Federated learning (FL) is a practical technique for learning personalized recommendation models from decentralized user data. Unfortunately, federated recommender systems are vulnerable to poisoning attacks by malicious clients. Existing poisoning methods for recommender systems mainly aim to promote the recommendation chances of target items, driven by financial incentives. In real-world scenarios, however, an attacker may also attempt to degrade the overall performance of the recommender system. Existing general FL poisoning methods for degrading model performance are either ineffective against federated recommender systems or not covert when applied to them. In this paper, we propose a simple yet effective and covert poisoning attack on federated recommendation, named FedAttack. Its core idea is to use the globally hardest samples to subvert model training. More specifically, the malicious clients first infer user embeddings from their local user profiles. Next, they select the candidate items most relevant to the user embedding as the hardest negative samples, and the candidates farthest from the user embedding as the hardest positive samples. The model gradients computed from these poisoned samples are then uploaded to the server for aggregation and model update. Since the behavior of a malicious client resembles that of a user with diverse interests, the server cannot effectively distinguish malicious clients from normal ones. Extensive experiments on two benchmark datasets show that FedAttack effectively degrades the performance of various federated recommender systems, while it cannot be effectively detected or defended against by many existing methods.
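The attack procedure described above, as an added example that is not the authors' code: a toy federated recommender with dot-product scoring and a pairwise BPR loss, an honest client that trains on its real clicks, and a FedAttack-style client that relabels the globally hardest samples before computing the gradients it uploads. The user encoder (mean of the profile's item embeddings), the FedAvg aggregation, and the circle-shaped item embeddings are assumptions made for this demo, not details taken from the paper.

```python
# Toy FedAttack-style client for a federated recommender (added example, not the
# authors' code). Model: user/item embeddings scored by dot product, trained with
# a pairwise BPR loss. Assumptions (not from the paper): the user embedding is the
# mean of the embeddings of items in the local profile, and the server runs FedAvg
# over the per-item embedding gradients that clients upload.
import math
import random

DIM = 2  # embedding size of the toy model


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def axpy(acc, vec, coef):
    """Return acc + coef * vec (element-wise)."""
    return [x + coef * y for x, y in zip(acc, vec)]


def norm(vec):
    return math.sqrt(dot(vec, vec))


def user_embedding(profile, item_emb):
    """Assumption: the local user encoder is the mean of the profile's item embeddings."""
    return [sum(item_emb[i][d] for i in profile) / len(profile) for d in range(DIM)]


def bpr_item_gradients(u, pos_items, neg_items, item_emb):
    """Gradients of the BPR loss -log sigmoid(u.p - u.n) w.r.t. the item embeddings.
    Only item gradients are shared with the server; u never leaves the client."""
    grads = {}
    for p, n in zip(pos_items, neg_items):
        s = dot(u, item_emb[p]) - dot(u, item_emb[n])
        sig = 1.0 / (1.0 + math.exp(-s))
        dl_ds = -(1.0 - sig)  # d(-log sigmoid(s)) / ds, always negative
        # ds/dp = u and ds/dn = -u, so a descent step pulls p toward u and pushes n away
        grads[p] = axpy(grads.get(p, [0.0] * DIM), u, dl_ds)
        grads[n] = axpy(grads.get(n, [0.0] * DIM), u, -dl_ds)
    return grads


def benign_update(profile, item_emb, rng):
    """Honest client: real clicks are positives, random unseen items are negatives."""
    u = user_embedding(profile, item_emb)
    pos = sorted(profile)
    neg = rng.sample([i for i in item_emb if i not in profile], len(pos))
    return bpr_item_gradients(u, pos, neg, item_emb)


def fedattack_samples(profile, item_emb, k):
    """Globally hardest samples: the k candidates most similar to the user embedding
    are labelled negative, the k farthest are labelled positive."""
    u = user_embedding(profile, item_emb)
    candidates = [i for i in item_emb if i not in profile]
    ranked = sorted(candidates, key=lambda i: dot(u, item_emb[i]), reverse=True)
    return u, ranked[-k:], ranked[:k]  # (u, hardest positives, hardest negatives)


def malicious_update(profile, item_emb, k):
    """FedAttack client: identical training code, only the labels are poisoned."""
    u, pos, neg = fedattack_samples(profile, item_emb, k)
    return bpr_item_gradients(u, pos, neg, item_emb)


def fedavg(updates):
    """Server side: average each item's gradient over the clients that sent one."""
    agg, count = {}, {}
    for upd in updates:
        for item, g in upd.items():
            agg[item] = axpy(agg.get(item, [0.0] * DIM), g, 1.0)
            count[item] = count.get(item, 0) + 1
    return {i: [x / count[i] for x in g] for i, g in agg.items()}


def toy_items(n=12):
    """Constructed sample data: n unit-norm item embeddings spread evenly on a circle."""
    return {i: [math.cos(2 * math.pi * i / n), math.sin(2 * math.pi * i / n)] for i in range(n)}


if __name__ == "__main__":
    items = toy_items()
    rng = random.Random(0)
    honest = [benign_update({0, 1}, items, rng), benign_update({6, 7}, items, rng)]
    u, pos, neg = fedattack_samples({0}, items, k=2)
    print("attacker user embedding:", u)
    print("hardest negatives (most relevant):", neg, "hardest positives (farthest):", pos)
    agg = fedavg(honest + [malicious_update({0}, items, k=2)])
    for item, g in sorted(agg.items()):
        print(f"item {item:2d} aggregated gradient norm {norm(g):.3f}")
```

The poisoned gradient for each hardest negative is a positive multiple of the user embedding, so the server's descent step moves the items the user would actually like away from that user, and the hardest positives are pulled toward the user; that is the subversion the abstract describes. Because the malicious client runs the same local training code as everyone else and only its label assignment differs, its update has the same shape and scale as that of an honest user with mixed interests, which is why per-client filtering on the server has little to key on. The demo does not reproduce the paper's detection or defense experiments.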