Privacy-Preserving Bin-Packing With Differential Privacy

With the rise of e-commerce, package theft has reached a high level: it is reported that 1.7 million packages were stolen or lost every day in the U.S. in 2020, costing $25 million every day for the lost packages and the associated service. Information leakage during transportation is an important cause of theft, since thieves can identify which truck contains the valuable products. In this paper, we address the privacy and security issues in bin-packing, the algorithm used in delivery centers to decide which packages are loaded together onto a given truck. Data such as the weight of each package are needed when assigning items to trucks (the bins). However, this information is sensitive and can be used to identify the contents of a package. To provide security and privacy during bin-packing, we propose two privacy-preserving data publishing methods. Both use differential privacy (DP) to hide the existence of any specific package, so that it cannot be identified by malicious users. The first approach combines differential privacy with k-anonymity, and the second applies clustering before differential privacy. Our analyses and experimental results show that the proposed approaches offer better privacy guarantees, better efficiency and better packing performance than existing works that use either differential privacy or k-anonymity alone.


I. INTRODUCTION
Today, data plays an important role in modern society. Many services such as transportation, supply chain logistics and healthcare depend heavily on data. On the one hand, more data improves the quality of services and even enables personalized ones. On the other hand, the collected data pose a serious privacy threat, since they are mostly privacy-sensitive or commercially valuable [1]. Consider container management systems for the transportation of goods: in the largest ports around the world, thousands of containers per day are transported [2]. Trucks bring containers in and out, and while doing so it is commercially important to use the container space as fully as possible. To utilize the space efficiently, different companies share trucks to transport their products, and optimization algorithms have been proposed to arrange packages in containers [3], [4]. At the same time, the commercially sensitive package data must be protected, since malicious entities can obtain such data and steal specific products from the ports [5], [6]. In a survey of 2000 respondents who had shopped online in the previous 12 months [7], 43% had a package stolen in 2020, and 64% of those had more than one package stolen. Information leakage is also named as an important cause of truck theft: thieves know which truck contains the valuable products [5], and in some cases only the targeted products are stolen [8].
Several processes during the transportation of packages may leak information. In this paper, we address the privacy and security issues in bin-packing. Information about the packages is needed when assigning items to bins. However, this information is sensitive and can be used to identify the contents of a package: since a given product model always has the same weight and volume, thieves can infer from a specific weight and volume that a package contains, for example, an iPhone or a MacBook.
To protect data privacy while still using an optimization algorithm for better container management, the authors of [9] proposed a method to solve the bin-packing problem under privacy preservation. In that work, k-anonymity, a well-known data anonymization technique [10], is used to publish anonymous container data. The authors use two k-anonymization algorithms, k-Optimize [11] and Flash [12], to publish the data in a privacy-preserving manner. For every record in the dataset there are at least k − 1 other records with the same (generalized) values, so that the record is indistinguishable from them. The authors use stochastic programming and robust optimization to handle the uncertainty that the k-anonymous published data introduce into the optimizer, and they clearly point out the trade-off between privacy guarantees and accuracy. However, the anonymization takes minutes to hours for 25 or 50 items, which is inefficient. Moreover, k-anonymity is vulnerable to the homogeneity attack: if all k tuples sharing the same quasi-identifiers also share the same value of the sensitive attribute, the attacker learns that value. It is also vulnerable to the background knowledge attack, in which the attacker combines the published data with side information. For example, there may be k identical packages, but if the attacker knows the destination of the targeted package and only one of the k packages is heading there, the target is identified [13].
Besides approaches based on k-anonymity, there are privacy-preserving optimization methods such as [14]–[16], in which only the optimization process itself is privacy-preserving. In these works the optimizer knows the original information about packages and containers, which is a privacy risk: a malicious optimizer can misuse the data or leak them to other malicious users.
In this paper, we address the bin-packing problem as in [9]. We assume that the data are first anonymized and then fed to the optimizer, as also suggested in [9]. However, unlike that work, which relies on k-anonymity, we focus on differential privacy (DP) [17], [18] for two reasons: 1) to provide better privacy protection and 2) to achieve better run-time efficiency, so that our proposals are feasible in practice. We propose two algorithms based on DP:
• Differential privacy with k-anonymity: we first generate a lattice containing all possible generalizations of the input dataset under a given hierarchy, and then use the exponential mechanism [19] to output one generalization according to its utility. This method adds noise to the mapping function, which involves sampling, suppression and the selection of a generalization. It can reach a low value of ε for differential privacy and shows low uncertainty thanks to the preset generalization hierarchy. However, because of sampling and suppression only a proportion of the data is processed.
• Differential privacy with clustering: we first cluster the data by number of occurrences, and then add Laplace noise [18] within each cluster. This method adds noise directly to the data, which gives a shorter run-time but introduces more noise and therefore affects packing performance.
Our security analysis and experimental results show that the proposed methods provide better privacy and security guarantees than the previous work, measured by the probability of identifying the targeted package. The experiments show that the run-time of the proposed methods is very low (0.1 seconds for 50 packages), whereas the previous work [9] needs several minutes or hours for anonymization. The proposed methods also achieve packing performance comparable to [9].
The rest of the paper is organized as follows. Section II explains the preliminaries, including differential privacy and k-anonymity. Section III presents related work on existing privacy-preserving data publishing and optimization methods. Section IV introduces our two differential privacy-based data publishing methods, followed by the security analysis in Section V and the experimental results and analysis in Section VI. Finally, Section VII gives the conclusion and discussion.

II. PRELIMINARIES
A. DIFFERENTIAL PRIVACY
Two datasets D and D′ are neighbouring datasets if they differ in at most one row. An algorithm A satisfies ε-differential privacy (ε-DP) if and only if, for all neighbouring datasets D, D′ and any set O ⊆ range(A) [17], [18]: (1) However, this guarantee is so strong that it is hard to achieve and excessive in many situations [20]. To make it more practical, a parameter δ serves as a small error factor: A satisfies (ε, δ)-differential privacy if the bound in (1) holds up to an additive term δ. Based on these definitions, the Laplace mechanism and the exponential mechanism are two widely used mechanisms that satisfy differential privacy.

1) THE LAPLACE MECHANISM
The Laplace mechanism is the most general mechanism for differential privacy; it adds Laplace noise to the query result [18]. The noise is drawn from the Laplace distribution centred at zero with scale parameter b, and we write Lap(b) for the density Lap(x | μ = 0, b). For a query f : D^N → R^k, the randomized algorithm A that adds noise y_i to dimension i of f(D) satisfies ε-differential privacy for ε > 0, where k is the dimension of the output and each y_i is drawn from Lap(Δf/ε), as in (4). Here Δf is the l1-sensitivity of the query f : D^N → R^k, defined in (5) as the maximum l1-distance between f(D) and f(D′) over all neighbouring datasets D, D′.

2) THE EXPONENTIAL MECHANISM
The exponential mechanism [19] is a technique for designing differentially private algorithms. A utility function u : D^N × R → R assesses the utility of each element r ∈ R, where D^N is the domain of datasets and R is the output range. A measure μ is then used to assign larger probability to elements with larger utility.
Given the utility function u, its sensitivity Δu is calculated as in (6), and the output probability of the exponential mechanism is defined in (7); the mechanism satisfies ε-DP (where ε = 2ε₁Δu).
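The two mechanisms above, as an added example that is not part of the paper: the Laplace mechanism on a counting query (l1-sensitivity 1) and the exponential mechanism over a small set of candidate outputs, together with a check that the realised privacy loss on two neighbouring datasets stays within ε. The package weights, the threshold candidates and ε = 0.5 are constructed for the example; only the Python standard library is used.

```python
"""Added example (not from the paper): the Laplace mechanism and the
exponential mechanism of Section II-A, using only the standard library.
The sample weights and the threshold candidates below are constructed."""
import math
import random
from typing import Callable, Sequence


def laplace_sample(rng: random.Random, scale: float) -> float:
    """Draw Y ~ Lap(b): density (1/2b) exp(-|y|/b), via the inverse CDF."""
    u = rng.random() - 0.5
    while abs(u) >= 0.5:            # guard the log(0) corner of the inverse CDF
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(rng: random.Random, answer: Sequence[float],
                      delta_f: float, eps: float) -> list[float]:
    """Release f(D) + (Y_1, ..., Y_k) with Y_i ~ Lap(Δf/ε), which is ε-DP
    when Δf is the l1-sensitivity of f (equation (4) of the paper)."""
    if eps <= 0 or delta_f <= 0:
        raise ValueError("ε and Δf must be positive")
    return [y + laplace_sample(rng, delta_f / eps) for y in answer]


def exponential_probs(utilities: Sequence[float], eps: float,
                      delta_u: float) -> list[float]:
    """Pr[output r] ∝ exp(ε·u(D, r) / (2Δu)); this selection rule is ε-DP.
    The maximum utility is subtracted first so exp() cannot overflow."""
    if eps <= 0 or delta_u <= 0:
        raise ValueError("ε and Δu must be positive")
    top = max(utilities)
    weights = [math.exp(eps * (u - top) / (2.0 * delta_u)) for u in utilities]
    total = sum(weights)
    return [w / total for w in weights]


def exponential_mechanism(rng: random.Random, candidates: Sequence,
                          utility: Callable, eps: float, delta_u: float):
    probs = exponential_probs([utility(r) for r in candidates], eps, delta_u)
    return rng.choices(list(candidates), weights=probs, k=1)[0]


def privacy_loss(probs_d: Sequence[float], probs_d1: Sequence[float]) -> float:
    """Largest |ln(Pr[r|D] / Pr[r|D'])| over outputs r: the realised privacy
    loss, which must not exceed ε for neighbouring D, D'."""
    return max(abs(math.log(p / q)) for p, q in zip(probs_d, probs_d1))


def laplace_stats(seed: int, n: int, scale: float) -> tuple[float, float]:
    """Sample mean and mean |Y| of n draws from Lap(scale); the expected
    values are 0 and scale, a quick sanity check of the sampler."""
    rng = random.Random(seed)
    draws = [laplace_sample(rng, scale) for _ in range(n)]
    return sum(draws) / n, sum(abs(d) for d in draws) / n


# Constructed data: package weights (kg) and a neighbour with one row removed.
WEIGHTS = [12.0, 14.0, 16.0, 18.0, 9.0, 25.0, 12.0, 30.0]
NEIGHBOUR = WEIGHTS[:-1]
THRESHOLDS = [5.0, 10.0, 15.0, 20.0, 25.0]
EPS = 0.5


def heavy_count(data: Sequence[float], threshold: float) -> float:
    """Counting query: how many packages weigh at least `threshold`.
    Adding or removing one package changes it by at most 1, so Δ = 1."""
    return float(sum(1 for w in data if w >= threshold))


def threshold_probs(data: Sequence[float]) -> list[float]:
    """Exponential-mechanism distribution over THRESHOLDS for `data`,
    using the count of heavy packages as the utility (Δu = 1)."""
    return exponential_probs([heavy_count(data, t) for t in THRESHOLDS], EPS, 1.0)


def noisy_heavy_count(seed: int = 1) -> float:
    rng = random.Random(seed)
    return laplace_mechanism(rng, [heavy_count(WEIGHTS, 15.0)], 1.0, EPS)[0]


if __name__ == "__main__":
    rng = random.Random(7)
    print("noisy count of packages >= 15 kg:", noisy_heavy_count())
    print("chosen threshold:", exponential_mechanism(
        rng, THRESHOLDS, lambda t: heavy_count(WEIGHTS, t), EPS, 1.0))
    print("privacy loss on neighbours:",
          privacy_loss(threshold_probs(WEIGHTS), threshold_probs(NEIGHBOUR)), "<=", EPS)
```

The privacy-loss check is the practitioner's sanity test for any such mechanism: compute the output distribution on D and on a neighbour D′ and confirm that no output's probability ratio exceeds e^ε. For the exponential mechanism with the 2Δu in the exponent the loss is in fact bounded by ε, and for a monotone utility such as a count it is bounded by ε/2.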

B. BIN-PACKING PROBLEM
The bin-packing problem is an NP-hard optimization problem [21]. A real-world instance is loading packages into a minimum number of containers without overloading or oversizing any container. The problem can be considered in different dimensions, weight and volume (height, width and length), so it can be 1-D (weight or volume), 2-D (weight and volume) or 4-D (weight, height, width and length).
In this paper, we formulate the bin-packing problem as proposed in [22]. Consider the 1-D bin-packing problem: n items (packages) must be loaded into the minimum number of bins (containers). Let w_j be the weight of item j ∈ N, where N = {0, 1, 2, ..., n}, and let all bins have capacity c. We define the decision variables y_i (bin i is used) and x_{i,j} (item j is loaded into bin i) as in (8) and (9). Given y_i and x_{i,j}, the formulation of the 1-D bin-packing problem is (10), in which the objective is to minimize the number of bins, and the two constraints ensure that no bin is overloaded and that each item is loaded into exactly one bin.

C. THE FRAMEWORK FOR BIN-PACKING
Fig. 1 shows the framework used in this paper. It was proposed in [9] and consists of two modules: the data publishing module and the optimizer module. In the data publishing module, we apply anonymization to the private dataset and publish the differentially private (DP) dataset. The optimizer module then takes the published data and solves the bin-packing problem on the anonymous data. The whole framework is privacy-preserving because the optimization only ever sees anonymous data.

III. RELATED WORK
Data anonymization is a technique for achieving privacy protection in data mining: the idea is to analyze data without revealing users' sensitive information [23]. Among many approaches, data perturbation methods [24], [25] have attracted significant attention in recent years. With data perturbation, a certain amount of noise is added to the raw dataset. The noise decreases the utility of the dataset while preserving users' privacy by adding uncertainty. Two widely used methods are k-anonymity [10] and differential privacy [17], [18], which are based on data generalization and on adding random noise, respectively.
The concept of k-anonymity was introduced by Samarati and Sweeney in 1998 [10]. A dataset is k-anonymous if, for each individual in the dataset, there are at least k − 1 other individuals that share the same quasi-identifier values. There are a variety of k-anonymization algorithms. For example, Datafly [26] is a heuristic algorithm that generalizes the quasi-identifier with the most distinct values. Mondrian [27], proposed by LeFevre et al., uses a kd-tree to split the dataset and reconstructs it from equivalence classes of size at least k. El Emam et al. [28] proposed OLA, which achieves k-anonymity using a pre-defined generalization hierarchy with generalization rules for each attribute.
In 2019, Hoogervorst et al. [9] applied k-anonymity to the bin-packing problem to publish the weights of packages. The authors used full-domain generalization and partition-based single-dimensional recoding to generalize the data, and evaluated two k-anonymization algorithms, k-Optimize [11] and Flash [12]. However, k-anonymity is vulnerable to the homogeneity attack and the background knowledge attack [13]. k-anonymity also introduces uncertainty into the optimization, so the authors applied stochastic programming and robust optimization to improve the performance of bin-packing. As far as we know, this is the only work that anonymizes the input data of bin-packing instead of proposing a privacy-preserving optimizer.
Unlike k-anonymity, differential privacy aims to hide the existence of any single row of the dataset. It can be applied either by adding noise to the output of a query (such as the optimization in [14]) or by adding noise to the dataset itself [24], [29]–[32]. The works [31] and [32] consider trajectory data release under differential privacy. Hyukki Lee and Yon Dohn Chung [24] released medical micro-data in a differentially private way, applying generalization, suppression and insertion to perturb the data and using the exponential mechanism to maximize the utility of the output dataset. CASTLEGUARD [30] applies the Laplace mechanism to numerical data to obtain a differentially private dataset, but the output is noisy and sparse for low values of ε. Holohan et al. [29] applied k-anonymity to some attributes and differential privacy to the rest; like CASTLEGUARD they apply the Laplace mechanism to the numerical data, and in addition they give a confidence interval for the perturbation. We use this interval technique in Section IV-B.
Overall, the literature offers two main techniques for data anonymization: k-anonymity and differential privacy. k-anonymity-based approaches are vulnerable to background knowledge attacks and need a long run time (several minutes or hours) to find the optimal generalization. Existing differential privacy-based methods introduce large amounts of noise into the dataset, which degrades bin-packing performance. To achieve better efficiency, better privacy guarantees (compared to k-anonymity solutions) and better bin-packing performance (compared to existing differential privacy solutions), we propose two approaches: (1) combining k-anonymity with differential privacy and (2) applying clustering before differential privacy.

IV. DATA ANONYMIZATION USING DIFFERENTIAL PRIVACY
In this section, we present two data anonymization methods based on differential privacy, with different approaches and strengths. The first combines differential privacy and k-anonymity using a preset generalization hierarchy and differentially private node selection; it gives a stronger privacy guarantee but lower efficiency. The second adds Laplace noise to the data in each cluster; it is more efficient, since every item is processed every time, but gives a weaker privacy guarantee.

A. DIFFERENTIAL PRIVACY WITH K-ANONYMITY
This subsection presents a data anonymization method that combines differential privacy with k-anonymity. We first generalize the data using full-domain generalization and construct a differentially private mapping function based on the k-anonymization algorithm OLA [28]. We then show that the resulting k-anonymization method satisfies differential privacy.

1) FULL-DOMAIN GENERALIZATION
Full-domain generalization [33] is a widely used recoding method [10]. For each quasi-identifier attribute Q_i, a generalization function φ_i : D_{Q_i} → D_{G_i} is defined. For each value q ∈ D_{Q_i}, φ_i maps it to some g ∈ D_{G_i} with g ∈ γ⁺(q) (meaning that g is a generalization of q) or g = q. In a full-domain generalization, every value q of every attribute Q_i is replaced by φ_i(q). Fig. 2 gives an example of the possible generalizations of the four values {12, 14, 16, 18}: the value 12 can be generalized to "11-13", "11-15" or "11-19", or remain "12". Generalization adds uncertainty to the data, which decreases utility but better protects privacy. The generalization is independent of the data distribution; it is determined by the attribute. Different inputs may share the same generalized value, e.g. both "12" and "14" may be output as "11-15". Full-domain generalization is used for k-anonymity because it trades utility (more generalization) for k-anonymity. However, generalization can only be used for the 1-D bin-packing problem, since a 2-D tuple cannot be generalized in the same way. In this paper, we combine OLA and differential privacy to obtain a solution.

2) LATTICE-BASED STRUCTURE
First, we define levels that express how far an attribute is generalized. As shown in Fig. 2, level zero means that no generalization is applied, and level three means that the data are fully generalized. Based on these levels, we use a lattice structure to decide how much generalization to apply in the full-domain generalization. The structure was proposed for the k-anonymization algorithm OLA [28]. Fig. 3 gives an example with a single attribute, in which ⟨0⟩, ⟨1⟩, ⟨2⟩ are the nodes of the lattice.
Fig. 4 extends the lattice to two attributes. Each node denotes one combination of generalization levels, one per attribute. The lattice grows with a deeper generalization hierarchy or with more attributes.

3) APPLICATION OF DIFFERENTIAL PRIVACY
Li et al. [20] introduce differential privacy under sampling, (β, ε, δ)-DPS, where β is the sampling factor, ε is the privacy budget and δ is the small error factor of differential privacy. Sampling means that every record of the original dataset is kept only with probability β and is otherwise removed. For an algorithm A, let A_β denote A applied to the dataset sampled with probability β; if A_β is ε-DP, then A satisfies (β, ε, δ)-DPS, and a smaller β yields a smaller ε. The same paper also proves that if the mapping function A_m of a k-anonymization algorithm satisfies ε₁-DP, the k-anonymization algorithm satisfies (β, ε, δ)-DPS, with ε and δ related to β and ε₁ as in (13), in which f(j; n, β) denotes the probability of j successes in n trials when the probability of success in each trial is β.

Algorithm 1: Differential privacy with k-anonymity
1: Sample each record of the input dataset D with probability β
2: Generate the lattice from the generalization hierarchies
3: Compute the utility u(D, n) of every node n in the lattice using (15)
4: Compute the probability of every node being selected as the output (using the exponential mechanism with ε₁)
5: Randomly pick a node n_i according to those probabilities
6: Generalize the dataset into D_out according to n_i
7: Suppress the records that do not satisfy k-anonymity
8: return D_out
Note: the sensitivity Δu can be computed in advance, and the algorithm satisfies 2ε₁Δu-DP.

Based on the definition of an ε-DP k-anonymization algorithm, we present Algorithm 1. We first apply sampling, so that every record is selected from the original dataset with probability β. In the second step, we generate the lattice from the generalization hierarchies. In step 3, we calculate the utility of each node with the utility function (15), which accounts for both privacy and information loss: intuitively we want the node with a higher privacy guarantee and lower information loss. For the privacy part sup(D, n), we consider k-anonymity in terms of the proportion of the data that must be suppressed; for the information loss part gen(D, n), we consider how many levels have been generalized. The utility (15) is defined in terms of sup(D, n), given in (16), and gen(D, n), given in (17). Equation (15) expresses the trade-off between information loss (gen(D, n)) and the privacy concern (sup(D, n)); ideally, the output node has the highest utility. In (16), we use the proportion of the dataset that remains after suppression, so that a higher value of sup(D, n) represents a better privacy guarantee. In (17), N_A is the number of attributes, n_{A_i} is the generalization level of attribute A_i, and |FDG_{A_i}| is its fully generalized level.
Based on the utility function and (7), we calculate the output probability of the exponential mechanism in step 4 of Algorithm 1 as shown in (18); a node is then selected according to these probabilities.
Equation (18) satisfies ε-differential privacy (where ε = 2ε₁Δu), and the sensitivity Δu of the utility function is given in (19). The sensitivity is the maximum change of the utility function when only one row of the dataset is changed; for the utility function (15) it is given in (20). With these equations, the mapping function satisfies ε₁-DP through the exponential mechanism, so Algorithm 1 satisfies (β, ε, δ)-DPS as in (13).
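Algorithm 1 end to end, together with the full-domain generalization of Fig. 2 and the lattice of Figs. 3 and 4, as an added example that is not the authors' code. Because equations (15)–(20) are not reproduced on this page, the example makes its own assumptions and labels them: the hierarchy for a single weight attribute mirrors Fig. 2 (level 0 is the exact value; levels 1 to 3 are intervals of width 3, 5 and 9 aligned at 11, so 12 becomes "11-13", "11-15" and "11-19"); the utility is u(D, n) = sup(D, n) − gen(D, n) with sup the remaining proportion after suppression and gen the mean generalization depth over attributes; and Δu is bounded by 1, because gen(D, n) does not depend on the data and sup(D, n) lies in [0, 1]. The lattice is built for any number of attributes, the general case of which Fig. 3 shows one attribute. The package weights are constructed.

```python
"""Added example (not the authors' code): Algorithm 1, differential privacy
with k-anonymity, for numeric attributes such as package weight.
Assumptions (equations (15)-(20) are not on the page): hierarchy as in
Fig. 2, utility u = sup(D,n) - gen(D,n) with both terms in [0, 1], and a
conservative sensitivity bound Δu = 1. The package weights are constructed."""
import itertools
import math
import random
from typing import Sequence

# One hierarchy per attribute: level l generalizes a value to the interval of
# width WIDTHS[l] containing it, with intervals aligned at ORIGIN (Fig. 2).
Hierarchy = tuple[int, tuple[int, ...]]           # (origin, widths per level)
WEIGHT_HIERARCHY: Hierarchy = (11, (1, 3, 5, 9))   # level 0 = no generalization


def generalize(value: int, hier: Hierarchy, level: int) -> tuple[int, int]:
    """Full-domain generalization φ(value) at `level`: returns [lo, hi]."""
    origin, widths = hier
    if level == 0:
        return (value, value)
    w = widths[level]
    lo = origin + ((value - origin) // w) * w
    return (lo, lo + w - 1)


def generalize_dataset(records, hiers, node):
    """Apply a lattice node (one level per attribute) to every record."""
    return [tuple(generalize(v, h, l) for v, h, l in zip(rec, hiers, node))
            for rec in records]


def equivalence_classes(generalized) -> dict:
    classes: dict = {}
    for g in generalized:
        classes[g] = classes.get(g, 0) + 1
    return classes


def suppress(generalized, k: int):
    """Keep only records whose equivalence class has at least k members."""
    counts = equivalence_classes(generalized)
    return [g for g in generalized if counts[g] >= k]


def utility(records, hiers, node, k: int) -> float:
    """u(D, n) = sup(D, n) - gen(D, n): remaining proportion after suppression
    minus the mean generalization depth over attributes (assumed form)."""
    if not records:
        return 0.0
    sup = len(suppress(generalize_dataset(records, hiers, node), k)) / len(records)
    gen = sum(l / (len(h[1]) - 1) for h, l in zip(hiers, node)) / len(hiers)
    return sup - gen


def lattice(hiers):
    """Every combination of levels, e.g. <0>,<1>,<2>,<3> for one attribute."""
    return list(itertools.product(*[range(len(h[1])) for h in hiers]))


def node_probabilities(records, hiers, k: int, eps1: float, delta_u: float = 1.0):
    """Step 4: exponential mechanism over the lattice with budget ε₁."""
    nodes = lattice(hiers)
    utils = [utility(records, hiers, n, k) for n in nodes]
    top = max(utils)
    w = [math.exp(eps1 * (u - top) / (2 * delta_u)) for u in utils]
    total = sum(w)
    return nodes, [x / total for x in w]


def dp_k_anonymize(rng: random.Random, records, hiers, k: int, beta: float, eps1: float):
    """Algorithm 1: β-sample, pick a node with the exponential mechanism,
    generalize, suppress. Returns (published records, chosen node)."""
    sample = [r for r in records if rng.random() < beta]        # step 1
    nodes, probs = node_probabilities(sample, hiers, k, eps1)    # steps 2-4
    node = rng.choices(nodes, weights=probs, k=1)[0]             # step 5
    generalized = generalize_dataset(sample, hiers, node)        # step 6
    return suppress(generalized, k), node                        # step 7


def is_k_anonymous(published, k: int) -> bool:
    return all(c >= k for c in equivalence_classes(published).values())


# Constructed package weights (kg), one attribute per record.
WEIGHTS = [(12,), (12,), (14,), (16,), (18,), (18,), (13,), (19,), (15,), (17,)]


def run_demo(seed: int = 3, k: int = 2, beta: float = 0.8, eps1: float = 1.0):
    return dp_k_anonymize(random.Random(seed), WEIGHTS, (WEIGHT_HIERARCHY,), k, beta, eps1)


if __name__ == "__main__":
    out, node = run_demo()
    print("node", node, "published", out, "k-anonymous:", is_k_anonymous(out, 2))
```

Two properties are worth checking on every run: the output is k-anonymous regardless of which node the mechanism picked (suppression guarantees it), and the number of published records is at most the number of input records (sampling and suppression only ever drop rows). Setting Δu to the conservative bound 1 instead of the tighter (20) costs utility, not privacy: the mechanism is still ε₁-DP, only flatter.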

4) DISCUSSIONS
The proposed method can be extended to other data anonymization tasks with both categorical and numerical data, and it can be applied to datasets of different dimensions. It can therefore serve as a general scheme, but in this paper we only consider the bin-packing use case.
The complexity of the approach depends on the number of attributes and records in the dataset. As the number of attributes grows, the lattice grows exponentially, resulting in a long run time.

B. DIFFERENTIAL PRIVACY WITH CLUSTERING
This subsection shows another anonymization method in which we adopt clustering before applying the Laplace mechanism, as shown in Algorithm 2.
Section III shows that noise can be added directly to the raw dataset to satisfy differential privacy, as done in [29] and [30]. In the bin-packing problem all attributes are numerical, so we add Laplace noise to the value v_i of each attribute, obtaining v′_i, with the noise scale determined by the sensitivity and ε as in (21). Here the sensitivity is defined as the difference between the largest and the smallest possible weight: if a weight is anonymous within this range, it is anonymous among all the packages. With the Laplace noise added, the output v′_i satisfies ε-DP. However, customers may not want the published values of their products altered. For example, a package of 10 kg and 1 m³ might be published as 12 kg and 0.8 m³, yet express and logistics prices are based on weight and volume, so a differentially private value that is far from the accurate one causes problems. For this reason the published dataset is used only to optimize the bin-packing problem, e.g. to load packages into a minimum number of containers. We also introduce a confidence c ∈ [0, 1]: Holohan et al. [29] give in (22) the probability that the accurate value lies within a given distance of the noisy value, so we can publish an interval instead of a single value and use c to control the probability that the accurate value lies inside the interval.
Equation (21) shows that the noise is driven by outliers, such as extremely large or heavy packages. To reduce their influence, we apply clustering before differential privacy.
The clustering is based on the proportion of occurrences. For example, we can divide the input dataset into five parts holding 5%, 30%, 30%, 30% and 5% of the records. Clustering eases the outlier problem, but differential privacy is then only satisfied within each cluster: most records are anonymous among the 30% of records that have similar weights or volumes.
To some extent, the clustering relaxes the guarantee of differential privacy: the proposed method anonymizes any single record among its cluster instead of among the whole dataset. This is a trade-off between utility and privacy. In real use there are thousands of packages, and being anonymous within a cluster of hundreds of packages is still secure, as shown in Section V.
In Algorithm 2, the sensitivity is calculated for each cluster with complexity O(n_c), and the noise is added to the weight of each package with complexity O(n_p), so the complexity of Algorithm 2 is O(n_c) + O(n_p), where n_c is the number of clusters and n_p is the number of packages.
The differential privacy with clustering method can also be extended to other data anonymization tasks, but it is restricted to numerical data of low dimension. In high dimensions there are many clusters with only a few records each, which makes the method infeasible. The bin-packing problem considered in this paper is a suitable use case for the approach.
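Algorithm 2 as an added example that is not the authors' code: clustering by proportion of occurrence (5%, 30%, 30%, 30%, 5%), a per-cluster sensitivity, Laplace noise with scale Δ_cluster/ε, and the confidence-interval release of Holohan et al. [29] as described above. Two things are assumptions of this example rather than statements of the paper: the half-width of the published interval is derived here from the Laplace CDF (Pr[|Lap(b)| ≤ t] = 1 − e^{−t/b}, so t = −b ln(1 − c)), and a cluster whose weights are all identical has zero range, in which case the example falls back to the range of the whole dataset. The example also includes the Section V adversary, who knows one true weight and guesses that the closest published value is the target, so the effect of ε on the identification rate can be measured. The weights are constructed.

```python
"""Added example (not the authors' code): Algorithm 2, clustering by
proportion of occurrence followed by the Laplace mechanism within each
cluster, plus interval release with confidence c. Assumed: cluster
sensitivity = largest − smallest weight in the cluster (cf. (21)); a
zero-range cluster falls back to the global range. Weights are constructed."""
import math
import random
from typing import Sequence

PROPORTIONS = (0.05, 0.30, 0.30, 0.30, 0.05)


def cluster_by_proportion(values: Sequence[float], proportions=PROPORTIONS) -> list[int]:
    """Assign a cluster id to each value so that, in sorted order, the
    clusters hold the given proportions of the records."""
    n = len(values)
    order = sorted(range(n), key=lambda i: values[i])
    labels = [0] * n
    cum, start = 0.0, 0
    for cid, p in enumerate(proportions):
        cum += p
        end = n if cid == len(proportions) - 1 else int(round(cum * n))
        for idx in order[start:end]:
            labels[idx] = cid
        start = end
    return labels


def cluster_sensitivity(cluster_values: Sequence[float]) -> float:
    """Δ = largest − smallest weight within the cluster."""
    return max(cluster_values) - min(cluster_values)


def laplace_sample(rng: random.Random, scale: float) -> float:
    u = rng.random() - 0.5
    while abs(u) >= 0.5:            # guard the log(0) corner of the inverse CDF
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def half_width(scale: float, confidence: float) -> float:
    """Smallest t with Pr[|Lap(b)| ≤ t] = c: t = −b·ln(1 − c) (from the CDF)."""
    if not 0.0 <= confidence < 1.0:
        raise ValueError("confidence must lie in [0, 1)")
    return -scale * math.log(1.0 - confidence)


def publish(rng: random.Random, values: Sequence[float], eps: float,
            confidence: float, proportions=PROPORTIONS):
    """Algorithm 2: per cluster, add Lap(Δ_cluster/ε) to every weight and
    release [v' − t, v' + t], which contains the true weight with probability
    `confidence`. Returns (noisy values, intervals, cluster labels)."""
    labels = cluster_by_proportion(values, proportions)
    global_range = max(values) - min(values)
    scales, widths = {}, {}
    for cid in set(labels):
        members = [v for v, l in zip(values, labels) if l == cid]
        delta = cluster_sensitivity(members) or global_range   # assumption: fallback
        scales[cid] = delta / eps
        widths[cid] = half_width(scales[cid], confidence)
    noisy = [v + laplace_sample(rng, scales[l]) for v, l in zip(values, labels)]
    intervals = [(v - widths[l], v + widths[l]) for v, l in zip(noisy, labels)]
    return noisy, intervals, labels


def coverage(seed: int, values, eps: float, confidence: float, trials: int = 2000) -> float:
    """Fraction of releases in which the first package's true weight lies in
    its published interval; should be close to `confidence`."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        lo, hi = publish(rng, values, eps, confidence)[1][0]
        hits += lo <= values[0] <= hi
    return hits / trials


def identification_rate(seed: int, values, eps: float, target: int, trials: int = 500) -> float:
    """Section V adversary: knowing the true weight of `target`, guess that
    the closest published value is the target. Returns how often he is right."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        noisy = publish(rng, values, eps, 0.0)[0]
        guess = min(range(len(values)), key=lambda i: abs(noisy[i] - values[target]))
        hits += guess == target
    return hits / trials


# Constructed weights (kg): 100 packages with a few outliers at both ends.
WEIGHTS = ([1.0, 1.5, 2.0, 2.2, 2.5] + [5.0 + 0.25 * i for i in range(90)]
           + [60.0, 75.0, 90.0, 120.0, 150.0])

if __name__ == "__main__":
    noisy, intervals, labels = publish(random.Random(1), WEIGHTS, 1.0, 0.95)
    print("cluster sizes:", [labels.count(c) for c in range(5)])
    print("package 50:", WEIGHTS[50], "->", intervals[50])
    print("coverage at c=0.95:", coverage(1, WEIGHTS, 1.0, 0.95))
    print("id rate eps=0.1:", identification_rate(1, WEIGHTS, 0.1, 50),
          " eps=200:", identification_rate(1, WEIGHTS, 200.0, 50))
```

The identification rate is the empirical counterpart of the Section V argument: with a small ε the Laplace term dominates Δa_i and the adversary's nearest-value guess is no better than picking at random within the cluster, while a very large ε (tiny noise) lets him recover the target almost every time. The coverage check confirms that the interval half-width really delivers the promised confidence, which is what the optimizer relies on when it uses the interval's upper bound.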

V. SECURITY ANALYSIS
This section analyzes and compares the privacy guarantees of the k-anonymity method in [9], the DP with k-anonymity method and the DP with clustering method of Section IV. As mentioned in Section III, [9] is the only work that has considered privacy in bin-packing. Other works such as [29] apply differential privacy for anonymization; their privacy guarantee is the same as that of our approaches, since all of them rely on differential privacy, so for [29] we only compare bin-packing performance, in Section VI.
In this paper, we assume that the adversary knows the accurate information of one package and wants to identify that package in the anonymous output. If he can identify it, he knows which container it is loaded into and can track it. To quantify how well privacy is protected in this scenario, we compare the probability that an adversary identifies the correct package in the output dataset. In [9], only k-anonymity is considered: each row occurs at least k times in the output dataset. The probability of identifying the package given the information of the target is given in (24). The adversary knows the original weight a_i (say a_i = 12) and wants to identify its output b_i. He first finds all the b_i that are a correct generalization of a_i (such as [10, 15]). By the definition of k-anonymity, there are at least k such b_i, so the probability is at most 1/k.

Pr[identify correct package] ≤ 1/k   (24)
In the differential privacy with k-anonymity method of Section IV-A, we add uncertainty to the dataset through sampling, generalization and suppression. Compared to [9], this approach applies β-sampling and a differentially private mapping, which achieves (β, ε, δ)-DP. On the one hand, every row of the output dataset is hidden in a crowd: by the definition of differential privacy, the probability of any given output changes by at most a factor e^ε when any one record of the input is changed. On the other hand, k-anonymity is combined with sampling and the differentially private mapping. The β-sampling adds further uncertainty, because the adversary does not know whether the target package is in the input dataset at all: even once he has collected all candidate b_i, he does not know whether the correct one is among them. Equation (25) gives the resulting probability, with 0 < β < 1.

Pr[identify correct package] ≤ β · (1/k)   (25)
The differentially private mapping function also provides a stronger guarantee in itself. In k-anonymization algorithms, the chosen mapping usually depends on the presence of a few specific values [20]. For example, if the dataset is {1, 2, 3, 5, 7, 9} and k = 3, one possible generalization is {[1, 3], [5, 9]}, which reveals the existence of 1, 3, 5 and 9 in the input. The differentially private mapping does not depend heavily on any single record: every possible generalization can be chosen as the output with the probability assigned by the exponential mechanism [20]. The mapping function therefore strengthens the privacy guarantee, although this is not captured by (25).
In the differential privacy with clustering method of Section IV-B, Laplace noise is added within each cluster to hide the existence of any single row of that cluster. For example, let the dataset D = {a_0, a_1, ..., a_5} have two clusters C_1 = {a_0, a_1, a_2} and C_2 = {a_3, a_4, a_5}. The output dataset D′ contains, for every a_i, the value a_i plus Lap(δ_j/ε), where the sensitivity δ_j is the range of the cluster C_j that a_i belongs to. Assume the adversary knows a_target = a_2 from D and also sees D′. To identify a_2 in D′, he computes the difference between the accurate value and each output value, which equals Δa_i up to the Laplace noise term, where Δa_i = a_target − a_i.
If the adversary infers that the noise comes from the Laplace mechanism, he knows the probability density function of the Laplace distribution (29) and can write down the probability that each output is the target, (30). However, the adversary has no access to δ and ε in (30), so he cannot evaluate that probability. Moreover, (30) shows how Lap(δ_i/ε) shapes the result: with a high sensitivity δ_i or a low ε, the variance of the Laplace noise is large, and the noise term weighs as much as or more than Δa_i, which hides any record in its cluster.
In conclusion, both proposed methods provide better privacy guarantees, lowering the probability that an attacker identifies the targeted package within the group.

VI. EXPERIMENTAL EVALUATION
This section presents the experimental evaluation of the methods proposed in Section IV. Both methods are implemented in Python and run on a laptop with Windows 10 Pro, an Intel Core i7-10710U CPU and 16.0 GB of RAM. We use Google OR-Tools [34] for optimization. We compare the performance of our methods to existing methods based on k-anonymity [9] or differential privacy [29] on seven synthetic datasets. BPPLIB [35] provides several bin-packing benchmarks, such as Falkenauer [36], Scholl [37] and the Randomly Generated Instances [38]. Those datasets are generated from a uniform distribution with various numbers of items (n), capacities (c), minimum (l) and maximum (u) values, and the many combinations of these four factors (n, c, l, u) are designed to test optimization algorithms. This paper, however, evaluates the proposed anonymization algorithms in terms of bin-packing performance, feasibility and run-time, rather than assessing the optimization methods. We therefore consider more distributions (normal and uniform) but fewer combinations of the four factors. To evaluate both approaches properly, different instance settings are used; they are detailed in Tables 1 and 2.
We first describe the optimization methods used for bin-packing and the metrics used to evaluate performance. We then present the performance of the proposed methods, including the instance settings and the analysis, and finally compare our approaches with the existing works.

A. OPTIMIZATION METHODS
Equation (10) shows how the standard optimization works, and the optimization result is the number of bins needed to load all the items.Note that the bin-packing problem is computationally NP-hard.The optimization method is how the problem is solved, so the optimization methods influence the global performance in terms of run time and whether the optimal is found.There are different optimization methods for bin-packing, such as the work of [3], [4].In this paper, the performance of the optimization methods is not our focus, and we choose a widely used optimization tool (Google Or-Tools) in all the experiments and set a time limit (1 minute) for optimization.
In the experiments, we can feed either the upper bound or the mean value of each anonymized interval to the standard optimization. With the upper bound, the optimization result for Algorithm 1 is guaranteed to be feasible for the containers, and the result for Algorithm 2 is feasible with at least the probability given by the confidence c in (22). The upper bound thus yields a feasible loading, but it can also waste container space, since the weights can be largely overestimated. With the mean value of the interval, we avoid the overestimated weights, but the risk that a container is overloaded increases, making the solution infeasible with respect to the constraints.

B. PERFORMANCE METRICS
To evaluate the performance of the proposed methods, we introduce the following factors. Also, to mitigate the influence of the randomness in differential privacy, every experiment is carried out ten times, and the average is used as the result.
Objective ratio (o/o_n): o is the optimization result using the output data from the proposed algorithms, and o_n is the optimization result using the original data. The ideal objective ratio is 1: a ratio larger than 1 means more bins are used, and a ratio less than 1 means some bins must have violated the restrictions.
Feasibility f: For each bin b_i, the optimization result using the anonymous data can violate the constraints in (10). For example, two anonymous items whose weights appear as {11.2, 13.6} are loaded into a container with capacity 25, but the accurate weights of these items are {12, 15}, which violates the constraint. To evaluate how often such violations happen, we use the feasibility value f, the proportion of bins that satisfy all the constraints under the accurate data. If B = {b_0, b_1, ..., b_m} is the optimization result that uses m bins to load all the items and D(b_i) is the accurate weights of the items in bin i, then f is given by [equation not reproduced].
Anonymization time t_a: The run-time of the proposed methods. We use the anonymization time to evaluate the efficiency of the methods.
Suppression rate: We introduce the suppression rate to evaluate how much data is suppressed by the differential privacy with k-anonymity method.
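The objective ratio and feasibility metrics above, together with the upper-bound-versus-mean choice discussed under Optimization Methods, as an added example that is not part of the paper's code: a first-fit-decreasing heuristic stands in for the OR-Tools optimizer, and the accurate weights and published intervals are constructed sample data (the first two items reproduce the {12, 15} example).

```python
"""Objective ratio o/o_n and feasibility f for bin-packing on anonymized weights.

Added example (not the paper's code): a first-fit-decreasing heuristic stands in
for the OR-Tools optimizer, and all weights and intervals are constructed data.
"""
from typing import Dict, List, Sequence, Tuple

CAPACITY = 25.0
# Constructed accurate weights; the first two items are the paper's {12, 15} example.
ACCURATE = [12.0, 15.0, 8.0, 10.0, 5.0, 20.0, 7.0, 14.0]
# Constructed published intervals, each containing its accurate weight (as the
# upper bound of Algorithm 1 guarantees). The first two have means 11.2 and 13.6.
INTERVALS = [(10.0, 12.4), (12.2, 15.0), (6.0, 10.0), (8.0, 12.0),
             (3.0, 7.0), (18.0, 22.0), (5.0, 9.0), (12.0, 16.0)]


def first_fit_decreasing(weights: Sequence[float], capacity: float) -> List[List[int]]:
    """Pack items largest-first into the first bin with room; returns bins of item indices."""
    order = sorted(range(len(weights)), key=lambda i: weights[i], reverse=True)
    bins: List[List[int]] = []
    loads: List[float] = []
    for i in order:
        for b, load in enumerate(loads):
            if load + weights[i] <= capacity:
                bins[b].append(i)
                loads[b] += weights[i]
                break
        else:
            bins.append([i])
            loads.append(weights[i])
    return bins


def feasibility(bins: List[List[int]], accurate: Sequence[float], capacity: float) -> float:
    """f: proportion of bins whose load under the accurate weights respects the capacity."""
    ok = sum(1 for b in bins if sum(accurate[i] for i in b) <= capacity)
    return ok / len(bins)


def evaluate(intervals: Sequence[Tuple[float, float]], accurate: Sequence[float],
             capacity: float, use_upper: bool) -> Dict[str, float]:
    """Pack with the upper bound or the mean of each interval, then score with accurate data."""
    anon = [hi if use_upper else (lo + hi) / 2.0 for lo, hi in intervals]
    bins = first_fit_decreasing(anon, capacity)
    o_n = len(first_fit_decreasing(accurate, capacity))  # baseline on the original data
    return {"bins": len(bins), "objective_ratio": len(bins) / o_n,
            "feasibility": feasibility(bins, accurate, capacity)}


if __name__ == "__main__":
    # The mean packs as tightly as the original but overloads one bin (12 + 15 > 25);
    # the upper bound is always feasible but needs one bin more.
    for label, use_upper in (("mean", False), ("upper bound", True)):
        print(label, evaluate(INTERVALS, ACCURATE, CAPACITY, use_upper))
```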

C. PERFORMANCE OF DIFFERENTIAL PRIVACY WITH K-ANONYMITY
1) INSTANCE SETTINGS
Seven different instance settings are evaluated, as shown in Table 1. Similar to the benchmarks in BPPLIB, we consider the uniform distribution in instances I to IV, with the same distribution as the instances used in the work of [9]. Settings I and II have different numbers of medium and large items with uniform distribution (U). Similarly, we increase the capacity from 500 to 2500 to evaluate small items in settings III and IV. We also add the normal distribution to consider a different distribution. Instance VI is a combination of two uniformly distributed sub-sets, again with the same distribution as used in [9]: 25% large items and 75% small items. Instance VII is generated by [37] with more items (200), and its optimization is hard to solve. This instance is meant to show how well the different algorithms work on a larger dataset.
In Table 1, c is the capacity of the bins; the weights of all the items lie in the range [l · c, u · c]; n is the number of items. Because of the suppression by k-anonymity, the number of items is larger than in the settings for the clustering method in Table 2. In the settings, 'L' means large items, 'U' means uniform distribution, and 'N' means normal distribution.

2) PARAMETER SETTINGS
In the (β, , δ)-DP with k-anonymity method, (13) and (20) show that [equation not reproduced], where β is the sampling rate and 1 = 2 u is for the 1 -DP mapping function. In the evaluation, we assume that the instances in Table 1 are after the β sampling. We choose k ∈ [2, 6] as the independent variable to evaluate the performance, since the values of (in (33)) and δ (in (14)) both depend on k. Meanwhile, we set = 3 to achieve a relatively small value of . For example, with k = 4, |D| = 40, β = 0.7, we get ≈ 1.8. Because of the randomness of differential privacy, we carry out every experiment ten times and use the average value for evaluation. Also, since obtaining the optimal solution of an optimization problem is time-consuming, we set a time limit of 1 minute for the standard optimization.
3) PERFORMANCE ANALYSIS
Fig. 5 shows the performance of the differential privacy with k-anonymity method. We use both the average (avg) and the upper bound (max) of the output intervals as the input to the standard optimizer. The average performs better than the upper bound in terms of objective ratio, at the cost of feasibility. With the upper bound, the weights of the items are overestimated, leading to a larger objective ratio ranging from 1.0 to 1.2 (k = 6). For the same reason, the optimization results using the upper bound always satisfy all the constraints. In contrast, the average weights are closer to the real weights, but they can be underestimated, resulting in overloaded bins.
For most settings with the upper bound, the objective ratio increases with a larger k. With a larger k, the exponential mechanism is more likely to choose a node with more generalization in order to keep the suppression proportion low. With more generalization, the upper bound is overestimated further, which increases the objective ratio. Meanwhile, the objective ratio is closer to 1 with a larger dataset: for instance setting VII, the objective ratio is close to 1 even when using the upper bound.
The feasibility is not always equal to 1 when the average of the interval is applied; the probability of a violation is around 10% to 20%. To mitigate this problem, we can set the capacity a bit smaller than the real capacity. Also, in practice, some products can be dropped to satisfy the constraints.
The suppression rates differ among the distributions. For uniform distributions, the suppression is around 10% to 25%, which means that only a small proportion of the data is suppressed. For the normal distribution in setting V, the suppression rises to around 30%, since weights are sparse for the large and small items. For a similar reason, values are sparse for the large items with the non-uniform distribution, resulting in a higher suppression (20% to 30%). When the number of items increases, the suppression rate is only around 10% even when k = 35, which shows the advantage of the method on large datasets.
The suppression also introduces the problem that not all the items are considered for bin-packing. There are three different approaches to deal with it:
• Keep the suppressed items in the next pool and wait for k items with the same range for k-anonymity.
• Apply differential privacy directly, or apply Algorithm 2, to the suppressed data.
• Weight the suppression more heavily in the utility function, so that the utility function guarantees an output with low suppression.
Both the low suppression rates and the low objective ratio show that the proposed utility function works well. Also, the anonymization algorithm runs in less than 0.1 seconds to output an anonymous dataset. Equation (33) shows that a smaller k means a smaller , but there are limits. When we calculate δ using (14), a small k gives a large δ. Dwork et al. [39] show that δ should be smaller than 1/|D|, where |D| is the number of records in the dataset. With a small-scale dataset and a small k the value of δ is large, but with a large dataset and a suitable k, δ can satisfy the bound. For example, if |D| = 1000, β = 0.7, k = 40, 1 = 1, we get δ ≤ 6.8 × 10^−4 < 1/|D|. In real use, thousands of items are loaded every day. We can select the minimum k that satisfies the restriction.

D. PERFORMANCE OF DIFFERENTIAL PRIVACY WITH CLUSTERING
1) EXPERIMENTAL SETTINGS
Table 2 shows the instance settings, which are similar to those of the previous method. We only change the number of attributes, since neither suppression nor sampling is applied here.
In the evaluation, ∈ [0.5, 1, 2, 3, 4, 5] is the independent variable. We evaluate the performance with different confidence factors c ∈ [0, 0.5, 0.7, 0.9]. We use the upper bound of all the intervals as the input to the optimizer. Also, we carry out every experiment ten times and set a time limit of 1 minute for the standard optimization.
2) PERFORMANCE ANALYSIS
Fig. 6 shows the performance of the differential privacy with clustering method. The approach with a low confidence factor shows a better objective ratio but lower feasibility. Moreover, all the approaches are robust across different distributions. When c = 0, the output data is {v_i + Lap( / )}, which is also the average of the intervals when c = 0. As c increases, the intervals become larger, and it is more probable that the accurate data lies in the interval. As a result, the increasing upper bounds increase both the objective ratio and the feasibility. The confidence factor can thus improve the feasibility at a small cost in objective ratio when is small. For example, when c = 0.7, the objective ratio is around 1.2 and the feasibility is around 0.9. Although the feasibility is not always equal to 1, we can mitigate this by using a smaller capacity than the real capacity. Also, in practice, the trucks can remove some products to meet the constraints.
When increases, all the objective ratios move closer to 1, and all the feasibilities increase. If keeps increasing, both the feasibility and the objective ratio converge to 1. This shows the trade-off between privacy and utility for optimization: with a larger , less noise is added to the accurate data, so the algorithm has a weaker privacy guarantee and better utility for the optimization. Also, the anonymization finishes within 3 ms.
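To make the effect of the confidence factor c concrete, here is an added example that is not the paper's code. Equations (21) to (23) are not reproduced on this page, so the interval around the noisy cluster value is assumed to be the symmetric Laplace quantile interval of probability c, with the noise scale taken as sensitivity/epsilon; the cluster value and sensitivity used below are constructed.

```python
"""Confidence-factor intervals for Laplace-noised cluster values (Algorithm 2 style).

Added example, not the paper's code. Assumption: for noise Lap(b) with b = sensitivity/epsilon,
P(|Lap(b)| <= w) = 1 - exp(-w/b) = c, so the interval of confidence c has half-width
w = b * ln(1/(1-c)); c = 0 gives the bare noisy value, as the text describes.
"""
import math
import random
from typing import Tuple


def laplace_half_width(scale: float, c: float) -> float:
    """Half-width w with P(|Lap(scale)| <= w) = c; c = 0 collapses the interval to a point."""
    if not 0.0 <= c < 1.0:
        raise ValueError("confidence factor c must lie in [0, 1)")
    return scale * math.log(1.0 / (1.0 - c))


def sample_laplace(rng: random.Random, scale: float) -> float:
    """Inverse-CDF draw from Lap(0, scale)."""
    u = rng.random() - 0.5
    while abs(u) >= 0.5:  # avoid log(0) on the boundary
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def publish_cluster(mean: float, sensitivity: float, epsilon: float, c: float,
                    rng: random.Random) -> Tuple[float, float]:
    """Noisy cluster value = mean + Lap(sensitivity/epsilon), published as [noisy - w, noisy + w]."""
    scale = sensitivity / epsilon
    noisy = mean + sample_laplace(rng, scale)
    w = laplace_half_width(scale, c)
    return (noisy - w, noisy + w)


def coverage(true_mean: float, sensitivity: float, epsilon: float, c: float,
             trials: int = 20000, seed: int = 1) -> float:
    """Fraction of published intervals containing the accurate cluster value (close to c)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        lo, hi = publish_cluster(true_mean, sensitivity, epsilon, c, rng)
        if lo <= true_mean <= hi:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Larger c widens the interval (higher upper bound, so higher objective ratio but
    # more bins stay feasible); larger epsilon shrinks it for the same c.
    for eps in (0.5, 1.0, 5.0):
        for c in (0.0, 0.5, 0.7, 0.9):
            w = laplace_half_width(1.0 / eps, c)  # constructed sensitivity = 1
            print(f"epsilon={eps} c={c}: half-width={w:.3f} coverage={coverage(50.0, 1.0, eps, c):.3f}")
```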

E. COMPARISON RESULT
1) EXPERIMENTAL SETTINGS
In this section, we compare the performance of our proposed methods to the differential privacy without clustering approach used in the work of [29] (Fig. 7), and to the work of [9] (Fig. 8), which applies two different k-anonymous algorithms (k-Optimize [11] and Flash [12]) to achieve privacy-preserving data publishing. The experimental results in [9] show that k-Optimize has the best overall performance, so we use k-Optimize as the comparison method. Meanwhile, we set the minimum interval to 4 (e.g. 10 → [8, 14] → [8, 22] → ...). A smaller minimum interval means a more optimized k-anonymous output, but the run-time becomes longer.
The instance settings are the same as for the differential privacy with clustering method in Table 2. Considering the randomness of the input dataset, we carry out each comparison experiment ten times and use the average as the result.
2) PERFORMANCE COMPARISON
Fig. 7 shows the result when only differential privacy is applied with confidence factors. It is similar to that of the proposed differential privacy with clustering method, but the clustering achieves a better objective ratio. The objective ratio is around 1.2 when c = 0.7 with clustering, whereas without clustering it is around 1.4 when c = 0.7, and even higher as the number of items increases. Meanwhile, the feasibility is closer to 1 when clustering is applied. The result shows that the proposed clustering method improves the original differentially private method in terms of objective ratio and feasibility. Compared to the differential privacy with k-anonymity method, our proposed method has a better objective ratio (always between 1 and 1.2) and similar feasibility.
Fig. 8 shows the performance of the k-Optimize method with the standard optimizer. We use both the average (avg) and the upper bound (max) of the intervals to show how well it works. The average shows a better objective ratio at the cost of feasibility. The objective ratio using the upper bound of the k-Optimize output ranges from 1.1 to 1.3 for large items, and is very close to one for small items. Meanwhile, the feasibility using the average values ranges from 0.8 to 0.9 for most settings, while it is very close to one for setting III and smaller than 0.8 for setting V. For all settings, a larger k always increases the objective ratio, since a larger k always means larger intervals in the output of the k-anonymous algorithm. The run-time of k-Optimize ranges from 10^0 to more than 10^3 seconds with 25 or 50 items.
The differential privacy with k-anonymity method and the k-Optimize method show very similar objective ratios and feasibility. Meanwhile, the differential privacy with k-anonymity method runs much faster than k-Optimize, which means that we can extend the proposed method to 2-D or 4-D packing problems while k-Optimize cannot. However, the proposed method uses suppression, while k-Optimize considers all the input data. Because of the suppression, the number of rows of the input data is not the same for both methods, which makes the differential privacy with k-anonymity method appear to outperform k-Optimize. To better compare these methods, we compare the result of setting I for the proposed method in Fig. 5 to the result of setting II for the proposed method in Fig. 5. The proposed method has fewer records in the input dataset, but it shows better feasibility and a better objective ratio when k ≤ 4. As a result, the proposed method shows results comparable to k-Optimize in terms of objective ratio and feasibility while being much faster.
Compared to the differential privacy with clustering method, the k-Optimize method also shows similar results. For example, when = 1 and c = 0.5, the proposed method shows comparable objective ratios and better feasibility than the k-Optimize method (k = 4). With larger and smaller k, the proposed method also shows better objective ratios and feasibility than k-Optimize. With either a higher or a lower privacy guarantee, the proposed method outperforms or matches k-Optimize in terms of objective ratio and feasibility, and it is much faster.

VII. CONCLUSION AND DISCUSSION
We propose two different privacy-preserving data publishing approaches that use differential privacy to solve bin-packing problems under privacy constraints. By calculating the probability of identifying the correct item, we prove that both proposed methods provide better privacy guarantees than the previous work using k-anonymity: with differential privacy, each item is hidden among the group of items rather than among only k items as with k-anonymity. Also, we carry out seven different experiments based on different data distributions and different numbers of inputs. The results show that our proposed methods are much faster than the k-anonymous approach (from 10^3 s to less than 0.1 s) without any cost in objective ratio or feasibility, and that they perform better (lower objective ratio and higher or similar feasibility) than the approach that only applies differential privacy. In conclusion, both proposed methods show advantages in privacy preservation and run-time over previous approaches that only apply k-anonymity or differential privacy, while showing comparable objective ratio and feasibility. Both proposed methods can also be used to solve 2-D or 4-D bin-packing problems, which we leave as future work.
When we apply privacy-preserving methods, a better privacy guarantee always means a less useful output, so it is important to find the trade-off between these two aspects. In this paper, we use experiments to show the relationship between the privacy guarantees (k and ) and the performance (o/o_n and f). At some performance cost (10% to 20% in o/o_n and f), the proposed methods provide good privacy guarantees (such as = 1). A better utility function or a better clustering method can help improve the performance of both proposed methods, and it remains future work to determine how much the utility function and the clustering influence the performance factors.

FIGURE 3. Example lattice with level 2 for one attribute.

FIGURE 4. Example lattice with level 2 for two attributes.

Algorithm 1: Differential Privacy with k-Anonymity.
Input: Input dataset D_in, privacy budget 1
Output: Differentially private dataset D_out
1: Apply the β sampling to D_in, and get D_in
2: Construct the lattice generalizations for attributes of D_in
3: Calculate the utility of each node by (

Algorithm 2: Differential Privacy with Clustering.
Input: Input dataset for de-identification D_in
Output: Output dataset D_out
1: Sort D_in
2: Apply clustering to D_in based on the proportion of occurrence
3: Calculate v_i for each cluster
4: Calculate v_i by adding Laplace noise to each cluster using (21)
5: Calculate the interval of each v_i using (22) and (23)
6: Get D_out by combining the output of each cluster
7: return D_out

FIGURE 5. Performance of the differential privacy with k-anonymity method using the average or the upper bound of the intervals (with = 3). The x-axis is k, and the y-axis is: the objective ratio o/o_n, the feasibility f, the anonymization time t_a (s), and the proportion of the remaining data 1 − suppression.

FIGURE 6. Performance of the differential privacy with clustering method with different confidence factors c. The x-axis is , and the y-axis is: the objective ratio o/o_n, the feasibility f, and the anonymization time t_a (ms).

FIGURE 7. Performance of the comparison method (differential privacy without clustering). The x-axis is , and the y-axis is: the objective ratio o/o_n, the feasibility f, and the anonymization time t_a (ms).

FIGURE 8. Performance of the comparison method (k-Optimize with the standard optimizer). The x-axis is k, and the y-axis is: the objective ratio o/o_n, the feasibility f, and the anonymization time t_a (s).