Improving the Shortest Plank: Vulnerability-Aware Adversarial Training for Robust Recommender System

TL;DR

This paper introduces Vulnerability-aware Adversarial Training (VAT), a novel defense method for recommender systems that adaptively applies perturbations based on user vulnerability, improving robustness against poisoning attacks while maintaining recommendation quality.

Contribution

The paper proposes a new vulnerability-aware adversarial training approach that estimates user vulnerability and applies adaptive perturbations, enhancing defense effectiveness over existing methods.

Findings

VAT reduces attack success rates significantly.

VAT maintains or improves recommendation quality.

Experiments show VAT outperforms existing defenses across models and attack types.

Abstract

Recommender systems play a pivotal role in mitigating information overload in various fields. Nonetheless, the inherent openness of these systems introduces vulnerabilities, allowing attackers to insert fake users into the system's training data to skew the exposure of certain items, known as poisoning attacks. Adversarial training has emerged as a notable defense mechanism against such poisoning attacks within recommender systems. Existing adversarial training methods apply perturbations of the same magnitude across all users to enhance system robustness against attacks. Yet, in reality, we find that attacks often affect only a subset of users who are vulnerable. These perturbations of indiscriminate magnitude make it difficult to balance effective protection for vulnerable users without degrading recommendation quality for those who are not affected. To address this issue, our research delves into understanding user vulnerability. Considering that poisoning attacks pollute the training data, we note that the higher degree to which a recommender system fits users' training data correlates with an increased likelihood of users incorporating attack information, indicating their vulnerability. Leveraging these insights, we introduce the Vulnerability-aware Adversarial Training (VAT), designed to defend against poisoning attacks in recommender systems. VAT employs a novel vulnerability-aware function to estimate users' vulnerability based on the degree to which the system fits them. Guided by this estimation, VAT applies perturbations of adaptive magnitude to each user, not only reducing the success ratio of attacks but also preserving, and potentially enhancing, the quality of recommendations. Comprehensive experiments confirm VAT's superior defensive capabilities across different recommendation models and against various types of attacks.