Spattack: Subgroup Poisoning Attacks on Federated Recommender Systems
July 07, 2025 Β· Declared Dead Β· π WWW 2026
"No code URL or promise found in abstract"
Evidence collected by the PWNC Scanner
Authors
Bo Yan, Yurong Hao, Dingqi Liu, Huabin Sun, Pengpeng Qiao, Wei Yang Bryan Lim, Yang Cao, Chuan Shi
arXiv ID
2507.06258
Category
cs.CR: Cryptography & Security
Cross-listed
cs.AI,
cs.DC,
cs.IR
Citations
0
Venue
WWW 2026
Last Checked
4 months ago
Abstract
Federated recommender systems (FedRec) have emerged as a promising approach to provide personalized recommendations while protecting user privacy. However, recent studies have shown their vulnerability to poisoning attacks, where malicious clients inject crafted gradients to promote target items to benign users. Existing attacks typically target the full user group, which compromises stealth and increases detection risk. In contrast, real-world adversaries may prefer to target specific user subgroups, such as promoting health supplements to older individuals, to maximize effectiveness while preserving stealth. Motivated by this gap, we introduce Spattack, the first poisoning attack designed to manipulate recommendations for specific user subgroups in federated settings. Spattack adopts an approximate-and-promote paradigm, which approximates user embeddings of target and non-target subgroups and then promotes target items to the target subgroup. We further reveal a trade-off between strong attack performance on the target subgroup and limited impact on the non-target subgroup. To achieve a better trade-off, we propose enhanced approximation and promotion strategies. For approximation, we push embeddings of different subgroups apart via contrastive learning and augment the target subgroup's relevant item set through clustering. For promotion, we align embeddings of target items and relevant items to strengthen their semantic connections, together with an adaptive weighting strategy to balance effects across subgroups. Experiments on three real-world datasets demonstrate that Spattack achieves strong attack performance on the target subgroup with minimal impact on non-target users, even when only 0.1% of users are malicious. Moreover, Spattack maintains competitive recommendation performance and shows strong resilience against mainstream defenses.
Community Contributions
Found the code? Know the venue? Think something is wrong? Let us know!
π Similar Papers
In the same crypt β Cryptography & Security
R.I.P.
π»
Ghosted
R.I.P.
π»
Ghosted
The Limitations of Deep Learning in Adversarial Settings
R.I.P.
π»
Ghosted
Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks
R.I.P.
π»
Ghosted
Spectre Attacks: Exploiting Speculative Execution
R.I.P.
π»
Ghosted
How To Backdoor Federated Learning
R.I.P.
π»
Ghosted
Evasion Attacks against Machine Learning at Test Time
Died the same way β π» Ghosted
R.I.P.
π»
Ghosted
Federated Learning: Strategies for Improving Communication Efficiency
R.I.P.
π»
Ghosted
In-Datacenter Performance Analysis of a Tensor Processing Unit
R.I.P.
π»
Ghosted
Deep Convolutional Neural Networks for Computer-Aided Detection: CNN Architectures, Dataset Characteristics and Transfer Learning
R.I.P.
π»
Ghosted