FedAU2: Attribute Unlearning for User-Level Federated Recommender Systems with Adaptive and Robust Adversarial Training

Yuyuan Li, Junjie Fang, Fengyuan Yu, Xichun Sheng, Tianyu Du, Xuyang Teng, Shaowei Jiang, Linbo Jiang, Jianan Lin, Chaochao Chen

TL;DR

This work tackles attribute leakage in user-level FedRecs by introducing FedAU2, which combines an adaptive Selective Unlearning Trigger with a Dual-Stochastic Variational AutoEncoder to stabilize adversarial training and mask gradient information. The approach directly targets two core challenges: training stability under heterogeneous client data and preventing gradient-based attribute leakage. Extensive experiments on three real-world datasets across multiple FedRec models show that FedAU2 substantially improves unlearning effectiveness with minimal degradation to recommendation performance, outperforming DP-based baselines. The results highlight the practical impact of per-user adaptive defenses for privacy-preserving recommender systems in highly decentralized environments.

Abstract

Federated Recommender Systems (FedRecs) leverage federated learning to protect user privacy by retaining data locally. However, user embeddings in FedRecs often encode sensitive attribute information, rendering them vulnerable to attribute inference attacks. Attribute unlearning has emerged as a promising approach to mitigate this issue. In this paper, we focus on user-level FedRecs, which is a more practical yet challenging setting compared to group-level FedRecs. Adversarial training emerges as the most feasible approach within this context. We identify two key challenges in implementing adversarial training-based attribute unlearning for user-level FedRecs: i) mitigating training instability caused by user data heterogeneity, and ii) preventing attribute information leakage through gradients. To address these challenges, we propose FedAU2, an attribute unlearning method for user-level FedRecs. For CH1, we propose an adaptive adversarial training strategy, where the training dynamics are adjusted in response to local optimization behavior. For CH2, we propose a dual-stochastic variational autoencoder to perturb the adversarial model, effectively preventing gradient-based information leakage. Extensive experiments on three real-world datasets demonstrate that our proposed FedAU2 achieves superior performance in unlearning effectiveness and recommendation performance compared to existing baselines.

Paper Structure

This paper contains 42 sections, 4 theorems, 25 equations, 4 figures, 3 tables.

Key Result

Theorem 1

Given a class $i$, let $\hat{y}_i'$ denote the predicted probability during the reconstruction attack, $\nabla W_i$ the observed gradient of the final layer, and $y_i^*$ the optimal dummy label. Then, $y_i^*$ admits the following closed-form solution: where $\delta_i = \mathcal{G}(\nabla W_i)$, a function of the gradient $\nabla W_i$.

Figures (4)

  • Figure 1: Comparison of three user device types in federated recommendation. i) on the left, standard clients expose attribute information in embeddings; ii) in the middle, adversarial clients can prevent embedding leakage but still suffer from gradient leakage; and iii) on the right, our proposed FedAU$^2$ eliminates information leakage from both embeddings and gradients.
  • Figure 2: Workflow of FedAU$^2$. During the forward pass, DSVAE injects dual-stochasticity, effectively masking attribute information embedded in the gradients. During the backward pass, SUT dynamically adjusts the perturbation budget based on the prediction outcomes, enabling stable adversarial training.
  • Figure 3: Ablation analysis of SUT. Recommendation (NDCG@10 $\uparrow$) and unlearning (BAcc $\downarrow$) performance under different adversarial training strategies on ML-1M (gender).
  • Figure 4: Ablation analysis of DSVAE, conducted on ML-1M (gender). (a) Gradient unlearning performance across three models. (b) Component reconstruction analysis in FedVAE. (c) Effect of the stochasticity coefficient $\lambda$ on recommendation (NDCG@10 $\uparrow$), attribute unlearning (BAcc $\downarrow$), and gradient unlearning (Acc $\downarrow$) performance in FedVAE.

Theorems & Definitions (12)

  • Theorem 1
  • proof
  • Corollary 1
  • proof
  • Corollary 2
  • proof
  • Corollary 3
  • proof
  • proof
  • proof
  • ...and 2 more