    Please use this permanent URL to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/159409


    Title: 基於多中心聚合方法的聯邦推薦系統數據中毒防護研究
    Mitigating Data Poisoning in Federated Recommender Systems Using Multi-Center Aggregation Methods
    Author: 朱進益
    Zhu, Jin-Yi
    Contributors: 蔡子傑
    Tsai, Tzu-Chieh
    朱進益
    Zhu, Jin-Yi
    Keywords: Federated Learning
    Personalized Federated Learning
    Recommendation System
    Data Poisoning Attack
    Multi-center Aggregation
    Date: 2025
    Upload time: 2025-09-01 16:56:15 (UTC+8)
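    Abstract: Federated recommender systems offer personalized services while protecting user privacy, but they are exposed to data poisoning attacks. An attacker can inject carefully designed malicious data to pollute the global model and thereby manipulate recommendation results, harming the fairness and trustworthiness of the system. To address this problem, this study proposes a multi-center personalized federated learning framework that aims to weaken the impact of data poisoning attacks by design, without relying on active anomaly detection.
    The core idea of this study is to turn the traditional single global model into a layered architecture made up of multiple center models and personalization layers. It works as follows:
    Similarity-based center partitioning: The whole user population is divided into several independent centers (clusters) according to the similarity of users' historical behavior or attributes. This step groups users with similar interests and lays the foundation for the precise personalized modeling that follows.
    Multi-center collaboration and personalized training: Each center collaboratively trains its own "center model" on the data of its members. On top of that, the system learns a final personalized recommendation model for each user (or small group). This personalized model merges the parameters of the center model the user belongs to with the user's own data features.
    Attack isolation through personalization: The defensive capability of this architecture comes from its built-in isolation effect. Even when a data poisoning attack takes place inside one center, its malicious influence is mostly limited to that center's model and the few users strongly associated with it. Users in other centers have personalized models that depend mainly on the benign data of their own center, so they can effectively resist pollution coming from the malicious center, which achieves the goal of isolating the attack's impact through personalization.
    We ran experiments on the MovieLens 1M dataset, using the global average rank of the specific attacked items as the core evaluation metric. The results show that, compared with a traditional centralized federated recommender system, this method is highly robust under data poisoning attacks. Although the attack may succeed locally inside the center the malicious users belong to (that is, it lowers the target item's rank within that center), our multi-center personalized architecture effectively stops this malicious influence from spreading across centers. As a result, the average rank of the attacked items stays at a low, stable level globally, which means the attacker's goal of promoting specific items is defeated and directly demonstrates the framework's effectiveness in defending against data poisoning attacks.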
    Federated recommender systems provide personalized services while protecting user privacy but are vulnerable to data poisoning attacks. Attackers can inject carefully crafted malicious data to contaminate the global model, manipulate recommendation outcomes, and damage system fairness and credibility. To address this issue, this study proposes a multi-center personalized federated learning framework designed to naturally mitigate the effects of data poisoning attacks without relying on active anomaly detection.

    The core idea of this study is to transform the traditional single global model into a hierarchical architecture composed of multiple center models and personalized layers. The operational mechanism is as follows:

    Similarity-based Center Partitioning: Users are partitioned into several independent clusters based on similarity in historical behavior or attributes. This step aggregates users with similar interests, laying the foundation for precise personalization modeling.

    Multi-center Collaboration and Personalized Training: Each cluster collaboratively trains a dedicated "center model" using the data of its members. The system then learns a final personalized recommendation model for each user (or subgroup). This personalized model combines the parameters of the user's center model with the user's own data features.

    Attack Isolation via Personalization: The defensive capability of this architecture stems from its inherent isolation effect. Even if a data poisoning attack occurs within a particular center, its malicious impact remains largely confined to that center's model and closely related users. For users in other clusters, their personalized models rely predominantly on benign data from their respective centers, effectively resisting contamination from malicious clusters. This achieves the goal of isolating attack impacts through personalization.

    Experiments conducted on multiple benchmark datasets, using the global average ranking of targeted items under attack as a key evaluation metric, demonstrate the method’s robustness compared to traditional centralized federated recommendation systems. Although the attacks may locally succeed within malicious users' clusters (i.e., decreasing the targeted item’s ranking within that center), the proposed multi-center personalized framework effectively prevents such malicious effects from spreading across clusters. Consequently, on a global scale, the average ranking of attacked items remains stably low, successfully thwarting the attacker’s strategic goal of promoting specific items. This result directly confirms the framework’s effectiveness in defending against data poisoning attacks.
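
The isolation effect described in the abstract can be seen in a toy simulation. This is an added example, not code or data from the thesis: the score vectors, the user counts, the blend weight `ALPHA`, and the use of k-means for the partitioning step are all constructed assumptions.

```python
# Toy simulation (constructed data): single-model FedAvg vs. multi-center aggregation.
# Rank 1 = most recommended; a larger rank number means the item is promoted less.
A = [5.0, 4.0, 1.0, 0.8, 0.4, 0.2, 0.0]   # taste group A; last entry is the target item
B = [1.0, 0.8, 5.0, 4.0, 0.4, 0.2, 0.0]   # taste group B
FAKE = A[:-1] + [5.0]                      # poisoned profile: mimics A, inflates the target
TARGET, ALPHA = 6, 0.5                     # ALPHA = weight of the shared model (assumed)

def mean(vs):
    return [sum(col) / len(vs) for col in zip(*vs)]

def dist2(u, v):
    return sum((a - b) ** 2 for a, b in zip(u, v))

def kmeans(vs, k, iters=10):
    """Lloyd's algorithm with deterministic farthest-point initialisation."""
    cents = [vs[0]]
    while len(cents) < k:
        cents.append(max(vs, key=lambda v: min(dist2(v, c) for c in cents)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist2(v, cents[j])) for v in vs]
        cents = [mean([v for v, l in zip(vs, labels) if l == j] or [cents[j]])
                 for j in range(k)]
    return labels, cents

def target_rank(shared, local):
    """Rank of the target item in the personalised model ALPHA*shared + (1-ALPHA)*local."""
    scores = [ALPHA * s + (1 - ALPHA) * x for s, x in zip(shared, local)]
    return 1 + sum(s > scores[TARGET] for s in scores)

def simulate(n_fake):
    benign = [A] * 3 + [B] * 9
    clients = benign + [FAKE] * n_fake
    fedavg = mean(clients)                         # one global model for everyone
    labels, cents = kmeans(clients, k=2)           # one center model per cluster
    single = [target_rank(fedavg, u) for u in benign]
    multi = [target_rank(cents[l], u) for l, u in zip(labels, benign)]
    # Ranks seen by benign users who share a cluster with the fake users.
    poisoned = [r for r, l in zip(multi, labels) if l == labels[-1]] if n_fake else []
    return {"fedavg": sum(single) / len(single),
            "multi_center": sum(multi) / len(multi),
            "inside_poisoned_cluster": poisoned}

if __name__ == "__main__":
    print("no attack:   ", simulate(0))
    print("3 fake users:", simulate(3))
```

With three fake users the target item climbs furthest for the benign users who share their cluster, yet its average rank over all benign users stays closer to the no-attack value than under the single global model.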
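    Description: Master's
    National Chengchi University
    Department of Computer Science
    110753144
    Source: http://thesis.lib.nccu.edu.tw/record/#G0110753144
    Type: thesis
    Appears in collections: [Department of Computer Science] Theses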

    Files in this item:

    File          Size      Format       Views
    314401.pdf    1278Kb    Adobe PDF    0

