Heterogeneous Anonymization Methods

• Heterogeneous anonymization is a technique ensuring privacy by enforcing k-anonymity across datasets with mixed formats, including relational, textual, and graph data.
• Methodologies involve persistent homology, optimization, and adapted partitioning algorithms to form equivalence classes that balance utility and privacy.
• Key challenges include managing information loss, designing composite quasi-identifiers, and scaling algorithms for complex, multi-modal data environments.

Heterogeneous anonymization refers to methodologies designed to achieve privacy guarantees, such as $k$-anonymity, in data that is not homogeneously structured. This encompasses datasets where records mix numerical, categorical, and textual attributes—as well as complex networks, such as multi-layer or time-varying social graphs. Heterogeneous anonymization aims to prevent re-identification even when quasi-identifiers are distributed across diverse and interdependent data modalities. Recent research leverages algebraic topology, advanced combinatorial optimization, and adaptive partitioning algorithms to systematically anonymize such complex datasets while minimizing information loss (Speranzon et al., 2016, Rossi et al., 2015, Singhofer et al., 2021).

1. Formal Definition and Scope

A heterogeneous dataset typically includes attributes and structures of varying types:

• Relational components: e.g., numeric, ordinal, or nominal attributes.
• Unstructured or semi-structured components: e.g., free-text fields.
• Complex relational structures: e.g., temporal networks or multi-layer graphs.

The classical notion of $k$-anonymity requires that, for all quasi-identifier (QID) patterns, every combination observed in the released data appears in at least $k$ records. For heterogeneous data, the QID may be a composite involving multiple modalities (numerical vectors, categorical hierarchies, sets of textual tokens, temporal degree sequences). In this setting, the equivalence class for $k$-anonymity is defined as the set of records sharing identical values for all QIDs, including, for instance, both quasi-identifier tuples and non-redundant sets of sensitive textual terms (Singhofer et al., 2021). In time-varying graphs, $k$-anonymity demands that a node's degree vector is shared by at least $k-1$ other nodes (Rossi et al., 2015).

2. Methodologies for Heterogeneous Anonymization

2.1 Algebraic Topological Methods

Algebraic topology, and specifically persistent homology, enables anonymization by constructing a filtration of simplicial complexes representing QID similarity at varying generalization levels. Each database record is mapped to a vertex; higher-dimensional simplices represent sets of records within a specified proximity in the joint attribute space. For mixed-type data, the metric is replaced with a product of Euclidean balls (numerics) and generalization tree nodes (categorials). A one- or two-parameter filtration yields the "anonymity complex," and $k$-anonymity is achieved at parameter values where every connected component contains at least $k$ vertices and higher homology groups vanish. The weighted $H_0$-barcode encodes the full anonymization spectrum across all settings (Speranzon et al., 2016).

2.2 Optimization and Partitioning Approaches

Optimization-based strategies, like the assignment formulation for multi-layer graphs, generalize $k$-anonymity to domains where the notion of QID involves vectors (e.g., degree distributions over layers or time). The anonymization problem reduces to clustering node vectors in $l_1$-space with constraints on minimum cluster size ($\ge k$), followed by adjustment for realizability—ensuring that anonymized vectors correspond to valid underlying structures (e.g., graphical sequences) (Rossi et al., 2015).

Partitioning algorithms such as the modified Mondrian framework support weighted balancing between structured (relational) and unstructured (textual) attributes. A parameter $\lambda$ specifies the emphasis placed on relational versus textual splits. Partitioning proceeds by greedily isolating attributes (or terms) with maximal normalized spread, yielding equivalence classes supporting $k$-anonymity under the composite QID definition (Singhofer et al., 2021).

2.3 Textual and Semi-Structured Data Handling

Sensitive term extraction employs entity recognizers to label tokens in free-text attributes. Redundant information is eliminated by cross-referencing structured attributes with term entity types, ensuring only truly additional sensitive content is considered. Equivalence classes for anonymization must then achieve set-equality of both structured attributes and the curated set of sensitive terms; generalization or suppression applies if sensitive terms are not common to all records in a class (Singhofer et al., 2021).

3. Privacy Models and Analytic Guarantees

The primary privacy model is $k$-anonymity, extended so that combinations of relational QIDs and sensitive term sets (in heterogeneous tables) or temporal/multilayer degree vectors (in graphs) cannot be uniquely associated with fewer than $k$ individuals or entities. For algebraic topological approaches, $k$-anonymity is certified when the anonymity complex comprises only connected components of size $\ge k$ and has vanishing higher homology; this analytic condition is both necessary and sufficient. In optimization-based methodologies, assignment and realization steps explicitly maintain the $k$-anonymity guarantee under the new composite QID definitions (Speranzon et al., 2016, Singhofer et al., 2021, Rossi et al., 2015).

4. Algorithmic Frameworks and Complexity

4.1 Topological Persistent Homology Algorithms

The construction and filtration of nerve complexes are feasible for datasets up to several thousand records in moderate dimension, using Vietoris–Rips or full Čech approximations. Persistent homology computations (using packages such as Perseus or Dipha) output barcode diagrams; extracting weighted $H_0$-bars and verifying the absence of nontrivial $H_i$ for $i > 0$ identify valid $(k,\epsilon)$ anonymity regimes. The computational cost is dominated by simplicial enumeration and barcode calculation, scaling to $N \approx 10^4$ in practical scenarios (Speranzon et al., 2016).

4.2 Assignment and Linear Programming in Graphs

Heterogeneous graph anonymization employs a generalized assignment problem (GAP) to partition node degree vectors, solved by exact or greedy heuristics (the latter giving near-optimal costs at much lower runtimes for large $n$). Ensuing iterated linear programming adjusts group degree sequences to satisfy graphical (Erdős–Gallai) constraints. The problem benefits from totally unimodular formulations, yielding integral solutions without resort to ILP. Anonymization of $10^5$ nodes across tens of slices scales to hours; smaller datasets complete object anonymization in seconds to minutes (Rossi et al., 2015).

4.3 Parameterized Partitioning for Tabular+Textual Data

Modified Mondrian anonymization on heterogeneous records partitions on both structured and textual features, guided by a tunable $\lambda$ parameter. Information loss is quantified by a normalized certainty penalty (NCP), decomposed over structured and textual dimensions, with recoding/suppression minimizing loss for designated priorities. Partitioning counts and equivalence class sizes are controlled to support balanced data utility and privacy metrics (Singhofer et al., 2021).

Method	Data Type	Scalability
Persistent Homology	Mixed (tabular)	$N \approx 10^4$
GAP + LP (Graph)	Graph sequences	$n \approx 10^5$
Partitioning (rx-anon)	Tabular + text	$|D| \gg 10^5$

5. Utility and Information Loss Trade-offs

The introduction of generalization or suppression mechanisms directly impacts the data utility post-anonymization. In topological approaches, the choice of scale parameter $\epsilon$ modulates the size and granularity of anonymity clusters, balancing anonymity with data loss. Weighted barcode diagrams enable a precise visual assessment of regimes of optimal trade-off. In Mondrian-type partitioning, the trade-off can be parameterized by $\lambda$, with empirical results showing usable "trade-off curves" between structured and unstructured information loss. The normalized certainty penalty (NCP) aggregates per-attribute loss—in structured features via interval width or set size, and in text by suppression frequencies.

In graph scenarios, anonymization costs (normalized $l_1$-distance) decrease sharply when attributes across slices (time or layers) are strongly correlated, and PageRank preservation remains high with small $k$. Finer temporal resolution produces sparser, more naturally anonymous slices, shrinking the utility cost for stricter anonymity requirements (Rossi et al., 2015, Speranzon et al., 2016, Singhofer et al., 2021).

6. Extensions and Framework Adaptability

Heterogeneous anonymization frameworks are generally extensible to richer privacy models (e.g., $\ell$-diversity, $t$-closeness, differential privacy) and to alternative recoding or clustering schemes. Textual similarity measures, advanced entity extraction, and transformer-based NER can be applied to improve sensitive term handling; other approaches include global recoding via fixed hierarchies or bottom-up, clustering-based anonymization. The rx-anon framework explicitly exposes plug-in interfaces for data ingestion, term extraction and redundancy filtering, parameterized partitioning, recoding, and utility scoring, and supports alternative privacy models via modular extension (Singhofer et al., 2021). Open problems identified in the literature include node-specific $k$ (heterogeneous group privacy), improved heuristics for large-scale problems, and richer attacker models (Rossi et al., 2015, Singhofer et al., 2021).