DOI: 10.1145/3488560.3498386
research-article

PipAttack: Poisoning Federated Recommender Systems for Manipulating Item Promotion

Published: 15 February 2022

Abstract

Due to growing privacy concerns, decentralization is emerging rapidly in personalized services, especially recommendation. Also, recent studies have shown that centralized models are vulnerable to poisoning attacks, which compromise their integrity. In the context of recommender systems, a typical goal of such poisoning attacks is to promote the adversary's target items by interfering with the training dataset and/or process. Hence, a common practice is to subsume recommender systems under the decentralized federated learning paradigm, which enables all user devices to collaboratively learn a global recommender while retaining all the sensitive data locally. Because it does not expose full knowledge of the recommender and the entire dataset to end-users, such federated recommendation is widely regarded as 'safe' against poisoning attacks. In this paper, we present a systematic approach to backdooring federated recommender systems for targeted item promotion. The core tactic is to take advantage of the inherent popularity bias that commonly exists in data-driven recommenders. As popular items are more likely to appear in the recommendation list, our innovatively designed attack model enables the target item to have the characteristics of popular items in the embedding space. Then, by uploading carefully crafted gradients via a small number of malicious users during the model update, we can effectively increase the exposure rate of a target (unpopular) item in the resulting federated recommender. Evaluations on two real-world datasets show that 1) our attack model significantly boosts the exposure rate of the target item in a stealthy way, without harming the accuracy of the poisoned recommender; and 2) existing defenses are not effective enough, highlighting the need for new defenses against our local model poisoning attacks on federated recommender systems.

Supplementary Material

MP4 File (WSDM22-fp139.mp4)
In this presentation, we introduce a systematic approach to backdooring federated recommender systems for targeted item promotion. The core tactic is to take advantage of the inherent popularity bias that commonly exists in data-driven recommenders. Then, by uploading carefully crafted gradients via a small number of malicious users during the model update, we can effectively increase the exposure rate of a target (unpopular) item in the resulting federated recommender. Evaluations on two real-world datasets show that 1) our attack model significantly boosts the exposure rate of the target item in a stealthy way, without harming the accuracy of the poisoned recommender; and 2) existing defenses are not effective enough, highlighting the need for new defenses against our local model poisoning attacks on federated recommender systems.



    Published In

    WSDM '22: Proceedings of the Fifteenth ACM International Conference on Web Search and Data Mining
    February 2022
    1690 pages
    ISBN:9781450391320
    DOI:10.1145/3488560

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. deep learning
    2. federated recommender system
    3. poisoning attack

    Qualifiers

    • Research-article

    Conference

    WSDM '22

    Acceptance Rates

    Overall Acceptance Rate 498 of 2,863 submissions, 17%


    Article Metrics

    • Downloads (Last 12 months): 204
    • Downloads (Last 6 weeks): 15
    Reflects downloads up to 13 Feb 2025

    Cited By

    • (2025) Privacy-preserved and Responsible Recommenders: From Conventional Defense to Federated Learning and Blockchain. ACM Computing Surveys 57:5 (1-35). DOI: 10.1145/3708982. Online publication date: 9-Jan-2025
    • (2025) A Survey on Federated Recommendation Systems. IEEE Transactions on Neural Networks and Learning Systems 36:1 (6-20). DOI: 10.1109/TNNLS.2024.3354924. Online publication date: Jan-2025
    • (2025) HidAttack: An Effective and Undetectable Model Poisoning Attack to Federated Recommenders. IEEE Transactions on Knowledge and Data Engineering 37:3 (1227-1240). DOI: 10.1109/TKDE.2024.3522763. Online publication date: Mar-2025
    • (2024) PTF-FSR: A Parameter Transmission-Free Federated Sequential Recommender System. ACM Transactions on Information Systems 43:2 (1-24). DOI: 10.1145/3708344. Online publication date: 12-Dec-2024
    • (2024) Defending Federated Recommender Systems against Untargeted Attacks: A Contribution-Aware Robust Aggregation Scheme. ACM Transactions on Knowledge Discovery from Data 19:1 (1-28). DOI: 10.1145/3706112. Online publication date: 28-Nov-2024
    • (2024) Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures. ACM Computing Surveys 57:1 (1-39). DOI: 10.1145/3677328. Online publication date: 7-Oct-2024
    • (2024) Adversarial Item Promotion on Visually-Aware Recommender Systems by Guided Diffusion. ACM Transactions on Information Systems 42:6 (1-26). DOI: 10.1145/3666088. Online publication date: 19-Aug-2024
    • (2024) Not One Less: Exploring Interplay between User Profiles and Items in Untargeted Attacks against Federated Recommendation. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (2889-2903). DOI: 10.1145/3658644.3670365. Online publication date: 2-Dec-2024
    • (2024) Horizontal Federated Recommender System: A Survey. ACM Computing Surveys 56:9 (1-42). DOI: 10.1145/3656165. Online publication date: 8-May-2024
    • (2024) A Survey on Trustworthy Recommender Systems. ACM Transactions on Recommender Systems 3:2 (1-68). DOI: 10.1145/3652891. Online publication date: 13-Apr-2024
