Abstract:Recommendation systems (RS) have become indispensable tools for web services to address information overload, thus enhancing user experiences and bolstering platforms' revenues. However, with their increasing ubiquity, security concerns have also emerged. As the public accessibility of RS, they are susceptible to specific malicious attacks where adversaries can manipulate user profiles, leading to biased recommendations. Recent research often integrates additional modules using generative models to craft these deceptive user profiles, ensuring them are imperceptible while causing the intended harm. Albeit their efficacy, these models face challenges of unstable training and the exploration-exploitation dilemma, which can lead to suboptimal results. In this paper, we pioneer to investigate the potential of diffusion models (DMs), for shilling attacks. Specifically, we propose a novel Target-oriented Diffusion Attack model (ToDA). It incorporates a pre-trained autoencoder that transforms user profiles into a high dimensional space, paired with a Latent Diffusion Attacker (LDA)-the core component of ToDA. LDA introduces noise into the profiles within this latent space, adeptly steering the approximation towards targeted items through cross-attention mechanisms. The global horizon, implemented by a bipartite graph, is involved in LDA and derived from the encoded user profile feature. This makes LDA possible to extend the generation outwards the on-processing user feature itself, and bridges the gap between diffused user features and target item features. Extensive experiments compared to several SOTA baselines demonstrate ToDA's effectiveness. Specific studies exploit the elaborative design of ToDA and underscore the potency of advanced generative models in such contexts.

What problem does this paper attempt to address?

### The Problem the Paper Aims to Solve The paper aims to address the issue of malicious attacks in Recommendation Systems (RS), particularly the so-called "Shilling Attack." Recommendation systems predict potential items that may attract users by capturing their historical interaction data, effectively addressing the problem of information overload, enhancing user experience, and increasing platform revenue. However, due to the public accessibility of recommendation systems, they are susceptible to specific malicious attacks where attackers can manipulate user profiles to influence recommendation results, leading to biased recommendations. Although existing research has used generative models and additional modules to create deceptive user profiles, ensuring these profiles cause the intended harm without being detected, these models still face learning difficulties and lack flexibility, resulting in suboptimal performance. Therefore, the paper proposes a new Target-oriented Diffusion Attacker (ToDA) model, exploring for the first time the potential of Diffusion Models (DMs) in shilling attacks. Specifically, the ToDA model addresses the shortcomings of existing methods in the following ways: 1. **Utilizing the generative capabilities of diffusion models**: Diffusion models have demonstrated exceptional capabilities in fields such as image synthesis, recommendation systems, and adversarial attacks, providing finer control over the generative process. 2. **Overcoming the benign nature of diffusion models**: Diffusion models are inherently benign, designed to understand and replicate patterns without malicious intent. ToDA introduces a pre-trained autoencoder to transform user profiles into high-dimensional space and adds noise in the latent space, guiding the generative process towards target items. 3. **Extending local view to global view**: Diffusion models typically focus on the generation of individual samples (i.e., local view), while shilling attacks require a broader perspective to identify auxiliary items (i.e., global view). ToDA achieves this through a bipartite graph (user-item graph), enabling the generative process to go beyond the current user features being processed, generating more diverse and relevant target item features. Through extensive experiments, the paper demonstrates the significant advantages of ToDA in terms of efficiency and effectiveness, highlighting its potential in the fields of diffusion models and shilling attacks.

ToDA: Target-oriented Diffusion Attacker against Recommendation System

D-DAE: Defense-Penetrating Model Extraction Attacks.

Exploiting Structural and Temporal Influence for Dynamic Social-Aware Recommendation

Attacking Black-box Recommendations via Copying Cross-domain User Profiles

DV-FSR: A Dual-View Target Attack Framework for Federated Sequential Recommendation

Securing Recommender System via Cooperative Training

Diffusion Policy Attacker: Crafting Adversarial Attacks for Diffusion-based Policies

Directional Adversarial Training for Recommender Systems.

Model Stealing Attack against Recommender System

Adversarial Robustness of Deep Reinforcement Learning based Dynamic Recommender Systems

DM4Steal: Diffusion Model For Link Stealing Attack On Graph Neural Networks

DTA: distribution transform-based attack for query-limited scenario

PipAttack: Poisoning Federated Recommender Systems forManipulating Item Promotion

Perturbing Attention Gives You More Bang for the Buck: Subtle Imaging Perturbations That Efficiently Fool Customized Diffusion Models

Data Poisoning Attacks to Deep Learning Based Recommender Systems

Attacking Recommender Systems with Augmented User Profiles

GADT: Enhancing Transferable Adversarial Attacks through Gradient-guided Adversarial Data Transformation

Revisiting Adversarially Learned Injection Attacks Against Recommender Systems

Toward effective protection against diffusion based mimicry through score distillation

Adversarial Attacks and Detection on Reinforcement Learning-Based Interactive Recommender Systems

Diffusion Recommender Model