Data Poisoning Attacks on Factorization-Based Collaborative Filtering
Bo Li, Yining Wang, Aarti Singh, Yevgeniy Vorobeychik

TL;DR
This paper reveals vulnerabilities in collaborative filtering recommendation systems by demonstrating how malicious data can be crafted to manipulate outputs while avoiding detection, highlighting the need for robust defenses.
Contribution
It introduces a data poisoning attack framework for factorization-based collaborative filtering, providing efficient algorithms and evaluating their effectiveness on real-world data.
Findings
Attacks can significantly distort recommendations without detection.
Factorization-based methods are vulnerable to malicious data injection.
Proposed defenses can mitigate attack effectiveness.
Abstract
Recommendation and collaborative filtering systems are important in modern information and e-commerce applications. As these systems are becoming increasingly popular in the industry, their outputs could affect business decision making, introducing incentives for an adversarial party to compromise the availability or integrity of such systems. We introduce a data poisoning attack on collaborative filtering systems. We demonstrate how a powerful attacker with full knowledge of the learner can generate malicious data so as to maximize his/her malicious objectives, while at the same time mimicking normal user behavior to avoid being detected. While the complete knowledge assumption seems extreme, it enables a robust assessment of the vulnerability of collaborative filtering schemes to highly motivated attacks. We present efficient solutions for two popular factorization-based collaborative…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
