Few-shot Model Extraction Attacks against Sequential Recommender Systems
Hui Zhang, Fu Liu

TL;DR
This paper introduces a novel few-shot model extraction framework for sequential recommender systems, utilizing data augmentation and bidirectional repair loss to create high-quality surrogate models with minimal raw data.
Contribution
The study develops a new framework combining autoregressive data augmentation and bidirectional repair loss for effective few-shot model extraction in sequential recommendation.
Findings
Surrogate models outperform baselines in similarity to victim models.
Framework effectively utilizes less than 10% raw data.
Experimental results on three datasets validate the approach.
Abstract
Among adversarial attacks against sequential recommender systems, model extraction attacks represent a method to attack sequential recommendation models without prior knowledge. Existing research has primarily concentrated on the adversary's execution of black-box attacks through data-free model extraction. However, a significant gap remains in the literature concerning the development of surrogate models by adversaries with access to few-shot raw data (10% even less). That is, the challenge of how to construct a surrogate model with high functional similarity within the context of few-shot data scenarios remains an issue that requires resolution. This study addresses this gap by introducing a novel few-shot model extraction framework against sequential recommenders, which is designed to construct a superior surrogate model with the utilization of few-shot data. The proposed few-shot…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Machine Learning in Healthcare · Topic Modeling
