LDPRecover: Recovering Frequencies from Poisoning Attacks against Local Differential Privacy

Xinyue Sun,Qingqing Ye,Haibo Hu,Jiawei Duan,Tianyu Wo,Jie Xu,Renyu Yang
2024-07-10
Abstract:Local differential privacy (LDP), which enables an untrusted server to collect aggregated statistics from distributed users while protecting the privacy of those users, has been widely deployed in practice. However, LDP protocols for frequency estimation are vulnerable to poisoning attacks, in which an attacker can poison the aggregated frequencies by manipulating the data sent from malicious users. Therefore, it is an open challenge to recover the accurate aggregated frequencies from poisoned ones. In this work, we propose LDPRecover, a method that can recover accurate aggregated frequencies from poisoning attacks, even if the server does not learn the details of the attacks. In LDPRecover, we establish a genuine frequency estimator that theoretically guides the server to recover the frequencies aggregated from genuine users' data by eliminating the impact of malicious users' data in poisoned frequencies. Since the server has no idea of the attacks, we propose an adaptive attack to unify existing attacks and learn the statistics of the malicious data within this adaptive attack by exploiting the properties of LDP protocols. By taking the estimator and the learning statistics as constraints, we formulate the problem of recovering aggregated frequencies to approach the genuine ones as a constraint inference (CI) problem. Consequently, the server can obtain accurate aggregated frequencies by solving this problem optimally. Moreover, LDPRecover can serve as a frequency recovery paradigm that recovers more accurate aggregated frequencies by integrating attack details as new constraints in the CI problem. Our evaluation on two real-world datasets, three LDP protocols, and untargeted and targeted poisoning attacks shows that LDPRecover is both accurate and widely applicable against various poisoning attacks.
Cryptography and Security
What problem does this paper attempt to address?
### What problem does this paper attempt to solve? This paper aims to solve the problem of poisoning attacks faced by local differential privacy (LDP) protocols in frequency estimation. Specifically, LDP allows untrusted servers to collect aggregated statistics from distributed users while protecting users' privacy. However, LDP protocols are vulnerable to poisoning attacks, in which an attacker pollutes the aggregated frequency by manipulating the data sent by malicious users. Therefore, the main goal of the paper is to propose a method that enables the server to recover the accurate aggregated frequency from the polluted frequency without knowing the details of the attack. To achieve this goal, the authors propose the **LDPRecover** method, which can: 1. **Establish a true frequency estimator**: This estimator can guide the server to recover the true frequency from the real - user data by eliminating the influence of malicious user data. 2. **Learn the malicious frequency**: Since the server does not know the details of the attack, the authors propose an adaptive attack model, which unifies the existing non - target and target poisoning attacks and uses the characteristics of the LDP protocol to learn the statistical information of malicious data. 3. **Formulate the frequency recovery problem as a Constrained Inference (CI) problem**: By using the above - mentioned estimator and the learned malicious statistical data as constraints, the frequency recovery problem is transformed into an optimization problem, so that the server can obtain the accurate aggregated frequency by solving this problem. ### Method overview The specific steps of LDPRecover are as follows: 1. **Estimator construction**: First, the authors propose an analysis framework that generalizes the poisoning attacks on the LDP protocol and derives the theoretical relationships between the polluted, true, and malicious frequencies. Based on this, a true frequency estimator is established, and its expected value and variance are analyzed. 2. **Malicious frequency learning**: Since the server has no specific information about the attack, it cannot directly obtain the malicious frequency. For this reason, the authors design an adaptive attack that unifies the existing attacks and uses the aggregation characteristics of the LDP protocol to learn the statistical information of the malicious frequency, especially its sum. 3. **True frequency recovery**: Using the true frequency estimator and the statistical information of the malicious frequency as constraints, the frequency recovery problem is transformed into a constrained inference problem. By solving this problem, the server can obtain an aggregated frequency close to the true frequency. ### Experimental verification The authors evaluated the effectiveness of LDPRecover on two real - world datasets, using three popular LDP protocols (GRR, OUE, OLH), and tested non - target and target poisoning attacks. The experimental results show that LDPRecover can not only recover the accurate aggregated frequency from the polluted frequency, but also significantly reduce the frequency gain of specific items in target poisoning attacks. ### Summary In general, this paper solves the problem of how to recover the accurate aggregated frequency when the LDP protocol is faced with poisoning attacks, and proposes a general and effective solution - LDPRecover. This method can be applied to various types of poisoning attacks and can work effectively when the server does not know the details of the attack.