Retrieval-Augmented Review Generation for Poisoning Recommender Systems
Shiyi Yang, Xinshu Li, Guanglin Zhou, Chen Wang, Xiwei Xu, Liming Zhu, Lina Yao

TL;DR
This paper introduces RAGAN, a novel poisoning attack framework that uses retrieval-augmented review generation with multimodal foundation models to craft high-quality, imperceptible fake profiles, revealing vulnerabilities in recommender systems.
Contribution
The paper presents RAGAN, a new attack method leveraging in-context learning and style transfer to improve transferability and imperceptibility of fake profiles in poisoning attacks.
Findings
RAGAN outperforms existing poisoning attack methods in effectiveness.
Generated profiles are more imperceptible and transferable across black-box RSs.
Experiments confirm the robustness of RAGAN against defenses.
Abstract
Recent studies have shown that recommender systems (RSs) are highly vulnerable to data poisoning attacks, where malicious actors inject fake user profiles, including a group of well-designed fake ratings, to manipulate recommendations. Due to security and privacy constraints in practice, attackers typically possess limited knowledge of the victim system and thus need to craft profiles that have transferability across black-box RSs. To maximize the attack impact, the profiles often remain imperceptible. However, generating such high-quality profiles with the restricted resources is challenging. Some works suggest incorporating fake textual reviews to strengthen the profiles; yet, the poor quality of the reviews largely undermines the attack effectiveness and imperceptibility under the practical setting. To tackle the above challenges, in this paper, we propose to enhance the quality of…
Taxonomy
Topics: Spam and Phishing Detection · Topic Modeling · Adversarial Robustness in Machine Learning
