CR · LO · May 4

Differentially Private Runtime Monitoring

arXiv:2605.02391 · 16.1
Predicted impact: top 74% in CR · last 90 days
Originality: Incremental advance
AI Analysis

For developers of privacy-sensitive monitoring systems, this work provides an automated method to integrate differential privacy into stream-based monitors, addressing the repeated-disclosure problem that temporal operators create when one input value flows into many outputs over time.

The paper addresses the challenge of enforcing differential privacy in stream-based runtime monitoring, where temporal operators cause repeated disclosure of private information. It proposes an automatic approach that analyzes temporal dependencies and injects calibrated noise into specifications, demonstrating practicality in a case study on public transportation usage.

Modern stream-based monitors collect detailed statistics of the runtime behavior of the system under observation. If the system runs in a privacy-sensitive context, this poses the risk of disclosing sensitive information. Differential privacy is the state-of-the-art approach for protecting sensitive information; integrating it into runtime monitoring, however, is challenging: temporal operators can cause individual input values to influence multiple outputs over time, leading to repeated disclosure of private information. We propose an approach that automatically enforces differential privacy in stream-based monitoring specifications by analyzing temporal dependencies and injecting carefully calibrated noise into the specification. To preserve the utility of the outputs, we identify strategically chosen positions in the specification for noise injection and leverage tree-based mechanisms to mitigate the accuracy loss caused by noise injected into aggregation operators. We demonstrate the practicality and effectiveness of our approach in a case study on monitoring public transportation usage.
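The abstract's two key points, that a temporal operator lets one input influence many outputs and that a tree-based mechanism limits the resulting noise, can be seen on the simplest aggregation specification: a running count over the monitored stream. The code below is an added example, not the paper's implementation or its noise-placement analysis. It assumes a stream with one 0/1 reading per tick (so a single individual changes one input by at most 1, giving sensitivity 1 per block sum) and uses the standard binary-tree mechanism for continual counting (Dwork et al., Chan et al.) as a stand-in for the paper's tree-based mechanism; the function names, `demo` parameters, and the constructed stream are illustrative choices, not from the paper.

```python
# Added example (not the paper's code): releasing the running count of a
# monitored 0/1 stream under epsilon-differential privacy, naively versus
# with the binary-tree mechanism. In a running count, the input at tick i
# influences every output at tick t >= i, which is exactly the temporal
# dependency that makes per-output noise expensive.
import math
import random


def laplace(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; scale 0 means no noise."""
    if scale == 0:
        return 0.0
    u = rng.random()            # in [0, 1)
    if u == 0.0:                # avoid log(0) at the open end of the interval
        u = 0.5
    u -= 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def exact_prefix_sums(stream):
    """The un-noised monitor output: count of 1s seen up to each tick."""
    out, total = [], 0
    for x in stream:
        total += x
        out.append(total)
    return out


def naive_prefix_sums(stream, epsilon, rng):
    """Noise on every output. One changed input shifts all T outputs by 1,
    so the output vector has L1-sensitivity T and each release needs
    Laplace(T / epsilon) to make the whole sequence epsilon-DP."""
    T = len(stream)
    scale = T / epsilon
    return [s + laplace(scale, rng) for s in exact_prefix_sums(stream)]


def dyadic_blocks(t):
    """Split the prefix [0, t) into disjoint dyadic blocks (level, index),
    where block (level, index) covers positions [index << level, (index + 1) << level).
    One block per set bit of t, so at most t.bit_length() blocks."""
    blocks, start = [], 0
    for level in reversed(range(t.bit_length())):
        if (t >> level) & 1:
            blocks.append((level, start >> level))
            start += 1 << level
    return blocks


def tree_prefix_sums(stream, epsilon, rng):
    """Binary-tree mechanism. Each input sits in exactly one block per level,
    so the vector of all block sums has L1-sensitivity `levels` and every block
    gets Laplace(levels / epsilon) once. A prefix sum is the sum of at most
    `levels` noisy blocks, so its noise grows like log T rather than T."""
    T = len(stream)
    levels = T.bit_length()      # floor(log2 T) + 1 block sizes are ever needed
    scale = levels / epsilon
    noisy_blocks = {}            # (level, index) -> noisy block sum, drawn once

    def block(level, index):
        key = (level, index)
        if key not in noisy_blocks:
            lo, hi = index << level, (index + 1) << level
            noisy_blocks[key] = sum(stream[lo:hi]) + laplace(scale, rng)
        return noisy_blocks[key]

    # every block in dyadic_blocks(t) lies inside [0, t), so this runs online
    return [sum(block(l, i) for l, i in dyadic_blocks(t)) for t in range(1, T + 1)]


def mean_abs_error(noisy, stream):
    truth = exact_prefix_sums(stream)
    return sum(abs(a - b) for a, b in zip(noisy, truth)) / len(stream)


def demo(T=1024, epsilon=1.0, seed=7):
    """Constructed stream: one tick per potential rider, 1 if a rider boarded."""
    rng = random.Random(seed)
    stream = [rng.randint(0, 1) for _ in range(T)]
    naive = naive_prefix_sums(stream, epsilon, random.Random(seed + 1))
    tree = tree_prefix_sums(stream, epsilon, random.Random(seed + 2))
    return {
        "naive_scale": T / epsilon,
        "tree_scale": T.bit_length() / epsilon,
        "naive_mae": mean_abs_error(naive, stream),
        "tree_mae": mean_abs_error(tree, stream),
    }


if __name__ == "__main__":
    print(demo())
```

With T = 1024 and epsilon = 1 the naive release puts Laplace noise of scale 1024 on every count, while the tree mechanism uses scale 11 per block and combines at most 11 blocks per output; the `demo` result shows the mean absolute error falling by roughly an order of magnitude for the same privacy budget. The same dependency analysis is what a specification-level tool has to do for every temporal operator, not only the running count.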
