Defending Substitution-Based Profile Pollution Attacks on Sequential Recommenders

TL;DR

This paper demonstrates the vulnerability of sequential recommender systems to substitution-based profile pollution attacks and proposes a novel defense method involving Dirichlet neighborhood sampling and adversarial training to improve robustness.

Contribution

The paper introduces a new adversarial attack algorithm on sequential recommenders and a robust defense strategy combining Dirichlet sampling and adversarial training.

Findings

Attack significantly deteriorates recommender performance.

Proposed defense improves robustness against attacks.

Method outperforms baselines across datasets and models.

Abstract

While sequential recommender systems achieve significant improvements on capturing user dynamics, we argue that sequential recommenders are vulnerable against substitution-based profile pollution attacks. To demonstrate our hypothesis, we propose a substitution-based adversarial attack algorithm, which modifies the input sequence by selecting certain vulnerable elements and substituting them with adversarial items. In both untargeted and targeted attack scenarios, we observe significant performance deterioration using the proposed profile pollution algorithm. Motivated by such observations, we design an efficient adversarial defense method called Dirichlet neighborhood sampling. Specifically, we sample item embeddings from a convex hull constructed by multi-hop neighbors to replace the original items in input sequences. During sampling, a Dirichlet distribution is used to approximate the probability distribution in the neighborhood such that the recommender learns to combat local perturbations. Additionally, we design an adversarial training method tailored for sequential recommender systems. In particular, we represent selected items with one-hot encodings and perform gradient ascent on the encodings to search for the worst case linear combination of item embeddings in training. As such, the embedding function learns robust item representations and the trained recommender is resistant to test-time adversarial examples. Extensive experiments show the effectiveness of both our attack and defense methods, which consistently outperform baselines by a significant margin across model architectures and datasets.