Preventing the Popular Item Embedding Based Attack in Federated Recommendations
Jun Zhang, Huan Li, Dazhong Rong, Yan Zhao, Ke Chen, Lidan Shou

TL;DR
This paper introduces PIECK, a model-agnostic, prior-knowledge-free attack on federated recommender systems that exploits popular item embeddings, and proposes a novel defense method to mitigate this attack.
Contribution
The paper presents PIECK, a new practical attack method on FRS that is model-agnostic and does not require prior knowledge, along with an effective defense strategy.
Findings
PIECK effectively identifies popular items during FRS training.
Existing defenses are ineffective against PIECK.
The proposed regularization-based defense improves robustness.
Abstract
Privacy concerns have led to the rise of federated recommender systems (FRS), which can create personalized models across distributed clients. However, FRS is vulnerable to poisoning attacks, where malicious users manipulate gradients to promote their target items intentionally. Existing attacks against FRS have limitations, as they depend on specific models and prior knowledge, restricting their real-world applicability. In our exploration of practical FRS vulnerabilities, we devise a model-agnostic and prior-knowledge-free attack, named PIECK (Popular Item Embedding based Attack). The core module of PIECK is popular item mining, which leverages embedding changes during FRS training to effectively identify the popular items. Built upon the core module, PIECK branches into two diverse solutions: The PIECKIPE solution employs an item popularity enhancement module, which aligns the…
Taxonomy
Methods: Balanced Selection
