To prevent the DLD provider from gaining knowledge of
sensitive data during the detection process, we need to set up a
privacy goal that is complementary to the security goal above.
We model the DLD provider as a semi-honest adversary,
who follows our protocol to carry out the operations, but
may attempt to gain knowledge about the sensitive data of
the data owner. Our privacy goal is defined as follows. The
DLD provider is given digests of sensitive data from the data
owner and the content of network traffic to be examined. The
DLD provider should not find out the exact value of a piece of
sensitive data with a probability greater than $\frac{1}{K}$, where $K$ is an
integer representing the number of all possible sensitive-data
candidates that can be inferred by the DLD provider.