Adversarial attacks on an oblivious recommender

Christakopoulou, Konstantina; Banerjee, Arindam

doi:10.1145/3298689.3347031

Cited by 82 publications

(77 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first part (partial derivative ∂L adv /∂ X ) assumes X is independent to other variables, while the second part suggests θ * can be also a function containing X . Among all existing studies [11,13,14,26], we found the second part in Eq. 4has been completely ignored.…”

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 86%

“…As we can see from Algorithm 1, solving the inner objective for surrogate model training is simple and conventional, while the challenge comes from obtaining the adversarial gradient ∇ X L adv to update fake data. In the literature, existing works either tried to estimate this gradient [11], or tried to directly compute it [13,14,26]. But under the problem formulation in Eqs.…”

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 99%

“…Lacking vital experimental studies. Another major limitation in all previous experimental studies [11,13,14,26], is that the target model is set to be identical to the surrogate model, which is known as "white-box attack". One could think this is an extreme case where target model is visible to the adversary and this can serve as a upper bound of the attack capability.…”

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 99%

See 2 more Smart Citations

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Tang

Wen

Wang

2020

Fourteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

Recommender systems play an important role in modern information and e-commerce applications. While increasing research is dedicated to improving the relevance and diversity of the recommendations, the potential risks of state-of-the-art recommendation models are under-explored, that is, these models could be subject to attacks from malicious third parties, through injecting fake user interactions to achieve their purposes. This paper revisits the adversarially-learned injection attack problem, where the injected fake user 'behaviors' are learned locally by the attackers with their own model-one that is potentially different from the model under attack, but shares similar properties to allow attack transfer. We found that most existing works in literature suffer from two major limitations: (1) they do not solve the optimization problem precisely, making the attack less harmful than it could be, (2) they assume perfect knowledge for the attack, causing the lack of understanding for realistic attack capabilities. We demonstrate that the exact solution for generating fake users as an optimization problem could lead to a much larger impact. Our experiments on a real-world dataset reveal important properties of the attack, including attack transferability and its limitations. These findings can inspire useful defensive methods against this possible existing attack. CCS CONCEPTS • Information systems → Recommender systems; • Security and privacy → Web application security.

show abstract

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 86%

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 99%

Section: Limitations In Existing Studies and Our Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Tang

Wen

Wang

2020

Fourteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

show abstract

“…Inspired by the success of GAN, a few works turn to leverage GAN for shilling attack task [15,16]. However, directly adopting existing GAN methods for generating adversarial examples, without special designs (like AUSH) to tailor them for RS, will not provide satisfactory results in shilling attacks as shown in our experiments.…”

Section: Shilling Attacks Against Rsmentioning

confidence: 93%

“…Consequently, special designs are required to balance and achieve multiple attack goals simultaneously, while keeping the attack undetectable. Due to the aforementioned challenges, only a few recent works [15,16] consider directly adopting the idea of adversarial attacks for shilling attack, and they do not show satisfactory attack effects on a wide range of RS as illustrated later in our experiments. In addition to these methods, most existing shilling attack methods create injection profiles based on some global statistics, e.g., average rating value [4,9] and rating variance [14] for each item.…”

Section: Introductionmentioning

confidence: 96%

Attacking Recommender Systems with Augmented User Profiles

Lin

Chen

et al. 2020

Proceedings of the 29th ACM International Conference on Information &Amp; Knowledge Management

View full text Add to dashboard Cite

Recommendation Systems (RS) have become an essential part of many online services. Due to its pivotal role in guiding customers towards purchasing, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper, we study the shilling attack: a subsistent and profitable attack where an adversarial party injects a number of user profiles to promote or demote a target item. Conventional shilling attack models are based on simple heuristics that can be easily detected, or directly adopt adversarial attack methods without a special design for RS. Moreover, the study on the attack impact on deep learning based RS is missing in the literature, making the effects of shilling attack against real RS doubtful. We present a novel Augmented Shilling Attack framework (AUSH) and implement it with the idea of Generative Adversarial Network. AUSH is capable of tailoring attacks against RS according to budget and complex attack goals, such as targeting a specific user group. We experimentally show that the attack impact of AUSH is noticeable on a wide range of RS including both classic and modern deep learning based RS, while it is virtually undetectable by the state-ofthe-art attack detection model.

show abstract

Machine Learning Adversarial Attacks: A Survey Beyond

Magoo¹,

Garg²

2021

Machine Learning Techniques and Analytics for Cloud Security

View full text Add to dashboard Cite

Adversarial attacks on an oblivious recommender

Cited by 82 publications

References 20 publications

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Attacking Recommender Systems with Augmented User Profiles

Machine Learning Adversarial Attacks: A Survey Beyond

Contact Info

Product

Resources

About