Improving the Shortest Plank: Vulnerability-Aware Adversarial Training for Robust Recommender System

Kaike Zhang, Qi Cao, Yunfan Wu, Fei Sun, Huawei Shen, Xueqi Cheng
DOI: https://doi.org/10.1145/3640457.3688120
2024-09-26
Abstract: Recommender systems play a pivotal role in mitigating information overload in various fields. Nonetheless, the inherent openness of these systems introduces vulnerabilities, allowing attackers to insert fake users into the system's training data to skew the exposure of certain items, known as poisoning attacks. Adversarial training has emerged as a notable defense mechanism against such poisoning attacks within recommender systems. Existing adversarial training methods apply perturbations of the same magnitude across all users to enhance system robustness against attacks. Yet, in reality, we find that attacks often affect only a subset of users who are vulnerable. These perturbations of indiscriminate magnitude make it difficult to balance effective protection for vulnerable users without degrading recommendation quality for those who are not affected. To address this issue, our research delves into understanding user vulnerability. Considering that poisoning attacks pollute the training data, we note that the higher degree to which a recommender system fits users' training data correlates with an increased likelihood of users incorporating attack information, indicating their vulnerability. Leveraging these insights, we introduce the Vulnerability-aware Adversarial Training (VAT), designed to defend against poisoning attacks in recommender systems. VAT employs a novel vulnerability-aware function to estimate users' vulnerability based on the degree to which the system fits them. Guided by this estimation, VAT applies perturbations of adaptive magnitude to each user, not only reducing the success ratio of attacks but also preserving, and potentially enhancing, the quality of recommendations. Comprehensive experiments confirm VAT's superior defensive capabilities across different recommendation models and against various types of attacks.
Information Retrieval
What problem does this paper attempt to address?
This paper attempts to address the issue of poisoning attacks in recommendation systems. Specifically, due to their openness, recommendation systems are susceptible to attackers manipulating the exposure of certain items by injecting fake user data, thereby affecting the recommendation results. Existing adversarial training methods typically apply the same intensity of perturbation to all users to enhance system robustness. However, this approach has two main problems: first, it overprotects unaffected users, potentially leading to a decline in recommendation quality; second, it underprotects vulnerable users, failing to effectively defend against attacks.

To solve these problems, this paper proposes a Vulnerability-Aware Adversarial Training (VAT) method. VAT assesses user vulnerability and applies adaptive intensity perturbations to different users. Specifically, VAT introduces a vulnerability-aware function that estimates user vulnerability based on the degree of fit of the recommendation system to the user and adjusts the perturbation intensity accordingly. In this way, VAT can not only reduce the success rate of attacks but also maintain or even improve recommendation quality.

### Main Contributions

1. **Empirical Analysis**: Through extensive empirical analysis, it was found that "users with a higher degree of fit in the recommendation system are more susceptible to attacks."
2. **New Method**: A new vulnerability-aware adversarial training method (VAT) is proposed, which applies adaptive intensity perturbations based on user vulnerability.
3. **Experimental Validation**: The effectiveness of VAT is validated through multiple recommendation models and different types of attack experiments, significantly improving the robustness of the recommendation system (reducing the attack success rate by an average of 21.53%) while avoiding a decline in recommendation performance (even improving the average recommendation performance of the backbone model by 12.36%).

### Method Overview

1. **Volatility of User Vulnerability**: Experiments show that user vulnerability fluctuates during the training process of the recommendation system and is not static.
2. **Relationship Between Fit Degree and Vulnerability**: It is observed that users with a higher degree of fit are more susceptible to attacks.
3. **Vulnerability-Aware Adversarial Training (VAT)**: A vulnerability-aware function is designed to adjust the perturbation intensity based on the user's degree of fit, thereby protecting vulnerable users while maintaining the recommendation quality for other users.

### Experimental Results

- **Defense Capability**: VAT performs excellently under various recommendation models and attack types, significantly reducing the success rate of attacks.
- **Recommendation Performance**: VAT not only improves the system's robustness but also maintains or even enhances recommendation performance.

In summary, by introducing the concept of user vulnerability, this paper proposes a new adversarial training method that effectively addresses the issue of poisoning attacks in recommendation systems, providing a new solution for the security of recommendation systems.
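The sketch below illustrates the idea of fit-dependent perturbation magnitude described in the Method Overview; it is an added example, not code from the paper or its authors. The BPR loss as the measure of fit, the sigmoid scaling in `adaptive_magnitudes`, all function names and the sample embeddings are assumptions, since the paper's actual vulnerability-aware function is not given on this page.

```python
import math

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def bpr_loss(u, pos, neg):
    """Per-user BPR loss; a LOWER loss means the model fits this user better."""
    return -math.log(sigmoid(dot(u, pos) - dot(u, neg)))

def adaptive_magnitudes(losses, rho):
    """Assumed scaling (hypothetical): a user fitted better than average
    (loss below the mean) gets more than rho, a poorly fitted user less.
    Uniform adversarial training would return rho for everyone."""
    mean = sum(losses) / len(losses)
    return [2.0 * rho * sigmoid(mean - loss) for loss in losses]

def adversarial_perturbation(u, pos, neg, rho_u):
    """Loss-increasing direction for the user embedding (gradient of the
    BPR loss w.r.t. u), rescaled to L2 norm rho_u."""
    coeff = -(1.0 - sigmoid(dot(u, pos) - dot(u, neg)))
    grad = [coeff * (p - n) for p, n in zip(pos, neg)]
    norm = math.sqrt(dot(grad, grad)) or 1.0
    return [rho_u * g / norm for g in grad]

def adaptive_perturbations(users, pos_items, neg_items, rho=0.1):
    """Return per-user losses, magnitudes and embedding perturbations."""
    triples = list(zip(users, pos_items, neg_items))
    losses = [bpr_loss(u, p, n) for u, p, n in triples]
    mags = adaptive_magnitudes(losses, rho)
    deltas = [adversarial_perturbation(u, p, n, m)
              for (u, p, n), m in zip(triples, mags)]
    return losses, mags, deltas

# Constructed sample: user 0 is fitted well, user 1 barely at all.
USERS = [[2.0, 0.0], [0.1, 0.0]]
POS = [[1.0, 0.0], [1.0, 0.0]]
NEG = [[0.0, 1.0], [0.0, 1.0]]

if __name__ == "__main__":
    losses, mags, deltas = adaptive_perturbations(USERS, POS, NEG)
    for i, (l, m) in enumerate(zip(losses, mags)):
        print(f"user {i}: loss={l:.4f} magnitude={m:.4f}")
```

During training, each user's perturbed embedding `u + delta` would feed an additional adversarial loss term, so the well-fitted user is regularized harder than the poorly fitted one.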