Modern stream-based monitors collect detailed statistics of the runtime behavior of the system under observation. If the system runs in a privacy-sensitive context, this poses the risk of disclosing sensitive information. Differential privacy is the state-of-the-art approach for protecting sensitive information; however, integrating it into runtime monitoring is challenging: temporal operators can cause an individual input value to influence multiple outputs over time, leading to repeated disclosure of private information. We propose an approach that automatically enforces differential privacy in stream-based monitoring specifications by analyzing temporal dependencies and injecting carefully calibrated noise into the specification. To preserve the utility of the outputs, we identify strategically chosen positions in the specification for noise injection and leverage tree-based mechanisms to mitigate the accuracy loss caused by noise injected into aggregation operators. We demonstrate the practicality and effectiveness of our approach in a case study on monitoring public transportation usage.
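The abstract's two central points, that a temporal aggregation lets one input leak into many outputs and that a tree-based mechanism limits the resulting noise, can be seen on a running count. The following is an added illustration and not the paper's own code or specification language: it compares the naive per-output Laplace mechanism with the binary tree mechanism for releasing every prefix sum of a constructed boarding-count stream; `STREAM`, the function names and the per-step sensitivity of 1 are assumptions.

```python
import math
import random
from typing import Callable, Dict, List, Tuple

# Constructed sample input: per-time-step boarding counts from a hypothetical
# transit monitor; one rider changes at most one step by 1 (sensitivity 1).
STREAM = [1, 0, 1, 1, 0, 1, 1, 1]

def laplace_noise(scale: float) -> float:
    """Sample Laplace(0, scale) via the inverse CDF."""
    u = random.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def per_output_mechanism(stream: List[int], epsilon: float,
                         noise: Callable[[float], float] = laplace_noise) -> List[float]:
    """Naive: noise every released prefix sum. One input influences up to T
    outputs, so sequential composition forces Laplace(T / epsilon) per output."""
    T = len(stream)
    return [sum(stream[:t]) + noise(T / epsilon) for t in range(1, T + 1)]

def tree_levels(T: int) -> int:
    """Number of dyadic levels (widths 1, 2, 4, ...) needed to cover T steps."""
    return (T - 1).bit_length() + 1

def tree_mechanism(stream: List[int], epsilon: float,
                   noise: Callable[[float], float] = laplace_noise) -> List[float]:
    """Binary tree mechanism: noise each dyadic interval sum once, then answer
    every prefix sum from at most `levels` nodes. Each input sits in exactly
    `levels` nodes, so Laplace(levels / epsilon) per node gives epsilon-DP for
    the whole output sequence with error O(log^1.5 T) instead of O(T)."""
    T = len(stream)
    levels = tree_levels(T)
    scale = levels / epsilon
    noisy: Dict[Tuple[int, int], float] = {}          # (level, index) -> noisy sum
    for level in range(levels):
        width = 1 << level
        for idx in range(math.ceil(T / width)):
            noisy[(level, idx)] = sum(stream[idx * width:(idx + 1) * width]) + noise(scale)
    out = []
    for t in range(1, T + 1):                         # prefix sum over [0, t)
        total, pos = 0.0, 0
        for level in range(levels - 1, -1, -1):       # walk the set bits of t
            width = 1 << level
            if t & width:
                total += noisy[(level, pos // width)]
                pos += width
        out.append(total)
    return out

if __name__ == "__main__":
    random.seed(7)
    print("exact      :", [sum(STREAM[:t]) for t in range(1, len(STREAM) + 1)])
    print("per-output :", [round(v, 1) for v in per_output_mechanism(STREAM, 1.0)])
    print("tree       :", [round(v, 1) for v in tree_mechanism(STREAM, 1.0)])
```

With the noise function replaced by a zero function both mechanisms return the exact prefix sums; with real Laplace noise the tree variant uses scale 4 per node for T = 8 where the naive variant needs scale 8 per output.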