Although local differential privacy (LDP) protects individual users' data from inference by an untrusted data curator, recent studies show that an attacker can launch a data poisoning attack from the user side to inject carefully-crafted bogus data into the LDP protocols in order to maximally skew the final estimate by the data curator. In this work, we further advance this knowledge by proposing a new fine-grained attack, which allows the attacker to fine-tune and simultaneously manipulate mean and variance estimations that are popular analytical tasks for many real-world applications. To accomplish this goal, the attack leverages the characteristics of LDP to inject fake data into the output domain of the local LDP instance. We call our attack the output poisoning attack (OPA). We observe a security-privacy consistency where a small privacy loss enhances the security of LDP, which contradicts the known security-privacy trade-off from prior work. We further study the consistency and reveal a more holistic view of the threat landscape of data poisoning attacks on LDP. We comprehensively evaluate our attack against a baseline attack that intuitively provides false input to LDP. The experimental results show that OPA outperforms the baseline on three real-world datasets. We also propose a novel defense method that can recover the result accuracy from polluted data collection and offer insight into the secure LDP design.

翻译：尽管本地差分隐私（LDP）通过防止不可信数据管理者推断个体用户数据来保护隐私，但近期研究表明，攻击者可从用户端发起数据投毒攻击，向LDP协议注入精心构造的虚假数据，从而最大程度地扭曲数据管理者的最终估计结果。本文通过提出一种新的细粒度攻击进一步拓展了这一认知：该攻击允许攻击者同时微调并操纵均值和方差估计——这两者是众多实际应用中常见的分析任务。为达成目标，攻击利用LDP的特性将虚假数据注入本地LDP实例的输出域，我们称之为输出投毒攻击（OPA）。研究发现存在一种安全-隐私一致性现象：较小的隐私损失反而能增强LDP的安全性，这与先前研究揭示的安全-隐私权衡机制相矛盾。我们进一步分析这种一致性，揭示了LDP数据投毒攻击威胁态势的全局图景。针对一种直观通过向LDP提供虚假输入进行攻击的基线方法，我们全面评估了OPA的性能。实验结果表明，在三个真实数据集上，OPA均优于基线方法。同时，我们提出了一种新型防御方法，可从受污染数据收集中恢复结果精度，并为LDP安全设计提供启示。