Dazhong Rong,Shuai Ye,Ruoyan Zhao,Hon Ning Yuen,Jianhai Chen,Qinming He

DOI: https://doi.org/10.1109/icde53745.2022.00243

2022-01-01

Abstract:Federated Recommendation (FR) has received considerable popularity and attention in the past few years. In FR, for each user, its feature vector and interaction data are kept locally on its own client thus are private to others. Without the access to above information, most existing poisoning attacks against recommender systems or federated learning lose validity. Benifiting from this characteristic, FR is commonly considered fairly secured. However, we argue that there is still possible and necessary security improvement could be made in FR. To prove our opinion, in this paper we present FedRecAttack, a model poisoning attack to FR aiming to raise the exposure ratio of target items. In most recommendation scenarios, apart from private user-item interactions (e.g., clicks, watches and purchases), some interactions are public (e.g., likes, follows and comments). Motivated by this point, in FedRecAttack we make use of the public interactions to approximate users' feature vectors, thereby attacker can generate poisoned gradients accordingly and control malicious users to upload the poisoned gradients in a well-designed way. To evaluate the effectiveness and side effects of FedRecAttack, we conduct extensive experiments on three real-world datasets of different sizes from two completely different scenarios. Experimental results demonstrate that our proposed FedRecAttack achieves the state-of-the-art effectiveness while its side effects are negligible. Moreover, even with small proportion (3%) of malicious users and small proportion (1%) of public interactions, FedRecAttack remains highly effective, which reveals that FR is more vulnerable to attack than people commonly considered.

Dazhong Rong,Qinming He,Jianhai Chen

DOI: https://doi.org/10.24963/ijcai.2022/306

2022-01-01

Abstract:Various attack methods against recommender systems have been proposed in the past years, and the security issues of recommender systems have drawn considerable attention. Traditional attacks attempt to make target items recommended to as many users as possible by poisoning the training data. Benifiting from the feature of protecting users' private data, federated recommendation can effectively defend such attacks. Therefore, quite a few works have devoted themselves to developing federated recommender systems. For proving current federated recommendation is still vulnerable, in this work we probe to design attack approaches targeting deep learning based recommender models in federated learning scenarios. Specifically, our attacks generate poisoned gradients for manipulated malicious users to upload based on two strategies (i.e., random approximation and hard user mining). Extensive experiments show that our well-designed attacks can effectively poison the target models, and the attack effectiveness sets the state-of-the-art.

Yang Yu,Qi Liu,Likang Wu,Runlong Yu,Sanshi Lei Yu,Zaixi Zhang

DOI: https://doi.org/10.1609/aaai.v37i4.25611

2023-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Federated recommendation (FedRec) can train personalized recommenders without collecting user data, but the decentralized nature makes it susceptible to poisoning attacks. Most previous studies focus on the targeted attack to promote certain items, while the untargeted attack that aims to degrade the overall performance of the FedRec system remains less explored. In fact, untargeted attacks can disrupt the user experience and bring severe financial loss to the service provider. However, existing untargeted attack methods are either inapplicable or ineffective against FedRec systems. In this paper, we delve into the untargeted attack and its defense for FedRec systems. (i) We propose ClusterAttack, a novel untargeted attack method. It uploads poisonous gradients that converge the item embeddings into several dense clusters, which make the recommender generate similar scores for these items in the same cluster and perturb the ranking order. (ii) We propose a uniformity-based defense mechanism (UNION) to protect FedRec systems from such attacks. We design a contrastive learning task that regularizes the item embeddings toward a uniform distribution. Then the server filters out these malicious gradients by estimating the uniformity of updated item embeddings. Experiments on two public datasets show that ClusterAttack can effectively degrade the performance of FedRec systems while circumventing many defense methods, and UNION can improve the resistance of the system against various untargeted attacks, including our ClusterAttack.

Shijie Zhang,Hongzhi Yin,Tong Chen,Zi Huang,Quoc Viet Hung Nguyen,Lizhen Cui

DOI: https://doi.org/10.48550/arXiv.2110.10926

2021-10-21

Abstract:Due to the growing privacy concerns, decentralization emerges rapidly in personalized services, especially recommendation. Also, recent studies have shown that centralized models are vulnerable to poisoning attacks, compromising their integrity. In the context of recommender systems, a typical goal of such poisoning attacks is to promote the adversary's target items by interfering with the training dataset and/or process. Hence, a common practice is to subsume recommender systems under the decentralized federated learning paradigm, which enables all user devices to collaboratively learn a global recommender while retaining all the sensitive data locally. Without exposing the full knowledge of the recommender and entire dataset to end-users, such federated recommendation is widely regarded `safe' towards poisoning attacks. In this paper, we present a systematic approach to backdooring federated recommender systems for targeted item promotion. The core tactic is to take advantage of the inherent popularity bias that commonly exists in data-driven recommenders. As popular items are more likely to appear in the recommendation list, our innovatively designed attack model enables the target item to have the characteristics of popular items in the embedding space. Then, by uploading carefully crafted gradients via a small number of malicious users during the model update, we can effectively increase the exposure rate of a target (unpopular) item in the resulted federated recommender. Evaluations on two real-world datasets show that 1) our attack model significantly boosts the exposure rate of the target item in a stealthy way, without harming the accuracy of the poisoned recommender; and 2) existing defenses are not effective enough, highlighting the need for new defenses against our local model poisoning attacks to federated recommender systems.

Information Retrieval,Artificial Intelligence

Wei Yuan,Quoc Viet Hung Nguyen,Tieke He,Liang Chen,Hongzhi Yin

2023-04-15

Abstract:Federated Recommender Systems (FedRecs) are considered privacy-preserving techniques to collaboratively learn a recommendation model without sharing user data. Since all participants can directly influence the systems by uploading gradients, FedRecs are vulnerable to poisoning attacks of malicious clients. However, most existing poisoning attacks on FedRecs are either based on some prior knowledge or with less effectiveness. To reveal the real vulnerability of FedRecs, in this paper, we present a new poisoning attack method to manipulate target items' ranks and exposure rates effectively in the top-$K$ recommendation without relying on any prior knowledge. Specifically, our attack manipulates target items' exposure rate by a group of synthetic malicious users who upload poisoned gradients considering target items' alternative products. We conduct extensive experiments with two widely used FedRecs (Fed-NCF and Fed-LightGCN) on two real-world recommendation datasets. The experimental results show that our attack can significantly improve the exposure rate of unpopular target items with extremely fewer malicious users and fewer global epochs than state-of-the-art attacks. In addition to disclosing the security hole, we design a novel countermeasure for poisoning attacks on FedRecs. Specifically, we propose a hierarchical gradient clipping with sparsified updating to defend against existing poisoning attacks. The empirical results demonstrate that the proposed defending mechanism improves the robustness of FedRecs.

Information Retrieval

Ming Yin,Yichang Xu,Minghong Fang,Neil Zhenqiang Gong

2024-02-19

Abstract:Federated recommendation is a prominent use case within federated learning, yet it remains susceptible to various attacks, from user to server-side vulnerabilities. Poisoning attacks are particularly notable among user-side attacks, as participants upload malicious model updates to deceive the global model, often intending to promote or demote specific targeted items. This study investigates strategies for executing promotion attacks in federated recommender systems. Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity. However, such information is challenging for the potential attacker to obtain. Thus, there is a need to develop an attack that requires no extra information apart from item embeddings obtained from the server. In this paper, we introduce a novel fake user based poisoning attack named PoisonFRS to promote the attacker-chosen targeted item in federated recommender systems without requiring knowledge about user-item rating data, user attributes, or the aggregation rule used by the server. Extensive experiments on multiple real-world datasets demonstrate that PoisonFRS can effectively promote the attacker-chosen targeted item to a large portion of genuine users and outperform current benchmarks that rely on additional information about the system. We further observe that the model updates from both genuine and fake users are indistinguishable within the latent space.

Cryptography and Security,Information Retrieval,Machine Learning

Ruiqi Zheng,Liang Qu,Tong Chen,Kai Zheng,Yuhui Shi,Hongzhi Yin

2024-04-01

Abstract:To make room for privacy and efficiency, the deployment of many recommender systems is experiencing a shift from central servers to personal devices, where the federated recommender systems (FedRecs) and decentralized collaborative recommender systems (DecRecs) are arguably the two most representative paradigms. While both leverage knowledge (e.g., gradients) sharing to facilitate learning local models, FedRecs rely on a central server to coordinate the optimization process, yet in DecRecs, the knowledge sharing directly happens between clients. Knowledge sharing also opens a backdoor for model poisoning attacks, where adversaries disguise themselves as benign clients and disseminate polluted knowledge to achieve malicious goals like promoting an item's exposure rate. Although research on such poisoning attacks provides valuable insights into finding security loopholes and corresponding countermeasures, existing attacks mostly focus on FedRecs, and are either inapplicable or ineffective for DecRecs. Compared with FedRecs where the tampered information can be universally distributed to all clients once uploaded to the cloud, each adversary in DecRecs can only communicate with neighbor clients of a small size, confining its impact to a limited range. To fill the gap, we present a novel attack method named Poisoning with Adaptive Malicious Neighbors (PAMN). With item promotion in top-K recommendation as the attack objective, PAMN effectively boosts target items' ranks with several adversaries that emulate benign clients and transfers adaptively crafted gradients conditioned on each adversary's neighbors. Moreover, with the vulnerabilities of DecRecs uncovered, a dedicated defensive mechanism based on user-level gradient clipping with sparsified updating is proposed. Extensive experiments demonstrate the effectiveness of the poisoning attack and the robustness of our defensive mechanism.

Cryptography and Security,Information Retrieval

Chuhan Wu,Fangzhao Wu,Tao Qi,Yongfeng Huang,Xing Xie

DOI: https://doi.org/10.48550/arXiv.2202.04975

2022-02-10

Abstract:Federated learning (FL) is a feasible technique to learn personalized recommendation models from decentralized user data. Unfortunately, federated recommender systems are vulnerable to poisoning attacks by malicious clients. Existing recommender system poisoning methods mainly focus on promoting the recommendation chances of target items due to financial incentives. In fact, in real-world scenarios, the attacker may also attempt to degrade the overall performance of recommender systems. However, existing general FL poisoning methods for degrading model performance are either ineffective or not concealed in poisoning federated recommender systems. In this paper, we propose a simple yet effective and covert poisoning attack method on federated recommendation, named FedAttack. Its core idea is using globally hardest samples to subvert model training. More specifically, the malicious clients first infer user embeddings based on local user profiles. Next, they choose the candidate items that are most relevant to the user embeddings as hardest negative samples, and find the candidates farthest from the user embeddings as hardest positive samples. The model gradients inferred from these poisoned samples are then uploaded to the server for aggregation and model update. Since the behaviors of malicious clients are somewhat similar to users with diverse interests, they cannot be effectively distinguished from normal clients by the server. Extensive experiments on two benchmark datasets show that FedAttack can effectively degrade the performance of various federated recommender systems, meanwhile cannot be effectively detected nor defended by many existing methods.

Information Retrieval

Chen Chen,Zhang Jingfeng,Tung Anthony K. H.,Kankanhalli Mohan,Chen Gang

2020-01-01

Abstract: Federated recommendation systems can provide good performance without collecting users' private data, making them attractive. However, they are susceptible to low-cost poisoning attacks that can degrade their performance. In this paper, we develop a novel federated recommendation technique that is robust against the poisoning attack where Byzantine clients prevail. We argue that the key to Byzantine detection is monitoring of gradients of the model parameters of clients. We then propose a robust learning strategy where instead of using model parameters, the central server computes and utilizes the gradients to filter out Byzantine clients. Theoretically, we justify our robust learning strategy by our proposed definition of Byzantine resilience. Empirically, we confirm the efficacy of our robust learning strategy employing four datasets in a federated recommendation system.

Wei Yuan,Chaoqun Yang,Liang Qu,Guanhua Ye,Quoc Viet Hung Nguyen,Hongzhi Yin

2024-03-29

Abstract:Federated Recommender Systems (FedRecs) have garnered increasing attention recently, thanks to their privacy-preserving benefits. However, the decentralized and open characteristics of current FedRecs present two dilemmas. First, the performance of FedRecs is compromised due to highly sparse on-device data for each client. Second, the system's robustness is undermined by the vulnerability to model poisoning attacks launched by malicious users. In this paper, we introduce a novel contrastive learning framework designed to fully leverage the client's sparse data through embedding augmentation, referred to as CL4FedRec. Unlike previous contrastive learning approaches in FedRecs that necessitate clients to share their private parameters, our CL4FedRec aligns with the basic FedRec learning protocol, ensuring compatibility with most existing FedRec implementations. We then evaluate the robustness of FedRecs equipped with CL4FedRec by subjecting it to several state-of-the-art model poisoning attacks. Surprisingly, our observations reveal that contrastive learning tends to exacerbate the vulnerability of FedRecs to these attacks. This is attributed to the enhanced embedding uniformity, making the polluted target item embedding easily proximate to popular items. Based on this insight, we propose an enhanced and robust version of CL4FedRec (rCL4FedRec) by introducing a regularizer to maintain the distance among item embeddings with different popularity levels. Extensive experiments conducted on four commonly used recommendation datasets demonstrate that CL4FedRec significantly enhances both the model's performance and the robustness of FedRecs.

Information Retrieval

Wei Yuan,Shilong Yuan,Chaoqun Yang,Quoc Viet Hung Nguyen,Hongzhi Yin

DOI: https://doi.org/10.48550/arXiv.2305.08183

2023-05-17

Abstract:Federated recommender systems (FedRecs) have been widely explored recently due to their ability to protect user data privacy. In FedRecs, a central server collaboratively learns recommendation models by sharing model public parameters with clients, thereby offering a privacy-preserving solution. Unfortunately, the exposure of model parameters leaves a backdoor for adversaries to manipulate FedRecs. Existing works about FedRec security already reveal that items can easily be promoted by malicious users via model poisoning attacks, but all of them mainly focus on FedRecs with only collaborative information (i.e., user-item interactions). We argue that these attacks are effective because of the data sparsity of collaborative signals. In practice, auxiliary information, such as products' visual descriptions, is used to alleviate collaborative filtering data's sparsity. Therefore, when incorporating visual information in FedRecs, all existing model poisoning attacks' effectiveness becomes questionable. In this paper, we conduct extensive experiments to verify that incorporating visual information can beat existing state-of-the-art attacks in reasonable settings. However, since visual information is usually provided by external sources, simply including it will create new security problems. Specifically, we propose a new kind of poisoning attack for visually-aware FedRecs, namely image poisoning attacks, where adversaries can gradually modify the uploaded image to manipulate item ranks during FedRecs' training process. Furthermore, we reveal that the potential collaboration between image poisoning attacks and model poisoning attacks will make visually-aware FedRecs more vulnerable to being manipulated. To safely use visual information, we employ a diffusion model in visually-aware FedRecs to purify each uploaded image and detect the adversarial images.

Information Retrieval

Geming Xia,Jian Chen,Xinyi Huang,Chaodong Yu,Zhong Zhang

DOI: https://doi.org/10.1109/compsac57700.2023.00101

2023-01-01

Abstract:Federated learning allows participants to share models (gradients) rather than raw data to collaboratively train a global model, enhancing participants' privacy protection but making the global model more vulnerable to poisoning attacks. Poisoning attacks not only lead to the degradation of model performance but also cause a security risk. A mainstream defense strategy against poisoning attacks is that the server identifies malicious models by analyzing the models uploaded by participants. However, the attackers can use the models uploaded by the participants to recover their privacy data, leading to a privacy disclosure. Therefore, participants need to encrypt or perturb the models before uploading them so that all individuals, including the server, cannot access the model, which poses a great challenge for the defense against poisoning attacks. Moreover, many existing defense strategies against poisoning attacks only work well when the data distribution is non-independently and identically distributed. To address these issues, we propose a novel defense strategy for poisoning attacks of federated learning called FL-PTD, which can judge whether the global model is subjected to poisoning attacks without accessing the participant's local model. Besides, Our method incorporates a trust evaluation mechanism, which computes reputation scores based on the historical behavior of participants to identify malicious participants. Finally, we verify our proposed method on several real world datasets. The experimental results show that our method can effectively defend against poisoning attacks and accurately identify attackers without compromising the model's performance.

Qi Hu,Yangqiu Song

DOI: https://doi.org/10.1145/3616855.3635830

2023-12-23

Abstract:Recommender systems can be privacy-sensitive. To protect users' private historical interactions, federated learning has been proposed in distributed learning for user representations. Using federated recommender (FedRec) systems, users can train a shared recommendation model on local devices and prevent raw data transmissions and collections. However, the recommendation model learned by a common FedRec may still be vulnerable to private information leakage risks, particularly attribute inference attacks, which means that the attacker can easily infer users' personal attributes from the learned model. Additionally, traditional FedRecs seldom consider the diverse privacy preference of users, leading to difficulties in balancing the recommendation utility and privacy preservation. Consequently, FedRecs may suffer from unnecessary recommendation performance loss due to over-protection and private information leakage simultaneously. In this work, we propose a novel user-consented federated recommendation system (UC-FedRec) to flexibly satisfy the different privacy needs of users by paying a minimum recommendation accuracy price. UC-FedRec allows users to self-define their privacy preferences to meet various demands and makes recommendations with user consent. Experiments conducted on different real-world datasets demonstrate that our framework is more efficient and flexible compared to baselines.

Information Retrieval,Cryptography and Security,Machine Learning

Wei Yuan,Chaoqun Yang,Quoc Viet Hung Nguyen,Lizhen Cui,Tieke He,Hongzhi Yin

DOI: https://doi.org/10.1145/3543507.3583359

2023-01-01

Abstract:The marriage of federated learning and recommender system (FedRec) has been widely used to address the growing data privacy concerns in personalized recommendation services. In FedRecs, users' attribute information and behavior data (i.e., user-item interaction data) are kept locally on their personal devices, therefore, it is considered a fairly secure approach to protect user privacy. As a result, the privacy issue of FedRecs is rarely explored. Unfortunately, several recent studies reveal that FedRecs are vulnerable to user attribute inference attacks, highlighting the privacy concerns of FedRecs. In this paper, we further investigate the privacy problem of user behavior data (i.e., user-item interactions) in FedRecs. Specifically, we perform the first systematic study on interaction-level membership inference attacks on FedRecs. An interaction-level membership inference attacker is first designed, and then the classical privacy protection mechanism, Local Differential Privacy (LDP), is adopted to defend against the membership inference attack. Unfortunately, the empirical analysis shows that LDP is not effective against such new attacks unless the recommendation performance is largely compromised. To mitigate the interaction-level membership attack threats, we design a simple yet effective defense method to significantly reduce the attacker's inference accuracy without losing recommendation performance. Extensive experiments are conducted with two widely used FedRecs (Fed-NCF and Fed-LightGCN) on three real-world recommendation datasets (MovieLens-100K, Steam-200K, and Amazon Cell Phone), and the experimental results show the effectiveness of our solutions.

Jinyuan Jia,Yupei Liu,Yuepeng Hu,Neil Zhenqiang Gong

DOI: https://doi.org/10.48550/arXiv.2303.14601

2023-03-26

Abstract:Data poisoning attacks spoof a recommender system to make arbitrary, attacker-desired recommendations via injecting fake users with carefully crafted rating scores into the recommender system. We envision a cat-and-mouse game for such data poisoning attacks and their defenses, i.e., new defenses are designed to defend against existing attacks and new attacks are designed to break them. To prevent such a cat-and-mouse game, we propose PORE, the first framework to build provably robust recommender systems in this work. PORE can transform any existing recommender system to be provably robust against any untargeted data poisoning attacks, which aim to reduce the overall performance of a recommender system. Suppose PORE recommends top-$N$ items to a user when there is no attack. We prove that PORE still recommends at least $r$ of the $N$ items to the user under any data poisoning attack, where $r$ is a function of the number of fake users in the attack. Moreover, we design an efficient algorithm to compute $r$ for each user. We empirically evaluate PORE on popular benchmark datasets.

Cryptography and Security,Information Retrieval,Machine Learning

Thar Baker,Tong Li,Jingyu Jia,Baolei Zhang,Chang Tan,Albert Y. Zomaya

DOI: https://doi.org/10.1109/tdsc.2024.3354462

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Personalized recommendation is deemed ubiquitous. Indeed, it has been applied to several online services (e.g., E-commerce, advertising, and social media applications, to name a few). Learning unknown user preferences from user-provided data lies at the core of modern collaborative filtering recommender systems. However, there is an incentive for malicious attackers to manipulate the learned preferences, which could affect business decision making, by injecting poisoned data. In the face of such a poisoning attack, while previous works have proposed a number of defense methods succeeding in other machine learning (ML) tasks, little is effective for collaborative filtering (CF). Thereof, we present a new defense scheme called poison-tolerant collaborative filtering (PTCF), which is highly robust against poisoning attacks on collaborative filtering. Different from the defenses that remove outliers or search a min-loss subset, the PTCF scheme enables collaborative filtering on an attacked training dataset while guarantees system's availability and integrity. We evaluate extensively the PTCF scheme on a public dataset (Jester) and two real-world datasets (Movie and E-Shopping), and demonstrate that the PTCF scheme is significantly effective in providing robustness.

computer science, information systems, software engineering, hardware & architecture

Yuni Lai,Yulin Zhu,Wenqi Fan,Xiaoge Zhang,Kai Zhou

DOI: https://doi.org/10.48550/arXiv.2211.11534

2023-05-20

Abstract:The robustness of recommender systems under node injection attacks has garnered significant attention. Recently, GraphRfi, a GNN-based recommender system, was proposed and shown to effectively mitigate the impact of injected fake users. However, we demonstrate that GraphRfi remains vulnerable to attacks due to the supervised nature of its fraudster detection component, where obtaining clean labels is challenging in practice. In particular, we propose a powerful poisoning attack, MetaC, against both GNN-based and MF-based recommender systems. Furthermore, we analyze why GraphRfi fails under such an attack. Then, based on our insights obtained from vulnerability analysis, we design an adaptive fraudster detection module that explicitly considers label uncertainty. This module can serve as a plug-in for different recommender systems, resulting in a robust framework named PDR. Comprehensive experiments show that our defense approach outperforms other benchmark methods under attacks. Overall, our research presents an effective framework for integrating fraudster detection into recommendation systems to achieve adversarial robustness.

Information Retrieval,Artificial Intelligence,Cryptography and Security,Machine Learning

Xiuwen Liu,Yanjiao Chen,Shanchen Pang

DOI: https://doi.org/10.1109/tifs.2024.3453031

IF: 7.231

2024-09-14

IEEE Transactions on Information Forensics and Security

Abstract:When it comes to the marriage of federated learning and personalized recommendation services (FedRec), characterizing user-item interaction behaviors is a long-standing and unresolved issue, highlighting the growing data privacy concerns due to the inherent openness of recommender systems. As the new interaction-level membership inference attacks on FedRecs have recently surfaced, quite possibly such adversarial attacks act as the hidden confounders lying behind the interactive recommendation, resulting in the obstruction of the causal effect disentanglement on long-term user satisfaction. As such, tailored to the specifics of private learning, we propose a counterfactual interactive recommendation system that builds a differentially private representation learning based defender (CIRDP) to capture and mitigate the adversarial threats, augmenting causal inference-based interactive recommendation of FedRecs. When characterizing interaction-level membership inference attacks of the hidden eavesdropping adversary as the primary cause of adversarial effect on user satisfaction, CIRDP incorporates causal inference-augmented offline reinforcement learning (offline RL) into FedRecs. CIRDP innovatively provides counterfactual satisfaction by optimizing a sensitivity-guided disentangled representation module with an innovative two-fold mutual information objective. As such, CIRDP introduces a differentially private representation learning based defender, guaranteeing interaction behavior-level differential privacy (DP) with a significant reduction in privacy costs. Extensive comparisons demonstrate CIRDP's superiority over the state-of-the-art baselines in reducing inference attack threats and improving long-term success in the interactive recommendation.

computer science, theory & methods,engineering, electrical & electronic

Yinbin Miao,Xinru Yan,Xinghua Li,Shujiang Xu,Ximeng Liu,Hongwei Li,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2024.3402113

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Federated learning not only realizes collaborative training of models, but also effectively maintains user privacy. However, with the widespread application of privacy-preserving federated learning, poisoning attacks threaten the model utility. Existing defense schemes suffer from a series of problems, including low accuracy, low robustness and reliance on strong assumptions, which limit the practicability of federated learning. To solve these problems, we propose a Robustness-enhanced privacy-preserving Federated learning with scaled dot-product attention (RFed) under dual-server model. Specifically, we design a highly robust defense mechanism that uses a dual-server model instead of traditional single-server model to significantly improve model accuracy and completely eliminate the reliance on strong assumptions. Formal security analysis proves that our scheme achieves convergence and provides privacy protection, and extensive experiments demonstrate that our scheme reduces high computational overhead while guaranteeing privacy preservation and model accuracy, and ensures that the failure rate of poisoning attacks is higher than 96%.

computer science, theory & methods,engineering, electrical & electronic

Honglei Zhang,Xin Zhou,Zhiqi Shen,Yidong Li

DOI: https://doi.org/10.1109/TNNLS.2024.3387757

2024-04-22

Abstract:Federated recommender systems (FRSs), with their improved privacy-preserving advantages to jointly train recommendation models from numerous devices while keeping user data distributed, have been widely explored in modern recommender systems (RSs). However, conventional FRSs require transmitting the entire model between the server and clients, which brings a huge carbon footprint for cost-conscious cross-device learning tasks. While several efforts have been dedicated to improving the efficiency of FRSs, it's suboptimal to treat the whole model as the objective of compact design. Besides, current research fails to handle the out-of-vocabulary (OOV) issue in real-world FRSs, where the items only occasionally appear in the testing phase but were not observed during the training process, which is another practical challenge and has not been well studied yet. To this end, we propose a privacy-enhanced federated recommendation framework with shared hash embedding, PrivFR, in cross-device settings, which is an efficient representation mechanism specialized for the embedding parameters without compromising the model capability. Specifically, it represents items in a resource-efficient way by delicately utilizing shared hash embedding and multiple hash functions. As such, it just maintains a small shared pool of hash embedding in local clients, rather than fitting all embedding vectors for each item, which can exactly achieve the dual advantages of conserving resources and handling the OOV issue. What's more, we prove that this mechanism can protect the data privacy of local clients from a theoretical perspective. Extensive experiments show that our method not only effectively reduces storage and communication overheads, but also outperforms state-of-the-art FRSs.