Federated Recommender Systems (FedRecs) are considered privacy-preserving techniques to collaboratively learn a recommendation model without sharing user data. Since all participants can directly influence the systems by uploading gradients, FedRecs are vulnerable to poisoning attacks of malicious clients. However, most existing poisoning attacks on FedRecs are either based on some prior knowledge or with less effectiveness. To reveal the real vulnerability of FedRecs, in this paper, we present a new poisoning attack method to manipulate target items' ranks and exposure rates effectively in the top-$K$ recommendation without relying on any prior knowledge. Specifically, our attack manipulates target items' exposure rate by a group of synthetic malicious users who upload poisoned gradients considering target items' alternative products. We conduct extensive experiments with two widely used FedRecs (Fed-NCF and Fed-LightGCN) on two real-world recommendation datasets. The experimental results show that our attack can significantly improve the exposure rate of unpopular target items with extremely fewer malicious users and fewer global epochs than state-of-the-art attacks. In addition to disclosing the security hole, we design a novel countermeasure for poisoning attacks on FedRecs. Specifically, we propose a hierarchical gradient clipping with sparsified updating to defend against existing poisoning attacks. The empirical results demonstrate that the proposed defending mechanism improves the robustness of FedRecs.
翻译:Federated 推荐系统(FedRecs)是一种隐私保护技术,可以在不共享用户数据的情况下协同学习推荐模型。由于所有参与者都可以通过上传梯度直接影响系统,因此 FedRecs 容易受到恶意客户端的攻击。然而,大多数现有的 FedRecs 攻击要么基于某些先前的知识,要么攻击效果有限。为了揭示 FedRecs 的实际漏洞,本文提出了一种新的攻击方法,可以在不依赖任何先行知识的情况下,有效地操纵前 K 个推荐物品的排名和曝光率。具体而言,攻击通过一组合成的恶意用户去上传针对目标物品的毒瘤梯度,考虑了目标物品的可替代产品。我们在两个广泛使用的 FedRecs(Fed-NCF 和 Fed-LightGCN)上进行了广泛的实验,使用了两个实际推荐数据集。实验结果表明,我们的攻击可以在极少数的恶意用户和更少的全局时代的情况下,显着提高不受欢迎的目标物品的曝光率,但攻击效果比现有的攻击方法更好。除了揭示安全漏洞外,我们还设计了一种针对 FedRecs 污染攻击的新颖对策。具体而言,我们提出了一种分层梯度裁剪和稀疏更新的防御机制来抵御现有的攻击。经验结果表明,所提出的防御机制可以提高 FedRecs 的鲁棒性。