Spattack: Subgroup Poisoning Attacks on Federated Recommender Systems


Federated recommender systems (FedRec) have emerged as a promising approach to provide personalized recommendations while protecting user privacy. However, recent studies have shown their vulnerability to poisoning attacks, where malicious clients inject crafted gradients to promote target items to benign users. Existing attacks typically target the full user group, which compromises stealth and increases detection risk. In contrast, real-world adversaries may prefer to target specific user subgroups, such as promoting health supplements to older individuals, to maximize effectiveness while preserving stealth. Motivated by this gap, we introduce Spattack, the first poisoning attack designed to manipulate recommendations for specific user subgroups in federated settings. Spattack adopts an approximate-and-promote paradigm, which approximates user embeddings of target and non-target subgroups and then promotes target items to the target subgroup. We further reveal a trade-off between strong attack performance on the target subgroup and limited impact on the non-target subgroup. To achieve a better trade-off, we propose enhanced approximation and promotion strategies. For approximation, we push embeddings of different subgroups apart via contrastive learning and augment the target subgroup’s relevant item set through clustering. For promotion, we align embeddings of target items and relevant items to strengthen their semantic connections, together with an adaptive weighting strategy to balance effects across subgroups. Experiments on three real-world datasets demonstrate that Spattack achieves strong attack performance on the target subgroup with minimal impact on non-target users, even when only 0.1% of users are malicious. Moreover, Spattack maintains competitive recommendation performance and shows strong resilience against mainstream defenses.


💡 Research Summary

The paper introduces Spattack, the first poisoning attack that specifically targets user sub‑groups in federated recommender systems (FedRec). While prior work focuses on full‑group attacks that try to promote a target item to all benign users, Spattack aims to maximize exposure of the target item for a chosen subgroup (e.g., older adults) while keeping its impact on the remaining users negligible, thereby improving stealth and effectiveness.

Spattack follows an “approximate‑and‑promote” pipeline. In the approximation phase, the attacker uses a set of “interested items” V_in that are highly relevant to the target subgroup. By treating V_in as positive interactions and the target items V_op as negative samples, the attacker optimizes user‑embedding vectors u_t (for the target group) and u_n (for the non‑target group) through two loss functions (Eq. 4 and Eq. 5). To further separate the two groups in the embedding space, a contrastive‑learning based repulsion term pushes u_t and u_n apart, and a clustering step expands V_in with semantically similar items V_rel, improving the discriminability of the approximated groups.

In the promotion phase, the attacker freezes the approximated user embeddings and updates the target‑item embeddings e_V together with the global model parameters Θ. For the target group, V_op is used as a positive sample (Eq. 7) to pull the item embeddings closer to u_t; for the non‑target group, V_op is treated as a negative sample (Eq. 8) to push them away from u_n. The two objectives are combined with an adaptive weighting coefficient α that is dynamically tuned each federated round based on the observed Exposure Ratio at rank K (ER@K) for both groups. This adaptive scheme balances the trade‑off between maximizing ER@K for the target subgroup and minimizing it for the non‑target subgroup.

Experiments on three real‑world datasets (ML‑100K, MovieLens‑1M, Steam) evaluate Spattack under malicious client ratios ranging from 0.1 % to 5 %. The key findings are: (1) Even with only 0.1 % malicious users, Spattack achieves ER@5 ≈ 0.85 for the target subgroup while keeping ER@5 ≈ 0.15 for the non‑target subgroup, outperforming full‑group baselines by 30‑40 % on the target metric. (2) The proposed γ‑Group Exposure Ratio (γ‑GER@K) consistently exceeds 0.9, indicating an excellent balance between promotion and stealth. (3) Overall recommendation quality (NDCG@10, Hit@10) drops by less than 2 %, demonstrating that the attack does not noticeably degrade service performance. (4) Spattack remains robust against mainstream federated defenses such as Krum, Median, and Trimmed Mean, largely because the contrastive repulsion and clustering steps generate gradients that resemble benign updates.

The authors also conduct an ablation study showing that (i) the quality of the clustering‑derived relevant item set V_rel, (ii) the margin in the contrastive loss, and (iii) the initialization of the adaptive α all significantly affect the attack’s success. They discuss potential defenses, suggesting that regularizing user embeddings, enforcing tighter inter‑group distance constraints, or detecting anomalous gradient patterns linked to subgroup‑specific item promotion could mitigate Spattack.
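An output-side check for the subgroup skew described above, added here as an illustration and not taken from the paper: it computes ER@K per subgroup from the top-K lists of an audit panel and flags items whose exposure jumped in one subgroup while staying low in the others. It assumes ER@K is the share of a group's users whose top-K list contains the item; the panel, the subgroup labels, the item names and both thresholds are constructed for the example.

```python
from collections import defaultdict

def er_at_k(rec_lists, groups, k):
    """ER@K per group and item: share of the group's users with the item in their top-K."""
    hits = defaultdict(lambda: defaultdict(int))
    sizes = defaultdict(int)
    for user, ranked in rec_lists.items():
        group = groups[user]
        sizes[group] += 1
        for item in set(ranked[:k]):
            hits[group][item] += 1
    return {g: {i: c / sizes[g] for i, c in items.items()} for g, items in hits.items()}

def skewed_items(before, after, groups, k, min_gap=0.5, min_jump=0.3):
    """Flag (item, group, ER in group, max ER elsewhere) for sudden one-sided exposure."""
    er_before, er_after = er_at_k(before, groups, k), er_at_k(after, groups, k)
    flagged = []
    for group, items in er_after.items():
        others = [g for g in er_after if g != group]
        for item, er in items.items():
            rest = max((er_after[g].get(item, 0.0) for g in others), default=0.0)
            jump = er - er_before.get(group, {}).get(item, 0.0)
            # Both conditions: large gap between subgroups AND a recent rise.
            if er - rest >= min_gap and jump >= min_jump:
                flagged.append((item, group, round(er, 2), round(rest, 2)))
    return sorted(flagged)

# Constructed audit panel: four users per subgroup, top-3 lists from two snapshots.
GROUPS = {"u1": "older", "u2": "older", "u3": "older", "u4": "older",
          "u5": "other", "u6": "other", "u7": "other", "u8": "other"}
BEFORE = {"u1": ["a", "b", "c"], "u2": ["a", "c", "d"],
          "u3": ["b", "a", "d"], "u4": ["c", "a", "b"],
          "u5": ["a", "b", "c"], "u6": ["b", "c", "a"],
          "u7": ["a", "d", "b"], "u8": ["d", "a", "c"]}
AFTER = {"u1": ["supp", "a", "b"], "u2": ["a", "supp", "c"],
         "u3": ["supp", "b", "a"], "u4": ["c", "a", "b"],
         "u5": ["a", "b", "c"], "u6": ["b", "c", "a"],
         "u7": ["a", "supp", "b"], "u8": ["d", "a", "c"]}

if __name__ == "__main__":
    for row in skewed_items(BEFORE, AFTER, GROUPS, k=3):
        print("suspicious exposure skew:", row)
```

Because FedRec keeps user embeddings on the client, the check works from recommendation lists rather than embeddings, so it needs a panel whose subgroup labels the operator already knows.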

In summary, Spattack demonstrates that an adversary can efficiently and stealthily manipulate federated recommender systems to favor a specific demographic or interest group without substantially harming overall recommendation performance, thereby exposing a realistic and previously unstudied threat vector in privacy‑preserving recommendation.

