Influence Function based Data Poisoning Attacks to Top-N Recommender Systems

TL;DR

This paper demonstrates how influence function-based data poisoning can manipulate top-N recommender systems, especially matrix factorization models, to promote targeted items by injecting carefully crafted fake user data.

Contribution

It introduces a novel influence function-based approach to craft data poisoning attacks on top-N recommender systems, improving attack effectiveness over existing methods.

Findings

Attacks successfully promote target items to many users.

Influence function helps identify influential users for attack optimization.

Proposed method outperforms previous attack strategies.

Abstract

Recommender system is an essential component of web services to engage users. Popular recommender systems model user preferences and item properties using a large amount of crowdsourced user-item interaction data, e.g., rating scores; then top-$N$ items that match the best with a user's preference are recommended to the user. In this work, we show that an attacker can launch a data poisoning attack to a recommender system to make recommendations as the attacker desires via injecting fake users with carefully crafted user-item interaction data. Specifically, an attacker can trick a recommender system to recommend a target item to as many normal users as possible. We focus on matrix factorization based recommender systems because they have been widely deployed in industry. Given the number of fake users the attacker can inject, we formulate the crafting of rating scores for the fake users as an optimization problem. However, this optimization problem is challenging to solve as it is a non-convex integer programming problem. To address the challenge, we develop several techniques to approximately solve the optimization problem. For instance, we leverage influence function to select a subset of normal users who are influential to the recommendations and solve our formulated optimization problem based on these influential users. Our results show that our attacks are effective and outperform existing methods.