Federated recommender systems (FedRec) have emerged as a promising approach to provide personalized recommendations while protecting user privacy. However, recent studies have shown their vulnerability to poisoning attacks, where malicious clients inject crafted gradients to promote target items to benign users. Existing attacks typically target the full user group, which compromises stealth and increases detection risk. In contrast, real-world adversaries may prefer to target specific user subgroups, such as promoting health supplements to older individuals, to maximize effectiveness while preserving stealth. Motivated by this gap, we introduce Spattack, the first poisoning attack designed to manipulate recommendations for specific user subgroups in federated settings. Spattack adopts an approximate-and-promote paradigm, which approximates user embeddings of target and non-target subgroups and then promotes target items to the target subgroup. We further reveal a trade-off between strong attack performance on the target subgroup and limited impact on the non-target subgroup. To achieve a better trade-off, we propose enhanced approximation and promotion strategies. For approximation, we push embeddings of different subgroups apart via contrastive learning and augment the target subgroup's relevant item set through clustering. For promotion, we align embeddings of target items and relevant items to strengthen their semantic connections, together with an adaptive weighting strategy to balance effects across subgroups. Experiments on three real-world datasets demonstrate that Spattack achieves strong attack performance on the target subgroup with minimal impact on non-target users, even when only 0.1% of users are malicious. Moreover, Spattack maintains competitive recommendation performance and shows strong resilience against mainstream defenses.