LG, Apr 27
Mitigating Error Amplification in Fast Adversarial Training
Mengnan Zhao, Lihe Zhang, Bo Wang et al.
Fast Adversarial Training (FAT) has proven effective in enhancing model robustness by encouraging networks to learn perturbation-invariant representations. However, FAT often suffers from catastrophic overfitting (CO), where the model overfits to the training attack and fails to generalize to unseen ones. Moreover, robustness-oriented optimization typically leads to notable performance degradation on clean inputs, and such degradation becomes increasingly severe as the perturbation budget grows. In this work, we conduct a comprehensive analysis of how guidance strength affects model performance by modulating perturbation and supervision levels across distinct confidence groups. The findings reveal that low-confidence samples are the primary contributors to CO and the robustness-accuracy trade-off. Building on this insight, we propose a Distribution-aware Dynamic Guidance (DDG) strategy that dynamically adjusts both the perturbation budget and the supervision signal. Specifically, DDG scales the perturbation magnitude according to the sample confidence at the ground-truth class, thereby guiding samples toward consistent decision boundaries while mitigating the influence of learning spurious correlations. Simultaneously, it dynamically adjusts the supervision signal based on the prediction state of each sample, preventing overemphasis on incorrect signals. To alleviate potential gradient instability arising from dynamic guidance, we further design a weighted regularization constraint. Extensive experiments on standard benchmarks demonstrate that DDG effectively alleviates both CO and the robustness-accuracy trade-off.
CR, Nov 24, 2024
Hide in Plain Sight: Clean-Label Backdoor for Auditing Membership Inference
Depeng Chen, Hao Chen, Hulin Jin et al.
Membership inference attacks (MIAs) are critical tools for assessing privacy risks and ensuring compliance with regulations like the General Data Protection Regulation (GDPR). However, their potential for auditing unauthorized use of data remains underexplored. To bridge this gap, we propose a novel clean-label backdoor-based approach for MIAs, designed specifically for robust and stealthy data auditing. Unlike conventional methods that rely on detectable poisoned samples with altered labels, our approach retains natural labels, enhancing stealthiness even at low poisoning rates. Our approach employs an optimal trigger generated by a shadow model that mimics the target model's behavior. This design minimizes the feature-space distance between triggered samples and the source class while preserving the original data labels. The result is a powerful and undetectable auditing mechanism that overcomes limitations of existing approaches, such as label inconsistencies and visual artifacts in poisoned samples. The proposed method enables robust data auditing through black-box access, achieving high attack success rates across diverse datasets and model architectures. Additionally, it addresses challenges related to trigger stealthiness and poisoning durability, establishing itself as a practical and effective solution for data auditing. Comprehensive experiments validate the efficacy and generalizability of our approach, outperforming several baseline methods in both stealth and attack success metrics.
LG, Nov 17, 2024
CLMIA: Membership Inference Attacks via Unsupervised Contrastive Learning
Depeng Chen, Xiao Liu, Jie Cui et al.
Since a machine learning model is often trained on a limited data set, the model is trained multiple times on the same data samples, which causes the model to memorize most of the training set data. Membership Inference Attacks (MIAs) exploit this feature to determine whether a data sample was used for training a machine learning model. However, in realistic scenarios, it is difficult for the adversary to obtain enough qualified samples that carry accurate membership information, especially since most samples are non-members in real-world applications. To address this limitation, in this paper we propose a new attack method called CLMIA, which uses unsupervised contrastive learning to train an attack model without using extra membership status information. Meanwhile, in CLMIA, we require only a small amount of data with known membership status to fine-tune the attack model. Experimental results demonstrate that CLMIA performs better than existing attack methods for different datasets and model structures, especially with data that has less labeled membership information. In addition, we experimentally find that the attack performs differently for different proportions of labeled membership information for member and non-member data. Further analysis shows that our attack method performs better with less labeled membership information, which applies to more realistic scenarios.
CR, Feb 1, 2021
DPIVE: A Regionalized Location Obfuscation Scheme with Personalized Privacy Levels
Shun Zhang, Pengfei Lan, Benfei Duan et al.
The popularity of cyber-physical systems is fueling the rapid growth of location-based services. This poses the risk of location privacy disclosure. Effective privacy preservation is foremost for various mobile applications. Recently, geo-indistinguishability and expected inference error have been proposed for limiting location leakage. In this paper, we argue that personalization means regionalization for geo-indistinguishability, and we propose a regionalized location obfuscation mechanism called DPIVE with personalized utility sensitivities. This substantially corrects the differential and distortion privacy problem of the PIVE framework proposed by Yu et al. at NDSS 2017. We develop DPIVE in two phases. In Phase I, we determine disjoint sets by partitioning all possible positions such that different locations in the same set share the same Protection Location Set (PLS). In Phase II, we construct a probability distribution matrix in which the rows corresponding to the same PLS have their own sensitivity of utility (PLS diameter). Moreover, by designing a QK-means algorithm for a larger search space in 2-D space, we improve DPIVE with refined location partitioning and present fine-grained personalization, enabling each location to have its own privacy level endowed with a customized privacy budget. Experiments with two public datasets demonstrate that our mechanisms have superior performance, typically on skewed locations.
CR, Oct 3, 2020
Utility-efficient Differentially Private K-means Clustering based on Cluster Merging
Tianjiao Ni, Minghao Qiao, Zhili Chen et al.
Differential privacy is widely used in data analysis. State-of-the-art $k$-means clustering algorithms with differential privacy typically add an equal amount of noise to centroids for each iterative computation. In this paper, we propose a novel differentially private $k$-means clustering algorithm, DP-KCCM, that significantly improves the utility of clustering by adding adaptive noise and merging clusters. Specifically, to obtain $k$ clusters with differential privacy, the algorithm first generates $n \times k$ initial centroids, adds adaptive noise for each iteration to get $n \times k$ clusters, and finally merges these clusters into $k$ ones. We theoretically prove the differential privacy of the proposed algorithm. Surprisingly, extensive experimental results show that: 1) cluster merging with equal amounts of noise improves the utility somewhat; 2) although adding adaptive noise only does not improve the utility, combining both cluster merging and adaptive noise further improves the utility significantly.
CR, Aug 8, 2020
A Differentially Private Framework for Spatial Crowdsourcing with Historical Data Learning
Shun Zhang, Benfei Duan, Zhili Chen et al.
Spatial crowdsourcing (SC) is an increasingly popular category of crowdsourcing in the era of the mobile Internet and the sharing economy. It requires workers to arrive at a particular location for task fulfillment. Effective protection of location privacy is essential for workers' enthusiasm and valid task assignment. However, existing SC models with differential privacy usually perturb real-time location data for both partitioning and data publication. Such an approach may produce large perturbations to counting queries, which affect the assignment success rate and allocation accuracy. This paper proposes a framework (R-HT) for protecting the location privacy of workers that takes advantage of both real-time and historical data. We simulate locations by sampling the probability distribution learned from historical data, use them for grid partitioning, and then publish real-time data under this partitioning with differential privacy. This ensures that most of the privacy budget is allocated to the worker count of each cell and yields an improved Private Spatial Decomposition approach. Moreover, we introduce some strategies for geocast region construction, including a quality scoring function and a local maximum geocast radius. A series of experimental results on real-world datasets shows that R-HT attains a stable success rate of task assignment, saves performance overhead and fits dynamic assignment on crowdsourcing platforms.
CR, Jan 3, 2020
Fair Auction and Trade Framework for Cloud VM Allocation based on Blockchain
Zhili Chen, Wei Ding, Yan Xu et al.
Cloud auctions provide cost-effective strategies for cloud VM allocation. Most existing cloud auctions simply assume that the auctioneer is trustable, and thus the fairness of auctions can be easily achieved. However, in fact, such a trustable auctioneer may not exist, and the fairness is non-trivial to guarantee. In this work, for the first time, we propose a decentralized cloud VM auction and trade framework based on blockchain. We realize both auction fairness and trade fairness among participants (e.g., cloud provider and cloud users) in this system, which guarantees the interest of each party will not suffer any loss as long as it follows the protocol. Furthermore, we implement our system through the local blockchain and Ethereum official test blockchain, carry out experimental simulations, and demonstrate the feasibility of our system.
CR, Jan 3, 2020
Differentially Private Combinatorial Cloud Auction
Tianjiao Ni, Zhili Chen, Lin Chen et al.
Cloud service providers typically provide different types of virtual machines (VMs) to cloud users with various requirements. Thanks to its effectiveness and fairness, auction has been widely applied in this heterogeneous resource allocation. Recently, several strategy-proof combinatorial cloud auction mechanisms have been proposed. However, they fail to protect the bid privacy of users from being inferred from the auction results. In this paper, we design a differentially private combinatorial cloud auction mechanism (DPCA) to address this privacy issue. Technically, we employ the exponential mechanism to compute a clearing unit price vector with a probability proportional to the corresponding revenue. We further improve the mechanism to reduce the running time while maintaining high revenues, by computing a single clearing unit price, or a subgroup of clearing unit prices at a time, resulting in the improved mechanisms DPCA-S and its generalized version DPCA-M, respectively. We theoretically prove that our mechanisms can guarantee differential privacy, approximate truthfulness and high revenue. Extensive experimental results demonstrate that DPCA can generate near-optimal revenues at the price of relatively high time complexity, while the improved mechanisms achieve a tunable trade-off between auction revenue and running time.
CR, Sep 17, 2019
Privacy-preserving Double Auction Mechanism Based on Homomorphic Encryption and Sorting Networks
Yin Xu, Zhili Chen, Hong Zhong
As an effective resource allocation approach, double auctions (DAs) have been extensively studied in electronic commerce. Most previous studies have focused on how to design strategy-proof DA mechanisms, while not much research effort has been devoted to privacy and security issues. However, security, and especially privacy, issues have become such a public concern that European governments have recently laid down laws to enforce privacy guarantees. In this paper, to address the privacy issue in electronic auctions, we concentrate on how to design a privacy-preserving mechanism for double auctions by employing Goldwasser-Micali homomorphic encryption and sorting networks. We achieve provable privacy such that the auctions do not reveal any bid information except the auction results, resulting in a strict privacy guarantee. Moreover, to achieve practical system performance, we compare different sorting algorithms and suggest using the faster ones. Experimental results show that different sorting algorithms may have a great effect on the performance of our mechanism, and demonstrate the practicality of our protocol for real-world applications in electronic commerce.
CR, Aug 10, 2019
Differentially Private Aggregated Mobility Data Publication Using Moving Characteristics
Zhili Chen, Xiaoli Kan, Shun Zhang et al.
With the rapid development of GPS-enabled devices (smartphones) and location-based applications, location privacy is of increasing concern. Intuitively, it is widely believed that location privacy can be preserved by publishing aggregated mobility data, such as the number of users in an area at some time. However, a recent attack shows that these aggregated mobility data can be exploited to recover individual trajectories. In this paper, we first propose two differentially private basic schemes for aggregated mobility data publication, namely direct perturbation and threshold perturbation, which preserve the location privacy of users and in particular resist the trajectory recovery attack. Then, we explore the moving characteristics of mobile users and design an improved scheme named static hybrid perturbation by combining the two basic schemes according to the moving characteristics. Since static hybrid perturbation works only for static data, which are entirely available before publishing, we further adapt the static hybrid perturbation by combining it with linear regression, yielding another improved scheme named dynamic hybrid perturbation. The dynamic hybrid perturbation also works for dynamic data, which are generated on the fly during publication. Privacy analysis shows that the proposed schemes achieve differential privacy. Extensive experiments on both simulated and real datasets demonstrate that all proposed schemes resist the trajectory recovery attack well, and the improved schemes significantly outperform the basic schemes.
CR, Dec 5, 2018
Differentially Private User-based Collaborative Filtering Recommendation Based on K-means Clustering
Zhili Chen, Yu Wang, Shun Zhang et al.
Collaborative filtering (CF) recommendation algorithms are well known for their outstanding recommendation performance, but previous research showed that they could cause privacy leakage for users due to k-nearest neighbor (KNN) attacks. Recently, the notion of differential privacy (DP) has been applied to privacy preservation for collaborative filtering recommendation algorithms. However, as far as we know, existing differentially private CF recommendation schemes degrade the recommendation performance (such as recall and precision) to an unacceptable level. In this paper, in order to address the performance degradation problem, we propose a differentially private user-based collaborative filtering recommendation scheme based on k-means clustering (KDPCF). Specifically, to improve the recommendation performance, we first cluster the dataset into categories by k-means clustering and appropriately adjust the size of the target category to which the target user belongs, so that only users in the well-sized target category can be used for recommendations. Then we efficiently select a set of neighbors from the target category at one time by employing only one exponential mechanism instead of the composition of multiple ones, and base recommendations on that neighbor set. We theoretically prove that our scheme achieves differential privacy. Empirically, we use the MovieLens dataset to evaluate our recommendation system. The experimental results demonstrate a significant performance gain compared to existing schemes.
CR, Oct 19, 2018
Probabilistic Matrix Factorization with Personalized Differential Privacy
Shun Zhang, Laixiang Liu, Zhili Chen et al.
Probabilistic matrix factorization (PMF) plays a crucial role in recommendation systems. It requires a large amount of user data (such as user shopping records and movie ratings) to predict personal preferences, and thereby provides users with high-quality recommendation services, which exposes users to the risk of privacy leakage. Differential privacy, as a provable privacy protection framework, has been applied widely to recommendation systems. It is common that different individuals have different levels of privacy requirements on items. However, traditional differential privacy can only provide a uniform level of privacy protection for all users. In this paper, we mainly propose a probabilistic matrix factorization recommendation scheme with personalized differential privacy (PDP-PMF). It aims to meet users' privacy requirements specified at the item level instead of giving the same level of privacy guarantee to all. We then develop a modified sampling mechanism (with bounded differential privacy) for achieving PDP. We also perform a theoretical analysis of the PDP-PMF scheme and demonstrate the privacy of the PDP-PMF scheme. In addition, we implement the probabilistic matrix factorization schemes both with traditional and with personalized differential privacy (DP-PMF, PDP-PMF) and compare them through a series of experiments. The results show that the PDP-PMF scheme performs well in protecting the privacy of each user, and its recommendation quality is much better than that of the DP-PMF scheme.
CR, Oct 19, 2018
PP-MCSA: Privacy Preserving Multi-Channel Double Spectrum Auction
Zhili Chen, Sheng Chen, Hong Zhong et al.
Auction is widely regarded as an effective way to redistribute spectrum dynamically. Recently, considerable research effort has been devoted to designing privacy-preserving spectrum auctions in a variety of auction settings. However, none of the existing work has addressed the privacy issue in the most generic scenario, double spectrum auctions where each seller sells multiple channels and each buyer buys multiple channels. To fill this gap, in this paper we propose PP-MCSA, a Privacy Preserving mechanism for Multi-Channel double Spectrum Auctions. Technically, by leveraging garbled circuits, we manage to protect the privacy of both sellers' requests and buyers' bids in multi-channel double spectrum auctions. As far as we know, PP-MCSA is the first privacy-preserving solution for multi-channel double spectrum auctions. We further theoretically demonstrate the privacy guarantee of PP-MCSA, and extensively evaluate its performance via experiments. Experimental results show that PP-MCSA incurs only moderate communication and computation overhead.
CR, Oct 18, 2018
Making Double Spectrum Auction Practical: Both Privacy and Efficiency Matter
Zhili Chen, Xuemei Wei, Hong Zhong et al.
Truthful spectrum auction is believed to be an effective method for spectrum redistribution. However, privacy concerns have largely hampered the practical applications of truthful spectrum auctions. In this paper, to make the applications of double spectrum auctions practical, we present a privacy-preserving and socially efficient double spectrum auction design, SDSA. Specifically, by combining three security techniques: homomorphic encryption, secret sharing and garbled circuits, we design a secure two-party protocol computing a socially efficient double spectrum auction, TDSA, without leaking any information about sellers' requests or buyers' bids beyond the auction outcome. We give the formal security definition in our context, and theoretically prove the security that our design achieves. Experimental results show that our design is also efficient in performance, even for large-scale double spectrum auctions.
CR, Oct 18, 2018
Differentially Private Double Spectrum Auction with Approximate Social Welfare Maximization
Zhili Chen, Tianjiao Ni, Hong Zhong et al.
Spectrum auction is an effective approach to improving spectrum utilization by leasing idle spectrum from primary users to secondary users. Recently, a few differentially private spectrum auction mechanisms have been proposed, but, as far as we know, none of them addressed differential privacy in the setting of double spectrum auctions. In this paper, we combine the concept of differential privacy with double spectrum auction design, and present a Differentially private Double spectrum auction mechanism with approximate Social welfare Maximization (DDSM). Specifically, we design the mechanism by employing the exponential mechanism to select clearing prices for the double spectrum auction with probabilities exponentially proportional to the related social welfare values, and then improve the mechanism in several aspects, such as the design of the auction algorithm, the utility function and the buyer grouping algorithm. Through theoretical analysis, we prove that DDSM achieves differential privacy, approximate truthfulness, and approximate social welfare maximization. Extensive experimental evaluations show that DDSM achieves good performance in terms of social welfare.