Accelerating the Surrogate Retraining for Poisoning Attacks against Recommender Systems

TL;DR

This paper proposes Gradient Passing (GP), a novel technique that accelerates surrogate retraining in data poisoning attacks against recommender systems by approximating cascading effects, leading to more efficient and effective attacks.

Contribution

Introduction of Gradient Passing (GP), a method that speeds up surrogate retraining by passing gradients between user-item pairs, improving attack efficiency and effectiveness.

Findings

GP achieves similar effects with a single update as multiple retraining iterations.

GP enables closer approximation of the surrogate to the victim recommender.

Experiments show GP improves attack efficiency and success rate.

Abstract

Recent studies have demonstrated the vulnerability of recommender systems to data poisoning attacks, where adversaries inject carefully crafted fake user interactions into the training data of recommenders to promote target items. Current attack methods involve iteratively retraining a surrogate recommender on the poisoned data with the latest fake users to optimize the attack. However, this repetitive retraining is highly time-consuming, hindering the efficient assessment and optimization of fake users. To mitigate this computational bottleneck and develop a more effective attack in an affordable time, we analyze the retraining process and find that a change in the representation of one user/item will cause a cascading effect through the user-item interaction graph. Under theoretical guidance, we introduce \emph{Gradient Passing} (GP), a novel technique that explicitly passes gradients between interacted user-item pairs during backpropagation, thereby approximating the cascading effect and accelerating retraining. With just a single update, GP can achieve effects comparable to multiple original training iterations. Under the same number of retraining epochs, GP enables a closer approximation of the surrogate recommender to the victim. This more accurate approximation provides better guidance for optimizing fake users, ultimately leading to enhanced data poisoning attacks. Extensive experiments on real-world datasets demonstrate the efficiency and effectiveness of our proposed GP.