Knowledge-enhanced Black-box Attacks for Recommendations

TL;DR

This paper introduces KGAttack, a novel black-box attack framework for recommender systems that leverages item attribute knowledge graphs and deep reinforcement learning to generate high-quality fake user profiles, demonstrating effectiveness on real-world datasets.

Contribution

The paper presents a knowledge graph-enhanced black-box attack method using deep reinforcement learning, addressing the challenge of limited access to target system details.

Findings

Effective attack performance on real-world datasets

Knowledge graph integration improves fake profile quality

Reinforcement learning enables adaptive attack strategies

Abstract

Recent studies have shown that deep neural networks-based recommender systems are vulnerable to adversarial attacks, where attackers can inject carefully crafted fake user profiles (i.e., a set of items that fake users have interacted with) into a target recommender system to achieve malicious purposes, such as promote or demote a set of target items. Due to the security and privacy concerns, it is more practical to perform adversarial attacks under the black-box setting, where the architecture/parameters and training data of target systems cannot be easily accessed by attackers. However, generating high-quality fake user profiles under black-box setting is rather challenging with limited resources to target systems. To address this challenge, in this work, we introduce a novel strategy by leveraging items' attribute information (i.e., items' knowledge graph), which can be publicly accessible and provide rich auxiliary knowledge to enhance the generation of fake user profiles. More specifically, we propose a knowledge graph-enhanced black-box attacking framework (KGAttack) to effectively learn attacking policies through deep reinforcement learning techniques, in which knowledge graph is seamlessly integrated into hierarchical policy networks to generate fake user profiles for performing adversarial black-box attacks. Comprehensive experiments on various real-world datasets demonstrate the effectiveness of the proposed attacking framework under the black-box setting.