Untargeted Attack against Federated Recommendation Systems via Poisonous Item Embeddings and the Defense

Authors

  • Yang Yu, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence
  • Qi Liu, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence
  • Likang Wu, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence
  • Runlong Yu, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence
  • Sanshi Lei Yu, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence
  • Zaixi Zhang, University of Science and Technology of China; State Key Laboratory of Cognitive Intelligence

DOI:

https://doi.org/10.1609/aaai.v37i4.25611

Keywords:

DMKM: Recommender Systems, ML: Distributed Machine Learning & Federated Learning

Abstract

Federated recommendation (FedRec) can train personalized recommenders without collecting user data, but the decentralized nature makes it susceptible to poisoning attacks. Most previous studies focus on the targeted attack to promote certain items, while the untargeted attack that aims to degrade the overall performance of the FedRec system remains less explored. In fact, untargeted attacks can disrupt the user experience and bring severe financial loss to the service provider. However, existing untargeted attack methods are either inapplicable or ineffective against FedRec systems. In this paper, we delve into the untargeted attack and its defense for FedRec systems. (i) We propose ClusterAttack, a novel untargeted attack method. It uploads poisonous gradients that converge the item embeddings into several dense clusters, which make the recommender generate similar scores for these items in the same cluster and perturb the ranking order. (ii) We propose a uniformity-based defense mechanism (UNION) to protect FedRec systems from such attacks. We design a contrastive learning task that regularizes the item embeddings toward a uniform distribution. Then the server filters out these malicious gradients by estimating the uniformity of updated item embeddings. Experiments on two public datasets show that ClusterAttack can effectively degrade the performance of FedRec systems while circumventing many defense methods, and UNION can improve the resistance of the system against various untargeted attacks, including our ClusterAttack.
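
The server-side check summarized in the abstract (estimate the uniformity of the item embeddings after each client's update and drop updates that collapse them) can be sketched as follows. This is an added example, not the authors' UNION code: the uniformity measure (log mean Gaussian potential over normalized embeddings), the tolerance rule, the function names and the sample data are all assumptions made for illustration.

```python
import math
import random

def uniformity(emb, t=2.0):
    """log mean exp(-t*||x-y||^2) over pairs of L2-normalized rows.
    Strongly negative = spread out; close to 0 = collapsed into clusters."""
    rows = []
    for v in emb:
        n = math.sqrt(sum(x * x for x in v)) or 1.0
        rows.append([x / n for x in v])
    total, pairs = 0.0, 0
    for i in range(len(rows)):
        for j in range(i + 1, len(rows)):
            d2 = sum((a - b) ** 2 for a, b in zip(rows[i], rows[j]))
            total += math.exp(-t * d2)
            pairs += 1
    return math.log(total / pairs)

def apply_update(emb, grad, lr=1.0):
    """One SGD step on the item-embedding table."""
    return [[e - lr * g for e, g in zip(er, gr)] for er, gr in zip(emb, grad)]

def filter_updates(emb, client_grads, tolerance=0.05):
    """Accept a client only if its update leaves uniformity within
    `tolerance` of the current table (this threshold rule is an assumption)."""
    base = uniformity(emb)
    return [cid for cid, g in client_grads.items()
            if uniformity(apply_update(emb, g)) <= base + tolerance]

def demo():
    rng = random.Random(0)  # constructed data: 40 items, 8 dimensions
    items = [[rng.gauss(0, 1) for _ in range(8)] for _ in range(40)]
    noise = lambda: [[rng.gauss(0, 0.01) for _ in r] for r in items]
    # Constructed anomalous update: pulls every row 90% of the way toward
    # one of two anchor rows, so the table collapses into two dense groups.
    collapse = [[0.9 * (e - a) for e, a in zip(r, items[i % 2])]
                for i, r in enumerate(items)]
    grads = {"client_a": noise(), "client_b": noise(), "client_x": collapse}
    return (uniformity(items), uniformity(apply_update(items, collapse)),
            filter_updates(items, grads))

if __name__ == "__main__":
    before, after, accepted = demo()
    print(f"baseline={before:.2f} after_collapse={after:.2f} accepted={accepted}")
```

The all-pairs loop is quadratic in the number of items; on a real item table the estimate would be taken over a sample of pairs.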

Published

2023-06-26

How to Cite

Yu, Y., Liu, Q., Wu, L., Yu, R., Yu, S. L., & Zhang, Z. (2023). Untargeted Attack against Federated Recommendation Systems via Poisonous Item Embeddings and the Defense. Proceedings of the AAAI Conference on Artificial Intelligence, 37(4), 4854–4863. https://doi.org/10.1609/aaai.v37i4.25611

Section

AAAI Technical Track on Data Mining and Knowledge Management