Influence Function based Data Poisoning Attacks to Top-N Recommender Systems

02/19/2020 ∙ by Minghong Fang, et al. ∙ Iowa State University of Science and Technology Duke University 10

Recommender system is an essential component of web services to engage users. Popular recommender systems model user preferences and item properties using a large amount of crowdsourced user-item interaction data, e.g., rating scores; then top-N items that match the best with a user's preference are recommended to the user. In this work, we show that an attacker can launch a data poisoning attack to a recommender system to make recommendations as the attacker desires via injecting fake users with carefully crafted user-item interaction data. Specifically, an attacker can trick a recommender system to recommend a target item to as many normal users as possible. We focus on matrix factorization based recommender systems because they have been widely deployed in industry. Given the number of fake users the attacker can inject, we formulate the crafting of rating scores for the fake users as an optimization problem. However, this optimization problem is challenging to solve as it is a non-convex integer programming problem. To address the challenge, we develop several techniques to approximately solve the optimization problem. For instance, we leverage influence function to select a subset of normal users who are influential to the recommendations and solve our formulated optimization problem based on these influential users. Our results show that our attacks are effective and outperform existing methods.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Recommender system is a key component of many web services to help users locate items they are interested in. Many recommender systems are based on collaborative filtering. For instance, given a large amount of user-item interaction data (we consider rating scores in this work) provided by users, a recommender system learns to model latent users’ preferences and items’ features, and then the system recommends top- items to each user, where the features of the top- items best match with the user’s preference.

As a recommender system is driven by user-item interaction data, an attacker can manipulate a recommender system via injecting fake users with fake user-item interaction data to the system. Such attacks are known as data poisoning attacks (Lam and Riedl, 2004; Mobasher et al., 2007; Wilson and Seminario, 2013; Li et al., 2016; Yang et al., 2017; Fang et al., 2018, 2020). Several recent studies designed recommender-system-specific data poisoning attacks to association-rule-based (Yang et al., 2017), graph-based  (Fang et al., 2018) and matrix-factorization-based recommender systems (Li et al., 2016). However, how to design customized attacks to matrix-factorization-based top- recommender systems remains an open question even though such recommender systems have been widely deployed in the industry. In this work, we aim to bridge the gap. In particular, we aim to design an optimized data poisoning attack to matrix-factorization-based top- recommender systems. Suppose that an attacker can inject fake users into the recommender system and each fake user can rate at most items, which we call filler items. Then, the key question is: how to select the filler items and assign rating scores to them such that an attacker-chosen target item is recommended to as many normal users as possible? To answer this question, we formulate an optimization problem for selecting filler items and assigning rating scores for the fake users, with an objective to maximize the number of normal users to whom the target item is recommended.

However, it is challenging to solve this optimization problem because it is a non-convex integer programming problem. To address the challenge, we propose a series of techniques to approximately solve the optimization problem. First, we propose to use a loss function to approximate the number of normal users to whom the target item is recommended. We relax the integer rating scores to continuous variables and convert them back to integer rating scores after solving the reformulated optimization problem. Second, to enhance the effectiveness of our attack, we leverage the

influence function approach inspired by the interpretable machine learning literature (Koh and Liang, 2017; Wang et al., 2018; Koh et al., 2019) to account for the reality that the top- recommendations may be only affected by a subset of influential users. For convenience, throughout the rest of this paper, we refer to our attack as -attack. We show that the influential user selection subproblem enjoys the submodular property, which guarantees a approximation ratio with a simple greedy selection algorithm. Lastly, given , we develop a gradient-based optimization algorithm to determine rating scores for the fake users.

We evaluate our -attack and compare it with multiple baseline attacks on two benchmark datasets, including Yelp and Amazon Digital Music (Music). Our results show that our attacks can effectively promote a target item. For instance, on the Yelp dataset, when injecting only 0.5% of fake users, our attack can make a randomly selected target item appear in the top- recommendation lists of 150 times more normal users. Our

-attack outperforms the baseline attacks and continues to be effective even if the attacker does not know the parameters of the target recommender system. We also investigate the effects of our attacks on recommender systems that are equipped with fake users detection capabilities. For this purpose, we train a binary classifier to distinguish between fake users and normal ones. Our results show that this classifier is effective against traditional attack schemes, e.g., PGA attack

(Li et al., 2016), etc. Remarkably, we find that our influence-function-based attack continues to be effective. The reason is that our proposed attack is designed with stealth in mind, and the detection method can detect some fake users but miss a large fraction of them.

Finally, we show that our influence function based approach can also be used to enhance data poisoning attacks to graph-based top- recommender systems. Moreover, we show that instead of using influence function to select a subset of influential users, using influence function to weight each normal user can further improve the effectiveness of data poisoning attacks, though such approach sacrifices computational efficiency.

In summary, our contributions are as follows:

  • We propose the first data poisoning attack to matrix-factorization-based Top- recommender systems, which we formulate as a non-convex integer optimization problem.

  • We propose a series of techniques to approximately solve the optimization problem with provable performance guarantee.

  • We evaluate our -attack and compare it with state-of-the-art using two benchmark datasets. Our results show that our attack is effective and outperforms existing ones.

2. Related Work

Data poisoning attacks to recommender systems:  The security and privacy issues in machine learning models have been studied in many scenarios  (Yin et al., 2018; Shafahi et al., 2018; Shokri et al., 2017; Nasr et al., 2019; Wang and Gong, 2018; Yang et al., 2019; Zhang et al., 2020). The importance of data poisoning attacks has also been recognized in recommender systems (Christakopoulou and Banerjee, 2019; Xing et al., 2013; Mobasher et al., 2005; Seminario and Wilson, 2014; Mehta and Nejdl, 2008; Mobasher et al., 2007). Earlier work on poisoning attacks against recommender systems are mostly agnostic to recommender systems and do not achieve satisfactory attack performance, e.g., random attack (Lam and Riedl, 2004) and average attack (Lam and Riedl, 2004). Recently, there is a line of work focusing on attacking specific types of recommender systems (Yang et al., 2017; Fang et al., 2018; Li et al., 2016). For example, Fang et al. (Fang et al., 2018) proposed efficient poisoning attacks to graph-based recommender systems. They injected fake users with carefully crafted rating scores to the recommender systems in order to promote a target item. They modeled the attack as an optimization problem to decide the rating scores for the fake users. Li et al. (Li et al., 2016) proposed poisoning attacks to matrix-factorization-based recommender systems. Instead of attacking the top- recommendation lists, their goal was to manipulate the predictions for all missing entries of the rating matrix. As a result, the effectiveness of their attacks is unsatisfactory in matrix-factorization-based top- recommender systems.

Data poisoning attacks to other systems:  Data poisoning attacks generally refer to attacks that manipulate the training data of a machine learning or data mining system such that the learnt model makes predictions as an attacker desires. Other than recommender systems, data poisoning attacks were also studied for other systems. For instance, existing studies have demonstrated effective data poisoning attacks can be launched to anomaly detectors (Rubinstein et al., 2009), spam filters (Nelson et al., 2008), SVMs (Biggio et al., 2012; Xiao et al., 2012), regression methods (Xiao et al., 2015; Jagielski et al., 2018), graph-based methods (Zügner et al., 2018; Wang and Gong, 2019)

, neural networks 

(Gu et al., 2017; Liu et al., 2018; Chen et al., 2017), and federated learning (Fang et al., 2020), which significantly affect their performance.

3. Problem Formulation

3.1. Matrix-Factorization-Based Recommender Systems: A Primer

A matrix-factorization-based recommender system (Koren et al., 2009)

maps users and items into latent factor vectors. Let

, and denote the user, item and rating sets, respectively. We also let , and denote the numbers of users, items and ratings, respectively. Let represent the user-item rating matrix, where each entry denotes the score that user rates the item . Let and denote the latent factor vector for user and item , respectively, where is the dimension of latent factor vector. For convenience, we use matrices and to group all - and -vectors. In matrix-factorization-based recommender systems, we aim to learn and via solving the following optimization problem:

(1)

where is the norm and is the regularization parameter. Then, the rating score that a user gives to an unseen item is predicted as , where denotes the transpose of vector . Lastly, the unseen items with the highest predicted rating scores are recommended to each user.

3.2. Threat Model

Given a target item , the goal of the attacker is to promote item to as many normal users as possible and maximize the hit ratio , which is defined as the fraction of normal users whose top- recommendation lists include the target item . We assume that the attacker is able to inject some fake users into the recommender system, each fake user will rate the target item with high rating score and give carefully crafted rating scores to other well-selected items. The attacker may have full knowledge of the target recommender system (e.g., all the rating data, the recommendation algorithm). The attacker may also only have partial knowledge of the target recommender system, e.g., the attacker only has access to some ratings. We will show that our attacks are still effective when the attacker has partial knowledge of the target recommender system.

3.3. Attack Strategy

We assume that the rating scores of the target recommender system are integer-valued and can only be selected from the set , where is the maximum rating score. We assume that the attacker can inject fake users into the recommender system. We denote by the set of fake users. Each fake user will rate the target item and at most other carefully selected items (called filler items). We consider each fake user rates at most filler items to avoid being easily detected. We let and denote the rating score vector of fake user and the set of items rated by , respectively, where and . Then, is the score that user rates the item , . Clearly, satisfies , where is the norm (i.e., the number of non-zero entries in a vector). The attacker’s goal is to find an optimal rating score vector for each fake user to maximize the hit ratio . We formulate this hit ratio maximization problem (HRM) as follows:

(2) HRM: max
(3) s.t.
(4)

Problem HRM is an integer programming problem and is NP-hard in general. Thus, finding an optimal solution is challenging. In the next section, we will propose techniques to approximately solve the problem.

4. Our Solution

We optimize the rating scores for fake users one by one instead of optimizing for all the fake users simultaneously. In particular, we repeatedly optimize the rating scores of one fake user and add the fake user to the recommender system until we have fake users. However, it is still challenging to solve the HRM problem even if we consider only one fake user. To address the challenge, we design several techniques to approximately solve the HRM problem for one fake user. First, we relax the discrete ratings to continuous data and convert them back to discrete ratings after solving the problem. Second, we use a differentiable loss function to approximate the hit ratio. Third, instead of using all normal users, we use a selected subset of influential users to solve the HRM problem, which makes our attack more effective. Fourth, we develop a gradient-based method to solve the HRM problem to determine the rating scores for the fake user.

4.1. Relaxing Rating Scores

We let vector be the relaxed continuous rating score vector of fake user , where is the rating score that user gives to the item . Since is discrete, which makes it difficult to solve the optimization problem defined in (2), we relax the discrete rating score to continuous variables that satisfy . Then, we can use gradient-based methods to compute . After we solve the optimization problem, we convert each back to a discrete integer value in the set .

4.2. Approximating the Hit Ratio

We let be the set of top- recommended items for a user , i.e., consists of the items that has not rated before and have the largest predicted rating scores. To approximate the optimization problem defined in (2), we define a loss function that is subject to the following rules: 1) for each item , if , then the loss is small, where and are the predicted rating scores that user gives to item and target item , respectively; 2) the higher target item ranks in , the smaller the loss. Based on these rules, we reformulate the HRM problem as the following problem:

(5)

where is the Wilcoxon-Mann-Whitney loss function (Backstrom and Leskovec, 2011), is the width parameter, is the regularization parameter, and is the norm. Note that guarantees that and is differentiable. The regularizer aims to model the constraint that each fake user rates at most filler items. In particular, the regularizer makes a fake user’s ratings small to many items and we can select the items with the largest ratings as the filler items.

4.3. Determining the Set of Influential Users

It has been observed in (Lapedriza et al., 2013; Wang et al., 2018) that different training samples have different contributions to the solution quality of an optimization problem, and the performance of the model training could be improved if we drop some training samples with low contributions. Motivated by this observation, instead of optimizing the ratings of a fake user over all normal users, we solve the problem in (5) using a subset of influential users, who are the most responsible for the prediction of the target item before attack. We let represent the set of influential users for the target item . For convenience, in what follows, we refer to our attack as -attack. Under the -attack, we further reformulate (5) as the following problem:

(6)

Next, we propose an influence function approach to determine and then solve the optimization problem defined in (6). We let denote the influence of removing all users in the set on the prediction at the target item , where influence here is defined as the change of the predicted rating score. We want to find a set of influential users that have the largest influence on the target item . Formally, the influence maximization problem can be defined as:

(7)

where is the desired set size (i.e., the number of users in set ). However, it can be shown that the problem is NP-hard (Kempe et al., 2003). In order to solve the above influence maximization problem of (7), we first show how to measure the influence of one user, then we show how to approximately find a set of users with the maximum influence.

We define as the influence of removing user on the prediction at the target item :

(8)

where is the influence of removing edge in the user-item bipartite on the prediction at the target item , is the set of items rated by user . Then, the influence of removing user set on the prediction at the target item can be defined as:

(9)

Since the influence of user and user set can be computed based on the edge influence , the key challenge boils down to how to evaluate efficiently. Next, we will propose an appropriate influence function to efficiently compute .

4.3.1. Influence Function for Matrix-factorization-based Recommender Systems

For a given matrix-factorization-based recommender system, we can rewrite (1) as follows:

(10)

where , , , is the predicted rating score that user gives to item under parameter , and .

If we increase the weight of the edge by some , then the perturbed optimal parameter can be written as:

(11)

Since removing the edge is equivalent to increasing its weight by , the influence of removing edge on the prediction at edge can be approximated as follows (Cook and Weisberg, 1980; Koh and Liang, 2017):

(12)

where is the optimal model parameter after removing edge and represents the Hessian matrix of the objective function defined in (10). Therefore, the influence of removing edge on the prediction at the target item can be computed as:

(13)

where is the absolute value.

4.3.2. Approximation Algorithm for Determining

Due to the combinatorial complexity, solving the optimization problem defined in (7) remains an NP-hard problem. Fortunately, based on the observation that the influence of set (e.g., ) exhibits a diminishing returns property, we propose a greedy selection algorithm to find a solution to (7) with an approximation ratio guarantee. The approximation algorithm is a direct consequence of the following result, which says that the influence is monotone and submodular.

Theorem 1 (Submodularity).

The influence is normalized, monotonically non-decreasing and submodular.

Proof.

Define three sets , and , where and . To simplify the notation, we use to denote . It is clear that the influence function is normalized since . Since which implies that the influence is monotonically non-decreasing. To show the submodular property, we let denote the complement of a set . Now, consider an arbitrary set , for which we have: where follows from . Hence, the influence is submodular and the proof is completed. ∎

Based on the submodular property of , we propose Algorithm 1, a greedy-based selection method to select an influential user set with users. More specifically, we first compute the influence of each user, and add the user with the largest influence to the candidate set (breaking ties randomly). Then, we recompute the influence of the remaining users in the set , and find the user with the largest influence within the remaining users, so on and so forth. We repeat this process until we find users. Clearly, the running time of Algorithm 1 is linear. The following result states that Algorithm 1 achieves a approximation ratio, and its proof follows immediately from standard results in submodular optimization (Nemhauser et al., 1978) and is omitted here for brevity.

Theorem 2 ().

Let be the influential user set returned by Algorithm 1 and let be the optimal influential user set, respectively. It then holds that .

0:  Rating matrix , budget .
0:  Influential user set .
1:  Initialize .
2:  while  do
3:     Select .
4:     .
5:  end while
6:  return  .
Algorithm 1 Greedy Influential User Selection.

4.4. Solving Rating Scores for a Fake User

Given , we design a gradient-based method to solve the problem in (6). Recall that we let be the rating vector for the current injected fake user . We first determine his/her latent factors by solving Eq. (1), which can be restated as:

(14)

where is the latent factor vector for fake user , and is the current rating set (rating set without attack plus injected ratings of fake users added before user ).

Toward this end, note that a subgradient of loss in (6) can be computed as:

(15)

where and . The subgradient can be computed as . To compute , noting that , then the gradient can be computed as:

(16)

where and are the Jacobian matrices of and taken with respect to , respectively. Next, we leverage first-order stationary condition to approximately compute and . Note that the optimal solution of problem in (4.4) satisfies the following first-order stationary condition:

(17)
(18)
(19)

where is the set of items rated by user and is the set of users who rate the item . Inspired by (Xiao et al., 2015; Li et al., 2016), we assume that the optimality conditions given by (17)–(19) remain valid under an infinitesimal change of . Thus, setting the derivatives of (17)–(19) with respect to to zero and with some algebraic computations, we can derive that:

(20)
(21)

where

is the identity matrix and (

21) follows from . Lastly, computing (20) and (21) for all yields and . Note that can be computed in exactly the same procedure. Finally, after obtaining , we can use the projected subgradient method (Bazaraa et al., 2010) to solve for fake user . With , we select the top items with largest values of as the filler items. However, the values of obtained from solving (6) may not mimic the rating behaviors of normal users. To make our -attack more “stealthy,” we will show how to generate rating scores to disguise fake user . We first set to promote the target item

. Then, we generate rating scores for the filler items by rating each filler item with a normal distribution around the mean rating for this item by legitimate users, where

is the normal distribution with mean

and variance

of item . Our -attack algorithm is summarized in Algorithm 2.

0:  Rating matrix , target item , parameters .
0:  Fake user set .
1:  Find influential user set according to Algorithm 1 for item .
2:  Let .
3:  for  do
4:     Solve the optimization problem defined in Eq. (6) to get .
5:     Select items with the largest values of as filler items.
6:     Set .
7:     Let and be item ’s mean and variance of the scores rated by all normal users. Let be the random rating for each filler item given by fake user .
8:     Let and .
9:  end for
10:  return   and .
Algorithm 2 Our -Attack.

5. Experiments

5.1. Experimental Setup

5.1.1. Datasets

We evaluate our attack on two real-world datasets. The first dataset is Amazon Digital Music (Music) (Amazon Digital Music Dataset., 2018). This dataset consists of 88,639 ratings on 15,442 music by 8,844 users. The second dataset is Yelp (Yelp Challenge Dataset., 2018), which contains 504,713 ratings of 11,534 users on 25,229 items.

5.1.2. -Attack Variants

With different ways of choosing the influential user set , we compare three variants of our -attack.

-Top- attack (-TNA):  This variant uses all normal users as the influential user set , i.e., , then solve Problem (6).

-Top- attack+Random (-TNA-Rand):  This variant randomly selects users as the influential user set , then solve Problem (6).

-Top- attack+Influence (-TNA-Inf):  This variant finds the influential user set by Algorithm 1, then solve Problem (6).

5.1.3. Baseline Attacks

We compare our -attack variants with the following baseline attacks.

Projected gradient ascent attack (PGA) (Li et al., 2016):  PGA attack aims to assign high rating scores to the target items and generates filler items randomly for the fake users to rate.

Stochastic gradient Langevin dynamics attack (SGLD) (Li et al., 2016):  T-his attack also aims to assign high rating scores to the target items, but it mimics the rating behavior of normal users. Each fake user will select items with the largest absolute ratings as filler items.

5.1.4. Parameter Setting

Unless otherwise stated, we use the following default parameter setting: , , , , and . Moreover, we set the attack size to be 3% (i.e., the number of fake users is 3% of the number of normal users) and the number of filler items is set to . We randomly select 10 items as our target items and the hit ratio (HR@) is averaged over the 10 target items, where HR@ of a target item is the fraction of normal users whose top- recommendation lists contain the target item. Note that our -attack is -TNA-Inf attack.

Dataset Attack Attack size
0.3% 0.5% 1% 3% 5%
Music None 0.0017 0.0017 0.0017 0.0017 0.0017
PGA (Li et al., 2016) 0.0107 0.0945 0.1803 0.3681 0.5702
SGLD (Li et al., 2016) 0.0138 0.1021 0.1985 0.3587 0.5731
-TNA 0.0498 0.1355 0.2492 0.4015 0.5832
-TNA-Rand 0.0141 0.0942 0.2054 0.3511 0.5653
-TNA-Inf 0.0543 0.1521 0.2567 0.4172 0.6021
Yelp None 0.0015 0.0015 0.0015 0.0015 0.0015
PGA (Li et al., 2016) 0.0224 0.1623 0.4162 0.4924 0.6442
SGLD (Li et al., 2016) 0.0261 0.1757 0.4101 0.5131 0.6431
-TNA 0.0619 0.2304 0.4323 0.5316 0.6806
-TNA-Rand 0.0258 0.1647 0.4173 0.4923 0.6532
-TNA-Inf 0.0643 0.2262 0.4415 0.5429 0.6813
Table 1. HR@10 for different attacks.

5.2. Full-Knowledge Attack

In this section, we consider the worst-case attack scenario, where the attacker has full knowledge of the recommender system, e.g., the type of the target recommender system (matrix-factorization-based), all rating data, and the parameters of the recommender system (e.g., the dimension and the tradeoff parameter in use).

Table 1 summaries the results of different attacks. “None” means the hit ratios without any attacks. First, we observe that the variants of our -attack can effectively promote the target items using only a small number of fake users. For instance, in the Yelp dataset, when injecting only 0.5% of fake users, -TNA-Inf attack improves the hit ratio by 150 times for a random target item compared to that of the non-attack setting. Second, the variants of our -attack outperform the baseline attacks in most cases. This is because the baseline attacks aim to manipulate all the missing entries of the rating matrix, while our attack aims to manipulate the top- recommendation lists. Third, it is somewhat surprising to see that the -TNA-Inf attack outperforms the -TNA attack. Our observation shows that by dropping the users that are not influential to the recommendation of the target items when optimizing the rating scores for the fake users, we can improve the effectiveness of our attack.

5.3. Partial-Knowledge Attack

In this section, we consider partial-knowledge attack. In particular, we consider the case where the attacker knows the type of the target recommender system (matrix-factorization-based), but the attacker has access to a subset of the ratings for the normal users and does not know the dimension . In particular, we view the user-item rating matrix as a bipartite graph. Given a size of observed data, we construct the subset of ratings by selecting nodes (users and items) with increasing distance from the target item (e.g., one-hop distance to the target item, then two-hop distance and so on) on the bipartite graph until we reach the size of observed data.

(a) Music
(b) Yelp
Figure 1. The attacker knows a subset of ratings for the normal users and does not know .

Figure 1 shows the attack results when the attacker observes different amounts of normal users ratings and our attack uses different , where the target recommender system uses . The attack size is set to be 3%. Note that in the partial-knowledge attack, the attacker selects the influential user set and generates fake users based only on the observed data. Naturally, we observe that as the attacker has access to more ratings of the normal users, the attack performance improves. We find that our attack also outperforms SGLD attack (which performs better than PGA attack) in the partial-knowledge setting. Moreover, our attack is still effective even if the attacker does not know . In particular, the curves corresponding to different are close to each other for our attack in Figure 1.

(a) Music
(b) Yelp
Figure 2. FNR scores for different attacks.

6. Detecting Fake Users

To minimize the impact of potential attacks on recommender systems, a service provider may arm the recommender systems with certain fake-user detection capability. In this section, we investigate whether our attack is still effective in attacking the fake-user-aware recommender systems. Specifically, we extract six features–namely, RDMA (Chirita et al., 2005), WDMA (Mobasher et al., 2007), WDA (Mobasher et al., 2007), TMF (Mobasher et al., 2007), FMTD (Mobasher et al., 2007), and MeanVar (Mobasher et al., 2007)–for each user from its ratings. Then, for each attack, we construct a training dataset consisting of 800 fake users generated by the attack and 800 randomly sampled normal users. We use the training dataset to learn a SVM classifier. Note that the classifier may be different for different attacks.

Fake-user detection results:  We deploy the trained SVM classifiers to detect the fake users under different attacks settings. Figure 2 reports the fake users detection results of different attacks, where False Negative Rate (FNR) represents the fraction of fake users that are predicted to be normal. From Figure 2, we find that PGA attack is most likely to be detected. The reason is that the fake users generated by PGA attack do not rate the filler items according to normal users’ behavior, thus the generated fake users are easily detected. We also observe that a large fraction of fake users are not detected.

Attacking fake-user-aware recommender systems:  We now test the performance of attacks on fake-user-aware recommender systems. Suppose that the service provider removes the predicted fake users from the system detected by the trained SVM classifiers. We recompute the hit ratio after the service provider excludes the predicted fake users from the systems. Note that a large portion of fake users and a small number of normal users will be deleted. The results are shown in Table 2. We observe that PGA attack achieves the worst attack performance when the service provider removes the predicted fake users from the systems. The reason is that the PGA attack is most likely to be detected. Comparing Table 1 and Table 2, we can see that when the target recommender system is equipped with fake-user detectors, our attacks remain effective in promoting the target items and outperform the baseline attacks. This is because the detectors miss a large portion of the fake users.

Dataset Attack Attack size
0.3% 0.5% 1% 3% 5%
Music None 0.0011 0.0011 0.0011 0.0011 0.0011
PGA (Li et al., 2016) 0.0028 0.0043 0.0311 0.2282 0.3243
SGLD (Li et al., 2016) 0.0064 0.0145 0.0916 0.2631 0.3516
-TNA 0.0127 0.0298 0.1282 0.2846 0.3652
-TNA-Rand 0.0068 0.0139 0.0934 0.2679 0.3531
-TNA-Inf 0.0199 0.0342 0.1215 0.2994 0.3704
Yelp None 0.0010 0.0010 0.0010 0.0010 0.0010
PGA (Li et al., 2016) 0.0018 0.0062 0.1143 0.3301 0.4081
SGLD (Li et al., 2016) 0.0097 0.0278 0.1585 0.3674 0.4223
-TNA 0.0231 0.0431 0.1774 0.3951 0.4486
-TNA-Rand 0.0093 0.0265 0.1612 0.3665 0.4269
-TNA-Inf 0.0242 0.0474 0.1831 0.3968 0.4501
Table 2. HR@10 for different attacks when attacking the fake-user-aware recommender systems.

7. Discussion

We show that our influence function based approach can be extended to enhance data poisoning attacks to graph-based top- recommender systems. In particular, we select a subset of normal users based on influence function and optimize data poisoning attacks using them. Moreover, we show that an attacker can also use influence function to weight each normal user instead of selecting the most influential ones, which sacrifices computational efficiency but achieves even better attack effectiveness.

7.1. Influence Function for Graph-based Recommender Systems

We investigate whether we can extend our influence function based method to optimize data poisoning attacks to graph-based recommender systems (Fang et al., 2018). Specifically, we aim to find a subset of users who have the largest impact on the target items in graph-based recommender systems. It turns out that, when optimizing the attack over these subset of users, we obtain better attack effectiveness. Toward this end, we will first show how to find a subset of influential users for the target items in graph-based recommender systems. Then, we optimize the attack proposed by (Fang et al., 2018) over the subset of influential users.

We consider a graph-based recommender system using random walks (Pirotte et al., 2007). Specifically, the recommender system models the user-item ratings as a bipartite graph, where a node is a user or an item, an edge between a user and an item means that the user rated the item, and an edge weight is the corresponding rating score. We let represent the stationary distribution of a random walk with restart that starts from the user in the bipartite graph. Then, can be computed by solving the following equation:

(22)

where is a basis vector whose -th entry is 1 and all other entries are 0, is the transition matrix, and

is the restart probability. We let

denote the value at -th entry of matrix . Then can be computed as:

(23)

The items that were not rated by user and that have the largest probabilities in the stationary distribution are recommended to . We define the influence of removing edge in the user-item bipartite graph on the target item when performing a random walk from user as the change of prediction at upon removing edge :

(24)

where is the transition matrix entry as defined in (23). According to (22), can be computed as:

(25)

After rearranging terms in (25), we have:

(26)

where is the identity matrix, is a single-nonzero-entry matrix with its -th entry being 1 and 0 elsewhere. By letting , we have the following:

(27)

where is the -th column of matrix . Then, the influence of removing edge on the prediction at the target item when performing a random walk from user can be calculated as:

(28)

Therefore, the influence of removing edge on the prediction at the target item can be computed as:

(29)

We could approximate matrix by using Taylor expansion . For example, we can choose if we use first order Taylor approximation.

After obtaining , we can compute the influence of user at the target item , namely , based on (8). Then, we apply Algorithm 1 to approximately find an influential user set . With the influential user set , we can optimize the attack proposed by (Fang et al., 2018) over the most influential user set and compare with the attack proposed by (Fang et al., 2018), which uses all normal users. The poisoning attack results of graph-based recommender systems are shown in Table 3, where the experimental settings are the same as those in (Fang et al., 2018). Here, “None” in Table 3 means the hit ratios without attacks computed in graph-based recommender systems; and “-Graph” means optimizing the attack proposed by (Fang et al., 2018) over the most influential users in , where we select 400 influential users. From Table 3, we observe that the optimized attacks based on influence function outperform existing ones (Fang et al., 2018).

Dataset Attack Attack size
0.3% 0.5% 1% 3% 5%
Music None 0.0021 0.0021 0.0021 0.0021 0.0021
Fang et. al (Fang et al., 2018) 0.0252 0.1021 0.2067 0.2949 0.5224
-Graph 0.0245 0.1046 0.2125 0.3067 0.5368
Yelp None 0.0023 0.0023 0.0023 0.0023 0.0023
Fang et. al (Fang et al., 2018) 0.0256 0.1359 0.2663 0.4024 0.5704
-Graph 0.0342 0.1514 0.2701 0.4011 0.5723
Table 3. HR@10 for attacks to graph-based recommender systems.

7.2. Weighting Normal Users

In this section, we show that our approach can be extended to a more general framework: we can weight the normal users instead of dropping some of them using the influence function. More specifically, we optimize our attack over all normal users, and different normal users are assigned different weights in the objective function based on their importance with respect to the target item. Intuitively, the important users should receive more penalty if the target item does not appear in those users’ recommendation lists. Toward this end, we let be the weight vector for all normal users, then we can modify the loss function defined in (6) as:

(30)

where is the weight for normal user and satisfies . We can again leverage the influence function technique to compute the weight vector . For a normal user , the weight can be computed in a normalized fashion as follows:

(31)

where is the influence of user at the target item , and can be computed according to (8). Note that here we compute for each user at one time.

After obtaining the weight vector , we can compute the derivative of function defined in (30) in a similar way. Table 4 illustrates the attack results on matrix-factorization-based recommender systems when we weight normal users, where the experimental settings are the same as those in Table 1. Here, “Weighting” means that we weight each normal user and optimize the attack of (30) over the weighted normal users, and the weight of each normal user is computed based on (31). Comparing Tables 1 and 4, we can see that the performance is improved when we consider the weights of different normal users with respect to the target items. Our results show that, when an attacker has enough computational resource, the attacker can further improve attack effectiveness using influence function to weight normal users instead of dropping some of them.

Dataset Attack Attack size
0.3% 0.5% 1% 3% 5%
Music Weighting 0.0652 0.1543 0.2436 0.4285 0.6087
Yelp Weighting 0.0698 0.2312 0.4498 0.5501 0.6924
Table 4. HR@10 for weighting-based attacks to matrix-factorization-based recommender systems.

8. Conclusion

In this paper, we proposed the first data poisoning attack to matrix-factorization-based top- recommender systems. Our key idea is that, instead of optimizing the ratings of a fake user using all normal users, we use a subset of influential users. Moreover, we proposed an efficient influence function based method to determine the influential user set for a specific target item. We also performed extensive experimental studies to demonstrate the efficacy of our proposed attacks. Our results showed that our proposed attacks outperform existing ones.

Acknowledgements

This work has been supported in part by NSF grants ECCS-1818791, CCF-1758736, CNS-1758757, CNS-1937786; ONR grant N00014-17-1-2417, and AFRL grant FA8750-18-1-0107.

References

  • (1)
  • Amazon Digital Music Dataset. (2018) Amazon Digital Music Dataset. 2018. http://jmcauley.ucsd.edu/data/amazon/
  • Backstrom and Leskovec (2011) Lars Backstrom and Jure Leskovec. 2011. Supervised Random Walks: Predicting and Recommending Links in Social Networks. In Proceedings of the Fourth ACM International Conference On Web Search and Data Mining (WSDM). ACM, 635–644.
  • Bazaraa et al. (2010) Mokhtar S. Bazaraa, John J. Jarvis, and Hanif D. Sherali. 2010. Linear Programming and Network Flows (4 ed.). John Wiley & Sons Inc., New York.
  • Biggio et al. (2012) Battista Biggio, Blaine Nelson, and Pavel Laskov. 2012.

    Poisoning attacks against support vector machines. In

    ICML.
  • Chen et al. (2017) Xinyun Chen, Chang Liu, Bo Li, Kimberly Lu, and Dawn Song. 2017.

    Targeted backdoor attacks on deep learning systems using data poisoning. In

    arxiv.
  • Chirita et al. (2005) Paul-Alexandru Chirita, Wolfgang Nejdl, and Cristian Zamfir. 2005. Preventing Shilling Attacks in Online Recommender Systems. In Proceedings of the 7th Annual ACM International Workshop on Web Information and Data Management (WIDM). ACM, 67–74.
  • Christakopoulou and Banerjee (2019) Konstantina Christakopoulou and Arindam Banerjee. 2019. Adversarial Atacks on an Oblivious Recommender. In Proceedings of the 13th ACM Conference on Recommender Systems (RecSys). 322–330.
  • Cook and Weisberg (1980) R Dennis Cook and Sanford Weisberg. 1980. Characterizations of an Empirical Influence Function for Detecting Influential Cases in Regression. Technometrics 22, 4 (1980), 495–508.
  • Fang et al. (2020) Minghong Fang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. 2020. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. In Usenix Security Symposium.
  • Fang et al. (2018) Minghong Fang, Guolei Yang, Neil Zhenqiang Gong, and Jia Liu. 2018. Poisoning Attacks to Graph-Based Recommender Systems. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC). ACM, 381–392.
  • Gu et al. (2017) Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. In Machine Learning and Computer Security Workshop.
  • Jagielski et al. (2018) Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, and Bo Li. 2018. Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning. In IEEE S & P.
  • Kempe et al. (2003) David Kempe, Jon Kleinberg, and Éva Tardos. 2003. Maximizing the Spread of Influence Through a Social Network. In Proceedings of the ninth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD). ACM, 137–146.
  • Koh et al. (2019) Pang Wei Koh, Kai-Siang Ang, Hubert HK Teo, and Percy Liang. 2019. On the Accuracy of Influence Functions for Measuring Group Effects. In Advances in Neural Information Processing Systems (NeurIPS).
  • Koh and Liang (2017) Pang Wei Koh and Percy Liang. 2017. Understanding Black-box Predictions via Influence Functions. In International Conference on Machine Learning (ICML). 1885–1894.
  • Koren et al. (2009) Yehuda Koren, Robert Bell, and Chris Volinsky. 2009. Matrix Factorization Techniques for Recommender Systems. Computer 8 (2009), 30–37.
  • Lam and Riedl (2004) Shyong K Lam and John Riedl. 2004. Shilling Recommender Systems for Fun and Profit. In Proceedings of the 13th International Conference on World Wide Web (WWW). ACM, 393–402.
  • Lapedriza et al. (2013) Agata Lapedriza, Hamed Pirsiavash, Zoya Bylinskii, and Antonio Torralba. 2013. Are All Training Examples Equally Valuable? arXiv preprint arXiv:1311.6510 (2013).
  • Li et al. (2016) Bo Li, Yining Wang, Aarti Singh, and Yevgeniy Vorobeychik. 2016. Data Poisoning Attacks on Factorization-Based Collaborative Filtering. In Advances in Neural Information Processing Systems (NeurIPS). 1885–1893.
  • Liu et al. (2018) Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. 2018. Trojaning Attack on Neural Networks. In NDSS.
  • Mehta and Nejdl (2008) Bhaskar Mehta and Wolfgang Nejdl. 2008. Attack Resistant Collaborative Filtering. In Proceedings of the 31st annual international ACM SIGIR conference on Research and development in information retrieval. ACM, 75–82.
  • Mobasher et al. (2005) Bamshad Mobasher, Robin Burke, Runa Bhaumik, and Chad Williams. 2005. Effective Attack Models for Shilling Item-Based Collaborative Filtering Systems. In Proceedings of the WebKDD Workshop. Citeseer, 13–23.
  • Mobasher et al. (2007) Bamshad Mobasher, Robin Burke, Runa Bhaumik, and Chad Williams. 2007. Toward Trustworthy Recommender Systems: An Analysis of Attack Models and Algorithm Robustness. In ACM Transactions on Internet Technology (TOIT), Vol. 7. ACM, 23.
  • Nasr et al. (2019) Milad Nasr, Reza Shokri, and Amir Houmansadr. 2019. Comprehensive Privacy Analysis of Deep Learning: Stand-alone and Federated Learning under Passive and Active White-box Inference Attacks. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE.
  • Nelson et al. (2008) B. Nelson, M. Barreno, F. J. Chi, A. D. Joseph, B. I. P. Rubinstein, U. Saini, C. Sutton, J. D. Tygar, and K. Xia. 2008. Exploiting machine learning to subvert your spam filter. In LEET.
  • Nemhauser et al. (1978) George L Nemhauser, Laurence A Wolsey, and Marshall L Fisher. 1978. An Analysis Of Approximations For Maximizing Submodular Set Functions—I. Mathematical programming 14, 1 (1978), 265–294.
  • Pirotte et al. (2007) Alain Pirotte, Jean-Michel Renders, Marco Saerens, et al. 2007. Random-Walk Computation of Similarities Between Nodes of a Graph with Application to Collaborative Recommendation. In IEEE Transactions on Knowledge and Data Engineering. IEEE, 355–369.
  • Rubinstein et al. (2009) Benjamin IP Rubinstein, Blaine Nelson, Ling Huang, Anthony D Joseph, Shing-hon Lau, Satish Rao, Nina Taft, and JD Tygar. 2009. Antidote: understanding and defending against poisoning of anomaly detectors. In ACM IMC.
  • Seminario and Wilson (2014) Carlos E Seminario and David C Wilson. 2014. Attacking Item-Based Recommender Systems with Power Items. In Proceedings of the 8th ACM Conference on Recommender systems (RecSys). ACM, 57–64.
  • Shafahi et al. (2018) Ali Shafahi, W Ronny Huang, Mahyar Najibi, Octavian Suciu, Christoph Studer, Tudor Dumitras, and Tom Goldstein. 2018. Poison Frogs! Targeted Clean-Label Poisoning Attacks on Neural Networks. In Advances in Neural Information Processing Systems (NeurIPS). 6103–6113.
  • Shokri et al. (2017) Reza Shokri, Marco Stronati, Congzheng Song, and Vitaly Shmatikov. 2017. Membership Inference Attacks Against Machine Learning Models. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE, 3–18.
  • Wang and Gong (2018) Binghui Wang and Neil Zhenqiang Gong. 2018.

    Stealing Hyperparameters in Machine Learning. In

    2018 IEEE Symposium on Security and Privacy (SP). IEEE, 36–52.
  • Wang and Gong (2019) Binghui Wang and Neil Zhenqiang Gong. 2019. Attacking Graph-based Classification via Manipulating the Graph Structure. In CCS.
  • Wang et al. (2018) Tianyang Wang, Jun Huan, and Bo Li. 2018.

    Data Dropout: Optimizing Training Data for Convolutional Neural Networks. In

    2018 IEEE 30th International Conference on Tools with Artificial Intelligence (ICTAI)

    . IEEE, 39–46.
  • Wilson and Seminario (2013) David C Wilson and Carlos E Seminario. 2013. When Power Users Attack: Assessing Impacts in Collaborative Recommender Systems. In Proceedings of the 7th ACM conference on Recommender Systems (RecSys). ACM, 427–430.
  • Xiao et al. (2015) Huang Xiao, Battista Biggio, Gavin Brown, Giorgio Fumera, Claudia Eckert, and Fabio Roli. 2015.

    Is Feature Selection Secure against Training Data Poisoning?. In

    International Conference on Machine Learning (ICML). 1689–1698.
  • Xiao et al. (2012) Han Xiao, Huang Xiao, and Claudia Eckert. 2012. Adversarial Label Flips Attack on Support Vector Machines. In ECAI.
  • Xing et al. (2013) Xingyu Xing, Wei Meng, Dan Doozan, Alex C Snoeren, Nick Feamster, and Wenke Lee. 2013. Take This Personally: Pollution Attacks on Personalized Services. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13). 671–686.
  • Yang et al. (2017) Guolei Yang, Neil Zhenqiang Gong, and Ying Cai. 2017. Fake Co-visitation Injection Attacks to Recommender Systems. In NDSS.
  • Yang et al. (2019) Haibo Yang, Xin Zhang, Minghong Fang, and Jia Liu. 2019.

    Byzantine-Resilient Stochastic Gradient Descent for Distributed Learning: A Lipschitz-Inspired Coordinate-wise Median Approach. In

    Conference on Decision and Control (CDC).
  • Yelp Challenge Dataset. (2018) Yelp Challenge Dataset. 2018. https://www.yelp.com/dataset/challenge
  • Yin et al. (2018) Dong Yin, Yudong Chen, Kannan Ramchandran, and Peter Bartlett. 2018. Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates. In International Conference on Machine Learning (ICML).
  • Zhang et al. (2020) Xin Zhang, Minghong Fang, Jia Liu, and Zhengyuan Zhu. 2020. Private and Communication-Efficient Edge Learning: A Sparse Differential Gaussian-Masking Distributed SGD Approach. arXiv preprint arXiv:2001.03836 (2020).
  • Zügner et al. (2018) Daniel Zügner, Amir Akbarnejad, and Stephan Günnemann. 2018. Adversarial Attacks on Neural Networks for Graph Data. In Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD). ACM, 2847–2856.