Quick and accurate attack detection in recommender systems through user attributes

Aktukmak, Mehmet; Yılmaz, Yasin; Uysal, Ismail

doi:10.1145/3298689.3347050

Cited by 20 publications

(17 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Variational Bayesian Principal Component Analysis (VBPCA) is a fully bayesian treatment of the linear latent variable model defined above, specifically proposed for missing value estimation [15]. Bayesian treatment is especially beneficial for application domains containing high fraction of missing values such as Recommender systems [30], [31]. Unlike PPCA models [29], VBPCA algorithm treats all the model parameters as random variables in addition to the factors.…”

Section: ) Bayesian Methodsmentioning

confidence: 99%

Self-Supervised Feature Specific Neural Matrix Completion

2020

Self Cite

View full text Add to dashboard Cite

Unsupervised matrix completion algorithms mostly model the data generation process by using linear latent variable models. Recently proposed algorithms introduce non-linearity via multi-layer perceptrons (MLP), and self-supervision by setting separate linear regression frameworks for each feature to estimate the missing values. In this paper, we introduce an MLP based algorithm called feature-specific neural matrix completion (FSNMC), which combines self-supervised and non-linear methods. The model parameters are estimated by a rotational scheme which separates the parameter and missing value updates sequentially with additional heuristic steps to prevent over-fitting and speed up convergence. The proposed algorithm specifically targets small to medium sized datasets. Experimental results on real-world and synthetic datasets varying in size with a range of missing value percentages demonstrate the superior accuracy for FSNMC, especially at low sparsities when compared to popular methods in the literature. The proposed method has particular potential in estimating missing data collected via real experimentation in fundamental life sciences.

show abstract

Section: ) Bayesian Methodsmentioning

confidence: 99%

Self-Supervised Feature Specific Neural Matrix Completion

2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, a lot of defense approaches against injecting fake users also have been proposed, including attack detection (Kumar, Garg, and Rana 2015;Aktukmak, Yilmaz, and Uysal 2019) and adversarial training (Wu et al 2021a,b). By applying these defense methods can mitigate the issues from fake users.…”

Section: Data Poisoning On Recommendation Systemmentioning

confidence: 99%

“…For news recommendation systems, we can inject fake users to achieve the goal of poisoning. However, some recent studies propose defense methods, such as detect fake users (Kumar, Garg, and Rana 2015;Aktukmak, Yilmaz, and Uysal 2019) and adversarial train (Wu et al 2021a,b), which mitigate the damage of poisoning. Nevertheless, news recommendation is different from other scenarios, because the item for recommendation is news, which contains more information and provides more spaces to be perturbed.…”

Section: Introductionmentioning

confidence: 99%

Targeted Data Poisoning Attack on News Recommendation System by Content Perturbation

Zhang¹,

Wang²,

Zhao³

et al. 2022

Preprint

View full text Add to dashboard Cite

News Recommendation System(NRS) has become a fundamental technology to many online news services. Meanwhile, several studies show that recommendation systems(RS) are vulnerable to data poisoning attacks, and the attackers have the ability to mislead the system to perform as their desires. A widely studied attack approach, injecting fake users, can be applied on the NRS when the NRS is treated the same as the other systems whose items are fixed. However, in the NRS, as each item (i.e. news) is more informative, we propose a novel approach to poison the NRS, which is to perturb contents of some browsed news that results in the manipulation of the rank of the target news. Intuitively, an attack is useless if it is highly likely to be caught, i.e., exposed. To address this, we introduce a notion of the exposure risk and propose a novel problem of attacking a history news dataset by means of perturbations where the goal is to maximize the manipulation of the target news' rank while keeping the risk of exposure under a given budget. We design a reinforcement learning framework, called TDP-CP, which contains a twostage hierarchical model to reduce the searching space. Meanwhile, influence estimation is also applied to save the time on retraining the NRS for rewards. We test the performance of TDP-CP under three NRSs and on different target news. Our experiments show that TDP-CP can increase the rank of the target news successfully with a limited exposure budget.

show abstract

“…Few existing algorithms, such as CF-attack [36] and RL-attack [8], provide untargeted perturbations for recommender systems that reduce the model's prediction accuracy significantly. However, those methods do not work on deep sequential recommendation models, focus on attacking the model's prediction accuracy but not the ranked lists of all users, or are easily detectable as they make user or item perturbations [4,15]. Poisoning Attacks and Perturbations in Other Domains.…”

Section: Related Workmentioning

confidence: 99%

“…While existing work focuses on targeted attacks [8,12,16,18,19,39,49,59,68,69], and most work is on traditional non-deep recommendation systems [18,36,59,60] with detectable user or item perturbations [4,15], new methods are needed to study the impact of untargeted perturbations on deep sequential recommenders using minor interaction-level perturbations.…”

Section: Introductionmentioning

confidence: 99%

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Oh¹,

Kumar²

2022

Preprint

View full text Add to dashboard Cite

While deep learning-based sequential recommender systems are widely used in practice, their sensitivity to untargeted training data perturbations is unknown. Untargeted perturbations aim to modify ranked recommendation lists for all users at test time, by inserting imperceptible input perturbations during training time. Existing perturbation methods are mostly targeted attacks optimized to change ranks of target items, but not suitable for untargeted scenarios. In this paper, we develop a novel framework in which user-item training interactions are perturbed in unintentional and adversarial settings. First, through comprehensive experiments on four datasets, we show that four popular recommender models are unstable against even one random perturbation. Second, we establish a cascading effect in which minor manipulations of early training interactions can cause extensive changes to the model and the generated recommendations for all users. Leveraging this effect, we propose an adversarial perturbation method CASPER which identifies and perturbs an interaction that induces the maximal cascading effect. Experimentally, we demonstrate that CASPER reduces the stability of recommendation models the most, compared to several baselines and state-of-the-art methods. Finally, we show the runtime and success of CASPER scale near-linearly with the dataset size and the number of perturbations, respectively.

show abstract

Quick and accurate attack detection in recommender systems through user attributes

Cited by 20 publications

References 19 publications

Self-Supervised Feature Specific Neural Matrix Completion

Self-Supervised Feature Specific Neural Matrix Completion

Targeted Data Poisoning Attack on News Recommendation System by Content Perturbation

Rank List Sensitivity of Recommender Systems to Interaction Perturbations

Contact Info

Product

Resources

About