These attacks aim to manipulate a recommender system such that a target item is recommended to as many or as few users as possible. Specifically, poisoning attacks (also known as shilling attacks) inject fake users with carefully crafted rating scores into the system, such that a corrupted recommender system is learnt from the poisoned user-item rating score matrix.
Poisoning attacks were first studied more than a decade ago (O’Mahony et al., 2004). However, these early attacks are heuristic-driven and are not optimized for a particular type of recommender system. For instance, in random attacks (Lam and Riedl, 2004), given the number of fake users an attacker can inject into the system, the attacker randomly selects some items for each fake user and generates a rating score for each selected item from a normal distribution, whose mean and variance are computed from all rating scores in the user-item rating score matrix. In average attacks (Lam and Riedl, 2004), the attacker instead generates the rating score for a selected item from a normal distribution whose mean and variance are computed from the existing rating scores of that item.
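To make these two heuristics concrete, the following is a minimal NumPy sketch of both attacks. The function names, the 1-5 rating scale, the filler-item budget, and giving the target item the maximal score are our own illustrative assumptions, not details from Lam and Riedl (2004).

```python
import numpy as np

def random_attack(R, n_fake, n_filler, target_item, target_score=5):
    """Random attack sketch: filler scores are drawn from the global
    rating distribution. R is a user-item matrix with np.nan for
    missing ratings; returns the fake users' rating rows."""
    observed = R[~np.isnan(R)]
    mu, sigma = observed.mean(), observed.std()
    return _make_fake_users(R, n_fake, n_filler, target_item, target_score,
                            lambda items: np.random.normal(mu, sigma, len(items)))

def average_attack(R, n_fake, n_filler, target_item, target_score=5):
    """Average attack sketch: filler scores are drawn per item, using each
    selected item's own mean and variance."""
    item_mu = np.nanmean(R, axis=0)   # assumes every item has >= 1 rating
    item_sigma = np.nanstd(R, axis=0)
    return _make_fake_users(R, n_fake, n_filler, target_item, target_score,
                            lambda items: np.random.normal(item_mu[items], item_sigma[items]))

def _make_fake_users(R, n_fake, n_filler, target_item, target_score, sample):
    n_items = R.shape[1]
    candidates = np.setdiff1d(np.arange(n_items), [target_item])
    fake = np.full((n_fake, n_items), np.nan)
    for u in range(n_fake):
        fake[u, target_item] = target_score                # promote the target item
        fillers = np.random.choice(candidates, n_filler, replace=False)
        fake[u, fillers] = np.clip(sample(fillers), 1, 5)  # keep scores in range
    return fake
```

The shared helper highlights that the two attacks differ only in where the filler-score distribution's mean and variance come from: the entire matrix versus each selected item's own ratings.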
More recent poisoning attacks (Li et al., 2016) generate fake rating scores or behavior that are optimized for a particular type of recommender system. For instance, Li et al. (2016) proposed poisoning attacks optimized for factorization-based collaborative filtering, while other attacks inject fake co-visitations between items instead of fake rating scores. We aim to study poisoning attacks optimized for graph-based recommender systems.
Profile pollution attacks: Profile pollution attacks aim to pollute a user's profile, e.g., the user's browsing or purchase history, in a web service. With a polluted user profile, the attacker can cause the system to recommend arbitrary items to the user. Prior work showed that popular web services including YouTube, Amazon, and Google search are vulnerable to such attacks.
Item inference attacks: Calandrino et al. (2011) proposed privacy attacks that infer the items a target user has rated before, e.g., products the target user purchased on Amazon, music the target user liked on Last.fm, and books the target user read on LibraryThing. The key intuition behind their attacks is that a collaborative filtering recommender system makes recommendations based on users’ past behavior, so the recommendations it produces leak information about that behavior. By tracking and analyzing the publicly available recommendations over time, an attacker can infer a target user’s past behavior, e.g., the items the user rated.
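To illustrate this intuition, the sketch below scores candidate items by how many public "related items" lists, belonging to items already known to be in the target user's history, they newly enter between two snapshots. This simple counting score and the function and parameter names are our own simplification of the idea, not the actual inference algorithm of Calandrino et al. (2011).

```python
from collections import Counter

def infer_new_items(related_before, related_after, known_items, threshold=3):
    """Sketch of recommendation-based item inference.

    related_before / related_after: dicts mapping an item to its public
    "related items" list, snapshotted at two points in time.
    known_items: items already known to be in the target user's history
    (auxiliary information the attacker has).
    Items that newly appear in the related lists of many known items are
    flagged as likely rated by the target user in the interval."""
    scores = Counter()
    for item in known_items:
        before = set(related_before.get(item, []))
        after = set(related_after.get(item, []))
        for new_neighbor in after - before:
            scores[new_neighbor] += 1
    return sorted(i for i, c in scores.items() if c >= threshold)
```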
Attribute inference attacks: A user’s rating behavior (e.g., rating scores given to items, page likes on Facebook) is statistically correlated with the user’s attributes (e.g., gender, political view, sexual orientation, interests, and location). Therefore, an attacker can infer a user’s private attributes from the user’s rating behavior via machine learning techniques that capture these statistical correlations. Such attacks are called attribute inference attacks. A notable real-world example is Cambridge Analytica, which leveraged Facebook users’ rating behavior (e.g., page likes) to infer users’ private attributes.
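As a minimal illustration of how such correlations can be exploited, the sketch below trains an off-the-shelf classifier on users who publicly disclose an attribute and applies it to users who keep it private. The synthetic data, its shapes, and the choice of logistic regression are illustrative assumptions, not a description of any specific real-world attack.

```python
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)

# Binary item-interaction vectors (e.g., page likes) for users whose
# attribute is public; the synthetic label depends on a few interactions
# so there is a correlation for the classifier to capture.
X_public = rng.integers(0, 2, size=(1000, 500))
y_public = (X_public[:, :10].sum(axis=1) > 5).astype(int)

# Users who keep the attribute private; the attacker only sees behavior.
X_private = rng.integers(0, 2, size=(100, 500))

model = LogisticRegression(max_iter=1000).fit(X_public, y_public)
inferred = model.predict(X_private)   # attacker's guesses for the private attribute
```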
Joseph A. Calandrino, Ann Kilzer, Arvind Narayanan, Edward W. Felten, and Vitaly Shmatikov. 2011. “You Might Also Like:” Privacy Risks of Collaborative Filtering. In IEEE Symposium on Security and Privacy.
Bo Li, Yining Wang, Aarti Singh, and Yevgeniy Vorobeychik. 2016. Data Poisoning Attacks on Factorization-Based Collaborative Filtering. In NIPS.
Michael P. O’Mahony, Neil J. Hurley, Nicholas Kushmerick, and Guénolé Silvestre. 2004. Collaborative Recommendation: A Robustness Analysis. ACM Transactions on Internet Technology 4, 4 (2004), 344–377.
Shyong K. Lam and John Riedl. 2004. Shilling Recommender Systems for Fun and Profit. In WWW.