Due to growing privacy concerns, decentralisation has emerged rapidly in personalised services.

Recent studies have shown that centralised models are vulnerable to poisoning attacks, compromising their integrity. In the context of recommender systems, a typical goal of such poisoning attacks is to promote the adversary's target items by interfering with the training dataset and/or process. 

Hence, a common practice is to subsume recommender systems under the decentralised federated learning paradigm, which enables all user devices to collaboratively learn a global recommender while retaining all the sensitive data locally. Because end-users are never exposed to the full knowledge of the recommender or the entire dataset, such federated recommendation is widely regarded as 'safe' against poisoning attacks.

In this paper, we present a systematic approach to back-dooring federated recommender systems for targeted item promotion.

The core tactic is to take advantage of the inherent popularity bias that commonly exists in data-driven recommenders. As popular items are more likely to appear in the recommendation list, our innovatively designed attack model enables the target item to have the characteristics of popular items in the embedding space.

Then, by uploading carefully crafted gradients via a small number of malicious users during the model update, we can effectively increase the exposure rate of a target (unpopular) item in the resulting federated recommender. Evaluations on two real-world datasets show that:

1) our attack model significantly boosts the exposure rate of the target item in a stealthy way, without harming the accuracy of the poisoned recommender; and

2) existing defenses are not effective enough, highlighting the need for new defenses against our local model poisoning attacks on federated recommender systems.

This session will be conducted online via Zoom: https://uqz.zoom.us/j/89362232168

Host

Dr Rocky Chen

Speaker

Ms Shijie Zhang

Shijie is a PhD candidate within the Data Science (DAS) group under the supervision of Assoc. Professor Hongzhi Yin and Professor Helen Huang. She received her Master's degree in Information Technology from The University of Queensland and her Bachelor's degree in Information and Computing Science from Shandong University. Her research interests include recommender systems, network embedding, and deep learning.

About Data Science Seminar

This seminar series is hosted by EECS Data Science.

Venue

Online