Spattack: Subgroup Poisoning Attacks on Federated Recommender Systems

Bo Yan, Yurong Hao, Dingqi Liu, Huabin Sun, Pengpeng Qiao, Wei Yang Bryan Lim, Yang Cao, Chuan Shi

TL;DR

Spattack addresses a realistic threat model for federated recommender systems by targeting user subgroups rather than the entire user base. It introduces an approximate-and-promote framework, with enhancements in both approximation (contrastive repulsion and clustering-based item augmentation) and promotion (item-embedding alignment and adaptive weighting) to balance impact across target and non-target groups. The approach achieves strong exposure of target items for the targeted subgroup with minimal disruption to others, demonstrated across three real-world datasets and multiple defenses, and includes extensive ablation and parameter analyses. The work highlights substantial privacy and security implications for FedRec deployments and offers a framework for evaluating subgroup-specific vulnerabilities and defenses.

Abstract

Federated recommender systems (FedRec) have emerged as a promising approach to provide personalized recommendations while protecting user privacy. However, recent studies have shown their vulnerability to poisoning attacks, where malicious clients inject crafted gradients to promote target items to benign users. Existing attacks typically target the full user group, which compromises stealth and increases detection risk. In contrast, real-world adversaries may prefer to target specific user subgroups, such as promoting health supplements to older individuals, to maximize effectiveness while preserving stealth. Motivated by this gap, we introduce Spattack, the first poisoning attack designed to manipulate recommendations for specific user subgroups in federated settings. Spattack adopts an approximate-and-promote paradigm, which approximates user embeddings of target and non-target subgroups and then promotes target items to the target subgroup. We further reveal a trade-off between strong attack performance on the target subgroup and limited impact on the non-target subgroup. To achieve a better trade-off, we propose enhanced approximation and promotion strategies. For approximation, we push embeddings of different subgroups apart via contrastive learning and augment the target subgroup's relevant item set through clustering. For promotion, we align embeddings of target items and relevant items to strengthen their semantic connections, together with an adaptive weighting strategy to balance effects across subgroups. Experiments on three real-world datasets demonstrate that Spattack achieves strong attack performance on the target subgroup with minimal impact on non-target users, even when only 0.1% of users are malicious. Moreover, Spattack maintains competitive recommendation performance and shows strong resilience against mainstream defenses.

Paper Structure

This paper contains 40 sections, 15 equations, 5 figures, 10 tables, 1 algorithm.

Figures (5)

  • Figure 1: Illustration of traditional full-group poisoning attacks on all benign users and our proposed subgroup poisoning attacks on specific target users.
  • Figure 2: The trade-off dilemma of full-group poisoning attacks on target and non-target groups across various malicious client ratios (Left: ML-100K; Right: Steam). Some overlapping points are omitted for clarity, and the y-axis is set to 1-Exposure Ratio@5 (ER@5) to better visualize the trade-off.
  • Figure 3: The overall framework of Spattack.
  • Figure 4: Effects of key parameters in Spattack (%).
  • Figure 5: Visualization of embeddings during training.

Theorems & Definitions (1)

  • Definition 1: Target User Group