Chen Lin,Si Chen,Meifang Zeng,Sheng Zhang,Min Gao,Hui Li

DOI: https://doi.org/10.1109/tnnls.2022.3183210

IF: 14.255

2022-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Due to the pivotal role of recommender systems (RS) in guiding customers toward the purchase, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this article, we study shilling attacks where an adversarial party injects a number of fake user profiles for improper purposes. Conventional Shilling Attack approaches lack attack transferability (i.e., attacks are not effective on some victim RS models) and/or attack invisibility (i.e., injected profiles can be easily detected). To overcome these issues, we present learning to generate fake user profiles (Leg-UP), a novel attack model based on the generative adversarial network. Leg-UP learns user behavior patterns from real users in the sampled "templates" and constructs fake user profiles. To simulate real users, the generator in Leg-UP directly outputs discrete ratings. To enhance attack transferability, the parameters of the generator are optimized by maximizing the attack performance on a surrogate RS model. To improve attack invisibility, Leg-UP adopts a discriminator to guide the generator to generate undetectable fake user profiles. Experiments on benchmarks have shown that Leg-UP exceeds state-of-the-art shilling attack methods on a wide range of victim RS models. The source code of our work is available at: https://github.com/XMUDM/ShillingAttack.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Chen Lin,Si Chen,Hui Li,Yanghua Xiao,Lianyun Li,Qian Yang

DOI: https://doi.org/10.1145/3340531.3411884

2020-01-01

Abstract:Recommendation Systems (RS) have become an essential part of many online services. Due to its pivotal role in guiding customers towards purchasing, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper, we study the shilling attack: a subsistent and profitable attack where an adversarial party injects a number of user profiles to promote or demote a target item. Conventional shilling attack models are based on simple heuristics that can be easily detected, or directly adopt adversarial attack methods without a special design for RS. Moreover, the study on the attack impact on deep learning based RS is missing in the literature, making the effects of shilling attack against real RS doubtful. We present a novel Augmented Shilling Attack framework (AUSH) and implement it with the idea of Generative Adversarial Network. AUSH is capable of tailoring attacks against RS according to budget and complex attack goals, such as targeting a specific user group. We experimentally show that the attack impact of AUSH is noticeable on a wide range of RS including both classic and modern deep learning based RS, while it is virtually undetectable by the state-ofthe-art attack detection model.

Shiyi Yang,Lina Yao,Chen Wang,Xiwei Xu,Liming Zhu

2024-02-14

Abstract:Recent studies have shown that recommender systems (RSs) are highly vulnerable to data poisoning attacks. Understanding attack tactics helps improve the robustness of RSs. We intend to develop efficient attack methods that use limited resources to generate high-quality fake user profiles to achieve 1) transferability among black-box RSs 2) and imperceptibility among detectors. In order to achieve these goals, we introduce textual reviews of products to enhance the generation quality of the profiles. Specifically, we propose a novel attack framework named R-Trojan, which formulates the attack objectives as an optimization problem and adopts a tailored transformer-based generative adversarial network (GAN) to solve it so that high-quality attack profiles can be produced. Comprehensive experiments on real-world datasets demonstrate that R-Trojan greatly outperforms state-of-the-art attack methods on various victim RSs under black-box settings and show its good imperceptibility.

Cryptography and Security,Artificial Intelligence

Zongwei Wang,Min Gao,Jundong Li,Junwei Zhang,Jiang Zhong

DOI: https://doi.org/10.1145/3512352

IF: 5

2022-03-22

ACM Transactions on Intelligent Systems and Technology

Abstract:Recommender systems are essential components of many information services, which aim to find relevant items that match user preferences. Several studies have shown shilling attacks can significantly weaken the robustness of recommender systems by injecting fake user profiles. Traditional shilling attacks focus on creating hand-engineered fake user profiles, but these profiles can be detected effortlessly by advanced detection methods. Adversarial learning, emerged in recent years, can be leveraged to generate powerful and intelligent attack models. To this end, in this paper, we explore potential risks of recommender systems and shed light on a gray-box shilling attack model based on generative adversarial networks, named GSA-GANs. Specifically, we aim to generate fake user profiles that can achieve two goals: unnoticeable and offensive. Towards these goals, there are several challenges that we need to address: (1) learn complex user behaviors from user-item rating data; (2) adversely influence the recommendation results without knowing the underlying recommendation algorithms. To tackle these challenges, two essential GAN modules are respectively designed to make generated fake profiles more similar to real ones and harmful to recommendation results. Experimental results on three public datasets demonstrate that the proposed GSA-GANs framework outperforms baseline models in attack effectiveness, transferability, and camouflage. In the end, we also provide several possible defensive strategies against GSA-GANs. The exploration and analysis in our work will contribute to the defense research of recommender systems.

computer science, information systems, artificial intelligence

Jianyu Wang,Rui Wen,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3383756

2020-01-01

Abstract:The online review system provides a platform for consumers to express their opinions and make decisions. However, the spam review has become a widespread problem recently. Existing detection systems are mostly designed for fraudsters who write fake reviews to promote their products or mislead consumers in E-commerce (e.g., Amazon, Yelp, Alibaba). In this paper, we focus on spams in the large-scale online app review platform. Through an in-depth analysis of 5 million reviews from the Tencent App store, we find almost half of the reviews are spams. Even worse, most of the reviews are deliberately designed by fraud reviewers for misleading classifiers. Specially, we conclude three popular patterns of generating adversarial spams by attackers. Considering the characteristics of spam reviews are adversarial, irregular, and distributed. Human labeling is costly. We build our detection system by utilizing a collective method to spot suspicious users and reviews. First, we trained our two models based on the Behavior-Based Module (BBM) and Content-Based Module (CBM) individually. Then, they are co-trained by getting the feedback from each other. Experiment results show that our method outperforms the state-of-the-art baselines in identifying adversarial examples. Besides, the scalability and effectiveness of our approach have also been demonstrated by deploying it on Tencent Beacon Anti-Fraud System.

Yongfeng Zhang,Yunzhi Tan,Min Zhang,Yiqun Liu,Tat-Seng Chua,Shaoping Ma

2015-01-01

Abstract:Many e-commerce systems allow users to express their opinions towards products through user reviews systems. The user generated reviews not only help other users to gain a more insightful view of the products, but also help online businesses to make targeted improvements on the products or services. Besides, they compose the key component of various personalized recommender systems. However, the existence of spam user accounts in the review systems introduce unfavourable disturbances into personalized recommendation by promoting or degrading targeted items intentionally through fraudulent reviews. Previous shilling attack detection algorithms usually deal with a specific kind of attacking strategy, and are exhausted to handle with the continuously emerging new cheating methods. In this work, we propose to conduct shilling attack detection for more informed recommendation by fraudulent action propagation on the reviews themselves, without caring about the specific underlying cheating strategy, which allows us a unified and flexible framework to detect the spam users.

Aditya Chichani,Juzer Golwala,Tejas Gundecha,Kiran Gawande

DOI: https://doi.org/10.1109/ICCCNT.2018.8494141

2024-04-25

Abstract:Considering the premise that the number of products offered grow in an exponential fashion and the amount of data that a user can assimilate before making a decision is relatively small, recommender systems help in categorizing content according to user preferences. Collaborative filtering is a widely used method for computing recommendations due to its good performance. But, this method makes the system vulnerable to attacks which try to bias the recommendations. These attacks, known as 'shilling attacks' are performed to push an item or nuke an item in the system. This paper proposes an algorithm to detect such shilling profiles in the system accurately and also study the effects of such profiles on the recommendations.

Information Retrieval,Artificial Intelligence,Cryptography and Security,Machine Learning

Yuanshun Yao,Bimal Viswanath,Jenna Cryan,Haitao Zheng,Ben Y. Zhao

DOI: https://doi.org/10.48550/arXiv.1708.08151

2017-09-08

Abstract:Malicious crowdsourcing forums are gaining traction as sources of spreading misinformation online, but are limited by the costs of hiring and managing human workers. In this paper, we identify a new class of attacks that leverage deep learning language models (Recurrent Neural Networks or RNNs) to automate the generation of fake online reviews for products and services. Not only are these attacks cheap and therefore more scalable, but they can control rate of content output to eliminate the signature burstiness that makes crowdsourced campaigns easy to detect. Using Yelp reviews as an example platform, we show how a two phased review generation and customization attack can produce reviews that are indistinguishable by state-of-the-art statistical detectors. We conduct a survey-based user study to show these reviews not only evade human detection, but also score high on "usefulness" metrics by users. Finally, we develop novel automated defenses against these attacks, by leveraging the lossy transformation introduced by the RNN training and generation cycle. We consider countermeasures against our mechanisms, show that they produce unattractive cost-benefit tradeoffs for attackers, and that they can be further curtailed by simple constraints imposed by online service providers.

Cryptography and Security,Social and Information Networks

Fan Wu,Min Gao,Junliang Yu,Zongwei Wang,Kecheng Liu,Xu Wang

DOI: https://doi.org/10.1016/j.ins.2021.07.041

IF: 8.1

2021-01-01

Information Sciences

Abstract:To explore the robustness of recommender systems, researchers have proposed various shilling attack models and analyzed their adverse effects. Primitive attacks are highly fea-sible but less effective due to simplistic handcrafted rules, while upgraded attacks are more powerful but costly and difficult to deploy because they require more knowledge from rec-ommendations. In this paper, we explore a novel shilling attack called Graph cOnvolution-based generative shilling ATtack (GOAT) to balance the attacks' feasibility and effective-ness. GOAT adopts the primitive attacks' paradigm that assigns items for fake users by sampling and the upgraded attacks' paradigm that generates fake ratings by a deep learning-based model. It deploys a generative adversarial network (GAN) that learns the real rating distribution to generate fake ratings. Additionally, the generator combines a tai-lored graph convolution structure that leverages the correlations between co-rated items to smoothen the fake ratings and enhance their authenticity. The extensive experiments on two public datasets evaluate GOAT's performance from multiple perspectives. Our study of the GOAT demonstrates technical feasibility for building a more powerful and intelligent attack model with a much-reduced cost, enables analysis the threat of such an attack and guides for investigating necessary prevention measures. (c) 2021 Elsevier Inc. All rights reserved.

Rami Cohen,Oren Sar Shalom,Dietmar Jannach,Amihood Amir

DOI: https://doi.org/10.48550/arXiv.2011.02701

2020-11-05

Abstract:Due to the advances in deep learning, visually-aware recommender systems (RS) have recently attracted increased research interest. Such systems combine collaborative signals with images, usually represented as feature vectors outputted by pre-trained image models. Since item catalogs can be huge, recommendation service providers often rely on images that are supplied by the item providers. In this work, we show that relying on such external sources can make an RS vulnerable to attacks, where the goal of the attacker is to unfairly promote certain pushed items. Specifically, we demonstrate how a new visual attack model can effectively influence the item scores and rankings in a black-box approach, i.e., without knowing the parameters of the model. The main underlying idea is to systematically create small human-imperceptible perturbations of the pushed item image and to devise appropriate gradient approximation methods to incrementally raise the pushed item's score. Experimental evaluations on two datasets show that the novel attack model is effective even when the contribution of the visual features to the overall performance of the recommender system is modest.

Machine Learning

Keke Chen,Patrick P. K. Chan,Fei Zhang,Qiaoqiao Li

DOI: https://doi.org/10.1007/s13042-018-0861-2

2019-01-01

International Journal of Machine Learning and Cybernetics

Abstract:Although collaborative filtering achieves satisfying performance in recommender systems, many studies suggest that it is vulnerable by shilling attack aimed to manipulate the recommending frequency of a target item by injecting malicious user profiles. The existing attack methods usually generate malicious profiles by rating the item selected randomly. However, as these rating patterns are different from the real users, who have their own preferences on items, these attack methods can be easily detected by shilling attack detection, which significantly reduces the attack ability. Although some attack methods consider disguise ability, these methods require too much information from real users. This study proposes a shilling attack which generates malicious samples with strong attack ability and similarity to real users. To imitate the rating behavior of genuine users, our attack model considers both rated item correlation and item popularity when choosing items to rate. The profiles generated by our attack model is expected to be more similar to real user profiles, which increases the disguise ability. We also investigate whether and how rated item correlation of real user profiles is different from the ones generated by our method and the existing shilling attack. The experimental results confirm that our method achieves the highest attack ability after removing the suspected profiles identified by PCA-based and SVM-based shilling attack detection. The study confirms the correlation of rated item is a critical factor of the robustness of recommender systems.

Chengzhi Huang,Hui Li

2023-08-21

Abstract:Recommendation systems (RS) are crucial for alleviating the information overload problem. Due to its pivotal role in guiding users to make decisions, unscrupulous parties are lured to launch attacks against RS to affect the decisions of normal users and gain illegal profits. Among various types of attacks, shilling attack is one of the most subsistent and profitable attacks. In shilling attack, an adversarial party injects a number of well-designed fake user profiles into the system to mislead RS so that the attack goal can be achieved. Although existing shilling attack methods have achieved promising results, they all adopt the attack paradigm of multi-user injection, where some fake user profiles are required. This paper provides the first study of shilling attack in an extremely limited scenario: only one fake user profile is injected into the victim RS to launch shilling attacks (i.e., single-user injection). We propose a novel single-user injection method SUI-Attack for invisible shilling attack. SUI-Attack is a graph based attack method that models shilling attack as a node generation task over the user-item bipartite graph of the victim RS, and it constructs the fake user profile by generating user features and edges that link the fake user to items. Extensive experiments demonstrate that SUI-Attack can achieve promising attack results in single-user injection. In addition to its attack power, SUI-Attack increases the stealthiness of shilling attack and reduces the risk of being detected. We provide our implementation at: <a class="link-external link-https" href="https://github.com/KDEGroup/SUI-Attack" rel="external noopener nofollow">this https URL</a>.

Information Retrieval,Cryptography and Security

Wei Zhou,Junhao Wen,Yun Sing Koh,Qingyu Xiong,Min Gao,Gillian Dobbie,Shafiq Alam

DOI: https://doi.org/10.1371/journal.pone.0130968

IF: 3.7

2015-07-29

PLoS ONE

Abstract:Recommender systems are highly vulnerable to shilling attacks, both by individuals and groups. Attackers who introduce biased ratings in order to affect recommendations, have been shown to negatively affect collaborative filtering (CF) algorithms. Previous research focuses only on the differences between genuine profiles and attack profiles, ignoring the group characteristics in attack profiles. In this paper, we study the use of statistical metrics to detect rating patterns of attackers and group characteristics in attack profiles. Another question is that most existing detecting methods are model specific. Two metrics, Rating Deviation from Mean Agreement (RDMA) and Degree of Similarity with Top Neighbors (DegSim), are used for analyzing rating patterns between malicious profiles and genuine profiles in attack models. Building upon this, we also propose and evaluate a detection structure called RD-TIA for detecting shilling attacks in recommender systems using a statistical approach. In order to detect more complicated attack models, we propose a novel metric called DegSim' based on DegSim. The experimental results show that our detection model based on target item analysis is an effective approach for detecting shilling attacks.

Wei Zhou,Junhao Wen,Qiang Qu,Jun Zeng,Tian Cheng

DOI: https://doi.org/10.1371/journal.pone.0196533

IF: 3.7

2018-05-09

PLoS ONE

Abstract:Recommender systems are vulnerable to shilling attacks. Forged user-generated content data, such as user ratings and reviews, are used by attackers to manipulate recommendation rankings. Shilling attack detection in recommender systems is of great significance to maintain the fairness and sustainability of recommender systems. The current studies have problems in terms of the poor universality of algorithms, difficulty in selection of user profile attributes, and lack of an optimization mechanism. In this paper, a shilling behaviour detection structure based on abnormal group user findings and rating time series analysis is proposed. This paper adds to the current understanding in the field by studying the credibility evaluation model in-depth based on the rating prediction model to derive proximity-based predictions. A method for detecting suspicious ratings based on suspicious time windows and target item analysis is proposed. Suspicious rating time segments are determined by constructing a time series, and data streams of the rating items are examined and suspicious rating segments are checked. To analyse features of shilling attacks by a group user&#x27;s credibility, an abnormal group user discovery method based on time series and time window is proposed. Standard testing datasets are used to verify the effect of the proposed method.

multidisciplinary sciences

Xian Wu,Yuxiao Dong,Jun Tao,Chao Huang,Nitesh V. Chawla

DOI: https://doi.org/10.1109/bigdata.2017.8257963

2017-01-01

Abstract:Fake reviews have become a pervasive problem in online review systems, wherein fraudulent users manipulate the perception of an object (e.g., a restaurant) by fabricating fake reviews. Extensive work has been devoted to identifying fake reviews via modeling different factors separately, such as user features, object characteristics, and user-object bipartite relations. However, this problem remains challenging due to the fact that more advanced camouflage strategies are utilized by malicious users. In real-world scenarios, spammers may pretend to be normal users by giving fake reviews with the similar score distribution as normal users. To address these issues, we propose to explore the temporal patterns of users' review behavior, because spammers prefer to promote or demote the target businesses in a short period of time. In this work, we present a unified framework Reliable Fake Review Detection (RFRD) that explicitly models temporal patterns of users' review behavior into a probabilistic generative model. Moreover, the RFRD framework models users' underlying review credibility and objects' highly-skewed review distributions. We conduct experiments on two Yelp datasets, demonstrating the effectiveness of the proposed RFRD framework.

高鹏,骆源

DOI: https://doi.org/10.3969/j.issn.1002-0802.2013.04.004

2013-01-01

Abstract:Collaborative filtering systems are vulnerable to manipulation by malicious social elements such as shilling attack. Malicious user votes and profiles could be injected into a collaborative recommender system, with either multiple identities or by involving more people, and this would significantly affect the robustness and accuracy of the system or algorithm, the shilling attack is analyzed in an in-depth way, and a novel robust collaborative filtering system, is proposed in combination with principal component analysis and variable selection, thus to protect recommender system from shilling attack. Finally the experiment indicates that this filtering system could achieve a fairly high detection accuracy.

Cong Li,Zhigang Luo

DOI: https://doi.org/10.1109/socpar.2011.6089138

2011-01-01

Abstract:Collaborative filtering recommender systems are essentially information systems which are capable of combining the judgment of a large group of people to make personalized recommendations and thereby alleviate the so-called information overload problem. However,collaborative filtering recommender systems are generally vulnerable to shilling attacks. Attackers can inject carefully chosen profiles into recommender systems in order to bias the recommendation results to their benefits. This may lead to a significant negative impact on the robustness of the systems. The main contribution of this paper is to build a probabilistic model for attack detection in the framework of probabilistic generative model. Experimental results show that this model can effectively detect shilling attacks of typical types.

Qingxian Wang,Meng Wan,Mingsheng Shang,Shimin Cai

DOI: https://doi.org/10.6138/jit.2017.18.5.20130715

2015-01-01

Abstract:Collaborative filtering is a technique widely used in online recommendation systems nowadays. However, it is vulnerable from manipulation by malicious users who often create some fake account (or shilling) profiles to influence the results of recommender systems. To identify the fake users, existing algorithms usually utilize certain characteristics of shilling profiles, of which the drawbacks are the low precision and the requirement of a large size of training set. In this paper, we develop a clustering based method to find the shilling attackers by incorporating the information of user ratings and the attribute of user profiles. The users are firstly self-organizedly clustered into several groups based on the integrated information of the rating features and the attributes of user profile, then the malicious user group is identified through the GRDMA (Group Rating Deviation from Mean Agreement) values of user group. Instead of identifying attacker one by one, the proposed algorithm finds the malicious users at the collective level, which provids a novel way to analyse and detect shilling attack. The experimental results performed on MovieLens dataset demonstrate that the proposed algorithm is effective and robust in three typical kinds of shilling attack models, especially when the attack size and the filler size are sufficiently high.

Filippo Betello

2024-10-14

Abstract:Sequential Recommender Systems (SRSs) are widely used to model user behavior over time, yet their robustness remains an under-explored area of research. In this paper, we conduct an empirical study to assess how the presence of fake users, who engage in random interactions, follow popular or unpopular items, or focus on a single genre, impacts the performance of SRSs in real-world scenarios. We evaluate two SRS models across multiple datasets, using established metrics such as Normalized Discounted Cumulative Gain (NDCG) and Rank Sensitivity List (RLS) to measure performance. While traditional metrics like NDCG remain relatively stable, our findings reveal that the presence of fake users severely degrades RLS metrics, often reducing them to near-zero values. These results highlight the need for further investigation into the effects of fake users on training data and emphasize the importance of developing more resilient SRSs that can withstand different types of adversarial attacks.

Information Retrieval

Xuxin Zhang,Jian Chen,Rui Zhang,Chen Wang,Ling Liu

DOI: https://doi.org/10.1109/tifs.2021.3117078

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Recommender systems (RS) have become an essential component of web services due to their excellent performance. Despite their great success, RS have proved to be vulnerable to data poisoning attacks, which inject well-crafted fake profiles into RS, so that the target items can be maliciously recommended. In this paper, we first reveal that existing poisoning attacks in RS can be detected effortlessly, as the features of the generated fake profiles cannot be inconsistent with those of normal profiles all the time. We further propose RecUP, a poisoning attack in RS that can generate plausible profiles whose features stay almost the same as the normal ones, based on Generative Adversarial Networks (GAN). To tailor GAN for poisoning in RS, we develop HRGAN and devise a loss function to guide the training of the generator, along with a masking operation with selected potentially powerful profiles, so that the final generated profiles can perform malicious recommendations as expected. Evaluations against various defense methods using three real-world datasets show that, RecUP can generate the most plausible profiles while maintaining comparable attacking performance compared with state-of-the-art attacks.

computer science, theory & methods,engineering, electrical & electronic