ID-Free Not Risk-Free: LLM-Powered Agents Unveil Risks in ID-Free Recommender Systems
Zongwei Wang, Min Gao, Junliang Yu, Xinyi Gao, Quoc Viet Hung Nguyen, Shazia Sadiq, Hongzhi Yin

TL;DR
This paper reveals that LLM-powered agents can exploit ID-free recommender systems through sophisticated deception strategies, highlighting a new security vulnerability and proposing detection methods to mitigate such attacks.
Contribution
The paper introduces a novel attack mechanism using LLMs to deceive ID-free recommenders and proposes a detection approach to identify such malicious textual descriptions.
Findings
LLM-powered agents can effectively promote low-quality items in ID-free recommenders.
A rewriting-based deception strategy enables stealthy attacks.
A detection method can identify suspicious generated text.
Abstract
Recent advances in ID-free recommender systems have attracted significant attention for effectively addressing the cold start problem. However, their vulnerability to malicious attacks remains largely unexplored. In this paper, we unveil a critical yet overlooked risk: LLM-powered agents can be strategically deployed to attack ID-free recommenders, stealthily promoting low-quality items in black-box settings. This attack exploits a novel rewriting-based deception strategy, where malicious agents synthesize deceptive textual descriptions by simulating the characteristics of popular items. To achieve this, the attack mechanism integrates two primary components: (1) a popularity extraction component that captures essential characteristics of popular items and (2) a multi-agent collaboration mechanism that enables iterative refinement of promotional textual descriptions through independent…
Taxonomy
Topics: Access Control and Trust · Cryptography and Data Security · Cloud Data Security Solutions
Methods: Softmax · Attention Is All You Need
