Attacks on Recommender System

Yun Mai
July 6, 2017

Questions:

Read the following article and consider how to handle attacks on recommendation systems. The article: Wisdom of the crowd? IMDb users gang up on Christian Bale's new movie before it even opens. (https://www.washingtonpost.com/news/morning-mix/wp/2017/04/19/wisdom-of-the-crowd-imdb-users-gang-up-on-the-promise-before-it-even-opens/?utm_term=.ee51f7620658) Can you think of a similar example where a collective effort to alter the working of content recommendations has been successful? How would you design a system to prevent this kind of abuse?

Introduction

Recommendation systems have been very helpful to both users and retail companies. For users, recommendation systems are beneficial because they help people cope with information overload. For companies, recommendation systems increase sales, cross-sales, and perhaps customer retention. But because recommender systems operate in an open manner, they can become unstable: users with ulterior motives can easily insert fake data into a system to manipulate the recommendation results.

The article is an example of angry people using the minimum rating to sink a movie. Another example is a company that generated fake recommendations to consumers in 2001, using bogus data to promote newly released films. For e-commerce companies like eBay, where users' reputations are generated by the recommender system, unethical manipulation of ratings has been a problem. Some sellers even purchase good ratings from other members to increase their reputation.

Attack types and strategies

Commonly, there are two types of attack: product push and product nuke, which aim to promote or demote the predictions for targeted items, respectively. The inserted data comprises fake users, selected items, and related ratings. As mentioned in the reference, items can be selected using three strategies: the population attack strategy, the probe attack strategy, and the rating strategy. The first strategy is to choose popular items, as this is a cheap and easy way to obtain high similarities. The second strategy is to use recommendations as a means of filtering items. There are high similarities between genuine and attack profiles because the attacker mimics the real distribution of ratings. The third strategy is to manipulate the ratings, for example by assigning minimum ratings to disliked items, ratings to liked items, and maximum ratings to the targeted item in a push attack.

Protecting the recommendation systems

It has been shown that not only collaborative recommender systems but also content-based algorithms, which were thought to be relatively robust, are vulnerable to the reduced-knowledge attack. However, using model-based or hybrid algorithms that combine collaborative recommendation with other types of recommendation algorithm can effectively make the system more resistant to attack. Model-based and hybrid algorithms have accuracy comparable to that of collaborative approaches. More importantly, they can increase the cost of profile insertion.

Monitoring recommender systems and detecting attacks is also very important for preventing system subversion and keeping the systems healthy. Statistical methods can be used to detect attacks, including detecting groups of users who push or nuke items, monitoring the development of ratings for an item, and using machine-learning methods to discriminate real from fake profiles. Other ideas for protecting recommender systems from attack are obfuscating ratings by applying random data perturbation so that an attacker cannot approximate the real data, distributing knowledge across many places, using distributed collaborative filtering with estimated concordance measures rather than a standard similarity measure, and building a community that excludes outside users.
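As an added illustration of monitoring the development of ratings for an item and surfacing the group of accounts behind a push or nuke (this is not code from the article or its references), the Python example below compares each new block of ratings for an item against that item's earlier ratings. The 1-10 rating scale, the function names, the thresholds, and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

R_MIN, R_MAX = 1, 10  # assumed rating scale (1-10)

def detect_rating_shifts(ratings, min_history=20, window=10, z_threshold=4.0):
    """ratings: iterable of (timestamp, user, item, rating) tuples.
    Compares each block of `window` new ratings for an item against that
    item's earlier ratings and reports blocks whose mean moved too far."""
    by_item = defaultdict(list)
    for ts, user, item, rating in sorted(ratings):
        by_item[item].append((ts, user, rating))
    alerts = []
    for item, rows in by_item.items():
        history = [r for _, _, r in rows[:min_history]]  # assumed-clean baseline
        for start in range(min_history, len(rows) - window + 1, window):
            recent = rows[start:start + window]
            values = [r for _, _, r in recent]
            sigma = max(pstdev(history), 0.5)  # floor avoids division by zero
            z = (mean(values) - mean(history)) / (sigma / sqrt(window))
            if abs(z) < z_threshold:
                history.extend(values)  # only unflagged blocks update the baseline
                continue
            kind, extreme = ("nuke", R_MIN) if z < 0 else ("push", R_MAX)
            alerts.append({
                "item": item, "kind": kind, "first_ts": recent[0][0],
                "z": round(z, 1),
                # accounts that gave the extreme rating inside the flagged block
                "suspects": sorted(u for _, u, r in recent if r == extreme),
            })
    return alerts

def sample_ratings():
    """Constructed data: film_a gets ten minimum ratings in a burst; film_b is quiet."""
    pattern = [7, 8, 6, 7, 9, 7, 6, 8, 7, 8]
    rows = []
    for i in range(40):
        rows.append((i * 100, f"user_{i}", "film_b", pattern[i % 10]))
        if 20 <= i < 30:
            rows.append((2000 + i, f"sock_{i}", "film_a", R_MIN))
        else:
            rows.append((i * 100, f"user_{i}", "film_a", pattern[i % 10]))
    return rows

if __name__ == "__main__":
    for alert in detect_rating_shifts(sample_ratings()):
        print(alert)
```

Flagged blocks are kept out of the baseline, so a sustained attack cannot gradually drag the reference mean toward itself and stop triggering alerts.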

Reference:

  1. Shyong (Tony) K. Lam and John Riedl. 2004. Shilling Recommender Systems for Fun and Profit. GroupLens Research, Computer Science and Engineering.

  2. Michael P. O'Mahony, Neil J. Hurley, and Guénolé C.M. Silvestre. 2005. Recommender Systems: Attack Types and Strategies. American Association for Artificial Intelligence.