Data poisoning attacks on neighborhood‐based recommender systems

Chen, Liang; Xu, Yangjun; Xie, Fei; Huang, Min; Zheng, Zibin

doi:10.1002/ett.3872

Cited by 26 publications

(11 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, random attacks just choose rated items at random from the whole item set for fake users, and bandwagon attacks tend to select certain items with high popularity in the dataset for fake users. The algorithm-specific data poisoning attacks are optimized to a specific type of recommender systems and have been developed for graph-based recommender systems [13], association-rule-based recommender systems [46], matrix-factorization-based recommender systems [12], [28], and neighborhood-based recommender systems [4]. As these attacks are optimized, they often are more effective.…”

Section: B Attacks To Recommender Systemsmentioning

confidence: 99%

Data Poisoning Attacks to Deep Learning Based Recommender Systems

Huang¹,

Gong

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Recommender systems play a crucial role in helping users to find their interested information in various web services such as Amazon, YouTube, and Google News. Various recommender systems, ranging from neighborhood-based, associationrule-based, matrix-factorization-based, to deep learning based, have been developed and deployed in industry. Among them, deep learning based recommender systems become increasingly popular due to their superior performance. In this work, we conduct the first systematic study on data poisoning attacks to deep learning based recommender systems. An attacker's goal is to manipulate a recommender system such that the attacker-chosen target items are recommended to many users. To achieve this goal, our attack injects fake users with carefully crafted ratings to a recommender system. Specifically, we formulate our attack as an optimization problem, such that the injected ratings would maximize the number of normal users to whom the target items are recommended. However, it is challenging to solve the optimization problem because it is a non-convex integer programming problem. To address the challenge, we develop multiple techniques to approximately solve the optimization problem. Our experimental results on three realworld datasets, including small and large datasets, show that our attack is effective and outperforms existing attacks. Moreover, we attempt to detect fake users via statistical analysis of the rating patterns of normal and fake users. Our results show that our attack is still effective and outperforms existing attacks even if such a detector is deployed.

show abstract

Section: B Attacks To Recommender Systemsmentioning

confidence: 99%

Data Poisoning Attacks to Deep Learning Based Recommender Systems

Huang¹,

Gong

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Adversaries often regard the GCN model as their attack target, due to its outstanding performance on node classification. Traditionally, a GCN model with two layers is represented by: z = sof tmax( Âσ( ÂXW (1) )W (2) ),…”

Section: Nettackmentioning

confidence: 99%

“…Using different adversarial attack methods, adversaries can downgrade the performance of graph data mining algorithms by adding or removing some nodes or links. For example, adversaries can register fake accounts and add some fake records to mislead a recommendation system to recommend illegal products to ordinary users, leading to serious consequences [1], [2].…”

Section: Introductionmentioning

confidence: 99%

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

Zhu,

Shan,

Wang

et al. 2021

Preprint

View full text Add to dashboard Cite

With the rapid development of artificial intelligence, a number of machine learning algorithms, such as graph neural networks have been proposed to facilitate network analysis or graph data mining. Although effective, recent studies show that these advanced methods may suffer from adversarial attacks, i.e., they may lose effectiveness when only a small fraction of links are unexpectedly changed. This paper investigates three well-known adversarial attack methods, i.e., Nettack, Meta Attack, and GradArgmax. It is found that different attack methods have their specific attack preferences on changing the target network structures. Such attack patterns are further verified by experimental results on some real-world networks, revealing that generally the top four most important network attributes on detecting adversarial samples suffice to explain the preference of an attack method. Based on these findings, the network attributes are utilized to design machine learning models for adversarial sample detection and attack method recognition with outstanding performance.

show abstract

“…The recommendation list is the suggestion provided by the recommender. Personalized recommendation refers to providing recommendations that meet the user's preferences based on understanding the user 1,2 …”

Section: Introductionmentioning

confidence: 99%

Re‐ranking with multiple objective optimization in recommender system

Liu

Wang

Bhuiyan

2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

The ranking algorithm in the recommender system aims at optimizing accuracy during training so that it pays too much attention to the relevance of the individual and ignores the mutual influence between the items in the list. In response to this problem, we propose dither, a re‐ranking model for the recommender system. We deploy the re‐ranking algorithm as an independent module after the ranking algorithm to achieve the function of decoupling from it. Our model formalizes the re‐ranking problem as a multi‐objective optimization problem. It re‐ranks the initial ranking list by balancing multiple indicators to generate an improved list and updates the list during frequent user interactions with the system. Through a case study on the MovieLens 100 K data set, the workflow, and effects of the dither model are demonstrated. In addition, the re‐ranking algorithm shows the performance advantages of our model over existing methods.

show abstract

Data poisoning attacks on neighborhood‐based recommender systems

Cited by 26 publications

References 34 publications

Data Poisoning Attacks to Deep Learning Based Recommender Systems

Data Poisoning Attacks to Deep Learning Based Recommender Systems

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

Re‐ranking with multiple objective optimization in recommender system

Contact Info

Product

Resources

About