PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems

Song, Junshuai; Li, Zhao; Hu, Zehong; Wu, Yichao; Li, Jian; Gao, Jun

doi:10.1109/icde48307.2020.00021

Cited by 61 publications

(38 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are several advanced recommendation technologies proposed in recent years, such as the deep-learning based models (Zhang et al, 2019;Tang et al, 2019). Accordingly, data poisoning attacks including PoisonRec and LOKI (Song et al, 2020) against deep-learning based recommendation techniques have also been developed. In this paper, we only focus on the attack detection problem in collaborative filtering recommendations, which remains the malicious threats on other advanced recommendation techniques unconsidered.…”

Section: Discussion and Limitationmentioning

confidence: 99%

Rating behavior evaluation and abnormality forensics analysis for injection attack detection

et al. 2021

View full text Add to dashboard Cite

Collaborative recommender systems (CRSs) have become an essential component in a wide range of e-commerce systems. However, CRSs are also easy to suffer from malicious attacks due to the fundamental vulnerability of recommender systems. Facing with the limited representative of rating behavior and the unbalanced distribution of rating profiles, how to further improve detection performance and deal with unlabeled real-world data is a longstanding but unresolved issue. This paper develops a new detection approach to defend anomalous threats for recommender systems. First, eliminating the influence of disturbed rating profiles on abnormality detection is analyzed in order to reduce the unbalanced distribution as far as possible. Based on the remaining rating profiles, secondly, rating behaviors which belong to the same dense region using standard distance measures are further partitioned by exploiting a probability mass-based dissimilarity mechanism. To reduce the scope of determining suspicious items while keeping the advantage of target item analysis (TIA), thirdly, suspected items captured by TIA are empirically converted into an associated item-item graph according to frequent patterns of rating distributions. Finally, concerned attackers can be detected based on the determined suspicious items. Extensive experiments on synthetic data demonstrate the effectiveness of the proposed detection approach compared with benchmarks. In addition, discovering interesting findings such as suspected items or ratings on four different real-world datasets is also analyzed and discussed.

show abstract

Section: Discussion and Limitationmentioning

confidence: 99%

Rating behavior evaluation and abnormality forensics analysis for injection attack detection

et al. 2021

View full text Add to dashboard Cite

show abstract

“…In this case, we follow co-visitation approach [36,42] and apply adversarial example techniques [8] Note that though the alternating pattern of co-visitation seems detectable, we can control the proportion of target items (apply noise or add 'user-like' generated data) to avoid this rigid pattern and make it less noticeable. Gradient information from the white-box model also empowers more tailored sequential-recommendation poisoning methods.…”

Section: Datamentioning

confidence: 99%

“…We avoid repeating targets in injection items to rule out trivial solutions like sequence of solely target items. Based on this setting, we introduce the following baseline methods: (1) RandAlter: alternating interactions with random items and target item(s) [36]; Items w/ Different Popularities. Table 7 shows our profile pollution attacks to items with different popularities.…”

Section: Rq3: Can We Perform Profile Pollution Attacks Using the Extracted Model?mentioning

confidence: 99%

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Yue

Zeng

et al. 2021

Fifteenth ACM Conference on Recommender Systems

View full text Add to dashboard Cite

We investigate whether model extraction can be used to 'steal' the weights of sequential recommender systems, and the potential threats posed to victims of such attacks. This type of risk has attracted attention in image and text classification, but to our knowledge not in recommender systems. We argue that sequential recommender systems are subject to unique vulnerabilities due to the specific autoregressive regimes used to train them. Unlike many existing recommender attackers, which assume the dataset used to train the victim model is exposed to attackers, we consider a data-free setting, where training data are not accessible. Under this setting, we propose an API-based model extraction method via limited-budget synthetic data generation and knowledge distillation. We investigate state-of-the-art models for sequential recommendation and show their vulnerability under model extraction and downstream attacks.We perform attacks in two stages. (1) Model extraction: given different types of synthetic data and their labels retrieved from a black-box recommender, we extract the black-box model to a white-box model via distillation. (2) Downstream attacks: we attack the black-box model with adversarial samples generated by the white-box recommender. Experiments show the effectiveness of our data-free model extraction and downstream attacks on sequential recommenders in both profile pollution and data poisoning settings.

show abstract

“…Song et al [150] proposed an adaptive data poisoning framework named PoisonRec, it leverages reinforcement learning to inject false user data into the recommendation system, which can automatically learn effective attack strategies for various recommendation systems with very limited knowledge.…”

Section: Adversarial Attacksmentioning

confidence: 99%

“…In terms of text adversarial generation, many studies [133,138,139,141] try to get the keywords in the sentence by frequently querying the target model, however, the action of the frequent query is easy to be detected and defended when the attack is performed on the real system. In terms of adversarial example generation in the recommendation system, the attacker poisons the recommendation system by modifying the edge and attribute information of some nodes in the social network graph [146,147,150,151], however, in the real social network, the node that the attacker chooses to modify may be a node that is not controlled by the attacker. Therefore, in the subsequent research on adversarial example generation algorithms in the field of social networks, more consideration should be given to the limitations in real scenarios.…”

Section: Constraints For Attacks On Real Systemsmentioning

confidence: 99%

Adversarial Machine Learning on Social Network: A Survey

Guo

2021

Front. Phys.

View full text Add to dashboard Cite

In recent years, machine learning technology has made great improvements in social networks applications such as social network recommendation systems, sentiment analysis, and text generation. However, it cannot be ignored that machine learning algorithms are vulnerable to adversarial examples, that is, adding perturbations that are imperceptible to the human eye to the original data can cause machine learning algorithms to make wrong outputs with high probability. This also restricts the widespread use of machine learning algorithms in real life. In this paper, we focus on adversarial machine learning algorithms on social networks in recent years from three aspects: sentiment analysis, recommendation system, and spam detection, We review some typical applications of machine learning algorithms and adversarial example generation and defense algorithms for machine learning algorithms in the above three aspects in recent years. besides, we also analyze the current research progress and prospects for the directions of future research.

show abstract

PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems

Cited by 61 publications

References 23 publications

Rating behavior evaluation and abnormality forensics analysis for injection attack detection

Rating behavior evaluation and abnormality forensics analysis for injection attack detection

Black-Box Attacks on Sequential Recommenders via Data-Free Model Extraction

Adversarial Machine Learning on Social Network: A Survey

Contact Info

Product

Resources

About