ToDA: Target-oriented Diffusion Attacker against Recommendation System

TL;DR

This paper introduces ToDA, a novel diffusion-based attack method against recommendation systems, leveraging latent diffusion models to craft targeted malicious user profiles with improved stability and effectiveness.

Contribution

The paper pioneers the use of diffusion models for shilling attacks on recommendation systems, proposing a new framework that outperforms existing generative attack methods.

Findings

ToDA achieves higher attack success rates than baselines.

The diffusion-based approach provides more stable and targeted profile generation.

Extensive experiments validate the effectiveness of ToDA against state-of-the-art defenses.

Abstract

Recommendation systems (RS) have become indispensable tools for web services to address information overload, thus enhancing user experiences and bolstering platforms' revenues. However, with their increasing ubiquity, security concerns have also emerged. As the public accessibility of RS, they are susceptible to specific malicious attacks where adversaries can manipulate user profiles, leading to biased recommendations. Recent research often integrates additional modules using generative models to craft these deceptive user profiles, ensuring them are imperceptible while causing the intended harm. Albeit their efficacy, these models face challenges of unstable training and the exploration-exploitation dilemma, which can lead to suboptimal results. In this paper, we pioneer to investigate the potential of diffusion models (DMs), for shilling attacks. Specifically, we propose a novel Target-oriented Diffusion Attack model (ToDA). It incorporates a pre-trained autoencoder that transforms user profiles into a high dimensional space, paired with a Latent Diffusion Attacker (LDA)-the core component of ToDA. LDA introduces noise into the profiles within this latent space, adeptly steering the approximation towards targeted items through cross-attention mechanisms. The global horizon, implemented by a bipartite graph, is involved in LDA and derived from the encoded user profile feature. This makes LDA possible to extend the generation outwards the on-processing user feature itself, and bridges the gap between diffused user features and target item features. Extensive experiments compared to several SOTA baselines demonstrate ToDA's effectiveness. Specific studies exploit the elaborative design of ToDA and underscore the potency of advanced generative models in such contexts.