Attacking Recommender Systems with Augmented User Profiles

05/17/2020 ∙ by Chen Lin, et al. ∙ Xiamen University FUDAN University 0

Recommendation Systems (RS) have become an essential part of many online services. Due to its pivotal role of guiding customers towards purchasing, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper we study the shilling attack: a subsistent and profitable attack where an adversarial party injects a number of user profiles to promote or demote a target item. Conventional shilling attack models are based on simple heuristics that can be easily detected, or directly adopt adversarial attack methods without a special design for RS. Moreover, the study on the attack impact on deep learning based RS is missing in the literature, making the effects of shilling attack against real RS doubtful. We present a novel Augmented Shilling Attack framework (AUSH) and implement it with the idea of Generative Adversarial Network. AUSH is capable of tailoring attacks against RS according to budget and complex attack goals such as targeting on a specific user group. We experimentally show that the attack impact of AUSH is noticeable on a wide range of RS including both classic and modern deep learning based RS, while it is virtually undetectable by the state-of-the-art attack detection model.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

The history of Recommender Systems (RS) can be traced back to the beginning of e-commerce (SmithL17). The ability of RS to assist users in finding the desirable targets makes it an important tool for alleviating information overload problem. As a result, RS has been prevalently deployed in industries (e.g., Amazon, Facebook and Netflix (Aggarwal16)). Not only is RS beneficial to customers, but also RS helps retail companies and producers promote their products and increase sales. Consequently, there is a strong intention for unscrupulous parties to attack RS in order to maximize their malicious objectives.

Due to RS’s pivotal role in e-commerce, much effort has been devoted to studying how to spoof RS in order to give insights into the defense against malicious attacks. Various attacks, such as unorganized malicious attack (i.e., several attackers individually attack RS without an organizer) (Pang0TZ18) and sybil attack (i.e., illegally infer a user’s preference) (CalandrinoKNFS11), have been studied. This paper focuses on a subsistent and profitable attack, i.e., shilling attack, where an adversarial party produces a number of user profiles using some strategies to promote or demote an item (GunesKBP14) in order to have their own products recommended more often than those of their competitors. Shilling attack is also called data poisoning (LiWSV16) or profile injection attack (BurkeMBW05) in the literature. Researchers have successfully performed shilling attacks against real-world RS such as YouTube, Google Search, Amazon and Yelp in experiments (XingMDSFL13; YangGC17). Large companies like Sony, Amazon and eBay have reported that they suffered from such attacks in practice (LamR04).

Shilling attack is the specific application of adversarial attack (abs-1810-00069; YuanHZL19)

in the domain of recommender systems. Adversarial attack uses crafted adversarial examples to mislead machine learning models. A tremendous amount of work in adversarial attack is against image classification 

(SuVS19), or text classification (AlzantotSEHSC18). However, they cannot be directly employed in shilling attack at full power, due to the following challenges:

  1. [label=(0),leftmargin=15pt,topsep=2pt]

  2. Data correlation in RS: RS relies on capturing the correlations between users and items for recommendations and such relations enhance the robustness of RS. The recommendation targeting at a specific user is typically made based on the information from multiple user-item pairs (i.e., collaborative filtering (Aggarwal16)) instead of a single data sample. Therefore, manipulating the recommendation for one user requires to inject many related user-item pairs, which may affect the recommendation results for other non-targeting users in RS and make the attack easy to be detected. This is different compared to attacking many other learning tasks where manipulating one data sample may achieve the desirable attack goal and adversarial attacks can be directly deployed (e.g., one-pixel attack (SuVS19) for changing the classification of an image).

  3. No prior knowledge of RS:

    A prevalent strategy of adversarial attack is to utilize the information of gradient decent in machine learning models to search undetectable perturbations and then combine perturbations with normal representation vectors to affect the learning system 

    (abs-1810-00069). As a comparison, in shilling attack, though the data (e.g., rating matrix) of RS is generally available to all users (i.e., a user can see all other users’ ratings) and thus exposed to attackers (SandvigMB08; GunesKBP14; LamR04), the recommendation model is typically a black box. Thus, it is required that the attack must be effective against a wide range of recommendation models.

  4. The balance of different complex attack goals: Instead of only promoting or demoting an item to the general audience, there are usually multiple goals that the attacker desires to achieve. However, incorporating multiple attack goals together may degrade the attack performance of individual attack goal or make the attack detectable. Consequently, special designs are required to balance and achieve multiple attack goals simultaneously, while keeping the attack undetectable.

Due to the aforementioned challenges, only a few recent works (Christakopoulou2018Adversarial; Christakopoulou19) consider directly adopting the idea of adversarial attacks for shilling attack, and they do not show satisfactory attack effects on a wide range of RS as illustrated later in our experiments. In addition to these methods, most existing shilling attack methods create injection profiles based on some global statistics, e.g., average rating value (GunesKBP14; LamR04)

and rating variance 

(SandvigMB08) for each item. For instance, average attack assigns the highest rating to the target item to be promoted and an average rating to a set of randomly sampled items (LamR04). Although all these existing methods, including both adversarial based and simple heuristic based approaches, were proved to be effective in some cases, they still suffer from the following limitations:

  1. [label=(0),leftmargin=15pt,topsep=2pt]

  2. Easy to detect: Generated user profiles lack personalization (i.e., different user behavior pattern), thus the injected profiles can be easily detected, even by some simple heuristics (more details described in Sec. 5.4).

  3. Narrow range of target models

    : Depending on how the statistics are computed, conventional shilling attacks are shown to be effective only on certain traditional collaborative filtering (CF) approaches. For example, average, bandwagon and random attacks are more effective against user-based KNN, but do not work well against item-based KNN 

    (MobasherBBW07). Moreover, their influence on deep learning based RS, which has attracted considerable interest and been deployed in real applications (ZhangYST19), has not been studied. In fact, as global statistics can not capture high-level associations among items or users, the actual effect of the existing attack approaches on modern RS is doubtable (more details described in Sec. 5.2).

  4. Inflexibility: It is difficult to tailor the attack for specific goals which attackers desire to achieve after the attack, e.g., to exert adverse effects on items from the competitors.

To address the above problems, a natural intuition to enhance the attack is to “augment” the templates, which are selected from existing real user profiles and are used to generate injected profiles. This way, the injected fake user profiles are diversified and it becomes difficult to distinguish them from real users. Based on this intuition, we present a novel Augmented Shilling Attack (AUSH) and implement it with the idea of Generative Adversarial Network (GAN) (GoodfellowPMXWOCB14)

. Specifically, the generator acts like an “attacker” and generates fake user profiles by augmenting the “template” of existing real user profiles. The deep neural network based generator can capture complex user-item associations better than existing attack methods using simple heuristics. Thus, it works well on modern RS which commonly deploys deep neural networks. Moreover, the generator is able to achieve secondary attack goals by incorporating a shilling loss. On the other hand, the discriminator module performs like a “defender”. It distinguishes fake user profiles from real user profiles and provides guidance to train the generator to generate undetectable fake user profiles. Each of the generator and the discriminator strikes to enhance itself to beat the other one at every round of the minimax competition. It is worthy noting that, as we have explained, deploying the idea of adversarial attack in shilling attack is not a trivial task, and

directly applying the adversarial attack method (i.e., using a general GAN) in shilling attacks without our designs to tailor it for the attack will not provide satisfactory results as shown in our experiments.

Our contributions can be summarized by three merits of AUSH. We show that AUSH resembles to the traditional segment attack and bandwagon attack (GunesKBP14), yet more powerful, undetectable and flexible than conventional shilling attack methods:

  1. [label=(0),leftmargin=15pt,topsep=2pt]

  2. AUSH is powerful on a wide range of recommendation models including both traditional CF methods and modern deep learning based approaches, while the prior knowledge of AUSH does not exceed what the conventional shilling attack approaches require to know.

  3. Furthermore, AUSH is virtually undetectable by the state-of-the-art attack detection method as shown in our experiments.

  4. Finally, AUSH contains more than a general GAN as it includes a reconstruction loss and a shilling loss which tailor AUSH for attacking RS and endows the AUSH with the ability of achieving secondary attack goals (e.g., promote items for a group of users who have shown preferences over a predefined set of competitors, or target on long-tail items).

We conduct comprehensive experiments to verify the above merits of AUSH and its attack power against both classic and modern deep learning based recommendation algorithms. Note that attacking modern deep neural network recommendation algorithms has rarely been studied in the literature.

The rest of the paper is organized as follows: Sec. 2 illustrate the related work. Sec. 3 demonstrates the design of AUSH and Sec 4 gives one possible implementation of AUSH. In Sec. 5, we compare AUSH with other state-of-the-art shilling attacks methods and verify its effectiveness. Sec. 6 concludes our work.

2. Related Work

We briefly survey four lines of research related to our work.

2.1. Recommender Systems (RS)

Traditional RS typically relies on collaborative filtering methods (CF), especially matrix factorization (MF) methods (KorenBV09)

. MF models user preferences and item properties by factorizing the user-item interaction matrix into two low-dimensional latent matrices. Recently, numerous deep learning techniques (e.g., multilayer perceptron 

(HeLZNHC17), CNNs (TuanP17), RNNs (SunW018), GNNs (FanZHSHML19)

, Autoencoder 

(Sedhain2015AutoRec), and Attention Mechanism (TayLH18)) have been introduced into RS. Compared to traditional RS, deep learning based RS is able to model the nonlinearity of data correlations and learn the underlying complex feature representations (ZhangYST19). Consequently, deep learning based RS has outperformed traditional RS in general.

2.2. Adversarial Attacks

Machine learning has played a vital role in a broad spectrum of applications and helped solve many difficult problems for us. However, security of machine learning systems are vulnerable to crafted adversarial examples (abs-1810-00069), which may be imperceptible to the human eye, but can lead the model to misclassify the output. Adversaries may leverage such vulnerabilities to compromise a learning system where they have high incentives and such attacks are called as adversarial attacks. Adversarial attack has show its ability to manipulate the outputs of many text and image based learning systems (abs-1902-07285; Zhang20; abs-1810-00069; YuanHZL19).

Adversarial examples in conventional machine learning models have been discussed since decades ago (YuanHZL19). DalviDMSV04 find manipulating input data may affect the prediction results of classification algorithms. BiggioCMNSLGR13 design a gradient-based approach to generate adversarial examples against SVM. BarrenoNSJT06; BarrenoNJT10 formally investigate the security of conventional machine learning methods under adversarial attacks. RoliBF13 discuss several defense strategies against adversarial attacks to improve the security of machine learning algorithms. In addition to conventional machine learning, recent studies have reported that deep learning techniques are also vulnerable to adversarial attacks (abs-1810-00069; YuanHZL19).

Though we have witness a great success of adversarial attacks against many learning systems, existing adversarial attacks cannot be directly adopted for the shilling attack task as explained in Sec. 1.

2.3. Generative Adversarial Network

Generative Adversarial Network (GAN) (GoodfellowPMXWOCB14) has recently attracted great attention for its potential to learn real data distribution and generate text (YuZWY17), images (LiuT16), recommendations (WangYZGXWZZ17) and many other types of data (HongHYY19; abs-2001-06937). GAN performs adversarial learning between the generator and the discriminator. The generator and the discriminator can be implemented with any form of differentiable system that maps data from one space to the other (abs-2001-06937). The generator tries to capture the real data distribution and generates real-like data, while the discriminator is responsible for discriminating the data generated by the generator and the real data. GAN plays a minimax game and the optimization terminates at a saddle point that is a minimum with respect to the generator and a maximum with respect to the discriminator (i.e., Nash equilibrium).

As GAN overcomes the limitations of previous generative models (HongHYY19), it has been successfully applied in many applications and there is a surge of works studying how to improve GAN (HongHYY19; abs-2001-06937). Follow-up works include DCGAN (RadfordMC15) which adopts the CNN architecture in GAN and Wasserstein GAN (ArjovskyCB17) which leverages Earth Mover distance. There also exists a direction of GAN research which utilizes GAN to generate adversarial examples. For instance, (ZhaoDS18) propose to search the representation space of input data instead of input data itself under the setting of GAN in order to generate more natural adversarial examples. (XiaoLZHLS18) design AdvGAN which can attack black-box models by training a distilled model.

2.4. Shilling Attacks against RS

OMahonyHS05; OMahonyHKS04 firstly study the robustness of user-based CF method for rating prediction by injecting some faked users. They also provide a theoretical analysis of the attack by viewing injected ratings as noises. LamR04; BurkeMBW05; Burke2005Limited; MobasherBBW07 further study the influence of some low-knowledge attack approaches to promote an item (e.g., random, average, bandwagon attack and segment attack) and to demote an item (e.g., love/hate attack and reverse bandwagon attack) on CF methods for both rating prediction and top- recommendation. They observe that CF methods are vulnerable to such attacks. Assuming more knowledge and cost, WilsonS13; SeminarioW14b design the power user/item attack models which leverage most influential users/items to shill RS, FangYGL18 study how to shill a graph based CF models, and LiWSV16 present near-optimal data poisoning attacks for factorization-based CF. XingMDSFL13; YangGC17 conduct experiments on attacking real-world RS (e.g., YouTube, Google Search, Amazon and Yelp) and show that manipulating RS is possible in practice.

Inspired by the success of GAN, a few works turn to leverage GAN for shilling attack task (Christakopoulou2018Adversarial; Christakopoulou19). However, directly adopting existing GAN methods for generating adversarial examples, without special designs (like AUSH) to tailor them for RS, will not provide satisfactory results in shilling attacks as shown in our experiments. Christakopoulou2018Adversarial; Christakopoulou19 employ DCGAN (RadfordMC15) to generate faked user profiles used in shilling attacks. They formulate this procedure as a repeated general-sum game between RS and adversarial fake user generator. Compared to their work, AUSH is more specially tailored for RS instead of directly using adversarial attacks (i.e., the general GAN) against machine learning models. We consider more realistic factors (e.g., users in the segment, attack cost and undetectability) when attacking RS, which descend from previous study on attacking traditional CF models.

Note that the study on the impact of shilling attacks against deep learning based RS is limited, although there is a tremendous amount of work on attack and defense of traditional RS. Therefore, we also include an analysis of attacking deep learning based RS in the Sec. 5 of this paper.

3. Augmented Shilling Attack

In this section, we introduce our proposed attack framework: Augmented Shilling Attack (AUSH).

Figure 1. Pipeline of AUSH. We use binary ratings for illustration, though AUSH can handle a five-point scale. Red and blue indicate a high rating and a low rating, respectively.

3.1. Terminology

We follow the terminology used in the literature (GunesKBP14) and divide the items in a fake user profile into one target item (i.e., the attacker wants to assign it a malicious rating), a number of filler items (i.e., a group of randomly sampled items which have been rated by the real user and will be used to obstruct detection of the attack), a number of selected items (i.e., a group of human-selected items for special treatment to form the characteristics of the attack), and unrated items (i.e., the rest of the items in the RS). Selected items are the same across all fake user profiles, while each fake user profile has its own filler items.

3.2. Attack Budget and Goal

Attacking RS is costly. As such, in designing a practical attack model against RS, we have to take into account the following attack budget and goal:

  • [leftmargin=10pt]

  • Attack budget: we consider two factors

    • Attack size is the number of fake user profiles

    • Profile size is the number of non-zero ratings. The larger the attack size / profile size is, the more effective and expensive the attack could be.

  • Attack goal: the goal an adversarial party wants to achieve could be complex and we mainly consider the following aspects

    • Attack type indicates whether it is a push attack (i.e., assign a maximal rating on target item to promote it) or a nuke attack (i.e., assign a minimal rating on target item to demote it). Since the two types are similar and can be exchanged (i.e., change a maximal rating to a minimal rating), we consider push attacks in the sequel for simplicity.

    • Target user group is the group of users that an attack aims at.

    • Ancillary effects (e.g., demoting competitors, bias the ratings of a special user groups on selected items) are also desired in the attack. Such intentions will manifest in choosing selected items.

3.3. Overview of AUSH

Conventional attack models make up a fake user profile from scratch. On the contrary, our intuition is to use an existing real user profile as a “template” and augment it to generate the fake user profile for shilling (AUSH). The template knowledge is accessible in practice and do not exceed the requirements of recent sophisticated attack methods (LiWSV16; FangYGL18), as we will show later. The benefits are two-fold. Firstly, the generated profile is indistinguishable as it is built upon real user behavior patterns. Moreover, it retains the preference diversity of the community. Unlike random or average attack, where fake users do not show specific tastes, our strategy can generate fake users who have a special taste on niche items.

Inspired by the success of adversarial learning in image generation (GoodfellowPMXWOCB14), we employ a Generative Adversarial Network framework for AUSH to make the attack even more undetectable. Fig. 1 gives an overview of our pipeline, which consists of the following parts:

  1. [label=(0),leftmargin=15pt]

  2. Sampling (“template” selection) contains two steps. In the first step, a batch of real users are chosen as “templates”. In the second step, filler items of each “template” are sampled from the rated items of the corresponding “template” user.

  3. Generator (“patch” generation) patches each “template” by adding ratings on selected items to generate one fake profile. Generator takes as input the sampled user-item rating sub-matrix (i.e., “templates”) and captures the latent association between items and users. To better learn behavior patterns of the real user (i.e., the “template” user) including positive and negative preference on selected items, AUSH attempts to recover each “template” user’s observed ratings on selected items and samples of unobserved selected items (i.e., to recover the rating “”) via a reconstruction loss. The output of generator is a set of fake user profiles, which contain ratings on selected items. We can harness a shilling loss to optimize secondary attack effects, including but not limited to demoting the competitors, targeting on special user groups, etc.

  4. Discriminator

    is fed with the output of the generator. It attempts to accurately classify real user profiles and fake user profiles. The

    adversarial loss is optimized to boost the performance of discriminator.

The design of AUSH is general and there are various possible implementations for the generator and the discriminator. We provide one implementation in Sec. 4.

Input: rating matrix
Output: parameter set for generator and parameter set for discriminator

number of training epochs

       for  steps do
             uniformly sample a minibatch of users ;
             foreach   do
                   sample items to construct ;
            generate a minibatch of fake user profiles ;
             optimize to with fixed;
      for  steps do
             uniformly sample a minibatch of user rating vectors ;
             foreach   do
                   sample items to construct ;
            generate a minibatch of fake user profiles ;
             optimize to with fixed;
Algorithm 1 Training procedure for AUSH

3.4. Relation to Segment/Bandwagon Attack

Segment attack injects user profiles, each of which comprises maximal ratings on selected items and minimal ratings on filler items. For in-segment users (defined as users who like selected items), segment attack is one of the few attack models that work effectively on item-based CF recommendation models. The design of segment attack ensures that similarity between users in the segment and injected profiles appears high and target item becomes more likely to be recommended.

Another commonly adopted attack model is bandwagon attack. In bandwagon attack, the most popular items are regarded as selected items and are assigned with highest ratings. The filler items are randomly chosen and randomly rated. It associates the target item with popular items, so that the inserted profiles will have a high probability of being similar to many users 


We see that segment attack and bandwagon attack can be expressed under our framework. If we fix ratings on the fillers and selected items to be minimal rating and maximal rating respectively, then AUSH is degraded to segment attack. If we sample frequently rated items as selected items, then AUSH is degraded to bandwagon attack. Due to the architectural resemblance, AUSH is empowered by the capabilities of both segment attack and bandwagon attack. Moreover, AUSH improves over bandwagon attack by allowing the selected item to be tuned according to the rating values of fillers, making the injected profile more natural and indistinguishable. It also advances segment attack by revealing real patterns of filler ratings. In addition to the aforementioned advantages, AUSH is more flexible and able to achieve multiple goals (i.e., Attack Goal in Sec. 3.2) in a single attack.

4. Implementation

We use to denote the rating matrix in RS, where is the set of real users and is the item universe. indicates the set of items that have been rated by . Similarly, denotes the set of users that have rated . Unless otherwise stated, we use lower-case letters for indices, capital letters for scalars, boldface lower-case letters for vectors, boldface capital letters for matrices, calligraphic letters for sets. For instance, , , , and are attack size, profile size, filler size, set of fake users and set of selected items, respectively. The generator of AUSH takes as the input and generates the fake user profiles , where each column has exactly non-zero entries. As depicted in Alg. 1, AUSH comprises of the following components and steps.

4.1. Sampling

In this step, AUSH samples a sub-matrix (i.e., “templates”) from . Each “template” is sampled randomly from real users who have sufficient ratings. Mathematically, . In each training epoch of Alg. 1, the set is a minibatch of users. In test time (i.e., the generated fake profiles are used for attack), we sample exactly fake user profiles . We adopt different strategies as shown below to sample the filler items for each and form . For each filler item , . For other items, .

  1. [label=(0),leftmargin=17pt]

  2. Random Sample: randomly sample items from .

  3. Sample by Rating: sample items based on their ratings, i.e., , where is ’s average rating.

  4. Sample by Popularity: items are sampled based on their popularity, i.e., .

  5. Sample by Similarity: sample items based on their similarity to the selected items, i.e., .

4.2. Generator

The generator aims to “patch” the “templates” with ratings on selected items in order to form the fake user profiles for attack.

We employ a reconstruction loss (i.e., MSE loss), shown in Eq. 1, to optimize the generator parameters. We will slightly abuse the notation, and define as the set of observed ratings of the “template” user for user on selected items, and as random samples from the set of selected items that the “template” user has not rated in the original data. And indicates .


where indicates the generator which will be defined in Eq. 2.

The reconstruction loss helps to produce ratings on the selected items that are consistent with the real user’s preference. Note that we use minibatch for training as shown in Alg. 1. Thus we sample (the percentage) of unobserved selected items for all the users in a minibatch when constructing reconstructed items for these users, instead of independently sampling unobserved selected items for each user.

There is a variety of model structures for optimizing the reconstruction loss, we empirically find that towered multilayer perceptron (MLP) combined with the MSE loss on selected items works best. Let be the number of hidden layers, the generator is a mapping function that operates in a towered manner:


In Eq 2, with denotes the mapping function for the -th hidden layer. , where and

are learnable weight matrix and bias vector for layer

. The activation function

for each layer is sigmoid. We set the size of layers (i.e., dimensionality of ) as one third of the previous layers. The output layer is similar to and its size is the number of selected items.

AUSH can be extended to achieve secondary attack goals by incorporating a shilling loss. In this work, we consider enhancing the attack effect on in-segment users (LamR04). That is, we increase the impact of the attack on users who like the selected items before the attack. Such an effect is desirable when an adversarial party (i.e., the attacker) is competing with the selected items (from its competitor). The shilling loss we adopt is shown as follows:


where is the maximal possible rating in the system. The shilling loss produces fake user profiles that are more likely to associate with in-segment users. Thus in-segment users, after our attack, prefer to purchase the target item rather than the selected items (from the competitor). Through optimizing shilling loss, AUSH is able to achieve the ancillary effects.

4.3. Discriminator

The discriminator attempts to correctly distinguish fake user profiles from real user profiles, and encourages the generator to produce realistic user profiles. We use MLP as our discriminator, where estimates probabilities of its inputs been real user profiles, and are weight matrix and bias vector.

Inspired by the idea of GAN (GoodfellowPMXWOCB14), we aim to unify the different goals of generator and discriminator by letting them play a minimax game via optimizing the following adversarial loss:


where and are model parameters of and , respectively. is a real user profile. is a fake user profile from the generator distribution .

4.4. Learning

Finally, the complete objective considers adversarial loss, reconstruction loss and shilling loss, and leads to the following formulation:


As shown in Alg. 1, in each round of the optimization, each of the “attacker” (i.e., generator) and “defender” (i.e., discriminator) endeavors to improve itself to defeat the other part. The generator attempts to generate “perfect” fake user profiles that are difficult to detect, while the discriminator tries to accurately identify fake profiles. During this procedure, the generator learns to produce fake profiles similar to real profiles via optimizing the reconstruction loss. At the same time, optimizing the shilling loss endows the fake profiles with the capability to exert ancillary influence (e.g., demote competitors or bias in-segment users).

5. Experiment

In this section, we conduct experiments in order to answer the following research questions:

  • [leftmargin=14pt]

  • RQ1: Does AUSH have better attack performance on both traditional and deep learning based RS, than other shilling attack methods?

  • RQ2: If adversarial attack methods are directly used (i.e., using a general GAN) for shilling attack, what are the attack impacts?

  • RQ3: Is AUSH able to achieve secondary attack goals at the same time?

  • RQ4: How much does each component in AUSH contribute to the attack effects?

  • RQ5: Is it more difficult for attack detector to recognize the attack launched by AUSH, compared to shilling attack methods?

In the following, we first demonstrate our experiment setup in Sec. 5.1. Then, the attack effect of AUSH is verified on three well-known recommendation benchmarks and is compared with both heuristic based and general GAN based attack models in Sec. 5.2 (RQ1, RQ2, RQ3). After that, we investigate the role of each component in AUSH on the attack impact (RQ4). Finally, we show that AUSH can not be detected by supervised and unsupervised attack detection methods in Sec. 5.4 and it generates indistinguishable profiles in terms of similarity measurements (RQ5).

5.1. Experimental Setup

We use three benchmark data sets for RS in our experiments: ML-100K111, FilmTrust222 and Amazon Automotive333 Most of the previous work (SandvigMB08) only uses ML-100K as the single data set. We use its default training/test split. In addition, we use FilmTrust and Automotive, which are larger and sparser, to testify the competence of AUSH in different settings. We randomly split them by 9:1 for training and testing, respectively. To exclude cold-start users (as they are too vulnerable), we filter users with less than 15 ratings and items without ratings.

Data #Users #Items #Ratings Sparsity
ML-100K 943 1,682 100,000 93.70%
FilmTrust 780 721 28,799 94.88%
Automotive 2,928 1,835 20,473 99.62%
Data Attack Size Filler Size #Selected Items Profile Size
ML-100K 50 90 3 94
FilmTrust 50 35 2 38
Automotive 50 4 1 6
Table 1. Statistics of data

We inject user profiles (i.e., roughly 5% of the population which can manifest the differences among attack models (BurkeMBW05)) in each attack. The number of fillers in each injected user profile equals to the average number of ratings per user in the data set. For each target item in ML-100K, we select a small number of items that are most frequently rated under the same tag/category of the target item as the selected items. For each target item in FilmTrust and Automotive which do not have information of tag/category, we sample items from global popular items as the selected items. Tab. 1 illustrates the statistics of the data.

We use TensorFlow for the implementation. The generator of AUSH has 5 hidden layers (i.e.,

) with , , , and neurons for each layer. We use random sampling as the default strategy for sampling filler items in AUSH as it requires the least effort. The output layer size is the number of selected items. We use Adam (KingmaB14) for optimization with an initial learning rate of 0.01. The maximal number of adversarial iterations is set to be .

5.2. Attack Performance (RQ1, RQ2, RQ3)

To answer RQ1, we investigate the attack performance of AUSH and compare it with other baselines on several classic and deep learning based RS models including NMF (Lee2001Algorithms), NNMF (Dziugaite2015Neural) and AutoEncoder (Sedhain2015AutoRec) in our experiments. Note that AUSH is designed for attacking rating based RS and we need to estimate the exact values of ratings in the experiment. Thus we exclude methods such as NCF (HeLZNHC17) which is designed for implicit feedback. We compare AUSH with several shilling attack models:

  1. [label=(0),leftmargin=15pt]

  2. Random attack assigns a rating to a filler, where and are the mean and the variance of all ratings in the system, respectively.

  3. Average attack assigns a rating to a filler, where and are the mean and the variance of ratings on this filler in the system, respectively.

  4. Segment attack assigns maximal ratings to the selected items and minimal ratings to the filler items.

  5. Bandwagon attack uses the most popular items as the selected items and assigns maximal ratings to them, while fillers are assigned ratings in the same manner as random attack.

  6. DCGAN is an adversarial network (RadfordMC15) adopted in a recent shilling attack method (Christakopoulou2018Adversarial; Christakopoulou19), where the generator takes the input noise and output fake user profiles through convolutional units. We use the default settings in (Christakopoulou19).

  7. WGAN is similar to DCGAN, but we replace the GAN used in the shilling attack with Wasserstein GAN (ArjovskyCB17) which has a good empirical performance (Ishaan2017WGAN).

In all methods, the highest rating is assigned to the target item. We train each RS and AUSH until convergence. The required information (e.g., mean and variance) is obtained from the training set. Note the prior knowledge of AUSH does not exceed what the baselines require to know. Then we inject user profiles generated by the attack models to the training set and train the RS again on the polluted data. We evaluate the attack performance on the test set using prediction shift (PS) and Hit Ratios at (HR@). PS is the difference of ratings that the RS makes before and after the attack. HR@ is the hit ratio of target items in the top- recommendations after the attack. As we are performing a push attack, the PS and HR@ need to be positive to indicate an effective attack. The larger their values are, the more effective the attack is. In the evaluation, we use for HR@.

Overall Performance (RQ1). We randomly select five items as random targets. As indicated in the literature (LamR04), unpopular items (i.e., long-tail items) are likely to be the targets of an attack. Therefore, we additionally sample five target items with the number of ratings no more than a threshold as random long-tail targets. The threshold number of ratings is one in ML-100K, two in FilmTrust, and three in Automotive. We report the average attack performance on the three data sets for random targets and random long-tail targets, when the complete loss (i.e., Eq. 5) is used in AUSH, in Tabs. 234 and 5 for attacking NMF, NNMF, U-AutoEncoder and I-AutoEncoder, respectively. We highlight the best performance in each category. AUSH will also be highlighted if it achieves the second best performance.

From experimental results, we can see that AUSH generally achieves attractive attack performance against all recommendation models on target items. It generates the largest PS and HR@ in most categories including both random targets and random long-tail targets, showing that AUSH is a practical method for attackers who want to promote their products. Conventional attack models do not show a robust attack performance like AUSH, even though they may exceed AUSH in a few cases.

Comparisons between AUSH and General GANs (RQ2). We can observe from Tabs. 234 and 5 that directly adopting the idea of adversarial attacks (i.e., using general GANs) does not give a satisfactory performance. Particularly, both DCGAN which is adopted in the recent shilling attack (Christakopoulou2018Adversarial; Christakopoulou19) and WGAN (ArjovskyCB17) which aims at stabilizing GAN training do not show better performance than simple heuristic based attack approaches like Average attack and Random attack. In some cases, attacks launched by DCGAN and WGAN even give opposite effects (i.e., negative PS and HR@). It validates our assumption that a tailored GAN framework is necessary for shilling attack.

Secondary Attack Goals (RQ3). As explained in Sec. 4.2, incorporating a shilling loss helps AUSH to achieve secondary attack goal, i.e., increasing the impact of the attack on users who like the selected items before the attack. We call such users in-segment users (LamR04) and they are target population to certain attackers. We define in-segment users as users who have assigned high ratings (i.e., 4- or 5-stars) on all selected item in our experiments. In Tabs. 234 and 5, we already report the attack results for in-segment users and all users, and list random targets and random long-tail targets separately. In Tab. 6, we further show the attack performance on I-AutoEncoder in different settings and the results are reported by averaging attack impacts on random targets and random long-tail targets. Note that AUSH in Tab. 6 indicates the complete loss (i.e., Eq. 5) and the default random sampling are used, i.e., it is equivalent to AUSH in Tabs. 234 and 5. For example, AUSH has a PS of 1.6623 for in-segment users in Tab. 6 which is the average of AUSH’s attack performances for in-segment users on random targets and random long-tail targets of ML-100K (i.e., 1.3746 and 1.9499) in Tab. 5. Due to space limit, we only report attack results in ML-100K in Tab. 6, but we observe similar results in other settings.

We can observe that AUSH (in Tabs. 234 and 5) and AUSH (in Tab. 6) enhance the power of segment attack – a much more significant attack impact on in-segment users than on all users, while other baselines are not that flexible and they are unable to achieve such a secondary attack goal. This property of AUSH is desirable if the attacker wants to demote the items from competitors. Note AUSH uses the complete loss. For a further study on impacts of the different loss components, please refer to the next section.

Metric In-segment Users All Users
Prediction Shift HR@10 Prediction Shift HR@10
Data Set ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive
Model Random Targets
AUSH 1.8857 0.8937 0.2778 0.2538 0.2822 0.0539 1.7503 0.9650 0.2585 0.1849 0.2821 0.0541
Segment 1.0157 0.6832 0.2313 0.0372 0.3214 0.1545 0.7061 0.4504 0.2649 0.0380 0.1978 0.1132
Average 1.8478 0.8721 0.1972 0.2147 0.2208 0.0239 1.7754 0.9522 0.2100 0.1787 0.2241 0.0241
Random 1.7220 0.8667 0.2332 0.1253 0.2708 0.0380 1.6285 0.9570 0.2391 0.0995 0.3140 0.0406
Bandwagon 1.7199 0.8184 0.2380 0.1791 0.2380 0.0294 1.6194 0.8508 0.2327 0.1257 0.2048 0.0300
DCGAN -0.0112 0.1082 0.1002 0.0000 0.0833 0.0086 -0.0096 0.1005 0.1065 0.0000 0.0751 0.0046
WGAN 0.0774 0.1966 0.0473 0.0000 0.0469 0.0040 0.0723 0.1923 0.0396 0.0000 0.0374 0.0055
Random Long-tail Targets
AUSH 2.9387 1.4263 0.2575 0.6007 0.1571 0.0055 2.8949 1.4758 0.2456 0.5057 0.1961 0.0091
Segment 2.7918 0.9993 0.1719 0.5175 0.2197 0.0669 2.5726 0.7095 0.2961 0.3450 0.1265 0.0541
Average 2.9427 1.4084 0.2508 0.5044 0.0941 0.0066 2.9038 1.4723 0.2544 0.4420 0.1247 0.0041
Random 2.8994 1.4084 0.2618 0.6661 0.1568 0.0050 2.8401 1.4718 0.2724 0.5276 0.2159 0.0091
Bandwagon 2.8752 1.3426 0.1385 0.6232 0.1412 0.0000 2.8100 1.3561 0.1628 0.4900 0.1501 0.0011
DCGAN -0.1479 0.1753 -0.0731 0.0000 0.0008 0.0000 -0.1374 0.1836 -0.0383 0.0000 0.0088 0.0002
WGAN 1.2299 0.4455 -0.0509 0.0000 0.0332 0.0000 1.2473 0.4071 -0.0416 0.0000 0.0298 0.0016
Table 2. Attack performance against NMF. Best results are marked in bold, and AUSH results are also marked in bold if they are the second best in each category.
Metric In-segment Users All Users
Prediction Shift HR@10 Prediction Shift HR@10
Data Set ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive
Model Random Targets
AUSH 1.2225 0.9092 0.2507 0.1170 0.3027 0.0242 1.4009 1.1156 0.3017 0.1704 0.3614 0.0254
Segment 0.0500 0.4423 0.1745 0.0156 0.1330 0.0213 -0.4469 0.4486 0.1701 0.0069 0.1240 0.0242
Average 0.8749 0.7795 0.3016 0.0665 0.2220 0.0279 1.1468 0.9129 0.3491 0.1112 0.2340 0.0392
Random 0.5837 0.7634 0.2815 0.0431 0.1568 0.0399 0.8732 0.9334 0.3005 0.0411 0.2083 0.0426
Bandwagon 0.6517 0.7333 0.2716 0.0388 0.1945 0.0223 0.5153 0.8634 0.3157 0.0309 0.2168 0.0260
DCGAN -0.0611 -0.2444 0.0468 0.0012 0.0010 0.0000 0.0885 -0.1889 0.0274 0.0013 0.0034 0.0010
WGAN -0.0543 0.0786 0.0093 0.0000 0.0600 0.0100 -0.0649 0.1085 -0.0041 0.0007 0.0457 0.0037
Random Long-tail Targets
AUSH 1.5956 0.9002 0.8406 0.2654 0.2957 0.0257 1.7413 1.1241 0.8343 0.3420 0.3799 0.0206
Segment -0.4232 0.3003 0.5454 0.0011 0.1360 0.0116 -0.8599 0.3996 0.5150 0.0011 0.1242 0.0162
Average 1.4323 0.7883 0.8203 0.1503 0.1532 0.0188 1.5251 0.9430 0.7721 0.2236 0.1841 0.0158
Random 1.3755 0.8430 0.8023 0.1432 0.2011 0.0307 1.4984 1.0222 0.7878 0.2255 0.2648 0.0402
Bandwagon 1.3315 0.6977 0.5278 0.1296 0.1143 0.0102 1.4923 0.8026 0.5131 0.1877 0.1306 0.0056
DCGAN 0.1487 -0.4251 0.1673 0.0000 0.0010 0.0000 0.2164 -0.3518 0.1438 0.0000 0.0008 0.0028
WGAN 0.0555 0.1383 0.2385 0.0000 0.0021 0.0000 0.0266 0.2591 0.1144 0.0000 0.0033 0.0081
Table 3. Attack performance against NNMF. Best results are marked in bold, and AUSH results are also marked in bold if they are the second best in each category.

5.3. Impacts of Sampling Strategies and Each Loss (RQ4)

To answer RQ4, we remove or change some components of AUSH and investigate the performance changes.

Impacts of Sampling Strategies. We report the impacts of different sampling strategies in Tab. 6. AUSH, AUSH, AUSH and AUSH indicate random sample, sample by rating, sample by popularity and sample by similarity, respectively. All the four variations of AUSH adopt the complete loss (i.e., Eq. 5). We can observe that sample by rating is the best strategy for AUSH. The reason may be that it is easy to bias people with items having high ratings, as customers tend to trust such “power” items (SeminarioW14b). Nevertheless, all the variations have more significant attack impacts than other baselines.

Impacts of Each Loss. To study the contributions of each loss term, in Tab. 6, we also report the results of AUSH, AUSH and AUSH, which denote using adversarial loss only, using reconstruction loss only, and using reconstruction and shilling losses, respectively. In these three methods, random sampling is employed. An ordinary neural network (i.e., AUSH) is outperformed by the complete AUSH (i.e., AUSH, AUSH, AUSH and AUSH), showing the effectiveness of our design of tailoring GAN for use in shilling attacks. AUSH has the worst attack performance compared to other variations of AUSH, showing that the reconstruction loss also contributes to the attack.

In-segment Users All Users
Metric Prediction Shift HR@10 Prediction Shift HR@10
Data Set ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive
Model Random Targets
AUSH 1.7661 1.3406 0.2206 0.2465 0.5596 0.0168 1.6184 1.1550 0.0382 0.2006 0.3549 0.0050
Segment 0.4721 1.0875 0.4700 0.0036 0.5371 0.7789 0.3098 0.8886 0.0121 0.0050 0.3719 0.2166
Average 0.9297 0.9024 0.1311 0.0144 0.1490 0.0000 1.0187 0.9731 0.1514 0.0231 0.1481 0.0000
Random 0.4624 0.7527 0.1262 0.0027 0.0807 0.0000 0.6284 0.8271 0.1200 0.0059 0.1023 0.0000
Bandwagon 0.5501 0.6026 0.0896 0.0012 0.0316 0.0000 0.6311 0.6382 0.0686 0.0062 0.0335 0.0000
DCGAN -1.064 0.0076 -0.2258 0.0000 0.0000 0.0000 -0.2215 -0.0326 -0.2415 0.0000 0.0000 0.0000
WGAN 1.3940 0.0923 0.1813 0.0000 0.0000 0.1583 1.2985 0.1095 0.1630 0.0212 0.0000 0.0928
Random Long-tail Targets
AUSH 3.2274 1.7384 0.3898 0.6657 0.6896 0.0000 2.9440 1.5602 -0.0424 0.4894 0.5149 0.0000
Segment 3.3397 1.4665 0.2109 0.6364 0.5570 0.3733 3.0081 1.2709 -0.4654 0.5423 0.4175 0.0098
Average 3.1671 1.2961 0.2915 0.3897 0.0425 0.0000 3.0299 1.3290 0.2930 0.4439 0.0851 0.0000
Random 2.5778 1.0348 0.0466 0.1508 0.0259 0.0000 2.5229 1.1324 0.0275 0.1575 0.0815 0.0000
Bandwagon 2.5466 0.8524 0.1227 0.1581 0.0073 0.0000 2.4444 0.9117 0.0509 0.1242 0.0198 0.0000
DCGAN -0.3896 0.3782 -0.0539 0.0000 0.0000 0.0000 -0.3813 0.4132 0.0496 0.0000 0.0000 0.0000
WGAN 1.3940 0.0923 0.1813 0.0000 0.0000 0.1583 1.2985 0.1095 0.1630 0.0212 0.0000 0.0928
Table 4. Attack performance against U-AutoEncoder. Best results are marked in bold, and AUSH results are also marked in bold if they are the second best in each category.
In-segment Users All Users
Metric Prediction Shift HR@10 Prediction Shift HR@10
Data Set ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive ML-100K FilmTrust Automotive
Model Random Targets
AUSH 1.3746 1.4280 0.9913 0.1488 0.9155 0.9141 1.2180 1.3059 0.8870 0.0990 0.8333 0.8965
Segment 0.5137 1.2035 0.4927 0.0086 0.6423 0.7266 0.3232 0.8689 1.6986 0.0274 0.4371 0.9777
Average 1.0117 1.4203 0.5394 0.0487 0.9187 0.6490 1.1044 1.3589 0.5470 0.1025 0.8520 0.6500
Random 0.6304 1.2210 0.5492 0.0585 0.8307 0.6732 0.7634 1.1630 0.5391 0.0918 0.7477 0.6483
Bandwagon 0.5978 1.2788 0.9718 0.0287 0.8299 0.8608 0.5960 1.2297 1.8099 0.0430 0.7825 0.9309
DCGAN 0.0243 -0.0633 0.0046 0.0000 0.0010 0.0050 0.0213 -0.0600 0.0054 0.0000 0.0010 0.0054
WGAN 0.1131 -0.1228 0.0412 0.0000 0.0000 0.0050 0.1045 -0.1142 0.0465 0.0002 0.0008 0.0047
Random Long-tail Targets
AUSH 1.9499 1.7052 0.9820 0.2974 0.9239 0.8821 1.7822 1.6019 0.8150 0.2369 0.8396 0.8623
Segment 0.5188 1.4510 0.3969 0.0072 0.5835 0.5938 0.3249 1.1385 1.5154 0.0344 0.4165 0.9629
Average 1.3898 1.6790 0.4245 0.1019 0.9041 0.3726 1.3793 1.6318 0.4478 0.1104 0.8483 0.3846
Random 0.9227 1.4590 0.46697 0.0401 0.7768 0.4368 1.0349 1.4076 0.4740 0.0900 0.6910 0.4477
Bandwagon 0.6220 1.5672 0.2814 0.0091 0.8390 0.4267 0.7456 1.5190 0.6489 0.0346 0.7728 0.6593
DCGAN 0.0241 0.0119 0.0056 0.0000 0.0000 0.0000 0.0348 0.0114 -0.0029 0.000 0.0005 0.0086
WGAN 0.1096 0.0718 -0.0428 0.0000 0.0000 0.0000 0.1374 0.0728 -0.0364 0.0006 0.0003 0.0018
Table 5. Attack performance against I-AutoEncoder. Best results are marked in bold, and AUSH results are also marked in bold if they are the second best in each category.
Attack Method In-segment Users All Users
Prediction Shift HR@10 Prediction Shift HR@10
AUSH 1.6623 0.2231 1.5001 0.1679
AUSH 1.7310 0.2735 1.5695 0.2243
AUSH 1.7252 0.2699 1.5620 0.2212
AUSH 1.6752 0.2300 1.5383 0.1992
AUSH 1.2960 0.0640 1.3162 0.0881
AUSH 1.4980 0.1450 1.4411 0.1441
AUSH 1.6569 0.2349 1.5033 0.1849
Segment 0.5163 0.0079 0.3241 0.0309
Average 1.2008 0.0753 1.2419 0.1065
Random 0.7766 0.0493 0.8992 0.0909
Bandwagon 0.6099 0.0189 0.6708 0.0388
DCGAN 0.0242 0.0000 0.0281 0.0000
WGAN 0.1114 0.0000 0.1210 0.0004
Table 6. Attack performance on I-AutoEncoder using different sampling strategies and losses in ML-100K. Best results are marked in bold.
Measure AUSH Average Bandwagon Random Segment DCGAN WGAN
TVD 0.01210 0.05450 0.05762 0.05704 0.08010 0.11302 0.11598
JS 0.00215 0.01162 0.01398 0.01353 0.03461 0.04363 0.04601
Table 7. Two distance measures between injected user profiles and real user profiles in ML-100K.
Figure 2. Attack detection of injected profiles on ML-100K. Lower value suggests a better attack model.

5.4. Attack Detection (RQ5)

We apply a state-of-the-art unsupervised attack detector (Zhang2015Catch)

on the injected user profiles generated by different attack models and report the precision and recall on 10 random selected target items. Fig. 

2 depicts the detection results on ML-100K. We can observe that the detector performs the worst in terms of precision and recall against AUSH and AUSH, i.e., it fails to distinguish the injected user profiles generated by these two approaches. On the contrary, most of the injected user profiles from conventional attack models can be easily detected. Compared to AUSH, the detection performance of an ordinary neural network such as AUSH is unstable over the 10 target items. In the worst case, the injections generated by AUSH will be more likely to be detected compared to those produced by AUSH. This observation further verifies the ability of our special designed AUSH to generate virtually undetectable injections in shilling attack.

Additionally, we run a set of similarity tests to further demonstrate the undetectability of AUSH. We generate as many fake user profiles as the population of real users, i.e., 943 fake users for ML-100K. We compute the distribution for each item , where is the percentage of real ratings on with value . We also compute the distribution in the injected user profiles. Following Christakopoulou2018Adversarial; Christakopoulou19, we compute two distance measures, i.e., Total Variation Distance and Jensen-Shannon divergence:

where and

represents the Kullback-Leibler divergence, between fake profiles and real profiles. As shown in Tab. 

7, the fake profiles generated by AUSH have the smallest TVD and JS. Since TVD and JS measure the difference of overall rating distributions, we can see that AUSH can preserve the distribution patterns and diversity of the original rating space.

6. Conclusion

In this paper, we present a novel shilling attack framework AUSH. We design a minimax game to let each of the attack profile generator and fake profile discriminator iteratively strikes to improve itself and beat the other one. We additionally employ a reconstruction loss and a shilling loss to help generate “perfect” fake profiles and achieve secondary attack goals. The experimental results show the superiority of AUSH over conventional attack approaches in terms of both attack impacts and undetectability. In the future, we plan to design more sophisticated mechanisms for learning selected items instead of selection by human. This way, the ultimate goal of the attack can not be easily inferred from the selected items and AUSH can become even more undetectable.