
DPADL

Data Poisoning Attacks to Deep Learning Based Recommender Systems

Data poisoning attacks inject fake users into a recommender system and thereby modify its recommendation lists. Specifically, to construct a poisoning attack, the attacker first registers a number of fake users in the web service associated with the recommender system. Each fake user generates well-crafted rating scores for a chosen subset of items. These fake ratings are included in the training dataset of the target recommender system and thus poison its training process.

In particular, in a data poisoning attack an attacker injects fake users with carefully crafted ratings into a recommender system such that the recommender system makes recommendations as the attacker desires, e.g., an attacker-chosen target item is recommended to many normal users. Data poisoning attacks pose severe threats to the trustworthiness of recommender systems and could be used to manipulate Internet opinions. For instance, if an attacker manipulates a news recommender system such that a particular type of news is always recommended to users, then the attacker may be able to manipulate the users' opinions. However, existing data poisoning attacks are either agnostic to the recommender system algorithm, or optimized for traditional recommender system algorithms such as association-rule-based, graph-based, and matrix-factorization-based ones. Although deep learning based recommender systems are gaining increasing attention and are deployed in industry, their security against data poisoning attacks is largely unknown.

According to whether a data poisoning attack is tailored to a specific type of recommender system, we can divide such attacks into two categories: algorithm-agnostic and algorithm-specific. The former (e.g., shilling attacks such as random attacks and bandwagon attacks) does not consider the algorithm used by the recommender system and therefore often has limited effectiveness. For instance, random attacks simply choose the items rated by fake users at random from the whole item set, and bandwagon attacks tend to select items with high popularity in the dataset for the fake users. Algorithm-specific data poisoning attacks are optimized for a specific type of recommender system and have been developed for graph-based, association-rule-based, matrix-factorization-based, and neighborhood-based recommender systems.
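The two passages above describe the attacker's goal (a target item recommended to many normal users) and the bandwagon pattern of algorithm-agnostic attacks. The following is an added evaluation harness, not code from the DPADL project: it measures a target item's hit ratio on a toy popularity-based recommender with and without a labelled set of constructed fake profiles, so a defender can quantify how much exposure a given number of injected profiles buys. The rating data, item names, the `T` target item and the bandwagon-style fake profiles are all constructed here; the `recommend` parameter of `hit_ratio` is an assumption that lets the same harness be pointed at any recommender function.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List

Ratings = Dict[str, Dict[str, int]]  # user -> {item: rating}

# Constructed toy data: six genuine users; "T" is the attacker-chosen target item
# and has no genuine ratings at all before the injection.
GENUINE: Ratings = {
    "u1": {"A": 5, "B": 4, "C": 3},
    "u2": {"A": 4, "B": 5, "D": 2},
    "u3": {"A": 3, "C": 4, "D": 5},
    "u4": {"B": 4, "C": 2, "D": 4},
    "u5": {"A": 5, "D": 3, "E": 4},
    "u6": {"B": 3, "C": 5, "E": 2},
}

# Constructed fake profiles following the bandwagon pattern the page describes:
# the target item at the maximum rating plus the most popular items as fillers.
FAKE: Ratings = {
    "f1": {"T": 5, "A": 5, "B": 5},
    "f2": {"T": 5, "A": 5, "B": 4},
    "f3": {"T": 5, "A": 4, "B": 5},
}


def item_counts(ratings: Ratings) -> Counter:
    """Number of ratings each item has received across all users."""
    counts: Counter = Counter()
    for profile in ratings.values():
        counts.update(profile.keys())
    return counts


def recommend_popular(ratings: Ratings, user: str, k: int) -> List[str]:
    """Popularity baseline: the k most-rated items the user has not rated.

    Ties are broken by item id so results are deterministic.
    """
    counts = item_counts(ratings)
    seen = set(ratings.get(user, {}))
    candidates = [item for item in counts if item not in seen]
    candidates.sort(key=lambda item: (-counts[item], item))
    return candidates[:k]


def hit_ratio(
    ratings: Ratings,
    genuine_users: Iterable[str],
    target: str,
    k: int,
    recommend: Callable[[Ratings, str, int], List[str]] = recommend_popular,
) -> float:
    """Fraction of genuine users whose top-k list contains the target item."""
    users = list(genuine_users)
    hits = sum(1 for u in users if target in recommend(ratings, u, k))
    return hits / len(users)


def hit_ratio_curve(genuine: Ratings, fake: Ratings, target: str, k: int) -> List[float]:
    """Hit ratio as fake profiles are added one at a time.

    Index 0 is the clean dataset; index n includes the first n fake profiles.
    Only genuine users are scored, since those are the ones the attacker targets.
    """
    curve = []
    fake_profiles = list(fake.items())
    for n in range(len(fake_profiles) + 1):
        poisoned: Ratings = dict(genuine)
        poisoned.update(fake_profiles[:n])
        curve.append(hit_ratio(poisoned, genuine.keys(), target, k))
    return curve


if __name__ == "__main__":
    for n, hr in enumerate(hit_ratio_curve(GENUINE, FAKE, "T", k=2)):
        print(f"{n} fake profile(s): hit ratio of target 'T' = {hr:.3f}")
```

On this toy data the target is never recommended with zero, one or two fake profiles, and reaches four of the six genuine users once the third profile pushes `T` past the least popular genuine item. Plotting this curve against the number of injected profiles for a production model is the basic robustness check behind the "enough fake users" condition in the attack description, and the same harness can be rerun after a filtering step to see how much of that exposure the defence removes.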

Figure: An overview of the data poisoning attack system.

We first use approximation methods to transform the optimization problem into a tractable one and obtain a loss function. Second, based on the obtained loss function, the algorithm used by the target recommender system, and the training dataset, we train a poison model that simulates the compromised target recommender system. Third, we select filler items according to the predicted rankings generated by the poison model and a selection probability. Note that the second and third steps are repeated until enough fake users have been generated to construct the attack, and the selection probability is updated in each iteration.

Figure: Algorithm of the attack method.