Recent studies reveal that local differential privacy (LDP) protocols are vulnerable to data poisoning attacks, in which an attacker manipulates the final estimate on the server by exploiting the characteristics of LDP and sending carefully crafted data from a small fraction of controlled local clients. This vulnerability raises concerns about the robustness and reliability of LDP in hostile environments. In this paper, we conduct a systematic investigation of the robustness of state-of-the-art LDP protocols for numerical attributes, i.e., categorical frequency oracles (CFOs) with binning and consistency, and distribution reconstruction. We evaluate protocol robustness through an attack-driven approach and propose new metrics for measuring attack gain across protocols. The results indicate that Square Wave and CFO-based protocols in the Server setting are more robust against the attack than CFO-based protocols in the User setting. Our evaluation also reveals new relationships between LDP security and its inherent design choices. We found that the hash domain size in local-hashing-based LDP has a profound impact on protocol robustness beyond its well-known effect on utility. Further, we propose a zero-shot attack detection method that leverages the rich information in the reconstructed distribution. The experiments show that our detection significantly improves on existing methods and effectively identifies data manipulation in challenging scenarios.