Triple Adversarial Learning for Influence based Poisoning Attack in Recommender Systems

Wu, Chenwang; Lian, Defu; Ge, Yong; Zhu, Zhihao; Chen, Enhong

doi:10.1145/3447548.3467335

Cited by 40 publications

(19 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Inspired by the GAN's application [28] in the recommendation, some work [7,29] used GAN to generate real-like fake ratings to bypass the detection. To address traditional GAN's inability to evaluate attacking damage, Wu et al [5] drew inspiration from TripleGAN [30] and introduced an attack module that conducts triple adversarial learning to generate malicious users. Advancements in deep learning have led Huang et al [18] to propose a poison attack on DL-based RSs.…”

Section: Poisoning Attacks In Recommender Systemsmentioning

confidence: 99%

See 1 more Smart Citation

Securing Recommender System via Cooperative Training

Wang

Lian

et al. 2023

Preprint

Self Cite

View full text Add to dashboard Cite

Recommender systems are often susceptible to well-crafted fake profiles, leading to biased recommendations. Among existing defense methods, data-processing based methods inevitably exclude normal samples, while model-based methods struggle to enjoy both generalization and robustness. To this end, we suggest integrating data processing and the robust model to propose a general framework, Triple Cooperative Defense (TCD), which employs three cooperative models that mutually enhance data and thereby improve recommendation robustness. Furthermore, Considering that existing attacks struggle to balance bi-level optimization and efficiency, we revisit poisoning attacks in recommender systems and introduce an efficient attack strategy, Co-training Attack (Co-Attack), which cooperatively optimizes the attack optimization and model training, considering the bi-level setting while maintaining attack efficiency. Moreover, we reveal a potential reason for the insufficient threat of existing attacks is their default assumption of optimizing attacks in undefended scenarios. This overly optimistic setting limits the potential of attacks. Consequently, we put forth a Game-based Co-training Attack (GCoAttack), which frames the proposed CoAttack and TCD as a game-theoretic process, thoroughly exploring CoAttack’s attack potential in the cooperative training of attack and defense. Extensive experiments on three real datasets demonstrate TCD’s superiority in enhancing model robustness. Additionally, we verify that the two proposed attack strategies significantly out perform existing attacks, with game-based GCoAttack posing a greater poisoning threat than CoAttack.

show abstract

Section: Poisoning Attacks In Recommender Systemsmentioning

confidence: 99%

“…In comparison to heuristic attacks, optimization-based poisoning attacks constitute a more efficacious approach for adapting to a broader spectrum of recommendation patterns [5]. However, existing work ignores the bi-level setting of poisoning attacks, which limits the attack performance.…”

Section: Cooperative Training Attackmentioning

confidence: 99%

Securing Recommender System via Cooperative Training

Wang

Lian

et al. 2023

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [6,22], they propose GANs-based models to approximate the distribution of real users to generate fake user profiles based on estimated gradients. TripleAttack [35] further extends GANs to efficiently generate fake user profiles based on TripleGAN model. However, these white-box and grey-box attacking methods require full or partial knowledge about the target system and training dataset, which are difficult to be carried over to the real world due to security and privacy concerns.…”

Section: Related Workmentioning

confidence: 99%

Knowledge-enhanced Black-box Attacks for Recommendations

Chen¹,

Fan²,

Zhu³

et al. 2022

Proceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining

View full text Add to dashboard Cite

Recent studies have shown that deep neural networks-based recommender systems are vulnerable to adversarial attacks, where attackers can inject carefully crafted fake user profiles (i.e., a set of items that fake users have interacted with) into a target recommender system to achieve malicious purposes, such as promote or demote a set of target items. Due to the security and privacy concerns, it is more practical to perform adversarial attacks under the black-box setting, where the architecture/parameters and training data of target systems cannot be easily accessed by attackers. However, generating high-quality fake user profiles under black-box setting is rather challenging with limited resources to target systems. To address this challenge, in this work, we introduce a novel strategy by leveraging items' attribute information (i.e., items' knowledge graph), which can be publicly accessible and provide rich auxiliary knowledge to enhance the generation of fake user profiles. More specifically, we propose a knowledge graph-enhanced blackbox attacking framework (KGAttack) to effectively learn attacking policies through deep reinforcement learning techniques, in which knowledge graph is seamlessly integrated into hierarchical policy networks to generate fake user profiles for performing adversarial black-box attacks. Comprehensive experiments on various realworld datasets demonstrate the effectiveness of the proposed attacking framework under the black-box setting. CCS CONCEPTS• Information systems → Recommender systems; • Security and privacy → Web application security.

show abstract

“…Different from poisoning attack on general classification models, recommender system poisoning methods may aim to promote a set of target items due to financial incentives [7,37,46,58,59]. For example, Li et al [18] proposed to generate malicious samples that optimize the tradeoff between maximizing overall benign recommendation errors and promoting ratings of target items.…”

Section: Related Workmentioning

confidence: 99%

FedAttack: Effective and Covert Poisoning Attack on Federated Recommendation via Hard Sampling

Wu¹,

Wu²,

Qi³

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning (FL) is a feasible technique to learn personalized recommendation models from decentralized user data. Unfortunately, federated recommender systems are vulnerable to poisoning attacks by malicious clients. Existing recommender system poisoning methods mainly focus on promoting the recommendation chances of target items due to financial incentives. In fact, in real-world scenarios, the attacker may also attempt to degrade the overall performance of recommender systems. However, existing general FL poisoning methods for degrading model performance are either ineffective or not concealed in poisoning federated recommender systems. In this paper, we propose a simple yet effective and covert poisoning attack method on federated recommendation, named FedAttack. Its core idea is using globally hardest samples to subvert model training. More specifically, the malicious clients first infer user embeddings based on local user profiles. Next, they choose the candidate items that are most relevant to the user embeddings as hardest negative samples, and find the candidates farthest from the user embeddings as hardest positive samples. The model gradients inferred from these poisoned samples are then uploaded to the server for aggregation and model update. Since the behaviors of malicious clients are somewhat similar to users with diverse interests, they cannot be effectively distinguished from normal clients by the server. Extensive experiments on two benchmark datasets show that FedAttack can effectively degrade the performance of various federated recommender systems, meanwhile cannot be effectively detected nor defended by many existing methods.

show abstract

Triple Adversarial Learning for Influence based Poisoning Attack in Recommender Systems

Cited by 40 publications

References 25 publications

Securing Recommender System via Cooperative Training

Securing Recommender System via Cooperative Training

Knowledge-enhanced Black-box Attacks for Recommendations

FedAttack: Effective and Covert Poisoning Attack on Federated Recommendation via Hard Sampling

Contact Info

Product

Resources

About