Poisoning Federated Recommender Systems with Fake Users
Ming Yin, Yichang Xu, Minghong Fang, and Neil Zhenqiang Gong

TL;DR
This paper presents PoisonFRS, a novel attack method that promotes targeted items in federated recommender systems without needing extra data, outperforming existing methods and making detection difficult.
Contribution
PoisonFRS is the first attack that promotes items without requiring knowledge of user data or server aggregation rules, enhancing attack effectiveness and stealth.
Findings
PoisonFRS effectively promotes targeted items in real-world datasets.
It outperforms benchmark attacks relying on additional information.
Fake user updates are indistinguishable from genuine ones in latent space.
Abstract
Federated recommendation is a prominent use case within federated learning, yet it remains susceptible to various attacks, from user to server-side vulnerabilities. Poisoning attacks are particularly notable among user-side attacks, as participants upload malicious model updates to deceive the global model, often intending to promote or demote specific targeted items. This study investigates strategies for executing promotion attacks in federated recommender systems. Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity. However, such information is challenging for the potential attacker to obtain. Thus, there is a need to develop an attack that requires no extra information apart from item embeddings obtained from the server. In this paper, we introduce a novel fake user…
Taxonomy
Topics: Spam and Phishing Detection · Internet Traffic Analysis and Secure E-voting · Advanced Steganography and Watermarking Techniques
