The VLDB Journal (2010) 19:385–410
DOI 10.1007/s00778-009-0170-1
REGULAR PAPER
Suppressing microdata to prevent classification based inference
Ayça Azgin Hintoglu · Yücel Saygın
Received: 24 April 2008 / Revised: 11 August 2009 / Accepted: 3 October 2009 / Published online: 19 November 2009
© Springer-Verlag 2009
Abstract The revolution of the Internet together with the
progression in computer technology makes it easy for insti-
tutions to collect an unprecedented amount of personal data.
This pervasive data collection rally coupled with the increas-
ing necessity of dissemination and sharing of non-aggregated
data, i.e., microdata, raised a lot of concerns about privacy.
One method to ensure privacy is to selectively hide the con-
fidential, i.e. sensitive, information before disclosure. How-
ever, with data mining techniques, it is now possible for an
adversary to predict the hidden confidential information from
the disclosed data sets. In this paper, we concentrate on one
such data mining technique called classification. We extend
our previous work on microdata suppression to prevent both
probabilistic and decision tree classification based inference.
We also provide experimental results showing the effective-
ness of not only the proposed methods but also the hybrid
methods, i.e., methods suppressing microdata against both
classification models, on real-life data sets.
Keywords Privacy · Disclosure protection ·
Data suppression · Data perturbation · Data mining
This work was partially funded by the Information Society
Technologies programme of the European Commission, Future and
Emerging Technologies under the IST-6FP-014915 GeoPKDD project.
A. Azgin Hintoglu · Y. Saygın (B)
Sabancı University, Istanbul, Turkey
e-mail: ysaygin@sabanciuniv.edu
A. Azgin Hintoglu
e-mail: aycah@sabanciuniv.edu
1 Introduction
In tandem with the advances in networking and storage
technologies, the private sector as well as the public sector has
increased their efforts to gather, manipulate, and commodify
information on a large scale. Non-governmental organiza-
tions collect large amounts of personal information about
their customers or members for many reasons including bet-
ter customer relationship management and high-level deci-
sion making. Public safety, on the other hand, is the major
motivation for large-scale personal information collection
efforts initiated by governmental organizations. This perva-
sive data-harvesting effort coupled with the increasing need
to share the data with other institutions or with public raised
concerns about privacy. Privacy is the ability of an individ-
ual to prevent information about himself becoming known
to other people without his approval [1]. More specifically,
it is the right of individuals to have the control over the data
they provide. This includes controlling (1) how the data are
going to be used, (2) who is going to use it, and (3) for what
purpose.
Widespread usage of powerful data analysis tools and data
mining techniques, enabling institutions to extract previously
unknown and strategically useful information from huge col-
lections of data sets and thus gain competitive advantages,
has also contributed to the fears about privacy. Data min-
ing techniques can be used for many reasons including but
not limited to national security warning and national security
decision making [2] for government agencies, and providing
better business intelligence and customer relationship man-
agement for enterprises. On the other hand, they can also be
used by adversaries to infer hidden confidential information
about individuals from the disclosed data sets, and thus pose
a great threat to privacy. The security and privacy threats
due to use of data mining techniques was first pointed out
123
386 A. Azgin Hintoglu, Y. Saygın

Table 1 Academic health

medical records ID Name Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis

1 Alice 90302 Female 29 Y N Y Dyspepsia

2 Bob 90410 Male 22 N Y Y Angina Pectoris
3 John 90301 Male 27 Y N N Dyspepsia
4 Lisa 90310 Female 43 Y N N Gastritis
5 Chris 90301 Male 52 N Y Y Gastritis
6 Leo 90410 Male 47 Y Y Y Angina Pectoris
7 Prue 90305 Female 30 N N Y Angina Pectoris
8 Joe 90402 Male 36 N Y Y Angina Pectoris
8 Ross 90301 Male 52 Y Y Y Gastritis

Table 2 Academic health

medical records shared with Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis
Academic Research Institute
90302 Female 29 Y N Y Dyspepsia
90410 Male 22 N Y Y ?
90301 Male 27 Y N N Dyspepsia
90310 Female 43 Y N N Gastritis
90301 Male 52 N Y Y Gastritis
90410 Male 47 Y Y Y Angina Pectoris
90305 Female 30 N N Y Angina Pectoris
90402 Male 36 N Y Y Angina Pectoris
90301 Male 52 Y Y Y Gastritis

by O’Leary [3] and was discussed further in a symposium
on knowledge discovery in databases and personal privacy
[4–7]. Since then, privacy issues have become one of the most
important aspects of database and data mining research.
Example 1 Consider an on-line federation of hospitals and
research organizations collaborating with each other, named
HealthFed. Each federated hospital collects medical records
of their patients together with their privacy preferences, and
interacts with research organizations within the federation
to share this information. In particular, assume that the city
clinic Academic Health and Academic Research Institute,
both being part of the HealthFed federation, collaborate
with each other for research purposes. More specifically,
Academic Health shares patients’ medical records with
Academic Research Institute after ensuring the privacy pref-
erences of each patient is preserved. Table 1 shows such
patients who gave consent to Academic Health to disclose
their medical records to third persons for research purposes
provided that their ID and name attributes are removed before
disclosure. However, Bob, knowing that it might still be pos-
sible to link his medical records with other data sources
through potentially identifying attributes like gender, zip-
code, and age, required that not only his name but also his
diagnosis information to be hidden before disclosure.
Therefore, Academic Health removed not only the ID and
name attributes but also the diagnosis information from Bob’s
medical records before sharing it, as shown in Table 2. Unfor-
tunately, given these medical records, Academic Research
Institute can easily find Bob’s diagnosis to be Angina
Pectoris using a predictive data mining technique called clas-
sification.
In this paper, we address this particular problem of pri-
vacy preserving microdata diclosure. We assume that each
individual might have different preferences regarding their
privacy. Therefore, the confidential attributes might differ for
each individual. With such a setting, one method to ensure
privacy while disclosing a microdata set is to selectively
hide1 the confidential data values. This method ensures pri-
vacy from a micro-level perspective. But, this is not the
case for the macro-level perspective, as with powerful data
analysis tools and data mining techniques it is now possi-
ble for an adversary to predict hidden confidential infor-
mation using the rest of the disclosed data set. We concen-
trate on one such possible threat—classification—which is a
data mining technique widely used for prediction purposes.
We extend our previous work [8] on microdata suppression
1 Deleting or replacing with a symbol denoting unknown.

123
Suppressing microdata to prevent classification based inference
(1) to prevent not only probabilistic but also decision tree
classification based inference, and (2) to handle not only
single but also multiple confidential data value suppression
to reduce the side-effects. We achieve this by finding a set
of data values that might cause confidential information to
be disclosed from the released microdata set indirectly, i.e.,
through classification-based inference, and replacing them
with a symbol indicating suppression.
Much research has taken place in the area of disclosure
protection in order to preserve privacy. One such popular
disclosure protection approach is cell suppression [9,10].
The basic idea of cell suppression is to protect sensitive
information in aggregated data sets, i.e., statistical tables.
The problems addressed by cell suppression and microdata
suppression are quite similar in principal. Nevertheless, the
methodologies used are completely different, as the charac-
teristics of the data sets they are trying to protect are different.
In statistical tables, inference results from the marginal totals
given along with the aggregated data itself. On the other hand,
in a microdata set it results from the statistical correlations
between non-aggregated attributes.
Another method, specifically proposed to ensure privacy
of disclosed microdata sets, is anonymization. Ano-nymi-
zation aims at modifying microdata sets before disclosure
such that the identities of individuals cannot be recognized
using other microdata sets that are available to public. Var-
ious approaches [11–13,15,16], employing generalization
and suppression on potentially identifying portions of the
data sets, were proposed to address the anonymization prob-
lem. However, all of them have the inherent problem of
assuming that the set of potentially identifying attributes
is known in advance. This assumption is a strong one con-
sidering that we live in an internetworked society in which
institutions are increasingly required to make their data elec-
tronically available. For example, in United States, all gov-
ernmental records, except those covered by a specified set
of exceptions including The Privacy Act of 1974, are freely
available for public access according to Freedom of Infor-
mation Act. Examples of such records include birth, death,
and marriage records, drivers’ records, real estate ownership
records, court records, etc. [17,18]. With diverse sources of
information available online, mostly unanonymized, it is hard
to determine the potentially identifying attributes with 100%
confidence. Moreover, it has been shown in various works
that the proposed approaches to solve the anonymization
problem fail to provide anonymity, and hence do not protect
privacy [19–21]. Finally and most importantly, approaches
addressing anonymization assume that each individual hav-
ing a record in the microdata set has the same privacy pref-
erences, which is far from being realistic.
The remainder of this paper is organized as follows: Sect. 2
presents the probabilistic and decision tree classifiers, the
Microdata Suppression problem, the modification schemes,
387
and the evaluation metrics. The details of suppression algo-
rithms are described in Sect. 3. Section 4 provides a discus-
sion on the effectiveness of proposed suppression algorithms.
Sect. 5 reports on our emprical results. The related work on
data suppression and privacy is discussed in Sect. 6. Finally,
Sect. 7 concludes the paper and outlines future research direc-
tions of this study.
2 Preliminaries
2.1 Problem formulation
Let Λ = {α1 , α2 , . . . , αn } be the set of attributes with asso-
ciated domains 2 Vα1 , Vα2 , . . . , Vαn , and extended domains 3
eVα1 , eVα2 ,…, eVαn , respectively. Let D = {d1 , d2 , . . . , dm }
be the microdata set where each tuple di ∈ eVα1 × eVα2 ×
· · · × eVαn is an ordered list of values.
For each attribute α j ∈ Λ, there is a mapping α j [di ] :
eVα1 × eVα2 × · · · × eVαn → eVα j from eVα1 × eVα2 × · · · ×
eVαn into the extended domain eVα j . The mapping α j [di ]
represents the value of attribute α j of microdata tuple di .
Similarly, for each microdata set D, there is a mapping
D[constraint] : D → S ∈ 2 D from D = {d1 , d2 , ..., dm }
into S ∈ 2 D . The mapping D[constraint] represents the
set of all tuples satisfying the constraint, expressed in con-
junctive normal form, on attribute values. Examples of valid
constraint expressions include the following:
– α1 [d] = val1 ,
– ¬ α1 [d] = val1 ,
– αi [d] = vali ∧ ¬ α j [d] = val j , and
– α1 [d] = val1 ∧ α2 [d] = val2 ∧ · · · ∧ αn [d] = valn .
Definition 2.1 (Classifiers (Σ)) Σ denotes the set of all clas-
sifiers that aims to predict the value of a single attribute, i.e.,
the target attribute4 ατ , in terms of the predictor attributes.5
Each classifier ς ∈ Σ is defined in the context of a training
data set and a target attribute. For example, a classifier of type
Naı̈ve Bayesian built using the data set D with ατ ∈ Λ as the
D,ατ
target attribute is denoted as ςnb . If the type of the clas-
sifier, the training data set or the target attribute is unknown
or not relevant in a given context, then a special symbol ⊥
is used instead of the respective symbol. For example, ς⊥D,ατ
2 The domain of an attribute is represented by a finite set of discrete
values excluding the unknown (i.e. null) value denoted by ν.
3 The extended domain of an attribute is represented by a finite set of
discrete values including the unknown (i.e. null) value denoted by ν
such that eVα j = Vα j ∪ {ν}.
4
Also called the class attribute or the dependent attribute.
5 Also called the independent attributes.
123
388
denotes the set of all classifiers built using the data set D with
ατ ∈ Λ as the target attribute. Following the training phase,
each classifier ς ∈ Σ can be viewed as a function that takes
a microdata tuple and predicts the most probable value of the
target attribute based on other attributes’ values. For example,
if ς ∈ ς⊥⊥,ατ , then ς : (eVα1 × eVα2 × · · · × eVαn ) → Vατ .
Definition 2.2 (Naı̈ve Bayesian Classifier (Σnb )) Let the jth
attribute value of tuple di , that is α j [di ], is unknown. Accord-
ing to Bayes’ theorem the probability that α j [di ] has value
v ∈ Vα j is equal to the posterior probability of v conditioned
on di and is given by
p(v) p(di |v)
p(v|di ) = (1)
p(di )
where p(v) and p(di ) are the prior probabilities of v and
di , respectively, and p(di |v) is the posterior probability of
di conditioned on v. Naı̈ve Bayesian classifier is a proba-
bilistic classifier based on Bayes’ theorem with the class
conditional independence assumption, that is, the effect of
an attribute value on another attribute (i.e. class attribute) is
independent of the values of the remaining attributes. Due to
class conditional independence assumption, we can rewrite
the posterior probability p(di |v) as follows:

j−1 
n which can be built to predict the confidential data values.
p(di |v) = p(αk [di ]|v) p(αk [di ]|v) (2)
k=1 k= j+1
D−d ,α
The Naı̈ve Bayesian Classifier ςnb i j built using D − di
as the training data set will predict the most probable value
for α j [di ] as vπ ∈ Vα j if and only if the following condition
holds:
p(vπ |di ) > p(v|di ) | ∀v ∈ Vα j − vπ (3)
Since p(di ) is same for all v ∈ Vα j , it can be ignored as
shown below:
p(vπ ) p(di |vΠ ) > p(v) p(di |v) | ∀v ∈ Vα j − vπ (4)
Definition 2.3 (ID3 Classifier (Σid3 )) Let α j [di ] be
D−d ,α
unknown. The ID3 classifier ςid3 i j built using D − di
as the training data set is a decision tree where each internal
node represents a decision node, each branch represents an
outcome of the decision, and each leaf node represents a pos-
sible value v ∈ Vα j for α j [di ]. Such a classifier will predict
the most probable value for α j [di ] as vπ ∈ Vα j if and only if
the test of the remaining attributes of di against the decision
tree leads a path from the root node to a leaf node labeled
with vπ .
Definition 2.4 (Suppressing a Confidential Data Item) Let
D  be the microdata set after applying a set of modifications
to D. The confidential data value α j [di ] will be suppressed
with respect to D  , if and only if there exist no classifiers that
can correctly predict the confidential data value.
D  −di ,α j
ς (di ) = α j [di ] ∀ς ∈ ς⊥ (5)
123
A. Azgin Hintoglu, Y. Saygın
In this work, we relax the above statement such that there
exists no Naı̈ve Bayesian or ID3 classifier that can correctly
predict the confidential data value.
D  −di ,α j D  −di ,α j
ς (di ) = α j [di ] ∀ς ∈ ςnb ∪ ςid3 (6)
2.2 Modification strategies for microdata suppression
There are two possible modification strategies that can be
adopted to address the microdata suppression problem.
Modification Strategy 1. Deleting an Attribute Value. This
modification scheme, also referred to as hiding, involves
replacement of attribute values, including the confidential
data values, with a special symbol denoting the unknown
(i.e. null) value ν. Replacing attribute values with ν results in
uncertainty in the microdata set. For example, in the simplest
case of a binary attribute, an unknown value can be either 0
or 1. Assuming that the value was 0 will contribute to the
resulting classification model in a contradicting way com-
pared to the assumption that it was 1. By carefully selecting
the tuples and attributes to replace with an unknown value,
we can decrease the precision of the classification models
The details of how to select these values to replace with ν are
provided below in the form of downgrade strategies.
Modification Strategy 2. Generalizing an Attribute Value.
This modification scheme involves generalization of attribute
values, including the confidential data values, using a concept
hierarchy or an ontology.
Within the scope of this study, we proposed suppression
algorithms utilizing the deletion scheme, and leave the gen-
eralization scheme as part of our future work.
2.3 Downgrade strategies for microdata suppression
There are two possible downgrade strategies that can be
adopted to address the Microdata Suppression Problem.
Downgrade Strategy 1. Classification Model Downgrade.
Let D be the original microdata set with the confidential data
value α j [di ]. Classification model downgrade aims at trans-
forming the original microdata set D to D  that satisfies the
following constraints:
i. α j [di ] = ν,
ii. ∀α ∈ Λ − α j , α[di ] = α[di ],
D−di ,α j
iii. D − di = D  − di , iff ∃ς ∈ ς⊥ ς (di ) = α j [di ],
D  −di ,α j
iv. ∀ς ∈ ς⊥ ς (di ) = α j [di ].
This scheme aims at degrading all classification models ς ∈
D  −di ,α j
ς⊥ by modifying the tuples d ∈ D − di .
Suppressing microdata to prevent classification based inference 389

Downgrade Strategy 2. Microdata Tuple Downgrade. Let where

D be the original microdata set with the confidential data
value α j [di ]. Microdata tuple downgrade aims at transform-
ing the original microdata set D to D  that satisfy the follow-
ing constraints:
i. α j [di ] = ν,
D−di ,α j
ii. ∃α ∈ Λ−α j , α[di ] = α[di ], iff ∃ς ∈ ς⊥
α j [di ],
iii. D − di = D  − di ,
D  −di ,α j D−di ,α j
iv. ς⊥ = ς⊥ , and
D−d ,α
v. ∀ς ∈ ς⊥ i j ς (di ) = α j [di ].
Unlike the classification model downgrade, this scheme deg-
rades only the microdata tuple containing the confidential
D−d ,α
data value di such that the classification models ς ∈ ς⊥ i j
cannot correctly predict the confidential data value α j [di ].
Within the scope of this study, we proposed two suppres-
sion algorithms for downgrading the classification model and
two suppression algorithms for downgrading the microdata
tuple to prevent probabilistic and decision tree classification
based inference.
2.4 Evaluation measures
The two important issues in microdata suppression are (1)
minimization of information loss enabling further use of the
resulting microdata set, and (2) maximization of uncertainty
enabling protection of confidential data values from classi-
fication based inference. In the following, seven metrics for
measuring information loss and uncertainty incurred by the
suppression process are introduced, respectively.
2.4.1 Information loss metrics
In this work, three different metrics are used to measure the
information loss: the Direct Distance, Sum of Kullback Lei-
bler Distances and Average Change in Mutual Information.
The Direct Distance, the simplest of all information loss
metrics, basically counts the number of attribute values hid-
den during the suppression process.
Definition 2.5 (Direct Distance) Let D and D  be the orig-
inal and modified microdata sets, respectively. The direct
distance between D and D  can be defined as the number of
non-matching attribute values.

m 
n
D D(D, D  ) = disti j
i=1 j=1

0 if α j [di ] = α j [di ]
disti j =
1 otherwise
The second information loss metric, utilized within the
scope of this work, is the Sum of Kullback Leibler Distances.
This metric measures the information loss in terms of the
distance between the first-order probability distributions of
ς (di ) = the original and the modified microdata sets.
Definition 2.6 (Kullback Leibler Distance) Let D and D 
be the original and modified microdata sets, respectively. Let
α ∈ Λ be an attribute with probability distribution pα in
D and pα in D  . The Kullback Leibler distance between D
and D  in terms of attribute α can be defined as the distance
between the first-order probability distributions of α in D
and D  .

pα (v)
K L D(D, D  ) = D( pα || pα ) = pα (v)log  (8)
pα (v)
v∈Vα
Definition 2.7 (Sum of Kullback Leibler Distances) Let D
and D  be the original and modified microdata sets, respec-
tively. The sum of Kullback Leibler distances between D and
D  over all attributes α ∈ Λ can be defined as follows:

S K L D(D, D  ) = D( pα || pα ) (9)
α∈Λ
The last information loss metric used is the Average
Change in Mutual Information. This metric measures the
information loss by finding the average change in joint prob-
ability distributions of all attributes.
Definition 2.8 (Mutual Information) Let αk ∈ Λ and αl ∈ Λ
be two attributes of the microdata set D with probability dis-
tributions pαk and pαl , respectively, and joint probability dis-
tribution pαk ,αl . The mutual information between αk and αl
in D, measuring their mutual dependence, can be defined as
follows.
I D (αk , αl ) = D( pαk ,αl || pαk pαl )
  pα ,α (vk , vl )
= pαk ,αl (vk , vl )log k l (10)
pαk pαl
vk ∈Vαk vl ∈Vαl
Definition 2.9 (Average Change in Mutual Information) Let
D and D  be the original and modified microdata sets, respec-
tively. The average change in mutual information over all
attributes α ∈ Λ can be defined as follows:
n n I D (αi ;α j )
2 i=1 j=i I D  (αi ;α j )

AC M I (D, D ) = (11)
n(n − 1)
2.4.2 Uncertainty metrics
In this work, a single metric, the Sum of Conditional Entro-
(7) pies is used to measure the uncertainty introduced into the
modified data set. Higher uncertainty implies better privacy.

123
390
Fig. 1 Microdata suppression
algorithms
Definition 2.10 (Conditional Entropy) Let D and D  be the
original and modified microdata sets, respectively, and α ∈ Λ
be an attribute. Let X αD on Vα be a random variable with
instances α[d1 ], α[d2 ], ..., α[dm ] and probability distribution

pα . Let X αD on Vα be a random variable with instances
α[d1 ], α[d2 ], ..., α[dm ] and probability distribution pα . The

conditional entropy of X αD given X αD can be defined as fol-
lows:
  
H (X αD |X αD ) = − p(v, v  )log( p(v|v  )) (12)
v∈Vα v  ∈Vα
Definition 2.11 (Sum of Conditional Entropies) Let D and
D  be the original and modified microdata sets, respectively.
The sum of conditional entropies of D given D  can be
defined as follows:
 
SC E(D, D  ) = H (X αD |X αD ) (13)
α∈Λ
The detailed descriptions of the information theoretic met-
rics introduced in this section can be found in [22].
3 Our approaches for suppressing microdata
As pointed in Sect. 2, hiding a confidential data value alone
may not be enough to protect it, in case the whole data set is
going to be disclosed. This results from the fact that an adver-
sary can build a classification model using the rest of the data
set as the training data set and s/he could use it to predict the
actual confidential data value. In order to avoid such attacks,
we propose four algorithms suppressing only one confiden-
tial data value at a time, against two popular classifier types:
probabilistic and decision tree classifiers, as shown in Fig. 1.
We select Naı̈ve Bayesian and ID3 as typical representatives
of probabilistic and decision tree classifiers, respectively, and
developed our heuristics accordingly. Moreover, we propose
enhancement to two of the proposed algorithms to suppress
multiple confidential data values at a time to reduce the side
effects.
123
A. Azgin Hintoglu, Y. Saygın
3.1 Suppression against probabilistic classification models
In the following, we present three algorithms for preventing
probabilistic classification-based inference. The proposed
algorithms aim to suppress a confidential data value, such
that it is no longer among the Top-1 Probable value set.
Definition 3.1 (Top-k Probable) Let α j [di ] be confidential
and thus be replaced by ν. The Naı̈ve Bayesian Classifier
D−d ,α
ςnb i j built using D−di as the training data set will predict
α [d ]
the Top-k Probable value set for α j [di ] as Ωk j i ⊆ Vα j . The
Top-k Probable value set satisfies the following constraints:
i. Its size is equal to k.
 
 α j [di ] 
Ωk =k (14)
ii. The probability of α j [di ] being equal to the least proba-
ble value in the Top-k Probable value set is greater than
the probability of α j [di ] being equal to the most probable
value among the remaining attribute values.
α [di ] α [di ]
p(ω|di )>p(v|di ) | ∀v ∈ Vα j −Ωk j ∧ ω ∈ Ωk j
(15)
The proposed suppression algorithms aim at either reduc-
ing p(α j [di ]|di ) below that of a randomly selected attribute,
called the Random Next Best Guess, among Top-k Probable6
value set or increasing the probability of a set of selected attri-
butes, called the Next Best Guess Set, above p(α j [di ]|di ).
Definition 3.2 (Random Next Best Guess) The random
next best guess, vr nbg ∈ Vα j , is a randomly selected value
from Vα j satisfying the following conditions:
i. It is different from α j [di ].
vr nbg = α j [di ] (16)
6 The effect of changing k is further discussed in Sect. 4.
Suppressing microdata to prevent classification based inference 391

ii. It is among the Top-k Probable value set. p(α j [di ]) p(di |α j [di ])
p(α j [di ]|di ) =
p(di )
α [di ]
∼
= p(α j [di ]) p(di |α j [di ])
vr nbg ∈ Ωk j (17) α j [di ]
∼
= p(α j [di ]) p(α M I [di ]|α j [di ])

iii. The probability of α th × p(α[di ]|α j [di ])
j attribute of di being equal to vr nbg 
is smaller than that of confidential data value α j [di ] and α j [di ]
α∈Λ− α j ,α M I
greater than zero.
Let us assume that,
p(α j [di ]|di ) > p(vr nbg |di ) > 0 (18)
α [di ]
– the size of the microdata set D[α j [d] = α j [di ] ∧ α Mj I
3.1.1 DECP algorithm α [d ]
[d] = α Mj I i [di ]] − di be F α j [di ] , and
α j [di ],α M I
The DECP algorithm aims at suppressing the confidential – the size of the microdata set D[α j [d] = α j [di ]] − di be
data value α j [di ] so that it cannot be correctly predicted by Fα j [di ] .
D  −d ,α
the downgraded classification model ςnb i j . It accom-
plishes its goal by decreasing the probability p(α j [di ]|di ) Single replacement of a maximum impact data value causes
below that of the random next best guess vr nbg . α [d ]
p(α Mj I i [di ]|α j [di ]) to decrease from F α j [di ] / Fα j [di ]
α j [di ],α M I
to F α j [di ] − 1/Fα j [di ] . This, in turn decreases p(di |α j
Definition 3.3 (Maximum Impact Attribute) The attribute α j [di ],α M I
α [d ]
with maximum impact on p(α j [di ]|di ), denoted by α Mj I i , [di ]) by F α j [di ] − 1/F α j [di ] as shown below.
α j [di ],α M I α j [di ],α M I
is the one that satisfies the following conditions:
α [d ]
α [d ]   p  (di |α j [di ]) = p  (α Mj I i [di ]|α j [di ])
α Mj I i = arg min  D[α j [d]=α j [di ] ∧ α[d]=α[di ]]−di  
α∈Λ × p  (α[di ]|α j [di ])
  
∧  D[α j [d] = α j [di ] ∧ α[d] = α[di ]] − di  > 1 (19) α j [di ]
α∈Λ− α j ,α M I

Definition 3.4 (Maximum Impact Data Values) The maxi- F α j [di ] −1

α j [di ],α M I
α [d ]
mum impact data values are the instances of α Mj I i in tuples =
Fα j [di ]
d ∈ D[α j [d] =
α [d ]
α j [di ] ∧ α Mj I i [d] =
α [d ]
α Mj I i [di ]] excluding 
× p(α[di ]|α j [di ])
di . 
α j [di ]
α∈Λ− α j ,α M I

In each iteration, the DECP algorithm identifies the maxi- F α j [di ] F α j [di ] −1
α [d ] α j [di ],α M I α j [di ],α M I
mum impact attribute α Mj I i and modifies the tuples d, such =
α [d ] α [d ] F α j [di ] Fα j [di ]
that d ∈ D[α j [d] = α j [di ] ∧ α Mj I i [d] = α Mj I i [di ]] − di , α j [di ],α M I
α [d ] 
by replacing α Mj I i [d] with ν until the goal is achieved, that × p(α[di ]|α j [di ])
is, until p(α j [di ]|di ) becomes less than p(vr nbg |di ). Each 
α j [di ]
α∈Λ− α j ,α M I
such replacement results in the maximum possible reduction
in p(α j [di ]|di ), thus requiring less number of modifications. F α j [di ] −1
α j [di ],α M I α [d ]
= p(α Mj I i [di ]|α j [di ])
α [d ] F α j [di ]
Theorem 3.1 Let α Mj I i be the maximum impact attribute α j [di ],α M I

satisfying Equation (19). Then, every replacement of a maxi- × p(α[di ]|α j [di ])
mum impact data value with ν causes the maximum decrease 
α j [di ]
α∈Λ− α j ,α M I
in p(α j [di ]|di ), thus resulting in fewer data values to be mod-
ified. F α j [di ] −1
α j [di ],α M I
= p(di |α j [di ])
Proof Let us first find the effect of replacing a maximum F α j [di ]
α j [di ],α M I
impact data value with ν on p(α j [di ]) p(di |α j [di ]). Remem-
ber that, since p(di ) is same for all v ∈ Vα j , it can be ignored Now let us assume that there is another attribute αk which
α [d ]
when calculating p(α j [di ]|di ). decreases p(α j [di ]|di ) more than that of α Mj I i . This implies

123
392
the following:
F −1
α j [di ]
Fα j [di ],αk − 1 α j [di ],α M I
< Example 2 Now, let us illustrate how the DECP algorithm
Fα j [di ],αk F α j [di ]
α j [di ],α M I
(Fα j [di ],αk − 1)F α j [di ] < (F
α j [di ],α M I α j [di ],α M I
Fα j [di ],αk < F α j [di ]
α j [di ],α M I
which contradicts the definition of Maximum Impact Attri-
bute. So, we can conclude that every replacement of a max-
imum impact data value with ν causes the highest decrease
in p(α j [di ]|di ) which in turn implies that the number of data
values that should be modified is minimal. 
Step 2 The probability p(angina pectoris|d2 ) is greater
The algorithm works as follows: Let α j [di ] be confiden-
tial. As the first step, the algorithm verifies the need for sup-
pression. It finds p(v|di ) for all v ∈ Vα j and checks the truth
value of the following assertion:
p(α j [di ]|di ) > p(v|di )|∀v ∈ Vα j − α j [di ]
If Assertion (20) is true, it picks a random next best guess
vr nbg from Vα j . Next, in each iteration it finds the maximum
α [d ]
impact attribute α Mj I i and replaces the maximum impact
data values by ν as long as p(α j [di ]|di ) > p(vr nbg |di ). After
processing all maximum impact attributes, it re-checks the
truth value of Assertion (20). If Assertion (20) is still true, it
reverts all changes and deletes the tuple di from the microdata
set. An overview of the algorithm is depicted in Fig. 2a.
If |Vα j | = 2 is true, then suppressing the confidential
data value might result in an adversary guessing it correctly
with 100% confidence. Therefore, the decision to suppress
a confidential data value is randomized for the case where
|Vα j | = 2. This results in an adversary guessing the actual
confidential data value with 50% confidence which is the
maximum uncertainty that can be achieved under such cir-
cumstances.
Lemma 3.1 Let α j [di ] be the confidential data value, n be
the number of attributes, and N be the number of tuples
in D[α j [d] = α j [di ]] − di . Then, the upper bound for the
number of data values that can be modified by the DECP
algorithm is equal to (n − 1)(N − 1).
Proof The proof of this statement is straightforward. The
DECP algorithm modifies the maximum impact data val-
α [d ]
ues from the tuples d ∈ D[α j [d] = α j [di ] ∧ α Mj I i [d] =
α [d ] α [d ] α [d ]
α Mj I i [di ]]−di . As D[α j [d] = α j [di ]∧α Mj I i [d] = α Mj I i
[di ]] ⊆ D[α j [d] = α j [di ]], the number of tuples that can be
modified for each maximum impact attribute is bounded by
N − 1. At each iteration, the DECP algorithm picks a differ-
ent maximum impact attribute and replaces the instances of
this attribute with ν. Since there are n − 1 different alterna-
tives for a maximum impact attribute, we can conclude that
123
A. Azgin Hintoglu, Y. Saygın
the DECP algorithm can replace at most (n − 1)(N − 1) data
values with ν for suppressing a confidential data value.

suppress Bob’s confidential diagnosis.
α j [di ] − 1)Fα j [di ],αk Step 1 Initially, the Naı̈ve Bayesian classification model is
constructed to find the probabilities p(v|di ) for all v ∈ Vα j =
{dyspepsia, angina pectoris, gastritis}. The Naı̈ve
Bayesian classification model constructed using the medical
records of Table 2 is shown in Table 3. According to the model
the probabilities are p(dyspepsia|d2 ) = 0, p(angina
pectoris|d2 ) = 16 , and p(gastritis|d2 ) = 18 1
.
than both p(dyspepsia|d2 ) and p(gastritis|d2 ). As Bob’s
diagnosis can be correctly predicted, the suppression process
starts.
Step 3 Let us assume that gastritis is selected as the ran-
dom next best guess. From this point on the DECP algo-
(20)
rithm will try to decrease p(angina pectoris|d2 ) below
p(gastritis|d2 ).
Step 4 To select the maximum impact attribute, the counts
for each symptom attribute is found as follows:
– countindigestion = |D[diagnosis[d] = diagnosis[d2 ]
∧indigestion[d] = indigestion[d2 ]]| = 2
– countchest pain = |D[diagnosis[d] = diagnosis[d2 ]
∧chest pain[d] = chest pain[d2 ]]| = 2
– count palpitation = |D[diagnosis[d] = diagnosis[d2 ]
∧ palpitation[d] = palpitation[d2 ]]| = 3
Since they have the same minimum count, both indigestion
and chest pain can be the maximum impact attribute. Let us
assume that indigestion is selected as the maximum impact
attribute.
Step 5 All tuples d satisfying the constraint indigestion
[d] = N ∧ diagnosis[d] = angina pectoris is found.
Tuples 7 and 8 satisfy the aforementioned constraint.
Step 6 The indigestion attribute is hidden from tuple 7. With
this replacement p(angina pectoris|d2 ) decreases by 21 to
12 . As p(angina pectoris|d2 ) is still greater than
1
p(gastritis|d2 ), the suppression process continues with the
next maximum impact attribute which is chest pain.
Step 7 All tuples d satisfying the constraint chest pain[d]
= Y ∧ diagnosis[d] = angina pectoris is found. Tuples
6 and 8 satisfy the aforementioned constraint.
Step 8 The chest pain attribute is hidden from tuple 6. With
this replacement p(angina pectoris|d2 ) decreases by 21 to
24 . As p(angina pectoris|d2 ) is smaller than p(gastritis|
1
d2 ), the suppression process stops. The resulting microdata
can be seen in Table 4.
Suppressing microdata to prevent classification based inference 393

(a)

(b)
Fig. 2 Pseudocode of DECP and INCP algorithms. a. Pseudocode of DECP algorithm. b. Pseudocode of INCP algorithm

123
394 A. Azgin Hintoglu, Y. Saygın

Table 3 Naı̈ve Bayesian

Diagnosis p(Diagnosis) p(Symptom|Diagnosis) p(Diagnosis|d2 )
classification model constructed
using the medical records shown Indigestion Chest pain Palpitation
in Table 2
Dyspepsia 2/8 0 0 1/2 0
Gastritis 3/8 1/3 2/3 2/3 1/18
Angina pectoris 3/8 2/3 2/3 1 1/6

Table 4 Academic health

medical records after DECP Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis
execution
90302 Female 29 Y N Y Dyspepsia
90410 Male 22 N Y Y ?
90301 Male 27 Y N N Dyspepsia
90310 Female 43 Y N N Gastritis
90301 Male 52 N Y Y Gastritis
90410 Male 47 Y ? Y Angina Pectoris
90305 Female 30 ? N Y Angina Pectoris
90402 Male 36 N Y Y Angina Pectoris
90301 Male 52 Y Y Y Gastritis

3.1.2 INCP algorithm
The INCP algorithm aims at suppressing the confidential data
value α j [di ] so that it cannot be correctly predicted by the
D  −d ,α
downgraded classification model ςnb i j . It accomplishes
its goal, as its name implies, by increasing the probabili-
ties p(v|di ) for all v in the next best guess set,Snbg , above
p(α j [di ] | di ).
Definition 3.5 (Next Best Guess Set) The next best guess set,
Snbg ⊆ Vα j , for microdata tuple di is the set of all attribute
values v ∈ Vα j − α j [di ] satisfying the following condition:
Snbg = v|v ∈ Vα j − α j [di ] ∧ p(v|di ) ≥ p(vr nbg |di ) (21)
For each v ∈ Snbg , the INCP algorithm identifies the tuples
d ∈ D[α j [d] = v] having no common attribute value with
di and modifies them by replacing α j [d] with ν in order to
increase p(v|di ).
The algorithm works as follows: Let α j [di ] be confiden-
tial. As the first step, the algorithm verifies the need for sup-
pression. It finds p(v|di ) for all v ∈ Vα j and checks the truth
value of Assertion (20). If Assertion (20) is true, it picks a
random next best guess vr nbg from Vα j and forms Snbg by
finding the attribute values v ∈ Vα j satisfying p(v|di ) ≥
p(vr nbg |di ). Next, for each v ∈ Snbg , the algorithm finds
the tuples d ∈ D[¬ α1 [d] = α1 [di ] ∧ · · · ∧ ¬ α j−1 [d] =
α j−1 [di ] ∧ α j [d] = v ∧ ¬ α j+1 [d] = α j+1 [di ] ∧ · · · ∧
¬ αn [d] = αn [di ]] and modifies them by replacing α j [d]
with ν until the goal is achieved, that is, until p(v|di ) becomes
less than or equal to p(α j [di ]|di ). After processing all
attribute values v ∈ Snbg , it re-checks the truth value of
Assertion (20). If Assertion (20) is still true, then DECP algo-
rithm is executed to complete the algorithm. An overview of
the algorithm is depicted in Fig. 2b.
Lemma 3.2 Let α j [di ] be the confidential data value, m be
the number of tuples in D and N be the number of tuples
in D[α j [d] = α j [di ]] − di . Assuming that there are enough
number of tuples that can be used for the suppression pro-
cess (i.e. no need for executing DECP), the upper bound for
the number of data values that can be modified by the INCP
algorithm is equal to m − N − 1 − |Snbg |.
Proof The proof of this statement is straightforward. The
INCP algorithm modifies the tuples d ∈ D[¬ α1 [d] =
α1 [di ] ∧ · · · ∧ ¬ α j−1 [d] = α j−1 [di ] ∧ α j [d] = v ∧
¬ α j+1 [d] = α j+1 [di ] ∧ · · · ∧ ¬ αn [d] = αn [di ]] for each
v ∈ Snbg . In the worst case, Snbg contains all 
possible values

of attribute α j except α j [di ]. This implies v∈Snbg  D[α j

[d] = v] = m − N − 1. Moreover, due to the definition of
next best guess set and random next best guess the probabil-
ity p(v|di ) for each v ∈ Snbg must be greater than zero. This
implies that, in the worst case there exists at least one tuple
which has the same data values with di (except α j ) for each
v ∈ Snbg . So, we can conclude that the INCP algorithm can
replace at most m − N − 1 − |Snbg | data values with ν for
suppressing a confidential data value. 
Example 3 Now, let us illustrate how the INCP algorithm
suppress Bob’s confidential diagnosis.

123
Suppressing microdata to prevent classification based inference 395

Table 5 Academic health

medical records after INCP Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis
execution
90302 Female 29 Y N Y Dyspepsia
90410 Male 22 N Y Y ?
90301 Male 27 Y N N Dyspepsia
90310 Female 43 Y N N ?
90301 Male 52 N Y Y Gastritis
90410 Male 47 Y Y Y Angina Pectoris
90305 Female 30 ? N Y Angina Pectoris
90402 Male 36 N Y Y Angina Pectoris
90301 Male 52 Y Y Y Gastritis

Step 1 Initially, the Naı̈ve Bayesian classification model
is constructed to find the probabilities p(v|di ) for all v ∈
Vα j = {dyspepsia, angina pectoris, gastritis}. The
Naı̈ve Bayesian classification model constructed using the
medical records of Table 2 is shown in Table 3. According
to the model the probabilities are p(dyspepsia|d2 ) = 0,
p(anginapectoris|d2 ) = 16 , and p(gastritis|d2 ) = 18 1
. [d] = N ∧ diagnosis[d] = angina pectoris are found.
Step 2 The probability p(angina pectoris|d2 ) is greater
than both p(dyspepsia|d2 ) and p(gastritis|d2 ). As Bob’s
diagnosis can be correctly predicted, the suppression process
starts.
Since they have the same minimum count, both indigestion
and chest pain can be the maximum impact attribute. Let us
assume that indigestion is selected as the maximum impact
attribute.
Step 8 All tuples d satisfying the constraint indigestion
Tuples 7 and 8 satisfy the aforementioned constraint.
Step 9 The indigestion attribute is hidden from tuple 7. With
this replacement p(angina pectoris|d2 ) decreases by 21 to
21 . As p(angina pectoris|d2 ) is smaller than p(gastritis|
2

Step 3 Let us assume that gastritis is selected as the random d2 ), the suppression process stops. The resulting microdata
next best guess. From this point on, the INCP algorithm will can be seen in Table 5.
try to increase p(gastritis|d2 ) above p(an- ginapectoris|
d2 ). 3.1.3 DROPP algorithm

Step 4 All tuples d which have no common symptoms with
Bob among D[diagnosis[d] = gastritis] are found. Tuple
4 satisfies the aforementioned constraint.
Step 5 The diagnosis attribute is hidden from tuple 4. After
this replacement, p(gastritis|d2 ) increases to 17 , and
p(angina pectoris|d2 ) increases to 21 4
. As p(angina
pectoris|d2 ) is still greater than p(gastritis|d2 ), the sup-
pression process continues.
Step 6 Since there are no more tuples which have common
symptoms with Bob among D[diagnosis[d] = gastritis],
the suppression process continues with the DECP execution.
Step 7 To select the maximum impact attribute, the counts
for each symptom attribute are found as follows:
– countindigestion = |D[diagnosis[d] = diagnosis[d2 ]
The DROPP algorithm aims at suppressing the confidential
data value α j [di ] so that it cannot be correctly predicted
D−d ,α
by the classification model ςnb i j . It aims at dropping
the probability p(α j [di ]|di ) below that of the random next
best guess vr nbg so that it cannot be correctly predicted by
D−d ,α
the classification model ςnb i j . Unlike DECP and INCP
algorithms, it achieves its goal by downgrading the tuple di ,
D−d ,α
instead of downgrading classification model ςnb i j .
The algorithm employs the following modified definition
of Maximum Impact Attribute:
Definition 3.6 (Maximum Impact Attribute ) The attribute
with maximum impact on p(α j [di ]|di ), denoted by
α [d ]
α Mj I  i , is the one that satisfies the following conditions:
α [d ]
α Mj I  i = arg max
α∈Λ
∧indigestion[d] = indigestion[d2 ]]| = 2  

– countchest pain = |D[diagnosis[d] = diagnosis[d2 ]  D[α j [d] = α j [di ] ∧ α[d] = α[di ]] − di 
×  
∧chest pain[d] = chest pain[d2 ]]| = 2  D[α j [d] = vr nbg ∧ α[d] = α[di ]]
– count palpitation = |D[diagnosis[d] = diagnosis[d2 ] α [d ] α [d ]
∧ palpitation[d] = palpitation[d2 ]]| = 3 ∧ p(α Mj I  i [di ]|α j [di ]) > p(α Mj I  i [di ]|vr nbg ) (22)

123
396 A. Azgin Hintoglu, Y. Saygın

Definition 3.7 (Maximum Impact Data Value ) The Replacement of the maximum impact data value causes
F α j [di ]
maximum impact data value is the instance of maximum p(α j [di ]|di ) Fvr nbg α j [di ],α
MI
α [d ] to decrease by × as shown
impact data attribute α Mj I  i in tuple di . p(vr nbg |di ) Fα j [di ] F
vr nbg ,α
α j [di ]
MI
below.
It must be noted that, the maximum impact data values has
a higher probability of occurrence in tuples d ∈ D[α j [d] = p  (α j [di ]|di ) ∼
= p  (α j [di ]) p  (di |α j [di ])
α j [di ]] − di than that of tuples d ∈ D[α j [d] = vr nbg ]. 
= p(α j [di ]) × p(α[di ]|α j [di ])
Therefore, they are the key to decrease p(α j [di ]|di ) below 
α j [di ]
p(vr nbg |di ). α∈Λ− α j ,α M I 
α [d ]
In each iteration, the DROPP algorithm identifies α Mj I  i Fα j [di ]
α [d ]
and modifies the tuple di by replacing α Mj I  i [di ] with ν until = p(α j [di ]|di )
F α j [di ]
α j [di ],α M I 
the goal is achieved, that is, until p(α j [di ]|di ) becomes less
than p(vr nbg |di ). Each such replacement results in the max- p  (vr nbg |di ) ∼
= p  (vr nbg ) p  (di |vr nbg )
p(α [d ]|d ) 
imum possible reduction in p(vrj nbgi |dii) , thus requiring less = p(vr nbg ) × p(α[di ]|vr nbg )

number of modifications. α j [di ]
α∈Λ− α j ,α M I 
α [d ]
Theorem 3.2 Let α Mj I  i be the maximum impact attribute Fvr nbg
satisfying Eq. (22). Then, every replacement of a maximum = p(vr nbg |di )
F α j [di ]
impact data value with ν causes the maximum decrease in vr nbg ,α M I 
p(α j [di ]|di ) Fα j [di ]
p(vr nbg |di ) , thus resulting in fewer data values to be modified. p(α j [di ]|di ) F α j [di ]
p  (α j [di ]|di ) α j [di ],α
MI
Proof Let us first find the effect of replacing a maximum =
p  (vr nbg |di ) p(vr nbg |di ) F
Fvr nbg
impact data value with ν on p(α j [di ]|di ) and p(vr nbg |di ). α j [di ]
vr nbg ,α
Remember that, since p(di ) is same for all v ∈ Vα j , it can MI

be ignored when calculating p(α j [di ]|di ). F α j [di ]

p(α j [di ]|di ) Fα j [di ] vr nbg ,α M I 
= × ×
p(α j [di ]) p(di |α j [di ]) p(vr nbg |di ) Fvr nbg F α j [di ]
p(α j [di ]|di ) = α j [di ],α M I 
p(di ) F α j [di ]
∼
= p(α j i p(di |α j [di ])
[d ]) p(α j [di ]|di ) p  (α j [di ]|di ) Fvr nbg α j [di ],α M I 
/ = ×
∼ α j [di ] p(vr nbg |di ) p  (vr nbg |di ) Fα j [di ] F α j [di ]
= p(α j [di ]) p(α M I  [di ]|α j [di ]) vr nbg ,α M I 

× p(α[di ]|α j [di ]) Now, let us assume that there is another attribute αk which
 p(α [d ]|d ) α [d ]
α j [di ]
α∈Λ− α j ,α M I  decreases p(vrj nbgi |dii) more than that of α Mj I  i . This implies
the following:

Similarly, F α j [di ]
Fvr nbg Fα j [di ],αk Fvr nbg α j [di ],α M I 
× > ×
p(vr nbg ) p(di |vr nbg ) Fα j [di ] Fvr nbg ,αk Fα j [di ] F
vr nbg ,α M I 
α j [di ]
p(vr nbg |di ) =
p(di ) F α j [di ]
∼
= p(vr nbg ) p(di |vr nbg ) Fα j [di ],αk α j [di ],α M I 
vr nbg
>
∼
= p(vr nbg ) p(α M I  [di ]|vr nbg ) Fvr nbg ,αk F α j [di ]
vr nbg ,α M I 

× p(α[di ]|vr nbg ) However, this contradicts the definition of Maximum Impact
 vr nbg 
α∈Λ− α j ,α M I  Attribute . So, we can conclude that every replacement of
a maximum impact data value with ν causes the highest
p(α [d ]|d )
Let the size of the microdata set D[α j [d] = α j [di ] ∧ decrease in p(vrj nbgi |dii) , which in turn implies that the number
α [d ] α [d ] of data values that should be modified is minimal. 

α Mj I  i [d] = α Mj I  i [di ]] − di be F α j [di ] and the size
α j [di ],α M I 
of the microdata set D[α j [d] = α j [di ]] − di be Fα j [di ] . Let The algorithm works as follows: Let α j [di ] be confiden-
α [d ] tial. As the first step, the algorithm verifies the need for sup-
the size of the microdata set D[α j [d] = vr nbg ∧ α Mj I  i [d] =
α [d ] pression. It finds p(v|di ) for all v ∈ Vα j and checks the
α Mj I  i [di ]] be F α j [di ] and the size of the microdata set truth value of Assertion (20). If Assertion (20) is true, it
vr nbg ,α M I 
D[α j [d] = vr nbg ] be Fvr nbg . picks a random next best guess vr nbg from Vα j . Next, in each

123
Suppressing microdata to prevent classification based inference
Fig. 3 Pseudocode of DROPP algorithm
α [d ]
iteration it finds the maximum impact attribute α Mj I  i and
α [d ]
replaces the maximum impact data value α Mj I  i [di ]
by ν.
After each iteration, it re-checks the truth value of Assertion
(20) to decide whether to continue execution. If Assertion
(20) is still true after all possible maximum impact attributes
are processed, it reverts all changes and deletes the tuple
di from the microdata set. An overview of the algorithm is
depicted in Fig. 3.
Lemma 3.3 Let α j [di ] be the confidential data value and n
be the number of attributes. Then, the upper bound for the
number of data values that can be modified by the
DROPP algorithm is equal to n − 1.
Proof The proof of this statement is straightforward. The
DROPP algorithm modifies just the tuple di which has n − 1
data values excluding the confidential data value. So, we can
conclude that the DROPP algorithm can replace at most n −1
data values with ν for suppressing a confidential data value.

d2 ).
397
Example 4 Now, let us illustrate how the DROPP algorithm
suppress Bob’s confidential diagnosis.
Step 1 Initially, the Naı̈ve Bayesian classification model is
constructed to find the probabilities p(v|di ) for all v ∈ Vα j =
{dyspepsia, angina pectoris, gastritis}. The Na-ı̈ve
Bayesian classification model constructed using the medi-
cal records of Table 2 is shown in Table 3. According to the
model the probabilities are p(dyspepsia|d2 ) = 0, p(angina
pectoris|d2 ) = 16 , and p(gastritis|d2 ) = 18 1
.
Step 2 The probability p(angina pectoris|d2 ) is greater
than both p(dyspepsia|d2 ) and p(gastritis|d2 ). As Bob’s
diagnosis can be correctly predicted, the suppression process
starts.
Step 3 Let us assume that gastritis is selected as the random
next best guess. From this point on, the DROPP algorithm
will try to drop p(angina pectoris|d2 ) below p(gastritis|
123
398 A. Azgin Hintoglu, Y. Saygın

Table 6 Academic health

medical records after DROPP Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis
execution
90302 Female 29 Y N Y Dyspepsia
90410 Male 22 ? Y ? ?
90301 Male 27 Y N N Dyspepsia
90310 Female 43 Y N N Gastritis
90301 Male 52 N Y Y Gastritis
90410 Male 47 Y Y Y Angina Pectoris
90305 Female 30 N N Y Angina Pectoris
90402 Male 36 N Y Y Angina Pectoris
90301 Male 52 Y Y Y Gastritis

Step 4 To select the maximum impact attribute , the follow-
ing counts and ratios are found:
angina pectoris
– countindigestion = |D[diagnosis[d] = angina
pectoris ∧ indigestion[d] = indigestion[d2 ]]| = 2
gastritis
– countindigestion = |D[diagnosis[d] = gastritis
∧indigestion[d] = indigestion[d2 ]]| = 1
angina pectoris
– countchest pain = |D[diagnosis[d] = angina
pectoris ∧ chest pain[d] = chest pain[d2 ]]| = 2
gastritis
– countchest pain = |D[diagnosis[d] = gastritis
∧chest pain[d] = chest pain[d2 ]]| = 2
angina pectoris
– count palpitation = |D[diagnosis[d] = angina
pectoris ∧ palpitation[d] = palpitation[d2 ]]| = 3
gastritis
– count palpitation = |D[diagnosis[d] = gastritis∧
palpitation[d] = palpitation[d2 ]]| = 2
– ratiochest pain = 1
– ratioindigestion = 2
– ratio palpitation = 3/2
As, indigestion has the maximum ratio, it is selected as the
maximum impact attribute .
Step 5 The indigestion attribute is hidden from tuple 2. With
this replacement p(angina pectoris|d2 ) increases to 41 , and
p(gastritis|d2 ) increases to 16 . As p(angina pectoris|d2 )
is still greater than p(gastritis|d2 ), the suppression process
continues with the next maximum impact attribute which is
palpitation.
Step 6 The palpitation attribute is hidden from tuple 2. With
this replacement p(angina pectoris|d2 ) remains the same,
but p(gastritis|d2 ) increases to 41 . As p(angina pectoris|
d2 ) is equal to p(gastritis|d2 ), the suppression process
stops. The resulting microdata can be seen in Table 6.
3.2 Suppression against decision tree classification models
In the following, we present the HID3 algorithm for prevent-
ing decision tree classification based inference.
3.2.1 HID3 algorithm
The HID3 algorithm aims at suppressing the confidential data
D−d ,α
value α j [di ] so that the ID3 classification model ςid3 i j
cannot correctly predict its actual value. Similar to the
DROPP algorithm, it achieves its goal by downgrading the
tuple di .
The algorithm works as follows: Let α j [di ] be confiden-
tial. As the first step, the algorithm builds the decision tree
D−d ,α
using D−di and verifies the need for suppression. If ςid3 i j
can correctly predict the confidential data value it calls the
recursive ID3Hide function. Then, the ID3Hide function
checks whether the root node is a leaf. If it is a leaf and
its value is different from the confidential data value α j [di ]
it returns true, which in turn terminates the recursive func-
tion successfully. Or else, it returns false. If the root node is
not a leaf, then it finds the most probable value vπ ∈ Vα j for
α j [di ], and checks whether vπ is equal to α j [di ]. If the most
probable value vπ is not equal to the actual confidential data
value α j [di ] it returns true. Otherwise, it further explores the
child nodes of the root in order to suppress α j [di ]. Let the
decision attribute of the root node be αr oot , the most com-
mon child of the root (i.e. the child with highest training
population) be child MC and the child containing αr oot [di ]
be child Match . If αr oot [di ] = ν or child Match = child MC it
tries to suppress the confidential data value using child MC .
Or else, it uses child Match for suppression. After exploring
all possible sub-branches, if the algorithm fails to suppress
the confidential data value, it reverts all changes and deletes
the tuple di from the microdata set. An overview of the algo-
rithm is depicted in Fig. 4.

123
Suppressing microdata to prevent classification based inference
Fig. 4 Pseudocode of HID3 algorithm
If |Vα j | = 2 is true, then suppressing the confidential
data value might result in an adversary guessing it correctly
with 100% confidence. Therefore, the decision to suppress
a confidential data value is randomized for the case where
|Vα j | = 2. This results in an adversary guessing the actual
confidential data value with 50% confidence which is the
maximum uncertainty that can be achieved under such cir-
cumstances.
Lemma 3.4 Let α j [di ] be the confidential data value and
n be the number of attributes. Then, the upper bound for
the number of data values that can be modified by the HID3
algorithm is equal to n − 1.
Proof The proof of this statement is straightforward. The
HID3 algorithm modifies just the tuple di which has n − 1
data values excluding the confidential data value. So, we can
conclude that the HID3 algorithm can replace at most n − 1
data values with ν for suppressing a confidential data value.

Example 5 For this specific example, let us assume Bob does
not have any chest pain and illustrate how the HID3 algo-
rithm suppress his confidential diagnosis.
Step 1 Initially, the ID3 classification model shown in Fig. 5
is constructed based on the medical records shown in Table 2.
399
Fig. 5 Decision tree constructed using the medical records shown in
Table 2
Step 2 Starting from the root=node 1, the ID3Hide func-
tion checks whether it is possible to correctly predict Bob’s
diagnosis. Since Bob’s diagnosis can be correctly predicted
using the path chest pain = N ∧ indi- gestion = N , the
suppression process starts.
Step 3 Using the whole microdata the ID3Hide function
checks whether the majority of the tuples have chest pain =
N . Since, the number of tuples having chest pain = N is
equal to the number of tuples having chest pain = Y , the
function calls itself with root=node 3.
Step 4 Starting from the subtree root=node 3, the ID3- Hide
function checks whether it is possible to correctly predict
Bob’s diagnosis. Since Bob’s diagnosis can be correctly pre-
dicted using the path indigestion = N , the suppression
process continues.
Step 5 Using only the tuples with chest pain = N , the
ID3Hide function checks whether the majority of the tuples
have indigestion = N . Since the number of tuples having
indigestion = N is smaller than the number of tuples hav-
ing indigestion = Y , the function calls itself with root=
node 5.
Step 6 As node 5 is a leaf, the ID3Hide function checks
whether the most probable value, i.e., angina pectoris, and
the confidential diagnosis are equal. As they are equal, the
function returns from the recursive call signaling an unsuc-
cessful run.
Step 7 As the recursive call to ID3Hide was unsuccessful,
the current node’s attribute, i.e., the indigestion attribute, is
hidden from Bob’s tuple. Next, the function calls itself with
root=node 4, as tuples with indigestion = Y constitute the
majority among tuples with chest pain = N .
123
400 A. Azgin Hintoglu, Y. Saygın

Table 7 Academic health

medical records after HID3 Zipcode Gender Age Indigestion Chest pain Palpitation Diagnosis
execution
90302 Female 29 Y N Y Dyspepsia
90410 Male 22 ? Y Y ?
90301 Male 27 Y N N Dyspepsia
90310 Female 43 Y N N Gastritis
90301 Male 52 N Y Y Gastritis
90410 Male 47 Y Y Y Angina Pectoris
90305 Female 30 N N Y Angina Pectoris
90402 Male 36 N Y Y Angina Pectoris
90301 Male 52 Y Y Y Gastritis

Step 8 Starting from the subtree root=node 4, the ID3- Hide
function checks whether it is possible to correctly predict
Bob’s diagnosis. Since Bob’s diagnosis cannot be correctly
predicted using the path palpitation = Y , the suppression
process stops. The resulting microdata can be seen in Table 7.
3.3 Suppression of multiple confidential data values
In the following, we present the enhanced versions of DECP
and DROPP algorithms for preventing probabilistic classi-
fication based inference. The proposed algorithms aim to
reduce to side-effects while suppressing multiple confiden-
tial data values.
3.3.1 e-DECP algorithm
The enhanced DECP algorithm aims at suppressing multiple
confidential data values at a time so that none of them can be
correctly predicted by the downgraded classification model
D  ,α
ςnb j . The proposed algorithm reduces the side-effects of
the original DECP algorithm when (1) all confidential data
values belong to a single attribute, and (2) all confidential
data values have the same value. The generic case which
handles the suppression of multiple confidential values that
belong to different attributes require exhaustive modeling of
dependencies and will be investigated as part of our future
work.
The algorithm works as follows: Let α j be the confidential
attribute, S ⊂ D be the set of tuples for which α j , satisfy-
ing the constraint α j [d] = con f _value for all d ∈ S, is
confidential. As the first step, the algorithm replaces all con-
fidential data values with ν. Then, it identifies the candidate
maximum impact data values, and initializes their primary
and secondary impacts. The primary impact is the number
of tuples which will be affected (i.e. the probabilities will be
affected) if an instance of the maximum impact data value is
replaced with ν. The secondary impact, on the other hand, is
the number of tuples that support both the confidential data
value (i.e. α j = con f _value) and maximum impact data
value. Next, for each tuple d ∈ S, the need for suppression is
verified by finding p(v|d) for all v ∈ Vα j and checking the
truth value of the following assertion:
p(α j [d]|d) > p(v|d)|∀v ∈ Vα j − α j [d] (23)
If Assertion (23) is true for a tuple d ∈ S, it picks a random
next best guess vrdnbg , from Vα j . Next, the candidate maxi-
mum impact data values are sorted. Different from the orig-
inal DECP, which uses only the secondary impact to deter-
mine which maximum impact data value to use, e-DECP also
uses the primary impact in order to guarantee suppress of
maximum number of confidential data values with a single
iteration. With maximum impact values sorted, the rest of
the execution is quite similar to the original DECP which
involves replacement of maximum impact data value
instances, calculation of probabilities, and re-checking of
Assertion (23). An overview of the algorithm is depicted in
Fig. 6a.
3.3.2 e-DROPP algorithm
The enhanced DROPP algorithm aims at suppressing mul-
tiple confidential data values at a time so that none of them
can be correctly predicted by the corresponding classifica-
D,α
tion models ςnb . The proposed algorithm reduces the
side-effects of the original DROPP algorithm when all confi-
dential data values belong to a single tuple. The generic case
which handles the suppresion of multiple confidential values
that belong to multiple tuples require exhaustive modeling
of dependencies and will be investigated as part of our future
work.
The algorithm works as follows: Let [di ] be the tuple con-
taining multiple confidential data values, and S be the set
of attributes containing a confidential data value in di . As
the first step, the algorithm verifies the need for suppression
for each confidential data value. More specifically, for each
α ∈ S, it finds p(v|di ) where v ∈ Vα and checks the truth

123
Suppressing microdata to prevent classification based inference 401

(a)

(b)
Fig. 6 Pseudocode of e-DECP and e-DROPP algorithms. a. Pseudocode of e-DECP algorithm. b. Pseudocode of e-DROPP algorithm

value of the following assertion:
p(α[di ]|di ) > p(v|di )|∀v ∈ Vα − α[di ]
If Assertion (24) is true, it picks a random next best guess
vrvnbg
α
from Vα . Next, it identifies the candidate maximum
impact data values, and initializes their impacts on each
confidential value.7 To identify the maximum impact data
value in each iteration, the impacts of candidates are aver-
(24)
aged and sorted. With maximum impact values sorted, the
rest of the execution is quite similar to the original DROPP
7 Please refer to the Eq. (22) for the calculation of impact.

123
402
which involves replacement of maximum impact data value
instances from di , calculation of probabilities and re-check-
ing of Assertion (24). An overview of the algorithm is
depicted in Fig. 6b.
4 Discussion on the effectiveness of suppression
algorithms
The motivation of the suppression algorithms presented in
this paper is to make a given set of confidential data values
non-discoverable, while minimizing the effect on the use-
fulness of the data for purposes other than predicting the
confidential data values. But, how can we make sure that an
adversary would not be able to predict the suppressed con-
fidential data values? Certainly this might be a problem if
randomization is not employed in various stages of the algo-
rithms. Let us assume that an adversary knows not only D  ,
the transformed microdata set, but also Vα j , the domain of
the confidential data value α j [di ], and analyze how randomi-
zation avoids prediction of the actual confidential data value.
First, let us assume that a modified version of DECP is used
in order to suppress the confidential data value α j [di ]. This
version of DECP aims at decreasing p(α j [di ]|di ) below that
of the next best guess vnbg instead of vr nbg .
Definition 4.1 (Next Best Guess) The next best guess, vnbg
∈ Vα j , is a randomly selected value from Vα j satisfying the
following conditions:
i. It is different from α j [di ],
vnbg = α j [di ] (25)
ii. It is among the top-2 probable set,
α [di ]
vnbg ∈ Ω2 j (26)
iii. The probability of α th
j attribute of di being equal to vnbg
is smaller than that of confidential data value α j [di ] and
greater than zero.
p(α j [di ]|di ) > p(vnbg |di ) > 0 (27)
This leads to a change in the ordering of the top-2 probable
α [d ]
set Ω2 j i = α j [di ], vnbg . Knowing this fact, an adver-
sary can predict the actual confidential data value to be the
α [d ]
one with the second highest probability in Ω2 j i with a
confidence equal to the success rate of the algorithm. That is
to say, if the success rate of the algorithm is 100%, then the
adversary can predict the actual confidential data value with
100% confidence. This problem exists not only in DECP but
also in INCP and DROPP algorithms. Therefore, the random
123
A. Azgin Hintoglu, Y. Saygın
next best guess is employed during suppression in order to
reduce the confidence of an adversary predicting the actual
confidential value as shown below.
Success Rate
Confidence = (28)
k
The second issue, that is inherent in all suppression algo-
rithms, occurs when |Vα j | = 2. Let us assume that the
decision to suppress the confidential data value α j [di ] is not
randomized when |Vα j | = 2. In this case, the algorithms will
try to suppress the confidential data value with the maximum
possible success rate. Knowing this fact, an adversary can
predict the actual confidential data value to be the one with
the second highest probability in Vα j with a confidence equal
to the success rate of the algorithm. In order to avoid such
attacks, we randomly decide to suppress a confidential data
value for microdata sets with |Vα j | = 2.
Another issue is the effectiveness of the suppression algo-
rithms against different classification models. Remember that
two of the proposed algorithms, the DECP and INCP algo-
rithms, aim at downgrading the classification model by
modifying D − di . In the first method, the probability of
resemblance of the tuple containing the confidential data
value to other tuples d ∈ D satisfying α j [d] = α j [di ] is
reduced. And, in the latter method, the probability of resem-
blance of the tuple containing the confidential data value to
the tuples d ∈ D satisfying α j [d] = α j [di ] is increased.
On the other hand, the DROPP and HID3 algorithms aim at
downgrading the microdata tuple containing the confidential
data value. Both methods find the attributes that enables cor-
rect prediction of the actual confidential value and hide them
from the tuple containing the confidential data value. As a
result, the probability of similarity of the tuple containing the
confidential data value to the other tuples d ∈ D satisfying
α j [d] = α j [di ] is reduced. Since all classification methods
tend to find the target attribute value of a tuple based on its
resemblance to other tuples in the training data set, the pro-
posed suppression algorithms are expected to achieve their
goal even when used with other classification methods. In
order to verify this, we measured the effectiveness of each
algorithm against both Naı̈ve Bayesian and ID3 classifica-
tion. The results can be found in Sect. 5.
The final issue that needs to be discussed is the side effect
of the proposed algorithms which is related to the number of
attribute values hidden excluding the confidential data value.
Remember that, for each suppression algorithm we derived
an upper bound for the number of attribute values that will
be modified in the previous section. According to these der-
ivations we can conclude the following:
i. The upper bound for the number of data values that can
be modified by the INCP algorithm depends on m, the
number of tuples in D,
Suppressing microdata to prevent classification based inference 403

Table 8 Data sets used in the experiments

Data set No. of No. of No. of
instances attributes unknowns

Wisconsin breast cancer 699 10 16

Car evaluation 1,728 7 0

ii. the upper bound for the number of data values that
can be modified by the DROPP and HID3 algorithms
depends on n, the number of attributes in D,
iii. the upper bound for the number of data values that can
be modified by the DECP algorithm depends on n ∗ m,
the number of attributes in D times the number of tuples
in D,
Now, let us assume that m >> n. In this case, the worst case
performance of the DROPP and HID3 algorithms should be
much better than the worst case performance of the DECP and
INCP algorithms with respect to side effects. However, for
data sets satisfying n >> m, e.g., gene expression data, the
worst case performance of the INCP algorithm will outper-
form the DECP, DROPP, and HID3 algorithms with respect
to the side effects. Note that the DECP algorithm will per-
form slightly worse than the other algorithms it is grouped
with, as in both cases either m or n loses its significance with
respect to the other term.
5 Experimental results
This section presents the experimental results. The primary
objective of the experiments is to compare the suppression
algorithms in terms of CPU time performance, rate of suc-
cess, information loss, and uncertainty.
5.1 Data sets and implementation details
In order to conduct the experiments we selected two data sets
from the University of California at Irvine repository [28],
the Wisconsin Breast Cancer data set [24] and the Car Eval-
uation data set. Table 8 provides a description of the data sets
including the number of instances, the number of attributes,
and the number of unknowns.
We implemented the proposed algorithms using the C++
programming language. To evaluate the performance of the
algorithms, we performed experiments on a 2.20 GHz Cele-
ron PC with 256 MB of memory running the Windows oper-
ating system. As the suppression algorithms contain random
components, the experimental results presented are averages
of five realizations unless stated otherwise. Moreover, in
order to illustrate the power of the algorithms we choose
Fig. 7 Average execution times of proposed algorithms
to suppress confidential data values for which the domain
size of the corresponding attribute is greater than 2.
5.2 Results and analysis of algorithms
In this study, we first measured the average execution times8
required to suppress a confidential data value. The results,
as depicted in Fig. 7, shows that the suppression algorithms
performed remarkably similar with respect to execution time.
Another performance criterion is the percent of success-
ful suppressions.9 For each suppression algorithm, we first
measured the percent of successful suppressions against the
algorithm’s primary10 classification model. As illustrated in
Fig. 5a,b, the proposed algorithms successfully suppressed
all confidential data values with respect to their primary clas-
sification model.
Next, we investigated the correctness of the following
hypotheses:
Hypothesis 5.1 All proposed algorithms suppressing confi-
dential data values against probabilistic classification models
also blocks the decision tree classification based inference.
Hypothesis 5.2 All proposed algorithms suppressing confi-
dential data values against decision tree classification models
also blocks the probabilistic classification based inference.
Hypothesis 5.3 All proposed algorithms suppressing confi-
dential data values also blocks more complex classification
models (e.g. SVM) based inference.
8 In order to find the average execution times, we suppressed a data
value from each instance of the data sets and averaged the CPU time
results.
9 A successful suppression implies that the confidential data value is
suppressed without deleting the microdata tuple containing it.
10 Naı̈ve Bayesian classification model for DECP, INCP and DROPP
algorithms, and ID3 classification model for HID3 algorithm.

123
404 A. Azgin Hintoglu, Y. Saygın

Table 9 Success of proposed algorithms against different classification models

Algorithm Percent of successful suppressions
Against Naı̈ve Bayesian classification Against ID3 classification Against SVM

W. Breast Cancer (%) Car evaluation (%) W. Breast Cancer (%) Car evaluation (%) W. Breast Cancer (%) Car evaluation (%)

DECP 100 100 77 86 41 65

INCP 100 100 75 84 41 56
DROPP 100 100 90 85 89 88
HID3 84 65 100 100 86 80

We measured the percent of successful suppressions achi-

eved by each algorithm against (1) its secondary11 classifi-
cation model, and (2) SVM using the SVM-Struct [25], as it
is a more powerful classification technique. As illustrated in
Table 9, the proposed algorithms exceeded a success rate of
65% against their secondary classification models, thus prov-
ing the correctness of Hypotheses 5.1 and 5.2. For SVM, the
success rates range from 41 to 89%. This proves that the pro-
posed algorithms still provide a protection of the confidential
data values against more powerful classification techniques.
The next performance criterion is the information loss
caused by the suppression algorithms. We used three eval-
uation metrics in order to measure the information loss: the Fig. 8 Average direct distance results of proposed algorithms
Direct Distance, Sum of Kullback Leibler Distances and
Average Change in Mutual Information. The details of these
information loss metrics can be found in Sect. 2.4.1. As a
this experiment for two sets of confidential data values:12 one
benchmark, we used the Naı̈ve Row Deletion (NRD) algo-
randomly selected from the Wisconsin breast cancer data set
rithm. The NRD algorithm suppresses a confidential data
and one randomly selected from the Car Evaluation data set.
value via deleting the microdata tuple to which it belongs,
The results are shown in Fig. 9. Similar to the average direct
i.e., replacing each and every data value forming the micro-
distance results, the HID3 algorithm causes the least amount
data tuple, including the confidential data value, with ν.
of information loss in terms of direct distance followed by
The first information loss metric we used was the aver-
the DROPP, INCP and DECP algorithms.
age direct distance which measures the average number of
The second information loss metric we used was the sum
unknowns introduced due to suppression of a single confi-
of Kullback Leibler distances which measures the distance
dential data value. The average direct distance results for the
between the first order probability distributions13 of the orig-
suppression algorithms are shown in Fig. 8. As can be seen
inal and the new data sets. The performance of suppression
from the figure, the HID3 algorithm causes the least amount
algorithms in terms of sum of Kullback Leibler distances is
of information loss in terms of direct distance followed by
shown in Fig. 10. Similar to the direct distance results, the
the DROPP algorithm. Actually, both of these algorithms are
HID3 algorithm causes the least amount of information loss
bounded by the NRD algorithm, as they aim at downgrading
in terms of sum of Kullback Leibler distances followed by
the microdata tuple instead of the classification models. On
the DROPP and NRD algorithms. The DECP and INCP algo-
the other hand, the DECP and INCP algorithms perform rel-
rithms perform relatively worse than the other algorithms.
atively worse than the others, as they aim at downgrading the
The last information loss metric we used was the average
classification model instead. Apart from the average direct
change in mutual information which measures the average
distance, we also measured the total direct distance versus the
distance between the second-order probability distributions
number of confidential data values suppressed. We realized
12 Note that, the same set of confidential data values are used throughout
the rest of the experiments measuring the information loss and uncer-
tainty.
11ID3 classification model for DECP, INCP and DROPP, and Naı̈ve 13 The probability distributions of the original and new data sets is
Bayesian classification model for HID3. derived using the extended domains of the attributes.

123
Suppressing microdata to prevent classification based inference
Fig. 9 Total Direct Distance Results of Proposed Algorithms. (a) Car Evaluation Data Set. (b) Wisconsin Breast Cancer Data Set
Fig. 10 Sum of Kullback Leibler Distance results of proposed algorithms. a. Car evaluation data set. b. Wisconsin breast cancer data set
of the original and modified data sets. The performance of
suppression algorithms in terms of average change in mutual
information is shown in Fig. 11. The results show that (1) the
HID3 algorithm causes the least amount of change in the cor-
relations within the data sets followed by the DROPP, NRD,
INCP, and DECP algorithms, and (2) the DECP and INCP
algorithms prevent inference of confidential data values bet-
ter than the DROPP and HID3 algorithms against different
classification algorithms, as they distort correlations within
the data sets more.
The final performance criterion is the uncertainty intro-
duced by the suppression algorithms. We used the sum of
conditional entropies in order to measure the expected value
of uncertainty introduced into the modified data sets. The
performance of suppression algorithms in terms of sum of
conditional entropies is shown in Fig. 12. The results show
that (1) the HID3 algorithm introduces the least amount of
uncertainty in the modified data sets followed by the DROPP,
NRD, INCP, and DECP algorithms, and (2) the DECP and
INCP algorithms prevent inference of confidential data
values better than the DROPP and HID3 algorithms against
different classification algorithms, as they cause more uncer-
tainty within the data sets.
405
We can summarize the presented experimental results as
follows:
1. There is a tradeoff between the rate of successful suppres-
sions and the information loss caused by the suppression
process.
2. The DECP algorithm achieves the highest success rate
while causing the highest amount of information loss and
uncertainty. This justifies Lemma 3.1 which states that
the upper bound for the number of data values that can
be modified by the DECP algorithm is equal to (n − 1)
(N − 1) < nm.
3. The INCP algorithm achieves the second highest suc-
cess rate while causing the second highest information
loss and uncertainty. It is followed by the DROPP and
HID3 algorithms. This ordering is completely due to
(1) the characteristics of the Wisconsin Breast Cancer
and Car Evaluation data sets satisfying the inequality
m > > n, i.e., the number of transactions is much more
than the number of attributes, and (2) the upper bounds
for the number of data values that can be modified by the
algorithms. With a data set satisfying the inequality
n > > m, the ordering for success, information loss,
123
406 A. Azgin Hintoglu, Y. Saygın

Fig. 11 Average Change in Mutual Information Results of Proposed Algorithms. (a) Car Evaluation Data Set. (b) Wisconsin Breast Cancer Data
Set

Fig. 12 Sum of Conditional Entropy Results of Proposed Algorithms. (a) Car Evaluation Data Set. (b) Wisconsin Breast Cancer Data Set

and uncertainty will be reversed and be either DROPP-

HID3-INCP or HID3-DROPP-INCP.

5.3 Results and analysis of hybrid algorithms

In this study, we merged each Naı̈ve Bayesian suppression

algorithm with the Decision Tree suppression algorithm
HID3 in a round robin fashion,14 to demonstrate the perfor-
mance of the hybrid algorithms against both classification
methods.
First, we measured the average execution times required Fig. 13 Average execution times of hybrid algorithms
by each hybrid algorithm in order to suppress a confiden-
tial data value. The results, as depicted in Fig. 13, show that
the original and hybrid suppression algorithms performed average direct distance for the hybrid algorithms as shown in
remarkably similar with respect to execution time. Next, we Fig. 14. Similar to the previous results, the DROPP+HID3
measured the percent of successful suppressions achieved by algorithm caused the least amount of information loss in
each hybrid algorithm against both classification methods. terms of average direct distance followed by the INCP+ HID3
The hybrid algorithms successfully suppressed all confiden- and DECP+HID3 algorithms.
tial data values with respect to both classification models,
and achieved 100% success rate. Finally, we measured the 5.4 Results and analysis of e-DECP and e-DROPP
algorithms
14 For example, for HID3+DECP hybrid algorithm, first the HID3 algo-
rithm is executed to suppress the confidential data value against deci-
In this study, we also enhanced the DECP and DROPP algo-
sion tree classification based inference. Then, the DECP algorithm is
executed to suppress the confidential data value against probabilistic rithms to suppress multiple confidential data values at a time.
classification based inference. In order to demonstrate the performance of the enhanced

123
Suppressing microdata to prevent classification based inference
Fig. 14 Average direct distance results of hybrid algorithms
algorithms when compared to the original ones, we carried
out 1,000 trials with randomly chosen confidential data value
sets. We measured the average number of unknowns intro-
duced due to suppression of multiple confidential data values
excluding the confidential data values themselves. The results
showed that the enhanced algorithms performed remarkably
better than the original versions, and reduced the side-effects
by 50%.
6 Related work
The problem of protecting privacy while disclosing public-
use data sets were previously investigated in the context of
statistical databases (SDBs) as the statistical disclosure lim-
itation problem (also referred to as the inference problem)
[26,54]. The statistics literature, motivated by the need to
publish statistical data sets with one or more contingency
tables containing aggregate statistics, focused on identify-
ing and protecting sensitive cells which may lead to deri-
vation of aggregate confidential information. An extensive
survey of statistical database security can be found in [26]
and more recent work on disclosure control in statistical
databases can be found in [28,29]. According to [26] the
methods proposed for securing SDBs from inference attacks
can be mainly classified into four categories:conceptual,
query restriction, data perturbation and output perturba-
tion. Conceptual approaches include techniques that detect
and remove inference channels during the database design
mainly at the conceptual data model level. Query restriction
approaches provide protection by restricting the query set
size, controlling the overlap among successive queries, or
making query results of small size unavailable to users of the
database. On the other hand, data perturbation approaches
introduce noise in the data by transforming the original data-
base into a perturbed one. These approaches either replace
the whole data set with a new one coming from the same
407
probability distribution or perturb some of the attribute values
once and for all. Finally, the output perturbation approaches
perturb the answer to queries while leaving the data in the
database unchanged.
One popular disclosure protection approach is cell
suppression [9,10]. Cell suppression consists of two sub-
approaches:primary suppression and secondary (i.e.
complementary) suppression. The basic idea of primary cell
suppression is to find all sensitive cells that might cause con-
fidential information to be disclosed from the released sta-
tistical data set and replace them by a symbol indicating the
suppression. Yet, primary suppression itself is not enough
to protect the sensitive cells due to inference channels exist-
ing in the data set. In order to reach the desired protection
for sensitive cells, other cells, i.e., marginal totals, contain-
ing non-confidential information that might lead to inference
of suppressed sensitive cells also need to be suppressed; this
is called secondary (complementary) cell suppression. More-
over, while finding a set of complementary suppressions pro-
tecting all sensitive cells, the information loss associated with
the suppressed entries has to be minimized. This combinato-
rial optimization problem is known as the Cell Suppression
Problem (CSP) in statistics literature. Since CSP belongs to
the class of NP-hard problems [30–32], many heuristic meth-
ods have been proposed [9,10,32–34] (see Willenborg and
De Waal [35] for more references) to address the problem.
CSP problem is similar to the the Microdata Suppression
Problem (MSP),which this work is trying to address. Nev-
ertheless, the methodologies used to address these problems
are quite different due to the difference in the types of data
sets they are trying to protect. In statistical data sets, infer-
ence results from the marginal totals given along with the
data itself. On the other hand, in microdata sets, inference
results from the statistical correlations between attributes like
income and education.
Another popular disclosure protection approach that
belongs to data perturbation family is microaggregation
[36–43]. Different from cell suppression, microaggregation
aims at protecting numeric microdata by clustering individ-
ual records into small aggregates and replacing actual values
of individual records by group means prior to publication.
As Ferrer et al. pointed out in his work [36], microaggre-
gation assumes confidentiality rules in use allow publica-
tion of microdata sets if the individual records correspond
to groups of k or more individuals. While an efficient
polynomial algorithm exists for optimal univariate microag-
gregation [41], microaggregation of multivariate data guar-
anteeing minimum information loss is known to be NP-hard
[38]. Hence, several heuristic methods have been proposed
[36,42,43] to address this problem. Recently, new heuristics
employing genetic algorithms have been proposed to further
lower the information loss [39,40]. Moreover, microaggre-
gation has been extended to handle categorical data by means
123
408
of employing different clustering algorithms [37]. Different
from MSP problem, microaggregation assumes all respon-
dents contributing to the microdata set have the same pri-
vacy preferences. It is meaningful to use microaggregation
in such a setting where sensitive attributes are the same for
all respondents. Nevertheless, if respondents’ privacy pref-
erences differ, then it will result unnecessary attribute values
to be generalized which will result in more information loss.
The security and privacy issues arising from the infer-
ence problem, which results in private-sensitive data to be
inferred from public-insensitive data, have also been inves-
tigated by multilevel secure databases research [44–48] and
general purpose databases research [49–52]. Methods pro-
posed within the database context mainly focus on detec-
tion and removal of meta-data, i.e., database constraints like
functional and multi-valued dependencies, based inferences
either during database design [47–49,53] or during query
time [46,54,55]. However, they do not take into account the
statistical correlations among database attributes which can
be discovered by various data mining techniques and hence
result in imprecise inferences like the rule ‘A implies B’ with
25% confidence.
There are also other approaches investigating the privacy
issues arising during microdata disclosure within the scope
of anonymization problem. K-anonymity, [11–13], being one
of those approaches, aims at preserving the anonymity dur-
ing the data dissemination process using generalizations and
suppressions on potentially identifying portions of the data
set. Other approaches addressing the anonymization prob-
lem include [15,16,56,57]. In his work [15], Iyengar uses
suppression and generalization approaches to satisfy privacy
constraints. Moreover, he examines the tradeoff between pri-
vacy and information loss within different data usage con-
texts and proposes a genetic algorithm to find the optimal
anonymization. On the other hand, in [16] Ohrn uses bool-
ean reasoning, and in [56,57] Ferrer uses microaggregation
to address the anonymization problem. Besides the fact that
these approaches successfully preserve privacy through
anonymization, none of them addresses the inference threat
to privacy due to data mining approaches. Therefore, they
do not directly apply to MSP. Moreover, similar to the mic-
roaggregation, anonymization approaches assume that each
respondent contributed to the microdata set has the same pri-
vacy preferences, i.e., wants to be anonymous, which is not
realistic.
Another approach, proposed by Wang et al. [58], addresses
the threats caused by data mining abilities, using a template-
based approach. The proposed approach aims to (1) preserve
the information for a wanted classification analysis and (2)
limit the usefulness of unwanted sensitive inferences, i.e.,
classification rules, that may be derived from the data. More
specifically, it focuses on suppressing sensitive rules, instead
of sensitive data values.
123
A. Azgin Hintoglu, Y. Saygın
The work closest to ours is proposed by Chang et al. [59].
In his work, Chang proposes a new paradigm for dealing
with the inference problem, which combines the application
of decision tree analysis with the concept of parsimonious
downgrading. He shows how classification models can be
used to predict suppressed confidential data values and con-
cludes that some feedback mechanism is needed to protect
suppressed data values against classification models.
7 Conclusion
In this paper we pointed out the possible privacy breaches
induced by data mining algorithms on hidden microdata val-
ues. We considered two classification models that could be
used for prediction purposes by adversaries. As an initial step
to attack the problem, we proposed six heuristics to suppress
the selected confidential data values so that they cannot be
inferred using probabilistic and decision tree classification
models. Our methods are based on modifying the original
microdata set by inserting unknown values with as little dam-
age as possible. Naïve Bayesian and ID3 classification mod-
els were selected as representatives of the probabilistic and
decision tree classification models, respectively. Our experi-
ments with real data sets showed that the proposed algorithms
are effective in blocking the inference channels that are based
both on their target classification models and on their second-
ary classification model. And, this verifies our statement that
each of the suppression algorithms will also prevent infer-
ence when used with other classification methods. Moreover,
we measured the side effects of the algorithms using different
metrics and observed that there is a tradeoff between the rate
of successful suppressions and the information loss caused
by the suppression process. This observation together with
the experimental results verifies our discussion on the side
effects of the suppression algorithms:
– Side effects of the DECP algorithm depend both on the
number of attributes and the number of transactions,
ensuring that the success rate of the DECP algorithm
will always be higher than the other algorithms in any
situation.
– Side effects of the INCP algorithm depend on the number
of transactions, ensuring that the success rate of the INCP
algorithm will always be higher than the other algorithms
if the number of transactions is higher than the number
of attributes.
– Side effects of the DROPP and HID3 algorithms depend
on the number of attributes, ensuring that the success rate
of these algorithms will always be higher than the other
algorithms if the number of attributes is higher than the
number of transactions.
Suppressing microdata to prevent classification based inference
Next, to increase the success of the overall suppression
process with respect to both classification models, we used a
hybrid approach which suppresses against both classification
models. The experimental results for the hybrid algorithms
showed that the success rate with respect to both classifica-
tion methods is 100%, meaning all confidential data values
are successfully suppressed.
Finally, to decrease the side-effects of the overall suppres-
sion process, when there are multiple confidential data values
to suppress, we used the enhanced heuristics, e-DECP and
e-DROPP. The experimental results for the enhanced algo-
rithms showed that the side-effects can be reduced by more
than 50%.
As part of our future work, we plan to investigate the fol-
lowing:
– Suppressing confidential data values against other classi-
fication algorithms, e.g., logistic regression,
– Suppressing multiple confidential data values at a time
(generic version having no constraints),
409
12. Samarati, P.: Protecting respondents’ identities in microdata
release. IEEE Trans. Knowl. Data Eng. 13(6), 1010–1027 (2001)
13. Sweeney, L.: k-Anonymity: A model for protecting privacy. Int. J.
Uncertain. Fuzziness Knowl. Sys. 10(5), 557–570 (2002)
14. USC Annenberg School—Center for the Digital Future: The
Highlights of the Digital Future Report, Year Five, Ten
Years Ten Trends. Available at http://www.digitalcenter.org/pdf/
Center-for-the-Digital-Future-2005-Highlights.pdf
15. Iyengar, V.S.: Transforming data to satisfy privacy constraints.
SIGKDD (2002)
16. Øhrn, A., Ohno-Machado, L.: Using boolean reasoning to anony-
mize databases. Artif. Intell. Med. 15(3), 235–254 (1999)
17. Nissenbaum, H.: Protecting privacy in an information age: the prob-
lem of privacy in public. Law Philos. 17, 559–596 (1998)
18. Sweeney, L.: Information Explosion. In: Confidentiality, Disclo-
sure, and Data Access: Theory and Practical Applications for Sta-
tistical Agencies. Zayatz, L., Doyle, P., Theeuwes, J., Lane, J.,
(eds.) Urban Institute, Washington, DC (2001)
19. Dreiseitl, S., Vinterbo, S., Ohno-Machado, L.: Disambiguation
data: extracting information from anonymized sources. In: Pro-
ceedings of the 2001 American Medical Informatics Annual Sym-
posium, pp. 144–148 (2001)
20. Aggarwal, C.: On k-anonymity and the curse of dimensionality. In:
Proceedings of the 31st VLDB Conference (2005)
21. Machanavajjhala, A., Gehrke, J., Kifer, D., Venkitasubramaniam,
– Developing a generic suppression technique, independent
from individual classification methods, based on informa-
tion theory,
– Using generalization as a fine grained method,and
– Suppressing evolving (i.e., continuously updated) micro-
data.
References
1. Wikipedia,: Privacy—Wikipedia, the free encyclopedia. Available
at http://en.wikipedia.org/wiki/Privacy (2005)
2. Report to Congress regarding the Terrorism Information Awareness
Program, May 20, 2003
3. O’Leary, D.E.: Knowledge discovery as a threat to database
security. In: Piatetsky-Shapiro, G., Frawley, W. (eds.) Knowledge
Discovery in Databases, pp. 507–516. AAAI Press, MIT Press,
Menlo Park, California (1991)
4. O’Leary, D.E.: Some privacy issues in knowledge discovery: the
OECD personal privacy guidelines. IEEE Expert: Intelligent Syst.
Appl. 10(2), 48–52 (1995)
5. Klosgen, W.: Knowledge discovery in databases and data privacy.
IEEE Expert, April 1995
6. Piatetsky-Shapiro, G.: Knowledge discovery in databases vs. per-
sonal privacy. IEEE Expert, April 1995
7. Selfridge, P.: Privacy and knowledge discovery in databases. IEEE
Expert, April 1995
8. Azgın Hintoǧlu, A., Saygın, Y.: Suppressing microdata to prevent
probabilistic classification based inference. In: Proceedings of the
Workshop on Secure Data Management (SDM’05) (2005)
9. Cox, L.H.: Suppression methodology and statistical disclosure con-
trol. J. Am. Stat. Assoc. 75(370), 377–385 (1980)
10. Sande, G.: Automated cell suppression to reserve confidentiality of
business statistics. In: Proceedings of the 2nd International Work-
shop on Statistical Database Management, pp. 346–353 (1983)
11. Samarati, P., Sweeney, L.: Protecting privacy when disclosing
information: k-anonymity and its enforcement through general-
ization and suppression. IEEE Sympos. Res. Security Privacy
(1998)
M.: -Diversity: privacy beyond k-anonymity. In: Proceedings of
the 22nd IEEE International Conference on Data Engineering
(2006)
22. Cover, T.M., Thomas, J.A.: Elements of information theory. Wiley,
New York (1991)
23. UCI Machine Learning Repository, http://www.ics.uci.edu/
~mlearn/MLSummary.html
24. Mangasarian, O.L., Wolberg, W.H.: Cancer diagnosis via linear
programming. SIAM News 23(5), 1–18 (1990)
25. Tsochantaridis, I., Joachims, T., Hofmann, T., Altun, Y.: Large mar-
gin methods for structured and interdependent output variables. J.
Mach. Learn. Res. 6, 1453–1484 (2005)
26. Adam, N.R., Wortmann, J.C.: Security-control methods for
statistical databases: a comparative study. ACM Comput.
Surv. 21(4), 515–556 (1989)
27. Denning, D.E.: Cryptography and Data Security. Addison-Wes-
ley, (1982)
28. Domingo-Ferrer, J.: (eds) Inference control in statistical databases.
Lecture Notes in Computer Science, vol. 2316. Springer-Verlag,
Berlin (2002)
29. Farkas, C., Jajodia, S.: The inference problem: a survey. SIGKDD
Explorations (2003)
30. Geurts, J.: Heuristics for cell suppression in tables. Technical Paper,
Netherlands Central Bureau of Statistics (1992)
31. Kao, M.Y.: Data security equals graph connectivity. SIAM J. Dis-
cret. Math. 9, 87–100 (1996)
32. Kelly, J.P., Golden, B.L., Assad, A.A.: Cell suppression: disclo-
sure protection for sensitive tabular data. Networks 22, 397–417
(1992)
33. Fischetti, M., Salazar, J.J.: Models and algortihms for the
2-dimensional cell suppression problem in statistical disclosure
control. Math. Program. 84, 283–312 (1999)
34. Fischetti, M., Salazar, J.J.: Models and algorithms for optimizing
cell suppression in tabular data with linear constraints. J. Am. Stat.
Assoc. 95(451), 916–928 (2000)
35. Willenborg, L., De Waal, T.: Statistical disclosure control in prac-
tice. Lecture Notes in Statistics, vol. 111. Springer Verlag, New
York (1996)
36. Domingo-Ferrer, J., Torra, V.: Practical data-oriented microaggre-
gation for statistical disclosure control. IEEE Trans. Knowl. Data
Eng. 14(1), 189–201 (2002)
123
410
37. Torra, V.: Microaggregation for categorical variables: a median
based approach. In: Domingo-Ferrer, J., Torra, V. (eds.), Privacy in
Statistical Databases, vol. 3050, pp. 162–174 (2004)
38. Oganian, A., Domingo-Ferrer, J.: On the complexity of optimal
microaggregation for statistical disclosure control. Stat. J. U.N.
Econ. Comm. Eur. 18(4), 345–354 (2001)
39. Solanas, A., Martinez-Balleste, A., Mateo-Sanz, J.M.,
Domingo-Ferrer, J.: Towards microaggregation with genetic
algorithms. In: Proceedings of the Third IEEE Conference on
Intelligent Systems, pp. 65–70 (2006)
40. Martinez-Balleste, A., Solanas, A., Domingo-Ferrer, J.,
Mateo-Sanz, J.M.: A Genetic approach to multivariate mic-
roaggregation for database privacy. In: Proceedings of 23rd IEEE
Internation Conference on Data Engineering, pp. 180–185 (2007)
41. Hansen, S.L., Mukherjee, S.: A polynomial algorithm for opti-
mal univariate microaggregation. IEEE Trans. Knowl. Data
Eng. 15(4), 1043–1044 (2003)
42. Laszlo, M., Mukherjee, S.: Minimum spanning tree partition-
ing algorithm for microaggregation. IEEE Trans. Knowl. Data
Eng. 17(7), 902–911 (2005)
43. Sande, G.: Exact and approximate methods for data directed micro-
aggregation in one or more dimensions. Int. J. Uncertain. Fuzziness
Knowl. Syst. 10(5), 459–476 (2002)
44. Jajodia, S., Meadows, C. : Inference problems in multilevel secure
database management systems. In: Abrams, M.D., Jajodia, S.,
Podell, H.J. (eds.) Information Security—An Integrated Collection
of Essays, pp. 570–584. IEEE C. S. Press, (1989)
45. Quian, X., Stickel, M.E., Karp, P.D., Lunt, T.F., Garvey, T.D.:
Detection and elimination of inference channels in multilevel rela-
tional database systems. In: Proceedings of IEEE Symp. Security
and Privacy, pp. 196–205 (1993)
46. Stachour, P., Thuraisingham, B.: Design of LDV: A multilevel
secure relational database management system. IEEE Trans.
Knowl. Data Eng. 2(2), 190–209 (1990)
47. Su, T., Ozsoyoglu, G.: Inference in MLS database systems. IEEE
Trans. Knowl. Data Eng. 3(2–3), 147–168 (1991)
48. Marks, D.: Inference in MLS database systems. IEEE Trans.
Knowl. Data Eng. 8(1), 46–55 (1996)
123
A. Azgin Hintoglu, Y. Saygın
49. Delugach, H., Hinke, T.: Wizard: A database inference analysis
and detection system. IEEE Trans. Knowl. Data Eng. 8(1), 56–
66 (1996)
50. Hinke, T., Delugach, H., Wolf, R.P.: Protecting databases from
inference attacks. Comput. Secur. 16(8), 687–708 (1997)
51. Dawson, S., di Vimercati, S.D.C., Lincoln, P., Samarati, P.: Minimal
data upgrading to prevent inference and association. In: Proceed-
ings of the Eighteenth ACM SIGACT-SIGMOD-SIGART Sympo-
sium on Principles of Database Systems, pp. 114–125. ACP Press,
(1999)
52. Brodsky, A., Farkas, C., Jajodia, A.: Secure databases: Constraints,
inference channels and monitoring disclosure. IEEE Trans. Knowl.
Data Eng. 12(6), 900–919 (2000)
53. Hinke, T.H., Delugach, H.S., Chandrasekhar, A.: A fast algorithm
for detecting second paths in database inference analysis. J. Com-
put. Secur. 3(2, 3), 147–168 (1995)
54. Denning, D.: Commutative filters for reducing inference threats in
multilevel database systems. In: Proceedings of IEEE Symposium
on Security and Privacy, pp. 134–146 (1985)
55. Thuraisingham, B.: Security checking in relational database man-
agement systems augmented with inference engines. Comput.
Secur. 6, 479–492 (1987)
56. Domingo-Ferrer, J., Torra, V.: Ordinal, continious and heterego-
neous k-anonymity through microaggregation. Data Min. Knowl.
Discov. 11(2), 195–212 (2005)
57. Domingo-Ferrer, J., Solanas, A., Martinez-Balleste, A.: Privacy
in statistical databases:k-anonymity through microaggregation. In:
Proceedings of IEEE Granular Computing (2006)
58. Wang, K., Fung, B.C.M., Yu, P.S.: Template-based privacy preser-
vation in classification problems. In: ICDM ’05: Proceedings of the
Fifth IEEE International Conference on Data Mining, pp. 466–473
(2005)
59. Chang, L., Moskowitz, I.S.: Parsimonious downgrading and deci-
sion trees applied to the inference problem. In: Proceedings of the
Workshop of New Security Paradigms, pp. 82–89 (1999)