Attacking Recommender Systems with Augmented User Profiles

Lin, Chen; Chen, Si; Li, Hui; Li, Lianyun; Yang, Qian

doi:10.1145/3340531.3411884

Cited by 53 publications

(41 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Adversaries often regard the GCN model as their attack target, due to its outstanding performance on node classification. Traditionally, a GCN model with two layers is represented by: z = sof tmax( Âσ( ÂXW (1) )W (2) ),…”

Section: Nettackmentioning

confidence: 99%

“…Using different adversarial attack methods, adversaries can downgrade the performance of graph data mining algorithms by adding or removing some nodes or links. For example, adversaries can register fake accounts and add some fake records to mislead a recommendation system to recommend illegal products to ordinary users, leading to serious consequences [1], [2].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

Zhu,

Shan,

Wang

et al. 2021

Preprint

View full text Add to dashboard Cite

With the rapid development of artificial intelligence, a number of machine learning algorithms, such as graph neural networks have been proposed to facilitate network analysis or graph data mining. Although effective, recent studies show that these advanced methods may suffer from adversarial attacks, i.e., they may lose effectiveness when only a small fraction of links are unexpectedly changed. This paper investigates three well-known adversarial attack methods, i.e., Nettack, Meta Attack, and GradArgmax. It is found that different attack methods have their specific attack preferences on changing the target network structures. Such attack patterns are further verified by experimental results on some real-world networks, revealing that generally the top four most important network attributes on detecting adversarial samples suffice to explain the preference of an attack method. Based on these findings, the network attributes are utilized to design machine learning models for adversarial sample detection and attack method recognition with outstanding performance.

show abstract

Section: Nettackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

Zhu,

Shan,

Wang

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…the correctness of the learned recommender in the presence of malicious users, where the trained model can be induced to deliver altered results as the adversary desires, e.g., promoting a target product 1 such that it gets more exposures in the item lists recommended to users. This is termed poisoning attack [12,25], which is usually driven by financial incentives but incurs strong unfairness in a trained recommender. In light of both privacy and security issues, there has been a recent surge in decentralizing recommender systems, where federated learning [28,33,34] appears to be one of the most representative solutions.…”

Section: Introductionmentioning

confidence: 99%

“…Moreover, it also prevents a recommender from being poisoned. The rationale is, in recommendation, the predominant poisoning method for manipulating item promotion is data poisoning, where the adversary manipulates malicious users to generate fake yet plausible user-item interactions (e.g., ratings), making the trained recommender biased towards the target item [12,13,25,36]. However, these aforementioned data poisoning attacks operate under the assumption that the adversary has prior knowledge about the entire training dataset.…”

Section: Introductionmentioning

confidence: 99%

“…Apparently, such assumption is voided in federated recommendation as the user data is distributively held, thus restricting the adversary's access to the entire dataset. Though the adversary can still conduct data poisoning by increasing the amount of fake interactions and/or malicious user accounts, it inevitably makes the attack more identifiable from either the abnormal user behavioral footprints [23,38] or heavily impaired recommendation accuracy [25]. Thus, we aim to answer this challenging question: can we backdoor federated recommender systems via poisoning attacks?…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PipAttack: Poisoning Federated Recommender Systems forManipulating Item Promotion

Zhang¹,

Yin²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Due to the growing privacy concerns, decentralization emerges rapidly in personalized services, especially recommendation. Also, recent studies have shown that centralized models are vulnerable to poisoning attacks, compromising their integrity. In the context of recommender systems, a typical goal of such poisoning attacks is to promote the adversary's target items by interfering with the training dataset and/or process. Hence, a common practice is to subsume recommender systems under the decentralized federated learning paradigm, which enables all user devices to collaboratively learn a global recommender while retaining all the sensitive data locally. Without exposing the full knowledge of the recommender and entire dataset to end-users, such federated recommendation is widely regarded 'safe' towards poisoning attacks. In this paper, we present a systematic approach to backdooring federated recommender systems for targeted item promotion. The core tactic is to take advantage of the inherent popularity bias that commonly exists in data-driven recommenders. As popular items are more likely to appear in the recommendation list, our innovatively designed attack model enables the target item to have the characteristics of popular items in the embedding space. Then, by uploading carefully crafted gradients via a small number of malicious users during the model update, we can effectively increase the exposure rate of a target (unpopular) item in the resulted federated recommender. Evaluations on two real-world datasets show that 1) our attack model significantly boosts the exposure rate of the target item in a stealthy way, without harming the accuracy of the poisoned recommender; and 2) existing defenses are not effective enough, highlighting the need for new defenses against our local model poisoning attacks to federated recommender systems. CCS CONCEPTS• Information systems → Collaborative filtering.

show abstract

PATR: A Novel Poisoning Attack Based on Triangle Relations Against Deep Learning-Based Recommender Systems

Chao

Gao

Zhang

et al. 2021

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Attacking Recommender Systems with Augmented User Profiles

Cited by 53 publications

References 33 publications

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

DeepInsight: Interpretability Assisting Detection of Adversarial Samples on Graphs

PipAttack: Poisoning Federated Recommender Systems forManipulating Item Promotion

PATR: A Novel Poisoning Attack Based on Triangle Relations Against Deep Learning-Based Recommender Systems

Contact Info

Product

Resources

About