Prompt-Unknown Promotion Attacks against LLM-based Sequential Recommender Systems

TL;DR

This paper introduces a novel black-box attack framework, PUDA, that effectively promotes target items in LLM-based sequential recommender systems without access to the victim model or prompt.

Contribution

It proposes a dual-poisoning attack method that infers prompts and models, demonstrating significant vulnerabilities in LLM-SRSs under realistic security assumptions.

Findings

PUDA outperforms existing methods in boosting target item exposure.

The attack is effective even when both prompts and models are unknown.

The study highlights critical security risks in current LLM-SRSs.

Abstract

Large language model-powered sequential recommender systems (LLM-SRSs) have recently demonstrated remarkable performance, enabling recommendations through prompt-driven inference over user interaction sequences. However, this paradigm also introduces new security vulnerabilities, particularly text-level manipulations, rendering them appealing targets for promotion attacks that purposely boost the ranking of specific target items. Although such security risks have been receiving increasing attention, existing studies typically rely on an unrealistic assumption of access to either the victim model or prompt to unveil attack mechanisms. In this work, we investigate the item promotion attack in LLM-SRSs under a more realistic setting where both the system prompt and victim model are unknown to the attacker, and propose a Prompt-Unknown Dual-poisoning Attack (PUDA) framework. To simulate attacks under this full black-box setting, we introduce an LLM-based evolutionary refinement strategy that infers discrete system prompts, enabling the training of an effective surrogate model that mimics the behaviors of the victim model. Leveraging the distilled prompt and surrogate model, we devise a promotion attack that adversarially revises target item texts under semantic constraints, which is further complemented by the highly plausible, surrogate-generated poisoning sequences to enable cost-effective target item promotion. Extensive experiments on real-world datasets demonstrate that PUDA consistently outperforms state-of-the-art competitors in boosting the exposure of unpopular target items. Our findings reveal critical security risks in modern LLM-SRSs even when both prompts and models are protected, and highlight the need for more robust defensive means.