Wei Zhou,Junhao Wen,Qiang Qu,Jun Zeng,Tian Cheng

DOI: https://doi.org/10.1371/journal.pone.0196533

IF: 3.7

2018-05-09

PLoS ONE

Abstract:Recommender systems are vulnerable to shilling attacks. Forged user-generated content data, such as user ratings and reviews, are used by attackers to manipulate recommendation rankings. Shilling attack detection in recommender systems is of great significance to maintain the fairness and sustainability of recommender systems. The current studies have problems in terms of the poor universality of algorithms, difficulty in selection of user profile attributes, and lack of an optimization mechanism. In this paper, a shilling behaviour detection structure based on abnormal group user findings and rating time series analysis is proposed. This paper adds to the current understanding in the field by studying the credibility evaluation model in-depth based on the rating prediction model to derive proximity-based predictions. A method for detecting suspicious ratings based on suspicious time windows and target item analysis is proposed. Suspicious rating time segments are determined by constructing a time series, and data streams of the rating items are examined and suspicious rating segments are checked. To analyse features of shilling attacks by a group user's credibility, an abnormal group user discovery method based on time series and time window is proposed. Standard testing datasets are used to verify the effect of the proposed method.

multidisciplinary sciences

Keke Chen,Patrick P. K. Chan,Fei Zhang,Qiaoqiao Li

DOI: https://doi.org/10.1007/s13042-018-0861-2

2019-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Although collaborative filtering achieves satisfying performance in recommender systems, many studies suggest that it is vulnerable by shilling attack aimed to manipulate the recommending frequency of a target item by injecting malicious user profiles. The existing attack methods usually generate malicious profiles by rating the item selected randomly. However, as these rating patterns are different from the real users, who have their own preferences on items, these attack methods can be easily detected by shilling attack detection, which significantly reduces the attack ability. Although some attack methods consider disguise ability, these methods require too much information from real users. This study proposes a shilling attack which generates malicious samples with strong attack ability and similarity to real users. To imitate the rating behavior of genuine users, our attack model considers both rated item correlation and item popularity when choosing items to rate. The profiles generated by our attack model is expected to be more similar to real user profiles, which increases the disguise ability. We also investigate whether and how rated item correlation of real user profiles is different from the ones generated by our method and the existing shilling attack. The experimental results confirm that our method achieves the highest attack ability after removing the suspected profiles identified by PCA-based and SVM-based shilling attack detection. The study confirms the correlation of rated item is a critical factor of the robustness of recommender systems.

Qingxian Wang,Meng Wan,Mingsheng Shang,Shimin Cai

DOI: https://doi.org/10.6138/jit.2017.18.5.20130715

2015-01-01

Abstract:Collaborative filtering is a technique widely used in online recommendation systems nowadays. However, it is vulnerable from manipulation by malicious users who often create some fake account (or shilling) profiles to influence the results of recommender systems. To identify the fake users, existing algorithms usually utilize certain characteristics of shilling profiles, of which the drawbacks are the low precision and the requirement of a large size of training set. In this paper, we develop a clustering based method to find the shilling attackers by incorporating the information of user ratings and the attribute of user profiles. The users are firstly self-organizedly clustered into several groups based on the integrated information of the rating features and the attributes of user profile, then the malicious user group is identified through the GRDMA (Group Rating Deviation from Mean Agreement) values of user group. Instead of identifying attacker one by one, the proposed algorithm finds the malicious users at the collective level, which provids a novel way to analyse and detect shilling attack. The experimental results performed on MovieLens dataset demonstrate that the proposed algorithm is effective and robust in three typical kinds of shilling attack models, especially when the attack size and the filler size are sufficiently high.

Keke Chen,Patrick P. K. Chan,Daniel S. Yeung

DOI: https://doi.org/10.1109/SMC.2018.00601

2018-01-01

Abstract:Collaborative filtering (CF) is vulnerable under shilling attack, which misleads recommendation of CF by injecting well-crafted profiles to a targeted system. Although a number of supervised learning based shilling attack detection methods are proposed, their features mainly measure rating values and items of a profile individually, but ignore the relation between items. This study aims to enhance the robustness of CF against shilling attack by considering the rated item correlation. Real users rate items based on their preferences, but rated items are randomly selected for malicious users profiles in most shilling attack. Therefore, the rated item correlation of real and malicious profiles is different. Three features are proposed to capture the information from different intervals of the distribution of rated item correlation in terms of Cosine Association (CA). A benchmark dataset, MovieLens 100K, is used to evaluate the proposed features. The discrimination ability of the proposed features is also illustrated. The experimental results suggest that the proposed features have significant contribution on shilling attack detection.

Reda A. Zayed,Lamiaa Fattouh Ibrahim,Hesham A. Hefny,Hesham A. Salman,Abdulaziz AlMohimeed,Lamiaa F. Ibrahim

DOI: https://doi.org/10.1109/access.2023.3289404

IF: 3.9

2023-01-01

IEEE Access

Abstract:The stability and reliability of filtration and recommender systems are crucial for continuous operation. The presence of fake profiles, known as “shilling attacks,” can undermine the reliability of these systems. Therefore, it is important to detect and classify these attacks. Numerous techniques for detecting shilling attacks have been proposed, including supervised, semi-supervised, unsupervised, Deep Learning, and hyper deep learning methods. These techniques utilize well-known shilling attack models to target collaborative recommender systems. While previous research has focused on evaluating shilling attack strategies from a global perspective, considering factors such as attack size and attacker’s knowledge, there is a lack of comparative studies on the various existing and commonly used attack detection methods. This paper aims to fill this gap by providing a comprehensive survey of shilling attack models, detection attributes, and detection algorithms. Furthermore, we explore the traits of injected profiles that are exploited by detection algorithms, which has not been thoroughly investigated in prior works. We also conduct experimental studies on popular attack detection methods. Our experimental results reveal that hybrid deep learning algorithms exhibit the highest performance in shilling detection, followed by supervised learning algorithms and semi-supervised learning algorithms. In contrast, the unsupervised technique performs poorly. The deep learning-based Shilling Attack Detection demonstrates accuracy and quality in accurately identifying a variety of mixed attacks. This study provides valuable insights into shilling attack models, detection attributes, and detection algorithms. Our findings highlight the superior performance of hybrid deep learning algorithms in shilling detection, as well as the limitations of unsupervised techniques. Deep learning-based Shilling Attack Detection showcases its effectiveness and accuracy in identifying various types of attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Gaofeng Cao,Huan Zhang,Yuyou Fan,Li Kuang

DOI: https://doi.org/10.18293/seke2018-134

2018-01-01

Abstract:Recommender system is widely used as an important tool in various fields for effectively dealing with information overload, and collaborative filtering algorithm plays a vital role in the system.However, such system is highly vulnerable to malicious attacks, especially shilling attack because of data openness and independence.Therefore, detecting shilling attack has become an important issue to ensure the security of recommender system.Most of existing methods for detecting shilling attack are based on rating classification features and their limitation is that they are easily to be interfered by obfuscation techniques.Moreover, traditional detection algorithms can not handle multiple types of shilling attack flexibly.In order to solve these problems, in this paper, we propose an outlier degree shilling attack detection algorithm based on dynamic feature selection.By considering the differences of user choosing items and taking user popularity as a detection metric, as well as using information entropy to select detection metrics dynamically, a variety of shilling attack models can be dealt with flexibly.Experiments show that the algorithm has stronger detection performance and interference immunity in shilling attack detection.

Gaofeng Cao,Huan Zhang,Jianbo Zheng,Li Kuang,Yu Duan

DOI: https://doi.org/10.1142/s0218194019500360

IF: 1.007

2019-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Recommender system is widely used in various fields for dealing with information overload effectively, and collaborative filtering plays a vital role in the system. However, recommender system suffers from its vulnerabilities by malicious attacks significantly, especially, shilling attacks because of the open nature of recommender system and the dependence on data. Therefore, detecting shilling attack has become an important issue to ensure the security of recommender system. Most of the existing methods of detecting shilling attack are based on user ratings, and one limitation is that they are likely to be interfered by obfuscation techniques. Moreover, traditional detection algorithms cannot handle different types of shilling attacks flexibly. In order to solve the problems, we proposed an outlier degree shilling attack detection algorithm by using dynamic feature selection. Considering the differences when users choose items, we combined rating-based indicators with user popularity, and utilized the information entropy to select detection indicators dynamically. Therefore, a variety of shilling attack models can be dealt with flexibility in this way. The experiments show that the proposed algorithm can achieve better detection performance and interference immunity.

Cong Li,Zhigang Luo

DOI: https://doi.org/10.1109/socpar.2011.6089138

2011-01-01

Abstract:Collaborative filtering recommender systems are essentially information systems which are capable of combining the judgment of a large group of people to make personalized recommendations and thereby alleviate the so-called information overload problem. However,collaborative filtering recommender systems are generally vulnerable to shilling attacks. Attackers can inject carefully chosen profiles into recommender systems in order to bias the recommendation results to their benefits. This may lead to a significant negative impact on the robustness of the systems. The main contribution of this paper is to build a probabilistic model for attack detection in the framework of probabilistic generative model. Experimental results show that this model can effectively detect shilling attacks of typical types.

Aditya Chichani,Juzer Golwala,Tejas Gundecha,Kiran Gawande

DOI: https://doi.org/10.1109/ICCCNT.2018.8494141

2024-04-25

Abstract:Considering the premise that the number of products offered grow in an exponential fashion and the amount of data that a user can assimilate before making a decision is relatively small, recommender systems help in categorizing content according to user preferences. Collaborative filtering is a widely used method for computing recommendations due to its good performance. But, this method makes the system vulnerable to attacks which try to bias the recommendations. These attacks, known as 'shilling attacks' are performed to push an item or nuke an item in the system. This paper proposes an algorithm to detect such shilling profiles in the system accurately and also study the effects of such profiles on the recommendations.

Information Retrieval,Artificial Intelligence,Cryptography and Security,Machine Learning

Yaojun Hao,Fuzhi Zhang

DOI: https://doi.org/10.1049/iet-ifs.2017.0012

2018-07-01

IET Information Security

Abstract:To defend recommender systems, various methods have been proposed to detect shilling profiles, which can be categorised as user‐ and item‐based detection methods. Most of the user‐based methods identify shilling profiles via statistical signatures of rating values and suffer from low precision when detecting different types of attacks. Most of the item‐based methods use temporal information to detect the anomaly items, but they assume that the fake ratings were injected in short periods. So they are invalid for the long duration and decentralised injection attacks. To address these limitations, the authors extract the multidimensional profile temporal features and present a shilling detection method. First, from the user profile view, user rating behaviours are characterised by corrected conditional entropy and the dissimilarity with the rest‐rating model. Second, from the item profile view, the user features are extracted according to item temporal popularity. Third, the features based on weighted deviation from dynamic mean are extracted according to the fact that the items mean changes with time. Finally, support vector machine is exploited to detect shilling profiles based on the proposed features. Experimental results on the Netflix dataset indicate that the performance of the proposed method is better than that of the benchmark methods.

computer science, information systems, theory & methods

LI Cong,LUO Zhi-Gang,SHI Jin-Long

DOI: https://doi.org/10.3724/sp.j.1004.2011.00160

2011-01-01

ACTA AUTOMATICA SINICA

Abstract:Shilling attack is one of the significant security problems involved in recommender systems. Developing detection algorithms against shilling attacks has become the key to guaranteeing both the preciseness and robustness of recommender systems. Considering the low degree of unsupervised features the existing algorithms suffer from, this paper proposes an iterative Bayesian inference genetic detection algorithm (IBIGDA) through the introduction of the quantitative metric for the group effect of attack profiles and the corresponding object function for genetic optimization. This algorithm combines the posterior inference for the adaptive parameters with the process of attack detection, thus relaxes the dependence of the detection performance on the relating prior knowledge of the systems. Experimental results show that this algorithm can effectively detect shilling attacks of typical types.

Fei Zhang,Patrick P.K. Chan,Zhi-Min He,Daniel S. Yeung

DOI: https://doi.org/10.3233/ida-230575

IF: 1.7

2024-01-01

Intelligent Data Analysis

Abstract:A recommender system is susceptible to manipulation through the injection of carefully crafted profiles. Some recent profile identification methods only perform well in specific attack scenarios. A general attack detection method is usually complicated or requires label samples. Such methods are prone to overtraining easily, and the process of annotation incurs high expenses. This study proposes an unsupervised divide-and-conquer method aiming to identify attack profiles, utilizing a specifically designed model for each kind of shilling attack. Initially, our method categorizes the profile set into two attack types, namely Standard and Obfuscated Behavior Attacks. Subsequently, profiles are separated into clusters within the extracted feature space based on the identified attack type. The selection of attack profiles is then determined through target item analysis within the suspected cluster. Notably, our method offers the advantage of requiring no prior knowledge or annotation. Furthermore, the precision is heightened as the identification method is designed to a specific attack type, employing a less complicated model. The outstanding performance of our model, validated through experimental results on MovieLens-100K and Netflix under various attack settings, demonstrates superior accuracy and reduced running time compared to current detection methods in identifying Standard and Obfuscated Behavior Attacks.

Xufa Wang

2009-01-01

Computer Engineering and Applications Journal

Abstract:Collaborative filtering is a vital central technology in personalized recommendation,but it is so sensitive to user profiles,that shilling attackers can easily inject biased profiles in an attempt to force a system to adapt in a manner advantageous to them.Recent research shows that the model and the cost of shilling attacks have different impacts on attack performance.This paper analyzes the attack effectiveness of different attack models on a SVD-based collaborative filtering algorithm,and the performances of attack models with different fill sizes and attack sizes using three evaluation parameters.

Zhihai Yang,Zhongmin Cai,Yuan Yang

DOI: https://doi.org/10.1016/j.neucom.2017.02.052

IF: 6

2017-01-01

Neurocomputing

Abstract:Online rating systems play an important role in recommender systems. Collaborative filtering recommender systems are highly vulnerable to shilling attacks in reality. Although attack detection based on the attacks have been extensively researched over the last decade, the studies on this issue have not reached an end. Furthermore, only using the existing features is not easy to improve their detection performance. In this paper, we present an unsupervised detection method to defend such attacks, which consists of two stages. Based on the existing features of user and item, more effective features are selected using adaptive structure learning which takes advantage of adaptive local and global structure learning. In the first stage, suspected users are determined by exploiting a density-based clustering method based on the selected features. Then, the selected features of item are applied to find out suspicious items in order to further spot the concerned attackers based on the result of the first stage. Finally, the attackers can be detected. Extensive experiments on the MovieLens-100K dataset demonstrate the effectiveness of the proposed approach as compare to competing methods. It is noteworthy that discovering interesting findings including anomalous ratings and items on Amazon dataset also is investigated.

Honghao Gao,Xinheng Wang,Yuyu Yin,Muddesar Iqbal

DOI: https://doi.org/10.1007/978-3-030-12981-1

2019-01-01

Abstract:Nowadays, collaborative filtering methods have been widely applied to E-commerce platforms. However, due to its openness, a large number of spammers attack those systems to manipulate the recommendation results to earn huge profits. The shilling attack has become a major threat to collaborative filtering systems. Therefore, effectively detecting shilling attacks is a crucial task. Most existing detection methods based on statistical-based features or unsupervised methods rely on a priori knowledge about attack size. Besides, the majority of work focuses on rating attack and ignore the relation attack. In this paper, motivated by the success of heterogeneous information network and oriented towards the hybrid attack, we propose an approach DMD to detect shilling attack based on meta-path and matrix factorization. At first, we concatenate the user-item bipartite network and user-user relation network as a whole. Next, we design several meta-paths to guide the random walk to product node sequences and utilize the skip-gram model to generate user embeddings. Meanwhile, users’ latent factors are decomposed by matrix factorization. Finally, we incorporate these embeddings and factors to joint train the detector. Extensive experimental analysis on two public datasets demonstrate the superiority of the proposed method and show the effectiveness of different attack strategies and various attack sizes.

Keke Chen,Patrick R. K. Chan,Daniel S. Yeung

DOI: https://doi.org/10.1109/icmlc.2018.8526971

2018-01-01

Abstract:Collaborative filtering is one of the most effective methods to deal with the information overload problem by providing a suitable recommendation to users. Recent research indicates that collaborative filtering is vulnerable to shilling attack which aims at manipulating the recommendation result through injecting malicious profiles. Our previous study suggests that applying the rated item correlation to supervised learning increases the accuracy of shilling attack detection. However, label information collection is one drawback of the supervised learning. In this study, an unsupervised detection based on the rated item correlation analysis is devised. The influence of the parameters on the detection accuracy is also discussed. The experimental results demonstrate that our proposed unsupervised detection model achieve a satisfying performance in shilling detection in MovieLens 100K dataset.

高鹏,骆源

DOI: https://doi.org/10.3969/j.issn.1002-0802.2013.04.004

2013-01-01

Abstract:Collaborative filtering systems are vulnerable to manipulation by malicious social elements such as shilling attack. Malicious user votes and profiles could be injected into a collaborative recommender system, with either multiple identities or by involving more people, and this would significantly affect the robustness and accuracy of the system or algorithm, the shilling attack is analyzed in an in-depth way, and a novel robust collaborative filtering system, is proposed in combination with principal component analysis and variable selection, thus to protect recommender system from shilling attack. Finally the experiment indicates that this filtering system could achieve a fairly high detection accuracy.

Neil Hurley,Zunping Cheng,Mi Zhang

DOI: https://doi.org/10.1145/1639714.1639740

2009-01-01

Abstract:It has been shown in recent years that effective profile injection or shilling attacks can be mounted on standard recommendation algorithms. These attacks consist of the insertion of bogus user profiles into the system database in order to manipulate the recommendation output, for example to promote or demote the predicted ratings for a particular product. A number of attack models have been proposed and some detection strategies to identify these attacks have been empirically evaluated. In this paper we show that the standard attack models can be readily detected using statistical detection techniques. We argue that insufficient consideration of the effectiveness of attacks under a constraint of statistical invariance has been taken in past research. In fact, it is possible to create effective attacks that are undetectable using the detection strategies proposed to date, including the PCA-based clustering strategy which has shown excellent performance against standard attacks. Nevertheless, these more advanced attacks can also be detected with careful design of a statistical detector. The question posed for future research is whether attack models that produce effective attack profiles that are statistically identical to genuine profiles are really possible.

Hao Li,Min Gao,Fengtao Zhou,Yueyang Wang,Qilin Fan,Linda Yang

DOI: https://doi.org/10.1016/j.jisa.2021.103051

IF: 4.96

2021-12-01

Journal of Information Security and Applications

Abstract:Recommender systems can effectively improve user experience, but they are vulnerable to shilling attacks due to their open nature. Attackers inject fake user profiles to destroy the security and reliability of the recommender systems. Therefore, it is crucial to detect shilling attacks effectively. The primitive detection models are feasible but costly because of the dependence on plenty of hand-engineered explicit features based on statistical measures. Even though the upgraded models based on learning embeddings of the implicit features are more general, they fail to take some distinct features in distinguishing fake users into consideration. Moreover, these primitive and upgraded models are difficult to capture the high order relationships between users and items as the models usually learn the embedding from the first-order interactions. The representation and similarity information learned from the first-order interactions are not comprehensive enough, limiting the detection task. To this end, we propose a novel shilling attack detection model by fusing hypergraph spectral features (SpDetector). The proposed model combines the explicit and implicit features to balance the effectiveness and generality and deal with the high order relationships by hypergraphs-based embedding. From the implicit perspective, SpDetector constructs user hypergraphs and item hypergraphs for the high-order relationships hidden in the interaction and extracts spectral features from hypergraphs to capture high-order similarity for users and items, respectively. From the explicit perspective, it extracts two kinds of explicit features: item similarity offsets (ISO) based on item spectral features and rating prediction errors (RPE), for all users as their distinct capability of distinguishing fake users. Finally, the SpDetector learns to distinguish fake users by training a deep neural network with those features. Experiments conducted on MovieLens and Amazon datasets show that SpDetector outperforms state-of-the-art detection models.

computer science, information systems

Chen Lin,Si Chen,Hui Li,Yanghua Xiao,Lianyun Li,Qian Yang

DOI: https://doi.org/10.1145/3340531.3411884

2020-01-01

Abstract:Recommendation Systems (RS) have become an essential part of many online services. Due to its pivotal role in guiding customers towards purchasing, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper, we study the shilling attack: a subsistent and profitable attack where an adversarial party injects a number of user profiles to promote or demote a target item. Conventional shilling attack models are based on simple heuristics that can be easily detected, or directly adopt adversarial attack methods without a special design for RS. Moreover, the study on the attack impact on deep learning based RS is missing in the literature, making the effects of shilling attack against real RS doubtful. We present a novel Augmented Shilling Attack framework (AUSH) and implement it with the idea of Generative Adversarial Network. AUSH is capable of tailoring attacks against RS according to budget and complex attack goals, such as targeting a specific user group. We experimentally show that the attack impact of AUSH is noticeable on a wide range of RS including both classic and modern deep learning based RS, while it is virtually undetectable by the state-ofthe-art attack detection model.