Anonymization system, anonymization method, and program

The anonymization system addresses the need for improved transaction data anonymization by replacing user IDs with group IDs using k-anonymization or clustering, achieving efficient and cost-effective anonymization.

JP2026112459APending Publication Date: 2026-07-07CO CO LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
CO CO LTD
Filing Date
2024-12-25
Publication Date
2026-07-07

Smart Images

  • Figure 2026112459000001_ABST
    Figure 2026112459000001_ABST
Patent Text Reader

Abstract

To anonymize transaction data in a cost-effective and convenient manner. [Solution] The anonymization system has at least one control unit. The control unit acquires multiple transaction data. Transaction data is data that records each individual action. Transaction data includes user identification information related to the action. The control unit performs a grouping process on multiple master data. Master data is data that indicates the attributes of a user. Master data includes user identification information. Grouped master data includes group identification information. The control unit replaces the user identification information in the transaction data with the identification information of the corresponding group in the grouped master data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to an anonymization system, an anonymization method, and a program.

Background Art

[0002] Patent Document 1 discloses a purchase support system devised to promote purchases by linking both in-store book purchases and online purchases.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] There is room for improvement in the anonymization of transaction data.

Means for Solving the Problems

[0005] According to one aspect of the present invention, an anonymization system is provided. The anonymization system has at least one or more control units. The control unit acquires a plurality of transaction data. The transaction data is data that records each action. The transaction data includes identification information of the user related to the action. The control unit executes a grouping process on a plurality of master data. The master data is data indicating the attributes of the user. The master data includes identification information of the user. The grouped master data includes group identification information. The control unit replaces the identification information of the user in the transaction data with the corresponding group identification information of the grouped master data.

Brief Description of the Drawings

[0006] [Figure 1] Figure 1 shows an example of the system configuration of an information processing system. [Figure 2] Figure 2 shows an example of the hardware configuration of a server device. [Figure 3] Figure 3 shows an example of the hardware configuration of a client device. [Figure 4] Figure 4 is a flowchart illustrating an example of information processing related to the anonymization of transaction data performed by a server device. [Figure 5] Figure 5 shows an example of transaction data. [Figure 6] Figure 6 shows an example of master data. [Figure 7] Figure 7 shows an example of grouped master data. [Figure 8] Figure 8 shows an example of transaction data where the ID has been replaced with the group ID. [Figure 9] Figure 9 shows an example of the generated attribute data. [Figure 10] Figure 10 is a flowchart showing an example of information processing related to the anonymization of transaction data performed by the server device of Modification 2. [Modes for carrying out the invention]

[0007] Embodiments of the present invention will be described below with reference to the drawings. The various features shown in the embodiments below (including modified examples; the same applies hereinafter) can be combined with each other.

[0008] <Embodiment> 1. Information Processing System Figure 1 shows an example of the system configuration of the information processing system 1000. As shown in Figure 1, the information processing system 1000 includes a server device 100 and a client device 110 as its system configuration. The server device 100 is an example of a computer. The server device 100 and the client device 110 are connected to each other via a network 150. The network 150 includes a WAN (Wide Area Network), a LAN (Local Area Network), and the Internet, or any combination thereof. The network 150 is configured to allow communication between devices connected to the network 150 via wired and / or wireless connections. The information processing system 1000 is a system that provides so-called SaaS (Software as a Service) functionality.

[0009] The server device 100 performs the anonymization process for transaction data. Details of the server device 100's processing will be explained later using flowcharts such as those in Figures 4 and 10. The information processing system 1000 may include one server device or multiple server devices. If the information processing system 1000 includes multiple server devices, the functions of the server device 100 are provided as a so-called distributed system.

[0010] The client device 110 is a device operated by an operator and utilizes the functions provided by the server device 100. In Figure 1, a PC (Personal Computer) is shown as an example of the client device 110, but the client device 110 is not limited to a PC and may be a tablet terminal device or a smartphone, etc. Any device that can input operator information and display the results of processing in the server device 100 is acceptable. In Figure 1, only one client device 110 is shown as an example included in the information processing system 1000, but multiple client devices 110 may be included in the information processing system 1000.

[0011] Here, the anonymization system described in the claims may consist of multiple devices or of a single device. If the anonymization system described in the claims consists of a single device, an example of such device is, for example, a server device 100. If the anonymization system described in the claims consists of multiple devices, examples of multiple devices are, for example, a distributed system that provides the functions of the server device 100, or a server device 100 and a client device 110.

[0012] 2. Hardware Configuration Diagram (1) Hardware configuration of server device 100 Figure 2 shows an example of the hardware configuration of server device 100. As shown in Figure 2, the server device 100 includes, as a hardware configuration, a control unit 210, a storage unit 220, a communication unit 230, and an internal bus 240. The control unit 210, the storage unit 220, and the communication unit 230 are electrically connected via the internal bus 240.

[0013] The control unit 210 is a CPU (Central Processing Unit) or the like, and controls the entire server device 100.

[0014] The storage unit 220 is one of the following: HDD (Hard Disk Drive), ROM (Read Only Memory), RAM (Random Access Memory), SSD (Solid State Drive), or any combination thereof, and stores the program and data used by the control unit 210 when executing processing based on the program (for example, transaction data, master data, etc., as described later). The transaction data and master data may be generated by the server device 100 and stored in the storage unit 220, or they may be generated by another server device, etc., and received by the server device 100 and stored in the storage unit 220.

[0015] The storage unit 220 is an example of a storage medium. In the specification, it is described that the data used when the control unit 210 executes processing based on a program is stored in the storage unit 220, but it may be stored in the storage unit of another device that can communicate with the server device 100. That is, the data may be stored in the storage unit of any device as long as the control unit 210 can refer to and / or acquire it. By the control unit 210 executing processing based on the program stored in the storage unit 220, the functions of the server device 100 and the processing of the flowcharts shown in FIGS. 4 and 10 described later are realized.

[0016] The communication unit 230 connects the server device 100 to a network and controls communication with other devices (for example, other server devices and / or client devices 110, etc.).

[0017] The server device 100 may include a plurality of each hardware configuration shown in FIG. 1. For example, the server device 100 may have a plurality of control units. (2) Hardware Configuration of Client Device 110 FIG. 3 is a diagram showing an example of the hardware configuration of the client device 110. As shown in FIG. 3, the client device 110 includes, as a hardware configuration, a control unit 310, a storage unit 320, an input unit 330, an output unit 340, a communication unit 350, and an internal bus 360. The control unit 310, the storage unit 320, the input unit 330, the output unit 340, and the communication unit 350 are electrically connected via the internal bus 360.

[0018] The control unit 310 is a CPU or the like and controls the entire client device 110.

[0019] The storage unit 320 is any one of an HDD, a ROM, a RAM, an SSD, etc., or any combination thereof, and stores a program, data, etc. used when the control unit 310 executes processing based on the program. The storage unit 320 is an example of a storage medium.

[0020] In this specification, the data used by the control unit 310 when executing processing based on the program is described as being stored in the storage unit 320, but it may also be stored in the storage unit of another device that can communicate with the client device 110. The data may be stored in the storage unit of any device as long as the control unit 310 can access and / or retrieve it. The functions of the client device 110 are realized when the control unit 310 executes processing based on the program stored in the storage unit 320.

[0021] The input unit 330 is a device that inputs information to the client device 110 in response to the operator's actions. The input unit 330 receives operation inputs made by the user. The user is the operator who operates the client device 110. The operation input is transferred to the control unit 310 as a command signal via the internal bus 360. The control unit 310 can, if necessary, perform predetermined controls and / or calculations based on the transferred command signals. The input unit 330 may be included in the housing of the client device 110 or it may be externally mounted. For example, the input unit 330 may be implemented as a touch panel integrated with the output unit 340. When the input unit 330 is implemented as a touch panel, the user can input tap operations, swipe operations, etc. to the input unit 330. The input unit 330 may be a switch button, mouse, trackpad, keyboard, etc. instead of a touch panel.

[0022] The output unit 340 is, for example, a display unit, which outputs (displays) information as a screen of a graphical user interface (GUI) that can be operated by the user. The output unit 340 may be included in the housing of the client device 110 or it may be externally attached. More specifically, the output unit 340 may be implemented as a display device such as a liquid crystal display, an organic EL (Electron-Luminescence) display, or a plasma display. It is preferable that these display devices be used and implemented according to the type of client device 110.

[0023] The communications unit 350 connects the client device 110 to the network 150 and manages communication with other devices.

[0024] 3. Information Processing (1) Overview of the process The control unit 210 acquires multiple transaction data. Transaction data is data that records each individual action. An action can also be defined as a transaction or event that occurs in business operations. Transaction data includes user identification information related to the action. User identification information will also be simply referred to as ID below. The control unit 210 performs a grouping process on multiple master data. Master data is data that indicates the attributes of a user. Master data includes user identification information. Grouped master data includes group identification information. Group identification information will also be simply referred to as Group ID below. The control unit 210 replaces the user identification information in the transaction data with the identification information of the corresponding group in the grouped master data.

[0025] By performing this type of processing, transaction data can be anonymized easily and at a reduced cost.

[0026] (2) Details of the process Figure 4 is a flowchart illustrating an example of information processing related to the anonymization of transaction data performed by the server device 100. In step S410, the control unit 210 retrieves multiple transaction data from the storage unit 220.

[0027] Figure 5 shows an example of transaction data. Each record in transaction table 500 represents one transaction data. As shown in Figure 5, the transaction table 500 includes the following items: ID, purchase month, major category, medium category, minor category, detailed category, number purchased, quantity purchased, and purchase amount. The ID is the user's identification information. In the statement, the user is the person who purchased the goods related to the transaction data. The purchase month is the year and month in which the user purchased the goods. The major category is the largest category relating to the goods in the transaction data. Examples of major categories include food, fresh produce / prepared foods, eating out, etc. The medium category is a category that further subdivides the major category. Examples of medium categories include processed foods, beverages / alcoholic drinks, fresh seafood, cooked dishes, etc. The minor category is a category that further subdivides the medium category. Examples of minor categories include seasonings, alcoholic beverages, sashimi, rice bowls, etc. The detailed category is a category that further subdivides the minor category. Examples of detailed categories include soy sauce, beer, sugar, tuna, beef bowl, pork bowl, etc. The number purchased is the number of goods purchased by the user. The quantity purchased is the amount of goods purchased by the user. The purchase amount represents the range of prices that users paid for the products.

[0028] In step S420, the control unit 210 acquires multiple master data from the storage unit 220.

[0029] Figure 6 shows an example of master data. Each record in the master table 600 represents one piece of master data. As shown in Figure 6, the master table 600 includes the following items: ID, year of birth, gender, place of residence, annual income, savings, marital status, number of children, and number of cars owned. ID is the user's identification information. Year of birth is the year the user was born. Gender is the user's gender. Place of residence is the user's place of residence. Annual income is the user's annual income. Savings is the user's savings amount (in 10,000 yen). Marital status indicates whether the user is married or single. Number of children is the number of children the user has. Number of cars owned is the number of cars the user owns.

[0030] In step S430, the control unit 210 performs a grouping process on the multiple master data acquired in step S420. As one example, the control unit 210 performs grouping by applying a k-anonymization algorithm to multiple master data. More specifically, the control unit 210 may group the master data using Mondrian's algorithm, or it may use an algorithm called Scalable K Anonymity (SKA) using MapReduce, or it may use Incognito's algorithm.

[0031] As another example, the control unit 210 performs grouping by applying a clustering algorithm to multiple master data. More specifically, the control unit 210 may group the master data using the k-means algorithm, the k-means++ algorithm, the mini-batch k-means algorithm, the Constrained k-means algorithm, the Balanced k-means algorithm, the EM algorithm, the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm, or the OPTICS (Ordering Points To Identify the Clustering Structure) algorithm.

[0032] Figure 7 shows an example of grouped master data. Master table 700 has a group ID added compared to master table 600. The group ID is identification information that identifies the group. In the example in Figure 5, IDs A and E belong to the same group (group ID 1), and IDs B, C, and D belong to the same group (group ID 2).

[0033] In step S440, the control unit 210 replaces the transaction data ID with the corresponding group ID of the grouped master data.

[0034] Figure 8 shows an example of transaction data where IDs have been replaced with group IDs. In transaction table 800 in Figure 8, the IDs of the items have been replaced with group IDs compared to transaction table 500 in Figure 5. Transaction data like that shown in Figure 8 is also called k-anonymized transaction data.

[0035] In step S450, the control unit 210 outputs transaction data (k-anonymized transaction data) in which the ID is replaced with a group ID. For example, the control unit 210 may output the transaction data by sending the data shown in Figure 8 to the client device 110, or it may output the transaction data by storing it in a predetermined storage area. The process in step S450 is an example of a process that outputs transaction data in which the user's identification information has been replaced with the group's identification information. As another example, the control unit 210 may output k-anonymized transaction data along with master data that does not include IDs (k-anonymized master data), as shown in Figure 7.

[0036] According to the processing method of this embodiment, transaction data can be anonymized in a cost-effective and convenient manner.

[0037] (Variation 1) The following describes Modification 1 of Embodiment 1. Modification 1 is included in Embodiment 1 and is not a different embodiment from Embodiment 1. Configurations and processes not described in Modification 1 are the same as in Embodiment 1. The same applies to the other modifications shown below.

[0038] The control unit 210 of Modification 1 (hereinafter simply referred to as the control unit 210) generates one or more attributes based on multiple transaction data as shown in Figure 5. Figure 9 shows an example of generated attribute data. Each record in attribute table 900 is one attribute data. Attribute table 900 includes the following items: ID, whether the user eats out, frequently purchased subcategories, and purchase count. Whether the user eats out, frequently purchased subcategories, and purchase count are the generated attributes. ID is the user's identification information. Whether the user eats out indicates whether they eat out or not. 1 is stored if they eat out, and 0 if they do not. Frequently purchased subcategories are subcategories determined to be frequently purchased. For example, the control unit 210 determines that the subcategories of products the user purchased most frequently during a predetermined period are the frequently purchased subcategories for that user.

[0039] Note that the generated attributes are not limited to those shown in Figure 9. For example, examples of generated attributes include flag attributes, category attributes (statistical values), numerical attributes (statistical values), etc. The flag attribute assigns a value of 1 if a condition is met, and 0 otherwise. Examples include, in the case of purchase history, whether the user has a wide range of activity (whether the number of cities and towns visited exceeds 3 based on the regional information of the stores where purchases were made), and in the case of viewing history, whether the user is easily bored (whether the number of programs that have not been watched exceeds 50% of the total). Category attributes are assigned values ​​that meet specific criteria. For example, in purchase history, this might be the product category with the highest purchase frequency; in viewing history, it might be the day of the week with the longest viewing time. Numerical attributes provide statistical values ​​for items that meet certain criteria. Examples include the average total purchase amount per week in the case of purchase history, and the average total viewing time per week in the case of viewing history.

[0040] The control unit 210 adds one or more attributes, as shown in Figure 9, generated to the multiple master data shown in Figure 6, to create multiple new master data. The control unit 210 then performs a grouping process on the multiple new master data. By using a variety of attributes, it becomes possible to differentiate into more granular groups. Furthermore, because data can be observed from various angles, deeper level-level analysis becomes possible. When the control unit 210 outputs k-anonymized master data, it may output it without including the attributes generated from the transaction data, or it may output it with the attributes generated from the transaction data.

[0041] (Modification 2) Figure 10 is a flowchart showing an example of information processing related to the anonymization of transaction data performed by the server device 100 in Modification 2. Processes similar to those in Figure 4 are denoted by the same reference numerals and their explanations are omitted. In step S1010, the control unit 210 of the modified example 2 (hereinafter simply referred to as the control unit 210) determines whether or not master data exists. If the master data is not stored in a predetermined storage area such as the storage unit 220, the control unit 210 determines that master data does not exist and proceeds to step S1020 of the flowchart processing. If the master data is stored in a predetermined storage area such as the storage unit 220, the control unit 210 determines that master data exists and proceeds to step S420 of the flowchart processing.

[0042] In step S1020, the control unit 210 generates multiple attributes based on multiple transaction data as shown in Figure 5, and uses the ID and the generated multiple attributes as master data. For example, the control unit 210 uses data as shown in Figure 9 as master data. The process in step S1020 is an example of a process that generates multiple attributes based on multiple transaction data, and uses these multiple attributes and user identification information as master data. The control unit 210 generates multiple attributes based on multiple transaction data. Then, the control unit 210 generates master data consisting of the generated multiple attributes and an ID. In such cases, the control unit 210 may also perform a process to rewrite the attributes extracted from the transaction data to representative values ​​for the group.

[0043] According to the processing method of Modification 2, even if master data does not exist, master data can be generated from transaction data, the generated master data can be grouped, and transaction data can be anonymized in a cost-effective and convenient manner.

[0044] <Note> This embodiment includes the following disclosures.

[0045] (Note 1) It is an anonymization system, Having at least one control unit, The control unit, Retrieve multiple transaction data, The aforementioned transaction data is data that records each individual action, The transaction data includes user identification information related to the action, Perform a grouping process on multiple master data sets. The aforementioned master data is data that indicates the user's attributes. The aforementioned master data includes user identification information. The grouped master data includes group identification information. The user identification information of the transaction data is replaced with the identification information of the corresponding group in the grouped master data. An anonymization system.

[0046] (Note 2) The anonymization system described in Appendix 1, The control unit, Output the transaction data in which the user's identification information has been replaced with the group's identification information. An anonymization system.

[0047] (Note 3) The anonymization system described in Appendix 2, The control unit, Outputting the transaction data and anonymized master data obtained by removing the user identification information from the master data. An anonymization system.

[0048] (Note 4) An anonymization system described in any one of the appendices 1 to 3, The control unit, Based on the multiple transaction data, one or more attributes are generated, By adding one or more of the generated attributes to multiple master data sets, multiple new master data sets are created. Perform a grouping process on multiple of the aforementioned new master data. An anonymization system.

[0049] (Note 5) An anonymization system described in any one of the appendices 1 to 4, The control unit, Multiple attributes are generated based on the aforementioned transaction data, Multiple attributes and user identification information are used as the master data. An anonymization system.

[0050] (Note 6) An anonymization system described in any one of the appendices 1 to 5, The control unit, Grouping is performed by applying a k-anonymization algorithm to multiple master data sets. An anonymization system.

[0051] (Note 7) An anonymization system described in any one of the appendices 1 through 6, The control unit, Grouping is performed by applying a clustering algorithm to multiple master data sets. An anonymization system.

[0052] (Note 8) An anonymization method performed by an anonymization system, Retrieve multiple transaction data, The aforementioned transaction data is data that records each individual action, The transaction data includes user identification information related to the action, Perform a grouping process on multiple master data sets. The aforementioned master data is data that indicates the user's attributes. The aforementioned master data includes user identification information. The grouped master data includes group identification information. The user identification information of the transaction data is replaced with the identification information of the corresponding group in the grouped master data. Anonymization method.

[0053] (Note 9) It is a program, Computers, A program to function as an anonymization system as described in any one of the appendices 1 through 7.

[0054] Although embodiments have been described above, these are presented as examples and are not intended to limit the scope of the invention. Novel embodiments can be implemented in various other forms, and various omissions, substitutions, and modifications can be made without departing from the spirit of the invention. The embodiments are included in the scope and spirit of the invention, as well as in the claims of the invention and its equivalents. [Explanation of symbols]

[0055] 100: Server device 110: Client device 150: Network 210: Control Unit 220: Storage section 230: Communications Department 1000: Information Processing System

Claims

1. It is an anonymization system, Having at least one control unit, The control unit, Retrieve multiple transaction data, The aforementioned transaction data is data that records each individual action, The transaction data includes user identification information related to the action, Perform a grouping process on multiple master data sets. The aforementioned master data is data that indicates the user's attributes. The aforementioned master data includes user identification information. The grouped master data includes group identification information. The user identification information of the transaction data is replaced with the identification information of the corresponding group in the grouped master data. An anonymization system.

2. An anonymization system according to claim 1, The control unit, Output the transaction data in which the user's identification information has been replaced with the group's identification information. An anonymization system.

3. The anonymization system according to claim 2, The control unit, Outputting the transaction data and anonymized master data obtained by removing the user identification information from the master data. An anonymization system.

4. An anonymization system according to claim 1, The control unit, Based on the multiple transaction data, one or more attributes are generated, By adding one or more of the generated attributes to multiple master data sets, multiple new master data sets are created. Perform a grouping process on multiple of the aforementioned new master data. An anonymization system.

5. An anonymization system according to claim 1, The control unit, Multiple attributes are generated based on the aforementioned transaction data, Multiple attributes and user identification information are used as the master data. An anonymization system.

6. An anonymization system according to claim 1, The control unit, Grouping is performed by applying a k-anonymization algorithm to multiple master data sets. An anonymization system.

7. An anonymization system according to claim 1, The control unit, Grouping is performed by applying a clustering algorithm to multiple master data sets. An anonymization system.

8. An anonymization method performed by an anonymization system, Retrieve multiple transaction data, The aforementioned transaction data is data that records each individual action, The transaction data includes user identification information related to the action, Perform a grouping process on multiple master data sets. The aforementioned master data is data that indicates the user's attributes. The aforementioned master data includes user identification information. The grouped master data includes group identification information. The user identification information of the transaction data is replaced with the identification information of the corresponding group in the grouped master data. Anonymization method.

9. It is a program, Computers, A program for functioning as an anonymization system according to any one of claims 1 to 7.