Federated recommender systems (FedRecs) have been widely explored recently due to their ability to protect user data privacy. In FedRecs, a central server collaboratively learns recommendation models by sharing public model parameters with clients, thereby offering a privacy-preserving solution. Unfortunately, the exposure of model parameters leaves a backdoor for adversaries to manipulate FedRecs. Existing work on FedRec security already reveals that items can easily be promoted by malicious users via model poisoning attacks, but all of it focuses mainly on FedRecs that use only collaborative information (i.e., user-item interactions). We argue that these attacks are effective because of the data sparsity of collaborative signals. In practice, auxiliary information, such as products' visual descriptions, is used to alleviate the sparsity of collaborative filtering data. Therefore, when visual information is incorporated into FedRecs, the effectiveness of all existing model poisoning attacks becomes questionable. In this paper, we conduct extensive experiments to verify that incorporating visual information can defeat existing state-of-the-art attacks in reasonable settings. However, since visual information is usually provided by external sources, simply including it creates new security problems. Specifically, we propose a new kind of poisoning attack for visually-aware FedRecs, namely image poisoning attacks, in which adversaries gradually modify the uploaded image to manipulate item ranks during the FedRecs' training process. Furthermore, we reveal that potential collaboration between image poisoning attacks and model poisoning attacks makes visually-aware FedRecs even more vulnerable to manipulation. To use visual information safely, we employ a diffusion model in visually-aware FedRecs to purify each uploaded image and detect adversarial images.