DOI: 10.1145/3383313.3412243

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Published: 22 September 2020

Abstract

Recommender systems play an important role in modern information and e-commerce applications. While increasing research is dedicated to improving the relevance and diversity of recommendations, the potential risks of state-of-the-art recommendation models are under-explored: these models could be subject to attacks from malicious third parties who inject fake user interactions to achieve their purposes. This paper revisits the adversarially-learned injection attack problem, where the injected fake user ‘behaviors’ are learned locally by the attackers with their own model – one that is potentially different from the model under attack, but shares similar properties to allow attack transfer. We found that most existing works in the literature suffer from two major limitations: (1) they do not solve the optimization problem precisely, making the attack less harmful than it could be; (2) they assume perfect knowledge for the attack, leaving realistic attack capabilities poorly understood. We demonstrate that the exact solution for generating fake users as an optimization problem could lead to a much larger impact. Our experiments on a real-world dataset reveal important properties of the attack, including attack transferability and its limitations. These findings can inspire useful defensive methods against this possible existing attack.

Published In

RecSys '20: Proceedings of the 14th ACM Conference on Recommender Systems
September 2020
796 pages
ISBN: 9781450375832
DOI: 10.1145/3383313
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Adversarial Machine Learning
  2. Recommender System
  3. Security and Privacy

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RecSys '20: Fourteenth ACM Conference on Recommender Systems
September 22 - 26, 2020
Virtual Event, Brazil

Acceptance Rates

Overall Acceptance Rate 254 of 1,295 submissions, 20%
