A Privacy Protection Model of Data Publication Based on Game Theory

. With the rapid development of sensor acquisition technology, more and more data are collected, analyzed, and encapsulated into application services. However, most of applications are developed by untrusted third parties. Therefore, it has become an urgent problem to protect users’ privacy in data publication. Since the attacker may identify the user based on the combination of user’s quasi-identifiers and the fewer quasi-identifier fields result in a lower probability of privacy leaks, therefore, in this paper, we aim to investigate an optimal number of quasi-identifier fields under the constraint of trade-offs between service quality and privacy protection. We first propose modelling the service development process as a cooperative game between the data owner and consumers and employing the Stackelberg game model to determine the number of quasi-identifiers that are published to the data developmentorganization. Wethen propose a way to identify when thenew data should be learned, as well, a way toupdatethe parameters involved in the model, so that the new strategy on quasi-identifier fields can be delivered. The experiment first analyses the validity of our proposed model and then compares it with the traditional privacy protection approach, and the experiment shows that the data loss of our model is less than that of the traditional k-anonymity especially when strong privacy protection is applied.


Introduction
The rapid development of sensor networks and cloud computing has pushed the emergence of a great deal of data innovation applications for the IoT and other intelligent network systems in the fields of urban transportation, education, medical treatment, and living [1][2][3].Most service development processes involve users, data collection organizations, and data development organizations.Data collection organizations are usually trusted by users, but data development organizations are likely to be untrusted by users.With the frequent leakage of sensitive data, individuals and society are paying more attention to the protection of privacy information.It has become a meaningful and challenging problem to resolve the contradiction between the privacy protection required by individuals and the data availability required by data development organizations [4][5][6].
In a dataset that contains privacy information, the attributes can be summarized into three categories: identification attributes, quasi-identification attributes, and sensitive attributes [7].Identification attributes are those that can directly distinguish an individual's identity.Quasi-identification attributes (also known as nonsensitive attributes) are multiple attributes that together may infer the identity of an individual.Sensitive attributes are those that contain privacy data.Identification attributes are removed before the dataset is published, but simply hiding the identification attributes does not guarantee privacy because attackers may infer identification attributes based on quasi-identification attributes when attackers adopt link attacks or have users' background knowledge.If the quasi-identification attribute and the identification attribute are hidden together, although it is not possible to deduce a one-to-one association between privacy information and personal identification, the dataset with sensitive attributes becomes useless.
The approaches related to the issue can be roughly divided into three kinds: data distortion, secure multiparty computing, and data anonymity.The algorithm of data distortion randomly modifies the sensitive data, and it has a high degree of data distortion and strong data dependence.The algorithm of secure multiparty computing forces untrusted third parties to complete data mining work without the direct communication of detailed data through data nodes, and it is very expensive in terms of calculation and communication overhead.At present, most scholars are investigating variations of k-anonymity algorithm, which guarantee that only groups of a minimum size k can be identified, rather than individuals [8].However, it is proved to be a NPhard problem to find the optimal information loss and time complexity based on k -anonymity.
For the development of big data-driven services in smart environments, the existing privacy protection algorithms about data publishing have the following deficiencies: (1) the time complexity of most algorithms are relatively high, so they are hard to apply in practice and (2) service development involves many factors, such as the profit of services, quality of services, and privacy and security; however, existing algorithms have not taken the trade-offs between the factors into consideration comprehensively.
Since the attacker identifies the user based on the combination of user's quasi-identifiers and the fewer quasiidentifier fields result in a lower probability of privacy leaks, therefore, in this paper, we aim to investigate an optimal number of quasi-identifier fields under the constraint of trade-offs between service quality and privacy protection.In the initial phase, we first construct a loss function for privacy leakage and a rating function for service quality and then model the service development process as a cooperative game between the data owner and consumers.The Stackelberg game model is employed to get the global optimal solution based on historical data, which comprehensively considers the service quality, privacy leakage loss, and service revenue, so that the number of quasi-identifier fields can be determined.Since the functions of the game model may be biased from reality, we then design a way to determine whether the new data need to be learned and a way to adjust weights of historical data and new data in the update phase, and game model is then used repeatedly to get the new strategy on quasi-identifier fields delivery.
The rest of the paper is organized as follows: Section 2 discusses the work related to data publication with privacy protection.Section 3 introduces the preliminary knowledge about game theory.Section 4 defines the problem and explains our proposed privacy protection model.Section 5 presents the experiments and analyses the results.Section 6 gives the conclusions and future work.

Related Work
Many scholars have conducted a series of research work on privacy protection in data publication.Their approaches can be mainly divided into three kinds: data distortion, data encryption, and data anonymization.
Approaches based on data distortion protect the privacy information by disturbing the original data.The attacker cannot reconstruct the original data through the published distorted data, while some information obtained from the distorted data is approximately equivalent to the information obtained from the original data.This kind of approaches [9][10][11][12][13] mainly studies how to perform data perturbation and how to mine the perturbed data, so that people cannot get the value of original data but can get high-quality mining results from the perturbed data.Since the distribution of the perturbed data is almost the same as the original data, the perturbed data can be used to train the learning models well [9].The method focuses on the goal of preserving privacy by suppressing and perturbing the quasi-identifiers in the data without causing any loss to the information in the process [14].However, such kind of approaches has a high degree of data loss and strong data dependence.
Approaches based on data encryption define privacybased data mining applications as a secure multiparty computing problem involving untrusted third parties in many distributed environments.Each part only knows its own input data and the final results of all calculations among two or more sites are communicated through some kind of protocol.In secure multiparty computing [15][16][17][18], data are distributed and stored on multiple nodes.Each data node wants to perform data mining on the global data but does not want to disclose its own data.Therefore, information exchange protocols based on secure multiparty computing should be designed.Each data node does not exchange the detailed data samples directly, but it uses the protocols to exchange the information needed by the data mining algorithms in the absence of details of other nodes.However, such kind of approaches has a high computational and communication overhead.
At present, data anonymization is investigated widely and becomes the mainstream way to privacy protection.The kanonymity model originally proposed by Sweeney [19] is used to defend against background knowledge attacks and link attacks, and generalization and compression techniques are widely used to achieve k-anonymity [20,21].Since Aggrawal [22] proved that the clustering method can achieve anonymity in a more efficient way, researchers began to investigate on clustering anonymity algorithm in privacy data publication.Li et al. [23] proposed anonymity scheme that applied the clustering idea, and the anonymity process merges the equivalence classes repeatedly and selects a certain equivalence class according to the principle of the minimum amount of loss of the consolidated generalization until all equivalence classes contain more than k tuples.Zhihui Wang and et al. [24] proposed an L-clustering method that could classify quasi-identifier attributes, they measure the degree of uncertainty of attribute values before and after generalization, and give us a measure of information loss that transformed the data anonymity problem into a clustering problem with specific constraints.
To enhance the performance on time efficiency and information loss in k-anonymity, Zhang et al. [25] proposed a k-anonymity clustering algorithm based on information entropy, and the first step is to divide the table data into a number of record subsets according to the principle of the minimum average distance on quasi-identification attribute values, while the second step is to merge and split the subsets as appropriate so that the number of records for each subset is between k and 2k.Huowen Jiang et al. [7] proposed a greedy clustering anonymization method based on the idea of the greedy method and clustering and they separately measured the information loss of the quasi-identifier, and the distances between tuples and the distances between tuples and equivalence classes.The methods mentioned above try to optimize the performance of k-anonymity algorithm, but the optimal information loss and time complexity for kanonymity algorithm have been proved to be a NP-hard problem, and there is still space for improving the performance of existing algorithms.

Introduction to Game Theory
Game theory is originated from "Game Theory and Economic Behaviours," which was coauthored by von Neumann and Morgen stern in 1944 [26].For the first time, this book presents a complete and clear description of the research framework of game theory and expounds the basic axioms.For a long time, the study of game theory focused only on the double zero-sum game.In the early 1950s, Nash [27] proposed the most important theory in game theory called the Nash Equilibrium, which determined the form and theoretical foundation of the noncooperative game and extended the research field of game theory to noncooperative games and nonzero-sum games.Game theory is suitable for solving conflicts and seeking a Nash equilibrium solution for the problem.In the problem of data publication, we need to publish the user's data to develop smart services, and untrusted data developers may leverage user's private information.Therefore, it is a conflict issue to publish user data for service development, and game theory can be used for modeling.
Game theory is about how smart and self-interested people act in the strategic layout and interact with their opponents.It has three parts: (1) a group of participants; (2) the actions that participants can take; (3) the benefits that participants may get.Each participant chooses the best action for their maximum benefit, and each participant will always think that other participants are also trying to get the best result.If game theory can provide a unique solution to the game problem, the solution must be a Nash equilibrium.The strategy chosen by each participant must be the optimal response to the strategy chosen by the other participants, and no participant is willing to abandon his selected strategy alone.
According to whether there is a binding agreement between the two parties, game theory can be divided into cooperative game and non-cooperative game; according to whether the sum of the revenue of both players is zero, game theory can be divided into zero sum game and nonzero sum game; according to the decision order of the players in the game, game theory can be divided into static games and dynamic games; according to whether the two parties understand the each other's strategy and revenue function, game theory can be divided into complete information game and incomplete information game.We model the problem of privacy data publishing as a cooperative game problem between data collector and data developer and establish the strategy space and revenue function of both parties.The game sequence is that the data collector first publishes privacy data, and then the data developer performs service development based on the data.

Privacy Protection Model
Based on Game Theory Assume we have historical records of service development  = { 1 ,  2 ,  3 , ......,   }, where r i is the loss, investment, revenue, and rating score of the service when delivering 'quasi number' pieces of quasi-identifiers on datasets with sensitive attribute 'privacy type,' and r i can be expressed as a 7-tuple r i =<privacy type, quasi number, privacy loss, technique investment, A revenue, B revenue, score>.'privacy loss' is the loss of privacy, which consists of direct losses and indirect losses incurred by data collectors.The direct losses include users' privacy disclosure by competitors, and indirect losses include complaints and claims from users.'Technique investment' is the technique costs contributed by data developer.'A revenue' and 'B revenue' are the revenues of the data application services achieved by data collectors and data developers, respectively, and 'score' is the quality score of the service.The samples are shown in Table 2.
The identifying attributes have been removed from Table 1, so that a specific field in the table cannot be mapped to a specific individual.However, simply hiding the identifying attribute does not guarantee privacy security when the attacker knows some background knowledge of the user, for example, the combination of age, sex, and zip code.Under this circumstance, the attacker may also infer and identify a person, which leads to personal privacy disclosure.In the development model of existing services, data collection organizations are trusted by users; however, data development organizations are likely to be untrusted by users.
Given R, we need to perform privacy protection on T assuming that the data developer is not credible; that is, we need to determine an optimal number of quasi-identifier fields under the constraint of trade-offs between service quality and privacy protection.

The Framework of Privacy Protection Model.
In order to ensure the data availability for high service quality and to protect users' privacy at the same time, we design a privacy protection model for data publication as shown in Figure 1.The model consists of two phases, namely, service development and service update.In the initial phase of service development, we define the relevant function of the service development to simulate the problem firstly, which includes the revenue functions of the game participants and the variables on which the revenue functions depend.Then we employ the game theory to model the problem and obtain a balanced solution that both parties are willing to accept, and publish the data according to the strategy.In the following phase of service update, we adopt statistical method to detect the constantly updated data, determining whether the service needs to learn the new data.Then, we design an adjustment way of the parameters in the functions based on the actual results in the previous development phase and analyze the data publishing strategy for service update.
In the following sections, we will illustrate the game process of the data collectors and data developer by four parts: (1) the establishment of complete information; (2) the strategy generation in service development based on Stackelberg game model; (3) the detection of the need for service update; (4) the renewal strategy generation in service update.

The Establishment of Complete Information on Both Sides of the Game.
Strategic space is a collection of actions that are available to the parties of the game, and each strategy corresponds to a result.Since the data collector and the data developer cooperate to complete the service development, in this section we need to determine the strategic space and the revenue function of both parties.
We use the new strategic cooperation model which widely used in game theory economics to establish the cooperative relationship between data collector and data developer.
Because the dominant party in the cooperation model will subsidize the other party to achieve better cooperation result, we set (Q, k) to represent the strategy combination of the data collector, where 'Q' is the loss of privacy information leakage, and 'k' is the percentage of the economic subsidy to the technology investment.The strategy of the data developer is the investment cost of data mining technology 'a' .
Furthermore, we also need to define the expression of privacy leakage loss 'Q' .The basic principle is that the loss is proportional to the probability of privacy leakage P. In order to obtain the relationship between the probability of privacy leakage and the number of quasi-identifiers, we use Taylor's third-order function to model it.The expression of Q is given in formula (1): where: x represents the number of quasi-identifiers;  0 ,  1 ,  2 ,  3 represent the pending parameters in the third-order Taylor formula; P is the probability of privacy leakage; u q represents a positive coefficient between P and Q.
We assume that service quality score for data developer is affected by the amount of data information and the investment cost of mining technology.Because the privacy leakage loss Q is defined by the number of quasi-identifiers, and the more the quasi-identifiers, and the amount of information in the data set can be expressed by the number of quasiidentifiers, we need to define the quality of service score as an increasing function of privacy leakage loss 'Q' and mining technology investment cost 'a' , and the maximum value of the function is the highest score of service quality.Then, we need to set the parameters to indicate the impact of 'Q' and 'a' on the function and consider the interaction between the two variables which show a complementary relationship to quality of service score function.We consider quality of service score function as shown in where  represents the saturation value of the service level,  represents a normal number,  represents the impact factor of a, and  represents the impact factor of Q.
The return of both sides is proportional to the service quality score, and the form of revenue function is income minus cost.We define the revenue function of data collector   as (3), where ka and Q are the costs of the data collector.The revenue function of the data developer   is as (4), where (1-k)a is the cost of service development.
where S(Q,a) represents the score of service quality, Q represents the loss of privacy leakage, a represents the mining technology investment, k represents the proportion of subsidies to the data development organization, and  and  represent direct proportionality coefficient.

Strategy Generation in Service Development Based on
Stackelberg Game Model.We then aim to describe the process how data collector and data developer play the Stackelberg master-slave game.The data collector first proposes a cooperation program, and then data developer makes decisions based on the behavior of data collector.In the first phase of the game, data collector determines the proportion of economic subsidy for technique inputs to encourage service development, as well as the loss of the privacy leakage by quasi-identifier fields.In the second phase of the game, the data developer decides to invest the technique based on the data collector's program.Due to the sequence of actions, data collector makes decisions first, and data developer makes corresponding decisions based on the data collector's decision.This is a two-stage game problem that can be solved by inverse induction.
In order to obtain the Nash equilibrium solution, we consider the revenue function of data developer   first and get the response function of the data developer about Q(the loss of privacy leakage) and k(the proportion of subsidies to the data developer) by deriving   and the process is as follows: From ( 5), we can obtain the response function of the data developer: After obtaining the reaction function (6) of the data developer, we eliminate the parameter a in the revenue function of the data collector   and then find the partial derivative of the variables in function   , the process is as follows: From ( 6) and ( 7), we can obtain the value of Q and k of the data collectors  1 and  1 : After getting the value of Q, we can get the number of quasi-identifiers through (1) in data publication.

Detection of the Need for Service Update.
We then aim to build a dynamic mathematical model for the constantly update data and analyze, diagnose, predict, and optimize the system based on the model.We construct a statistical model to identify the extent of the data changes.
To achieve this goal, we construct a unilateral hypothesis test about mean  when the variance  2 is unknown.First, we get the model error evaluation index   of the ith test set.Then, we calculate the average error of the model according to Definition 1 and finally construct the distribution function according to Definition 2. Definition 1.The XinQin Law of Large Numbers state that if {  } is an independent and identically distributed random variable sequence and   =  exists, then Definition 2. The Central Limit Theorem states that regardless of   ∼ (,  2 ), in the case of large samples Definition 1 indicates that when the random variables are independent and identically distributed, the average of the random variables tends to the true average with a certain probability p, and the larger the value of n, the closer the value of p is to 1.We derive the mean of the error evaluation criteria on the original test data set from Definition 1 as shown in Definition 2 means that it is not necessary to consider the original distribution of the random variables.In the case of large samples, the average of n random variables obeys the normal distribution.Collecting the data sample of a certain time interval, we can get the error evaluation criterion  +1 of the model.Then, we establish two assumptions  0 :  ≤  0 and  1 :  >  0 and construct the statistics as shown in (13), where S represents the sample variance and n represents the sample size.
When the level of significance (0 <  < 1) is given, we can get the rejection domain of  0 :  ≤  0 as  = { >   (− 1)}.If T falls into the denial domain, it explains that because of the big data dynamic characteristic, the performance of the model with the original knowledge is not within our expectation and the new knowledge needs to be learned.The specific process of update algorithm is shown in Algorithm 1.

The Renewal Strategy Generation in Service Update.
Since the initial model is trained by historical development records of similar services, it may not be consistent with the actual service development; therefore, we need to adjust the weights of new samples according to the accuracy of the learned model.The real values of service score  and the income   ,   of both parties will be generated in the previous service lifecycle, we can compare the predicted values  * ,   * ,   * with the real ones and adjust the weight of new sample data for training involved in the game model.When the difference between the real value and the predicted value is within a specified range, we believe that the historical data of similar services can train the modeling functions well, so we can add the new data sample using the same weight with the historical data.When the difference exceeds the specified range, the historical data cannot reasonably train the modeling functions, so we adjust the weight of the new sample, making it appear more times so that the new sample will have more important impact on the training process.In formulas ( 14)-( 16),  1 ,  2 , and  3 represent the weights of the new sample in the training process of the correlative functions ( 2)-( 4), respectively,  1 ,  2 , and  3 are the corresponding prediction error threshold values, and N is the number of historical training samples.
The Nash equilibrium of Stackelberg model is unique.If there is a unique Nash equilibrium in the staged game, Security and Communication Networks the Nash equilibrium solution of each stage in a game with repeated times is the same solution as the one-time game; therefore, in the next life cycle of the data application service, the decision expression is the same as that in the previous stage.

Experiment
In the experiment, we use Adult dataset as the dataset T with sensitive information, which is the protection target.The original dataset has a total of 15 fields, 32561 records.We remove the nonquasi-identifier attributes and add a field of user's ID.A sample data set is shown in Table 3.We then simulate and generate the historical records of service development R, in which parameters are set according to the relevant literature [28,29].Table 4 shows the six sets of simulation parameters in the functions.
In the following experiment, we first aim to analyze the rationality of modeling functions and Nash equilibrium solution under the constraints of service quality and privacy protection in Section 5.1, and we then visualize the process that when we have a biased estimate of the functions, the estimation curve will approximate the actual curve by parameters adjustment in Section 5.2.At last, we compare the proposed model with the traditional k-anonymity method in Section 5.3.
We adopt GCP (Global Certainty Penalty) [30] to compare the proposed method with the traditional k-anonymity method and to measure the data availability under the same level of privacy protection.The range of GCP is [0, 1], where 0 means no information loss and 1 means total information loss.

Analysis of Modelling Functions.
We randomly extract 80 sets of samples from Table 3, and each set has 100 records.The extracted sets of samples are used to calculate the probability of identifying a specific user based on the combination of quasi-identifier fields.The detailed process is to (1) calculate the probability that identifies each user in the samples according to the quasi-identifier fields and (2) calculate the average probability of all users.For example, when calculating the average probability of identifying a user in the samples under one quasi-identifier, we randomly select a quasi-identifier in the dataset and calculate the probability that value of the selected quasi-identifier for each user can identify the user, and the average probability of identifying a specific user under different numbers of quasi-identifier fields is shown in Table 5.
We aim to prove that the Taylor third-order function mentioned in formula (1) can well simulate the relationship between the probability of privacy leakage and the number of quasi-identifiers first.In Figure 2, the red dot identifies the real sampling points, which are calculated from Adult dataset, and the blue curve is third-order Taylor function (the value of parameters can be determined by red dots:  3 = 0.0049,  2 = -0.0454, 1 = 0.1248, and  0 = -0.0921).We can see that the function curve fits the data very well, and it is reasonable to use the Taylor function to model the target variables.
We then aim to prove that the quality of service function and the Nash equilibrium solution are consistent with the reality, which is mentioned in formula (2), Section 4.3.As shown in Figure 3, we perform visual analysis of the quality of service function, and we can see that the curves under six sets of parameters in Table 4 basically follow the similar shape.The quality of service increases with the increase of a (mining technology investment) and Q (the loss of privacy leakage), and the function curve increases rapidly first, then the growth tends to be gentle.During the growth of the curve, the value tends to reach the highest service quality score, i.e., the full score  in the function.Considering the user's privacy and the   response strategy of the data developer, the Nash equilibrium strategy is not close to the strategy combination with the highest service quality score, and the strategy takes a high point rather than the optimal point.In the untrustworthy cooperation process of reality, our intuition is that the target variable increases with the increase of both sides, the target variable will gradually approach the maximum value of the target variable, and because the two sides do not trust each other, they cannot achieve the best solution and the quality of service function can reasonably simulate the cooperation between data developer and data collector.Next, we aim to prove that the profit function is reasonable and the maximum point is the Nash equilibrium solution.Since the revenue function of the data collector is related to three variables as shown in formula (3), Section 4.3, it is necessary to eliminate one variable a according to formula (6), Section 4.4.We then plot equivalent profit curves under (Q, k) space in Figure 4. We can find the six curves are all convex, and the Nash equilibrium of all curves corresponds to the maximum values.The profit of data collector increases first with respect to Q and k (the proportion of subsidies to the data developer), and the rate of increase becomes smaller as Q and k increase, and when it increases to the highest point, the function curve begins to drop.The revenue function of the data collector takes into account the quality of service, the loss of privacy leakage, and the strategic variables of the data developer, the maximum value of the function corresponds to the Nash equilibrium solution.The function curve is consistent with our expectation as follows: (1) the function value increases with the service quality score and (2) it is a convex function about the input cost.

Analyze the Iterative Process.
In this section, we aim to prove that the training after sample weight adjustment can approximate the real function when the initial modeling is biased from reality, and the actual parameters of the functions in the experiment are  = 246,  = 82,  = 50,  = 10,  = 0.2, and  = 0.4.
When the absolute difference between the real value and the estimated value is greater than the specified threshold, we will adjust the weights of the new samples.As shown in Figure 5(a), we mark the real function curve and set the threshold of error to 2. We use MATLAB randomly generate 20 reasonable sample scatter points larger than the threshold and draw the initial estimation curve by gradient descent algorithm.At the end of the service, a real sample scatter is generated, so we take the point on the real curve and use the gradient descent algorithm to estimate the curve by the sample weight adjustment method in Section 4.6.When the function simulation curve is corrected several times according to the real data, the error between the predicted value and the true value is less than the threshold and the sample weight is no longer changed.Figure 5(b) represents the revenue function of the data collector, and the threshold is set to 100 and the iterative simulation process is similar with Figure 5(a).

Effectiveness Analysis of Privacy Protection.
We aim to compare the effect of privacy protection of our proposed model with the traditional method k-anonymity, and the result is shown as Table 6, where P is the probability of privacy leakage and K presents the size of anonymity group when kanonymity achieves the same privacy protection.We compare     the two methods from the GCP and time complexity.In our approach, reduced number of fields represents the number of quasi-identifier fields that are reduced.
In data applications, deleting the appropriate quasiidentifier fields will not affect the data mining results, but deleting too many quasi-identifier fields will reduce the upper bound of the accuracy.When k-anonymity algorithm is used for privacy protection, no matter how much K is equal to, it will cause loss of data information which limits the application of mining algorithm and the upper bound of accuracy.Generally, P is thought to be weak when P is between [0.1, 0.5], middle when P is [0.01, 0.1), and strong  when P is 0.01).GCP represents the information loss, 0 means no information loss and 1 means total information loss.The less the GCP, the better the data availability.
From Table 6 we can see that the GCP of k-anonymity increases stably when P changes from weak to strong, as well, and the size of k increases from 2 to 1000.The GCP of our proposed model also increases with P, and the reduced number of quasi-identifiers increases from 3 to 8. When users need week privacy protection, the GCP of k-anonymity is smaller than game theory model, and it is appropriate to select k-anonymity to process the data.But when users need middle privacy protection, our model performs better than k-anonymity.On the other hand, we calculate the number of published quasi-identifiers through the privacy protection model, and the data developer selects the corresponding number of quasi-identifier field from the source data fields, and when data needs to be applied with week privacy protection, fewer quasi-identifier fields need to be reduced and the truncated fields may have little impact on the target variable in practice.Furthermore, we compare the time complexity of the two methods.Because our proposed privacy protection model relies on modeling functions, where the unknown parameters of the functions can be determined by gradient descent algorithm, we can use the stochastic gradient descent (SGD) [31] to solve the problem in practice and the time complexity of the SGD is ().We use an improved k-anonymous algorithm [7] for comparison, and its time complexity is ( 2 ).Therefore, the game theory method is simple to implement in practical application and can adapt to the large amount of data.

Summary
This paper introduces the developmental characteristics of the data application service in the intelligent network system and analyzes the shortcomings of the privacy protection algorithm in solving such problems.On this basis, this paper proposes a privacy protection model based on game theory, which protects users' sensitive information by reducing the number of quasi-identifier fields in the released data table, and the strategy calculated by the game model can simultaneously protect user privacy and service quality.This paper introduces the proposed architecture of the privacy protection model that is based on game theory and contains the realization of the process.Finally, we verify by experiments that the proposed privacy protection model can effectively protect the user privacy and service quality.However, in the development of the big data services of the intelligent network system, there is still a lack of algorithms and models that are effective and have the greatest degree of protection for user privacy.To achieve the maximum privacy and security of users, the relevant laws need to be further improved and a deeper study of the relevant issues in the industry is needed.

Figure 1 :
Figure 1: The framework of privacy protection model.
There are a set of datasets with sensitive information for publication, and each dataset can be expressed as  = { 1 ,  2 . . .  }, where t 4.1.Problem Definition.i is the ith record, and each record consists of q quasi-identifying attributes and one sensitive attribute, i.e.,   = (  ,   ), where   = { 1 ,  2 . ..} denotes all the quasi-identifying attributes in the data table and A s is the sensitive attribute in the table.Table1shows an illustrating example of the dataset containing privacy information, where age, sex, and zip code are quasi-identifier attributes and disease is the sensitive attribute.The set of datasets can be classified by the sensitive attribute, such as disease, property, and religious beliefs.

Table 1 :
Example of a dataset with sensitive information.

Table 2 :
History usage records for the privacy field.

Table 3 :
The sample of adult data set.

Table 4 :
The simulation of parameters in the functions.

Table 5 :
The average probability of identifying specific users.

Table 6 :
Comparison of the two methods.