Jiarong Xu,Junru Chen,Siqi You,Zhiqing Xiao,Yang,Jiangang Lu

DOI: https://doi.org/10.1016/j.aiopen.2021.05.002

2021-01-01

AI Open

Abstract:Machine learning (ML) technologies have achieved significant success in various downstream tasks, e.g., node classification, link prediction, community detection, graph classification and graph clustering. However, many studies have shown that the models built upon ML technologies are vulnerable to noises and adversarial attacks. A number of works have studied the robust models against noise or adversarial examples in image domains and text processing domains, however, it is more challenging to learn robust models in graph domains. Adding noises or perturbations on graph data will make the robustness even harder to enhance – the noises and perturbations of edges or node attributes are easy to propagate to other neighbors via the relational information on a graph. In this paper, we investigate and summarize the existing works that study the robust deep learning models against adversarial attacks or noises on graphs, namely the robust learning (models) on graphs. Specifically, we first provide some robustness evaluation metrics of model robustness on graphs. Then, we comprehensively provide a taxonomy which groups robust models on graphs into five categories: anomaly detection, adversarial training, pre-processing, attention mechanism, and certifiable robustness. Besides, we emphasize some promising future directions in learning robust models on graphs. Hopefully, our works can offer insights for the relevant researchers, thus providing assistance for their studies.

Jiarong Xu,Yang,Junru Chen,Xin Jiang,Chunping Wang,Jiangang Lu,Yizhou Sun

DOI: https://doi.org/10.1609/aaai.v36i4.20349

2020-01-01

Abstract:Unsupervised/self-supervised pre-training methods for graph representation learning have recently attracted increasing research interests, and they are shown to be able to generalize to various downstream applications. Yet, the adversarial robustness of such pre-trained graph learning models remains largely unexplored. More importantly, most existing defense techniques designed for end-to-end graph representation learning methods require pre-specified label definitions, and thus cannot be directly applied to the pre-training methods. In this paper, we propose an unsupervised defense technique to robustify pre-trained deep graph models, so that the perturbations on the input graph can be successfully identified and blocked before the model is applied to different downstream tasks. Specifically, we introduce a mutual information-based measure, graph representation vulnerability (GRV), to quantify the robustness of graph encoders on the representation space. We then formulate an optimization problem to learn the graph representation by carefully balancing the trade-off between the expressive power and the robustness (i.e., GRV) of the graph encoder. The discrete nature of graph topology and the joint space of graph data make the optimization problem intractable to solve. To handle the above difficulty and to reduce computational expense, we further relax the problem and thus provide an approximate solution. Additionally, we explore a provable connection between the robustness of the unsupervised graph encoder and that of models on downstream tasks. Extensive experiments demonstrate that even without access to labels and tasks, our model is still able to enhance robustness against adversarial attacks on three downstream tasks (node classification, link prediction, and community detection) by an average of +16.5% compared with existing methods.

Chen Chen,Zhang Jingfeng,Tung Anthony K. H.,Kankanhalli Mohan,Chen Gang

2020-01-01

Abstract: Federated recommendation systems can provide good performance without collecting users' private data, making them attractive. However, they are susceptible to low-cost poisoning attacks that can degrade their performance. In this paper, we develop a novel federated recommendation technique that is robust against the poisoning attack where Byzantine clients prevail. We argue that the key to Byzantine detection is monitoring of gradients of the model parameters of clients. We then propose a robust learning strategy where instead of using model parameters, the central server computes and utilizes the gradients to filter out Byzantine clients. Theoretically, we justify our robust learning strategy by our proposed definition of Byzantine resilience. Empirically, we confirm the efficacy of our robust learning strategy employing four datasets in a federated recommendation system.

Yuni Lai,Yulin Zhu,Wenqi Fan,Xiaoge Zhang,Kai Zhou

DOI: https://doi.org/10.48550/arXiv.2211.11534

2023-05-20

Abstract:The robustness of recommender systems under node injection attacks has garnered significant attention. Recently, GraphRfi, a GNN-based recommender system, was proposed and shown to effectively mitigate the impact of injected fake users. However, we demonstrate that GraphRfi remains vulnerable to attacks due to the supervised nature of its fraudster detection component, where obtaining clean labels is challenging in practice. In particular, we propose a powerful poisoning attack, MetaC, against both GNN-based and MF-based recommender systems. Furthermore, we analyze why GraphRfi fails under such an attack. Then, based on our insights obtained from vulnerability analysis, we design an adaptive fraudster detection module that explicitly considers label uncertainty. This module can serve as a plug-in for different recommender systems, resulting in a robust framework named PDR. Comprehensive experiments show that our defense approach outperforms other benchmark methods under attacks. Overall, our research presents an effective framework for integrating fraudster detection into recommendation systems to achieve adversarial robustness.

Information Retrieval,Artificial Intelligence,Cryptography and Security,Machine Learning

Xianfeng Tang,Yandong Li,Yiwei Sun,Huaxiu Yao,Prasenjit Mitra,Suhang Wang

DOI: https://doi.org/10.1145/3336191.3371851

2020-02-27

Abstract:Graph neural networks (GNNs) are widely used in many applications. However, their robustness against adversarial attacks is criticized. Prior studies show that using unnoticeable modifications on graph topology or nodal features can significantly reduce the performances of GNNs. It is very challenging to design robust graph neural networks against poisoning attack and several efforts have been taken. Existing work aims at reducing the negative impact from adversarial edges only with the poisoned graph, which is sub-optimal since they fail to discriminate adversarial edges from normal ones. On the other hand, clean graphs from similar domains as the target poisoned graph are usually available in the real world. By perturbing these clean graphs, we create supervised knowledge to train the ability to detect adversarial edges so that the robustness of GNNs is elevated. However, such potential for clean graphs is neglected by existing work. To this end, we investigate a novel problem of improving the robustness of GNNs against poisoning attacks by exploring clean graphs. Specifically, we propose PA-GNN, which relies on a penalized aggregation mechanism that directly restrict the negative impact of adversarial edges by assigning them lower attention coefficients. To optimize PA-GNN for a poisoned graph, we design a meta-optimization algorithm that trains PA-GNN to penalize perturbations using clean graphs and their adversarial counterparts, and transfers such ability to improve the robustness of PA-GNN on the poisoned graph. Experimental results on four real-world datasets demonstrate the robustness of PA-GNN against poisoning attacks on graphs. Code and data are available here: <a class="link-external link-https" href="https://github.com/tangxianfeng/PA-GNN" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security,Social and Information Networks

Zhiwei Zhang,Minhua Lin,Junjie Xu,Zongyu Wu,Enyan Dai,Suhang Wang

2024-06-14

Abstract:Graph Neural Networks (GNNs) have achieved promising results in tasks such as node classification and graph classification. However, recent studies reveal that GNNs are vulnerable to backdoor attacks, posing a significant threat to their real-world adoption. Despite initial efforts to defend against specific graph backdoor attacks, there is no work on defending against various types of backdoor attacks where generated triggers have different properties. Hence, we first empirically verify that prediction variance under edge dropping is a crucial indicator for identifying poisoned nodes. With this observation, we propose using random edge dropping to detect backdoors and theoretically show that it can efficiently distinguish poisoned nodes from clean ones. Furthermore, we introduce a novel robust training strategy to efficiently counteract the impact of the triggers. Extensive experiments on real-world datasets show that our framework can effectively identify poisoned nodes, significantly degrade the attack success rate, and maintain clean accuracy when defending against various types of graph backdoor attacks with different properties.

Machine Learning,Cryptography and Security

Xiaoyu You,Chi Li,Daizong Ding,Mi Zhang,Fuli Feng,Xudong Pan,Min Yang

DOI: https://doi.org/10.1145/3543507.3583289

2023-01-01

Abstract:Graph neural network (GNN) based recommendation models are observed to be more vulnerable against carefully-designed malicious records injected into the system, i.e., shilling attacks, which manipulate the recommendation to common users and therefore impair user trust. In this paper, we for the first time conduct a systematic study on the vulnerability of GNN based recommendation model against the shilling attack. With the aid of theoretical analysis, we attribute the root cause of the vulnerability to its neighborhood aggregation mechanism, which could make the negative impact of attacks propagate rapidly in the system. To restore the robustness of GNN based recommendation model, the key factor lies in detecting malicious records in the system and preventing the propagation of misinformation. To this end, we construct a user-user graph to capture the patterns of malicious behaviors and design a novel GNN based detector to identify fake users. Furthermore, we develop a data augmentation strategy and a joint learning paradigm to train the recommender model and the proposed detector. Extensive experiments on benchmark datasets validate the enhanced robustness of the proposed method in resisting various types of shilling attacks and identifying fake users, e.g., our proposed method fully mitigating the impact of popularity attacks on target items up to , and improving the accuracy of detecting fake users on the Gowalla dataset by .

Jacob Dineen,A S M Ahsan-Ul Haque,Matthew Bielskas

DOI: https://doi.org/10.1007/978-3-030-80387-2_14

2021-02-13

Abstract:Adversarial Machine Learning has emerged as a substantial subfield of Computer Science due to a lack of robustness in the models we train along with crowdsourcing practices that enable attackers to tamper with data. In the last two years, interest has surged in adversarial attacks on graphs yet the Graph Classification setting remains nearly untouched. Since a Graph Classification dataset consists of discrete graphs with class labels, related work has forgone direct gradient optimization in favor of an indirect Reinforcement Learning approach. We will study the novel problem of Data Poisoning (training time) attack on Neural Networks for Graph Classification using Reinforcement Learning Agents.

Machine Learning,Artificial Intelligence,Cryptography and Security

Toan Nguyen Thanh,Nguyen Duc Khang Quach,Thanh Tam Nguyen,Thanh Trung Huynh,Viet Hung Vu,Phi Le Nguyen,Jun Jo,Quoc Viet Hung Nguyen

DOI: https://doi.org/10.1145/3567420

IF: 4.657

2023-02-07

ACM Transactions on Information Systems

Abstract:With recent advancements in graph neural networks (GNN), GNN-based recommender systems (gRS) have achieved remarkable success in the past few years. Despite this success, existing research reveals that gRSs are still vulnerable to poison attacks , in which the attackers inject fake data to manipulate recommendation results as they desire. This might be due to the fact that existing poison attacks (and countermeasures) are either model-agnostic or specifically designed for traditional recommender algorithms (e.g., neighborhood-based, matrix-factorization-based, or deep-learning-based RSs) that are not gRS. As gRSs are widely adopted in the industry, the problem of how to design poison attacks for gRSs has become a need for robust user experience. Herein, we focus on the use of poison attacks to manipulate item promotion in gRSs. Compared to standard GNNs, attacking gRSs is more challenging due to the heterogeneity of network structure and the entanglement between users and items. To overcome such challenges, we propose GSPAttack —a generative surrogate-based poison attack framework for gRSs. GSPAttack tailors a learning process to surrogate a recommendation model as well as generate fake users and user-item interactions while preserving the data correlation between users and items for recommendation accuracy. Although maintaining high accuracy for other items rather than the target item seems counterintuitive, it is equally crucial to the success of a poison attack. Extensive evaluations on four real-world datasets revealed that GSPAttack outperforms all baselines with competent recommendation performance and is resistant to various countermeasures.

computer science, information systems

Minghong Fang,Guolei Yang,Neil Zhenqiang Gong,Jia Liu

DOI: https://doi.org/10.1145/3274694.3274706

2018-09-12

Abstract:Recommender system is an important component of many web services to help users locate items that match their interests. Several studies showed that recommender systems are vulnerable to poisoning attacks, in which an attacker injects fake data to a given system such that the system makes recommendations as the attacker desires. However, these poisoning attacks are either agnostic to recommendation algorithms or optimized to recommender systems that are not graph-based. Like association-rule-based and matrix-factorization-based recommender systems, graph-based recommender system is also deployed in practice, e.g., eBay, Huawei App Store. However, how to design optimized poisoning attacks for graph-based recommender systems is still an open problem. In this work, we perform a systematic study on poisoning attacks to graph-based recommender systems. Due to limited resources and to avoid detection, we assume the number of fake users that can be injected into the system is bounded. The key challenge is how to assign rating scores to the fake users such that the target item is recommended to as many normal users as possible. To address the challenge, we formulate the poisoning attacks as an optimization problem, solving which determines the rating scores for the fake users. We also propose techniques to solve the optimization problem. We evaluate our attacks and compare them with existing attacks under white-box (recommendation algorithm and its parameters are known), gray-box (recommendation algorithm is known but its parameters are unknown), and black-box (recommendation algorithm is unknown) settings using two real-world datasets. Our results show that our attack is effective and outperforms existing attacks for graph-based recommender systems. For instance, when 1% fake users are injected, our attack can make a target item recommended to 580 times more normal users in certain scenarios.

Information Retrieval,Cryptography and Security,Machine Learning

Chenhui Deng,Xiuyu Li,Zhuo Feng,Zhiru Zhang

DOI: https://doi.org/10.48550/arXiv.2201.12741

2023-01-08

Abstract:Graph neural networks (GNNs) have been increasingly deployed in various applications that involve learning on non-Euclidean data. However, recent studies show that GNNs are vulnerable to graph adversarial attacks. Although there are several defense methods to improve GNN robustness by eliminating adversarial components, they may also impair the underlying clean graph structure that contributes to GNN training. In addition, few of those defense models can scale to large graphs due to their high computational complexity and memory usage. In this paper, we propose GARNET, a scalable spectral method to boost the adversarial robustness of GNN models. GARNET first leverages weighted spectral embedding to construct a base graph, which is not only resistant to adversarial attacks but also contains critical (clean) graph structure for GNN training. Next, GARNET further refines the base graph by pruning additional uncritical edges based on probabilistic graphical model. GARNET has been evaluated on various datasets, including a large graph with millions of nodes. Our extensive experiment results show that GARNET achieves adversarial accuracy improvement and runtime speedup over state-of-the-art GNN (defense) models by up to 13.27% and 14.7x, respectively.

Machine Learning

Uday Shankar Shanthamallu,Jayaraman J. Thiagarajan,Andreas Spanias

DOI: https://doi.org/10.48550/arXiv.2009.14455

2020-09-30

Abstract:Graph Neural Networks (GNNs), a generalization of neural networks to graph-structured data, are often implemented using message passes between entities of a graph. While GNNs are effective for node classification, link prediction and graph classification, they are vulnerable to adversarial attacks, i.e., a small perturbation to the structure can lead to a non-trivial performance degradation. In this work, we propose Uncertainty Matching GNN (UM-GNN), that is aimed at improving the robustness of GNN models, particularly against poisoning attacks to the graph structure, by leveraging epistemic uncertainties from the message passing framework. More specifically, we propose to build a surrogate predictor that does not directly access the graph structure, but systematically extracts reliable knowledge from a standard GNN through a novel uncertainty-matching strategy. Interestingly, this uncoupling makes UM-GNN immune to evasion attacks by design, and achieves significantly improved robustness against poisoning attacks. Using empirical studies with standard benchmarks and a suite of global and target attacks, we demonstrate the effectiveness of UM-GNN, when compared to existing baselines including the state-of-the-art robust GCN.

Machine Learning,Cryptography and Security

Tao Wu,Canyixing Cui,Xingping Xian,Shaojie Qiao,Chao Wang,Lin Yuan,Shui Yu

2024-06-20

Abstract:Graph neural networks (GNNs) have achieved tremendous success, but recent studies have shown that GNNs are vulnerable to adversarial attacks, which significantly hinders their use in safety-critical scenarios. Therefore, the design of robust GNNs has attracted increasing attention. However, existing research has mainly been conducted via experimental trial and error, and thus far, there remains a lack of a comprehensive understanding of the vulnerability of GNNs. To address this limitation, we systematically investigate the adversarial robustness of GNNs by considering graph data patterns, model-specific factors, and the transferability of adversarial examples. Through extensive experiments, a set of principled guidelines is obtained for improving the adversarial robustness of GNNs, for example: (i) rather than highly regular graphs, the training graph data with diverse structural patterns is crucial for model robustness, which is consistent with the concept of adversarial training; (ii) the large model capacity of GNNs with sufficient training data has a positive effect on model robustness, and only a small percentage of neurons in GNNs are affected by adversarial attacks; (iii) adversarial transfer is not symmetric and the adversarial examples produced by the small-capacity model have stronger adversarial transferability. This work illuminates the vulnerabilities of GNNs and opens many promising avenues for designing robust GNNs.

Machine Learning,Social and Information Networks

Lukas Gosch,Mahalakshmi Sabanayagam,Debarghya Ghoshdastidar,Stephan Günnemann

2024-10-14

Abstract:Generalization of machine learning models can be severely compromised by data poisoning, where adversarial changes are applied to the training data. This vulnerability has led to interest in certifying (i.e., proving) that such changes up to a certain magnitude do not affect test predictions. We, for the first time, certify Graph Neural Networks (GNNs) against poisoning attacks, including backdoors, targeting the node features of a given graph. Our certificates are white-box and based upon $(i)$ the neural tangent kernel, which characterizes the training dynamics of sufficiently wide networks; and $(ii)$ a novel reformulation of the bilevel optimization problem describing poisoning as a mixed-integer linear program. Consequently, we leverage our framework to provide fundamental insights into the role of graph structure and its connectivity on the worst-case robustness behavior of convolution-based and PageRank-based GNNs. We note that our framework is more general and constitutes the first approach to derive white-box poisoning certificates for NNs, which can be of independent interest beyond graph-related tasks.

Machine Learning,Cryptography and Security

Jiahui Zhao,Nan Jiang,Kanglu Pei,Jie Wen,Hualin Zhan,Ziang Tu

DOI: https://doi.org/10.3390/math12121813

IF: 2.4

2024-06-12

Mathematics

Abstract:In online social networks, users can vote on different trust levels for each other to indicate how much they trust their friends. Researchers have improved their ability to predict social trust relationships through a variety of methods, one of which is the graph neural network (GNN) method, but they have also brought the vulnerability of the GNN method into the social trust network model. We propose a data-poisoning attack method for GNN-based social trust models based on the characteristics of social trust networks. We used a two-sample test for power-law distributions of discrete data to avoid changes in the dataset being detected and used an enhanced surrogate model to generate poisoned samples. We further tested the effectiveness of our approach on three real-world datasets and compared it with two other methods. The experimental results using three datasets show that our method can effectively avoid detection. We also used three metrics to illustrate the effectiveness of our attack, and the experimental results show that our attack stayed ahead of the other two methods in all three datasets. In terms of one of our metrics, our attack method decreased the accuracies of the attacked models by 12.6%, 22.8%, and 13.8%.

mathematics

Yiwei Sun,Suhang Wang,Xianfeng Tang,Tsung-Yu Hsieh,Vasant Honavar

DOI: https://doi.org/10.1145/3366423.3380149

2020-04-19

Abstract:Graph Neural Networks (GNN) offer the powerful approach to node classification in complex networks across many domains including social media, E-commerce, and FinTech. However, recent studies show that GNNs are vulnerable to attacks aimed at adversely impacting their node classification performance. Existing studies of adversarial attacks on GNN focus primarily on manipulating the connectivity between existing nodes, a task that requires greater effort on the part of the attacker in real-world applications. In contrast, it is much more expedient on the part of the attacker to inject adversarial nodes, e.g., fake profiles with forged links, into existing graphs so as to reduce the performance of the GNN in classifying existing nodes. Hence, we consider a novel form of node injection poisoning attacks on graph data. We model the key steps of a node injection attack, e.g., establishing links between the injected adversarial nodes and other nodes, choosing the label of an injected node, etc. by a Markov Decision Process. We propose a novel reinforcement learning method for Node Injection Poisoning Attacks (NIPA), to sequentially modify the labels and links of the injected nodes, without changing the connectivity between existing nodes. Specifically, we introduce a hierarchical Q-learning network to manipulate the labels of the adversarial nodes and their links with other nodes in the graph, and design an appropriate reward function to guide the reinforcement learning agent to reduce the node classification performance of GNN. The results of the experiments show that NIPA is consistently more effective than the baseline node injection attack methods for poisoning graph data on three benchmark datasets.

Bohao Wang,Jiawei Chen,Changdong Li,Sheng Zhou,Qihao Shi,Yang Gao,Yan Feng,Chun Chen,Can Wang

DOI: https://doi.org/10.1145/3589334.3645598

2024-01-01

Abstract:With the capacity to capture high-order collaborative signals, Graph NeuralNetworks (GNNs) have emerged as powerful methods in Recommender Systems (RS).However, their efficacy often hinges on the assumption that training andtesting data share the same distribution (a.k.a. IID assumption), and exhibitssignificant declines under distribution shifts. Distribution shifts commonlyarises in RS, often attributed to the dynamic nature of user preferences orubiquitous biases during data collection in RS. Despite its significance,researches on GNN-based recommendation against distribution shift are stillsparse. To bridge this gap, we propose Distributionally Robust GNN (DR-GNN)that incorporates Distributional Robust Optimization (DRO) into the GNN-basedrecommendation. DR-GNN addresses two core challenges: 1) To enable DRO to caterto graph data intertwined with GNN, we reinterpret GNN as a graph smoothingregularizer, thereby facilitating the nuanced application of DRO; 2) Given thetypically sparse nature of recommendation data, which might impede robustoptimization, we introduce slight perturbations in the training distribution toexpand its support. Notably, while DR-GNN involves complex optimization, it canbe implemented easily and efficiently. Our extensive experiments validate theeffectiveness of DR-GNN against three typical distribution shifts. The code isavailable at https://github.com/WANGBohaO-jpg/DR-GNN .

Zhili Qin,Han Wang,Zhongjing Yu,Qinli Yang,Junming Shao

DOI: https://doi.org/10.1016/j.ins.2024.120942

IF: 8.1

2024-06-23

Information Sciences

Abstract:The quality of graphs directly affects the result of graph embedding since most existing models are vulnerable and highly sensitive to harmful/missing edges and imperceptible attacks. In this study, we propose a new robust graph embedding approach from a different point of view: Attack-aid Graph Denoising (AGD). AGD mitigates the impact of harmful and missing edges by leveraging adversarial attacks. Initially, AGD generates some auxiliary attacks on the topology by investigating their harm to classification accuracy. Subsequently, we derive a denoised adjacency matrix by removing these similar harmful edges and supplementing missing edges with flipping operations. Finally, we further extract the knowledge of topology to eliminate the influence of remaining harmful edges on the final embedding with Kullback-Leibler divergence. Extensive experiments have demonstrated that AGD not only shows its superiority over many state-of-the-art algorithms on the classification tasks but is also robust to various attacks.

computer science, information systems

Zhichao Hou,Xitong Zhang,Wei Wang,Charu C. Aggarwal,Xiaorui Liu

2023-06-03

Abstract:The existing research on robust Graph Neural Networks (GNNs) fails to acknowledge the significance of directed graphs in providing rich information about networks' inherent structure. This work presents the first investigation into the robustness of GNNs in the context of directed graphs, aiming to harness the profound trust implications offered by directed graphs to bolster the robustness and resilience of GNNs. Our study reveals that existing directed GNNs are not adversarially robust. In pursuit of our goal, we introduce a new and realistic directed graph attack setting and propose an innovative, universal, and efficient message-passing framework as a plug-in layer to significantly enhance the robustness of GNNs. Combined with existing defense strategies, this framework achieves outstanding clean accuracy and state-of-the-art robust performance, offering superior defense against both transfer and adaptive attacks. The findings in this study reveal a novel and promising direction for this crucial research area. The code will be made publicly available upon the acceptance of this work.

Machine Learning,Artificial Intelligence,Cryptography and Security

Shijie Zhang,Hongzhi Yin,Tong Chen,Zi Huang,Lizhen Cui,Xiangliang Zhang

DOI: https://doi.org/10.48550/arXiv.2101.12549

2021-01-29

Abstract:In recent years, recommender systems play a pivotal role in helping users identify the most suitable items that satisfy personal preferences. As user-item interactions can be naturally modelled as graph-structured data, variants of graph convolutional networks (GCNs) have become a well-established building block in the latest recommenders. Due to the wide utilization of sensitive user profile data, existing recommendation paradigms are likely to expose users to the threat of privacy breach, and GCN-based recommenders are no exception. Apart from the leakage of raw user data, the fragility of current recommenders under inference attacks offers malicious attackers a backdoor to estimate users' private attributes via their behavioral footprints and the recommendation results. However, little attention has been paid to developing recommender systems that can defend such attribute inference attacks, and existing works achieve attack resistance by either sacrificing considerable recommendation accuracy or only covering specific attack models or protected information. In our paper, we propose GERAI, a novel differentially private graph convolutional network to address such limitations. Specifically, in GERAI, we bind the information perturbation mechanism in differential privacy with the recommendation capability of graph convolutional networks. Furthermore, based on local differential privacy and functional mechanism, we innovatively devise a dual-stage encryption paradigm to simultaneously enforce privacy guarantee on users' sensitive features and the model optimization process. Extensive experiments show the superiority of GERAI in terms of its resistance to attribute inference attacks and recommendation effectiveness.

Information Retrieval