Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Poisoning Federated Recommender Systems with Fake Users

Ming Yin, Yichang Xu, Minghong Fang, Neil Zhenqiang Gong

TL;DR

This paper tackles poisoning of federated recommender systems by introducing PoisonFRS, a fake-user based attack that promotes a chosen item without access to genuine user data or server-side aggregation rules. PoisonFRS crafts per-round updates by estimating popular items from server item embeddings, constructing a targeted item embedding amplified by a factor $\lambda$, and sending updates through fake users along with filler-item updates. Empirical results across four real-world datasets and seven aggregation rules show PoisonFRS significantly outperforms baselines, with the targeted item achieving high promotion even at very small attack sizes, and updates from fake and genuine users indistinguishable in latent space. The work highlights practical vulnerabilities in FedRecs and underscores the need for robust defenses beyond traditional Byzantine-robust aggregators, including improved detection and dynamic defense strategies.

Abstract

Federated recommendation is a prominent use case within federated learning, yet it remains susceptible to various attacks, from user to server-side vulnerabilities. Poisoning attacks are particularly notable among user-side attacks, as participants upload malicious model updates to deceive the global model, often intending to promote or demote specific targeted items. This study investigates strategies for executing promotion attacks in federated recommender systems. Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity. However, such information is challenging for the potential attacker to obtain. Thus, there is a need to develop an attack that requires no extra information apart from item embeddings obtained from the server. In this paper, we introduce a novel fake user based poisoning attack named PoisonFRS to promote the attacker-chosen targeted item in federated recommender systems without requiring knowledge about user-item rating data, user attributes, or the aggregation rule used by the server. Extensive experiments on multiple real-world datasets demonstrate that PoisonFRS can effectively promote the attacker-chosen targeted item to a large portion of genuine users and outperform current benchmarks that rely on additional information about the system. We further observe that the model updates from both genuine and fake users are indistinguishable within the latent space.

Poisoning Federated Recommender Systems with Fake Users

TL;DR

This paper tackles poisoning of federated recommender systems by introducing PoisonFRS, a fake-user based attack that promotes a chosen item without access to genuine user data or server-side aggregation rules. PoisonFRS crafts per-round updates by estimating popular items from server item embeddings, constructing a targeted item embedding amplified by a factor , and sending updates through fake users along with filler-item updates. Empirical results across four real-world datasets and seven aggregation rules show PoisonFRS significantly outperforms baselines, with the targeted item achieving high promotion even at very small attack sizes, and updates from fake and genuine users indistinguishable in latent space. The work highlights practical vulnerabilities in FedRecs and underscores the need for robust defenses beyond traditional Byzantine-robust aggregators, including improved detection and dynamic defense strategies.

Abstract

Federated recommendation is a prominent use case within federated learning, yet it remains susceptible to various attacks, from user to server-side vulnerabilities. Poisoning attacks are particularly notable among user-side attacks, as participants upload malicious model updates to deceive the global model, often intending to promote or demote specific targeted items. This study investigates strategies for executing promotion attacks in federated recommender systems. Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity. However, such information is challenging for the potential attacker to obtain. Thus, there is a need to develop an attack that requires no extra information apart from item embeddings obtained from the server. In this paper, we introduce a novel fake user based poisoning attack named PoisonFRS to promote the attacker-chosen targeted item in federated recommender systems without requiring knowledge about user-item rating data, user attributes, or the aggregation rule used by the server. Extensive experiments on multiple real-world datasets demonstrate that PoisonFRS can effectively promote the attacker-chosen targeted item to a large portion of genuine users and outperform current benchmarks that rely on additional information about the system. We further observe that the model updates from both genuine and fake users are indistinguishable within the latent space.
Paper Structure (24 sections, 6 equations, 4 figures, 7 tables, 3 algorithms)

This paper contains 24 sections, 6 equations, 4 figures, 7 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Federated Recommender Systems
  4. Poisoning Attacks to FedRecs
  5. Byzantine-robust Aggregation Rules
  6. Threat Model
  7. Attacker's Goal
  8. Attacker's Knowledge
  9. Attacker's Capabilities
  10. Our Attack
  11. Motivation
  12. Description
  13. Estimating $k$ Popular Items
  14. Constructing the targeted item embedding
  15. Select filler items
  16. ...and 9 more sections

Figures (4)

  • Figure 1: Illustration of three steps in FedRecs.
  • Figure 2: Distribution of the total number of unique updated items in all global rounds for genuine users.
  • Figure 3: Result of ablation studies on Yelp dataset, where FedAvg aggregation rule is considered.
  • Figure 4: Genuine and fake users in the latent space.