A High-Utility Differentially Private Mechanism for Space Information Networks

Abstract

Nowadays, Space Information Networks represented by the satellite internet are developing rapidly. For example, the Starlink of SpaceX plans to provide network access services worldwide and has drawn much attention. To operate and maintain Space Information Networks, e.g., performing collision avoidance maneuvers and forensic investigation, statistic information on networks such as the average of orbital inclination needs to be shared with analysts. However, for some particular reasons, such as safety or confidentiality, accurate information on networks cannot be shared with analysts. To solve this contradiction, we design a differentially private mechanism for the Space Information Network so that the entities of a network can keep accurate information privacy while sharing statistic information. In particular, we extend differentially private mechanisms based on personalized sampling to distributed communication systems such as Space Information Networks. In comparison with other mechanisms, the proposed mechanism has better data utility. Moreover, the proposed mechanism has a hierarchical privacy guarantee. In particular, there are differences between the privacy guarantees made between system entities and between the system and the user.

1. Introduction

Revolutionary distributed communication infrastructures called Space Information Networks (SINs) are made up of satellites, stratospheric airships, unmanned aerial vehicles (UAV), and other platforms. SINs are distinct from multi-layered satellite networks. They are heterogeneous integrated information networks, including terrestrial Internet, Deep Space Network (DSN), Near-Earth Network (NEN), and satellite networks as the backbone. As a result, they have a variety of unique characteristics, such as heterogeneous network integration, dynamically changing network topology, extraordinarily long and variable propagation latency, asymmetrical forward and reverse link capacities, high bit error rate, intermittent link connectivity, lack of fixed communication resources, good network scalability, etc. Applications of SINs include satellite location, navigation, timing, and Internet access, in addition to satellite communication and remote sensing. SINs intend to achieve the networking and integration of space satellite systems, efficiently arrange the system’s nodes via satellite-terrestrial and interstellar linkages, and increase the system’s adaptability, mobility, and intelligence. Due to Space Information Networks’ advantages such as long-distance message delivery, they have been applied to many scenarios, including emergency communications, marine operations, aircraft communications, specific military missions, and so on [1]. Space Information Networks have developed rapidly in recent years. For example, dozens of satellite internet emerge such as SpaceX’s Starlink [2], the British government’s OneWeb [3], and Amazon’s Kuiper [4]. So far, the Starlink has more than 1700 active satellites, and it plants to increase its bandwidth from 150 Mbps to 300 Mbps at the end of 2021.

Privacy issues emerge in the process of maintaining Space Information Networks. In particular, some information on Space Information Networks needs to be shared for the sake of operation and maintenance, but accurate information should not be shared for the sake of safety. For example, the location of satellites needs to be public so that the user knows which satellite and how many satellites are available. However, the accurate location of satellites needs to be private in case the adversary attacks satellites for particular reasons such as political issues. Similarly, other statistical information such as the average of power consumption, the number of active satellites, and so on also needs to be available for analysts so that they can analyze the operation of the satellites, but for safety reasons, these analysts do not have to know the information on an individual satellite.

Differential privacy a technology that allows data analysis while keeping individuals’ information private. In particular, differential privacy allows analysts to analyze statistic information such as average, frequency, and standard deviation, while it keeps the individuals’ information private. In this paper, we design a differentially private mechanism for distributed communication systems such that entities of systems can communicate with each other while their privacy is protected. Although we take the Space Information Networks as an example, the proposed differentially private mechanism also can be applied into other distributed communication systems such as edge computing, ad-hoc networks, and so on.

1.1. Related Works

In distributed communication systems, for example Space Information Networks, the deluge of data generated by the terminal poses a serious threat to its privacy. The distributed communications systems have advantages that every entity can control its own data. Distributed communication systems also need to consider privacy protection in their foundations so that they can provide user-centric support for privacy [5].

Many technologies have been applied to distributed communication systems to solve privacy issues. For example, the secure multi-party computation was used to protect the privacy of transform protocols [6,7]. Blockchain technology was introduced into satellite communication networks to solve privacy issues [8]. Homomorphic encryption was used by the nodes in distributed communication systems to perform integer operations (additions only or additions and multiplications) in a privacy-preserving manner to calculate the average of their integer initial values [3]. Deep learning of layer-partitioned training with step-wise activation functions was used to safeguard sensitive information [9].

Compared with cryptography tools such as secure multi-party computation, differential privacy is a promising technology, which can solve privacy problems of distributed communication systems with the lower power consumption. Differential privacy was proposed by Dwork et al. from a sequence of papers [10,11,12]. Then, differential privacy was extended to local differential privacy [13] so that it can be used in a distributed architecture. However, local differential privacy suffered from low data utility [14]. To improve the utility, many new concepts were proposed such as elastic sensitivity [15], record sensitivity [16]. Furthermore, many other technologies were combined to differential privacy to improve its data utility. Anonymous communication such as Mix Networks [17] was combined to differential privacy to improve data utility [18,19]. Sampling technology was introduced into differential privacy by Nissim et al. [20]. Wen et al. introduced personalized sampling into differential privacy to further improve the data utility of differential privacy [21,22].

Compared to the previous work, we extend differentially private mechanisms based on personalized sampling to distributed communication systems such as Space Information Network. On the one hand, through comparing with other mechanisms, the proposed mechanism has better data utility. On the other hand, the proposed mechanism has a hierarchical privacy guarantee.

1.2. Organization

The first section gives a quick summary of how geographic information networks are currently progressing as well as the significance of privacy protection problems in these networks. Additionally, Section 1 provides a quick summary of the related work that has been completed thus far. Section 2 of the background information is where the Space Information Networks and differential privacy are briefly discussed. In Section 3, the proposed mechanism is elaborated. The suggested differential privacy protection system is presented in Section 3. In Section 4, the experiment’s fourth component is given. In Section 5, conclusions are offered.

2. Background Knowledge

2.1. Space Information Networks

The coined SINs paradigm is an integrated high-speed self-organizing hyper network consisting of terrestrial ground-based information networks, e.g., Internet, mobile communication networks, sensor networks, etc., and space-and deep space-based entities within outer space, e.g., satellites, robotic spacecraft, crewed vehicles, rovers, landers, sensors, etc., to provide maximum network capacity [23,24]. The Space Information Network consists of the space-based backbone network, space-based access network, and ground-based node network. Its structure is shown in Figure 1a. The space-based backbone network consists of GEO (Geosynchronous Earth Orbit) satellites and their laser links. The space-based backbone network is responsible for remote transmission, control, and data exchange. The space-based access network consists of air floating platforms and LEO (Low Earth Orbit) satellites. The space-based access network provides access for many communication systems’ entities including specialized sub-networks, entities in near space, air-based entities, ground-based entities, sea-based entities and so on. The ground-based node network comprises ground stations (gateways), internet, and mobile telecommunication networks.

The complete Space Information Network is made up of GEO satellites, MEO (Medium Earth Orbit), and LEO satellites, as shown in Figure 1b. GEO satellites make up the majority of the space-based backbone network because they are required for broadcasting events. LEO and MEO satellites serve as the space-based access networks since they are required for real-time services. SpaceX’s project Starlink provides high-speed Internet service via LEO communication satellites. In this paper, experiments are considered on 1665 satellites of Starlink in a two-line element set, which CelesTrak collects.

2.2. Differential Privacy

Differential privacy is a method of protecting data sharing. It may be accomplished by withholding personally identifiable information about particular people and just giving statistical data that can be used to define the database as a whole. Differential privacy is the theory that if the impact of inserting a single random replacement in the database is tiny enough, the query result cannot be utilized to infer a lot about a specific person and so offers privacy. The following is a formal definition of differential privacy.

$$Pr\left\{A\left(D\right)=O\right\}\le e^{\epsilon }·Pr\left\{A\left(D^{\prime }\right)=O\right\}$$

(1)

The two output distributions derived for a randomized algorithm A acting on two neighboring data sets, D and $D^{\prime }$, are identical. The randomized algorithm indicates that given a specific input, the algorithm’s output is not a fixed value but follows a particular probability distribution.

Differential privacy is also the state-of-the-art technology of privacy preservation. There are various differentially private mechanisms for various application scenarios. It is not only in SINs but also in other scenarios in healthcare, finance, insurance, and public safety, where differential privacy technologies are needed to protect clients’ private information. For instance, a significant proportion of CTs collected by patients are awaiting analysis and diagnosis by physicians because of the recent COVID-19 pandemic. Based on CT pictures, an AI system may assess whether a patient has COVID-19 (positive or negative). The hospital gives computer vision technology-equipped third-party professional organization access to the tagged data, which includes the patient’s name, gender, and even address. It would compromise the patient’s privacy and maybe breach various data protection laws and regulations while significantly increasing the diagnosis’s accuracy and effectiveness. Differentiated privacy aims to safeguard patient privacy while developing deep-learning models for hospitals. Google employs localized differential privacy to gather data on the Chrome browser used by more than 14 million people daily. Apple safeguards user privacy on iOS and macOS via localized differential privacy approaches. The sampling and aggregation method, the Laplace mechanism for distributed systems, and other differentially private techniques that may be used in a distributed setting are the main topics of this work.

Laplace mechanism [25]. The outcome of the Laplace mechanism M is Equation (2) for a given database D, a query q, and privacy budget $ϵ$.

$$M(q,D,ϵ)=q(D)+Lap(0,\frac{\Delta D}{ϵ})$$

(2)

Here, $ϵ$ is the privacy budget, which controls the privacy guarantee of differentially private mechanisms. Specifically, the privacy guarantee is stronger when the value of privacy budget is smaller. $Lap(0,\Delta D/ϵ)$ represents a number (which is named noise in the context of differential privacy) from the Laplace distribution with location parameter 0 and scale parameter $\Delta D/ϵ$. Global sensitivity, also known as $\Delta D$, measures the largest difference brought on by the presence or absence of a single data record.

Global sensitivity [21]. The global sensitivity indicated by $\Delta D$ for a given database D and query q may be determined using Equation (3).

$$\Delta D=\underset{D\sim D^{\prime }}{max}|q(D)-q(D^{\prime })|$$

(3)

Here, $D^{\prime }$ is the dataset that is different from D on only one data record.

Sample and aggregation mechanism. The sample and aggregation mechanism based on random sampling method was proposed by Nissim et al. [22]. This mechanism is shown in Figure 2. The target queries are calculated across each of the n subsets of the dataset. An aggregation function computes the outcome in a way that satisfies differential privacy.

3. Proposed Mechanism

Differentiating privacy strategies are applied to address the privacy leakage issue brought on by a minor change in the data source. It should consider that the nodes in SINs are exposed to an open space environment and produce a significant quantity of remote sensing data. Owners of satellites, observers, and attackers may mine and analyze the remote sensing data to get important information. However, remote sensing data may include sensitive user information, and for end users, the danger of acute information exposure or leakage emerges if the info above affects privacy or security. Therefore, preventing the leakage of remote sensing data while allowing for data sharing after differential privacy processing may promote remote sensing data mining. Therefore, this section elaborates the proposed mechanism. First, the simplified system structure of Space Information Network is introduced. Then, the proposed mechanisms is elaborated. Finally, analyses of privacy guarantee are given.

3.1. System Structure

The system structure diagram of Space Information Network is shown in Figure 3. The Space Information Network has three entities including the user, the master satellite, and satellites.

The user is the person who uses the Space Information Network. The user can be operation and maintenance personnel who send management commands such as counting query to figure out how many satellites are active. The user can also be someone who uses the Space Information Network to communicate.

Master satellite is the satellite that is directly connected to the user. In the Space Information Network, satellites keep moving and many of them are out of the user’s reach. Thus, the user’s messages or commands need a satellite to forward such that these messages or commands can be sent to satellites out of reach. In the context of this paper, the satellite which is responsible for interacting with the user is named the master satellite.

Satellites are components of the Space Information Network. Satellites execute specific functions such as calculating queries sent by the user.

3.2. Proposed Differentially Private Mechanism

In order to safeguard the privacy of the Space Information Networks, this study integrates customized sampling technology into local differentially private processes and makes use of distributed noise. Based on personalized sampling and distributed noise, this paper proposes a new differentially private mechanism with high data utility. Figure 4 shows how the proposed mechanism handles queries from the user.

In particular, the user sends a query q to the master satellite. Then, the master satellite draws a number $B_{n-1}$ obeying the Beta distribution. The master satellite sends the query q together with the square root of drawn number $B_{n-1}$ to other satellites.

The number $B_{n-1}$ is used to generate a number obeying a particular Laplace distribution in a distributed way. Specifically, generating a number obeying a particular Laplace distribution can be simulated by generating other numbers obeying the same Laplace distribution, as defined by the following formula [26]

$$l=\sqrt{B_{n-1}}\sum _i^n{l}_i$$

(4)

Notably, the target Laplace distribution’s mean needs to be zero. The number $B_{n-1}$ follows the Beta distribution and has a probability density function $f(x)=(n-1){(1-x)}^{n-2}$. $B_{n-1}$ is the same for every satellite so it is generated and distributed by the master satellite in the proposed mechanism.

When receiving a query q together with a number $\sqrt{B_{n-1}}$ from the master satellite, the ith satellite calculates each record’s sampling probability in his dataset $D_i$. The complete process of the proposed differentiated private mechanism M can be represented by the following Algorithm 1 pseudo-code.

Algorithm 1 Proposed differentially private mechanism M

Require:      n datasets $D_1$,$D_2$,⋯,$D_n$;   n local balance parameters $c_1$,$c_2$,⋯,$c_n$;   privacy budget $ϵ$;   a linear query q; Ensure:       $q(D_1\cup D_2\cdots \cup D_n)$;   1: a user sends a linear query q to the master satellite;   2: the master satellite generates a number $B_{n-1}$ obeying the Beta distribution with probability density function $f(x)=(n-1){(1-x)}^{n-2}$;   3: the master satellite sends $\sqrt{B_{n-1}}$ together with q to other satellites;   4: for$i=1$ to n do   5:  for $x\in D_i$ do   6:   the ith satellite calculates local record sensitivity $LR{S}_x=|q(D_{i+x})-q(D_{i-x})|$;   7:   then, calculates sampling probability ${\pi }_x$;   $${\pi }_x=\left\{\begin{array}{cc}\hfill \frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}},& LR{S}_x\ge c_i\\ \hfill 1,& LR{S}_x<c_i\end{array}\right.$$   8:  end for   9:  the ith satellite obtains new data set $\overline{D}$ by the sampling process S with sampling probabilities $\left\{{\pi }_x\right|x\in D_i\}$, namely $\overline{D_i}=S(D_i)$; 10:  the ith satellites computes $q(\overline{D_i})$; 11:  the ith satellites generates $l_i$ obeying the Laplace distribution with probability density function $f(x)=\frac{ϵ}{2c}{e}^{-\frac{ϵ\left|x\right|}{c}}$, where $c=max(c_1,\cdots ,c_i,\cdots ,c_n)$; 12:  then sends $a_i=q(\overline{D_i})+\sqrt{B_{n-1}}{l}_i$ to the master satellite; 13: end for 14: the master satellite computes $a={\sum }_{i=0}^n{a}_i$ ; 15: returna

It is necessary to provide the sample probability for each data record in order to increase the data usefulness of the suggested technique. To offset the largest change brought on by the existence or absence of a single data record, noise is injected in differentially private techniques. The suggested technique provides a comparatively lesser sample probability to data records, which causes a relatively higher difference on queries’ results if these data records are available, in order to decrease the necessary noise. In order to measure the impact of the presence or absence of any particular record on the outcomes of the queries, we first propose a notion called local record sensitivity.

Definition 1 (Local record sensitivity). 

Assume that x represents a single record in the database $D_i$. The local record sensitivity of the record x for dataset $D_i$ of the ith satellite and query q is Equation (5).

$$LR{S}_x=|q(D\cup \left\{x\right\})-q(D\backslash \left\{x\right\})|$$

(5)

The specific formula of calculating sampling probability of record $x\in D_i$ is

$${\pi }_x=\left\{\begin{array}{cc}\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}},& LR{S}_x\ge c_i\hfill \\ 1& ,LR{S}_x<c_i\hfill \end{array}\right.$$

(6)

Here, $c_i$ is named balance parameter, which is used to maximize the utility of the proposed mechanism, and it may be determined using Equation (7) if the original dataset is $D_i$ and the dataset generated by sampling is ${\overline{D}}_i$ [21,22].

$$c_i=arg\underset{c}{max}\frac{1}{2}\sum _{{\overline{D}}_i\in \left\{S\left(D_i\right)\right\}}\prod _{x\in {\overline{D}}_i\backslash D_c}\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c}}}\prod _{x\in D_i\backslash {\overline{D}}_i}(\frac{e^{ϵ}-e^{ϵ\frac{LR{S}_x}{c}}}{1-e^{ϵ\frac{LR{S}_x}{c}}})·(e^{-\frac{ϵ(\alpha +q(D_i)-q({\overline{D}}_i))\}}{c}}+e^{-\frac{ϵ(\alpha -q(D_i)+q({\overline{D}}_i))\}}{c}})$$

(7)

Here, $D_c$ represents the set of data records with $LRS>c_i$. $\alpha$ is the error boundary.

The ith satellite samples the dataset $D_i$ into ${\overline{D}}_i$ through the sampling process S with calculated sampling probabilities $\left\{{\pi }_x\right|x\in D_i\}$ and calculates $q({\overline{D}}_i)$. The ith satellite then generates a number with probability density function $f(x)=\frac{ϵ}{2c}{e}^{-\frac{ϵ\left|x\right|}{c}}$ and obeys the Laplace distribution, where $c=max(c_1,\cdots ,c_i,\cdots ,c_n)$. Finally, the ith satellite calculates $a_i=q(\overline{D_i})+\sqrt{B_{n-1}}{l}_i$ and then sends $a_i$ to the master satellite.

After receiving $a_1,\cdots ,a_i,\cdots ,a_n$ from all n satellites, the master satellite calculates $a={\sum }_{i=0}^n{a}_i$ and returns the calculated sum to the user as the answer to the query submitted by the user.

Notably, the query q is the linear query. For the linear query, the following Equation (8)

$$q(D_1\cup D_2\cdots \cup D_i\cdots \cup D_n)=q(D_1)+q(D_2)+\cdots +q(D_i)+\cdots +q(D_n)$$

(8)

holds provided that $\forall i\ne j,0<i\le n,0<j\le n,$$D_i\cap D_j=Ø$. This equation makes it possible to calculate the correct answer to query $q(D)$ by the master satellite through returned values $q(D_1)$, $q(D_2)$, ⋯, $q(D_i)$, ⋯, $q(D_n)$.

For the non-linear query, the proposed differentially private mechanism also works if existing an aggregation function f such that

$$q(D_1\cup D_2\cdots \cup D_i\cdots \cup D_n)\approx f(q(D_1),q(D_2),\cdots ,q(D_i),\cdots ,q(D_n))$$

(9)

The characteristic of the non-linear query determines which aggregation function should be used. The average function, mod function, median function, and other aggregation functions are often employed.

3.3. Privacy Analyses

This subsection analyzes the proposed mechanism in terms of the privacy guarantee. In particular, Theorem 1 analyzes the privacy guarantee aspect to the user, and Theorem 2 analyzes the privacy guarantee between each satellite and the master satellite.

Theorem 1. 

The proposed mechanism M is a ϵ differentially private mechanism.

Proof. 

For the output a of the proposed mechanism M, we have

$$\begin{array}{cc}\hfill a& =\sum _{i=0}^n{a}_i\hfill \\ \hfill & =\sum _{i=0}^n(q(\overline{D_i})+\sqrt{B_{n-1}}{l}_i)\hfill \\ \hfill & =\sum _{i=0}^{n}q(\overline{D_i})+\sqrt{B_{n-1}}\sum _{i=0}^n{l}_i\hfill \end{array}$$

(10)

Let $\overline{D}=\overline{D_1}\cup \cdots \overline{D_i}\cup \cdots \overline{D_n}$ and $l=\sqrt{B_{n-1}}{\sum }_{i=0}^n{l}_i$. Due to the linear property of query q, we have

$$\begin{array}{cc}\hfill a& =q(\overline{D_1}\cup \cdots \overline{D_i}\cup \cdots \overline{D_n})+\sqrt{B_{n-1}}\sum _{i=0}^n{l}_i\hfill \\ \hfill & =q(\overline{D})+l\hfill \end{array}$$

(11)

The record x is in a dataset, as indicated by the index $+x$. For instance, the record x in $\overline{D}$ is indicated by the notation ${\overline{D}}_{+x}$. The record x is not in a dataset, as shown by the index $-x$. Record x, for instance, is not in $\overline{D}$, which is shown by ${\overline{D}}_{-x}$. In the case when the dataset acquired by the sampling procedure S is ${\overline{D}}_{+x}$, let $Lap({\overline{D}}_{+x})$ represent the output a.

When x is in $\overline{D}$, we have

$$Lap({\overline{D}}_{+x})=a=q({\overline{D}}_{+x})+l$$

(12)

Therefore,

$$Pr\{Lap({\overline{D}}_{+x})=a=q({\overline{D}}_{+x})+l\}=Pr\{l=Lap({\overline{D}}_{+x})-q({\overline{D}}_{+x})\}$$

(13)

Let $c=max(c_1,\cdots ,c_i,\cdots ,c_n)$. l complies with probability density function $f(x)=\frac{ϵ}{2c}{e}^{-\frac{ϵ\left|x\right|}{c}}$ and the Laplace distribution. Therefore,

$$Pr\{Lap({\overline{D}}_{+x})=a=q({\overline{D}}_{+x})+l\}=\frac{ϵ}{2c}{e}^{-\frac{ϵ|Lap({\overline{D}}_{+x})-q({\overline{D}}_{+x})|}{c}}$$

(14)

Similarly, when x is not in $\overline{D}$, we have

$$Pr\{Lap({\overline{D}}_{-x})=a=q({\overline{D}}_{-x})+l\}=\frac{ϵ}{2c}{e}^{-\frac{ϵ|Lap({\overline{D}}_{-x})-q({\overline{D}}_{-x})|}{c}}$$

(15)

Therefore, we have

$$\begin{array}{cc}\hfill & \frac{Pr\{Lap({\overline{D}}_{-x})=a\}}{Pr\{Lap({\overline{D}}_{+x})=a\}}\hfill \\ \hfill =& e^{\frac{ϵ}{c}(|Lap({\overline{D}}_{+x})-q({\overline{D}}_{+x})|-|Lap({\overline{D}}_{-x})-q({\overline{D}}_{-x})|)}\hfill \\ \hfill =& e^{\frac{ϵ}{c}(|a-q({\overline{D}}_{+x})|-|a-q({\overline{D}}_{-x})|)}\hfill \\ \hfill \le & e^{\frac{ϵ}{c}(|a-q({\overline{D}}_{+x})-a+q({\overline{D}}_{-x})|)}\hfill \\ \hfill =& e^{\frac{ϵ}{c}(|q({\overline{D}}_{-x})-q({\overline{D}}_{+x})|)}\hfill \\ \hfill \le & e^{\frac{ϵ}{c}LR{S}_x}\hfill \end{array}$$

(16)

For the symmetry, we have

$$\frac{Pr\{Lap({\overline{D}}_{+x})=a\}}{Pr\{Lap({\overline{D}}_{-x})=a\}}\le e^{\frac{ϵ}{c}LR{S}_x}$$

(17)

Let $D=D_1\cup \cdots D_i\cdots \cup D_n$. Without loss of generality, we assume $x\in D_i$. For the proposed mechanism M, we have

$$\begin{array}{cc}\hfill & Pr\{M(D_1\cup \dots D_{i+x}\dots \cup D_n)=a\}\hfill \\ \hfill =& Pr\{S(D_1)={\overline{D}}_1\}\dots Pr\{S(D_{i+x})={\overline{D}}_{i+x}\}\dots Pr\{S(D_n)={\overline{D}}_n\}Pr\{Lap({\overline{D}}_1\cup \dots {\overline{D}}_{i+x}\dots \cup {\overline{D}}_n)=a\}\hfill \\ \hfill +& Pr\{S(D_1)={\overline{D}}_1\}\dots Pr\{S(D_{i+x})={\overline{D}}_{i-x}\}\dots Pr\{S(D_n)={\overline{D}}_n\}Pr\{Lap({\overline{D}}_1\cup \dots {\overline{D}}_{i-x}\dots \cup {\overline{D}}_n)=a\}\hfill \\ \hfill =& Pr\{S(D_1\cup \dots D_{i+x}\dots \cup D_n)={\overline{D}}_1\cup \dots {\overline{D}}_{i+x}\dots \cup {\overline{D}}_n\}Pr\{Lap({\overline{D}}_{+x})=a\}\hfill \\ \hfill +& Pr\{S(D_1\cup \dots D_{i+x}\dots \cup D_n)={\overline{D}}_1\cup \dots {\overline{D}}_{i-x}\dots \cup {\overline{D}}_n\}Pr\{Lap({\overline{D}}_{-x})=a\}\hfill \\ \hfill =& Pr\{S(D_{+x})={\overline{D}}_{+x}\}Pr\{Lap({\overline{D}}_{+x})=a\}+Pr\{S(D_{+x})={\overline{D}}_{-x}\}Pr\{Lap({\overline{D}}_{-x})=a\}\hfill \\ \hfill =& {\pi }_{x}Pr\{S(D_{-x})={\overline{D}}_{-x}\}Pr\{Lap({\overline{D}}_{+x})=a\}+(1-{\pi }_x)Pr\{S(D_{-x})={\overline{D}}_{-x}\}Pr\{Lap({\overline{D}}_{-x})=a\}\hfill \\ \hfill \le & {\pi }_{x}Pr\{S(D_{-x})={\overline{D}}_{-x}\}{e}^{\frac{ϵ}{c}LR{S}_x}Pr\{Lap({\overline{D}}_{-x})=a\}+(1-{\pi }_x)Pr\{S(D_{-x})={\overline{D}}_{-x}\}Pr\{Lap({\overline{D}}_{-x})=a\}\hfill \\ \hfill =& (1-{\pi }_x+{\pi }_x{e}^{\frac{ϵ}{c}LR{S}_x})Pr\{S(D_{-x})={\overline{D}}_{-x}\}Pr\{Lap({\overline{D}}_{-x})=a\}\hfill \\ \hfill =& (1-{\pi }_x+{\pi }_x{e}^{\frac{ϵ}{c}LR{S}_x})Pr\{M(D_{-x})=a\}\hfill \end{array}$$

(18)

For $LR{S}_x\ge c_i$, the ${\pi }_x=\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}$. We have

$$\begin{array}{cc}\hfill & 1-{\pi }_x+{\pi }_x{e}^{ϵ\frac{LR{S}_x}{c}}\hfill \\ \hfill =& 1-\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}+\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}{e}^{ϵ\frac{lR{S}_x}{c}}\hfill \\ \hfill \le & 1-\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}+\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}{e}^{ϵ\frac{lR{S}_x}{c_i}}\hfill \\ \hfill =& e^{ϵ}\hfill \end{array}$$

(19)

For $LR{S}_x<c_i$, the ${\pi }_x=1$ we have

$$\begin{array}{cc}\hfill & 1-{\pi }_x+{\pi }_x{e}^{ϵ\frac{LR{S}_x}{c}}\hfill \\ \hfill =& e^{ϵ\frac{LR{S}_x}{c}}\hfill \\ \hfill \le & e^{ϵ\frac{LR{S}_x}{c_i}}\hfill \\ \hfill <& e^{ϵ}\hfill \end{array}$$

(20)

Therefore, we have

$$Pr\{M(D_{+x})=a\}\le e^{ϵ}Pr\{M(D_{-x})=a\}$$

(21)

Because of the symmetry, we have

$$Pr\{M(D_{-x})=a\}\le e^{ϵ}Pr\{M(D_{+x})=a\}$$

(22)

Consequently, the suggested mechanism M is a distinct private mechanism that complies with $ϵ$. □

Theorem 2. 

The output of each satellite satisfies $e^{\frac{ϵLR{S}_x}{c_i\sqrt{B_{n-1}}}}$ differential privacy.

Proof. 

For output $a_i$ of ith satellite, we have

$$a_i=q(\overline{D_i})+\sqrt{B_{n-1}}{l}_i$$

(23)

The record x is indicated by the index $+x$ of datasets as being in those datasets, while the record x is indicated by the index $-x$ as not being in those datasets.

In the event that the dataset acquired from $D_i$ by sampling procedure S is ${\overline{D}}_i$, let $La{p}_i({\overline{D}}_i)$ represent the output $a_i$. We have Equation (24) when record x is present in dataset ${\overline{D}}_i$.

$$Pr\{La{p}_i({\overline{D}}_{i+x})=a_i=q({\overline{D}}_{i+x})+\sqrt{B_{n-1}}{l}_i\}=Pr\{l_i=\frac{La{p}_i({\overline{D}}_{i+x})-q({\overline{D}}_{i+x})}{\sqrt{B_{n-1}}}\}$$

(24)

Due to $l_i$ complies with probability density function $f(x)=\frac{ϵ}{2c}{e}^{-\frac{ϵ\left|x\right|}{c}}$ and the Laplace distribution, where $c=max(c_1,\cdots ,c_i,\cdots ,c_n)$. Therefore,

$$Pr\{La{p}_i({\overline{D}}_{i+x})=a_i=q({\overline{D}}_{i+x})+\sqrt{B_{n-1}}{l}_i\}=\frac{ϵ}{2c}{e}^{-\frac{ϵ|La{p}_i({\overline{D}}_{i+x})-q({\overline{D}}_{i+x})|}{c\sqrt{B_{n-1}}}}$$

(25)

Similarly, When a record x is not in dataset ${\overline{D}}_i$, we have

$$Pr\{La{p}_i({\overline{D}}_{i-x})=a_i=q({\overline{D}}_{i-x})+\sqrt{B_{n-1}}{l}_i\}=\frac{ϵ}{2c}{e}^{-\frac{ϵ|La{p}_i({\overline{D}}_{i-x})-q({\overline{D}}_{i-x})|}{c\sqrt{B_{n-1}}}}$$

(26)

Therefore, we have

$$\begin{array}{cc}\hfill & \frac{Pr\{La{p}_i({\overline{D}}_{i+x})=a_i\}}{Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}}\hfill \\ \hfill =& e^{\frac{ϵ|La{p}_i({\overline{D}}_{i-x})-q({\overline{D}}_{i-x})|}{c\sqrt{B_{n-1}}}-\frac{ϵ|La{p}_i({\overline{D}}_{i+x})-q({\overline{D}}_{i+x})|}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill =& e^{\frac{ϵ(|La{p}_i({\overline{D}}_{i-x})-q({\overline{D}}_{i-x})|-|La{p}_i({\overline{D}}_{i+x})-q({\overline{D}}_{i+x})|)}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill =& e^{\frac{ϵ(|a_i-q({\overline{D}}_{i-x})|-|a_i-q({\overline{D}}_{i+x})|)}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill \le & e^{\frac{ϵ(|a_i-q({\overline{D}}_{i-x})-a_i+q({\overline{D}}_{i+x})|)}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill =& e^{\frac{ϵLR{S}_x}{c\sqrt{B_{n-1}}}}\hfill \end{array}$$

(27)

Let $M_i$ represent local differentially private mechanism used by the ith satellite. We have

$$\begin{array}{cc}\hfill & Pr\{M_i(D_{i+x})=a_i\}\hfill \\ \hfill =& Pr\{S(D_{i+x})={\overline{D}}_{i+x}\}Pr\{La{p}_i({\overline{D}}_{i+x})=a_i\}+Pr\{S(D_{i+x})={\overline{D}}_{i-x}\}Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}\hfill \\ \hfill =& {\pi }_{x}Pr\{S(D_{i-x})={\overline{D}}_{i-x}\}Pr\{La{p}_i({\overline{D}}_{i+x})=a_i\}+(1-{\pi }_x)Pr\{S(D_{i-x})={\overline{D}}_{i-x}\}Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}\hfill \\ \hfill \le & {\pi }_{x}Pr\{S(D_{i-x})={\overline{D}}_{i-x}\}{e}^{\frac{ϵLR{S}_x}{c\sqrt{B_{n-1}}}}Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}+(1-{\pi }_x)Pr\{S(D_{i-x})={\overline{D}}_{i-x}\}Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}\hfill \\ \hfill =& (1-{\pi }_x+{\pi }_x{e}^{\frac{ϵLR{S}_x}{c\sqrt{B_{n-1}}}})Pr\{S(D_{i-x})={\overline{D}}_{i-x}\}Pr\{La{p}_i({\overline{D}}_{i-x})=a_i\}\hfill \end{array}$$

(28)

For $LR{S}_x\ge c_i$, the ${\pi }_x=\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}$ we have

$$\begin{array}{cc}\hfill & 1-{\pi }_x+{\pi }_x{e}^{ϵ\frac{LR{S}_x}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill =& 1-\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}+\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}{e}^{ϵ\frac{lR{S}_x}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill \le & 1-\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}+\frac{1-e^{ϵ}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}{e}^{ϵ\frac{lR{S}_x}{c_i\sqrt{B_{n-1}}}}\hfill \\ \hfill =& 1+(e^{ϵ}-1)\frac{1-e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}}{1-e^{ϵ\frac{LR{S}_x}{c_i}}}\hfill \\ \hfill \le & 1+(e^{ϵ}-1)\frac{1-e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}}{1-e^{ϵ}}\hfill \\ \hfill =& e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}\hfill \end{array}$$

(29)

For $LR{S}_x<c_i$, the ${\pi }_x=1$ we have

$$\begin{array}{cc}\hfill & 1-{\pi }_x+{\pi }_x{e}^{ϵ\frac{LR{S}_x}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill =& e^{ϵ\frac{LR{S}_x}{c\sqrt{B_{n-1}}}}\hfill \\ \hfill \le & e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}\hfill \end{array}$$

(30)

Therefore, we have

$$Pr\{M_i(D_{i+x})=a\}\le e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}Pr\{M_i(D_{i-x})=a\}$$

(31)

For the symmetry, we have

$$Pr\{M_i(D_{i-x})=a\}\le e^{ϵ\frac{LR{S}_x}{c_i\sqrt{B_{n-1}}}}Pr\{M_i(D_{i+x})=a\}$$

(32)

Therefore, the mechanism $M_i$ is a $e^{\frac{ϵLR{S}_x}{c_i\sqrt{B_{n-1}}}}$ differentially private mechanism. That is, the output of each satellite satisfies $e^{\frac{ϵLR{S}_x}{c_i\sqrt{B_{n-1}}}}$ differential privacy. □

According to Theorem 1 and Theorem 2, the proposed mechanism is hierarchical in terms of privacy guarantee. Specifically, the privacy guarantee between each satellite and the master satellite is $e^{\frac{ϵLR{S}_x}{c_i\sqrt{B_{n-1}}}}$. Moreover, the privacy guarantee between the whole system and the user is $ϵ$.

4. Experiments

The sampling and aggregation mechanism, the Laplace mechanism, and the suggested mechanism are three differentially private mechanisms that are compared in this section. The robustness of these processes is another major topic in this area. This section specifically looks at the effects of the number of subgroups and the amount of records in each subset.

4.1. Datasets and Experimental Setup

The dataset used in experiments is on 1665 satellites of Starlink in two-line element set, which is collected by CelesTrak. CelesTrak provides SOCRATES-Satellite Orbital Conjunction Reports Assessing Threatening Encounters in Space as a service to the satellite operator community. On 24 March 2005, Air Force Space Command gave CelesTrak the go-ahead to offer TLEs in support of SOCRATES. A list of an object’s orbital components is encoded using the TLE (Two-Line Element set) data format. TLE data can be used to estimate the state(position and velocity) of satellites. Therefore, by foreseeing the orbital pathways of space debris in the future, TLE data are utilized to perform risk analysis, close approach analysis, collision avoidance measures, and forensic investigation. The TLE consists of three rows of data, and each row has 69 characters. The first row has a satellite’s name; the second and third rows provide information on the satellite, including its orbital inclination, ascending node’s right ascension, perigee’s argument, orbital eccentricity, semi-major axis, true anomaly, etc.

The used queries in experiments are the average function and standard deviation function. They were picked because many real-world application situations make use of them. The standard deviation function is non-linear, whereas the average function is linear. The values of privacy budget are from 0.1 to 0.5, which are suitable values in most application scenarios in terms of privacy preservation. The root means square error (RMSE) is used in the experiments in this part as a standard for comparing errors. RMSE is the squared sum of the squared root of the mean difference between the value of the function without privacy protection and the value of the position that received privacy protection. A smaller RMSE indicates better data utility as opposed to a bigger RMSE.

4.2. Results and Discussion

The first experiment focuses on the influence of the number of records in each subset. The chosen values of the number of records in each subset are 50, 100, and 150. The experiment was repeated 500 times, and the average outcome was determined. The experiment results are shown in Figure 5.

The results of Figure 5 show that the proposed method has greater data usefulness than the other two techniques. No matter how many data records are in each subset, when the privacy budget is 0.1, the RMSE of the mechanism proposed in this paper is half of the Laplace mechanism and much lower than that of the sampling and aggregation mechanisms. As would be predicted, the inaccuracy diminishes as the privacy budget increases. The comparison between Figure 5a–c shows that the resilience of the three techniques, and that the amount of records in each subgroup practically has no affects on the inaccuracy.

The effects of the subset size are the main topic of the second experiment. Figure 6 displays the test’s findings. The suggested mechanism outperforms the other two mechanisms in terms of data usefulness, according to the findings of the experiment. The number of subgroups affects the Laplace mechanism because of the comparisons between Figure 6a–c and Figure 6d–f. The error decreases as the number of subsets increases. The sample and aggregation mechanism is not robust enough for the standard deviation function. In particular, the error fluctuates as the number of subsets increases.

The related RMSE deterioration rates for various subsets and their data records for linear and nonlinear query functions are shown in

Table 1. RMSE degradation rates corresponding to linear and nonlinear query functions for different data records.

Mechanism	50 Data Records	100 Data Records	150 Data Records
Sampling and aggregation	−72.46%	−75%	−71.43%
	−76.74%	−77.53%	−77.27%
Laplace	−33.92%	−33.92%	−30%
	−5.26%	−5.26%	−11.1%
Proposed mechanism	−66.7%	−66.7%	−66.7%
	−3.38%	−3.63%	−3.38%

and

Table 2. RMSE degradation rates corresponding to linear and nonlinear query functions for different subset number.

Mechanism	50 Data Records	100 Data Records	150 Data Records
Sampling and aggregation	−74.77%	−69.36%	−74.44%
	−72.91%	−75.61%	−77.53%
Laplace	−57.14%	−55.56%	−43.39%
	−54.05%	−44.44%	−5.26%
Proposed mechanism	−36.34%	−54.56%	−16.67%
	−39.78%	−17.41%	−25%

, respectively. Since the proposed mechanism and the other two mechanisms in the comparison have a similar pattern of change, it virtually has the same data used as the other two mechanisms. It demonstrates the resilience of the method this research proposes. The technique suggested in this research is deployable for actual SINs because of the robustness illustrated by the experimental findings.

5. Conclusions

In this paper, we design a differential privacy mechanism for distributed communication systems and demonstrate the proposed mechanism with the example of space information networks. Comparing the proposed mechanism to Laplace, sampling, and aggregation mechanisms reveals that it is more beneficial for data. Additionally, the technique allows network nodes to exchange statistical data while preserving correct information privacy. 1665 Starlink satellites are used in this paper’s investigations on a bilinear element set gathered by CelesTrak. By comparing the suggested mechanism to existing mechanisms, it is discovered that it has superior data usefulness, excellent robustness and stability. Just as differential privacy can be applied to many fields, it can also be used to other distributed communication systems, not only space information networks, for solving privacy data problems.