Recent studies reveal that local differential privacy (LDP) protocols are vulnerable to data poisoning attacks, in which an attacker manipulates the final estimate on the server by exploiting the characteristics of LDP and sending carefully crafted data from a small fraction of controlled local clients. This vulnerability raises concerns about the robustness and reliability of LDP in hostile environments. In this paper, we conduct a systematic investigation of the robustness of state-of-the-art LDP protocols for numerical attributes, i.e., categorical frequency oracles (CFOs) with binning and consistency, and distribution reconstruction. We evaluate protocol robustness through an attack-driven approach and propose new metrics for measuring attack gain across protocols. The results indicate that Square Wave and CFO-based protocols in the Server setting are more robust against the attack than CFO-based protocols in the User setting. Our evaluation also reveals new relationships between LDP security and its inherent design choices: we find that the hash domain size in local-hashing-based LDP has a profound impact on protocol robustness beyond its well-known effect on utility. Further, we propose a zero-shot attack detection method that leverages the rich information in the reconstructed distribution. Experiments show that our detection significantly improves on existing methods and effectively identifies data manipulation in challenging scenarios.
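To make the abstract's objects concrete, the following is an added example (written for this page, not code from the paper or its authors) of a binned categorical frequency oracle for a numerical attribute using generalized randomized response (GRR): the client-side perturbation, the server's unbiased estimator, a simple consistency post-processing step (clip negatives and renormalize), and a per-report influence bound, i.e. the largest shift a single report can cause in one bin's raw estimate. That bound is a simple illustration of why the estimator's `p - q` gap governs how much leverage a small set of clients has, and why the hash domain size `g` in OLH matters for robustness; it is not the paper's attack-gain metric. The population, the seed and all parameter values are constructed for the example.

```python
"""Binned GRR frequency oracle with server-side estimator, consistency
post-processing, and a per-report influence bound.

Added example for illustration; not the paper's code. All data is constructed."""
import math
import random


def bin_index(x: float, k: int) -> int:
    """Map a value x in [0, 1) to one of k equal-width bins."""
    return min(int(x * k), k - 1)


def grr_probs(eps: float, k: int):
    """GRR keeps the true bin with probability p and reports each other bin with q."""
    p = math.exp(eps) / (math.exp(eps) + k - 1)
    q = 1.0 / (math.exp(eps) + k - 1)
    return p, q


def grr_perturb(true_bin: int, eps: float, k: int, rng: random.Random) -> int:
    """Client side: randomize the true bin before it leaves the device."""
    p, _ = grr_probs(eps, k)
    if rng.random() < p:
        return true_bin
    other = rng.randrange(k - 1)          # uniform over the k-1 other bins
    return other if other < true_bin else other + 1


def grr_estimate(reports, eps: float, k: int):
    """Server side: unbiased per-bin frequency estimate from perturbed reports."""
    n = len(reports)
    p, q = grr_probs(eps, k)
    counts = [0] * k
    for r in reports:
        counts[r] += 1
    return [(c / n - q) / (p - q) for c in counts]


def make_consistent(est):
    """Consistency post-processing: clip negatives and renormalize to sum to 1."""
    clipped = [max(0.0, f) for f in est]
    total = sum(clipped)
    if total == 0:
        return [1.0 / len(est)] * len(est)
    return [f / total for f in clipped]


def per_report_influence_grr(n: int, eps: float, k: int) -> float:
    """Max shift one report can cause in a bin's raw GRR estimate: 1 / (n (p - q))."""
    p, q = grr_probs(eps, k)
    return 1.0 / (n * (p - q))


def per_report_influence_olh(n: int, eps: float, g: int) -> float:
    """Same bound for OLH with hash domain size g, where p = e^eps/(e^eps+g-1), q = 1/g."""
    p = math.exp(eps) / (math.exp(eps) + g - 1)
    q = 1.0 / g
    return 1.0 / (n * (p - q))


def simulate(n: int = 100000, k: int = 10, eps: float = 1.0, seed: int = 7):
    """Run the protocol end to end on a constructed population; returns
    (true frequencies, raw estimate, consistent estimate)."""
    rng = random.Random(seed)
    # Constructed population: values concentrated in the lower half of [0, 1).
    values = [min(rng.betavariate(2, 5), 0.999999) for _ in range(n)]
    true_bins = [bin_index(v, k) for v in values]
    true_freq = [true_bins.count(b) / n for b in range(k)]
    reports = [grr_perturb(b, eps, k, rng) for b in true_bins]
    raw = grr_estimate(reports, eps, k)
    return true_freq, raw, make_consistent(raw)


if __name__ == "__main__":
    true_freq, raw, cons = simulate()
    for b, (t, r, c) in enumerate(zip(true_freq, raw, cons)):
        print(f"bin {b}: true={t:.3f} raw={r:.3f} consistent={c:.3f}")
    print("GRR influence per report:", per_report_influence_grr(100000, 1.0, 10))
    for g in (2, 4, 8, 16):
        print(f"OLH g={g}: influence per report", per_report_influence_olh(100000, 1.0, g))
```

Running it shows the raw estimate tracking the true histogram up to sampling noise, the consistent estimate as a proper distribution, and the per-report influence growing as `p - q` shrinks, which for OLH happens as `g` moves away from its utility-optimal value; the influence bound is per bin, so a report that supports several bins at once (as in OLH) moves each of them by at most that amount.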