Preventing the Popular Item Embedding Based Attack in Federated Recommendations
Jun Zhang, Huan Li, Dazhong Rong, Yan Zhao, Ke Chen, Lidan Shou
TL;DR
The paper tackles privacy-preserving federated recommender systems by introducing PIECK, a model-agnostic, prior-knowledge-free targeted poisoning attack that exploits popular-item embedding dynamics. PIECK combines three modules—popular item mining, item popularity enhancement (PieckIpe), and user embedding approximation (PieckUea)—to inflate target items' exposure without accessing benign embeddings. It also analyzes why standard defenses fail against such attacks and proposes a defense with two regularization terms that preserve recommendation quality while mitigating poisoning. Extensive experiments across MF-FRS and DL-FRS on three real datasets show PIECK's effectiveness and the defense's robustness against multiple attacks, with favorable trade-offs in performance and cost. The work highlights practical security risks in FRS and offers actionable defense mechanisms, prompting further work on combined server-client defenses and extensions to content-based federated settings.
Abstract
Privacy concerns have led to the rise of federated recommender systems (FRS), which can create personalized models across distributed clients. However, FRS is vulnerable to poisoning attacks, where malicious users manipulate gradients to promote their target items intentionally. Existing attacks against FRS have limitations, as they depend on specific models and prior knowledge, restricting their real-world applicability. In our exploration of practical FRS vulnerabilities, we devise a model-agnostic and prior-knowledge-free attack, named PIECK (Popular Item Embedding based Attack). The core module of PIECK is popular item mining, which leverages embedding changes during FRS training to effectively identify the popular items. Built upon the core module, PIECK branches into two diverse solutions: The PIECKIPE solution employs an item popularity enhancement module, which aligns the embeddings of targeted items with the mined popular items to increase item exposure. The PIECKUEA further enhances the robustness of the attack by using a user embedding approximation module, which approximates private user embeddings using mined popular items. Upon identifying PIECK, we evaluate existing federated defense methods and find them ineffective against PIECK, as poisonous gradients inevitably overwhelm the cold target items. We then propose a novel defense method by introducing two regularization terms during user training, which constrain item popularity enhancement and user embedding approximation while preserving FRS performance. We evaluate PIECK and its defense across two base models, three real datasets, four top-tier attacks, and six general defense methods, affirming the efficacy of both PIECK and its defense.