LDPCD: A Novel Method for Locally Differentially Private Community Detection

As one of the cores of data analysis in large social networks, community detection has become a hot research topic in recent years. However, user's real social relationship may be at risk of privacy leakage and threatened by inference attacks because of the semitrusted server. As a result, community detection in social graphs under local differential privacy has gradually aroused the interest of industry and academia. On the one hand, the distortion of user's real data caused by existing privacy-preserving mechanisms can have a serious impact on the mining process of densely connected local graph structure, resulting in low utility of the final community division. On the other hand, private community detection requires to use the results of multiple user-server interactions to adjust user's partition, which inevitably leads to excessive allocation of privacy budget and large error of perturbed data. For these reasons, a new community detection method based on the local differential privacy model (named LDPCD) is proposed in this paper. Due to the introduction of truncated Laplace mechanism, the accuracy of user perturbation data is improved. In addition, the community divisive algorithm based on extremal optimization (EO) is also reﬁned to reduce the number of interactions between users and the server. Thus, the total privacy overhead is reduced and strong privacy protection is guaranteed. Finally, LDPCD is applied in two commonly used real-world datasets, and its advantage is experimentally validated compared with two state-of-the-art methods.


Introduction
Due to the rapid development of Internet technology, APPs with various functions have brought great convenience to the daily interaction among users. After integration, these relationship data of users can be exploited to build social graphs, from which service providers can mine valuable information such as frequent subgraphs [1,2], average path length among users [3], and the community structure of users [4][5][6]. In particular, community structure is an important feature of social graphs. On the one hand, based on network topology architecture and user attributes, various user communities and interest groups will be mined for the futural personalized recommendations [7,8]. On the other hand, as an important manifestation of topological features, community structure has a significant guiding role in creating synthetic social graphs [9]. erefore, the exploration of community information from social networks has attracted extensive attention in the field of academy and industry.
Community detection on the social graph requires the collection of users' social relationships. However, most social links among users are sensitive and private information. If the user uploads such data without reservation or the server does not take any privacy protection measures in the centralized data analysis, the user's local information may be exposed to the risk of leakage and inference attack. For example, in 2018, Facebook was accused of leaking tens of millions of user personal information to the UK-based thirdparty firm Cambridge Analytica [10]. is privacy scandal indicates that one of the main problems to be solved in the community mining of social networks is the privacy protection during the collection of user relationship data.
As far as we know, a promising model which can be utilized to resolve the privacy issue posed by the untrusted service provider is local differential privacy (LDP) [11]. LDP is a privacy protection framework inherited from centralized differential privacy (DP or CDP) for privacy protection during data collection. e real data are perturbed by the user on the local terminal and then uploaded to the data curator. Both in industrial production areas and academic research studies [12][13][14][15][16][17][18], this model has been widely utilized because of its strong resistance to attack based on any background knowledge and its exclusion of the assumption of a fully trusted server.
At present, community detection based on LDP has become a research hotspot in privacy protection of big data [8,19,20]. In this context, the protective measures of social relationship data are transferred from centralized overall processing to distributed processing by each user. is data collection pattern poses a key problem for the community detection task of social graphs. Since most of the community detection algorithms of graph data require that the real and specific structure of the entire network be known, under the local privacy protection, it is difficult for the server to directly conduct community detection algorithm with false information uploaded by users instead of a true social graph. Moreover, serious damage to the network topology will be posed when the users independently add noise to their local relationship data. is will eventually cause excessive loss of graph structure information and seriously affect the utility of community detection results [19][20][21]. erefore, it is speculated that studying the community detection problem of the social graph under LDP is difficult.
is paper intends to respectively modify existing community detection method of graph data and perturbation method of users' local data under LDP. us, a novel privacy protection community detection method is designed, which is named LDPCD. In its framework, a community divisive algorithm based on extremal optimization (EO) is used as the basis of the community detection method. When executing the EO algorithm, the total number of queries on the user's degree vector and the times of grouping adjustment will increase sharply with the network scale. erefore, under a limited total privacy budget, there exists a problem of extremely large errors in the results of a single query. In this regard, the truncated Laplace mechanism is used to limit the disturbance range of the user's degree, thereby reducing the calculation error of the user's fitness value. Appropriate refinements are also made to the existing EO algorithm under the protection of LDP to significantly reduce the total interaction times between users and the server. Finally, LDPCD is adopted to conduct community detection on two social network datasets to prove its effectiveness. In summary, the following contributions of this paper are made: (1 )A novel community detection method LDPCD under local differential privacy protection is proposed, which can obtain better community detection results under higher local privacy protection requirements. (2) In order to solve the problem of large error caused by Laplace mechanism, the truncated Laplace mechanism is introduced to optimize the local perturbation of user's degree vector. Moreover, we provide rigorous theoretical proof that the new noise addition method satisfies ε-LDP. (3) By refining the community divisive algorithm based on extremal optimization, the interaction times between users and the server as well as the total privacy cost are reduced, and the utility of community division is also guaranteed. (4) rough experimental evaluation on two commonly used social network datasets, the community detection results of LDPCD are compared with those of two state-of-the-art methods of graph data analysis under LDP [19,20] to demonstrate the accuracy and effectiveness of our proposed method. e rest of the paper is structured as follows. Section 2 introduces the research status of LDP in graph data analysis. Section 3 elaborates the preliminary knowledge of community detection and LDP protection on graph data and gives the definition of the problem in this paper. Section 4 describes the framework of LDPCD and its implementation details. Section 5 presents and analyzes the experimental results. Finally, Section 6 draws the conclusion.

Related Works
In recent years, research studies on protecting the topological characters and user relationships in social graph data under LDP have attracted widespread attention of scholars [8,19,20,[22][23][24][25][26][27][28]. According to different analysis objects of social graph data, the existing work can be summarized in two aspects, which are statistical graph metrics estimation and synthetic social graph generation.

e Application of LDP in Statistical Graph Metrics Estimation.
e statistical metrics of the social graph are important objects of graph data mining. As coarse-grained information, these statistical metrics highly condense certain properties of the social graph, which can express complex topological relationships through simple numerical values. erefore, some studies adopted LDP mechanisms to perturb user's social data and analyzed many types of statistical graph metrics such as degree distribution [8,29], clustering coefficient distribution [20,30], edge weight distribution [31], and modularity [20].
Jacob et al. [23] proposed a method for estimating the frequency of subgraphs based on LDP. e central server aggregates this local statistical information with calibrated noise after interacting with the users to estimate the total number of k-stars and triangles in the entire graph. Sun et al. [25] formulated a stringent definition of decentralized differential privacy to provide adequate protection for the information of each user and her neighbors. e total frequency of triangles, three-hop paths, and k-clique in the social graph is thus precisely estimated using a noise injection method that satisfies this privacy definition. Wei et al. [8] proposed using LDP in the collection of attribute graph data. After the random-jump perturbation to the user's degree and the randomized response mechanism to the user's binary attribute value, the original degree distribution and the joint distribution of attribute data are, respectively, restored by unbiased estimation and EM algorithm. For the social graph with edge attributes, Liu et al. [24] proposed a novel privacy definition (attribute-wise LDP) with stronger protection than edge differential privacy. Accordingly, a novel perturbation mechanism was designed to protect all edges with the same attribute for each user. e corresponding method for the restoration of statistical metrics was also proposed to estimate the frequency of nodes with certain attribute edges and the degree-attribute joint distribution of the social graph. Ye et al. [20,27] argued that, for the estimation of most statistical graph metrics (such as node clustering coefficient and subgraph modularity) under LDP, it is sufficient to only query the noisy degree and adjacent bit vector of each user. Based on this point, they proposed a general framework LFGDPR, which analyzes the optimal allocation scheme of privacy budget to separately perturb the two items and provides the corresponding unbiased estimation algorithm for different graph metrics.

2.2.
e Application of LDP in Synthetic Social Graph Generation. In the various applications of differential privacy on social graph data, it is a popular but challenging research task to use appropriate graph generation models to generate a synthetic and privacy-guaranteed social graph for its publishing to third parties [22,32]. With the rise of social graph analysis based on LDP, the research on the synthesis of a private graph based on the user's decentralized perturbed information is also gradually unfolding [8,19,28].
Qin et al. [19] conducted pioneering research on this field and proposed a graph data collection and synthetic graph generation method under LDP, which is named LDPGen. In more detail, each time LDPGen partitions all users into disjoint groups and queries each user for her perturbed degrees under the grouping, users with similar degree vectors are clustered together to form a new user partition. is process of grouping-inquiry-grouping iterates until the privacy budget is depleted. Based on the final partition, a synthetic social graph is generated by using the graph-generating model of Chung-Lu [33] for further analysis. With the same research object as in [19], Zhang et al. [28] proposed to collect users' noisy degrees by means of secure multiparty computation to form several user groups. en, each user adopts an optimized randomized response scheme to perturb its adjacency vectors in different groups. Finally, the synthetic social graph is generated through the synthesized adjacency matrix after aggregating the perturbed bit vectors of all users. Based on the collected noisy data from all users, Wei et al. [8] used the attribute graph model (AGM) [34] and takes the estimated distribution of degrees and attribute values as input parameters to generate the initial seed graph. In order to preserve the structure and community information of the original graph, the community detection algorithm of CESNA [6] is adopted.
rough continuous iterative community detection of the seed graph and the modification of the edges and attribute values in it, the convergent synthetic attribute graph with high utility is finally generated. In addition, Ye et al. [20] proposed the LFGDPR framework that can be applied to the unbiased estimation of the modularity of any subgraph. On this basis, the Louvain community detection algorithm [4] is used to divide users into communities, and a new synthetic social graph is generated based on the community detection results.
In general, the existing work can analyze some commonly used statistical metrics of graph data and generate synthetic social graphs under LDP. However, in some of it, the problem of community detection is mostly presented as a part of the whole research content and closely connected with the final synthetic graphs, which means that the quality of the graphs will have a significant impact on the utility of the community division result. In this paper, we attempt to design a more straightforward method without private graph generation and gradually restore the community structure through multiple user-server interactions.

Problem Definition
In this section, we briefly introduce the prerequisite knowledge of community detection and local differential privacy for graph data; then, we give a detailed definition of the considered problem. Table 1 describes the meaning of some notations used in this study.

Nonprivate Community Detection in Social Graphs.
Many research studies have been conducted on the community detection of social graphs. Most classical methods of community detection are dedicated to optimizing the modularity of the community division of the entire graph. Among them, the EO-based heuristic algorithm has been widely used owing to its high computational efficiency and fast convergence speed [5].
In the method of EO-based community detection, the global variable is the modularity Q of a community division of all users, whereas the local variables are the contribution of each node to the total modularity. e contribution q i of node i is as follows: where δ c(i) represents the number of edges connected between a node i belonging to community c and the other nodes in the same community, δ i represents the total degree of node i, and a c(i) represents the proportion of the degree sum of all nodes in community c to the degree sum of all nodes in the entire network. e relationship between the modularity Q as a global variable and the local variable q i is as follows: where L c and L represent the number of edges in community c and the total edges in the entire network, respectively. Since the value range of Q is [− 1/2, 1], to maintain the Computational Intelligence and Neuroscience 3 consistency, the local variable is normalized as λ i with the same range, which is defined as the fitness of user i: erefore, the greater the fitness value of a node, the greater its contribution to the modularity of the community structure.
After defining the fitness of each user, the heuristic divisive algorithm of EO can be described as follows: (1) Initialization: the entire network is randomly divided into two groups, each of which has the same number of nodes. is is regarded as the initial community structure of the network. (2) Iteration: in each iteration, after the fitness values of all users have been calculated and sorted, the node with the lowest fitness is considered to contribute the least to the modularity of current bipartition of users and is moved to the other group. After each move, calculating the new two-dimensional degree vector of all users based on the original graph and updating their fitness accordingly is necessary.
By repeating step (2), an optimal bipartition state will be finally obtained. In addition, its modularity Q b (also defined as bipartition modularity) reaches a locally optimal value and no longer increases. Afterward, all edges between the two resulting groups are removed, and the abovementioned initialization grouping and iteration process is independently continued in each subgraph formed by the final groups (each with their own Q b when divided into two parts), thereby further splitting the users' community.

3.2.
reat Model. e community detection algorithm described in this paper involves multiple rounds of interaction between two participants, i.e., the user and the server. e user is considered to be trusted because she only keeps her social relationship data locally. However, the server is considered semitrusted. On the one hand, the central server collects true relationship data uploaded by users and reconstructs the real social graph to provide users with personalized services based on the mining results of it. On the other hand, the users' real data may be disclosed to other untrusted third parties. In addition, even if a user only uploads the true statistical values of some coarse-grained information (such as user's degree), the central server will infer whether there is a social link between this user and another targeted user based on his existing background knowledge or true information provided from other users in collusion.

Privacy Definition.
Based on the threat model described in Section 3.2, to collect user's private social relationships without relying on a trusted server, we should resort to LDP mechanisms for the protection of each user's local and limited information.
In the graph data analysis of LDP, privacy definitions are generally divided into the node LDP and edge LDP [19]. In our scenario, whether two targeted users have a friendly relationship is considered private information to be protected, which coincides with the definition of edge LDP. Considering that any edge in a social graph can affect at most one bit of each user's neighbor list, edge LDP is defined as follows: Definition 1 (edge LDP, see [19]). For a social network with N user nodes, a randomized mechanism M defined on 0, 1 { } N satisfies ε-edge LDP if any user i and her two neighbor lists l i , l i ′ differ only in one bit, as well as any possible output subset S ∈ Range(M). e following probability inequality holds: Regarding the EO-based community detection algorithm adopted in this paper, the calculation of user fitness mainly involves the user's degree vector for a certain grouping situation. us, we adopt the degree perturbation mechanism proposed in [19]. In particular, the central server divides all users into k groups, denoted as ξ � U 1 , . . . , U k . After the grouping information is distributed to all users, each user tallies her degree in each group and obtains the corresponding degree vector presence or absence of an edge in the social graph will affect at most one degree value in the degree vector of each user by 1, the user adds independent Laplace noise with a mean value of 0 and a scaling parameter of 1/ε to each dimension of the degree vector, i.e., erefore, if the neighboring degree vectors δ i and δ j satisfy δ r i � δ r j for r ∈ [1, k] and r ≠ m, as well as is shows that the degree vector perturbation mechanism satisfies ε-edge LDP.
In addition, considering our community detection scenario, the user and the server interact several times in the iterative process of fitness calculation and grouping adjustment. Since any relationship edge of one user affects the degree results for each query of the server to the greatest extent, according to the sequential composition property of DP [35], in the entire process of community detection, the total privacy cost for each user is equal to the sum of all the privacy budget consumed by her interactions with the server.

Accuracy Definition.
e community detection on a real social network can get the community division of users close to the facts. In this study, we use the community detection result of a real social network based on the EO algorithm as the ground truth, denoted by C t . e result of community detection under LDP is expressed as C p . For a certain deviation between C p and C t , the accuracy of privacy-preserving community detection is measured using three metrics: modularity, ARI, and AMI. ese three metrics are described in detail in Section 5.1.3.

Problem Statement.
In this study, we aim to find a tradeoff between the privacy protection of user social relationship data and the utility of community detection results. Based on the definitions of privacy and accuracy given in Sections 3.3 and 3.4, as well as the EO-based community detection method, in this section, we formally describe the problem of the community detection for social networks under LDP guarantees.
Definition 2 (community detection for social networks under LDP). In this study, LDPCD, a novel framework, is designed for community detection on social networks under LDP.
(1) e framework guarantees that any relationship data of each user satisfies ε-differential privacy for the other users and the server (2) Based on the EO algorithm, the framework exploits the degree vector information uploaded by users and uses a community divisive algorithm to divide users into several communities (3) e framework improves the existing classical data perturbation mechanism to ensure that the results of community detection can achieve reasonable utility under strong privacy protection Studying community detection under LDP protection is challenging because of two main reasons. First, the central server cannot use agglomerative algorithms to cluster users into communities, which is because these algorithms cannot be implemented by correctly inferring the truthfulness of the perturbed links in the local region with high probability, thereby affecting the fusion process of nodes and communities based on the greedy algorithm. Second, in the context of LDP, each user interacts with the server several times to continuously optimize the community division results. For a moderate total privacy budget, overly small distributed budget may result in the utility of community division to not significantly improve with the increase in the number of interactions. erefore, in response to the first one, the community divisive algorithm is used as our basic method, and user statistics such as the degree vector are exploited to guide the division and adjustment of user communities. To mitigate the large perturbation error caused by excessive interactions, the conventional data perturbation mechanism is improved to enhance the accuracy of community detection under reasonable privacy protection strength.

Methods
In this section, we propose LDPCD, a novel framework, for community detection of social graphs under LDP protection. First, this framework is described in detail. en, the drawbacks of directly applying the existing noise injection method of LDP to the EO-based community detection algorithm are analyzed. Finally, a modified data perturbation satisfying LDP and a refined EO-based community detection algorithm are proposed. Figure 1, LDPCD mainly comprises two building blocks: the multiple interactions between users and the server and the server-side iterative processes of the generation of user communities. e userside operation mainly comprises the calculation and local perturbation of the degree vector. e iterative processes comprise the multiple degree queries and iterative adjustment of user's bipartition until the bipartition modularity converges, and the iterative optimal bipartition of user's community until the user partition is stable.

Framework. As shown in
At the user side, user i receives the bipartite grouping G from the server, generates her true degree vector δ i , and Computational Intelligence and Neuroscience perturbs it according to the assigned privacy budget ε and then uploads the perturbed degree vector δ i (step ②).
At the server side, the overall data operation process is shown in steps ① and ③ to ⑥ in Figure 1. In the input step, the server gets the ID information of all surveyed users and forms a user set U 0 . Meanwhile, a community division C 0 is initialized, where C 0 � U 0 . Next, the server performs multiple rounds of bipartition to divide all users into several communities. In particular, when the bipartition process reaches the rth round, the server starts from the user community division result of the previous round and initializes the rth round's community as C r � ∅, then sets each subset in C r− 1 as an independent user community U, and performs the bipartition operation separately.
In the initial case of the bipartition operation, the server side randomly bisects U and obtains the initial bipartite grouping G � U 1 , U 2 (step ①). After querying the perturbed degree vectors of all users (step ②), the server collects them and computes the corresponding fitness for each user in the EO-based algorithm and the bipartition modularity value of the current grouping (step ③). Afterward, the server iteratively sorts the users' fitness to obtain the sequence λ, adjusts the bipartite grouping according to λ, and recalculates the fitness of each user until the grouping situation stabilizes (step ④). e stabilized G and privacy budget ε are distributed by the server to each user in U for the next query regarding degree vectors (step ②). After collecting all perturbed data, the server repeats the computation of fitness as well as bipartition modularity and the iterative adjustment of the user's grouping. e adjustment-query-adjustment process for the final bipartition result will last until the bipartition modularities obtained by two neighboring queries have a subtle gap, which indicates that the optimal bipartition of U is finally obtained and its final grouping G f is thus formed (step ③).
During the rth round of user community division, after judging that the optimal bipartition of each subset U r− 1 ∈ C r− 1 is completed (step ③), checking whether its G f can cause an increase in the total modularity Q compared to itself without bipartition (step ⑤) is necessary. If the gain is greater than a certain expected error, C r � C r ∪ G f is computed to update the rth round's community division. Otherwise, C r � C r ∪ U r− 1 is executed, indicating that any bipartition cannot pose an obvious gain in Q. Whether to perform a new round of community bipartition is decided based on the comparison result of C r− 1 with C r (step ⑥).
us, in the entire process of the community divisive algorithm based on EO, the server side iteratively performs the optimal bipartition of user subsets (also as communities) for several rounds, which start from the first round of community bipartition on all users and finally ends when the user community divisions of two neighboring rounds are identical, and the total modularity stabilizes to get the final community detection result of all surveyed users.

A Naive Method.
Since Laplace mechanism is commonly used for differential privacy protection of numerical data, an intuitive approach is to inject Laplace noise in user's true degree vector (as mentioned in Section 3.3). After making minor adjustments to user groups based on user perturbation data, the server needs to inform all users within the bipartite grouping about the migrated users, thus making all users update their degree vectors according to the new grouping situation. On this basis, we refer to the classical EO algorithm [5] in our naive method and only move the user with the lowest fitness to the other group in each grouping adjustment and continue the query for the user's updated perturbed degree vectors. As we can imagine, the migration of one user only results in a slight change in the degree vectors of some users. However, determining whether and to what extent the degree vector of the other nodes that have not been moved have changed is impossible for the server because he has no access to the true social graph of the surveyed users under LDP.   Computational Intelligence and Neuroscience erefore, each time of user grouping adjustment has to be allocated some privacy budget for querying about the updated degree vectors.

Problems of the Naive Method.
In the abovementioned naive method, the conventional Laplace mechanism is used for data perturbation. e server executes the iterative process of the classical EO algorithm by multiple interactions with users and using the perturbed data for fitness calculation and node migration. Two main problems are encountered in this process. On the one hand, with excessively small privacy budget distributed for each query, the addition of Laplace noise can considerably distort the true degree vector when there is no limitation of output range for the noisy degree. e perturbed data with large error will considerably affect the grouping adjustment process, resulting in low modularity and poor utility of the subsequent community division results. On the other hand, the classical EO algorithm requires that every time a single user node changes its group, the information of each user is requeried, which significantly increases communication cost between users and the server. erefore, applying this naive approach to practical community detection under LDP protection is nearly impossible.

Data Perturbation.
Considering the limitations of Laplace mechanism when applied to the EO-based community detection algorithm, the truncated Laplace mechanism [36] which restricts the perturbation range of user's degree is used as our data noising scheme, thereby resolving the problem of the poor utility of the community division result caused by the large error under low privacy budget.
In the Laplace distribution f(x) � e − |x− μ|/σ /2σ, the output range is the real domain. However, to ensure that the result of user degree is meaningful after perturbation, the output range of the LDP-based mechanism should be limited from 0 to the total number of users or to an even shorter interval of the degree value, which can prevent a small degree from being perturbed under the conventional Laplace mechanism and resulting in a negative one with large absolute value and seriously affecting the estimation accuracy of user fitness. In this regard, the truncated Laplace mechanism [36], as an improved method of Laplace mechanism, truncates the infinite range of perturbation results. Moreover, to ensure that the integral of the output probability density of all values in the truncated range is equal to 1, the probability density function f(x) is multiplied by a normalization parameter, which guarantees that the true degree results are always output with the maximum probability and meanwhile increases the output probability of all values within the output interval. e integral of probability density function in this interval is 1, whereas the output probability of all values outside this truncated range is 0, thus improving data accuracy after perturbation.
As shown in Figure 2, when the users use the truncated Laplace mechanism to perform degree perturbation locally, the limit output range should be determined according to the true value of the user, and it is expressed by (L, R), where L, R ∈ N (here, the symbols L and R, respectively, denote the left and right boundary of the output range, and the true degree δ satisfies L < δ < R). Because the information that users need to protect is the existence or absence of an edge in the true social graph, the sensitivity of each dimension of the local degree vector is Δδ � 1. Given the privacy budget ε of each time of query, the scaling parameter σ in the truncated Laplace distribution function is obtained, i.e., (In Section 4.5.1, we give detailed proof of the value of σ ). en, the integral on the intervals (− ∞, L) and (R, +∞) is calculated according to the probability density function of the Laplace distribution, i.e., To make the integral of the probability density function on the truncated range equal to 1, the output probability density f(x) of any real number x ∈ [L, R] is multiplied by the normalization coefficient n δ , which is calculated according to n δ � 1/(1 − I L − I R ), and a normalized probability density p(x) is obtained, i.e., Correspondingly, the red/blue curve in Figure 2 represents the probability density function of the Laplace/truncated and normalized Laplace distribution, respectively. In the latter one, the output range of the perturbation result is considerably narrowed, and the probability of the output result near the true value remains the maximum. e truncated Laplace distribution curve is not symmetrical like the conventional Laplace distribution under certain parameter conditions, which leads to the deviation between the  Computational Intelligence and Neuroscience expected value and the true degree. Nevertheless, because of the limitation of the output range, truncated Laplace has a smaller mean square error than the conventional mechanism under a low privacy budget. us, we can infer that the limitation of the length of output interval for user's degree perturbation will greatly affect the utility of the noisy degree vector and the accuracy of the community detection results.
Algorithm 1 describes the local perturbation process in detail. In particular, during each round of user community bipartition, user i will receive a bipartite grouping G of the user subset U including herself from the server for multiple times. Each time, she keeps her personal social data locally and calculates the corresponding true degree vector according to the grouping situation (Line 1). When delivering G to the users, the server will notify user i of the length of the truncated range, which is denoted as l. Based on this, user i generates two sequences of output intervals with the same length of truncation corresponding to U 1 and U 2 (Line 2) and obtains the output interval for each dimension according to her true degree vector (Line 3). Afterward, user i spends privacy budget ε to perturb each dimension.
rough the true degree δ, the left boundary L and the right boundary R of the output interval, the scaling parameter σ, and the normalization coefficient n δ , as well as the probability density function p(x|x ∈ [L, R]), can be calculated (Line 7). To ensure that the perturbation result is meaningful, the output probability of any integer in the output interval is calculated according to the data perturbation steps shown in lines 8-11 to make that any real result obtained by the truncated Laplace mechanism are rounded, which still satisfies ε-LDP for each query.

Refined EO Algorithm.
As mentioned in Section 4.2.1, directly performing the grouping adjustment of the classical EO algorithm and the recalculation of user fitness in the application scenario of LDP will not only cause the excessive allocation of the privacy budget but also lead to a catastrophic increase in the cost of user-server communication. For solving this problem, we attempt to make full use of the uploaded data and propose to form an iterative process inside the server based on the perturbed degree vectors and the corresponding user grouping, thereby greatly reducing the total number of interactions between users and the server during the process of optimal bipartition for each community. Specifically, we assume that the degree vector of all users remains unchanged after any number of users are migrated to the other group; then, the change in fitness is only related to the calculable a c(i) . After the move of user i, the sum of user degrees in the original group, where user i is located, needs to be subtracted by i's perturbed degree, and the sum of degrees in i's current group needs to be added with i's degree value accordingly. erefore, the changes of a 1 and a 2 of the two groups can be calculated correspondingly, and the fitness of all users can also be updated according to (3).
In Algorithm 2, we describe the whole process consisting of the server-side migration of users in bipartite grouping and several interactions of degree query to finally obtain an optimal grouping with converged bipartite modularity.
Initially, after setting the length of the truncated range and the privacy budget of a single query, the server bisects the user subset U randomly into two groups (line 1), followed by sending all this information to the users. Each user substitutes the above privacy protection parameters into Algorithm 1 to obtain her perturbed degree vector and uploads it to the center (line 4). After that, the server aggregates these noisy data to directly calculate the total number of edges, a 1 and a 2 , the fitness of each user, and the bipartition modularity of the initial grouping (lines 5-10).
en, the server performs the grouping adjustment step shown in lines 12-21 of Algorithm 2. e user m ′ with the lowest fitness is migrated to the other group. Based on the noisy degree vector uploaded by users and the fine-tuned a 1 and a 2 after the migration of m ′ (lines [16][17][18][19], the fitness of all users is updated, and the user with the lowest fitness is found out and migrated again. is process will continue to iterate, during which the server only uses the perturbed degree vectors uploaded by users according to the initial random grouping and does not consume any additional privacy budget. From the classical EO algorithm, it can be inferred that the ultimate goal of the iteration is to make the fitness of all users in the final convergent grouping situation greater than 0, which means that the bipartition modularity no longer increases. Considering that this situation may not be reached in the end, the convergence conditions are relaxed. When the last two search results are the same user with the minimum fitness (line 14), the migration iteration of users can be stopped for this time.
Considering the degree vector of each user is in fact changing implicitly in the continuous adjustment of user grouping, the iterative migration of users based on the degree vectors of the initial grouping cannot derive the expected near-optimal bipartition of U. For this problem, another iterative process of degree query between users and the server is constructed. After the server performs the steps in lines 12-21 based on the initial grouping and the corresponding degree vector, the formed convergent grouping will continue to be delivered to all users as the baseline grouping of a new query to obtain the next new perturbed degree vectors (line 22), and from it, the server will perform the user migration iterative process of the next time (in Algorithm 2, we take s to denote the number of degree queries).
erefore, a small iterative migration process is nested in a larger iterative process of degree query. In this way, the number of user interactions with the server and the consumption of the privacy budget can ultimately be greatly reduced. When the algorithm is executed until the bipartition modularity of user convergent grouping G does not increase (line 23), the ideal division result of the user subset U is obtained.
According to the description of the framework in Section 4.1, when each user subset U r− 1 in the initial community division C r− 1 of the rth round does not increase the total modularity after completing the optimal bipartition, the iteratively splitting process of user subset gets terminated. 8 Computational Intelligence and Neuroscience erefore, it is necessary to estimate the modularity gain ΔQ after each execution of Algorithm 2. To obtain unbiased estimation results, each user is required to consume additional privacy budget ε f and utilize Laplace mechanism to add calibrated noise on her true degree vector, which is based on the optimal bipartition result of the user subset including her (also as G f ). According to this, the user degree in the subset U and the total number of edges L of the user subset can be derived by referring to lines 4 and 5 in Algorithm 2. e total number of edges L 1 and L 2 within each one of the final groups can also be directly calculated, i.e., We also use the noisy degree vectors with Laplace noise from the first round's optimal bipartition for all users to calculate the total degree of each user and the total number of edges in the entire network. Here, we slightly abuse the Input: user i's adjacent bit vector B i ∈ 0, 1 { } N , the division of the group U where user i is located G � U 1 , U 2 , the truncated interval length given by the server l, privacy budget ε Output: perturbed degree vector δ i of user i under the grouping G (1) Calculate the true degree vector δ i � δ 1 i , δ 2 i based on B i and G; (2) Generate I 1 and I 2 corresponding to U 1 and U 2 , respectively, according to l, which is I 1 � [0, l), [l, 2l), . . . , [⌊|U 1 |/l⌋ · l, |U 1 | and and [L 2 , R 2 ) in I 1 and I 2 , respectively, to satisfy that f , U 2 f , privacy cost ε cos t (1) Initialize random bisection of the server G 0 � U 1 0 , U 2 0 , and set s � 0; (2) e server delivers grouping G s to users in U; (3) for i ∈ U do (4) User i executes Algorithm 1 (with input parameters B i , G s , l, and ε) and obtains δ i as well as δ i � δ 1 i + δ 2 i to upload to the server; (5) e server calculates the total number of edges L � i δ i /2, as well as a 1 � j∈U 1 s δ j /2L and a 2 � k∈U 2 s δ k /2L; (6) for j ∈ U 1 s do (7) Calculate the fitness λ j � δ  (15) m � m′; (16) if m ∈ U 1 , then (17) Recalculate according to lines 6-9, and repeat the step in line 12; (21) Get the stable grouping G � U 1 , U 2 , let s � s + 1 and set G s � G; (22) Repeat the steps in lines 2-10; (24) e final group G f � G s , privacy cost ε cos t � sε. Computational Intelligence and Neuroscience 9 notations by using δ t i and L t to denote them, respectively, and in which the three items on the right side are mutually independently perturbed with Laplace mechanism. According to the definition of modularity, the estimated gain of Q after the optimal bipartition of user subset U can be calculated, i.e., Since each item of equation (13) is an unbiased estimation of its corresponding true value, it can be observed that if its numerator is larger than 0 by the value of its standard deviation, the optimal bipartition will cause positive gain in the total modularity with an adequate probability. us, considering that the Laplace noise of δ t i and L t is independent of that injected to δ 2 j and δ 1 k and by using equation (12), we attempt to derive the specific form of its variance as follows: Var Noticing that the variance of Laplace noise with privacy budget ε and sensitivity Δf is 2(Δf/ε) 2 , we can solve all the variance item in equation (14) and reach the final expression as Var After the server obtains the optimal bipartition of U and receives corresponding noisy degree vector from each user in U, also with their noisy total degrees as well as the total edges, we can simply calculate the estimation value of equation (13) numerator. If it is greater than the square root of the right side of equation (15), the modularity gain caused by U's division is considered positive, and the bipartition U 1 f , U 2 f will be accepted to replace U { } in the community division of the entire graph.

Proof of ε-LDP Guarantee.
is section will prove that the truncated Laplace mechanism proposed in Section 4.3 satisfies ε-LDP.
In the process of degree perturbation by users, it is assumed that the local relationship data of each user in two adjacent graphs (differed by any single edge) are D 1 and D 2 , which are either the same or different by one bit. e function f(D) is the degree query function. erefore, the local sensitivity is Δf � max According to the step of truncated interval selection, it is assumed that both f(D 1 ) and f(D 2 ) are in the interval [L, R]; thus, any result s ∈ R obtained by the perturbation also satisfies s ∈ [L, R]. e truncated Laplace mechanism is set to be M. According to Definition 1, it is necessary to prove that the following inequality is always valid: Without loss of generality, as shown in Figure 3, it is assumed that e following theorems are given and proved below. Proof. Replace the probability expression in equation (16) with equation (10). en, replace I L2 and I R2 with I L1 and I R1 , and use the triangle inequality, and we can obtain To prove that the left side is smaller than e ε , it is attempted to prove that the right side does not exceed e iε on i ∈ [0, 1].
us, taking i ∈ [0, 1] as the independent variable, let By careful observation, when By solving the inequality, the value range of σ is obtained, i.e., In order to ensure that F ′ (i) does not exceed R ′ (i) when i > 0, the secondary derivatives of these two functions are calculated as follows: According to equation (8) and equation (9), it can be known that I L1 + I R1 < 1 is always valid. erefore, when i > 0, we can infer that F ″ (i) < 0 and R ″ (i) ≥ 0, which means that F ′ (i) is monotonically decreasing and R ′ (i) is monotonically increasing. Because σ satisfies equation (19) to is always true for i ≥ 0. us, it can be inferred that F(i) ≤ R(i) always holds on i ∈ [0, 1], and accordingly, Similarly, the above deducing process can also be used to prove the validity of the left half of equation (16) under the following condition: erefore, if truncated Laplace mechanism is to strictly satisfy ε-LDP, σ must simultaneously satisfy Finally, extreme cases are used to find the strict lower bound of σ, which happens when ΔL 1 � 0 or ΔR 2 � 0, and accordingly, erefore, if σ satisfies equation (24), it must also satisfy equation (23). e conclusion is thus proved.
□ Computational Intelligence and Neuroscience

Experiments
In this section, the experiments are performed to evaluate our proposed method. (1) Facebook dataset [37]: this dataset contains 4039 Facebook users and 88234 relationship edges (undirected edges) formed among them. In addition, this dataset is one of the classic datasets employed for complex network community detection. (2) Facebook page network dataset about the government [38]: this dataset involves 7057 web pages about government information, and the edges between the web pages represent their mutual likes (undirected edges). After removing the self-loop edges in the original data, the total number of edges in the network is 89429.

Compared Methods.
In order to evaluate the performance of LDPCD, the proposed method is compared with the following two methods.
(1) LDPGen [19]: with this method, a synthetic private social graph under LDP protection is generated. Besides, the experiment in our paper still follows the parameter settings of LDPGen, in which two times of queries on user degree vectors and user clustering based on the k-means method in terms of degree vectors are implemented, and the total privacy budget is evenly distributed. en, based on the generated synthetic social graph, the Louvain community detection algorithm is finally adopted.
(2) LFGDPR [20]: using this method, a variety of statistical graph metrics, including clustering coefficient distribution and subgraph modularity, are estimated under LDP. In accordance with all its technical details, the experiment in our paper optimally allocates the total privacy budget and then perturbs the user's total degree and adjacency bit vector, respectively. Furthermore, according to the proposed Louvain community detection algorithm based on LFGDPR, the network community is divided.

Utility
Metrics. According to Section 3.4, the specific meanings of the three utility metrics, namely, modularity, ARI (adjusted random index), and AMI (adjusted mutual information), are elaborated. Modularity: the function of modu(C) is to calculate the total modularity of a community division result C based on the original real network. erefore, modu(C p ) is taken as the evaluation index for the quality of community detection results under privacy protection, with the value range of [− 1/2, 1].
ARI and AMI: given all users u 1 , . . . , u N and their two grouping conditions X � x 1 , . . . , x u and Y � y 1 , . . . , y v , n ij represents the number of users shared by group x i and group y j , that is, n ij � |X i ∩ Y j |, and 1 ≤ i ≤ u and 1 ≤ j ≤ v. In addition, let a i � j n ij and b j � i n ij , and define the index to measure the similarity between groupings X and Y as Among them, (a i + b j − N) + means max(1, a i + b j − N). Specifically, ARI represents the frequency of agreements between the two obtained groupings over all element pairs, and AMI quantitatively refers to the amount of information shared by the two groupings X and Y. In the case of the same grouping, AMI is usually higher than ARI, both with the value range of [0, 1]. Higher values of ARI and AMI mean that two groupings of the same user set are more similar. erefore, in the experiment, higher ARI(C p , C t ) or AMI(C p , C t ) indicates that the community detection result under LDP has higher accuracy.

Parameter Settings.
In this paper, the parameter settings of the LDP-based community detection algorithm are as follows.
As shown in Algorithm 2, each time the server queries user degree, the assigned privacy budget is equal, which is denoted as ε. Other than that, calculating the total modularity gain also requires to be allocated a certain privacy budget ε f so as to query the degree vector perturbed by Laplace mechanism under the final bipartition G f . us, we set the value range of ε f within 0.02 to 0.1, while in contrast, that of ε is from 0 to 0.05. If the total number of rounds for the division of user communities is r and the number of times that user i uploads data to the server in each round of bipartite division is listed as s i 1 , s i 2 , . . . , s i r , the total privacy cost is ε total � max (ε r n�1 s j n + rε f ). Besides, in the truncated Laplace mechanism, the length of truncated range l is one of the key parameters that needs to be explored. On the one hand, the degree distribution of complex social networks is usually expressed as power-law distribution [29], in which the total degree of most users is below the average. erefore, in this experiment, the maximum value of l for the Facebook dataset (average degree of 42) and the Government dataset (average degree of 25) are set to 30 and 20, respectively. On the other hand, excessively small l will cause the perturbed degree to be too close to the true one, which can lead to the privacy disclosure. Considering that, the minimum value of l is set to 5.
In terms of the total privacy budget/cost, considering when the value of it is greater than 2.5 in [20], the probability of each bit in the adjacency vector not to be flipped exceeds 90%, which will expose the privacy concerning most of the user's connected edges (for the Facebook dataset, the allocated privacy budget for perturbing user's bit vector is 2.225. Since the ratio of bit flipping probability to the unflipping probability is e − 2.225 according to the definition of LDP, we can easily understand that the perturbed bit remains unchanged with a probability of e 2.225 /(1 + e 2.225 ) � 0.902472 ). In this case, in order to ensure an appropriate protection strength of LDP, the total privacy budget in the contrast experiments is limited to 0.1-2.5.

Experimental
Setting. Based on the given total privacy budget ε total , LDPGen and LFGDPR are separately tested 100 times in our experiment. en, the average values of modularity, ARI and AMI, from all community detection results are taken as the final result. While for LDPCD, the average result of the three measurement metrics obtained by 100 times of experiments with their actual total privacy cost in the range of ε total ± 0.05 is considered as the final result of our method.

Experimental
Results. In this part of the paper, we will present detailed experimental results and corresponding analysis to demonstrate the feasibility of our proposed method. Firstly, some general but necessary data are enumerated, which give a brief outline of the comparison between the classical EO algorithm and LDPCD when they are separately employed in the datasets. en, deeper discussions about the influence of parameters and the contrast result of LDPCD with two state-of-the-art methods will be elaborated according to the figures.
For the Facebook (Government) dataset, although the average modularity of the community partition results by classical EO algorithm reaches up to 0.813 (0.682) (see Figure 4(b)), the total times of user migration and recalculation of degree vectors exceed 20000 (35000). In contrast, under different parameter settings of LDPCD, the average modularity is within the range of 0.51-0.79 (0.31-0.63), with the total times of degree queries from 25 to 50 (from 40 to 70). In terms of the community numbers, the EO algorithm finally outputs 15 (29) user subsets as the ground truth, while LDPCD partitions all users into 8-16 (15)(16)(17)(18)(19)(20)(21)(22)(23)(24)(25)(26)(27)(28)(29)(30)(31)(32) groups. From the abovementioned data, it can be obviously observed that our method simplifies the implementation of EO community divisive algorithm to a considerable extent and significantly reduce the communication cost of user-server interactions, which, in the same time, obtains utility-guaranteed results similar to the ground truth.

Questions about the Experiment.
In the following sections, the effectiveness of LDPCD is verified based on experimental results. Besides, through the results, the following two questions are answered: (1) EQ 1: how do the length of truncated range and the total privacy cost affect the accuracy of community detection of LDPCD separately? (2) EQ 2: what are the advantages of the proposed method LDPCD compared with the existing methods under privacy protection of the same strength?

Influence of Experimental Parameters on the Results.
From Figure 4, it can be seen that the length of the truncated output range has a more significant impact on the community division result than the total privacy cost. With the same privacy cost in the Facebook dataset (Government dataset), the average value concerning maximal changes of modularity, ARI, and AMI under the influence of l is 0.242, 0.322, and 0.367 (0.272, 0.173, and 0.253); while under the same output interval length, the average value of maximal changes in modularity, ARI, and AMI under the influence of total privacy cost ε total is Computational Intelligence and Neuroscience  Figures 4(a), 4(b), and 4(c), respectively. For these observed results, there are two main reasons. Firstly, with the introduction of the truncated Laplace mechanism, the variance of degree and the expected error of fitness λ are limited and closely related to l. Besides, the smaller the l, the smaller the perturbation noise of the degree vector and the total degree. If the true degree is large enough when compared with l, the deviation of fitness λ relative to its true value will be significantly reduced, and the probability of incorrect migration of the user during grouping adjustment will also decrease. As a result, the utility of community division will improve to a great extent with the decrease of l. Secondly, since multiple rounds of bipartition and several times of degree query in each round will consume privacy budget; even if the final total privacy cost experiences obvious increase, the privacy budget allocated for a single query remains relatively limited. us, the accuracy of the perturbation result by truncated Laplace mechanism is slightly enhanced (as shown in Table 2). In this case, the accuracy of community detection increases steadily with the rise of total privacy cost.
Moreover, by comparing the graphs in Figures 4(a), 4(b), and 4(c) separately, it can be seen that, under the same l and ε total , the community detection results of the Facebook dataset are more similar to their ground truth than the Government dataset. e main reason is that the average degree of users in the Facebook dataset is higher. With similar total number of edges, the user nodes in the Government dataset is 1.75 times that of the Facebook dataset and its network structure is sparser; thus, the nodes with small total degree account for a larger proportion in it (for example, the ratio of nodes with their degree below 5 and 10 in the Facebook/Government dataset are 0.113 and 0.238/ 0.232 and 0.398, respectively). erefore, under the same setting of l, more nodes in the Government dataset will be distributed in the output interval very close to [0, l]. Meanwhile, we note that the closer the output interval to [0, l] is, the greater the deviation of the noisy fitness λ from its true value will be, resulting in a larger probability of incorrect node migration during the grouping adjustment. In that case, under the same privacy parameter settings, the utility of the community division result of the Government dataset will decrease more than that of the Facebook dataset.

Comparison with the State-of-the-Art Methods.
In this section, the experimental results of our proposed method are compared with those of the classical methods, namely, LDPGen [19] and LFGDPR [20]. e contrast results are shown in Figure 5.
rough a comprehensive analysis in Figure 5, it can be found that the result of LDPCD under all settings of l is better than that of the LDPGen method under the same total privacy budget/cost. e similarity between LDPGen and our method is that both enquire the user degree vector in a certain grouping situation, and the processed relationship data are all coarse-grained statistics, thus inevitably leading to the loss of some local information in the original social graph. Whereas, the difference is that LDPGen clusters users from the perspective of the similarity of the degree vector instead of their contribution to the total modularity, and based on the final grouping, a synthetic social graph is generated by the Chung-Lu probability model for further analysis of community structure. However, the user clustering and graph generation methods result in low utility of the community division under LDP, for the Chung-Lu model randomly connects user node pairs in the same group or different groups, which weakens the distinctiveness of densely connected node clusters in the original network and destroys the community features.
is can be observed in Figures 5(b) and 5(c) that with the increase of the total privacy budget, even if the accuracy of the degree vector is gradually improved, the utility of the community detection result on the synthetic social graph is still in a low state and not significantly enhanced. In this case, it indicates that LDPGen cannot well balance the relationship between the strength of privacy protection and the accuracy of community mining results. In contrast, by using LDPCD, the user's contribution to the total modularity is calculated with the degree vector, and the community structure of the original network is gradually restored through multiple times of degree query and grouping adjustment. Otherwise, as mentioned in Section 5.2.2 that l plays a leading role in the experimental results, the utility of the community division obtained by LDPCD can maintain a relatively high level under different total privacy costs.
For LFGDPR, the perturbation object is the user's total degree and the most fine-grained adjacent bit. Since the processed data involve sensitive neighboring information, the privacy budget in the LFGDPR method should be adjusted to a small value to satisfy the requirement of sufficient privacy protection strength. As shown in Figures 5(a), 5(b), and 5(c), when the total privacy budget/cost of the Facebook dataset and the Government dataset is below 1.5 and 2.0, respectively, the accuracy of the community detection results given by LDPCD is higher than that of the LFGDPR method under all settings of l. Especially, when ε total is less than 1.0 and the privacy protection is strong enough, LDPCD has obvious advantages over LFGDPR. When ε total � 1, the worst ARI/AMI value of the community detection result of the Facebook (Government) dataset of our proposed method is 1.89/2.03 (14.00/11.97) times that of LFGDPR (see Figures 5(b) and 5(c)), which also reflects that the LFGDPR method with low privacy budget has unsatisfactory effect on community detection in sparser social networks. When the privacy budget/cost is higher (ε total > 2.0), the utility of the community detection result by LFGDPR is slightly better than that of some groups of experiments with larger l. However, we should note that when LFGDPR is adopted in the Facebook dataset (the Government dataset) with ε total � 2.0, the probability of a single bit remaining unflipped is 5.81 (5.26) times than that of being flipped, respectively. is means LFGDPR is more liable to expose privacy under such privacy parameter settings.
us, in contrast, LDPCD is superior to the LFGDPR method in terms of both the utility of the community detection results and the strength of privacy protection.   Furthermore, it should be emphasized that although the community detection accuracy of LDPCD improves slightly with the increase of the total privacy cost under a fixed truncated interval length l, in practical applications, appropriately increasing l can be considered when ε total is low while reducing l can be taken into account when ε total is high, so as to achieve a better tradeoff between the strength of privacy protection and the quality of community division results.

Conclusion
In this paper, LDPCD, a novel community detection method, is proposed based on the local differential privacy model. In the framework of LDPCD, the truncated Laplace mechanism with local differential privacy is employed to enhance the accuracy of user perturbation data. Other than that, by refining the community divisive algorithm based on extremal optimization, the number of interactions between users and the server is reduced, thus reducing the total privacy cost and ensuring strong privacy protection. Based on the above data perturbation and community detection algorithms, the community detection results with high utility are finally obtained. Furthermore, according to the experimental results on two realworld datasets, it can be concluded that LDPCD has the same or higher accuracy of community detection compared with the state-of-the-art methods under different settings of privacy protection parameters. In addition, LDPCD is featured with obvious superiority under strong privacy protection.

Data Availability
e experimental data used to support the findings of this study are available upon request to the author.

Conflicts of Interest
e author declares that there are no conflicts of interest regarding this work. Computational Intelligence and Neuroscience