Federated recommendation is a prominent use case within federated learning, yet it remains susceptible to various attacks, from user-side to server-side vulnerabilities. Poisoning attacks are particularly notable among user-side attacks: participants upload malicious model updates to deceive the global model, often intending to promote or demote specific targeted items. This study investigates strategies for executing promotion attacks in federated recommender systems. Current poisoning attacks on federated recommender systems often rely on additional information, such as the local training data of genuine users or item popularity. However, such information is challenging for a potential attacker to obtain. Thus, there is a need to develop an attack that requires no extra information apart from the item embeddings obtained from the server. In this paper, we introduce a novel fake-user-based poisoning attack named PoisonFRS that promotes the attacker-chosen targeted item in federated recommender systems without requiring knowledge of user-item rating data, user attributes, or the aggregation rule used by the server. Extensive experiments on multiple real-world datasets demonstrate that PoisonFRS can effectively promote the attacker-chosen targeted item to a large portion of genuine users and outperforms current benchmarks that rely on additional information about the system. We further observe that the model updates from genuine and fake users are indistinguishable within the latent space.
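The abstract treats the server's aggregation rule as something the attacker need not know, which makes it worth seeing, from the server's side, how much a rule limits the influence of a minority of outlier updates on one item's embedding. The following is an added example written for this page, not code from the paper or its authors, and it does not implement PoisonFRS: it constructs a toy round in which 90 genuine clients submit small random updates for a single item embedding and 10 constructed outlier clients submit a large fixed update, then measures how far plain averaging versus coordinate-wise median aggregation moves the aggregated update. The dimension `D`, the update magnitudes and the client counts are all constructed assumptions.

```python
import random
from typing import Callable, List

# Constructed setting: each client sends a D-dimensional update for ONE item embedding.
D = 4
Update = List[float]
Rule = Callable[[List[Update]], Update]


def mean_aggregate(updates: List[Update]) -> Update:
    """Plain FedAvg-style averaging: every client gets equal weight, so a constant
    outlier update shifts the result by (n_fake / n_total) * its magnitude."""
    n = len(updates)
    return [sum(u[j] for u in updates) / n for j in range(D)]


def median_aggregate(updates: List[Update]) -> Update:
    """Coordinate-wise median: a minority of outliers can only move the result by
    a few order statistics, regardless of how large their updates are."""
    out = []
    for j in range(D):
        col = sorted(u[j] for u in updates)
        m = len(col)
        out.append(col[m // 2] if m % 2 else (col[m // 2 - 1] + col[m // 2]) / 2)
    return out


def l2(v: Update) -> float:
    return sum(x * x for x in v) ** 0.5


def aggregation_shift(n_genuine: int, n_fake: int, rule: Rule, seed: int = 0) -> float:
    """Return the L2 distance between the aggregated update with and without the
    constructed outlier clients. A larger value means the rule lets a fixed-size
    minority pull the item embedding further per round."""
    rng = random.Random(seed)
    # Constructed genuine updates: small zero-mean noise around the honest gradient.
    genuine = [[rng.gauss(0.0, 0.1) for _ in range(D)] for _ in range(n_genuine)]
    # Constructed outlier updates: a large constant push along every coordinate.
    outliers = [[2.0] * D for _ in range(n_fake)]
    clean = rule(genuine)
    mixed = rule(genuine + outliers)
    return l2([p - c for p, c in zip(mixed, clean)])


if __name__ == "__main__":
    for name, rule in (("mean", mean_aggregate), ("median", median_aggregate)):
        print(f"{name:>6}: shift per round = {aggregation_shift(90, 10, rule):.4f}")
```

The gap between the two numbers is the only thing this toy shows: with 10% outlier clients and plain averaging the aggregated update moves by roughly a tenth of the outlier magnitude per round, while the coordinate-wise median moves by a few hundredths. It is a measurement of a rule's per-round influence bound, not evidence about the paper's attack; the abstract's claim is precisely that PoisonFRS succeeds without knowing which rule is in use, so a robust rule is a cost imposed on the attacker, not a guarantee.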