What scenario does the simple attack represent? #245
-
Hi, I have been exploring differential privacy and trying out the simple attack. I am wondering about the significance of the simple attacks presented in the attack notebook at opendp/smartnoise-samples/attacks/ and what real-life scenario this could represent? How could it be expanded into a more sophisticated attack? Thanks
-
Hi Kratos,
There are many more resources out there that bring this technique into more specialized niches, and it seems like everyone has a use-case once they have access to private data. There are also a ton of sequestered datasets out there that would have collective benefits if people with access to the data and access to the right DP tooling were to create differentially private releases.
You also asked about more sophisticated attacks. This paper from Cynthia Dwork et al. discusses some additional attacks. In addition, this paper talks about membership inference attacks specifically for machine learning.
-
I'd like to join this discussion if I may!
I am familiar with the example in the "simple attack" notebook. In the notebook you allow the query to be run 10k times to demonstrate that even after that many examples, the attacker doesn't get the true POI salary. In the comments you say that the attacker in fact could only run the query once (using their epsilon of 1).
How do you prevent them from running the query more than once? I guess my question is how do you actually enforce the budget? For example I might ask a very slightly different query each time (e.g. removing some other person from the data each time). How do you monitor that? It feels like I am missing a fundamental part of how SmartNoise works!
Thanks and congratulations on the great work so far
Tom
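One way a query service can enforce the budget asked about above, as an added example that is not code from the notebook or from SmartNoise. The names `BudgetedMean` and `run_repeated_queries`, the salary values and the bounds are constructed for illustration; it assumes sequential composition (the epsilons of successive releases add up) and a server-side ledger the analyst cannot reset.

```python
import random

class BudgetExceeded(Exception):
    """Raised when a query would spend more epsilon than the analyst has left."""

class BudgetedMean:
    """Hypothetical query endpoint: Laplace-noised mean plus an epsilon ledger."""

    def __init__(self, values, lower, upper, total_epsilon, seed=None):
        # Clamp to public bounds so one row moves the mean by a bounded amount.
        self._values = [min(max(v, lower), upper) for v in values]
        self._width = upper - lower
        self.remaining = total_epsilon
        self._rng = random.Random(seed)

    def noisy_mean(self, epsilon, exclude=None):
        """Mean of all rows (optionally leaving one out), charged at `epsilon`."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            raise BudgetExceeded(f"asked {epsilon}, only {self.remaining} left")
        # Debit before computing: the charge is per release, not per distinct
        # query text, so rewording or re-filtering the query does not reset it.
        self.remaining -= epsilon
        rows = [v for i, v in enumerate(self._values) if i != exclude]
        # Assumed sensitivity of a bounded mean over a known row count.
        scale = self._width / (len(rows) * epsilon)
        # Difference of two exponentials is Laplace(0, scale).
        noise = self._rng.expovariate(1 / scale) - self._rng.expovariate(1 / scale)
        return sum(rows) / len(rows) + noise

def run_repeated_queries(total_epsilon, per_query_epsilon, attempts):
    """Try `attempts` slightly different queries; return (answered, refused, left)."""
    salaries = [52_000, 61_000, 48_000, 75_000, 58_000]  # constructed sample data
    endpoint = BudgetedMean(salaries, 0, 100_000, total_epsilon, seed=7)
    answered = refused = 0
    for i in range(attempts):
        try:
            endpoint.noisy_mean(per_query_epsilon, exclude=i % len(salaries))
            answered += 1
        except BudgetExceeded:
            refused += 1
    return answered, refused, endpoint.remaining

if __name__ == "__main__":
    print(run_repeated_queries(1.0, 1.0, 10_000))   # whole budget on one query
    print(run_repeated_queries(1.0, 0.25, 10_000))  # budget split four ways
```

Splitting the budget buys more answers, but each is noisier (the Laplace scale grows as the per-query epsilon shrinks), so the total information released stays bounded by the same epsilon.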