New Study Introduces Targeted Poisoning Attack on Federated Recommender Systems

Global: New Study Introduces Targeted Poisoning Attack on Federated Recommender Systems

A team of machine learning researchers has unveiled a novel poisoning technique that specifically manipulates recommendations for designated user subgroups within federated recommender systems. The method, detailed in a preprint posted to arXiv in July 2025, aims to exploit privacy-preserving collaborative filtering while remaining covert. By focusing on subpopulations rather than the entire user base, the attack seeks to increase effectiveness and reduce detection risk.

Federated recommender systems enable personalized content delivery without centralizing user data, thereby enhancing privacy. Nonetheless, prior research has demonstrated that malicious participants can inject crafted gradient updates to bias recommendations across all users. Such broad‑scope attacks often raise suspicion and are more readily identified by existing defense mechanisms.

Limitations of Existing Poisoning Strategies

Earlier attacks typically target the full user group, which compromises stealth and elevates the likelihood of detection. Moreover, indiscriminate manipulation can degrade overall recommendation quality, prompting platform operators to investigate anomalies more aggressively.

Introducing Spattack

The newly proposed approach, named Spattack, adopts an “approximate‑and‑promote” paradigm. It first approximates the latent embeddings of both target and non‑target subgroups, then deliberately promotes items of interest to the target subgroup. This two‑step process enables precise influence over a narrow user segment while leaving the broader population largely unaffected.

Technical Enhancements

To improve the trade‑off between attack potency and collateral impact, the authors integrate contrastive learning to push subgroup embeddings apart and employ clustering to expand the target subgroup’s relevant item set. Additionally, they align embeddings of target items with related items and apply an adaptive weighting scheme that balances promotional effects across subgroups.

Empirical Evaluation

Experiments conducted on three real‑world datasets reveal that Spattack can achieve strong recommendation bias for the target subgroup even when only 0.1% of participants act maliciously. The attack produces minimal degradation for non‑target users and preserves overall recommendation accuracy, according to the reported metrics.

Robustness and Defense

Further testing indicates that Spattack remains effective against several mainstream defense strategies, including robust aggregation and anomaly detection techniques. The authors also note that the attack does not significantly impair the system’s baseline performance, which may complicate detection efforts.

Implications for Federated Learning Security

The findings highlight an emerging threat vector for privacy‑preserving recommendation platforms. Stakeholders may need to develop subgroup‑aware monitoring tools and refine aggregation protocols to mitigate targeted poisoning without sacrificing the benefits of federated learning.

This report is based on information from arXiv, licensed under See original source. Source attribution required.