Turning Privacy-preserving Mechanisms against Federated Learning
Marco Arazzi, Mauro Conti, Antonino Nocera, Stjepan Picek

TL;DR
This paper reveals a security flaw in privacy-preserving federated learning for GNN-based recommender systems, demonstrating an attack that can significantly degrade or manipulate model performance despite defenses.
Contribution
It identifies a critical vulnerability in federated learning defenses and proposes an attack that can bypass privacy measures to impair or corrupt GNN models.
Findings
The attack causes a 60% performance loss in adversarial mode
The backdoor attack succeeds in 93% of cases
The vulnerability persists despite differential privacy and community-driven defenses
Abstract
Recently, researchers have successfully employed Graph Neural Networks (GNNs) to build enhanced recommender systems due to their capability to learn patterns from the interaction between involved entities. In addition, previous studies have investigated federated learning as the main solution to enable a native privacy-preserving mechanism for the construction of global GNN models without collecting sensitive data into a single computation unit. Still, privacy issues may arise as the analysis of local model updates produced by the federated clients can return information related to sensitive local data. For this reason, experts proposed solutions that combine federated learning with Differential Privacy strategies and community-driven approaches, which involve combining data from neighbor clients to make the individual local updates less dependent on local sensitive data. In this paper,…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Advanced Graph Neural Networks · Mental Health via Writing
