Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LDPRecover: Recovering Frequencies from Poisoning Attacks against Local Differential Privacy

Xinyue Sun, Qingqing Ye, Haibo Hu, Jiawei Duan, Tianyu Wo, Jie Xu, Renyu Yang

TL;DR

LDPRecover addresses the vulnerability of frequency-estimation in Local Differential Privacy to poisoning attacks by modeling poisoned aggregates as a mixture of genuine and malicious frequencies and introducing a genuine-frequency estimator. It learns malicious-frequency statistics via an adaptive attack and casts recovery as a constraint-inference problem, enabling accurate reconstruction of genuine frequencies even without attack details; partial attacker knowledge further improves results. The approach is validated on two real-world datasets and three LDP protocols against untargeted, targeted, and adaptive attacks, showing robust accuracy and reduced frequency gains for targets. This work offers a practical, attack-agnostic paradigm for robust LDP deployments and lays groundwork for extending recovery to other aggregation tasks and defenses against input poisoning.

Abstract

Local differential privacy (LDP), which enables an untrusted server to collect aggregated statistics from distributed users while protecting the privacy of those users, has been widely deployed in practice. However, LDP protocols for frequency estimation are vulnerable to poisoning attacks, in which an attacker can poison the aggregated frequencies by manipulating the data sent from malicious users. Therefore, it is an open challenge to recover the accurate aggregated frequencies from poisoned ones. In this work, we propose LDPRecover, a method that can recover accurate aggregated frequencies from poisoning attacks, even if the server does not learn the details of the attacks. In LDPRecover, we establish a genuine frequency estimator that theoretically guides the server to recover the frequencies aggregated from genuine users' data by eliminating the impact of malicious users' data in poisoned frequencies. Since the server has no idea of the attacks, we propose an adaptive attack to unify existing attacks and learn the statistics of the malicious data within this adaptive attack by exploiting the properties of LDP protocols. By taking the estimator and the learning statistics as constraints, we formulate the problem of recovering aggregated frequencies to approach the genuine ones as a constraint inference (CI) problem. Consequently, the server can obtain accurate aggregated frequencies by solving this problem optimally. Moreover, LDPRecover can serve as a frequency recovery paradigm that recovers more accurate aggregated frequencies by integrating attack details as new constraints in the CI problem. Our evaluation on two real-world datasets, three LDP protocols, and untargeted and targeted poisoning attacks shows that LDPRecover is both accurate and widely applicable against various poisoning attacks.

LDPRecover: Recovering Frequencies from Poisoning Attacks against Local Differential Privacy

TL;DR

LDPRecover addresses the vulnerability of frequency-estimation in Local Differential Privacy to poisoning attacks by modeling poisoned aggregates as a mixture of genuine and malicious frequencies and introducing a genuine-frequency estimator. It learns malicious-frequency statistics via an adaptive attack and casts recovery as a constraint-inference problem, enabling accurate reconstruction of genuine frequencies even without attack details; partial attacker knowledge further improves results. The approach is validated on two real-world datasets and three LDP protocols against untargeted, targeted, and adaptive attacks, showing robust accuracy and reduced frequency gains for targets. This work offers a practical, attack-agnostic paradigm for robust LDP deployments and lays groundwork for extending recovery to other aggregation tasks and defenses against input poisoning.

Abstract

Local differential privacy (LDP), which enables an untrusted server to collect aggregated statistics from distributed users while protecting the privacy of those users, has been widely deployed in practice. However, LDP protocols for frequency estimation are vulnerable to poisoning attacks, in which an attacker can poison the aggregated frequencies by manipulating the data sent from malicious users. Therefore, it is an open challenge to recover the accurate aggregated frequencies from poisoned ones. In this work, we propose LDPRecover, a method that can recover accurate aggregated frequencies from poisoning attacks, even if the server does not learn the details of the attacks. In LDPRecover, we establish a genuine frequency estimator that theoretically guides the server to recover the frequencies aggregated from genuine users' data by eliminating the impact of malicious users' data in poisoned frequencies. Since the server has no idea of the attacks, we propose an adaptive attack to unify existing attacks and learn the statistics of the malicious data within this adaptive attack by exploiting the properties of LDP protocols. By taking the estimator and the learning statistics as constraints, we formulate the problem of recovering aggregated frequencies to approach the genuine ones as a constraint inference (CI) problem. Consequently, the server can obtain accurate aggregated frequencies by solving this problem optimally. Moreover, LDPRecover can serve as a frequency recovery paradigm that recovers more accurate aggregated frequencies by integrating attack details as new constraints in the CI problem. Our evaluation on two real-world datasets, three LDP protocols, and untargeted and targeted poisoning attacks shows that LDPRecover is both accurate and widely applicable against various poisoning attacks.
Paper Structure (32 sections, 7 theorems, 33 equations, 10 figures, 1 table, 1 algorithm)

This paper contains 32 sections, 7 theorems, 33 equations, 10 figures, 1 table, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related work
  3. Preliminaries
  4. Local Differential Privacy
  5. LDP Protocols for Frequency Estimation
  6. Summary of Common Properties of LDP Protocols
  7. Problem Definition
  8. Threat Model
  9. Design Goals
  10. LDPRecover
  11. Overview
  12. Estimator Construction
  13. Analytical Framework for Poisoning Attacks
  14. Estimator Construction
  15. Malicious Frequency Learning
  16. ...and 17 more sections

Key Result

Lemma 1

The asymptotic distribution $\tilde{f}_{Y}(v)$ is $\mathcal{N}(\mu_y, \sigma_y^2)$, $\lim\limits_{m \to \infty} \tilde{f}_{Y}(v) \sim \mathcal{N}(\mu_y, \sigma_y^2)$, where $\mathcal{N}$ denotes a normal distribution, $\mu_y = \mathbf{E}[\Phi_{\epsilon, y}(v)]$, and $\sigma_y^2= \mathbf{Var}[\Phi_{\

Figures (10)

  • Figure 1: Illustration of poisoning attack against LDP-based frequency estimation and our frequency recovery.
  • Figure 2: The general process of poisoning attacks against LDP protocols.
  • Figure 3: The mean squared error (MSE) of LDPRecover and LDPRecover$^*$ for two datasets, three LDP protocols, and three attacks. "-Manip", "-MGA", and "-AA" represents the results for recovery from Manip, MGA, and AA, respectively.
  • Figure 4: The frequency gain (FG) of LDPRecover and LDPRecover$^*$ for two datasets, three LDP protocols, and three attacks. "-Manip", "-MGA", and "-AA" represents the results for recovery from Manip, MGA, and AA, respectively.
  • Figure 5: Impact of differential parameters ($\beta, \epsilon, \eta$) on recovery from AA on IPUMS dataset in terms of MSE.
  • ...and 5 more figures

Theorems & Definitions (14)

  • Definition 1: $\epsilon$-Local Differential Privacy duchi2013local
  • Lemma 1
  • proof
  • Lemma 2
  • proof
  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Theorem 3
  • ...and 4 more