Targeted Data Poisoning Attack on News Recommendation System by Content Perturbation

TL;DR

This paper introduces a novel content perturbation attack on news recommendation systems, using reinforcement learning to maximize target news rank manipulation while minimizing exposure risk.

Contribution

It proposes a new poisoning method that perturbs news content, along with a reinforcement learning framework to optimize attack success under exposure constraints.

Findings

TDP-CP effectively increases target news rank across multiple systems.

The approach maintains low exposure risk during attacks.

Experimental results demonstrate high success rate of rank manipulation.

Abstract

News Recommendation System(NRS) has become a fundamental technology to many online news services. Meanwhile, several studies show that recommendation systems(RS) are vulnerable to data poisoning attacks, and the attackers have the ability to mislead the system to perform as their desires. A widely studied attack approach, injecting fake users, can be applied on the NRS when the NRS is treated the same as the other systems whose items are fixed. However, in the NRS, as each item (i.e. news) is more informative, we propose a novel approach to poison the NRS, which is to perturb contents of some browsed news that results in the manipulation of the rank of the target news. Intuitively, an attack is useless if it is highly likely to be caught, i.e., exposed. To address this, we introduce a notion of the exposure risk and propose a novel problem of attacking a history news dataset by means of perturbations where the goal is to maximize the manipulation of the target news rank while keeping the risk of exposure under a given budget. We design a reinforcement learning framework, called TDP-CP, which contains a two-stage hierarchical model to reduce the searching space. Meanwhile, influence estimation is also applied to save the time on retraining the NRS for rewards. We test the performance of TDP-CP under three NRSs and on different target news. Our experiments show that TDP-CP can increase the rank of the target news successfully with a limited exposure budget.