This paper studies the statistical characterization of detecting an adversary who wants to harm a dataset by altering the output of a differentially private mechanism in addition to discovering some information about such a dataset. An adversary who is able to modify the published information from a differentially private mechanism aims to maximize the possible damage to the system while remaining undetected. We present a trade-off between the privacy parameter of the system, the sensitivity and the attacker’s advantage (the bias) through determining the critical region of the hypothesis testing problem for deciding whether or not the adversary’s attack is detected. Such trade-offs are provided for Laplace mechanisms using both one-sided and two-sided hypothesis tests. Corresponding error probabilities are also presented and numerically evaluated for various levels of the sensitivity, the absolute mean of the attack and privacy parameter. Subsequently, we provide an interval for the bias induced by the adversary for Laplace mechanisms in terms of the error probabilities, global sensitivity of the system and the privacy budget so that the defender detects the attack. Lastly, we derive the Kullback-Leibler differential privacy for the addressed problem.
A statistical threshold for adversarial classification in laplace mechanisms
To be published, 2021
© 2021 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
PERMALINK : https://www.eurecom.fr/publication/6488