Poisoning Decentralized Collaborative Recommender System and Its Countermeasures

TL;DR

This work addresses security in decentralized collaborative recommender systems (DecRecs) by revealing their susceptibility to model poisoning under neighbor-based gradient sharing. It introduces PAMN, a poisoning method where adversaries adaptively mimic benign neighbors, diversify embeddings, and use substitute items to promote target items while preserving overall utility; it further proposes UCSU, a user-level defense that clips and sparsifies gradients to limit adversarial influence with minimal degradation to recommendations. Experiments on MovieLens-1M and Amazon Digital Music show PAMN can significantly increase target-item exposure (ER@$K$) with little impact on Hit Rate (HR@$K$), while UCSU effectively suppresses such exposure increases and maintains pruning of poisoned updates. The results underscore the need for decentralized security controls and offer practical, deployable defense mechanisms tailored to DecRecs, enabling privacy-preserving, efficient personalized recommendations with robust resilience to poisoning.

Abstract

To make room for privacy and efficiency, the deployment of many recommender systems is experiencing a shift from central servers to personal devices, where the federated recommender systems (FedRecs) and decentralized collaborative recommender systems (DecRecs) are arguably the two most representative paradigms. While both leverage knowledge (e.g., gradients) sharing to facilitate learning local models, FedRecs rely on a central server to coordinate the optimization process, yet in DecRecs, the knowledge sharing directly happens between clients. Knowledge sharing also opens a backdoor for model poisoning attacks, where adversaries disguise themselves as benign clients and disseminate polluted knowledge to achieve malicious goals like promoting an item's exposure rate. Although research on such poisoning attacks provides valuable insights into finding security loopholes and corresponding countermeasures, existing attacks mostly focus on FedRecs, and are either inapplicable or ineffective for DecRecs. Compared with FedRecs where the tampered information can be universally distributed to all clients once uploaded to the cloud, each adversary in DecRecs can only communicate with neighbor clients of a small size, confining its impact to a limited range. To fill the gap, we present a novel attack method named Poisoning with Adaptive Malicious Neighbors (PAMN). With item promotion in top-K recommendation as the attack objective, PAMN effectively boosts target items' ranks with several adversaries that emulate benign clients and transfers adaptively crafted gradients conditioned on each adversary's neighbors. Moreover, with the vulnerabilities of DecRecs uncovered, a dedicated defensive mechanism based on user-level gradient clipping with sparsified updating is proposed. Extensive experiments demonstrate the effectiveness of the poisoning attack and the robustness of our defensive mechanism.

Figures (4)

• Figure 1: The overview of PAMN. The cloud server assigns users to neighbors who share similar item embedding tables. For the attack, a) The adversary receives gradients from their neighbors to update the user and item embeddings, effectively mimicking the user profiles of these neighbors. b) Adversary fine-tunes item embeddings by optimizing the local ranking of the target items with its fixed user embedding. c) Adversary transfers the gradients of the local item embedding table to promote the ranking of target items for other users within the collaborative network.
• Figure 2: The performance defense method UCSU and defense baselines on MovieLens dataset, represented by HR@20 and ER@20.
• Figure 3: Result of ablation experiment on different variants of PAMN and UCSU on MovieLens dataset.
• Figure 4: PAMN performance for different numbers of malicious neighbors on MovieLens dataset, represented by HR@20 and ER@20.