Differential Privacy-Based Spatial-Temporal Trajectory Clustering Scheme for LBSNs

Abstract

Location privacy preserving for location-based social networks (LBSNs) has been attracting a great deal of attention. Existing location privacy protection methods are disadvantaged by issues such as information leakage and low data availability, which are no longer suitable for the current diverse and personalized location-based services. To address these issues, we propose a differential privacy-based spatial-temporal trajectory clustering (DP-STTC) scheme, which mainly transforms the existing location privacy protection mechanism into a spatial-temporal trajectory protection mechanism by adjusting the privacy parameters. Then, the trajectories were clustered to uncover users with similar trajectory characteristics. Finally, experiments were conducted on two real datasets. The experimental results show that our DP-STTC scheme can not only achieve better accuracy in trajectory clustering, but also protect user privacy.

1. Introduction

Location-based social networks (LBSNs) have undergone development in recent years due to the widespread usage of various mobile devices and the rapid development of location technology. According to surveys, approximately 80% of applications people use in their daily lives are related to location-based services, such as entertainment services, navigation services, and services provided by wearable devices [1,2,3].

However, while LBSNs offer users a positive experience, they frequently request user location information and generate user behavioral trajectory data. In order to achieve potential economic value, LBS service providers offer the collected user trajectory data to corresponding research institutions for data mining and analysis, so as to achieve accurate recommendations and personalized services. When trajectory data are released, there may be major privacy leaks because they contain a lot of sensitive information and spatial-temporal information [4,5,6]. Attackers can not only obtain users’ geographical activity location data through the original trajectory dataset, but also deduce their interests, habits, health status, social relationships, and home address through big data analysis, which may lead to serious consequences.

In LBSNs, mobile clients generate mobile trajectory sequences by connecting the location data accessed by users in a chronological order. The majority of current location privacy protection systems ignore spatial-temporal correlation in favor of protecting specific places or trajectories. Based on our observation, the method of generating virtual location protection proposed in articles [7,8], and the geographical indistinguishability method presented in article [9] solely address spatial information between locations and disregard the protection of time information. Similarly, the location obfuscation protection method suggested in article [10] solely takes spatial information into account, whereas article [11] exclusively considers time information. This makes it easy for attackers to infer user behavior patterns and fails to protect sensitive information about user spatial-temporal activities. These mechanisms are no longer capable of meeting the future development needs of diverse and personalized location services. To address this problem, a differential privacy-based spatial-temporal trajectory clustering (DP-STTC) scheme is proposed in this paper. First, the mobile client processes each user’s initial location. The location privacy protection based on spatial-temporal activity is realized by adjusting the privacy parameters. Then, the disturbed trajectory sequences are generated according to the time characteristic of locations. Finally, the disturbed trajectory sequences are uploaded by the mobile client to the server, aiming to obtain clustering outcomes from the server side.

The significant contributions brought forward by this paper are as follows:

(1)

We constructed a differential privacy-based spatial-temporal trajectory protection framework. The spatial-temporal activity privacy protection mechanism was proposed to achieve the protection of users’ spatial-temporal activity privacy;

(2)

We proposed a trajectory clustering technology that groups trajectories into different clusters through considering the semantic distance between trajectories;

(3)

We conducted an extensive experimental study to verify the functions and performance of the proposed DP-STTC scheme on two real datasets. The experiment results show that our DP-STTC scheme can cluster the trajectories privately.

2. Background and Related Work

2.1. Trajectory Clustering

The process of grouping the trajectory objects into different clusters based on how similar their trajectories are is known as trajectory clustering. Based on the clustering model, the clustering algorithm can be divided into four aspects: partitional clustering [12], density clustering [13], grid clustering, and hierarchical clustering [14]. In addition to introducing the idea of trajectory segment similarity for the first time, Lee et al. [15] also provided a framework for trajectory clustering based on grouping. The trajectory is divided into multiple trajectory segments using the local characteristics of the trajectory, and the similar trajectory segments are clustered to find common sub-trajectories. Cheng et al. [16] improved the previous work [15] by proposing a clustering method based on the temporal and spatial similarity between sub-trajectories. First, each sub-distance of spatial distance is defined and calculated to obtain the spatial similarity measure. Then, the temporal similarity formula based on the LCSS model is proposed considering the time factor. During clustering, Wang et al.’s suggested trajectory similarity assessment methodology [17] accounted for trajectories’ form characteristics in addition to their temporal and spatial components. A semantic trajectory clustering approach that combines the similarity matrix with the k-NN algorithm was outlined by Qiao et al. [18]. Xu et al. [19] proposed a trajectory clustering algorithm which considers semantic and geographical distances. Using this approach, the trajectories are organized into various clusters based on the potential distance. A machine-learning-based approach for anonymizing trajectory data was proposed by Shaham et al. [20]. The authors utilized the k-means algorithm to cluster trajectories while safeguarding against sensitive data leakage through an enhanced version of the k-means algorithm.

2.2. Privacy Preserving of Trajectories

The existing methods for trajectory privacy protection are mainly divided into three aspects: fake trajectories, trajectory generalization, and suppression technology. The fake trajectory technique [21] generates fake trajectories based on original user trajectories and publishes them to the server. The basic principle of the trajectory generalization technique [22] is similar to the location generalization technique, and the commonly used method is k-anonymity. To accomplish trajectory privacy protection, the trajectory suppression approach [23] directly eliminates or conceals some sensitive locations in the trajectory. These privacy-preserving approaches discussed above require previous knowledge of the background information which the attacker possesses, and do not offer quantitative privacy guarantees.

The privacy-preserving model named differential privacy was proposed by Dwork et al. [24] in 2006, which solves two shortcomings of traditional privacy-preserving models. It has a strict mathematical definition and does not need to take the attacker’s prior information into account. The geographic indistinguishability mechanism was proposed by Andrés [9] et al. To increase time efficiency, Hua et al. [25] suggested a location generalization approach based on differential privacy utilizing a K-means clustering algorithm. In order to satisfy differential privacy and safeguard potential social relationships between two user trajectories, Ou et al. [26] presented an N-body Laplacian architecture. Yang et al. [27] presented a quadtree indexing technique for perturbing trajectory data through location generalization and local differential privacy strategies. The approach considers the correlation between neighboring spatial and temporal nodes, while safeguarding the privacy of the user’s trajectory. Zheng et al. [28] presented a privacy-preserving location trajectory data sharing technique that is sensitive to semantics. This method simultaneously safeguards both user data privacy and semantic privacy, achieving an improved equilibrium between privacy and utility. Wu et al. [29] proposed a trajectory-related privacy protection mechanism that satisfies differential privacy. This method considers the trajectory association problem between multiple users and realizes the protection of trajectory correlation between multiple users.

2.3. Spatial-Temporal Data Privacy Preservation

Trajectories exhibit high temporal and spatial correlation, and users’ daily trajectories also usually show regular changes. It is simple for attackers to infer behavioral activity patterns if they have certain background information. Hence, safeguarding users’ spatial-temporal data is crucial. A predictive perturbation method based on the correlation between different locations was proposed by Chatzikokolakis et al. [30]. The technique predicts a new location based on the previous one, enabling continuous sharing of spatial-temporal data while protecting privacy. Xiao et al. [31] introduced the concept of $\delta$-Location Set and suggested a novel location perturbation method, PIM, to assure the availability of data by lowering the magnitude of added noise. This was carried out according to the location correlation of spatial-temporal data. The idea of sequence indistinguishability was developed by Wang and Xu [32], who also put forward a plan for distributing correlated time series data based on differential privacy. This scheme prevents attackers from distinguishing between the noisy sequence and the original sequence. The ConTPL technique was suggested by Cao et al. [33] after they examined the privacy-leaking issue of conventional differential privacy under temporal correlation. Ghane et al. [34] introduced a novel trajectory generation algorithm called TGM. This algorithm retains both the spatial and temporal information of the trajectories generated within the dataset, while also ensuring the provision of a differential privacy guarantee.

3. Overview of the DP-STTC Scheme

3.1. Problem Definition

Definition 1 

($ϵ$-differential privacy [35]). The randomized algorithm $F$ satisfies $ϵ$-differential privacy if, and only if, any possible output outcome $Y$ on adjacent data set  $D_1$ and  $D_2$ satisfies:

$$\mathrm{Pr}\left[F\left(D_1\right)\in Y\right]\le \exp \left(ϵ\right)\mathrm{Pr}\left[F\left(D_2\right)\in Y\right],$$

(1)

where datasets $D_1$ and $D_2$ are adjacent datasets, which differ by one record from each other at most.

According to the Definition 1, the Global sensitivity of $F$ can be computed as:

$$\Delta F=\underset{D_1,D_2}{\max }‖F\left(D_1\right)-F\left(D_2\right)‖,$$

(2)

where $‖F\left(D_1\right)-F\left(D_2\right)‖$ is the first-order norm distance between $F\left(D_1\right)$ and $F\left(D_2\right)$.

Definition 2 

(δ-Location Set [31]). Let $P_t^{-}\left[i\right]=\mathrm{Pr}\left(L_t=s_i|L_{t-1}{}^{\ast },\dots ,L_1{}^{\ast }\right)$ be the prior probability of the user’s location at timestamp  $t$. $\delta$-Location Set (denoted as  $\Delta X_t$) is a set containing the minimum number of locations that have a prior probability sum of no less than  $1-\delta$. The specific formula is as follows:

$$\Delta X_t=\min \left\{s_i|{\displaystyle \sum _{s_i}{P}_t^{-}\left[i\right]\ge 1-\delta }\right\},$$

(3)

where $p_t^{-}\left[i\right]$ represents the i-th element in $p_t^{-}$, while $L$ and $L^{*}$ represent the actual location and the disturbed location, respectively. For example, if $p_t^{-}=\left[0.1,0.5,0.3,0.02,0.03,0.05\right]$ corresponding to $\left[s_1,s_2,s_3,s_4,s_5,s_6\right]$, then $\Delta X=\left\{s_2,s_3\right\}$ when $\delta =0.2$; $\Delta X=\left\{s_2,s_3,s_1\right\}$ when $\delta =0.1$.

According to the formula of the $\delta$-Location Set, the parameter $\delta$ is inversely proportional to the size of location set $\left|\Delta X_t\right|$. When $\delta$ is larger, $\left|\Delta X_t\right|$ is smaller, and vice versa: the smaller $\delta$ is, the larger $\left|\Delta X_t\right|$ is.

Definition 3 

(location points). Each trajectory location point $L$ consists of a quaternion $〈lon,lat,time,type〉$, where $〈lon,lat,time〉$ denotes the longitude and latitude of the location and the time of passing through the location point, respectively, and  $type$ denotes the semantic description information corresponding to the location.

Definition 4 

(trajectory sequence). The trajectory sequence $T$ is generated by linking the location data accessed by the user in chronological order throughout the day, and can be expressed as:

$$T=L_1\to L_2\to \dots \to L_n$$

(4)

Spatiotemporal activity: The privacy of a participant with a specific pattern of behavior in the real world. For example, “go to the gym every weekend” or “commute between work and home every 8 a.m. and 6 p.m.”. Let $S=\left\{s_1,s_2,\dots ,s_m\right\}$ stand for all possible spatial domains, where $m$ denotes the domain’s size and $s_i$ denotes a location within the domain. $L_t=s_i$ can be used to indicate the situation if the participant is in location $s_i$ at time $t$. In the spatiotemporal activity protection phase, only the location of the location point with respect to time is considered. The exact definition will be given below.

Definition 5 

(spatiotemporal activity). The spatiotemporal activity can consist of a binary group $〈loc,time〉$ or multiple binary equations connected by the Boolean logic operators $AND$, $OR$, $NOT$.

Spatiotemporal activities defined using Boolean expressions enable users to customize their privacy needs in a variety of real-world activities, enabling personalized privacy protection. Spatiotemporal activities often consist of sensitive areas that people need to protect in their daily lives. If a user is present in a sensitive area during a certain time period, it is referred to as a PRESENCE EVENT. If a user visits multiple sensitive areas in consecutive time periods, it is referred to as a PATTERN EVENT. The following are the precise definitions.

Definition 6  

(PRESENCE EVENT [36]). If the user appears in the specified spatial region $S=\left\{s_1,s_2,\dots ,s_m\right\}$ at least once during the provided time period  $T=\left\{t_1,t_2,\dots ,t_n\right\}$, the activity is labeled as $PRESENCE\left(S,T\right)$. For example, if $S=\left\{s_1,s_2\right\}$, $T=\left\{1,2\right\}$, then the PRESENCE EVNET can be expressed as $\left(L_1=s_1\right)\vee \left(L_1=s_2\right)\vee \left(L_2=s_1\right)\vee \left(L_2=s_2\right)$.

Definition 7  

(PATTERN EVENT [36]). If the user appears successively in the specified spatial region $S=\left\{s_1,s_2,\dots ,s_m\right\}$ during the provided time period $T=\left\{t_1,t_2,\dots ,t_n\right\}$, the activity is labeled as $PATTERN\left(S,T\right)$. For example, if $S=\left\{s_1,s_2\right\}$, $T=\left\{1,2\right\}$, then the PATTERN EVNET can be expressed as$\left(\left(L_1=s_1\right)\vee \left(L_1=s_2\right)\right)\wedge \left(\left(L_2=s_1\right)\vee \left(L_2=s_2\right)\right)$.

Definition 8 

($ϵ$-spatiotemporal activity privacy). According to the definition of differential privacy, spatiotemporal activity privacy can be defined as follows: a mechanism satisfies $ϵ$-spatiotemporal activity privacy if, and only if, any observation $\left\{L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }\right\}$ given at any moment  $t$ of  $\left\{1,2,\dots ,T\right\}$ satisfy:

$$Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)\le e^{ϵ}Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|!EVENT\right),$$

(5)

where $EVENT$ is the temporal activity template that the user needs to protect, $!EVENT$ denotes the negation of the activity, and $Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)$ denotes the probability of publishing a location as $L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }$ given the temporal activity template.

3.2. Scheme Design

The architecture of the DP-STTC primarily comprises the mobile client and server. The workflow of the DP-STTC is divided into four stages: acquiring a spatiotemporal activity template, protecting spatiotemporal activity, disturbed trajectory generation, and trajectory clustering. The comprehensive elaborations of the four stages are given as follows:

(1)

Acquiring a spatiotemporal activity template

First, users can customize the privacy information requiring protection in the location-based social network server. Afterward, the LBSN server generates a personalized spatiotemporal activity template based on users’ privacy preferences. The spatiotemporal activity template encompasses one or more spatiotemporal activities that users specify for protection, such as their daily commute between home and the company at 8 a.m. and 5 p.m., and their weekly hospital visits every Monday.

(2)

Protecting spatiotemporal activity

This stage will protect the user’s spatiotemporal activity privacy. The fundamental concept is to transform the existing location privacy protection mechanism into a spatial-temporal activity privacy protection mechanism by adjusting the privacy level. The actual location data collected from the user’s mobile client serves as the original dataset. First, the actual location of the user undergoes processing, and the location privacy protection mechanism is employed to generate the perturbed location. Then, the personalized spatial-temporal activity template is downloaded from the LBSN server, and the disturbance location is quantified by combining the observation sequence and the spatiotemporal activity template to determine whether the $ϵ$-spatiotemporal activity privacy is full. If the conditions are met, the perturbed location can be directly published. Conversely, if the condition is unsatisfied, the privacy parameters of the location privacy protection mechanism need to be adjusted to perturb again until the condition is satisfied.

(3)

Disturbed trajectory generation

During this stage, the mobile client connects the perturbed locations chronologically to create a sequence of perturbed trajectories. The perturbed trajectory sequence is then uploaded to the LBSN server. This process enhances the protection of user privacy.

(4)

Trajectory clustering

This stage is completed on the LBSN server. The mobile client uploads the perturbed trajectory sequence to the server, which calculates the semantic distance to cluster the disturbance trajectory sequence into different clusters.

As depicted in Figure 1, in the mobile client, the user’s actual location data are first processed for spatial-temporal activity protection. This procedure encompasses several steps: processing the user’s actual location data using the location privacy protection mechanism, quantitatively processing it with the template downloaded from the server, and generating perturbed locations. Subsequently, the perturbed locations are connected to form the perturbed trajectory, which is then uploaded to the LBSN server. On the server side, user-defined information is utilized to create a protection template, which is then transmitted to the mobile client. The uploaded disturbance trajectory data from the mobile client are clustered on the server, and the resulting clusters are put out. This process effectively safeguards the user’s trajectory privacy information and prevents attackers from acquiring the user’s genuine trajectory details during both the upload process and on the server side.

3.3. Attack Hypothesis

In general, the attacker’s goal is to steal the real location information of the targeted user, which may be an untrusted third-party server, a participating user, or an external attacker. The attacker may have rich background knowledge such as the user’s historical movement trajectory and the user’s movement preferences, combined with the time information of each trajectory point, the user’s home address, physical health condition, personal hobbies, social relationships, and other sensitive personal information that can be inferred.

4. Models and Algorithms

4.1. Mobile Inference Models and $\delta$-Location Set

Protecting spatial-temporal activities first requires a location privacy protection mechanism that provides general protection for users’ location privacy against unknown risks. The temporal correlation of mobile user locations is not considered by numerous existing location-based privacy-preserving algorithms. The spatial-temporal data, in turn, are highly spatiotemporally correlated and vulnerable to various inference attacks; therefore, the $\delta$-Location Set is chosen to be used as the location privacy protection mechanism. The $\delta$-Location Set is based on a mobile inference model that infers the set of all possible locations of the user at each moment by exploiting the temporal correlation between successive locations of the user. The key idea of the $\delta$-Location Set is to hide the user’s true location within any impossible location, where any location pair is indistinguishable in the set.

The hidden Markov model (HMM) contains multiple mutually independent hidden (true locations) and explicit states (perturbed locations), and its three important parameters are the initial state probability, the transfer matrix, and the emission matrix. We use a vector, $p_t$, to denote the probability distribution of a user’s location. Formally, $P_t\left[i\right]=\mathrm{Pr}\left(L_t=s_i\right)$. Given the probability vector $p_{t-1}$, the probability at timestamp $t$ becomes $p_t=p_{t-1}M$, where matrix $M$ represents the probability that the user moves from one location to another. If given an actual location, $L_t$, and the mechanism releases a perturbed location $L_t{}^{*}$, the emission probability can be expressed as $\mathrm{Pr}\left(L_t{}^{*}\left|L_t=s_i\right.\right)$. The mobile inference model is obtained through the evolution of the HMM inference, assuming that $p_t^{-}$ denotes the prior probability of the location and $p_t^{+}$ denotes the posterior probability of the location. At any moment $t$, the prior probability can be obtained from the posterior probability at the moment $t-1$ after calculation, i.e., $p_t^{-}=p_{t-1}^{+}M$. According to Bayes’ rule, given a perturbed location $L_t{}^{\ast }$, the posterior probability can be obtained by calculating:

$$P_t^{+}\left[i\right]=\mathrm{Pr}\left(L_t=s_i|L_t{}^{\ast }\right)=\frac{\mathrm{Pr}\left(L_t{}^{\ast }|L_t=s_i\right)P_t^{-}\left[i\right]}{{\displaystyle \sum _j\mathrm{Pr}\left(L_t{}^{\ast }|L_t=s_j\right)P_t^{-}\left[j\right]}}$$

(6)

At any moment, this derivation process can be efficiently implemented through the forward–backward algorithm of the HMM.

4.2. Spatial-Temporal Activity Privacy Protection Mechanism

An improved location privacy protection model is proposed and the location privacy protection mechanism (LPPM) is converted into a spatial-temporal activity privacy protection mechanism by adjusting its privacy level. Figure 2 depicts the protection structure, which primarily consists of two components: the quantification method and the location privacy protection mechanism. First, the real location of each time point is generated as perturbation location $L_t{}^{\ast }$ via the LPPM and passed to the quantization mechanism. The quantization mechanism needs to check whether the generated perturbed location $L_t{}^{\ast }$ satisfies the definition by combining the observation sequence and the EVENT template of the spatial-temporal activities provided by Definition 8. If the condition is satisfied, the perturbed location can be published directly; if not, the privacy parameters of the location privacy protection mechanism need to be adjusted to generate a new perturbed location.

The Laplace mechanism is used to add the noise for disturbed location generation. In the DP-STTC scheme, the location privacy protection is performed in the time domain. For the real time $t_i$, the disturbed time $t_i^{*}$ can be computed as:

$$t_i^{*}=t_i+Lap\left(\frac{\Delta F}{{ϵ}_i}\right),$$

(7)

where $\frac{\Delta F}{{ϵ}_i}$ is the parameter of Laplace and ${ϵ}_i$ is the privacy budget of different users. The privacy budget can satisfy different demands of privacy protection, which supports the custom privacy preferences of target user.

In order to ensure the privacy of users and the effectiveness of the data, the proof is necessary for the DP-STTC scheme.

Proof  

(Laplace noise satisfies the ${ϵ}_i$-personalized local differential privacy). In the Laplace mechanism, we let $\lambda =\frac{\Delta F}{{ϵ}_i}$. For any $t^{\prime }\in ℝ$, and any two numerical values $t_i,t_i^{*}\in D$, the following inequality can be acquired as:

$$\frac{Lap\left(t^{\prime }|t_i\right)}{Lap\left(t^{\prime }|t_i^{*}\right)}=\frac{Lap\left(t^{\prime }-t_i\right)}{Lap\left(t^{\prime }-t_i^{*}\right)}=e^{\frac{\left|t^{\prime }-t_i\right|-\left|t^{\prime }-t_i^{*}\right|}{\lambda }}\le e^{{ϵ}_i}$$

(8)

Therefore, the Laplace noise satisfies the ${ϵ}_i$-personalized local differential privacy. □

Referring to previous research [36], an improved spatial-temporal activity privacy protection algorithm is proposed in this paper. The privacy parameters can be adjusted according to a use-defined template. If the generated disturbed location does not meet the $ϵ$-spatiotemporal activity privacy, the disturbed location can be regenerated by user demand. Algorithm 1 illustrates the procedure of improved spatial-temporal activity privacy protection.

Algorithm 1. Improved Spatial-Temporal Activity Privacy Protection Algorithm

Input: Actual Location $L_t$, $ϵ$, LPPM, $M$, $EVENT$ Output: Disturbed location $L_t{}^{\ast }$ 1: if t in $\left\{1,2,\dots ,T\right\}$ then 2: for t in $\left\{1,2,\dots ,T\right\}$ do 3:  generate disturbed location $L_t{}^{\ast }$ from real location with LPPM; 4:  while $ϵ$-spatiotemporal activity privacy is not satisfied do 5:   adjusting privacy parameters and generate $L_t{}^{\ast }$; 6:  end while 7:  release $L_t{}^{\ast }$ 8:    end for 9: else 10:    generate disturbed location $L_t{}^{\ast }$ from real location with LPPM; 11:    release $L_t{}^{\ast }$; 12: end if

As shown in Algorithm 1, line 3 is mainly to generate the disturbed location corresponding to the real location using the LPPM. The main principle of the LPPM is that the Markov model is firstly utilized to generate the $\delta$-location set, which can hide the real location in any impossible locations. Then, the Laplace mechanism is applied to perturb the $\delta$-location set. Finally, the perturbed location $L_t{}^{\ast }$ can be generated from the perturbed $\delta$-location set. In line 5, it is used to adjust the privacy parameters when the perturbed location fails to meet the demand of $ϵ$-spatiotemporal activity privacy. The strategy for adjustment involves the exponential decay of privacy parameters, as smaller values correspond to stronger protection of location privacy and reduced privacy leakage. In DP-STTC, the attenuation rate is set as $\frac{1}{2}$. Although using a smaller value can expedite algorithm convergence, it might lead to excessive interference. On the other hand, larger values can enhance availability.

For example, the given privacy parameter is $\alpha$. First, the perturbed location is generated using the LPPM. Then, if it satisfies the $ϵ$-spatiotemporal activity privacy, it is directly disclosed. However, if it fails to satisfy the demand, the privacy budget $\alpha$ is halved. A new perturbed location is generated. The entire process is then reiterated. From Algorithm 1, we can see that the spatial-temporal activity privacy protection and the location privacy protection are orthogonal. Location privacy protection can provide users with general protection against unknown risks. The privacy protection of spatial-temporal activities can provide users with protection for spatial-temporal activities. When the real location needs to be protected, the used privacy protection mechanism should satisfy $ϵ$-differential privacy, which is defined based on the concept of differential privacy. Similar to the definition that precludes differentiation between any two adjacent datasets, when the perturbed location that satisfies the $ϵ$-spatiotemporal activity privacy is published, potential attackers are rendered incapable of distinguishing the authenticity of the spatial-temporal activity. This comprehensive process maintains the principles of differential privacy.

4.3. Spatial-Temporal Activity Privacy Protection Mechanism

In this paper, we only discuss two types of spatial-temporal activity templates: $PRESENCE$ and $PATTERN$. We assume that the template is defined within continuous time, employing $start$ and $end$ to symbolize the initiation and conclusion of the activity, respectively. Quantization of $ϵ$-spatiotemporal activity privacy determines whether the perturbed location $L_t{}^{\ast }$ generated through the location privacy protection mechanism satisfies inequality $Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)\le e^{ϵ}Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|!EVENT\right)$. Given that the input at moment $t$ is the user’s real location $L_t$ and the output is the emission matrix of the location privacy protection mechanism for the disturbed location $L_t{}^{\ast }$, quantifying $ϵ$-spatiotemporal activity privacy is equivalent to computing the maximum ratio of $\frac{Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)}{Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|!EVENT\right)}$ given any $L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }$. If the correlation between $L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }$ and the actual location is unspecified, calculating this ratio directly from the emission matrix becomes challenging. Because the relationship between the disturbed location $L_t{}^{\ast }$ and EVENT cannot be determined, and the tuples in the EVENT may not be independent.

If the observed $L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }$ and prior probability $P^{-}$ are provided, $Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)$ can be computed using Equation (6).

$$Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)=\frac{Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast },EVENT\right)}{Pr\left(EVENT\right)},$$

(9)

where $Pr\left(EVENT\right)$ is the prior probability of the activity and $Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast },EVENT\right)$ is the joint probability of the activities. Equation (6) can be derived from the conditional probability formula.

The above is based on quantifying the given prior probabilities $P^{-}$ and $L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }$, with some limitations. Next, arbitrary prior probabilities will be discussed in order to restrict the attacker from any prior knowledge of the user.

By setting the prior probability $P^{-}$ as a variable, the $ϵ$-spatiotemporal activity privacy quantification problem can be transformed into a problem of computing the maximum value of

$$\frac{Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|EVENT\right)}{Pr\left(L_1{}^{\ast },L_2{}^{\ast },\dots ,L_t{}^{\ast }|!EVENT\right)}-e^{ϵ},$$

(10)

and requires that the highest value will never be greater than 0 or equal to 0. According to the research of Cao et al. [37], in order to ensure that $ϵ$-spatiotemporal activity privacy is fulfilled at any time, the published disturbed location $L_i{}^{\ast }$ needs to satisfy the following inequality:

$$P^{-}\left(\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]\left(\left(e^{ϵ}-1\right)a^{T}b-e^{ϵ}{a}^{T}c\right){\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]}^T\right)P^{{-}^T}+P^{-}\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]\left(b^T\right)\le 0,$$

(11)

$$P^{-}\left(\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]\left(\left(e^{ϵ}-1\right)a^{T}b+a^{T}c\right){\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]}^T\right)P^{{-}^T}-P^{-}\left[\stackrel{\wedge }{1},\stackrel{\wedge }{0}\right]\left(e^{ϵ}{b}^T\right)\le 0,$$

(12)

where

$$a={{\displaystyle \prod _{i=1}^{k-1}{M}_i\left[0,1\right]}}^T.$$

(13)

For $t\le k$

$$b^T={\stackrel{\wedge }{P}}_{L_1^{*}}{\displaystyle \prod _{i=2}^t\left(M_{i-1}{\stackrel{\wedge }{P}}_{L_i^{*}}\right)}{\displaystyle \prod _{i=t}^{k-1}{M}_i{\left[0,1\right]}^T{c}^T}={\stackrel{\wedge }{P}}_{L_1^{*}}{\displaystyle \prod _{i=2}^t\left(M_{i-1}{\stackrel{\wedge }{P}}_{L_i^{*}}\right)}{\left[1,1\right]}^T.$$

(14)

For $t>k$

$$b^T={\stackrel{\wedge }{P}}_{L_1^{*}}{\displaystyle \prod _{i=2}^t\left(M_{i-1}{\stackrel{\wedge }{P}}_{L_i^{*}}\right)}{\left(\left[1,1\right]{\displaystyle \prod _{i=t-1}^k\left({\stackrel{\wedge }{P}}_{L_{i+1}^{*}}{M}_i^T\right)}\ast \left[0,1\right]\right)}^T,$$

(15)

$$c^T={\stackrel{\wedge }{P}}_{L_1^{*}}{\displaystyle \prod _{i=2}^k\left(M_{i-1}{\stackrel{\wedge }{P}}_{L_i^{*}}\right)}{\left(\left[1,1\right]{\displaystyle \prod _{i=t-1}^k\left({\stackrel{\wedge }{P}}_{L_{i+1}^{*}}{M}_i^T\right)}\ast \left[1,1\right]\right)}^T,$$

(16)

where $a$ is the prior probability of the activity, $b$ is the joint probability of the activity, $c$ is the emission probability given observation $L_t{}^{\ast }$, and $k$ is the last location of the trajectory sequence.

The maximum value problem can be resolved using the quadratic programming approach, because it can be written in the form of $P^{-}A{P}^{{-}^T}=\frac{1}{2}{P}^{-}\left(A+A^T\right)P^{{-}^T}$, where $A$ is a matrix.

4.4. Disturbed Trajectory Generation

This process generates a sequence of perturbed trajectories by connecting the location points after perturbation in the mobile client in the chronological order of the day. Algorithm 2 displays the perturbed trajectory-generating algorithm.

Algorithm 2. Disturbed Trajectory Generation

Input: Disturbed location $L_t{}^{\ast }$ Output: Disturbed trajectory $T^{\ast }$ 1: Initialize $T^{\ast }\leftarrow \varnothing$; Location collection $L\leftarrow \varnothing$ 2: add $L_t{}^{\ast }$ into Location collection $L$; 3: sorting $L$ in chronological order throughout the day; 4: for $L_t{}^{\ast }$ in $L$ do 5:  add $L_t{}^{\ast }$ into $T^{\ast }$; 6: end for 7: Return $T^{\ast }$

4.5. Trajectory Clustering

The location social network server estimates the potential distance between two trajectories by taking into account the semantic distance after receiving the sequence of perturbed trajectories uploaded by the mobile client, and then clustering the trajectories into several clusters.

According to our previous research [19], the semantic distance between trajectory sequences can be calculated using the following formula:

$$SEM\left(T_i^{*},T_j^{*}\right)=\frac{\left|T_i^{*}\cap T_j^{*}\right|}{\left|T_i^{*}\right|+\left|T_j^{*}\right|}$$

(17)

where $\left|T^{*}\right|$ represents the number of trajectory sequence segments, and $\left|T_i^{*}\cap T_j^{*}\right|$ represents the number of common trajectory sequence segments between $T_i^{*}$ and $T_j^{*}$. If two trajectory sequences have more common sub-sequences in semantical space, their semantic distance is reduced.

Algorithm 3 depicts the trajectory clustering process.

Algorithm 3. Trajectory Clustering

Input: Trajectory sequences set $T=\left\{T_1,T_2,\dots ,T_n\right\}$ Output: Trajectory clusters set $C=\left\{C_1,C_2,\dots ,C_k\right\}$ 1: Define $len$ is the length of trajectory sequence, $l$ is the number of common sub-sequence between two trajectories 2: l = 0; 3: for i in $\left\{1,2,\dots ,n\right\}$ do 4:  for j in $\left\{1,2,\dots ,\left(n-1\right)\right\}$ do 5:    $m=\min \left[len\left(T_i\right),len\left(T_j\right)\right]$; 6:   for j in $\left\{1,2,\dots ,\left(m-1\right)\right\}$ do 7:    l = l + 1; 8:   end for 9:   $SEM=\frac{l}{len\left(T_i\right)+len\left(T_j\right)}$ 10:   if $i==1$ then 11:    Put $T_1$ into $C_1$; 12:   else if ${\min }_{i}SEM\left(T_i,C_k\right)\le {\theta }_t$ then 13:    Put $T_i$ into $C_k$; 14:   else if ${\min }_{i}SEM\left(T_i,C_k\right)>{\theta }_t$ then 15:    Create $C_{k+1}$, Put $T_i$ into $C_{k+1}$; 16:  end if 17:  end for 18: end for 19: Return $C$

5. Performance Evaluation

5.1. Experimental Setup

In this study, MatLab is used to analyze the location data and evaluate the effectiveness of the DP-STTC scheme. The initial user trajectory data are obtained from the GPS trajectory dataset of the GeoLife project at the Microsoft Asia Research Institute [38]. First, the data points with longitudes ranging from 115.4 to 117.6 and latitudes ranging from 39.4 to 41.1 are chosen because location data within Beijing is specifically considered for the experiment. Second, 20 × 20 location units of the same size are divided to create the computation disturbance location template. Finally, the Beijing POI dataset is used to tag the semantic information of each location according to the TF-IDF model and our previous study [39]. This dataset is categorized into 20 service types, encompassing the location data of the majority of Beijing’s points of interest. Figure 3 illustrates the generated locations and their corresponding semantic tagging for a specific user. It is evident that the user has visited seven different types of semantic locations within the trajectory sequence. This information can be utilized for trajectory clustering.

The training and testing sets were created from the GPS trajectory dataset. The training set includes 80% of the location data of the trajectory dataset, which can be used to construct a global prior. It can be taken as the average of the individual prior probabilities of all users visiting the area. Then, the obtained average value is used in the post-mapping mechanism to obtain the location of the optimal service quality loss. The testing set includes 20% of the location data of the trajectory dataset, which can be used to evaluate the mechanisms. It constructs a user-specific prior for at least 20 users and measures the service quality loss of the mechanism when users use their own prior.

As to the experimental methods of $PATTERN$ and $PRESENCE$ being the same, only the $PRESENCE$ event is used for simulation experiments in this section. It is presented through parameters $S$ and $T$. For example, $PRESENCE\left(S=\left\{1:10\right\},T=\left\{4:8\right\}\right)$ indicates that the target user has visited the region $\left\{s_1,s_2,\dots ,s_{10}\right\}$ during the time $\left\{4,5,\dots ,8\right\}$.

5.2. Evaluation Metrics

The evaluation metrics for trajectory clustering include precision, recall, and the F1-score. We utilize location data with semantic tagging, as established in our previous research [40,41], given the absence of an approach to group users within the Geolife datasets into diverse clusters. This experiment aims to compare the performance of trajectory clustering and privacy security for ILP [18], BU [42], SP-tree [43], DP-LTOD [19], N-gram [44], and NPT [45], respectively.

The schemes of ILP, BU, and SP-tree are used to compare the performance of trajectory clustering with our proposed DP-STTC scheme. The ILP scheme mainly clusters the trajectories according to the labeled location information. The BU scheme can select suitable travel partners for users based on the trajectory sequence uploaded by them. The SP-tree scheme can determine users with similar mobile behaviors based on their mobile behavior and cluster them into the same community. Furthermore, the schemes of DP-LTOD, N-gram, and NPT are used to compare the performance of privacy security with our proposed DP-STTC scheme. The DP-LTOP scheme mainly protects user privacy by considering the generalized trajectory segment. The N-gram scheme can generate anonymous trajectory sequences using N-grams with variable length. The NPT scheme can generate generalized trajectory sequences using noisy prefix trees. The metrics of precision, recall and F1-score are used to evaluate the performance of trajectory clustering. Relative error is used to evaluate the performance of privacy security.

(1)

Precision

The precision of trajectory clustering schemes can be computed as:

$$Precision@k=\frac{\mathrm{A}\cap \mathrm{{\rm B}}}{k},$$

(18)

where $\mathrm{{\rm B}}$ stands for the set of clustered trajectories in the testing set and $\mathrm{A}$ stands for the set of clusters in the training set. Parameter k denotes the number of clusters.

(2)

Recall

The recall of the trajectory clustering scheme can be calculated using the following formula:

$$Recall@k=\frac{\mathrm{A}\cap \mathrm{{\rm B}}}{\left|{\mathrm{{\rm B}}}^{\prime }\right|},$$

(19)

where ${\mathrm{{\rm B}}}^{\prime }$ denotes the set of positive clusters in the training set and $\left|{\mathrm{{\rm B}}}^{\prime }\right|$ is the number of positive clusters.

(3)

F1-Score

To synthetically evaluate the stability of trajectory clustering systems, the F1-Score may be calculated as follows:

$$F1\left(\mathrm{A},\mathrm{{\rm B}}\right)=2\cdot \frac{Precision\cdot Recall}{Precision+Recall},$$

(20)

(4)

Relative Error

The usefulness of a counting query $Q$ across the sets of obfuscated trajectories $T^{*}$ and original trajectories $T$ is assessed using the relative error (RE). This equation may be used to calculate the relative error in relation to accuracy:

$$RE=\frac{\left|Q\left(T^{*}\right)-Q\left(T\right)\right|}{\max \left\{Q\left(T\right),s\right\}},$$

(21)

where $s$ denotes the sanity bound to effectively mitigate the influence of the queries with negligibly small selectivity.

5.3. Experimental Results and Performance Analysis

The proposed DP-STTC scheme is compared with different schemes using evaluation criteria in the following domains: the impact of percentages of training data, the impact of the number of discovered clusters, the impact of the number of positive clusters, and the impact of the privacy budget.

(1)

Effect of percentages of training data

Certain sensitive location data within the trajectory sequence will remain unpublished until users upload authentic trajectory data, as a precaution to safeguard users’ personal privacy on LBSNs. Consequently, the LBSN server receives limited data. Figure 4 shows the comparison of precision, recall, and F1-score of the trajectory clustering schemes in terms of the proportion of training data to the total data. It is evident from Figure 4a–c that the DP-STTC strategy suggested in this paper is superior to the other three schemes. For determining travel companions, the BU system uses density-based clustering, which takes into account factors such as the size, distance, duration, and density, among others. However, if the trajectory data uploaded by the user are sparse, the BU scheme will not be able to determine suitable partners for the target user. It will result in the scheme’s performance degradation. The continuous probability tree approach is used in the SP-tree strategy to build the user model and mine the trajectory clusters based on mobile behavior. However, the SP-tree technique will not offer efficient trajectory clustering when the trajectory data are sparse or partial, since it only takes the user’s geographic location sequence into account when building the user model. The DP-STTC approach outlined in this paper takes into account both the semantic type of each location, as well as the geographic distance between location sequences. Trajectories are classified into distinct types of clusters, in which users in each cluster have similar interests or preferences, through mining user movement patterns. Since the DP-STTC and the ILP schemes both take the semantic information of the location into account, these two schemes still have good trajectory clustering performance under the condition of data sparsity. In spite of this, the ILP scheme lacks consideration of user movement patterns. It cannot cluster users with similar characteristics well, resulting in lower precision and recall than those of the DP-STTC scheme.

(2)

Effect of the number of discovered clusters

In the process of trajectory clustering, the different number of clusters found reflects the different granularity of trajectory clustering schemes. Coarse-grained tasks find users with similar movement behaviors. Fine-grained tasks can further determine users with similar interests or preferences (e.g., behavior patterns, lifestyle habits, etc.). For LBSNs, it is of great significance to determine potential friends with similar interests or preferences through fine-grained trajectory clustering methods [46]. In terms of the number of clusters found, Figure 5 compares the accuracy, recall, and F1-score of several trajectory clustering algorithms. As depicted in Figure 5a–c, the precision of the DP-STTC scheme, ILP scheme, BU scheme, and SP-tree scheme gradually declines while the recall steadily increases as the number of clusters detected grows. However, compared to the other three techniques, the DP-STTC strategy suggested in this study performs better overall. The reason is that the DP-STTC scheme mines users’ interests or preferences from the perspective of semantic space, which can be better applied to fine-grained trajectory clustering tasks. Although the ILP scheme also considers the semantic information of locations, it lacks consideration of user movement patterns, resulting in lower clustering accuracy than that of the DP-STTC scheme. From the experimental findings, we can also observe that the SP-tree strategy outperforms the BU method. The primary rationale for this is attributed to the utilization of continuous probability trees in the SP-tree scheme for constructing user models. The continuous probability trees can mine the frequent activity patterns of users in a geographical space to identify users with similar mobile behaviors.

(3)

Effect of the number of positive clusters

In the process of trajectory clustering, positive clusters refer to clusters that already exist in the training set; that is, we already know that a certain number of users belong to several different communities before conducting trajectory clustering. Positive clusters will help improve the precision of trajectory clustering, but reduce the recall, because the server will produce higher false negative rates as more positive clusters are included in the training set. Figure 6 compares the trajectory clustering systems’ precision, recall, and F1-score in terms of the quantity of positive clusters. As depicted in Figure 6a–c, with the gradual increase in the number of positive clusters, the precision of the DP-STTC, ILP, BU, and SP-tree schemes gradually increases, while the recall rate gradually decreases. The DP-STTC strategy suggested in this study performs better overall than the other three systems. As discussed above, the DP-STTC scheme considers the geographic information and semantic information of the location to mine users with similar interests or preferences and cluster them. Compared with the ILP scheme, the BU, SP-tree, and DP-STTC schemes consider more factors to achieve better accuracy. Additionally, Figure 6c shows that the value of the F1-score for the DP-STTC scheme does not fluctuate significantly when the number of positive clusters rises, demonstrating that the DP-STTC scheme has higher stability.

(4)

Effect of the privacy budget

This study evaluates the performance of four privacy protection schemes in accordance with various privacy budgets, $ϵ$, in order to validate the privacy performance of the DP-STTC, DP-LTOD, N-gram, and NPT schemes. Figure 7 shows the comparison of precision, recall, F1-score, and the average relative error of trajectory privacy protection schemes in terms of privacy budget, $ϵ$. It can be seen that as the value $ϵ$ increases, the performance of the DP-STTC, DP-LTOD, N-gram, and NPT schemes for trajectory clustering continue improving. The fundamental reason is that the privacy protection strength decreases with increasing value $ϵ$; in other words, as less noise is provided, the performance of target clustering improves. Moreover, under the same privacy protection strength, the DP- STTC scheme has better trajectory clustering performance than the other three methods. The main reason for this is that the DP-STTC scheme establishes the user’s spatial-temporal template by considering the factors of time and space, and better mines the user’s preference characteristics to provide personalized privacy protection. Although the DP-LTOD scheme considers the semantic information of locations, it lacks consideration of the influence of the time factor on user behavior preference. The N-gram scheme uses the variable length N-gram model to extract sensitive information in the trajectory sequence, and then adaptively increases the noise for each datum in the sequence. The NPT scheme constructs a prefix tree model for the initial trajectory sequence and subsequently introduces noise for each node within the prefix tree. There are some differences between the trajectory sequence and the original trajectory sequence in the geographic space and semantic space, because the N-gram scheme and the NPT method do not take into account the semantic information of locations and the geographic distance between the trajectory segments. By using the user movement pattern template, the DP-STTC scheme suggested in this paper ensures that the generalized trajectory sequence has a good similarity with the original trajectory sequence, allowing for the LBSN server to precisely mine users with similar interests or preferences according to the generalized trajectory sequence at the trajectory clustering stage. Figure 7d especially shows that the DP-STTC scheme can achieve a lower average relative error as the privacy budget value $ϵ$ increases.

6. Conclusions and Future Work

This paper addresses the issue of personalized trajectory privacy protection within the trajectory clustering process in LBSNs. We introduced a differential privacy-based spatial-temporal trajectory clustering (DP-STTC) scheme. First, the scheme transforms the existing location privacy protection mechanism into a spatial-temporal trajectory privacy protection mechanism by adjusting the privacy parameters while considering the user’s privacy preferences during the quantization process. Subsequently, we incorporated semantic distance during the trajectory clustering stage. Finally, we validated the proposed DP-STTC scheme using two real datasets. The results show that the technique improves user privacy protection and trajectory clustering accuracy when compared to previous approaches. Looking ahead, we plan to explore flexible and customizable location privacy protection schemes to mitigate the risk of privacy leakage when users cluster trajectories more effectively.