DOI: 10.1145/3658644.3670298
research-article

Data Poisoning Attacks to Locally Differentially Private Frequent Itemset Mining Protocols

Published: 09 December 2024

Abstract

Local differential privacy (LDP) provides a way for an untrusted data collector to aggregate users' data without violating their privacy. Various privacy-preserving data analysis tasks have been studied under the protection of LDP, such as frequency estimation, frequent itemset mining, and machine learning. Despite its privacy-preserving properties, recent research has demonstrated the vulnerability of certain LDP protocols to data poisoning attacks. However, existing data poisoning attacks are focused on basic statistics under LDP, such as frequency estimation and mean/variance estimation. As an important data analysis task, the security of LDP frequent itemset mining has yet to be thoroughly examined. In this paper, we aim to address this issue by presenting novel and practical data poisoning attacks against LDP frequent itemset mining protocols. By introducing a unified attack framework with composable attack operations, our data poisoning attack can successfully manipulate the state-of-the-art LDP frequent itemset mining protocols and has the potential to be adapted to other protocols with similar structures. We conduct extensive experiments on three datasets to compare the proposed attack with four baseline attacks. The results demonstrate the severity of the threat and the effectiveness of the proposed attack.

    Published In

    CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
    December 2024
    5188 pages
    ISBN:9798400706363
    DOI:10.1145/3658644

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. frequent itemset mining
    2. local differential privacy
    3. poisoning attack

    Qualifiers

    • Research-article

    Conference

    CCS '24

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 178
    • Downloads (Last 12 months): 178
    • Downloads (Last 6 weeks): 59
    Reflects downloads up to 02 Mar 2025
