Data Poisoning Attacks to Deep Learning Based Recommender Systems
Hai Huang, Jiaming Mu, Neil Zhenqiang Gong, Qi Li, Bin Liu, Mingwei Xu

TL;DR
This paper systematically studies data poisoning attacks on deep learning-based recommender systems, proposing an optimization-based attack method that effectively manipulates recommendations even with detection mechanisms in place.
Contribution
It introduces the first comprehensive analysis of data poisoning attacks on deep learning recommenders and develops techniques to optimize fake user ratings for targeted manipulation.
Findings
The attack effectively promotes target items in recommendations.
The attack outperforms existing methods on multiple datasets.
Detection of fake users via statistical analysis is less effective against the attack.
Abstract
Recommender systems play a crucial role in helping users to find their interested information in various web services such as Amazon, YouTube, and Google News. Various recommender systems, ranging from neighborhood-based, association-rule-based, matrix-factorization-based, to deep learning based, have been developed and deployed in industry. Among them, deep learning based recommender systems become increasingly popular due to their superior performance. In this work, we conduct the first systematic study on data poisoning attacks to deep learning based recommender systems. An attacker's goal is to manipulate a recommender system such that the attacker-chosen target items are recommended to many users. To achieve this goal, our attack injects fake users with carefully crafted ratings to a recommender system. Specifically, we formulate our attack as an optimization problem, such that…
