🤖 AI Summary
This work addresses the challenge of repeated leakage of sensitive information in privacy-sensitive streaming runtime monitoring, where temporal operations inherently amplify privacy risks. It presents the first approach to automatically integrate differential privacy into stream monitoring specifications by analyzing temporal dependencies and strategically injecting noise at critical points. To minimize aggregation error, the method incorporates a tree-based mechanism that jointly optimizes privacy guarantees and monitoring utility. The effectiveness of this approach is demonstrated in a public transportation usage monitoring case study, where it significantly preserves output accuracy while rigorously adhering to differential privacy constraints.
📝 Abstract
Modern stream-based monitors collect detailed statistics of the runtime behavior of the system under observation. If the system runs in a privacy-sensitive context, this poses the risk of disclosing sensitive information. Differential privacy is the state-of-the-art approach for protecting sensitive information; however, integrating it into runtime monitoring is challenging: temporal operators can cause individual input values to influence multiple outputs over time, leading to repeated disclosure of private information. We propose an approach that automatically enforces differential privacy in stream-based monitoring specifications by analyzing temporal dependencies and injecting carefully calibrated noise into the specification. To preserve the utility of the outputs, we identify strategically chosen positions in the specification for noise injection and leverage tree-based mechanisms to mitigate the accuracy loss caused by noise injected into aggregation operators. We demonstrate the practicality and effectiveness of our approach in a case study on monitoring public transportation usage.
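The repeated-disclosure problem and the tree-based remedy named in the abstract, as an added example that is not taken from the paper: a running sum released at every step, once by noising each output and once with a binary-tree mechanism. It assumes inputs in [0, 1], neighbouring streams that differ in a single input, and Laplace noise; all function names are hypothetical.

```python
import random
from itertools import accumulate

def laplace(scale, rng):
    # The difference of two Exp(1) draws is Laplace(0, 1).
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def dyadic_cover(t):
    """Aligned power-of-two blocks (start, length) that tile [0, t)."""
    blocks, start = [], 0
    for bit in reversed(range(t.bit_length())):
        if (t >> bit) & 1:
            blocks.append((start, 1 << bit))
            start += 1 << bit
    return blocks

def naive_running_sum(xs, eps, rng):
    # Baseline: noise every output. One input changes all later outputs,
    # so the L1 sensitivity of the output vector is len(xs).
    scale = len(xs) / eps
    return [s + laplace(scale, rng) for s in accumulate(xs)]

def tree_running_sum(xs, eps, rng):
    # Assumption: each x is in [0, 1]. An input lies in one block per tree
    # level, so it touches at most `levels` block sums; Laplace(levels / eps)
    # noise per block then gives eps-DP for the whole output sequence.
    levels = len(xs).bit_length()
    noisy = {}  # block -> noisy sum, drawn once and reused by later outputs
    out = []
    for t in range(1, len(xs) + 1):
        total = 0.0
        for block in dyadic_cover(t):
            if block not in noisy:
                start, length = block
                noisy[block] = sum(xs[start:start + length]) + laplace(levels / eps, rng)
            total += noisy[block]
        out.append(total)
    return out

def mean_abs_error(estimates, xs):
    truth = list(accumulate(xs))
    return sum(abs(e - s) for e, s in zip(estimates, truth)) / len(xs)

if __name__ == "__main__":
    rng = random.Random(7)
    # Constructed sample: 1024 time steps, one 0/1 boarding event per step.
    xs = [rng.randint(0, 1) for _ in range(1024)]
    print("naive:", round(mean_abs_error(naive_running_sum(xs, 1.0, rng), xs), 1))
    print("tree: ", round(mean_abs_error(tree_running_sum(xs, 1.0, rng), xs), 1))
```

The seeded `random.Random` keeps the comparison reproducible; a deployed monitor needs a cryptographically secure source and a Laplace sampler hardened against floating-point leakage.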