Federated Recommendation (FedRec) has been widely applied recently for realizing privacy preservation in recommender systems. However, due to direct uploads of model gradients from all clients, FedRec is vulnerable to potential poisoning attacks. In this paper, we focus on the targeted model poisoning attacks in FedRec, which aims to raise the exposure ratio of specific target items by generating poisoned gradients to influence global training. Challenges emerge when implementing this kind of attack. On the one hand, simulating authentic users on the malicious clients for downstream poisoning is hard when access to prior knowledge is limited. On the other hand, distinguished item attributes and personalized user preferences require the attack to be adaptive to complex distributions. To this end, we propose a novel attack DuAda with two modules, i.e., dummy user simulator and adaptive distribution attacker . The dummy user simulator is designed to generate malicious users with characteristics similar to real users, which exploits authentic user representations and preference labels simultaneously through two-stage inversion optimization. The attacker first extracts heterogeneous distributions by a special multi-prototype clustering method, and then conducts adaptive attacks from both explicit and implicit promotion perspectives. The explicit promotion raises the prediction scores of target items based on the inherent characteristics, while the implicit promotion imbues them with the features of popular items. Targeted at our proposed attack method, we also design a merged adaptive defense mechanism to fight against DuAda and conduct defensive experiments. Empirical studies on four real-world datasets demonstrate the effectiveness and interpretability of DuAda.
Su et al. (Tue,) studied this question.
Synapse has enriched 5 closely related papers on similar clinical questions. Consider them for comparative context: