Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Tang, Jiaxi; Wen, Hongyi; Wang, Ke

doi:10.1145/3383313.3412243

Cited by 51 publications

(54 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Rev.Adv. [53] perturbation: This method is the state-of-the-art data poisoning attack that inserts a fake user with interactions crafted via a bi-level optimization problem. To adapt it for our deletion and replacement perturbation settings, we first find the most similar user in the training data to the fake user, and perform deletion or item replacement of the earliest or random interaction of that user, respectively.…”

Section: Baseline Methodsmentioning

confidence: 99%

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Oh¹,

Kumar²

2022

Preprint

View full text Add to dashboard Cite

While deep learning-based sequential recommender systems are widely used in practice, their sensitivity to untargeted training data perturbations is unknown. Untargeted perturbations aim to modify ranked recommendation lists for all users at test time, by inserting imperceptible input perturbations during training time. Existing perturbation methods are mostly targeted attacks optimized to change ranks of target items, but not suitable for untargeted scenarios. In this paper, we develop a novel framework in which user-item training interactions are perturbed in unintentional and adversarial settings. First, through comprehensive experiments on four datasets, we show that four popular recommender models are unstable against even one random perturbation. Second, we establish a cascading effect in which minor manipulations of early training interactions can cause extensive changes to the model and the generated recommendations for all users. Leveraging this effect, we propose an adversarial perturbation method CASPER which identifies and perturbs an interaction that induces the maximal cascading effect. Experimentally, we demonstrate that CASPER reduces the stability of recommendation models the most, compared to several baselines and state-of-the-art methods. Finally, we show the runtime and success of CASPER scale near-linearly with the dataset size and the number of perturbations, respectively.

show abstract

Section: Baseline Methodsmentioning

confidence: 99%

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Oh¹,

Kumar²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…We follow [17,37] to set allowed sequence lengths of ML-1M, Steam and Beauty as {200, 50, 50} respectively, which are also applied as our generated sequence lengths. We follow [39] Table 3. Configurations.…”

Section: Implementation Detailsmentioning

confidence: 99%

“…Then, the black-box recommender is retrained once and tested on each of the target items, we present the average results in Figure 6. We follow [39] to generate profiles equivalent to 1% of the number of users from the original dataset and adopt the same baseline methods in profile pollution.…”

Section: Rq3: Can We Perform Profile Pollution Attacks Using the Extracted Model?mentioning

confidence: 99%

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Yue

Zeng

et al. 2021

Fifteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

We investigate whether model extraction can be used to 'steal' the weights of sequential recommender systems, and the potential threats posed to victims of such attacks. This type of risk has attracted attention in image and text classification, but to our knowledge not in recommender systems. We argue that sequential recommender systems are subject to unique vulnerabilities due to the specific autoregressive regimes used to train them. Unlike many existing recommender attackers, which assume the dataset used to train the victim model is exposed to attackers, we consider a data-free setting, where training data are not accessible. Under this setting, we propose an API-based model extraction method via limited-budget synthetic data generation and knowledge distillation. We investigate state-of-the-art models for sequential recommendation and show their vulnerability under model extraction and downstream attacks.We perform attacks in two stages. (1) Model extraction: given different types of synthetic data and their labels retrieved from a black-box recommender, we extract the black-box model to a white-box model via distillation. (2) Downstream attacks: we attack the black-box model with adversarial samples generated by the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both profile pollution and data poisoning settings.

show abstract

“…They also propose to generate fake user-item interactions based on influence function [15]. Tang et al [43] propose effective transfer-based poisoning attacks against recommender systems, but they mention that their approach is less effective on cold items. Our "item representation attack" is distinct from a "profile injection attack" or "poisoning attack", but both kinds of attacks have similar impacts, namely, pushing items that have been targeted for promotion.…”

Section: Related Work 21 Robustness Of Recommender Systemmentioning

confidence: 99%

“…Our work is part of the long tradition of research devoted to the security and robustness of recommender system algorithms [5,9,15,16,27,29,33,35,43]. Most work, however, focuses on vulnerabilities related to user profiles.…”

mentioning

confidence: 99%

Adversarial Item Promotion: Vulnerabilities at the Core of Top-N Recommenders that Use Images to Address Cold Start

Liu

Larson

2021

Proceedings of the Web Conference 2021

View full text Add to dashboard Cite

E-commerce platforms provide their customers with ranked lists of recommended items matching the customers' preferences. Merchants on e-commerce platforms would like their items to appear as high as possible in the top-N of these ranked lists. In this paper, we demonstrate how unscrupulous merchants can create item images that artificially promote their products, improving their rankings. Recommender systems that use images to address the cold start problem are vulnerable to this security risk. We describe a new type of attack, Adversarial Item Promotion (AIP), that strikes directly at the core of Top-N recommenders: the ranking mechanism itself. Existing work on adversarial images in recommender systems investigates the implications of conventional attacks, which target deep learning classifiers. In contrast, our AIP attacks are embedding attacks that seek to push features representations in a way that fools the ranker (not a classifier) and directly leads to item promotion. We introduce three AIP attacks insider attack, expert attack, and semantic attack, which are defined with respect to three successively more realistic attack models. Our experiments evaluate the danger of these attacks when mounted against three representative visually-aware recommender algorithms in a framework that uses images to address cold start. We also evaluate potential defenses, including adversarial training and find that common, currentlyexisting, techniques do not eliminate the danger of AIP attacks. In sum, we show that using images to address cold start opens recommender systems to potential threats with clear practical implications. CCS CONCEPTS• Information systems → Recommender systems; • Security and privacy → Web application security.

show abstract

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Cited by 51 publications

References 35 publications

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Adversarial Item Promotion: Vulnerabilities at the Core of Top-N Recommenders that Use Images to Address Cold Start

Contact Info

Product

Resources

About