism", ACTA PCfENqfAor j NAqroAi frjrNfs EoPfqAqfP Pr NYAqPENfIsolK44INoKIS Nov 200R
[64]Sergei O. Kuznetsov and Sergei A.2 biedkov, "ComSaring 3erformance of AOgoritKmsfor Generating ConceSt Lattices", Journal of bxperimental and Theoretical Artificial fntelligence,1999,71(516):199J204
[65]vu i iu, Ting t ang, gianhua ceng; A Semantic fnformation i oss Metric formrivacy mreserving mublication; a ASc AA 2010, mart ff, pp.138J152; 2010
[66]任毅,彭智勇,程玉容;基于对象代理的隐私数据模型研究,计算机研究与发展增刊,2006.11
[67]Zhiyong meng, et al. TOTbM:An Object a eputy a atabase System. Submitted to ACM Transactions on Database Systems.
[68]Berhard Kempter and s italian A. a anciu; d eneric policy conflict handling using a priori models;
[69]Michael Carl Tschantz and geannette M. t ing; cormal Methods for mrivacy;cM 2009, SS-1-15,2009;
[70]Ying(?)u Li, Haibing Lu; "Disc(?)sure Ana(?)ysis and ControOin 6tatisticaODatabases"; bSOofCS 2008, pp.146-160,2008.
[71]AsKisK undu, ((?)sa Bertino; "6tructuraO6ignatures for 7ree Data 6tructure"; 9 LDB'08, Auckland, k ew Zealand,2008
[72]张坤,李庆忠,史玉良;面向SaaS应用的数据组合隐私保护机制研;计算机学报;第33卷第11期,pp:2044J2054,2010.11
[73]周水庚,李丰,陶宇飞,肖小奎;面向数据库应用的隐私保护研究综述;计算机学报;第32卷第5期,pp:847J861,2009.05
[74]Samuel-. Burri, Giinter Karjoth, DaYid Basin; Peparation of a uties as a Pervice Xo esearch o eportIoZPT84I http (?)dominoKwatsonKibmKcomLibraryLcyberdigKnsfL1e411 RaeaT8bSeTc8R2RSbPS00SSfOd4Lb0 bd2Pfl Te8dd4208R2RTTTe00284PPb!l pena ocumentCe ighlight=0Ikarjoth X2010X
[75]Gunter Karjoth; An 2perational Semantics of -aYa 2 Access Control; Research Report, R= P22TI http (?)dominoKwatsonKibmKcomLibraryLcyberdigKnsfLpapersLcEA1E2EPRSPCacPc8R2RS8a 90 041EEBELAcileLrzP22TKpdfX2000X
[76]Bin Zhou, Yi Han, Jian Pei, Bin Jiang, Yufei Tao, Yan Jia; Continuous Privacy Preserving PublishinJ; EDBT 2009, March 24-26,2009, Saint PHHsburJ, Russia.
[77]Alin Deutsch; Privacy in database publishing:A Bayesian Perspective; Handbook of Database Security:Applications and Trends; 2007;
[78]Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor; Oue Data, Ourselves:Privacy via Distributed Noise Generation;
[79]Yufei Tao; Privacy Preserving Publication:Anonymization Frameworks and Principals; Handbook of Database Security:Applications and Trends; 2007;
[80]Miranda Mowbray, Siani Pearson; A Client-Based Privacy Manager for Cloud Computing; COMSWARE'09,-unHl6-19,2009, Dublin,'rHand.
[81]Yinian Qi, and Mikhail-. Atallah, "EfficiHnt PriYacy-PrHsHYinJ k-NHarHst NHJhbor SHarch", fn WProc. of fnternational Conference on a istributed Computing System ECa CS), OMM9, pp. PNNPN9
[82]o, G.--. Ahn, and M. ShHhab "Privacy-EnhancHl UsH-CHntric'dHntity ManaJHP Hnt," Proc. 'EEE'nt'l Conf. Cop p unications,'EEE PrHss,2009, SS.998-1002.
[83]Hyokyung Chang and buiin Choi; Challenges and Security in Cloud Computing; cd Ck OMMN, Part",CC'S 120, SS.214-217,2010
[84]Sadie Creese, Paul Hopkins, Siani Pearson, and Yun Shen; a ata Protection-Aware a esign for Cloud SHYicH; CloudCop 2009, SS.119-130,2009;
[85]t assim ftani Ayman h ayssi Ali Chehab; Privacy as a Service WPrivacy-Aware a ata Storage and Processing in Cloud Computing Architectures; OMM9 bighth fbbb fnternational Conference on a ependable, Autonomic and Secure Computing; OMM9
[86]定义隐私策略, http//:Wublib.boulder.ibm.com/tividd/td/fTPMb/SCCP-NOUQ-MMzh_Ck/ HTMi/pTCplmstOO.htm
[87]HyangChang Choi, SeungYong i ee, and HyungHyo i ee; a esign and fmplementation of a Policy-Based Privacy Authorization System; OMMS fntelligence and Security fnformation HSf 2006), San DiHo, CA, USA, May 2006, SS.129-140.
[2]Agrawal, R., Kiernan, J., Srikant, R., and Xu, Y., Hippocratic Databases, In Proc.28th Int'l Conf. on Very Large Data Bases, Hong Kong, China, Aug.2002.
[3]Xiaokui Xiao Yufei Tao, Personalized Privacy Preservation,25th ACM SIGMOD International Conference on Management of Data/Principles of Database Systems, Chicago, Illinois, USA; June 26-29,2006.
[4]LeFevre K., Agrawal, R., Ercegovac V., Ramakrishnan R., Xu Y., and DeWittResearch D., Limiting Disclosure in Hippocratic Databases, Proceedings of the 30th VLDB Conference, Toronto, Canada,2004
[5]W3C, The Platform for Privacy Preferences (P3P), W3C Recommendation,16 April 2002, Available at http://www.w3.org/TR/P3P (August 2002).
[6]P.Ashley, S. Hada, G. Karjoth, C. Powers, andM. Schunter. Enterprise Privacy Authorization Language (EPAL). Research Report 3485, IBM Research,2003. http://www.zurich.ibm.com/security/enterprise-privacy/epal/specification.
[7]Michael Backes,0 DOkXV "XUP XWK, and G"Xn WHU DOMRWK; Unification in Privacy Policy (YDOXDWRN-7UDnVOLWng EPAL into Prolog; 5th IEEE International Workshop on Policies for Distributed Systems and 1 HWRUk V(3ROFy'04), 2004
[8]Ji-Won Byun, Elisa Bertino, and k inghui Li, Purpose Based Access Control of Complex 'DMDIRU3 UIYDFY 3 URWFWRN 6ACO A7'05,XnH1-3,2005
[9](. BHWR DnG 5 DYL 6DnGKX "DWDEDVH Security----Concepts, Approached, and CKDOPJH",'(((7UDn VDFWRN 2 n' HSH GDEOHand Secure Computing, Vol.2, k O.1,2005
[10]Jiwon Byun, Elisa Bertino, and k inghui Li. Purpose-based access control for privacy protection in relational database systems. Technical Report 2004-52, Purdue University, 2004.
[11]Ji-Won Byun, Yonglak Sohn, Elisa Bertino, and k inghui Li; Secure Anonymization for Incremental Datasets; SDM 2006, Seoul, Korea,2006
[12]Yu Liu, Ting Wang, Jianhua Feng; A Semantic Information Loss Metric for Privacy Preserving Publication; DASFAA 2010, Part Ⅱ, pp.138-152; 2010
[13]Yufei Tao; Privacy Preserving Publication:Anonymization Frameworks and Principals; Handbook of Database Security:Applications and Trends; 2007;
[14]D. Basin, S.J. Burri and G. Karjoth; Dynamic Enforcement of Abstract Separation of Duty Constraints; Research Report; 2009;
[15]R. Agrawal, R. Srikant, and D. Thomas. Privacy preserving OLAP. In SIGMOD, pages 251-262,2005.
[16]P.6DP DDL PrRtectIng resSRnGents'LGentities in microdata release. TKDE, 13(6):1010-1027,2001.
[17]R. Srikant and R. Agrawal. Mining quantitative association rules in large relational tables. 'n 6'GMOD, SDges 1-12,1996.
[18]Dakshi Agrawal, Charu C. Aggarwal; privacy preserving data mining; 6'GMOD'00, Dallas, Texas,OMMM,
[19]Chao Yao, Lingyu t ang, Xiaoyang Sean t ang, Sushil gajodia: Indistinguishability:The Other Aspect of Privacy. Secure Data Management OMM6:1-17
[OM]LATANYA St EENEY, k-ANONYMITY:A MODEL cOR PROTECTING PRIS ACY, International gournal on r ncertainty, cuzziness and Knowledge-based Systems,1M(5), OMO, 557-57M
[O1]A. Machanavajjhala,g. Gehrke, and D. Kifer.1-diversity:Privacy beyond k-anonymity. In ICDE, OMM6.
[OO]G. Aggarwal, T. ceder, K. Kenthapadi, R. Motwani, R. Panigrahy, D. Thomas, and A. ZKX. AnRnyp L]Ing tDEOs.'n'CD7, SDges 246-258,2005.
[OP]L. Sweeney. Achieving k-anonymity privacy protection using generalization and suppression. International gournal on r ncertainty, cuzziness and Knowledge-based 6ystep s,10(5):571-588,2002.
[O4]K. t ang, P. S. Yu, and S. Chakraborty. Bottom-up generalization:A data mining solution to privacy protectiRn.'n'CDM, SDges 249-256,2004.
[O5]gi-t on Byun, Yonglak Sohn, Elisa Bertino, and Ninghui Li; Secure Anonymization for Incremental Datasets; SDM OMM6, Seoul, Korea, OMM6
[O6]Li, g., t ong, R.C.t., cu, A.t.C., Pei,g.; Anonymization by local recoding in data with attribute hierarchical taxonomies; IEEE Trans. Kobwl. Data Eng. OM(9),1181-1194; OMMS
[O7]t arner, S. L. (1965). Randomized response:a survey technique for eliminating evasive answer bias; gournal of the AmericDn 6tDtLstIcDOAssRcLDtLRn 60,63-69
[C8]Charu C. Aggarwal and Philip S. Yu; A Condensation Approach to Privacy Preserving Data Mining; (DB7'04; SS.183-199;
[09]Charu C. Aggarwal; On Randomization, Public Information and the Curse of Dimensionality; Proc. of International CRnlerence Rn DDtD (ngLneerLng('CD('03), SS. 99-1Mo, OMMP
[PM]C. C. Aggarwal. On k-anonymity and the curse of dimensionality. In s LDB, pages 901-909,2005.
[31]R. Bayardo and R. Agrawal. Data privacy through optimal k-anonymization. In ICDE, PDges 217-228,2005.
[32]P. Pamarati and L. Pweeney. Protecting privacy when disclosing information: k-anonymity and its enforcement through generalization and suppression. Technical Report Technical Report, PRI International, March 1998.
[33]K. LeFevre, D. g. DeWitt, and R. Ramakrishnan. Incognito:Efficient full-domain k-DnRnyP LWy.'n S'GM2 D, pDges 49-60,2005.
[34]K. LeFevre, D. g. DeWitt, and R. Ramakrishnan. Mondrian multidimensional k-anonymity. In ICDE,2MMS.
[35]A. Meyerson and R. Williams. On the complexity of optimal k-anonymity. In PODP, pDges 223-228,2004.
[3S]K. Wang, B. C. M. Fung, and P. P. Yu. HDndLFDppLng DWDFker's FRnⅡdenFe:An alternative to k-anonymization. To appear in Kowledge and Information Pystems.
[37]C. Yao, X. P. Wang, and P. gajodia. Checking for k-anonymity violation by views. In 9 LDB, pDges 910-921,2005.
[38]P. Zhong, Z. Yang, and R. k. Wright. Privacy-enhancing k-anonymization of customer dDWD'n 32DS, pDges 139-147,2005.
[39]k inghui Li, Tiancheng Li, and Puresh s enkatasubramanian; t-Closeness:Privacy Beyond k-Anonymity and l-DLYers LYy;'CDE'07;
[4]Mk. R. Adam and g. C. Worthmann. Pecurity-control methods for statistical databases:a comparative study. ACM Computing SXrYeys,21 (4):515-556,1989.
[41]9 IEKRr 5 DsWRgLDDn SXFLX SXngKR HRng; "7Ke Boundary between Privacy and r tility in DDWD3 XEOsKLng",9 LDB'07,9 IennD Austria; Peptember 23-27,2MM.
[42]David g. Martin Daniel Kifer Ashwin MDFKDnDYDMKDOD-RKDnnes GeKrke; ":RrsWCDse Background Knowledge for Privacy-Preserving Data PublisKIng",'CDE'07,'sWDnEXO, Turkey,2NM.
[43]Raymond ChiWing, Wongy Ada WaiChee, Fu Ke:Dng,-LDn 3eL,"MInIP DOWy A WDFk In Privacy Preserving Data PublisKIng",9 LDB'07,9 IennD A XsWa; Peptember 23-27,2MM7.
[44]Michael Backes, Markus Duermuth, Rainer Pteinwandt; An Algebra for Composing Enterprise Privacy Policies; Research Report RZ 3557; EPORICP 2MM4, LCk P 3193, pages 33-52, Peptember 2MM4;
[45]BIn ZKRX-LDn 3eI;"3reseryIng 3rLYDFy in Pocial k etworks Against k eighborhood A WDFks",'CDE'08, CDnFFun, Mp[IFR, AprLO7-12,2008
[4S]Pandhu, R., Coyne, E.g., Feinstein, e.L. and Youman, C.E.; "Role-Based Access Control Models"; August 199S; IEEE Computer ('EEE 3ress),29 (2):38-47.
[47]Jac-Gil Lee, Kyu-Yong Whang, Wook-Shin Han, and Ⅱ-Yeol Song, Hippocratic XML Databases:A Model and an Access Control Mechanism
[48]Yahiko Kambayashi and Zhiyong Peng:An object deputy model for realization of flexible and powerful objectbases. JournDloI SysWP s'nWJrDWon (1996)329-362.
[49]Z. Peng and Y. Kambayashi:Deputy Mechanisms for 1 bject-l riented Databases. In Proc. of IEEE 11th Int. Conf. on Data Engineering, (1995)333-340.
[50]翟博譞.对象代理数据库语言的设计与实现.武汉大学硕士学位论文200S.
[51]E. Bertino, M. Negri, G. Pelagatti and L. Sbattella.1 bject-oriented query languages:The notion and the issues. IEEE Transactions on Knowledge Data Engineering.1992, s olume 4, Issue 3, pp223-237.
[52]A. Albanoand, A. Antognoni and G. Ghelli. s iew 1 perations on 1 bjects witho oles for a Statically Typed Database Language. Knowledge and Data Engineering.2000, s olume 12, Issue 4, pp.548-5S7.
[53]S. Heiler and S. Zdonick.1 bject views:Extending the vision. In Proceedings of the Sixth International Conference on Data Engineering.1990, pp.8S-93.
[54]Ji-Won Byun, Elisa Bertino, and Ninghui Li, Micro-views, or on how to protect privacy zKllH HpKDnclnJ GDWD XsDELLW-ConcHSWand Challenges, SIGM1 Doecord, sol.35, No.1, Mar.200S
[55]Michael Backes, Birgit Pfitzmann, and Matthias Schunter; A Toolkit for Managing Enterprise Privacy Policies; www.zurich.ibm.com/security/.../BaPfSc2003-Privacy Toolbox-ESORICS.pdf
[5S]Matthias Schunter, Paul Ashley; The Platform for Enterprise Privacy Practices; www.zurich. ibm. com/-mts/bibliography/AsSc_02. EP3PatISSE.pdf
[57]ANDoEW C. MYEoS, BAoBAoA LISK1 s; Protecting Privacy r sing the Decentralized Label Model; ACM Transactions on Software Engineering and 0 HWoGoloJy,9 ol.9,1 o.4,2 cWEH 2000,3DHs 410-442.
[58]Katia Hayati and Martin Abadi; Language-Based Enforcement of Privacy Policies; PET 2004, pp.302-313,2005
[59]Adam Barth, John C. Mitchell, and Justin Rosensein; Conflict and Combination in Privacy PRlicy Lanjuajes; WPES'04, OctRber 28,2004, WashinjtRn DC, USA
[SO]'van Olp Rs, Jesus A. GRnzalez, and MauriciR OsRriR, "ReductiRns between the Subjraph Isomorphism Problem and e amiltonian and SAT prRblep s", CON'ELECOMP'07,2007.
[S1]Ji-WRn Byun, Elisa BertinR, and Ninjhui Li, "Tamings erificatione ardness WAn bfficient AlJRrithp IRr TestinJ Subjraph'sRP Rrphisp ", VLDB'08, Aujust 24-30,2008.
[62]Samuel R. Buss, "Alogtime Algorithms for Tree Isomorphism, Comparison, and Canonization", Proceeding of the 5th Kurt Godel Colloquium on Computational Logic and mroofqheoryI 199T I 18-PP
[63]WEI Xue-lian and LIA1 G Hua-jin, "A B8 LT Algorithms for Tree Isomorphism", ACTA PCfENqfAor j NAqroAi frjrNfs EoPfqAqfP Pr NYAqPENfIsolK44INoKIS Nov 200R
[64]Sergei O. Kuznetsov and Sergei A.2 biedkov, "ComSaring 3erformance of AOgoritKmsfor Generating ConceSt Lattices", Journal of bxperimental and Theoretical Artificial fntelligence,1999,71(516):199J204
[65]vu i iu, Ting t ang, gianhua ceng; A Semantic fnformation i oss Metric formrivacy mreserving mublication; a ASc AA 2010, mart ff, pp.138J152; 2010
[66]任毅,彭智勇,程玉容;基于对象代理的隐私数据模型研究,计算机研究与发展增刊,2006.11
[67]Zhiyong meng, et al. TOTbM:An Object a eputy a atabase System. Submitted to ACM Transactions on Database Systems.
[68]Berhard Kempter and s italian A. a anciu; d eneric policy conflict handling using a priori models;
[69]Michael Carl Tschantz and geannette M. t ing; cormal Methods for mrivacy;cM 2009, SS-1-15,2009;
[70]Ying(?)u Li, Haibing Lu; "Disc(?)sure Ana(?)ysis and ControOin 6tatisticaODatabases"; bSOofCS 2008, pp.146-160,2008.
[71]AsKisK undu, ((?)sa Bertino; "6tructuraO6ignatures for 7ree Data 6tructure"; 9 LDB'08, Auckland, k ew Zealand,2008
[72]张坤,李庆忠,史玉良;面向SaaS应用的数据组合隐私保护机制研;计算机学报;第33卷第11期,pp:2044J2054,2010.11
[73]周水庚,李丰,陶宇飞,肖小奎;面向数据库应用的隐私保护研究综述;计算机学报;第32卷第5期,pp:847J861,2009.05
[74]Samuel-. Burri, Giinter Karjoth, DaYid Basin; Peparation of a uties as a Pervice Xo esearch o eportIoZPT84I http (?)dominoKwatsonKibmKcomLibraryLcyberdigKnsfL1e411 RaeaT8bSeTc8R2RSbPS00SSfOd4Lb0 bd2Pfl Te8dd4208R2RTTTe00284PPb!l pena ocumentCe ighlight=0Ikarjoth X2010X
[75]Gunter Karjoth; An 2perational Semantics of -aYa 2 Access Control; Research Report, R= P22TI http (?)dominoKwatsonKibmKcomLibraryLcyberdigKnsfLpapersLcEA1E2EPRSPCacPc8R2RS8a 90 041EEBELAcileLrzP22TKpdfX2000X
[76]Bin Zhou, Yi Han, Jian Pei, Bin Jiang, Yufei Tao, Yan Jia; Continuous Privacy Preserving PublishinJ; EDBT 2009, March 24-26,2009, Saint PHHsburJ, Russia.
[77]Alin Deutsch; Privacy in database publishing:A Bayesian Perspective; Handbook of Database Security:Applications and Trends; 2007;
[78]Cynthia Dwork, Krishnaram Kenthapadi, Frank McSherry, Ilya Mironov, and Moni Naor; Oue Data, Ourselves:Privacy via Distributed Noise Generation;
[79]Yufei Tao; Privacy Preserving Publication:Anonymization Frameworks and Principals; Handbook of Database Security:Applications and Trends; 2007;
[80]Miranda Mowbray, Siani Pearson; A Client-Based Privacy Manager for Cloud Computing; COMSWARE'09,-unHl6-19,2009, Dublin,'rHand.
[81]Yinian Qi, and Mikhail-. Atallah, "EfficiHnt PriYacy-PrHsHYinJ k-NHarHst NHJhbor SHarch", fn WProc. of fnternational Conference on a istributed Computing System ECa CS), OMM9, pp. PNNPN9
[82]o, G.--. Ahn, and M. ShHhab "Privacy-EnhancHl UsH-CHntric'dHntity ManaJHP Hnt," Proc. 'EEE'nt'l Conf. Cop p unications,'EEE PrHss,2009, SS.998-1002.
[83]Hyokyung Chang and buiin Choi; Challenges and Security in Cloud Computing; cd Ck OMMN, Part",CC'S 120, SS.214-217,2010
[84]Sadie Creese, Paul Hopkins, Siani Pearson, and Yun Shen; a ata Protection-Aware a esign for Cloud SHYicH; CloudCop 2009, SS.119-130,2009;
[85]t assim ftani Ayman h ayssi Ali Chehab; Privacy as a Service WPrivacy-Aware a ata Storage and Processing in Cloud Computing Architectures; OMM9 bighth fbbb fnternational Conference on a ependable, Autonomic and Secure Computing; OMM9
[86]定义隐私策略, http//:Wublib.boulder.ibm.com/tividd/td/fTPMb/SCCP-NOUQ-MMzh_Ck/ HTMi/pTCplmstOO.htm
[87]HyangChang Choi, SeungYong i ee, and HyungHyo i ee; a esign and fmplementation of a Policy-Based Privacy Authorization System; OMMS fntelligence and Security fnformation HSf 2006), San DiHo, CA, USA, May 2006, SS.129-140.