This paper studies the statistical characterization of detecting an adversary who seeks to harm a computation, such as a machine learning model or an aggregate statistic, by altering the output of a differentially private mechanism, in addition to discovering information about the underlying dataset. An adversary who is able to modify the information published by a differentially private mechanism aims to maximize the damage to the system while remaining undetected. We present a trade-off between the privacy parameter of the system, the sensitivity, and the attacker's advantage (the bias) by determining the threshold of the best critical region of the hypothesis testing problem that decides whether or not the adversary's attack is detected. Such trade-offs are provided for the Laplace mechanism using one-sided and two-sided hypothesis tests. The corresponding error probabilities are derived analytically, and ROC curves are presented for various levels of the sensitivity, the absolute mean of the attack, and the privacy parameter. Subsequently, we provide an interval for the bias induced by the adversary such that the defender detects the attack. Finally, we adapt Kullback-Leibler differential privacy to adversarial classification.
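To make the setup concrete, the following minimal sketch (not from the paper; the parameter values, the threshold grid, and the Monte Carlo approach are illustrative assumptions) simulates a Laplace mechanism whose output is shifted by an adversarial bias and applies a one-sided threshold test, estimating the false-alarm and detection probabilities that trace out an ROC curve.

```python
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical parameters: sensitivity, privacy parameter, adversarial bias.
sensitivity = 1.0
epsilon = 0.5
scale = sensitivity / epsilon   # Laplace noise scale of the mechanism
mu = 2.0                        # bias induced by the adversary (attacker's advantage)
n = 100_000                     # Monte Carlo samples

true_value = 0.0                # query answer f(D), taken as 0 for illustration

# H0: output of the honest Laplace mechanism; H1: adversary shifts the output by mu.
h0 = true_value + rng.laplace(loc=0.0, scale=scale, size=n)
h1 = h0 + mu

# One-sided test: declare an attack when the observed output exceeds a threshold tau.
for tau in np.linspace(0.0, 8.0, 9):
    false_alarm = np.mean(h0 > tau)   # P(reject H0 | no attack)
    detection = np.mean(h1 > tau)     # P(reject H0 | attack), i.e., the power
    print(f"tau={tau:4.1f}  P_FA={false_alarm:.3f}  P_D={detection:.3f}")
```

Sweeping the threshold tau and plotting the estimated detection probability against the false-alarm probability yields an empirical ROC curve, which can be compared across different values of the sensitivity, the bias, and the privacy parameter as discussed above.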