Shilling Black-box Recommender Systems by Learning to Generate Fake User Profiles

TL;DR

This paper introduces Leg-UP, a GAN-based method for generating fake user profiles to perform shilling attacks on recommender systems, improving attack transferability and invisibility over previous approaches.

Contribution

Leg-UP is a novel generative adversarial network model that learns real user behavior patterns to create undetectable fake profiles, enhancing attack effectiveness and transferability.

Findings

Leg-UP outperforms existing shilling attack methods on various RS models.

The attack achieves high transferability across different victim models.

Generated profiles are more difficult to detect as fake.

Abstract

Due to the pivotal role of Recommender Systems (RS) in guiding customers towards the purchase, there is a natural motivation for unscrupulous parties to spoof RS for profits. In this paper, we study Shilling Attack where an adversarial party injects a number of fake user profiles for improper purposes. Conventional Shilling Attack approaches lack attack transferability (i.e., attacks are not effective on some victim RS models) and/or attack invisibility (i.e., injected profiles can be easily detected). To overcome these issues, we present Leg-UP, a novel attack model based on the Generative Adversarial Network. Leg-UP learns user behavior patterns from real users in the sampled ``templates'' and constructs fake user profiles. To simulate real users, the generator in Leg-UP directly outputs discrete ratings. To enhance attack transferability, the parameters of the generator are optimized by maximizing the attack performance on a surrogate RS model. To improve attack invisibility, Leg-UP adopts a discriminator to guide the generator to generate undetectable fake user profiles. Experiments on benchmarks have shown that Leg-UP exceeds state-of-the-art Shilling Attack methods on a wide range of victim RS models. The source code of our work is available at: https://github.com/XMUDM/ShillingAttack.