Enhancing Real-Time Traffic Data Sharing: A Differential Privacy-Based Scheme with Spatial Correlation

Abstract

The real-time sharing of traffic data can offer improved services to users and timely respond to environmental changes. However, this data often involves individuals’ sensitive information, raising substantial privacy concerns. It is imperative to find ways to protect the privacy of the shared traffic data while maintaining its ongoing data utility. In this paper, a Differential Privacy-based scheme with Spatial Correlation for Real-time traffic data (named as DP-SCR) is proposed. DP-SCR not only ensures the high data utility of shared traffic data, but also provides strong privacy protection. Specifically, DP-SCR is designed to adhere to w-event $\epsilon$-differential privacy, ensuring a high level of privacy protection. Subsequently, a novel adaptive allocation based on spatial correlation prediction is proposed to optimize the privacy budget allocation in differential privacy. In addition, a feasible dynamic clustering algorithm is developed to minimize the relative perturbation error, which further improves the quality of shared data. Finally, the analyses demonstrate that DP-SCR provides w-event privacy for the shared data of each section, and the spatial correlation is a more pronounced characteristic of the traffic data than other characteristics. Meanwhile, experiments conducted on real-world data show that the MAR and MER of the predicted data in DP-SCR are smaller than those in other baseline DP-based schemes. It indicates that the DP-SCR scheme proposed in this paper can provide more accurate shared data.

1. Introduction

As science and technology advance, various sensors collect traffic flows (i.e., a kind of traffic statistic) accurately and in real-time [1,2,3,4,5,6]. Real-time traffic data records the time sequence information of the road and can describe the traffic status in more detail. The real-time traffic data can be shared with other companies and organizations and are subsequently utilized in intelligent transportation systems (ITS), such as traffic light control [7], route planning [8], autonomous driving [9,10], and forecasts of electric vehicle energy consumption [11], ensuring these applications can provide more personalized services and timely respond to environmental changes. However, these traffic statistical data often contain individual sensitive information [12], e.g., location information and vehicle status, which will lead to considerable threats to individual privacy. For example, according to the uniqueness of the individuals’ mobility trace [13], an adversary can link back to the individuals’ ID information through some outside information when the trace information is published, and then the adversary may match the ID information with sensitive information to acquire individuals’ privacy.

To solve the issues of privacy leakage in data sharing, an insightful privacy protection model with strong theoretical support, called $\epsilon$-differential privacy, has been proposed in [14]. It ensures that the outcomes of any analyses on neighboring datasets (i.e., two datasets that have only one data difference) are difficult to distinguish. Based on differential privacy, a lot of varietal schemes have been proposed for privacy protection  [15,16,17,18,19,20,21,22]. However, most of them focus on either the user-level privacy on finite streams or the event-level privacy on infinite streams. However, applying these methods directly to protect real-time data often leads to inadequate protection or a notable reduction in data utility.

In view of this, Kellaris et al. [23] have proposed a novel model of differential privacy named w-event $\epsilon$-differential privacy (w-event privacy for short). The w-event privacy model fills the gap between the event-level and the user-level privacy, which can protect all events that happen at any successive w timestamps without sacrificing too much data utility. Using w-event privacy to protect the real-time data is a favorable option. The authors in [23] have designed two schemes based on w-event privacy, called budget distribution (BD) and budget absorption (BA), to protect any event sequence occurring at any successive w timestamps (i.e., a sliding window of size w).

Currently, numerous improved privacy-preserving schemes based on w-event privacy for real-time data sharing have been proposed [24,25,26,27,28,29]. To improve the accuracy of the shared traffic flows, Wang et al. [24] have proposed two schemes for privacy protection, i.e., RescueDP and E-RescueDP, which take into account data dynamics and can adaptively allocate privacy budgets for each section through proportional-integral-derivative control (PID control) or a recurrent neural network (RNN). Huo et al. [25] have proposed an adaptive w-event privacy for fog computing, which optimizes the prediction of E-RescueDP by using a long short-term memory. In contrast to the centralized differential privacy mentioned earlier, some w-event privacy schemes for real-time data release, based on local differential privacy (abbreviated as LCD), have been developed without the need for establishing a trusted server, as discussed in  [27,28,29].

In this paper, we focus on sharing real-time traffic flows that are used to serve the intelligent transportation system continually. However, if the real-time traffic flows of each road section are shared with the public directly, it can cause serious privacy issues, such as the disclosure of whereabouts. To ensure the shared traffic flows are protected by strong privacy, enabling the sharing of traffic flows that adhere to w-event privacy is essential.

1.1. Motivation

Nevertheless, the prior schemes that focus on real-time data sharing under the protection of w-event privacy have shown limitations in data utility, specifically in terms of the quality of the shared data. Data utility is a vital metric for assessing the quality of the shared data.

First, privacy protection for raw data significantly reduces data utility. In BD and BA schemes [23], they allocate an equivalent privacy budget for the traffic flows of each section. The LCD-based work in [29] divides privacy budgeting to different processing steps to satisfy more limited privacy guarantees. However, the above schemes tend to result in allocating low privacy budgets to traffic flows, which in turn leads to excessive noise introduced into the shared traffic flows. An reasonable allocation of privacy budget is a promising way to solve the above issues. In RescueDP and E-RescueDP in [24], an adaptive allocation is proposed, where the current raw traffic flows are replaced by the predicted traffic flows without consuming privacy budget. In any case, the more accurate the predicted traffic flows are, the more accurate the shared traffic flows also are. However, the calculation of predicted data in [24] is based on the temporal correlation between data, which may not be the best way to predict traffic flows.

Second, the difference in the privacy budget allocated to each section can introduce large relative perturbation error. The sections with small traffic flow produce a large relative perturbation error in the w-event privacy schemes, where the perturbation error is introduced by Laplace noise. To reduce the perturbation error, the mechanism for dynamic grouping in [24] partitions the sections with small traffic flows into different groups, which is based on the similarity of traffic flows. Furthermore, to satisfy w-event privacy, it uses the smallest privacy budget of the section as the privacy budget of all sections in the group. However, if the sections with a large different privacy budget are partitioned into the same group, it will cause a large perturbation error in all sections of the group. This will lead to a reduction in the accuracy of the shared traffic flows.

1.2. Contributions

Motivated by the above discussions, a scheme named DP-SCR is proposed in this paper to enhance the real-time traffic data sharing. In DP-SCR, we design an adaptive allocation of a privacy budget by using spatial correlation. Then, a novel dynamic clustering method based on k-means algorithm is developed, which takes the traffic flows and the difference in privacy budget into account. Finally, the proposed DP-SCR is proved to satisfy w-event privacy, providing a high level of privacy protection. This means that even if the attacker has background information about the user, they cannot obtain any additional information from the shared data.

Compared with the existing schemes that also satisfy w-event privacy, DP-SCR has the following three contributions:

• In DP-SCR, we prove that the spatial characteristic of traffic flows provides a more remarkable correlation than other characteristics of traffic flows. Then, the designed spatial correlation prediction in DP-SCR is used to adaptively allocate the privacy budget for traffic flows. It significantly improves the accuracy of the shared traffic flows;
• We design a novel dynamic clustering algorithm to aggregate the sections with similar traffic flow and privacy budget. It further improves the accuracy of the shared traffic flows by reducing the relative perturbation error caused by the small traffic flows.
• The experimental results with real-world traffic datasets demonstrate that DP-SCR outperforms baseline w-event privacy schemes in terms of data utility for real-time data release. Also, these experiments validate that DP-SCR is robust to the changes of $ϵ$ and w.

1.3. Organization

The rest of this paper is organized as follows. In Section 2, some preliminary knowledge of the proposed scheme is described. Then, the main problems of the sharing of real-time traffic flows are stated in Section 3. The construction of DP-SCR is established in Section 4, consisting of the adaptive allocation of privacy budgets, dynamic clustering, approximation and perturbation. In Section 5, we analyze the related performance of DP-SCR. The experiments are conducted to verify the high data utility of DP-SCR in Section 6. Finally, the conclusions and future work of this paper can be derived in Section 7.

2. Preliminaries

In this section, we review some basic preliminaries that are necessary for the rest of this paper, mainly including differential privacy, w-event privacy and the characteristics of traffic flows. Some mathematical notations are summarized in

Table 1. The mathematical notations.

Notations	Semantic Meanings
$M,Q,SC$	Laplace mechanism, query function and prediction function, respectively.
S, $S_t$	An infinite stream and the stream prefix of S at timestamp t, respectively.
$D_t$	The raw traffic data at timestamp t.
$F_i$, $F^{i,n}$	The raw traffic flows at timestamp i; the raw traffic flows of section i at successive n timestamps.
$f_k^i$,$f_k^{x,h}$,${\widehat{f}}_k^i$	The raw traffic flow of section i at timestamp k; $f_k^i$ at h-th cluster; the predicted traffic flow of section i at timestamp k.
$R_i$,$R^i$,$R^{i,n}$	The sanitized traffic flows at timestamp i, the sanitized traffic flows of section i at all timestamps, and the sanitized traffic flows of section i at successive n timestamps.
$r_k^i$, ${\overline{r}}_k^i\left(out\right)$	The sanitized traffic flows and the traffic outflow of section i at timestamp k, respectively.
$r{n}_{i,j}$, $RN$	The transition probability of that the traffic flows of section i enters to section j; the set of $r{n}_{i,j}$.
$t{p}_t^{i,j}$, $t{p}_t^i$	The traffic parameter between section i and section j at timestamp t; the set of the traffic parameters between section i and its linked sections at timestamp t.
$dis,SSE$	The dissimilarity between the predicted traffic flows and the last shared traffic flow; the squared error.
$V_{max}^i$, $V_t^i$	The maximal speed limit of section i; the average speed of section i at timestamp t.
$T_{samples}$	The sampling period of raw traffic data.
$C{A}_i$	The maximum capacity of section i.
${\theta }_i$, $\rho$	The scale factor of corrections.
$C_t^i$, $c_t^i$	The i-th cluster at timestamp t and the cluster center of $C_t^i$, respectively.
$CL{U}_t$	The set of clusters at timestamp t.
${\epsilon }_t^i$, ${\epsilon }_t^{x,i},{\widehat{\epsilon }}_i^j$	The privacy budget of section i at timestamp t; the privacy budget included in $C_t^i$; the privacy budget of $C_t^i$.
${\epsilon }_r$, ${\epsilon }_{max}$	The remaining privacy budget; the maximum privacy budget allowed for sections.
${\lambda }_i^j$	The perturbation error of section i at timestamp j.

.

2.1. Differential Privacy

Let $\mathcal{D}$ denote a set of datasets, and let Q be the query function. M represents the Laplace mechanism, and the set R denotes the range of $M(·)$.

Definition 1 

(Neighboring datasets [30]). For two datasets $D\in \mathcal{D}$ and $D^{\prime }\in \mathcal{D}$, if $D^{\prime }$ can be obtained from D by removing or adding any single record, D and $D^{\prime }$ are neighboring.

Definition 2 

(Sensitivity  [30]). Assume Q: $\mathcal{D}\to {\Re }^d$, then the sensitivity of Q with regard to $\mathcal{D}$ is

$$\Delta \left(Q\right)=\underset{D,D^{\prime }}{max}{\Vert Q\left(D\right)-Q\left(D^{\prime }\right)\Vert }_1,$$

where D and $D^{\prime }$ represent any pair of neighboring datasets of $\mathcal{D}$.

Definition 3 

(Laplace mechanism [30]). For Q: $\mathcal{D}\to {\Re }^d$, M adds noise into the results of $Q\left(D\right)$, where the noise conforms to the Laplace distribution. Formally, for any dataset $D\in \mathcal{D}$,

$$M\left(D\right)=Q\left(D\right)+{\langle Lap(\Delta \left(Q\right)/\epsilon )\rangle }^d,$$

where ε denotes privacy budget indicating the privacy level of mechanism M.

Definition 4 

(Differential privacy [31]). For any neighboring dataset D and $D^{\prime }$, and the set R, if

$$Pr[M\left(D\right)\in R]\le e^{\epsilon }Pr[M\left(D^{\prime }\right)\in R],$$

the mechanism M satisfies ε-differential privacy ($\epsilon >0$).

Take the traffic flows of section k at timestamp i as an sample. The queried result of the traffic flows from $D_i$ is represented as $Q_k\left(D_i\right)=f_i^k$, and the shared traffic flows after the processing of differential privacy can be rewritten as $r_i^k=f_i^k+\langle Lap(\Delta \left(Q_k\right)/\epsilon )\rangle$, where $D_i$ is the raw traffic data at timestamp i and $Q_k$ is the query function for section k.

Theorem 1 

(Sequential composition [32]). Assume that M includes a sequence of sub-mechanisms $M_1,M_2,\cdots ,M_r$ and each $M_i$ adds an independently random noise. If each mechanism $M_i$ satisfies ${\epsilon }_i$-differential privacy, the mechanism M satisfies (${\displaystyle \sum _{i=1}^r}{\epsilon }_i$)-differential privacy.

According to the above definitions and Theorem 1, it is obvious that the smaller $\epsilon$ or the higher $\Delta \left(Q\right)$ is, the larger the noise introduced. The privacy budget $\epsilon$ of M assigned to sub-mechanisms may be different.

2.2. w-Event Privacy

w-event privacy can protect all events that happen at any successive w timestamps. For a distinct description of w-event privacy, the traffic data are denoted as an infinite tuple $S=(D_1,D_2,\cdots )$, where $D_t$ represents the raw traffic data at timestamp t, and $S\left[i\right]$ is the i-th element of S. Then a stream prefix of S at timestamp t is denoted as $S_t=(D_1,D_2,\cdots ,D_t)$.

Definition 5 

($w$-neighboring [23]). Two stream prefixes $S_t$ and $S_t^{\prime }$ are w-neighboring, where w is a positive integer, if they satisfy the following conditions:

1. 

For each $S_t\left[i\right]$, $S_t^{\prime }\left[i\right]$ with $i\in \left[t\right]$ and $S_t\left[i\right]\ne S_t^{\prime }\left[i\right]$, it holds that $S_t\left[i\right]$, $S_t^{\prime }\left[i\right]$ are neighboring;

2. 

For each $S_t\left[i_1\right]$, $S_t\left[i_2\right]$, $S_t^{\prime }\left[i_1\right]$, $S_t^{\prime }\left[i_2\right]$, when $i_1<i_2$, $S_t\left[i_1\right]\ne S_t^{\prime }\left[i_1\right]$ and $S_t\left[i_2\right]\ne S_t^{\prime }\left[i_2\right]$, it holds that $i_2-i_1+1\le w$;

Definition 6 

($w$-event privacy [23]). Let $S_t\left[i\right]=D_i\in \mathcal{D}$ and one set $R\subset Range\left(M\right)$. For all w-neighboring stream prefixes $S_t$, $S_t^{\prime }$ and all t, if

$$Pr[M\left(S_t\right)\in R]\le e^{\epsilon }Pr[M\left(S_t^{\prime }\right)\in R],$$

the mechanism M satisfies w-event privacy.

Theorem 2. 

Let stream prefix $S_t$ denote the input of M, and the output of M is $\{R_1,R_2,\cdots ,R_t\}\subset Range\left(M\right)$. Suppose that the mechanism M includes t mechanisms $M_1,M_2,\cdots ,M_t$, and each $M_i\left(S_t\left[i\right]\right)$ achieves ${\epsilon }_i$-differential privacy. Then the mechanism M satisfies w-event privacy, if

$$\forall i\in \left[t\right],\sum _{k=i-w+1}^i{\epsilon }_k\le \epsilon .$$

2.3. Characteristics of Traffic Flows

Based on the analyses in Section 1,the proposed DP-SCR mainly considers the spatial correlation between traffic flows.

Definition 7 

(Spatial correlation [33]). A road network consists of multiple sections, and there exists a spatial correlation between sections. Formally, the algorithm $SC$ denotes the spatial correlation between the traffic flows. The predicted traffic flow ${\widehat{f}}_{t+1}^i$ can be calculated by ${\widehat{f}}_{t+1}^i=SC\left(t{p}_t^i\right)$, where $t{p}_t^i$ is the traffic parameter of section i at timestamp t. If the linked sections of section i are section j and section k, then $t{p}_t^i=\{t{p}_t^{i,j},t{p}_t^{i,k})\}$, where $t{p}_t^{i,k}$ consists of the shared traffic flow $r_t^{i,k}$ and some prior knowledge including the maximal speed limit $v_{max}^i$, the predefined sampling period, and the road networks $r{n}_{k,i}$.

The road networks link with all the sections and show the flow correlation between different sections. As shown in Figure 1, it is a part of the road networks, where each numeric value represents the probability that the traffic flow of one section enters its linked (adjacent) sections.

For example, there are half traffic flows of Section 5 that enter to Section 4, so the probability is 0.5 and is denoted as $r{n}_{5,4}$ in this paper. Obviously, the flow of traffic on any section will either stay in the same section or enter to another section, so the probability of section i satisfies the following relationship.

$$\sum _{j\in A_i}r{n}_{i,j}=1,$$

where $A_i$ is a set includes section i and its linked sections. The flow correlation is represented as $RN=\left\{r{n}_{i,j}\right|i,j\in Sec\}$, where $Sec$ is the set of all sections.

Mathematical notations: The mathematical notations and their semantic meanings used in this paper are summarized in Table 1.

3. Problems Statement

When real-time traffic flows are shared with the public, they may cause serious privacy issues. Therefore, in order to ensure the shared traffic flows with strong privacy protection, each section is required to satisfy w-event privacy. As shown in Figure 2, the traffic data are collected by various sensors and stored in the database. Then, the traffic flows for serving an intelligent transportation system will be processed to satisfy w-event privacy, so that the shared flows can not leak the privacy of users. To be more specific, let $F_k$ be the traffic flows of section k and $D_k$ be raw traffic data at timestamp k. Then, we have $F_k=Q\left(D_k\right)=(f_k^1,f_k^2,\cdots ,f_k^n)$, where n is the total number of sections at timestamp t, and $f_k^i$ is defined as the traffic flow of section i at timestamp k. In order to ensure the traffic flows are shared securely, the sanitized version of $f_k^i$, denoted by $r_k^i$, is used to replace $f_k^i$. Thus, the sanitized version of infinite time traffic flows at section i is denoted as $R^i=(r_1^i,r_2^i,\cdots ,r_k^i,\cdots )$.

In this paper, the problem concerning privacy protection is formally stated as follows.

Given an infinite time series of traffic flows $\mathbb{F}=(F_1,F_2,\cdots ,F_k,\cdots )$, denote its sanitized version as $\mathbb{R}=(R_1,R_2,\cdots ,R_k,\cdots )$. Then, a scheme is designed to make each infinite time section from $\mathbb{R}$, denoted as $R^i=(r_1^i,r_2^i,\cdots ,r_k^i,\cdots )$, which satisfies w-event privacy.

Since data utility is the main criterion for measuring the quality of a scheme, designing a mechanism to improve the data utility of the shared traffic flows is very meaningful. In this paper, the allocation of the privacy budget and the perturbation error will affect the accuracy of the shared traffic flows greatly. Therefore, the problem of the data utility can be described as follows.

(a) How to allocate the privacy budget reasonably. (b) How to reduce the absolute error (MAE) and relative error (MRE) of the shared traffic flows $\mathbb{R}$, where MAE and MRE are the representation of perturbation error.

4. The Design of DP-SCR

In this section, we propose a scheme, named DP-SCR, which satisfies w-event privacy and provides high accuracy of traffic flows. The proposed DP-SCR can achieve the adaptive allocation of privacy budget, where the spatial correlation prediction is used to improve the budget allocation. Additionally, dynamic clustering is proposed to reduce the perturbation error caused by the small traffic flows. Finally, a novel approximation method and the perturbation method are used to deal with the no sampled sections and sampled sections in DP-SCR, respectively. Figure 3 shows the flowchart of DP-SCR, where the sampling of sections is determined by $dis$ and ${\lambda }_{i+1}$. The $dis$ is the dissimilarity between the predicted traffic flow and the last shared traffic flow, and ${\lambda }_{t+1}$ is perturbation error.

Algorithm 1 gives an overall description of the proposed DP-SCR. The main processes of DP-SCR are described in detail as follows.   

Algorithm 1: DP-SCR.

Require: raw traffic data $D_{t+1}$, the shared traffic flows $R_t$, $t{p}_t=\{t{p}_t^i,\cdots ,t{p}_t^n\}$. Ensure: new shared traffic flows $R_{t+1}$. 1: Obtain traffic flows $F_{t+1}=Q\left(D_{t+1}\right)$; 2: for each section i at timestamp t do 3:     Calculate the predicted traffic flow ${\widehat{f}}_{t+1}^i$ according to $t{p}_t^i$, and then calculate $dis$; 4:     Calculate the privacy budget for each section at timestamp t; 5:     Sampling according to ${\widehat{f}}_{t+1}$. 6: end for (see Section 4.1) 7: For sampling points, do dynamic clustering for them at timestamp t + 1, and perturb their traffic flows by adopting Laplace mechanism; (see Section 4.2 and Section 4.3) 8: For non-sampled points, approximate current traffic flows with the corresponding predicted traffic flows; (see Section 4.3) 9: Obtain $R_{t+1}$ by combining the results at sampling points and the results at non-sampled points.

4.1. Adaptive Allocation of Privacy Budget

According to Theorems 1 and 2, if the sliding window size w is too large, the privacy budget allocated for the sections at each timestamp is small, which will result in a large magnitude of noise. Sampling is a promising way to reduce noise. Because the non-sampled points do not consume any privacy budget, more privacy budget will be allocated for the sampling points. Towards this end, an adaptive allocation of the privacy budget is proposed in the literature [24]. It adopts the temporal correlation to predict the value at the next timestamp, and the value is used for sampling, where the predicted value determines the quality of the sampling. Also, due to the spatial correlation between traffic flows, it can increase the accuracy of predicted traffic flows and make the sampling more reasonable.

Inspired by the above ideas, a mechanism for the adaptive allocation of the privacy budget based on spatial correlation is proposed in this paper. The mechanism includes three operations, which are described in detail as follows.

4.1.1. Spatial Correlation Prediction

In the phase of spatial correlation prediction, we note that $V_{max}^i$ is the maximal speed limit of section i, where the speed of all vehicles is assumed to be less than or equal to the maximum speed. The predefined $T_{Sample}$ is the sampling period of raw traffic data. According to Equation (9) of the work [34], the speed–flow relationship between $V_t^i$ and $r_t^i$ is $V_t^i={\theta }_1\times V_{max}^i/(1+{(r_t^i/C{A}_i)}^{\rho })$, $\rho ={\theta }_2+{\theta }_3\times {(r_t^i/C{A}_i)}^3$, where $V_t^i$ is the average vehicle speed in section i at timestamp t, $C{A}_i=V_{max}^i\times T_{Sample}$ is the maximum capacity of section i, and ${\theta }_i$$\{i=1,2,3\}$ and $\rho$ are scale factor corrections. It is obvious that the average vehicle speed is related to the shared traffic flows, the maximal speed limit of the section, and the predefined sampling period. However, the scale factors are hard to set artificially. Inspired by [34], we design a novel spatial correlation algorithm $SC$ to calculate the predicted traffic flows of section i. The goal of the method is to predict the traffic flow of section i at timestamp t + 1 based on $r_t^i$ and the prior knowledge $V_{max}^i$, $T_{Sample}$ and $r{n}_{k,i}$. Specific processes are described in the following three steps:

Step 1: To calculate $V_t^i$, we train a model $M_v$ to learning the relationship between $V_t^i$ and $r_t^i$, $V_{max}^i$ and $T_{Sample}$. Based on the trained model, we can obtain the average vehicle speed of each section at any timestamp by inputing the prior knowledge and the shared traffic flows.

Step 2: Based on the average speed of section i and the sampling period $T_{Sample}$, the traffic outflow ${\overline{r}}_t^i\left(out\right)$ of section i is calculated by

$${\overline{r}}_t^i\left(out\right)=V_t^i\times T_{Sample}.$$

Step 3: According to the actual situation, the predicted traffic flow (${\widehat{f}}_{t+1}^i$) of section i is the difference between the traffic outflow of section i and the traffic inflows of its linked sections. For example, if section j and section k are the linked sections of section i, the predicted traffic flow of section i is represented as the following formula.

$${\widehat{f}}_{t+1}^i=r{n}_{j,i}·{\overline{r}}_t^j\left(out\right)+r{n}_{k,i}·{\overline{r}}_t^k\left(out\right)-(1-r{n}_{i,i})·{\overline{r}}_t^i\left(out\right).$$

4.1.2. Calculation of Privacy Budget

In the calculation of the privacy budget, to satisfy w-event privacy, the total privacy budget of each section at any sliding window should be smaller than $\epsilon$. Here, assume that all sections at the next timestamp are sampling points. Thus, the privacy budget of all sections at the next timestamp should be calculated.

Without loss of generality, let the current timestamp be t; then, the privacy budget for section i at timestamp t + 1 is ${\epsilon }_{t+1}^i$. The remaining privacy budget ${\epsilon }_r$ in the sliding window $[t-w+2,t]$ is calculated by ${\epsilon }_r=\epsilon -{\displaystyle \sum _{j=t-w+2}^t}{\epsilon }_j^i$. Additionally, the sampling interval is $I=(t+1-l)$, where l is the last sampling point of section i. Then, a scale factor p, which determines how much privacy budget will be allocated for section i at timestamp t + 1, is calculated by

$$p=min(\phi \times ln(I+1),p_{max}),$$

where $\phi$ is defined as a scale factor varied in (0, 1], and $p_{max}$ is the maximum portion of privacy budget allocated for each sampling point. In the end, the privacy budget allocated for section i at timestamp t + 1 is calculated by

$${\epsilon }_{t+1}^i=min(p\times {\epsilon }_r,{\epsilon }_{max}),$$

where ${\epsilon }_{max}$ is the maximum privacy budget allocated for each sampling point. Two constraints (i.e., $p_{max}$ and ${\epsilon }_{max}$) are aimed at striking a good balance between the data utility and privacy protection of traffic flows.

4.1.3. Sampling with the Predicted Traffic Flows

The perturbation error of section i is ${\lambda }_{t+1}^i=1/{\epsilon }_{t+1}^i$, and the dissimilarity between the predicted traffic flow and the last shared traffic flow is $dis={\widehat{f}}_{t+1}^i-r_l^i$, where $r_l^i$ is the last shared traffic flow of section i. If ${\lambda }_{t+1}^i>dis$, the traffic flow at timestamp t + 1 is approximated by the predicted traffic flow. Then, the privacy budget of section i is withdrawn, i.e., section i at timestamp t + 1 is a non-sampled point, and its privacy budget is zero. Otherwise, section i at timestamp t + 1 is a sampling point, and its privacy budget remains unchanged. The mechanism for the adaptive allocation of the privacy budget is formally presented in Algorithm 2.

Algorithm 2: Adaptive allocation of privacy budget for section i at timestamp t + 1.

Require: privacy budget $\epsilon$, ${\epsilon }_{max}$, $p_{max}$, $r_l^i$, $RN$ and the traffic flows of section i and its linked sections at timestamp t. Ensure: the privacy budget of section i at timestamp t + 1.   1: Assume that section i at timestamp t + 1 is sampling point, and calculate privacy budget for it, then obtain ${\epsilon }_{t+1}^i=min(p\times {\epsilon }_r,{\epsilon }_{max})$, where $p=min(\phi \times ln(I+1),$ $p_{max})$ and $i=(t+1-l)$;   2: According to Spatial Correlation Prediction, calculate ${\widehat{f}}_{t+1}^i$ that is the predicted traffic flow of section i at timestamp t +1;   3: Calculate the dissimilarity between the predicted traffic flow and the last sharing $dis={\widehat{f}}_{t+1}^i-r_l^i$;   4: ${\lambda }_{t+1}^i=1/{\epsilon }_{t+1}^i$;   5: if $dis>{\lambda }_{t+1}^i$ then   6:     section i at timestamp t + 1 is sampling point;   7:     return ${\epsilon }_{t+1}^i$;   8: else   9:     section i at timestamp t + 1 is non-sampled point; 10:     return 0; 11: end if

4.2. Dynamic Clustering

As shown in the analyses in Section 1, the sections with small traffic flow can cause large relative perturbation error in the w-event privacy schemes. In this section, a dynamic clustering algorithm, i.e., bisecting k-means, is adopted to reduce the perturbation error. Specifically, the sections with similar traffic flow and privacy budget will be aggregated together to resist noise via the dynamic clustering.

First, it is necessary to determine which sections have small traffic flow before clustering. Here, the noise resistance threshold is defined as $\tau$, which reflects whether the traffic flows have sufficient capacity to resist noise. When the traffic flows are smaller than $\tau$, they are classified as small traffic flows. Then, the sections with small traffic flows will be saved in the cluster $C_{t+1}^0$.

Assume that the number of the sections with small traffic flow is n; then $C_{t+1}^0=\{y_{1,0},\cdots ,y_{n,0}\}$, $y_{x,0}=(f_{t+1}^{x,0},{\lambda }_{t+1}^{x,0})$, and ${\lambda }_{t+1}^{x,0}=1/{\epsilon }_{t+1}^{x,0}$, $x\in [1,n]$, where $f_{t+1}^{x,0}$ is the traffic flow $f_{t+1}^x$ of cluster $C_{t+1}^0$, and ${\lambda }_{t+1}^{x,0}$ is perturbation error. When ${\displaystyle \sum _{x\in C_{t+1}^h}}{f}_{t+1}^{x,h}\ge \tau$, the cluster at timestamp t + 1 can be denoted as $CL{U}_{t+1}=\{C_{t+1}^0,\cdots ,C_{t+1}^k\}$, $(k\le n)$. Also, the sum of the squared error ($SSE$) of $CL{U}_{t+1}$ is $SSE\left(CL{U}_{t+1}\right)={\displaystyle \sum _{h=1}^k}{\displaystyle \sum _{x\in C_{t+1}^h}}\left|\right|y_{x,h}-c_{t+1}^h{\left|\right|}^2$, where $c_{t+1}^h$ is the cluster center of $C_{t+1}^h$. As is well known, the smaller the $SSE$ is, the more similar the traffic flows and privacy budget of sections are. Thus, the dynamic clustering is aimed at finding the smallest $SSE$, which is described in Algorithm 3.

After dynamic clustering, suitable privacy budget should be allocated for each cluster in $CL{U}_{t+1}$. Without loss of generality, ${\displaystyle \sum _{j=0}^{w-1}}{\epsilon }_{t+j}^i$ is denoted as the total privacy budget for section i at any successive w timestamps. In order to ensure ${\displaystyle \sum _{j=0}^{w-1}}{\epsilon }_{t+j}^i\le \epsilon$, the privacy budget allocated for $C_{t+1}^i$ is equal to ${\widehat{\epsilon }}_{t+1}^i$, and the privacy budget of the sections in $C_{t+1}^i$ is also ${\widehat{\epsilon }}_{t+1}^i$, where ${\widehat{\epsilon }}_{t+1}^i=\underset{x\in C_{t+1}^i}{min}\left({\epsilon }_{t+1}^{x,i}\right)$.

Algorithm 3: Dynamic Clustering Algorithm at timestamp t + 1.

Require: $C_{t+1}^0$. Ensure: $CL{U}_{t+1}$. 1: Initialization: $Clu=C_{t+1}^0$, ${\displaystyle \sum _{x\in C_{t+1}^0}}{f}_{t+1}^{x,0}\le \tau$. 2: if ${\displaystyle \sum _{x\in C_{t+1}^0}}{f}_{t+1}^{x,0}\le \tau$ then 3:     return $Clu$; 4: end if 5: while 1 do 6:     $k=size\left(Clu\right)$; $Cl{u}_2=\{C_{t+1}^0,\cdots ,C_{t+1}^k\}$; 7:     for $i=0:k$ do 8:         do 2-$means$ for $C_{t+1}^i$ in $Clu$, then obtain new $C_{t+1}^i$ and $C_{t+1}^{k+1}$; 9:         if ${\displaystyle \sum _{x\in C_{t+1}^i}}{f}_{t+1}^{x,i}\ge \tau$ and ${\displaystyle \sum _{x\in C_{t+1}^{k+1}}}{f}_{t+1}^{x,k+1}\ge \tau$ then 10:            $Cl{u}_1=\{C_{t+1}^0,\cdots ,C_{t+1}^i,\cdots ,C_{t+1}^{k+1}\}$; (the clusters except $C_{t+1}^i$ and $C_{t+1}^{k+1}$ are from $Clu$) 11:            if $SSE\left(Cl{u}_1\right)<SSE\left(Cl{u}_2\right)$ then 12:                $Cl{u}_2=Cl{u}_1$ 13:            end if 14:         end if 15:     end for 16:     if $Clu\ne Cl{u}_2$ then 17:         $Clu=Cl{u}_2$; 18:     else 19:         return $Clu$; 20:     end if 21: end while 22: The function of 2-means is as follows. 23: Function: $(C_{t+1}^i,C_{t+1}^{k+1})$=2-$means$($C_{t+1}^i$) 24: 1: randomly select two objects from these k objects of $C_{t+1}^i$ as the initial cluster centers of the cluster A and the cluster B; 25: 2: calculate the similarity (Euclidean distance) between each object $y_{x,i}$ and the cluster center; (The smaller the value is, the closer the similarity is) 26: 3: all objects are divided into the cluster with closer similarity; 27: 4: recalculate the cluster centers of the cluster A and the cluster B; 28: 5: repeat step 2–step 4 until each cluster is not changing; 29: 6: $C_{t+1}^i=A$, and $C_{t+1}^{k+1}=B$; 30: 7: return $C_{t+1}^i$ and $C_{t+1}^{k+1}$. 31: end Function

4.3. Approximation and Perturbation

To ensure that each section satisfies w-event privacy, the noise that conforms to Laplace distribution is injected into each sampling section. In [24], it uses the last shared value to approximate non-sampled sections. Different from the approximation mechanism in [24], we propose a novel approximation mechanism that takes the predicted value as the value of non-sampled sections. The predicted values are used to approximate the real value in this paper. However, there exists a dissimilarity $dis$ between the last shared values and the predicted values, so the predicted values are closer to the real traffic flows of the section than to its last shared value. In any case, the predicted values are calculated based on the shared traffic flow at the previous timestamp. Thus, it also can protect real values and prevent privacy leakage.

In the perturbation mechanism, $D_{t+1}$ is the raw traffic data at timestamp t + 1, and $C_{t+1}^h$ is a cluster at timestamp t + 1 consisting of $n_h$ sections. As each vehicle can only appear in at most one section at each timestamp, the sensitivity of Q ($\Delta \left(Q\right)$) is 1. Then, the sanitized traffic flow of section i at timestamp t + 1 can be denoted as

$$M\left(D_{t+1}^i\right)=\left\{\begin{array}{c}Q\left(D_{t+1}^i\right)+Lap(\Delta \left(Q\right)/{\epsilon }_{t+1}^i),ifi\notin C_{t+1}^h\hfill \\ (Q\left(D_{t+1}^i\right)+Lap(\Delta \left(Q\right)/{\widehat{\epsilon }}_{t+1}^i))/n_h,otherwise.\hfill \end{array}\right.$$

If section $i\notin C_{t+1}^h$, the sanitized traffic flows are $Q\left(D_{t+1}^i\right)+Lap(\Delta \left(Q\right)/{\epsilon }_{t+1}^i)$. Otherwise, the sanitized traffic flows are $(Q\left(D_{t+1}^i\right)+Lap(\Delta \left(Q\right)/{\widehat{\epsilon }}_{t+1}^i))/n_h$.

5. Performance Analyses

In this section, we will analyze the privacy protection, the correlation of traffic flows and effects of filtering in DP-SCR.

5.1. Privacy Analyses

In this subsection, the privacy loss and privacy protection are analyzed.

5.1.1. Privacy Loss

Privacy loss is used to metric the privacy information leakage. According to the definition of differential privacy, we have the privacy loss

$$\begin{array}{cc}\hfill & ln\frac{Pr\left(M\right(D)=r)}{Pr(M\left(D^{\prime }\right)=r)}=ln\frac{Pr(Q\left(D\right)+{\langle Lap(\Delta \left(Q\right)/\epsilon )\rangle }^d=r)}{Pr(Q\left(D^{\prime }\right)+{\langle Lap(\Delta \left(Q\right)/\epsilon )\rangle }^d=r)}\hfill \\ \hfill & =ln\frac{Pr({\langle Lap(\Delta \left(Q\right)/\epsilon )\rangle }^d=r-Q\left(D\right))}{Pr({\langle Lap(\Delta \left(Q\right)/\epsilon )\rangle }^d=r-Q\left(D^{\prime }\right))}\hfill \\ \hfill & =ln\frac{exp(-|r-Q\left(D\right)|\epsilon /\Delta (Q\left)\right)}{exp(-|r-Q\left(D^{\prime }\right)|\epsilon /\Delta \left(Q\right))}\hfill \\ \hfill & =lnexp\left(\epsilon \right(|r-Q\left(D\right)|-|r-Q\left(D^{\prime }\right)\left|\right)/\Delta \left(Q\right))\hfill \\ \hfill & \le lnexp\left(\epsilon \right|Q\left(D\right)-Q\left(D^{\prime }\right)|/\Delta \left(Q\right))\hfill \\ \hfill & \le lnexp\left(\epsilon \right)\hfill \\ \hfill & \le \epsilon \hfill \end{array}$$

where r represents the output after the processing of differential privacy. Therefore, the privacy loss is determined by the allocated privacy budget $\epsilon$ and does not exceed $\epsilon$.

5.1.2. Privacy Protection

These schemes BA [23], BD [23], E-RescueDP [24] and CLDP [29] to be compared in this paper all satisfy w-event privacy. Here, we will prove whether the DP-SCR proposed in this paper satisfies w-event privacy.

Claim 1. 

The proposed DP-SCR satisfies w-event privacy.

Proof. 

In DP-SCR, the perturbation phase is the only one accessing raw traffic flow. If ${\displaystyle \sum _{j=t-w+1}^t}{\overline{\epsilon }}_j^i\le \epsilon$ for each section, Claim 1 holds, where ${\overline{\epsilon }}_j^i$ is the privacy budget allocated for section i at timestamp j in perturbation.

For section i, ${\epsilon }_t^i$ is the allocated privacy budget at timestamp t after the adaptive allocation of the privacy budget. Then, the budget privacy ${\epsilon }_t^i$ will be changed after dynamic clustering, and the changed privacy budget will be denoted as ${\overline{\epsilon }}_t^i$. If section i belongs to $C_t^h$, ${\overline{\epsilon }}_t^i={\widehat{\epsilon }}_t^h$, where ${\widehat{\epsilon }}_t^h=\underset{x\in C_t^h}{min}\left({\epsilon }_t^{x,i}\right)$, meaning ${\epsilon }_t^i\ge {\widehat{\epsilon }}_t^h$. Otherwise, ${\overline{\epsilon }}_t^i={\epsilon }_t^i$. Thus, ${\epsilon }_t^i\ge {\overline{\epsilon }}_t^h$ holds. Moreover, as ${\displaystyle \sum _{j=t-w+1}^t}{\epsilon }_j^i\le \epsilon$ for section i at any successive w timestamps has been required in the mechanism of the adaptive allocation of the privacy budget, ${\displaystyle \sum _{j=t-w+1}^t}{\overline{\epsilon }}_j^i\le \epsilon$ is tenable. Finally, according to Theorem 2, the proposed DP-SCR satisfies w-event privacy, so Claim 1 holds.    □

5.2. Correlation Analyses

Claim 2. 

The spatial correlation between traffic flows is more remarkable than other characteristics of traffic flows in the prediction.

Proof. 

Traffic flows have four characteristics, i.e., temporal correlation, spatial correlation, historical correlation and multistate. The authors in [33] indicated that the prediction for traffic flows is only related to the temporal, spatial and historical correlation between traffic flows, and they illustrated that the multistate is useless. Upon further analysis, the prediction for traffic flows also has little effect on the historical correlation between traffic flows due to the following reasons: (1) On-road traffic events, such as accidents and road closures, affect the traffic flows in the transportation system, and these effects cannot be predicted a priori [35]. (2) Off-road events have a major impact on the traffic flows and may not be included in the usual historical traffic flows [35]. (3) The timestamps of sampling are too short to predict the traffic flows at the next timestamp by using historical traffic flows in the sharing of real-time traffic flows. Thus, the prediction for traffic flows is mainly correlated with temporal and spatial characteristics. Also, the authors in [36,37] have also emphasized that most of the mechanisms on the prediction for traffic flows mainly are based on temporal correlation and spatial correlation. However, the spatial characteristics of traffic flows can reflect the correlation between traffic flows more distinctly than the temporal characteristics of traffic flows, which has been illustrated as follows.

The Pearson correlation coefficient is used to calculate the spatial correlation between traffic flows, i.e., ${\rho }_{X,Y}=COV(X,Y)/{\sigma }_X{\sigma }_Y$, where $COV$ is covariance, ${\sigma }_X$ and ${\sigma }_Y$ are, respectively, the standard deviation of X and Y. In the experiment, the traffic flows of the target section and the traffic flows of its linked sections at 160 successive timestamps are, respectively, served as X and Y. Then, the spatial correlation between traffic flows is 0.7072. Also, the autocorrelation coefficient is adopted to calculate the temporal correlation of the above-mentioned traffic flows, where the range of retardation timestamp is [0, 10], and the sample size is 10,000, which is large enough for the coefficient calculation. Figure 4 shows the temporal correlation of X, where all results are smaller than 0.3. As the larger correlation value means a more remarkable correlation, the spatial correlation between traffic flows is more striking than the temporal correlation between traffic flows.

That is, the prediction based on spatial correlation obtains more accurate results than that based on other characteristics of traffic flows. Thus, Claim 2 holds.   □

5.3. Effects of Filtering on DP-SCR

In many differential privacy schemes, the sanitized traffic flows can not be shared directly because the noise caused by perturbation may reduce the accuracy of the shared traffic flows. Thus, the filtering mechanism is used to improve the accuracy of the sanitized traffic flows after perturbation.

In E-RescueDP [24], it uses Kalman Filter to improve the accuracy of the sanitized traffic flows. To compare the effects of filtering in the proposed DP-SCR and E-RescueDP, we also use the Kalman Filter (KF) to deal with the noise in DP-SCR.

Inspired by the FAST algorithm [17], KF [38] is used to improve the accuracy of the sanitized traffic flows $M\left(D_{t+1}^i\right)$. The filtering mechanism includes two steps: $Predict$ and $Correct$, which are shown in Algorithm 4.

Algorithm 4: Filtering with KF for $M\left(D_{t+1}^i\right)$.

Require: the previous shared $r_t^i$ and noisy measurement $Z_{t+1}^i=M\left(D_{t+1}^i\right)$. Ensure: the posterior estimate ${\widehat{x}}_{t+1}^i$. 1: $KFPredict(t+1)$: 2: ${\overline{x}}_{t+1}^i=r_t^i$; 3: ${\overline{P}}_{t+1}^i=P_t^i+G$; 4: $KFCorrect(t+1)$: 5: $K_{t+1}^i={\overline{P}}_{t+1}^i/({\overline{P}}_{t+1}^i+H)$; 6: ${\widehat{x}}_{t+1}^i={\overline{x}}_{t+1}^i+K_{t+1}^i\left(z_{t+1}^i\right)-{\overline{x}}_{t+1}^i$; 7: $P_{t+1}^i=(1-K_{t+1}^i){\overline{P}}_t^i$.

The posterior estimate ${\widehat{x}}_{t+1}^i$ is the final shared traffic flow of section i at timestamp t + 1, i.e., $r_{t+1}^i={\widehat{x}}_{t+1}^i$. The detailed principles and processes of KF have been explained in FAST algorithm, the readers may refer to [17].

Some experiments on filtering are conducted in this paper. As shown in Figure 5, the $MRE$ of DP-SCR is slightly influenced by Kalman Filter and has a smaller value. It indicates that DP-SCR without Kalman Filter also has high accuracy. Thus, the sanitized traffic flows in DP-SCR without Kalman Filter can be shared directly.

In addition, the $MRE$ of E-RescueDP adopting and not adopting Kalman Filter are larger than that of DP-SCR. It indicates that DP-SCR is superior to E-RescueDP in terms of accuracy.

5.4. Complexity Analyses

The proposed DP-SCR scheme is compared with the other four schemes (i.e., BA, BD, E-RescueDP, and CLDP) in terms of time complexity, and the comparison results are shown in

Table 2. The comparison of complexity time.

schemes	BA [23]	BD [23]	E-RescueDP [24]	CLDP [29]	DP-SCR
complexity time	$\mathcal{O}\left(d\right)$	$\mathcal{O}\left(d\right)$	$\mathcal{O}\left(m{d}^2\right)$	$\mathcal{O}\left(d\right)$	$\mathcal{O}\left(mde\right)$

, where d is the number of sections, m is the number of groups/clusters in E-RescueDP and DP-SCR, and e represents the number of iterations required for the convergence of the 2-means in DP-SCR. As can be seen, BA, BD, and CLDP schemes are faster than E-RescueDP and DP-SCR, and DP-SCR may be faster than E-RescueDP when the number of sections is large.

6. Experimental Simulation and Evaluation

In this section, the related experiments are simulated on real-world datasets, and the performance of the proposed DP-SCR is compared with that of schemes E-RescueDP [24], BD [23] and BA [23]. All our experiments are run in Matlab 2018a platform on PC with Intel(R) Core(TM) i5-4590 CPU @ 3.30 GHz, 4.00 G main memory, and 500 GB hard disk with the Microsoft Windows 7 operating system.

The datasets of our experiments include the vehicular mobility dataset and the street layout dataset. The vehicular mobility dataset is mainly based on the real data collected by the General Departmental Council of Val de Marne (94) in France (Downloaded at http://vehicular-mobility-trace.github.io/ accessed on 2 March 2024). It comprises around 10,000 traces, over rush hour periods of two hours in the morning (7 a.m.–9 a.m.) and two hours in the evening (5 p.m.–7 p.m.). The real street layout of the Creteil roundabout area (sampled area) is obtained from the OpenStreetMap database, as shown in Figure 6. Here, each 400-m road is served as one section.

Subsequently, a traffic flow dataset with 160 timestamps for each section is created, which is sampled every 85 s from the vehicular mobility dataset. Moreover, the traffic flow dataset contains vehicle numbers, vehicle coordinates on the two-dimensional plane (x and y coordinates in meters), vehicle speed (in meters per second), and vehicle id. The target section is randomly selected from the sections generated by function Q. In any case, to ensure the credibility of our experiments, all experiments involving the Laplace mechanism are conducted 100 times, and the average value of these 100 experiment results is represented by the points in the figures.

6.1. Data Utility of the Shared Traffic Flow

In this section, we conduct experiments for the designed adaptive allocation of privacy budget and dynamic clustering to evaluate the superiority in terms of data utility. The accuracy of the shared traffic flows reflects the data utility. The mean absolute error ($MAE$) and the mean relative error ($MRE$) are served as an accuracy metric. Moreover, the smaller the $MAE$ and $MRE$ are, the more accurate the traffic flows are. Let $F^{i,n}=\{f_{1+m}^i,f_{2+m}^i,\cdots ,f_{n+m}^i\}$ be raw traffic flows, and let $R^{i,n}=\{r_{1+m}^i,r_{2+m}^i,\cdots ,r_{n+m}^i\}$ be the sanitized traffic flows of section i at successive n timestamps before Filtering. Then, the formulas for the $MAE$ and $MRE$, respectively, are

$$MAE(F^{i,n},R^{i,n})=(1/n)\times \sum _{j=1}^n|f_{j+m}^i-r_{j+m}^i|,\mathrm{and}$$

$$MRE(F^{i,n},R^{i,n})=\frac{(1/n)\times {\displaystyle \sum _{j=1}^n}\left(\right|f_{j+m}^i-r_{j+m}^i\left|\right)}{max(r_{j+m}^i,\delta )},$$

where $\delta$ is the bound of small traffic flows, which is used to reduce the effect of excessively small traffic flows and is equal to 0.1% of ${\displaystyle \sum _{j=1}^n}{f}_{j+m}^i$.

(1) Prediction accuracy evaluation for DP-SCR. The allocation for privacy budget affects the accuracy of the predicted traffic flows greatly. RescueDP and E-RescueDP are the baseline temporal-based schemes designed for the sharing of real-time data with w-event privacy. Due to the performance of E-RescueDP being better than that of RescueDP, we only compare our scheme with the preferable E-RescueDP in terms of the accuracy of prediction. In these experiments, the privacy budget is $\epsilon =1$.

E-RescueDP is based on the temporal correlation with the Elman network [39] (an RNN algorithm). In the Elman network, the number of neurons is 5 in the input layer, 18 in the hidden layer and 1 in the output layer, respectively. The designed diagram of the Elman network is shown in Figure 7. Moreover, the traffic flows at the first successive 80 timestamps of the target section is selected as the training sets, and the remaining traffic flows are taken as the testing sets. As depicted in Figure 8, the blue line represents the training loss (i.e., mean squared error) of the Elman network during training. It is noteworthy that the training loss remains stable and is equal to 0.012323 at 4997 epochs. In Figure 9, the blue dashed lines depict the raw traffic flows, while the orange solid lines represent the predicted traffic flows. Figure 9a displays the predicted results in the E-RescueDP scheme. The results show that there are significant differences between the predicted results of E-RescueDP and the raw traffic flows, where the $MAR$ and $MRE$ in E-RescueDP are 5.0875 and 0.4881, respectively.

In the proposed DP-SCR, the traffic data of the above target section and its linked sections at the last 80 timestamps are selected as experimental data. For fair comparison, the model $M_v$ is trained on Elman network also with the number of neurons is 18 in the hidden layer and 1 in the output layer, respectively. The number of neurons is 3 in the input layer, including the shared traffic flow, maximal speed limit, and sampling period. The prediction results of DP-SCR are shown in Figure 9b, where the predicted traffic flows match the raw traffic flows well. Moreover, the $MAR$ and $MRE$ in DP-SCR are 3.1000 and 0.2680, respectively.

In summary, the predicted results in DP-SCR are more accurate than that in E-RescueDP, which means the data utility of the proposed scheme is higher.

(2) Accuracy evaluation for dynamic clustering. The dynamic clustering based on bisecting k-means is adopted to reduce the perturbation error caused by the small traffic flows, which will result in the loss of data utility. In the experiments on dynamic clustering, an experimental dataset based on real data is created, where the dataset includes 5000 sections with small traffic flows that are allocated with a random privacy budget. The $MRE$ of the bisecting k-means is compared with that of non-partitioned operation and dynamic programming, where the dynamic programming is the partitioned operation in [24]. Figure 10 illustrates the $MRE$ results of different strategies with different sections. It observes that the $MRE$ of DP-SCR is smaller than that of other schemes, indicating the higher data utility of the shared traffic flows obtained by the dynamic clustering in DP-SCR compared to other partitioned operations.

6.2. Data Utility vs. Privacy Budget $\left(\epsilon \right)$

In this section, the experiments about the $MAE$ and $MRE$ are conducted when $\epsilon$ varies from 0.1 to 1.0. The $MAE$ and $MRE$ of DP-SCR are compared with those of schemes BA [23], BD [23], E-RescueDP [24] and CLDP [29]. BA and BD are baseline w-event privacy schemes for the real-time data release, and CLDP is the baseline w-event privacy scheme with local differential privacy. Figure 11 compares $MAE$ and $MRE$ for the shared traffic flows with $\epsilon$ changing, where w is fixed and equal to 10. The results indicate that the $MAE$ and $MRE$ of DP-SCR with any privacy budget are significantly smaller than those of other schemes. Moreover, the $MAE$ and $MRE$ of BA, BD and LCDP decrease as $\epsilon$ increases, and the magnitude of the decrease is also becoming smaller. The changes in the $MAE$ and $MRE$ of E-RescueDP and DP-SCR are little. There are three reasons for the above experimental results. First, BA, BD and CLDP allocate too small privacy budget for perturbation, which introduces more noise into the shared data. Second, the prediction of DP-SCR is more accurate than that of E-RescueDP, so the $MAR$ and $MER$ of DP-SCR are smaller than those of E-RescueDP. Third, since the adaptive allocation of budget privacy is adopted in E-RescueDP and DP-SCR, providing more reasonable privacy budgets, the $MAR$ and $MER$ of them are relatively stable when $\epsilon$ changes.

6.3. Data Utility vs. Sliding Window Size $\left(w\right)$

The data utility of DP-SCR is compared with that of schemes BA, BD, E-RescueDP and LCDP, where w varies from 5 to 45. The results are shown in Figure 12, where the $MAE$ and $MRE$ of DP-SCR are higher than those of other schemes. Also, the $MAE$ and $MRE$ of BA, BD and LCDP increase as w increases, and the $MAE$ and $MRE$ of E-RescueDP and DP-SCR are relatively stable. This is because the adaptive allocation of privacy budget and dynamic processing improve the accuracy of the shared traffic flows and make them robust to the changes in w.

7. Conclusions

In this paper, we propose a scheme, named DP-SCR, to ensure the sharing of real-time traffic flows with high data utility under privacy protection. DP-SCR consists of four key components: adaptive allocation of privacy budget, dynamic clustering, approximation and perturbation. In the proposed DP-SCR, we take advantage of the spatial correlation prediction and the novel clustering strategy to improve the accuracy of the shared traffic flows. Moreover, the results of the experiments on real-world datasets have also shown that the shared traffic flows in DP-SCR are more accurate than those in the existing baseline w-event privacy schemes. Also, in terms of privacy protection, DP-SCR has been proven to satisfy w-event privacy, which provides strong privacy protection to the shared traffic flows.

However, some aspects that still exist can be improved in future work. First, more characteristics of traffic flows may be considered together in prediction to improve the data utility. Second, genetic algorithms [40] may be used to improve the accuracy of the spatial correlation prediction. Finally, other privacy-preserving methods such as secure data deduplication [41], blockchain-based secure sharing scheme [42] and federated learning [43,44] can be used to enhance the data utility and security.