Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures

TL;DR

This survey comprehensively reviews poisoning attacks on recommender systems and evaluates countermeasures, providing a taxonomy and analysis to aid in protecting these systems from malicious data manipulations.

Contribution

It introduces a novel taxonomy for poisoning attacks, organizes over 30 attack types, and evaluates more than 40 countermeasures, filling a gap in systematic understanding.

Findings

Provides a detailed taxonomy of poisoning attacks

Evaluates effectiveness of various countermeasures

Highlights open issues and future research directions

Abstract

Recommender systems have become an integral part of online services to help users locate specific information in a sea of data. However, existing studies show that some recommender systems are vulnerable to poisoning attacks, particularly those that involve learning schemes. A poisoning attack is where an adversary injects carefully crafted data into the process of training a model, with the goal of manipulating the system's final recommendations. Based on recent advancements in artificial intelligence, such attacks have gained importance recently. While numerous countermeasures to poisoning attacks have been developed, they have not yet been systematically linked to the properties of the attacks. Consequently, assessing the respective risks and potential success of mitigation strategies is difficult, if not impossible. This survey aims to fill this gap by primarily focusing on poisoning attacks and their countermeasures. This is in contrast to prior surveys that mainly focus on attacks and their detection methods. Through an exhaustive literature review, we provide a novel taxonomy for poisoning attacks, formalise its dimensions, and accordingly organise 30+ attacks described in the literature. Further, we review 40+ countermeasures to detect and/or prevent poisoning attacks, evaluating their effectiveness against specific types of attacks. This comprehensive survey should serve as a point of reference for protecting recommender systems against poisoning attacks. The article concludes with a discussion on open issues in the field and impactful directions for future research. A rich repository of resources associated with poisoning attacks is available at https://github.com/tamlhp/awesome-recsys-poisoning.