
Journal of Software (软件学报) ISSN 1000-9825, CODEN RUXUEW                    E-mail: jos@iscas.ac.cn
2025,36(5):2212−2228 [doi: 10.13328/j.cnki.jos.007179] [CSTR: 32375.14.jos.007179]  http://www.jos.org.cn
© Institute of Software, Chinese Academy of Sciences. All rights reserved.          Tel: +86-10-62562563



Data Poisoning Attacks and Defense Methods for Frequency Estimation in Local Differential Privacy*

WANG Yuan-Yuan 1, ZHU You-Wen 1, WU Qi-Hui 2, WANG Wei 2, WANG Jian 1

1 (College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)
2 (College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)
Corresponding author: ZHU You-Wen, E-mail: zhuyw@nuaa.edu.cn

Abstract: Local differential privacy (LDP) is widely used to collect and analyze sensitive data while protecting user privacy, but it is also vulnerable to data poisoning attacks by malicious users. The k-subset mechanism and the wheel mechanism are the LDP frequency estimation schemes with optimal utility; however, their resistance to data poisoning attacks has not been analyzed or evaluated in depth. This paper therefore designs data poisoning attacks against the k-subset mechanism and the wheel mechanism in order to assess their resistance to such attacks. It first discusses the random perturbed-value attack and the random item attack, and then constructs maximal gain attacks against the two mechanisms: an attacker uses fake users to send carefully crafted poisoning data to the data collector so as to raise the estimated frequencies of the attacker's chosen target items as much as possible. The attack gains are rigorously analyzed and compared in theory, and the effects of the attacks are evaluated experimentally, showing their impact on both mechanisms. Finally, defensive measures are proposed that mitigate the effects of data poisoning attacks.
Key words: local differential privacy; data poisoning attack; defense; k-subset mechanism; wheel mechanism
CLC number: TP309


Chinese citation format: Wang YY, Zhu YW, Wu QH, Wang W, Wang J. Data Poisoning Attacks and Defense Methods for Frequency Estimation in Local Differential Privacy. Journal of Software, 2025, 36(5): 2212–2228 (in Chinese). http://www.jos.org.cn/1000-9825/7179.htm
English citation format: Wang YY, Zhu YW, Wu QH, Wang W, Wang J. Data Poisoning Attacks and Defense Methods for Frequency Estimation in Local Differential Privacy. Ruan Jian Xue Bao/Journal of Software, 2025, 36(5): 2212–2228 (in Chinese). http://www.jos.org.cn/1000-9825/7179.htm

Data Poisoning Attacks and Defense Methods for Frequency Estimation in Local Differential Privacy

WANG Yuan-Yuan 1, ZHU You-Wen 1, WU Qi-Hui 2, WANG Wei 2, WANG Jian 1

1 (College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)
2 (College of Electronic and Information Engineering, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China)
Abstract: Local differential privacy (LDP) is widely used to collect and analyze sensitive data while protecting user privacy. However, it is vulnerable to data poisoning attacks by malicious users. The k-subset mechanism and the wheel mechanism are LDP schemes with optimal utility for frequency estimation. Yet, their resistance to data poisoning attacks lacks in-depth analysis and evaluation. Therefore, data poisoning attack methods are designed to assess the resistance to data poisoning attacks of both the k-subset mechanism and the wheel mechanism. First, the random perturbed-value attack and random item attack are discussed, and then the maximal gain attack methods against the k-subset mechanism and the wheel mechanism are constructed. The attack methods can be exploited to maximize the frequencies of target items selected by attackers, which is achieved by sending carefully crafted poisoning data to the data collector via fake users. Theoretically, the attack gains are rigorously analyzed and compared, and the effects of data poisoning attacks are experimentally evaluated, demonstrating their impact on the k-subset mechanism and the wheel mechanism. Finally, defensive measures are proposed to mitigate the effects of data poisoning attacks.
Key words: local differential privacy (LDP); data poisoning attack; defense; k-subset mechanism; wheel mechanism
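The attack the abstract describes, as an added example that is not part of the paper and not the authors' code: a simulation of fake-user poisoning against k-subset frequency estimation. It assumes the standard k-subset mechanism (each user reports a random k-subset of the domain, keeping the true item with probability k·e^ε/(k·e^ε + d − k)) and its usual unbiased estimator, and it implements the three attacker strategies the abstract names in a simple form: random perturbed-value (a uniformly random k-subset), random item (honest perturbation of the target) and a maximal gain rule in which every fake report contains the target. The wheel mechanism is not modelled, and the domain size, ε, user counts and population are constructed values.

```python
"""Fake-user poisoning of k-subset LDP frequency estimation (added example).

Assumed, not taken from the page: the standard k-subset mechanism and its
unbiased frequency estimator; every number below is a constructed value.
"""
import math
import random
from collections import Counter


def ksubset_probs(d, k, eps):
    """p = P(v in report | user holds v); q = P(v in report | user holds x != v)."""
    p = k * math.exp(eps) / (k * math.exp(eps) + d - k)   # true item is kept
    q = (k - p) / (d - 1)                                 # any other item is drawn
    return p, q


def perturb(x, d, k, eps, rng):
    """Honest k-subset report of item x from the domain range(d)."""
    p, _ = ksubset_probs(d, k, eps)
    others = [v for v in range(d) if v != x]
    if rng.random() < p:
        return frozenset([x] + rng.sample(others, k - 1))
    return frozenset(rng.sample(others, k))


def estimate(reports, d, k, eps):
    """Unbiased frequency estimate per item; the collector cannot tell fake reports from honest ones."""
    p, q = ksubset_probs(d, k, eps)
    counts = Counter(v for r in reports for v in r)
    n = len(reports)
    return {v: (counts[v] / n - q) / (p - q) for v in range(d)}


def fake_report(kind, target, d, k, eps, rng):
    """One fake user's report under each of the three attacker strategies."""
    if kind == "perturbed":          # random perturbed-value: any k-subset
        return frozenset(rng.sample(range(d), k))
    if kind == "item":               # random item: run the mechanism honestly on the target
        return perturb(target, d, k, eps, rng)
    if kind == "mga":                # maximal gain: the target is always reported
        others = [v for v in range(d) if v != target]
        return frozenset([target] + rng.sample(others, k - 1))
    raise ValueError(kind)


def expected_gain(kind, n, m, d, k, eps, f_t):
    """Expected rise of the target's estimate, from E[count] in estimate().

    Each fake report is worth `worth` honest reports of the target:
    perturbed 1/d, item exactly 1, mga (1-q)/(p-q) which exceeds 1.
    """
    p, q = ksubset_probs(d, k, eps)
    worth = {"perturbed": (k / d - q) / (p - q),
             "item": 1.0,
             "mga": (1 - q) / (p - q)}[kind]
    beta = m / (n + m)               # fraction of fake users among all reports
    return beta * (worth - f_t)


def simulate(kind, n, m, d, k, eps, items, target, seed=0):
    """Return (true frequency, poisoned estimate) of the target for one attack kind."""
    rng = random.Random(seed)        # same seed => identical honest reports across kinds
    honest = [perturb(x, d, k, eps, rng) for x in items]
    fakes = [fake_report(kind, target, d, k, eps, rng) for _ in range(m)]
    f_t = items.count(target) / len(items)
    return f_t, estimate(honest + fakes, d, k, eps)[target]


def demo(seed=0):
    """Constructed scenario: d=16, k=4, eps=1, 20000 genuine users, 1000 fake users (4.8%)."""
    d, k, eps, n, m, target = 16, 4, 1.0, 20000, 1000, 7
    rng = random.Random(seed)
    others = [v for v in range(d) if v != target]
    items = [target] * 1000 + [rng.choice(others) for _ in range(n - 1000)]  # true f_t = 0.05
    out = {}
    for kind in ("perturbed", "item", "mga"):
        f_t, est = simulate(kind, n, m, d, k, eps, items, target, seed)
        out[kind] = (est - f_t, expected_gain(kind, n, m, d, k, eps, f_t))
    return out


if __name__ == "__main__":
    for kind, (sim, exp) in demo().items():
        print(f"{kind:>9}: simulated gain {sim:+.4f}, expected {exp:+.4f}")
```

The closed form in `expected_gain` is what makes the comparison concrete: a random perturbed-value report contributes only 1/d of an honest target report, a random item report contributes exactly one, and a crafted maximal gain report contributes (1 − q)/(p − q), which grows as ε shrinks because the estimator divides by p − q. With under 5% fake users in this scenario the crafted attack lifts a 5% item to roughly 20%, while random perturbed values move it by well under a tenth of a point.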


* Funding: National Key Research and Development Program of China (2021YFB3100400)
Received 2023-08-02; revised 2023-10-12; accepted 2024-03-05; published online in JOS 2024-08-21
CNKI online first 2024-08-22