Differentially Private Runtime Monitoring
Bernd Finkbeiner, Frederik Scheerer

TL;DR
This paper introduces a method to enforce differential privacy in stream-based runtime monitors by analyzing temporal dependencies and injecting calibrated noise, balancing privacy with utility.
Contribution
It presents an automated approach to enforce differential privacy in runtime monitoring specifications, addressing challenges posed by temporal dependencies and repeated disclosures.
Findings
Successfully applied to monitoring public transportation usage
Effectively balances privacy protection with output utility
Uses tree-based mechanisms to reduce accuracy loss
Abstract
Modern stream-based monitors collect detailed statistics of the runtime behavior of the system under observation. If the system runs in a privacy-sensitive context, this poses the risk of disclosing sensitive information. Differential privacy is the state-of-the-art approach for protecting sensitive information; however, integrating it into runtime monitoring is challenging: temporal operators can cause individual input values to influence multiple outputs over time, leading to repeated disclosure of private information. We propose an approach that automatically enforces differential privacy in stream-based monitoring specifications by analyzing temporal dependencies and injecting carefully calibrated noise into the specification. To preserve the utility of the outputs, we identify strategically chosen positions in the specification for noise injection and leverage tree-based mechanisms…
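As an added illustration (constructed for this summary, not code from the paper), the repeated-disclosure problem the abstract describes and the tree-based remedy on a running-total monitor over per-minute boarding counts, a setting assumed from the public-transport use case: one rider contributes 1 to a single minute, the running total is the temporal operator that re-exposes that rider in every later output, and the standard binary-tree (dyadic block) mechanism stands in for the paper's own noise placement, which this example does not reproduce.

```python
# Constructed example: naive per-output noise vs. the binary-tree mechanism
# for a running-total monitor over per-minute boarding counts.
import math

def laplace(scale, rng):
    """Laplace(0, scale) sample by inverse CDF; rng only needs .random()."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def naive_prefix_sums(counts, eps, rng):
    """Noise each output on its own. The running total is a temporal operator:
    input i feeds outputs i..T-1, so one rider is disclosed up to T times and
    holding the TOTAL privacy loss at eps forces per-output scale T/eps."""
    T, total, out = len(counts), 0, []
    for c in counts:
        total += c
        out.append(total + laplace(T / eps, rng))
    return out

def dyadic_nodes(t):
    """Binary decomposition of the prefix [0, t) into (level, block) pairs."""
    nodes, lo = [], 0
    for level in range(t.bit_length() - 1, -1, -1):
        if (t >> level) & 1:
            nodes.append((level, lo >> level))
            lo += 1 << level
    return nodes

def tree_prefix_sums(counts, eps, rng):
    """Binary-tree mechanism: noise each dyadic block sum once. An input lies in
    one block per level (L+1 blocks), so Laplace((L+1)/eps) per block keeps the
    whole output stream eps-DP, and each output adds at most L+1 noisy blocks."""
    T = len(counts)
    L = T.bit_length() - 1
    scale = (L + 1) / eps
    memo = {}
    def node(level, block):
        if (level, block) not in memo:
            size = 1 << level
            memo[(level, block)] = (sum(counts[block * size:(block + 1) * size])
                                    + laplace(scale, rng))
        return memo[(level, block)]
    return [sum(node(lv, b) for lv, b in dyadic_nodes(t)) for t in range(1, T + 1)]

def noise_scales(T, eps):
    """Per-output Laplace scale that keeps the whole stream eps-DP: naive vs. tree."""
    return T / eps, T.bit_length() / eps

class NoNoise:
    """Stand-in rng that makes laplace() return 0, to check the decomposition."""
    def random(self):
        return 0.5
```

With a real generator (for example `random.Random(0)`), the naive variant's error grows linearly in the stream length T while the tree variant's grows only polylogarithmically, which is the accuracy gain the Findings attribute to tree-based mechanisms.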
