Although local differential privacy (LDP) protects individual users' data from inference by an untrusted data curator, recent studies show that an attacker can launch a data poisoning attack from the user side, injecting carefully crafted bogus data into the LDP protocol in order to maximally skew the curator's final estimate. In this work, we further advance this knowledge by proposing a new fine-grained attack that allows the attacker to fine-tune and simultaneously manipulate mean and variance estimation, two analytical tasks that are popular in many real-world applications. To accomplish this goal, the attack leverages the characteristics of LDP to inject fake data into the output domain of the local LDP instance. We call our attack the output poisoning attack (OPA). We observe a security-privacy consistency, where a small privacy loss enhances the security of LDP; this contradicts the security-privacy trade-off known from prior work. We further study this consistency and reveal a more holistic view of the threat landscape of data poisoning attacks on LDP. We comprehensively evaluate our attack against a baseline attack that simply feeds false input to the LDP protocol. The experimental results show that OPA outperforms the baseline on three real-world datasets. We also propose a novel defense method that can recover the result accuracy from a polluted data collection and offer insight into secure LDP design.
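To make the input-versus-output poisoning contrast concrete from the curator's side, the following added example (not code from the paper) simulates the 1-D stochastic rounding (SR) mean-estimation mechanism of Duchi et al. as an assumed target protocol: each honest report is one of two in-domain values, fake reports fed through the randomizer contribute at most 1 in expectation, while a report placed directly in the output domain contributes the full bound C, and an output-domain validity check at the aggregator catches only out-of-domain values. The population values, ε, n and m are constructed.

```python
import math
import random

def sr_bound(eps: float) -> float:
    """Output magnitude C of the 1-D stochastic rounding (SR) mechanism."""
    return (math.exp(eps) + 1) / (math.exp(eps) - 1)

def sr_randomize(x: float, eps: float, rng: random.Random) -> float:
    """Honest local randomizer: x in [-1, 1] -> +C or -C, unbiased (E[output] = x)."""
    c = sr_bound(eps)
    p_pos = 0.5 + x * (math.exp(eps) - 1) / (2 * (math.exp(eps) + 1))
    return c if rng.random() < p_pos else -c

def is_valid_report(v: float, eps: float, tol: float = 1e-9) -> bool:
    """Curator-side check: a report must lie in the protocol's output domain {-C, +C}."""
    return abs(abs(v) - sr_bound(eps)) < tol

def estimate_mean(reports: list[float], eps: float) -> float:
    """Aggregator: drop out-of-domain reports, then average (SR output is already unbiased)."""
    kept = [v for v in reports if is_valid_report(v, eps)]
    return sum(kept) / len(kept)

def expected_shift(m: int, n: int, genuine_mean: float, per_fake: float) -> float:
    """Expected shift of the estimate when m fake reports with expectation per_fake join n genuine ones."""
    return m * (per_fake - genuine_mean) / (n + m)

def simulate(n: int, m: int, eps: float, seed: int = 7) -> dict:
    """Compare a clean estimate with the baseline (input) and output-domain poisoning cases."""
    rng = random.Random(seed)
    c = sr_bound(eps)
    # Constructed genuine population: values in [-1, 1] with mean 0.
    genuine_x = [rng.uniform(-1, 1) for _ in range(n)]
    genuine = [sr_randomize(x, eps, rng) for x in genuine_x]
    # Baseline: fake users feed the extreme input x = 1 through the honest randomizer.
    input_fakes = [sr_randomize(1.0, eps, rng) for _ in range(m)]
    # Output-domain case: fake reports equal the in-domain value +C, so the check cannot flag them.
    output_fakes = [c] * m
    return {
        "C": c,
        "clean": estimate_mean(genuine, eps),
        "input_poisoned": estimate_mean(genuine + input_fakes, eps),
        "output_poisoned": estimate_mean(genuine + output_fakes, eps),
        # An out-of-domain value such as 100.0 is the only kind the domain check rejects.
        "rejected_out_of_domain": not is_valid_report(100.0, eps),
    }
```

Because in-domain fake reports are indistinguishable from honest ones at the aggregator, the domain check alone is not a defense; the per-report influence C versus 1 is the gap a recovery-based defense like the one proposed in the paper has to address.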