Practical Data Poisoning Attack against Next-Item Recommendation

TL;DR

This paper introduces LOKI, a reinforcement learning-based data poisoning attack method targeting blackbox next-item recommendation systems, demonstrating its effectiveness and transferability through extensive experiments.

Contribution

The paper presents a novel, practical poisoning attack approach called LOKI that uses reinforcement learning and a recommender simulator to attack blackbox recommendation systems.

Findings

LOKI outperforms existing attack methods in effectiveness.

The attack demonstrates high transferability to real-world systems.

Extensive experiments validate the approach on multiple datasets and models.

Abstract

Online recommendation systems make use of a variety of information sources to provide users the items that users are potentially interested in. However, due to the openness of the online platform, recommendation systems are vulnerable to data poisoning attacks. Existing attack approaches are either based on simple heuristic rules or designed against specific recommendations approaches. The former often suffers unsatisfactory performance, while the latter requires strong knowledge of the target system. In this paper, we focus on a general next-item recommendation setting and propose a practical poisoning attack approach named LOKI against blackbox recommendation systems. The proposed LOKI utilizes the reinforcement learning algorithm to train the attack agent, which can be used to generate user behavior samples for data poisoning. In real-world recommendation systems, the cost of retraining recommendation models is high, and the interaction frequency between users and a recommendation system is restricted.Given these real-world restrictions, we propose to let the agent interact with a recommender simulator instead of the target recommendation system and leverage the transferability of the generated adversarial samples to poison the target system. We also propose to use the influence function to efficiently estimate the influence of injected samples on the recommendation results, without re-training the models within the simulator. Extensive experiments on two datasets against four representative recommendation models show that the proposed LOKI achieves better attacking performance than existing methods.