Robust Federated Contrastive Recommender System against Model Poisoning Attack
Wei Yuan, Chaoqun Yang, Liang Qu, Guanhua Ye, Quoc Viet Hung Nguyen, Hongzhi Yin
TL;DR
The paper tackles privacy-preserving federated recommender systems challenged by sparse local data and model poisoning threats. It introduces CL4FedRec, a privacy-friendly contrastive learning framework that builds user and item views without sharing private parameters by leveraging server-generated synthetic users and local embedding augmentations, and jointly optimizes with the recommendation task via $\mathcal{L} = \mathcal{L}^{rec} + \lambda_1 \mathcal{L}^{uc} + \lambda_2 \mathcal{L}^{ic}$. A key finding is that vanilla contrastive learning can increase poisoning vulnerability due to embedding uniformity; to address this, the authors propose rCL4FedRec, which adds a popularity-based regularizer on the server to separate hot (popular) items from normal items. Experiments on four datasets demonstrate that CL4FedRec improves recommendation performance and that rCL4FedRec significantly enhances robustness against state-of-the-art model poisoning attacks, highlighting practical impact for secure, privacy-aware FedRecs.
Abstract
Federated Recommender Systems (FedRecs) have garnered increasing attention recently, thanks to their privacy-preserving benefits. However, the decentralized and open characteristics of current FedRecs present two dilemmas. First, the performance of FedRecs is compromised due to highly sparse on-device data for each client. Second, the system's robustness is undermined by the vulnerability to model poisoning attacks launched by malicious users. In this paper, we introduce a novel contrastive learning framework designed to fully leverage the client's sparse data through embedding augmentation, referred to as CL4FedRec. Unlike previous contrastive learning approaches in FedRecs that necessitate clients to share their private parameters, our CL4FedRec aligns with the basic FedRec learning protocol, ensuring compatibility with most existing FedRec implementations. We then evaluate the robustness of FedRecs equipped with CL4FedRec by subjecting them to several state-of-the-art model poisoning attacks. Surprisingly, our observations reveal that contrastive learning tends to exacerbate the vulnerability of FedRecs to these attacks. This is attributed to the enhanced embedding uniformity, making the polluted target item embedding easily proximate to popular items. Based on this insight, we propose an enhanced and robust version of CL4FedRec (rCL4FedRec) by introducing a regularizer to maintain the distance among item embeddings with different popularity levels. Extensive experiments conducted on four commonly used recommendation datasets demonstrate that CL4FedRec significantly enhances both the model's performance and the robustness of FedRecs.
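To make the objective in the TL;DR and the mechanism in the abstract concrete, the following is an added illustrative example written for this page; it is not the authors' code and the page does not give the exact form of their contrastive views, recommendation loss or popularity regularizer. The choices here are therefore assumptions: Gaussian-noise embedding augmentation as the "local view", an InfoNCE loss for both the user term $\mathcal{L}^{uc}$ and the item term $\mathcal{L}^{ic}$, a BPR recommendation loss for $\mathcal{L}^{rec}$, and a hinge-squared penalty that keeps normal items at least a margin away from the hot-item centroid as the server-side regularizer. The `uniformity` function is the Wang and Isola (2020) metric, included so a defender can measure the embedding uniformity the abstract identifies as the source of the extra poisoning exposure. All sample embeddings are constructed inline.

```python
import numpy as np


def l2_normalize(x):
    return x / np.linalg.norm(x, axis=-1, keepdims=True)


def log_sigmoid(s):
    # numerically stable log(sigmoid(s))
    return -np.logaddexp(0.0, -s)


def rec_loss_bpr(user_emb, pos_item_emb, neg_item_emb):
    """L^rec: pairwise BPR loss, one (user, positive item, negative item) triple per row.
    Assumption: the page does not name the recommendation loss."""
    score_gap = np.sum(user_emb * (pos_item_emb - neg_item_emb), axis=1)
    return float(-np.mean(log_sigmoid(score_gap)))


def augment_view(emb, rng, noise_scale=0.1):
    """Local embedding augmentation: add small Gaussian noise to get a second view.
    Assumption: the page says augmentation is used, not which kind."""
    return emb + noise_scale * rng.standard_normal(emb.shape)


def info_nce(view_a, view_b, tau=0.2):
    """Contrastive (InfoNCE) loss: row i of view_a must be closest to row i of
    view_b; every other row of view_b is a negative.  Used for L^uc and L^ic."""
    a, b = l2_normalize(view_a), l2_normalize(view_b)
    logits = a @ b.T / tau
    logits = logits - logits.max(axis=1, keepdims=True)  # stability shift
    log_prob = logits - np.log(np.exp(logits).sum(axis=1, keepdims=True))
    return float(-np.mean(np.diag(log_prob)))


def uniformity(emb, t=2.0):
    """Wang & Isola (2020) uniformity: log mean_{i<j} exp(-t * ||x_i - x_j||^2)
    over L2-normalised embeddings.  0 when all embeddings coincide, more negative
    as they spread evenly over the sphere (i.e. become more uniform)."""
    x = l2_normalize(emb)
    i, j = np.triu_indices(len(x), k=1)
    sq_dist = np.sum((x[i] - x[j]) ** 2, axis=1)
    return float(np.log(np.mean(np.exp(-t * sq_dist))))


def popularity_regularizer(item_emb, is_hot, margin=1.0):
    """Server-side regulariser: penalise normal items that come within `margin`
    of the centroid of hot (popular) items.  Hinge-squared form is an assumption;
    the page only states the goal of keeping popularity levels apart."""
    hot_centroid = item_emb[is_hot].mean(axis=0)
    dist = np.linalg.norm(item_emb[~is_hot] - hot_centroid, axis=1)
    return float(np.mean(np.maximum(0.0, margin - dist) ** 2))


def combined_loss(user_emb, item_emb, pos_idx, neg_idx, is_hot, rng,
                  lam1=0.1, lam2=0.1, lam_reg=0.0):
    """L = L^rec + lam1 * L^uc + lam2 * L^ic (+ lam_reg * popularity regulariser).
    With lam_reg = 0 this is the CL4FedRec objective; lam_reg > 0 adds the
    rCL4FedRec-style regulariser (assumed form)."""
    l_rec = rec_loss_bpr(user_emb, item_emb[pos_idx], item_emb[neg_idx])
    l_uc = info_nce(augment_view(user_emb, rng), augment_view(user_emb, rng))
    l_ic = info_nce(augment_view(item_emb, rng), augment_view(item_emb, rng))
    l_reg = popularity_regularizer(item_emb, is_hot)
    total = l_rec + lam1 * l_uc + lam2 * l_ic + lam_reg * l_reg
    return {"rec": l_rec, "uc": l_uc, "ic": l_ic, "reg": l_reg, "total": float(total)}


if __name__ == "__main__":
    # Constructed sample: 8 users, 12 items, 4-dim embeddings; items 0 and 1 are "hot".
    rng = np.random.default_rng(0)
    n_users, n_items, dim = 8, 12, 4
    users = rng.standard_normal((n_users, dim))
    items = rng.standard_normal((n_items, dim))
    is_hot = np.zeros(n_items, dtype=bool)
    is_hot[:2] = True
    pos = rng.integers(0, n_items, n_users)
    neg = rng.integers(0, n_items, n_users)
    print(combined_loss(users, items, pos, neg, is_hot, rng, lam_reg=1.0))
    print("item uniformity:", uniformity(items))
```

Tracking `uniformity` of the aggregated item table across rounds, alongside the regulariser value, is a cheap server-side health check: a sharp drop in the metric (embeddings spreading out) together with a rising regulariser term is exactly the condition the abstract associates with a target item drifting toward the popular cluster.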
