Data Poisoning Attacks to Locally Differentially Private Frequent Itemset Mining Protocols

Wei Tong, Haoyu Chen, Jiacheng Niu, Sheng Zhong

TL;DR

This work addresses the vulnerability of locally differentially private frequent itemset mining to data poisoning. It introduces the Adaptive Orchestration Attack (AOA), a unified framework built from Attack Resource Estimation, Target Set Refinement, and Poisoned Data Generation, and shows how to compromise state-of-the-art protocols like LDPMiner, SVIM, SVSM, and FIML under various threat models, including limited-knowledge and MITM scenarios. The authors provide extensive experiments across multiple real-world datasets, demonstrating that AOA can significantly degrade top‑k results, often outperforming baseline attacks. They also discuss defenses, including FO-level protections and protocol randomness, but find that robust, universally effective defenses remain an open challenge, underscoring the need for more resilient LDP mining systems in practice.

Abstract

Local differential privacy (LDP) provides a way for an untrusted data collector to aggregate users' data without violating their privacy. Various privacy-preserving data analysis tasks have been studied under the protection of LDP, such as frequency estimation, frequent itemset mining, and machine learning. Despite its privacy-preserving properties, recent research has demonstrated the vulnerability of certain LDP protocols to data poisoning attacks. However, existing data poisoning attacks are focused on basic statistics under LDP, such as frequency estimation and mean/variance estimation. As an important data analysis task, the security of LDP frequent itemset mining has yet to be thoroughly examined. In this paper, we aim to address this issue by presenting novel and practical data poisoning attacks against LDP frequent itemset mining protocols. By introducing a unified attack framework with composable attack operations, our data poisoning attack can successfully manipulate the state-of-the-art LDP frequent itemset mining protocols and has the potential to be adapted to other protocols with similar structures. We conduct extensive experiments on three datasets to compare the proposed attack with four baseline attacks. The results demonstrate the severity of the threat and the effectiveness of the proposed attack.

Paper Structure (33 sections, 20 equations, 24 figures, 1 table, 1 algorithm)

This paper contains 33 sections, 20 equations, 24 figures, 1 table, 1 algorithm.

Figures (24)

  • Figure 1: Attacking SVSM, with $k = 32$, $\epsilon=4.0$ (black dashed line - no attack).
  • Figure 2: Attacking FIML-IS, with $k = 32$, $\epsilon=4.0$ (black dashed line - no attack).
  • Figure 3: Attacking LDPMiner, with $k = 32$, $\epsilon=4.0$ (black dashed line - no attack).
  • Figure 4: Attacking SVIM, with $k = 32$, $\epsilon=4.0$ (black dashed line - no attack).
  • Figure 5: AOA on BMS-POS with changing $\epsilon$ and $k$; Default: $\gamma = 0.01$, $k=32$, and $\epsilon=4.0$. The $y$-axis is ACC/NCR.
  • ...and 19 more figures

Theorems & Definitions (1)

  • Definition 1: Local Differential Privacy