Recently, researchers have successfully employed Graph Neural Networks (GNNs) to build enhanced recommender systems, owing to their ability to learn patterns from the interactions between the involved entities. In addition, previous studies have investigated federated learning as the main solution for a native privacy-preserving mechanism that builds a global GNN model without collecting sensitive data in a single computation unit. Still, privacy issues can arise, since analysis of the local model updates produced by federated clients can leak information about the sensitive local data. For this reason, experts have proposed solutions that combine federated learning with Differential Privacy strategies and with community-driven approaches, which mix in data from neighboring clients so that each local update depends less on the client's own sensitive data. In this paper, we identify a crucial security flaw in such a configuration and design an attack capable of deceiving state-of-the-art defenses for federated learning. The proposed attack has two operating modes: the first targets convergence inhibition (Adversarial Mode), and the second aims to plant a deceptive rating injection in the global federated model (Backdoor Mode). The experimental results show the effectiveness of the attack in both modes: an average 60% performance degradation across all Adversarial Mode tests, and fully effective backdoors in 93% of the Backdoor Mode tests.