Your SlideShare is downloading. ×
0
Tutorial on Robustness of Recommender Systems             Tutorial on Robustness of Recommender                           ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?               Profile Injection Attacks   ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?          Profile Injection Attacks        ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?          Profile Injection Attacks        ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?          Profile Injection Attacks        ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?            Profile Injection Attacks      ...
Tutorial on Robustness of Recommender SystemsOutline       1 What is Robustness?             Profile Injection Attacks     ...
Tutorial on Robustness of Recommender Systems  What is Robustness?Outline       1 What is Robustness?             Profile I...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksOutline       1 What is Rob...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksDefining the Problem        ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksDefining the Problem        ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksDefining the Problem        ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksRobust RS Research         ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksExample      RecSys 2011: T...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksExample      RecSys 2011: T...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksExample      RecSys 2011: T...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThreats to Reputation Syste...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThreats to Reputation Syste...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThreats to Reputation Syste...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommendation Attack G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksImpact Curve               ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Consi...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let G...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let A...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let R...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksNotation              Let c...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommender Attack Game...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Profile Injection AttacksThe Recommender Attack Game...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessOutline       1 What is Robu...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessOur Original Motivation     ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessOur Original Motivation     ...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Relevance of RobustnessHow Realistic Is this Scenar...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Measuring RobustnessOutline       1 What is Robustn...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Measuring RobustnessSimple Measures of Attack Impac...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Measuring RobustnessSimple Measures of Attack Impac...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Measuring RobustnessOther Measures of Attack Impact...
Tutorial on Robustness of Recommender Systems  What is Robustness?     Measuring RobustnessOther Measures of Attack Impact...
Tutorial on Robustness of Recommender Systems  Attack StrategiesOutline       1 What is Robustness?             Profile Inj...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              (Mobasher et al. 2007)...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              (Mobasher et al. 2007)...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              (Mobasher et al. 2007)...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              (Mobasher et al. 2007)...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack StrategiesForming Attack Profiles              The goal of attack pro...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOutline       1 What is Robus...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsUser-based kNN Attack        ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOther Attacks Strategies     ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOther Attacks Strategies     ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOther Attacks Strategies     ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOther Attacks Strategies     ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsOther Attacks Strategies     ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsEvaluation User-based kNN    ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsEvaluation Item-based kNN    ...
Tutorial on Robustness of Recommender Systems  Attack Strategies     Attacking kNN AlgorithmsEvaluation Item-based kNN    ...
Tutorial on Robustness of Recommender Systems  Attack DetectionOutline       1 What is Robustness?             Profile Inje...
Tutorial on Robustness of Recommender Systems  Attack DetectionProfile Injection Attacks               Two well-studied att...
Tutorial on Robustness of Recommender Systems  Attack DetectionDetection Flow      RecSys 2011: Tutorial on Recommender Ro...
Tutorial on Robustness of Recommender Systems  Attack Detection     PCA-based Attack DetectionOutline       1 What is Robu...
Tutorial on Robustness of Recommender Systems  Attack Detection     PCA-based Attack DetectionPCA Detector (Mehta et al. 2...
Tutorial on Robustness of Recommender Systems  Attack Detection     PCA-based Attack DetectionPCA Detector (Mehta et al. 2...
Tutorial on Robustness of Recommender Systems  Attack Detection     PCA-based Attack DetectionPCA Detector (Mehta et al. 2...
Tutorial on Robustness of Recommender Systems  Attack Detection     PCA-based Attack DetectionPCA Detector (Mehta et al. 2...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionOutline       1 What is Ro...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionNeyman-Pearson Statistical...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionModelling Attack Profiles  ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionModelling Attack Profiles  ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionModelling Attack Profiles  ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionModelling Genuine Profiles ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionRandom Attack (Filler Size...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAverage Attack (Filler Siz...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionLesson Learned            ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAttack Obfuscation        ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAverage over Popular (AoP)...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP Prediction Shift (Atta...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP Hits (rating of ≥ 4) (...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP PCA Detection      Rec...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionImproved Genuine Profile Mo...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionImproved Genuine Profile Mo...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionImproved Genuine Profile Mo...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionProjection by Clustering  ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionSupervised AoP Detection  ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP Detection (Factor Anal...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP Detection (Clustering)...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionUnsupervised AoP Detection...
Tutorial on Robustness of Recommender Systems  Attack Detection     Statistical Attack DetectionAoP Detection      RecSys ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Cost-Benefit AnalysisOutline       1 What is Robustness...
Tutorial on Robustness of Recommender Systems  Attack Detection     Cost-Benefit AnalysisCost-Benefit Analysis              ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Cost-Benefit AnalysisResults                  Profitj = ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Cost-Benefit AnalysisCost-benefit Analysis              ...
Tutorial on Robustness of Recommender Systems  Attack Detection     Cost-Benefit AnalysisCost-benefit Analysis              ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsOutline       1 What is Robustness?    ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms      RecSys 2011...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsModel-based Algorithms              Att...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Model-based ...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Matrix Facto...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsManipulation-resistance of Matrix Facto...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsSummary of Robustness Results on Standa...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsSummary of Robustness Results on Standa...
Tutorial on Robustness of Recommender Systems  Robustness of Model-based AlgorithmsSummary of Robustness Results on Standa...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsOutline       1 What is Robustnes...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD              Some ea...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD              Some ea...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD              Some ea...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD              Some ea...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD              Some ea...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD      RecSys 2011: Tu...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsVarSelectSVD Results             ...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsManipulation Resistance Through R...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsManipulation Resistance Through R...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsManipulation Resistance Through R...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation AlgorithmsRobust Statistics Results on Bell...
Tutorial on Robustness of Recommender Systems  Attack Resistant Recommendation Algorithms     Provably Manipulation Resist...
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
Upcoming SlideShare
Loading in...5
×

Tutorial on Robustness of Recommender Systems

3,067

Published on

Tutorial given at ACM RecSys 2011 on robustness of recommender algorithms to profile injection / sybil attacks.

Published in: News & Politics, Technology

Transcript of "Tutorial on Robustness of Recommender Systems"

  1. 1. Tutorial on Robustness of Recommender Systems Tutorial on Robustness of Recommender Systems Neil Hurley Complex Adaptive System Laboratory Computer Science and Informatics University College Dublin Clique Strategic Research Cluster clique.ucd.ie October 2011 RecSys 2011: Tutorial on Recommender Robustness
  2. 2. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness RecSys 2011: Tutorial on Recommender Robustness
  3. 3. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms RecSys 2011: Tutorial on Recommender Robustness
  4. 4. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis RecSys 2011: Tutorial on Recommender Robustness
  5. 5. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  6. 6. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms RecSys 2011: Tutorial on Recommender Robustness
  7. 7. Tutorial on Robustness of Recommender SystemsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  8. 8. Tutorial on Robustness of Recommender Systems What is Robustness?Outline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  9. 9. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  10. 10. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksDefining the Problem Recommender Systems use personal information about end-users to make useful personalised recommendations. When ratings are provided explicitly, recommender algorithms have been designed on the assumption that the provided information is correct. However . . . “One can have, some claim, as many electronic per- sonas as one has time and energy to create” –Judith Donath (1998) as quoted in Douceur (2002) How does the system perform if multiple identities are used to try to deliberately bias the recommender output? RecSys 2011: Tutorial on Recommender Robustness
  11. 11. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksDefining the Problem In 2002, John Douceur of Microsoft Research coined the term Sybil Attack to refer to an attack against identity on peer-to-peer systems in which an individual entity masquerades as multiple separate entities “If the local entity has no direct physical knowledge of remote entities, it perceives them only as informational abstractions that we call identities. The system must ensure that distinct identities refer to distinct entities; otherwise, when the local entity selects a subset of identities to redundantly perform a remote operation, it can be duped into selecting a single remote entity multiple times, thereby defeating the redundancy” In the same year, the first paper (O’Mahony et al. 2002) appeared on the vulnerability of Recommender Systems to malicious strategies for “recommendation promotion” – later dubbed profile injection attacks. RecSys 2011: Tutorial on Recommender Robustness
  12. 12. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksDefining the Problem Robustness refers to the ability of a system to operate under stressful conditions. While there are many possible stresses that can be applied to Recommender Systems, research on RS robustness has focused on performance when the dataset is stressed specifically when the dataset is full of noisy, erroneous data; typically, imagined to have been corrupted through a concerted sybil attack, with an aim of biasing the recommender output. RecSys 2011: Tutorial on Recommender Robustness
  13. 13. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack RecSys 2011: Tutorial on Recommender Robustness
  14. 14. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. RecSys 2011: Tutorial on Recommender Robustness
  15. 15. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. Each identity is referred to as an attack profile. RecSys 2011: Tutorial on Recommender Robustness
  16. 16. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. Each identity is referred to as an attack profile. Research has concentrated on attacks designed to achieve a particular recommendation outcome RecSys 2011: Tutorial on Recommender Robustness
  17. 17. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. Each identity is referred to as an attack profile. Research has concentrated on attacks designed to achieve a particular recommendation outcome A Product Push attack: attempt to secure positive recommendations for an item or items; RecSys 2011: Tutorial on Recommender Robustness
  18. 18. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. Each identity is referred to as an attack profile. Research has concentrated on attacks designed to achieve a particular recommendation outcome A Product Push attack: attempt to secure positive recommendations for an item or items; A Product Nuke attack: attempt to secure negative recommendations for an item or items. RecSys 2011: Tutorial on Recommender Robustness
  19. 19. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research The goal of robust recommendation is to prevent attackers from manipulating an RS through large-scale insertion of false user profiles: a profile injection attack An attack is a concerted effort to bias the results of a recommender system by the insertion of a large number of profiles using false identities or sybils. Each identity is referred to as an attack profile. Research has concentrated on attacks designed to achieve a particular recommendation outcome A Product Push attack: attempt to secure positive recommendations for an item or items; A Product Nuke attack: attempt to secure negative recommendations for an item or items. We can also think of attacks that aim to simply destroy the accuracy of the system. RecSys 2011: Tutorial on Recommender Robustness
  20. 20. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research We assume that the attacker has no direct access to the ratings database – manipulation achieved via the creation of false profiles only. RecSys 2011: Tutorial on Recommender Robustness
  21. 21. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research We assume that the attacker has no direct access to the ratings database – manipulation achieved via the creation of false profiles only. We ignore system-level methods (e.g. Captchas) for preventing the generation of false identities or ratings RecSys 2011: Tutorial on Recommender Robustness
  22. 22. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research We assume that the attacker has no direct access to the ratings database – manipulation achieved via the creation of false profiles only. We ignore system-level methods (e.g. Captchas) for preventing the generation of false identities or ratings Focus is on the recommendation algorithm’s ability to resist manipulation either by RecSys 2011: Tutorial on Recommender Robustness
  23. 23. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research We assume that the attacker has no direct access to the ratings database – manipulation achieved via the creation of false profiles only. We ignore system-level methods (e.g. Captchas) for preventing the generation of false identities or ratings Focus is on the recommendation algorithm’s ability to resist manipulation either by Identifying false profiles from their statistical properties and ignoring or lessening their impact on the generation of recommendations; RecSys 2011: Tutorial on Recommender Robustness
  24. 24. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksRobust RS Research We assume that the attacker has no direct access to the ratings database – manipulation achieved via the creation of false profiles only. We ignore system-level methods (e.g. Captchas) for preventing the generation of false identities or ratings Focus is on the recommendation algorithm’s ability to resist manipulation either by Identifying false profiles from their statistical properties and ignoring or lessening their impact on the generation of recommendations; or Generating recommendations in a manner that is inherently insensitive to manipulation. RecSys 2011: Tutorial on Recommender Robustness
  25. 25. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksExample RecSys 2011: Tutorial on Recommender Robustness
  26. 26. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksExample RecSys 2011: Tutorial on Recommender Robustness
  27. 27. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksExample RecSys 2011: Tutorial on Recommender Robustness
  28. 28. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThreats to Reputation Systems I It is interesting to compare the scenario studied in RS research with the threats identified for reputation systems in the 2007 ENISA report (Carrara and Hogben 2007): 1 Whitewashing attack: reseting a poor reputation by rejoining the system with a new identity. 2 Sybil attack or pseudospoofing: the attacker uses multiple identities (sybils) in order to manipulate a reputation score. 3 Impersonation and reputation theft: acquiring the identity of another and stealing her reputation. 4 Bootstrap issues and related threats: the initial reputation of a newcomer may be particularly vulnerable to attack. RecSys 2011: Tutorial on Recommender Robustness
  29. 29. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThreats to Reputation Systems II 5 Extortion: co-ordinated campaigns aimed at blackmail by damaging an individual’s reputation for malicious motives. 6 Denial-of-reputation: attack designed to damage reputation and create an opportunity for blackmail in order to have the reputation cleaned. 7 Ballot stuffing and bad mouthing: reporting of a false reputation score; the attackers collude to give positive/negative feedback, to increase or lower a reputation. 8 Collusion: multiple users conspire to influence a given reputation. 9 Repudiation of data and transaction: denial that a transaction occurred, or denial of the existence of data for which individual is responsible. RecSys 2011: Tutorial on Recommender Robustness
  30. 30. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThreats to Reputation Systems III 10 Recommender dishonesty: dishonest reputation scoring. 11 Privacy threats for voters and reputation owners: for example, anonymity improves the accuracy of votes. 12 Social threats: Discriminatory behaviour, herd behaviour, penalisation of innovative, controversial opinions, vocal minority effect etc. 13 Threats to the underlying networks: e.g. denial of service attack. 14 Trust topology threats: e.g.targeting most highly influential nodes. 15 Threats to ratings: exploiting features of metrics used by the system to calculate the aggregate reputation rating RecSys 2011: Tutorial on Recommender Robustness
  31. 31. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost RecSys 2011: Tutorial on Recommender Robustness
  32. 32. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; RecSys 2011: Tutorial on Recommender Robustness
  33. 33. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; time/effort cost; RecSys 2011: Tutorial on Recommender Robustness
  34. 34. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; time/effort cost; risk cost, associated with the likelihood of being detected; RecSys 2011: Tutorial on Recommender Robustness
  35. 35. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; time/effort cost; risk cost, associated with the likelihood of being detected; In any case, we may model the cost as proportional to RecSys 2011: Tutorial on Recommender Robustness
  36. 36. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; time/effort cost; risk cost, associated with the likelihood of being detected; In any case, we may model the cost as proportional to The number of sybil profiles created ; RecSys 2011: Tutorial on Recommender Robustness
  37. 37. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommendation Attack Game An attack has an associated context-dependent cost real dollar cost if the insertion of a sybil rating requires the purchase of the corresponding item; time/effort cost; risk cost, associated with the likelihood of being detected; In any case, we may model the cost as proportional to The number of sybil profiles created ; the total number of constituent ratings within the sybil profiles. RecSys 2011: Tutorial on Recommender Robustness
  38. 38. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksImpact Curve Figure: Impact curve from Burke et al. (2011) RecSys 2011: Tutorial on Recommender Robustness
  39. 39. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Consider R to be an n × m database of ratings provided by a set of n genuine users for m items in a system catalogue. RecSys 2011: Tutorial on Recommender Robustness
  40. 40. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let G be the set of n genuine users, and let ra = (ra,1 , . . . , ra,m )T represent the set of ratings provided by user a for each item. ra,i ∈ L, some quality label, typically a numerical value over some discrete range. Write ra,i = ∅ if user a has not rated item i. RecSys 2011: Tutorial on Recommender Robustness
  41. 41. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let A be the set of attack profiles of size nA = number of profiles and mA = number of ratings. Let ai denote a single attack profile 1 ≤ i ≤ nA . RecSys 2011: Tutorial on Recommender Robustness
  42. 42. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let R be the (n + nA ) × m database of genuine and attack profiles available to the recommendation algorithm post-attack. RecSys 2011: Tutorial on Recommender Robustness
  43. 43. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. RecSys 2011: Tutorial on Recommender Robustness
  44. 44. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. The recommendation algorithm may be represented as a function φ, that uses the rating database R and a user’s history of previous ratings, ru , to make a set of predictions p(u, i) = φ(i, R, ru ) ∈ L on the set of items. RecSys 2011: Tutorial on Recommender Robustness
  45. 45. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. The recommendation algorithm may be represented as a function φ, that uses the rating database R and a user’s history of previous ratings, ru , to make a set of predictions p(u, i) = φ(i, R, ru ) ∈ L on the set of items. More generally, φ(.) results in a probability mass function over the label space L for each predicted item. RecSys 2011: Tutorial on Recommender Robustness
  46. 46. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. The recommendation algorithm may be represented as a function φ, that uses the rating database R and a user’s history of previous ratings, ru , to make a set of predictions p(u, i) = φ(i, R, ru ) ∈ L on the set of items. More generally, φ(.) results in a probability mass function over the label space L for each predicted item. Let l(φ(., R , .), φ(., R, .)) be a loss function representing the quality loss of the recommendation process due to an attack. RecSys 2011: Tutorial on Recommender Robustness
  47. 47. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. The recommendation algorithm may be represented as a function φ, that uses the rating database R and a user’s history of previous ratings, ru , to make a set of predictions p(u, i) = φ(i, R, ru ) ∈ L on the set of items. More generally, φ(.) results in a probability mass function over the label space L for each predicted item. Let l(φ(., R , .), φ(., R, .)) be a loss function representing the quality loss of the recommendation process due to an attack. This function may depend on the goal of the attack e.g. the overall loss in accuracy, if the attack seeks to distort general recommendation performance, RecSys 2011: Tutorial on Recommender Robustness
  48. 48. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksNotation Let cA = cA (nA , mA ) denote the cost of mounting an attack. The recommendation algorithm may be represented as a function φ, that uses the rating database R and a user’s history of previous ratings, ru , to make a set of predictions p(u, i) = φ(i, R, ru ) ∈ L on the set of items. More generally, φ(.) results in a probability mass function over the label space L for each predicted item. Let l(φ(., R , .), φ(., R, .)) be a loss function representing the quality loss of the recommendation process due to an attack. This function may depend on the goal of the attack e.g. the overall loss in accuracy, if the attack seeks to distort general recommendation performance, or the shift in ratings for some targeted set of items over some targeted set of users, in a focused attack. RecSys 2011: Tutorial on Recommender Robustness
  49. 49. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommender Attack Game Then the manipulation game, from the attacker’s point of view is to choose the attack A∗ that maximises the loss for a given cost bound cmax . Attack Goal A∗ = arg max{A|cA ≤cmax } minφ l(φ(R ), φ(R)) RecSys 2011: Tutorial on Recommender Robustness
  50. 50. Tutorial on Robustness of Recommender Systems What is Robustness? Profile Injection AttacksThe Recommender Attack Game Then the manipulation game, from the attacker’s point of view is to choose the attack A∗ that maximises the loss for a given cost bound cmax . Attack Goal A∗ = arg max{A|cA ≤cmax } minφ l(φ(R ), φ(R)) While the system designer strives to find a recommendation algorithm that militates against attack Defense Goal φ∗ = arg minφ max{A|cA ≤cmax } l(φ(R ), φ(R)) RecSys 2011: Tutorial on Recommender Robustness
  51. 51. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  52. 52. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessOur Original Motivation Inspired by Work in Digital Watermarking . . . RecSys 2011: Tutorial on Recommender Robustness
  53. 53. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessOur Original Motivation Inspired by Work in Digital Watermarking . . . RecSys 2011: Tutorial on Recommender Robustness
  54. 54. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? news.bbc.co.uk/2/hi/4741259.stm (2001) “ ... ads for films including Hollow Man and A Knight’s Tale quoted praise from a reviewer called David Manning, who was exposed as being invented ...” RecSys 2011: Tutorial on Recommender Robustness
  55. 55. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? http://tinyurl.com/3d6d969 (Sept. 2003) “AuctionBytes conducted a reader survey to find out how serious these problems were. According to the survey, 39% of respondents felt that feedback retaliation was a very big problem on eBay. Nineteen percent of respondents had received retaliatory feedback within the previous 6 months, and 16% had been a victim of feedback extortion within the previous 6 months.” RecSys 2011: Tutorial on Recommender Robustness
  56. 56. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? http://tinyurl.com/n3d5lp (June 2009) “Elsevier officials said Monday that it was a mistake for the publishing giant’s marketing division to offer $25 Amazon gift cards to anyone who would give a new textbook five stars in a review posted on Amazon or Barnes & Noble. While those popular Web sites’ customer reviews have long been known to be something less than scientific, and prone to manipulation if an author has friends write on behalf of a new work, the idea that a major academic publisher would attempt to pay for good reviews angered some professors who received the e-mail pitch..” RecSys 2011: Tutorial on Recommender Robustness
  57. 57. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? http://tinyurl.com/cfmqce (2009) Paul Lamere cites an example of “precision hacking” of a Time Poll. RecSys 2011: Tutorial on Recommender Robustness
  58. 58. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? http://tinyurl.com/mupy7d (2009) Hotel review manipulation RecSys 2011: Tutorial on Recommender Robustness
  59. 59. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? Lang et al. (2010) Social Manipulation in Buzznet “...Hey, I know you don’t know me, but could you do me a huge fav and vote for me in this contest? All you have to do is buzz me...” RecSys 2011: Tutorial on Recommender Robustness
  60. 60. Tutorial on Robustness of Recommender Systems What is Robustness? Relevance of RobustnessHow Realistic Is this Scenario? All examples of types of manipulation attacks on recommender systems. No hard evidence of automated shilling attacks by sybil insertion bots. RecSys 2011: Tutorial on Recommender Robustness
  61. 61. Tutorial on Robustness of Recommender Systems What is Robustness? Measuring RobustnessOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  62. 62. Tutorial on Robustness of Recommender Systems What is Robustness? Measuring RobustnessSimple Measures of Attack Impact Average Prediction Shift The change in an item’s predicted rating before and after attack, averaged over all predictions or over predictions that are targetted by the attack. pshift (u, i) = φ(i, R , ru ) − φ(i, R, ru ) RecSys 2011: Tutorial on Recommender Robustness
  63. 63. Tutorial on Robustness of Recommender Systems What is Robustness? Measuring RobustnessSimple Measures of Attack Impact Average Prediction Shift The change in an item’s predicted rating before and after attack, averaged over all predictions or over predictions that are targetted by the attack. pshift (u, i) = φ(i, R , ru ) − φ(i, R, ru ) Average Hit Ratio The average likelihood over tested users that a top-N recommendation will recommend an item that is the target of an attack. For each such item i and each tested user, u, in a test set of t users, let h(u, i) = 1 if i ∈ Ru , the recommended set. Then, H(i) = 1 u∈U h(u, i) t RecSys 2011: Tutorial on Recommender Robustness
  64. 64. Tutorial on Robustness of Recommender Systems What is Robustness? Measuring RobustnessOther Measures of Attack Impact Considering φ(i, R, ru ) as a pmf over L, attack impact can be measured in terms of the change in this distribution as a result of the attack. For instance (Yan and Roy 2009), measure impact in terms of the average Kullback-Liebler distance between φ(i, R, ru ) and φ(i, R , ru ) over the set of inspected items. Resnick and Sami (2007) propose loss functions L(l, q) where l ∈ L, q = φ(i, R, ru ) where the true label of item i is l RecSys 2011: Tutorial on Recommender Robustness
  65. 65. Tutorial on Robustness of Recommender Systems What is Robustness? Measuring RobustnessOther Measures of Attack Impact Considering φ(i, R, ru ) as a pmf over L, attack impact can be measured in terms of the change in this distribution as a result of the attack. For instance (Yan and Roy 2009), measure impact in terms of the average Kullback-Liebler distance between φ(i, R, ru ) and φ(i, R , ru ) over the set of inspected items. Resnick and Sami (2007) propose loss functions L(l, q) where l ∈ L, q = φ(i, R, ru ) where the true label of item i is l e.g. the quadratic loss over a two rating scale [HI, LO], with q the probability of HI is given by L(HI, q) = (1 − q)2 ; L(LO, q) = q 2 RecSys 2011: Tutorial on Recommender Robustness
  66. 66. Tutorial on Robustness of Recommender Systems Attack StrategiesOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  67. 67. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles (Mobasher et al. 2007) introduce the following notation for the components of an attack profile: RecSys 2011: Tutorial on Recommender Robustness
  68. 68. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles (Mobasher et al. 2007) introduce the following notation for the components of an attack profile: IT , the target item(s) receive typically the maximum (resp. minimum) rating for a push (resp. nuke) attack. RecSys 2011: Tutorial on Recommender Robustness
  69. 69. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles (Mobasher et al. 2007) introduce the following notation for the components of an attack profile: IS , the selected item(s) are chosen and rated in a manner to support the attack. RecSys 2011: Tutorial on Recommender Robustness
  70. 70. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles (Mobasher et al. 2007) introduce the following notation for the components of an attack profile: IF , the filler items(s) fill out the remainder of the ratings in the attack profile. RecSys 2011: Tutorial on Recommender Robustness
  71. 71. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; RecSys 2011: Tutorial on Recommender Robustness
  72. 72. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; But, remain unobtrusive so as to avoid detection and filtering – selection of the filler items IF . RecSys 2011: Tutorial on Recommender Robustness
  73. 73. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; But, remain unobtrusive so as to avoid detection and filtering – selection of the filler items IF . Must also consider what information is available to the attacker RecSys 2011: Tutorial on Recommender Robustness
  74. 74. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; But, remain unobtrusive so as to avoid detection and filtering – selection of the filler items IF . Must also consider what information is available to the attacker Typically assume some knowledge of the statistics of the rating database is available; RecSys 2011: Tutorial on Recommender Robustness
  75. 75. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; But, remain unobtrusive so as to avoid detection and filtering – selection of the filler items IF . Must also consider what information is available to the attacker Typically assume some knowledge of the statistics of the rating database is available; May also have knowledge of the recommendation algorithm – an informed attack. RecSys 2011: Tutorial on Recommender Robustness
  76. 76. Tutorial on Robustness of Recommender Systems Attack StrategiesForming Attack Profiles The goal of attack profile creation must be to Effectively support the purpose of the attack – selection of target rating and IS ; But, remain unobtrusive so as to avoid detection and filtering – selection of the filler items IF . Must also consider what information is available to the attacker Typically assume some knowledge of the statistics of the rating database is available; May also have knowledge of the recommendation algorithm – an informed attack. Note Kerkchoff’s principal – avoid “security through obscurity”. RecSys 2011: Tutorial on Recommender Robustness
  77. 77. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  78. 78. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack The first CF profile insertion attack (O’Mahony et al. 2002), was an informed attack that exploited a particular weakness in the basic version of Resnick’s user-based kNN algorithm. RecSys 2011: Tutorial on Recommender Robustness
  79. 79. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack The first CF profile insertion attack (O’Mahony et al. 2002), was an informed attack that exploited a particular weakness in the basic version of Resnick’s user-based kNN algorithm. User-based CF predicts a rating pa,j for item j, user a as follows: RecSys 2011: Tutorial on Recommender Robustness
  80. 80. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack The first CF profile insertion attack (O’Mahony et al. 2002), was an informed attack that exploited a particular weakness in the basic version of Resnick’s user-based kNN algorithm. User-based CF predicts a rating pa,j for item j, user a as follows: – Form a neighbourhood by picking the top-k most similar users to a – Pearson Correlation P j (ra,j −¯a )(ri,j −¯i ) r r wa,i = √P 2 P 2 j∈Na ∩Ni (ra,j −¯a ) r j (ri,j −¯i ) r – Make a prediction by taking a weighted average of n neighbours ratings using: pa,j = ra + κ i=1 wa,i (ri,j − ri ) ¯ ¯ where κ is a normalising factor RecSys 2011: Tutorial on Recommender Robustness
  81. 81. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack Correlation calculated over the items which the target user and attack profile have in common. A small intersection set can lead to high correlations. RecSys 2011: Tutorial on Recommender Robustness
  82. 82. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack Correlation calculated over the items which the target user and attack profile have in common. A small intersection set can lead to high correlations. Therefore a small profile of popular items will have a large correlation with users who have rated these items RecSys 2011: Tutorial on Recommender Robustness
  83. 83. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack Correlation calculated over the items which the target user and attack profile have in common. A small intersection set can lead to high correlations. Therefore a small profile of popular items will have a large correlation with users who have rated these items Implies a low-cost, effective attack on a large proportion of the userbase. RecSys 2011: Tutorial on Recommender Robustness
  84. 84. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsUser-based kNN Attack Correlation calculated over the items which the target user and attack profile have in common. A small intersection set can lead to high correlations. Therefore a small profile of popular items will have a large correlation with users who have rated these items Implies a low-cost, effective attack on a large proportion of the userbase. However, not at all unobtrusive. RecSys 2011: Tutorial on Recommender Robustness
  85. 85. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOther Attacks Strategies Many other attack variants proposed by (Lam and Riedl 2004) and (Mobasher et al. 2007). Assuming a push attack – a target item is given the maximum rating and the attack profile is filled out as follows: Random Attack Randomly chosen filler items get randomly drawn rating values. RecSys 2011: Tutorial on Recommender Robustness
  86. 86. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOther Attacks Strategies Many other attack variants proposed by (Lam and Riedl 2004) and (Mobasher et al. 2007). Assuming a push attack – a target item is given the maximum rating and the attack profile is filled out as follows: Average Attack Randomly chosen filler items. Ratings drawn from normal distribution with item means set to those of rating database. RecSys 2011: Tutorial on Recommender Robustness
  87. 87. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOther Attacks Strategies Many other attack variants proposed by (Lam and Riedl 2004) and (Mobasher et al. 2007). Assuming a push attack – a target item is given the maximum rating and the attack profile is filled out as follows: Probe Attack Filler items filled by starting with a set of seed ratings, querying the recommender system to fill the ratings of the remaining items. RecSys 2011: Tutorial on Recommender Robustness
  88. 88. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOther Attacks Strategies Many other attack variants proposed by (Lam and Riedl 2004) and (Mobasher et al. 2007). Assuming a push attack – a target item is given the maximum rating and the attack profile is filled out as follows: Segment Attack Identifying popular items in a particular user segment, these are given maximum rating and remaining filler items are given minimum rating. RecSys 2011: Tutorial on Recommender Robustness
  89. 89. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsOther Attacks Strategies Many other attack variants proposed by (Lam and Riedl 2004) and (Mobasher et al. 2007). Assuming a push attack – a target item is given the maximum rating and the attack profile is filled out as follows: Bandwagon Attack A set of popular items is given the maximum rating, while remaining filler items are given random ratings. RecSys 2011: Tutorial on Recommender Robustness
  90. 90. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsEvaluation User-based kNN Toward Trustworthy Recommender Systems • 23:21 Fig. 8. Comparison of attacks against user-based algorithm, prediction shift (left) and hit ratio (right). The baseline in the right panel indicatesMovielens 100K dataset. User-based kNN algorithm with Results from (Mobasher et al. 2007) on the the hit ratio results prior to attack. k = 20. All users who have rated at least 20 items. target item. The fillerasize, in as a percentagenumber total numberof the remaining items shown Attack Size given as percentage of the total for different filler sizes, written this case, is the proportionthe dataset on the x-axis. Results of the of users in of items. that are assigned random ratings based on the overall data distribution across Bandwagon attack uses a single popular item and 3% filler size. the whole database (see Figure 4). In the case of the MovieLens data, these frequently-ratedto hit-ratio pre-attack Baseline refers items are predictable box office successes including such titles as Star Wars, Return of Jedi, Titanic, etc. The attack profiles consist of high ratings given to these popular titles in conjunction with high ratings for the pushed movie. Figure 7 shows the effect of filler size on the effectiveness of RecSys 2011: Tutorial on Recommender Robustness
  91. 91. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsEvaluation Item-based kNN Results from (Mobasher et al. 2007) on the Movielens 100K dataset. Item-based kNN algorithm with k = 20. RecSys 2011: Tutorial on Recommender Robustness
  92. 92. Tutorial on Robustness of Recommender Systems Attack Strategies Attacking kNN AlgorithmsEvaluation Item-based kNN Toward Trustworthy Recommender Systems • 23:23 Fig. 10. Prediction shift and hit 2007) resultsMovielenshorror dataset.segment in kNN item-based Results from (Mobasher et al. ratio on the for the 100K movie Item-based the algorithm with algorithm. 20. k= Prediction shift and hit ratio results for the Horror Movie Segment. the target item for use as the segment portion of the attack profile IS . In the realm of movies, we might imagine selecting movies of a similar genre or movies containing the same actors. If we evaluate the segmented attack based on its average impact on all users, there is nothing remarkable. The attack has an effect but does not approach the numbers reached by the average attack. However, we must recall our market segment assumption: namely, that recommendations made to in-segment users are much more useful to the attacker than recommendations to other users. Our focus must therefore be with the “in-segment” users, those users who have rated RecSys 2011: Tutorial on Recommender Robustness
  93. 93. Tutorial on Robustness of Recommender Systems Attack DetectionOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  94. 94. Tutorial on Robustness of Recommender Systems Attack DetectionProfile Injection Attacks Two well-studied attacks : Construct spam profile with max (or min) rating for targeted item. Choose a set of filler items at random Random Attack – insert ratings in filler items according to N (µ, σ) Average Attack – insert ratings in filler item i according to N (µi , σi ) For evaluations, genuine profiles are drawn from 1,000,000 rating Movielens dataset. RecSys 2011: Tutorial on Recommender Robustness
  95. 95. Tutorial on Robustness of Recommender Systems Attack DetectionDetection Flow RecSys 2011: Tutorial on Recommender Robustness
  96. 96. Tutorial on Robustness of Recommender Systems Attack Detection PCA-based Attack DetectionOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  97. 97. Tutorial on Robustness of Recommender Systems Attack Detection PCA-based Attack DetectionPCA Detector (Mehta et al. 2007) A method of identifying and removing a cluster of highly-correlated attack profiles. A cluster C defined by an indicator vector x such that xi = 1 if user ui ∈ C and xi = 0 otherwise. S a profile similarity matrix, with eigenvectors/values ei , λi Quadratic form m T x Sx = S(i, j) = (x.ei )2 λi . i∈C,j∈C i=1 Find x that correlates most with first few eigenvectors of S. RecSys 2011: Tutorial on Recommender Robustness
  98. 98. Tutorial on Robustness of Recommender Systems Attack Detection PCA-based Attack DetectionPCA Detector (Mehta et al. 2007) Success of PCA depends on how S is calculated. S = Z0 , covariance of profiles ignoring missing values. RecSys 2011: Tutorial on Recommender Robustness
  99. 99. Tutorial on Robustness of Recommender Systems Attack Detection PCA-based Attack DetectionPCA Detector (Mehta et al. 2007) Success of PCA depends on how S is calculated. S = Z1 , covariance of profiles treating missing values as 0. RecSys 2011: Tutorial on Recommender Robustness
  100. 100. Tutorial on Robustness of Recommender Systems Attack Detection PCA-based Attack DetectionPCA Detector (Mehta et al. 2007) Success of PCA depends on how S is calculated. Small Overlap → low genuine/attack covariance. RecSys 2011: Tutorial on Recommender Robustness
  101. 101. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  102. 102. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionNeyman-Pearson Statistical Detection y ∈ Y be an observation i.e. a user profile over all possible profiles Y Two hypotheses H0 – that y is a genuine profile, associated pdf fY|H1 (y) H1 – that y is an attack profile, associated pdf fY|H0 (y) N-P criterion sets a bound α on false alarm probability pf and maximises the good detection probability pD H1 if l(y) > η fY|H1 (y) ψ ∗ (y) = where l(y) = fY|H0 (y) H0 if l(y) < η (likelihood ratio) RecSys 2011: Tutorial on Recommender Robustness
  103. 103. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionModelling Attack Profiles As attacks follow well-defined construction, easy to construct model: m Pr[Yi = yi ] i=1 m = Pr[Yi = φ]θi (Pr[Yi = yi |Yi = φ]Pr[Yi = φ])1−θi i=1 Which items are rated? RecSys 2011: Tutorial on Recommender Robustness
  104. 104. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionModelling Attack Profiles As attacks follow well-defined construction, easy to construct model: m Pr[Yi = yi ] i=1 m = Pr[Yi = φ]θi (Pr[Yi = yi |Yi = φ]Pr[Yi = φ])1−θi i=1 What ratings used? RecSys 2011: Tutorial on Recommender Robustness
  105. 105. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionModelling Attack Profiles As attacks follow well-defined construction, easy to construct model: m Pr[Yi = yi ] i=1 m 1 1 1−θi θi yi − 2 − µi yi + 2 − µi = Pr[Yi = φ] Q −Q σi σi i=1 Q(.) = Gaussian Q-function RecSys 2011: Tutorial on Recommender Robustness
  106. 106. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionModelling Genuine Profiles Simple model – identical to attack model except that probability of selecting a filler item is estimated as pi Pr[Yi = φ] from a dataset of genuine profiles. ˆ m Pr[Yi = yi ] i=1 m = pi θi (Pr[Yi = yi |Yi = φ](1 − pi ))1−θi ˆ ˆ i=1 Not a realistic model of genuine ratings – assumes user’s ratings are all independent But sufficient (almost) to distinguish from attack profiles. RecSys 2011: Tutorial on Recommender Robustness
  107. 107. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionRandom Attack (Filler Size=5%) RecSys 2011: Tutorial on Recommender Robustness
  108. 108. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAverage Attack (Filler Size=5%) RecSys 2011: Tutorial on Recommender Robustness
  109. 109. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionLesson Learned Filler item selection is key to the success of the standard attacks on k-NN user-based algorithm. Low (attack profile / genuine profile) overlap (few common ratings) makes extreme correlations possible – hence attack profiles are unusually influential. (Basis of original attack proposed in O’Mahony et al. (2002).) But also allows for successful detection – also highly perceptible. RecSys 2011: Tutorial on Recommender Robustness
  110. 110. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAttack Obfuscation Several obfuscation strategies evaluated previously (Williams et al. 2006). Effective obfuscation must try to reduce the statistical differences between genuine and attack profiles. RecSys 2011: Tutorial on Recommender Robustness
  111. 111. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAverage over Popular (AoP) attack It is clear that a major weakness of the average and random attacks is their unrealistic selection of filler items. To be imperceptible an attacker must choose items to rate in a similar fashion to genuine users. Average Over Popular Attack – identical to average attack, but filler items are chosen from x-% most popular items. AoP is a less perceptible but also less effective attack on kNN user-based algorithm. Nevertheless it does work . . . RecSys 2011: Tutorial on Recommender Robustness
  112. 112. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP Prediction Shift (Attack Size=3%) RecSys 2011: Tutorial on Recommender Robustness
  113. 113. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP Hits (rating of ≥ 4) (Attack Size=3%) RecSys 2011: Tutorial on Recommender Robustness
  114. 114. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP PCA Detection RecSys 2011: Tutorial on Recommender Robustness
  115. 115. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionImproved Genuine Profile Model Adopt model that takes account of correlations between ratings. Assume ratings follow multivariate normal distribution – parameters: µ0 , m-dimensional vector of mean-ratings for each item; and Σ0 , m × m matrix of item correlations. Assume attack profiles also multivariate gaussian with parameters µ1 , Σ1 Hence, attacked database can be modelled as a Gaussian Mixture Model. RecSys 2011: Tutorial on Recommender Robustness
  116. 116. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionImproved Genuine Profile Model Difficulty Very high dimensional vectors Missing values Factor Model : Assume that the rating matrix can be represented by the linear model YT = AXT + N , X : n × k matrix, xu,j = extent user u likes category j A : m × k matrix ai,j = extent item i belongs in category j N : independent noise X(i, :) assumed independent normal. Expectation maximisation to learn A from dataset ([Canny, 2002]). RecSys 2011: Tutorial on Recommender Robustness
  117. 117. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionImproved Genuine Profile Model N-P test on multivariate normal k-dimensional vector obtained by projection with A w = AT YT = AT (AXT + N) X : n × k matrix, xu,j = extent user u likes category j A : m × k matrix ai,j = extent item i belongs in category j N : independent noise X(i, :) assumed independent normal. RecSys 2011: Tutorial on Recommender Robustness
  118. 118. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionProjection by Clustering N-P test on multivariate normal k-dimensional vector obtained by projection with P w = PT YT Obtain a clustering of item-set into k clusters of similar items. P : n × k projection matrix sums all ratings belonging to a cluster. RecSys 2011: Tutorial on Recommender Robustness
  119. 119. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionSupervised AoP Detection N-P test reduces to (w−µw 0 )T Σw0 −1 (w−µw 0 )−(w−µw 1 )T Σw1 −1 (w−µw 1 ) η Need Database of genuine profiles and Database of attack profiles to train the detector. RecSys 2011: Tutorial on Recommender Robustness
  120. 120. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP Detection (Factor Analysis) Actual attack=20% AoP Attack. Plot shows training on different attack types. RecSys 2011: Tutorial on Recommender Robustness
  121. 121. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP Detection (Clustering) Actual attack=20% AoP Attack. Plot shows training on different attack types. RecSys 2011: Tutorial on Recommender Robustness
  122. 122. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionUnsupervised AoP Detection Unsupervised Gaussian mixture model to learn model parameters µw 0 , Σw0 , µw 1 , Σw1 , a0 and a1 , where ai is the probability that a profile belongs in cluster i. Implementation from William Wong, Purdue University, http://web.ics.purdue.edu/~wong17/. RecSys 2011: Tutorial on Recommender Robustness
  123. 123. Tutorial on Robustness of Recommender Systems Attack Detection Statistical Attack DetectionAoP Detection RecSys 2011: Tutorial on Recommender Robustness
  124. 124. Tutorial on Robustness of Recommender Systems Attack Detection Cost-Benefit AnalysisOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  125. 125. Tutorial on Robustness of Recommender Systems Attack Detection Cost-Benefit AnalysisCost-Benefit Analysis In O’Mahony et al. (2006), we examined a simple cost-benefit model The ROI for an attack on item j given by: P cj N (nj −nj ) − k∈Ij ck ROIj = P ck k∈Ij Simplify by assuming cp = cq , ∀ p, q ∈ I N (nj −nj ) − sj ROIj = sj sj – total number of ratings inserted in an attack on item j Approximated the fractions nj & nj using count of good predictions and browser-to-buyer conversion probability RecSys 2011: Tutorial on Recommender Robustness
  126. 126. Tutorial on Robustness of Recommender Systems Attack Detection Cost-Benefit AnalysisResults Profitj = c αj (GPj − GPj ) − sj ; c = $10, α = 10% 600 400 Profit ($) 200 2 r = 0.9894 0 −200 0 2000 4000 6000 8000 10000 N RecSys 2011: Tutorial on Recommender Robustness
  127. 127. Tutorial on Robustness of Recommender Systems Attack Detection Cost-Benefit AnalysisCost-benefit Analysis Vu et al. (2010) examines the adversarial cost to attacking a ranking system in terms of nA = number of profiles and mA =number of ratings. They assume a rating function r(u, i) ∈ {−1, 0, 1} and a quality-popularity score for each item f (i) = r(u, i) u∈G RecSys 2011: Tutorial on Recommender Robustness
  128. 128. Tutorial on Robustness of Recommender Systems Attack Detection Cost-Benefit AnalysisCost-benefit Analysis Using a trust mechanism that can detect a malicious rating with probability γ, they show that a ranking function of the form f (i) = r(u, i)t(u, i) u∈G∪A can be used to design a ranking system in which the minimum adversarial cost in expectation to boost the rank of an item from k to 1 includes the cost of posting mA =nA ratings, with 1−2 + γ nA = (x1 + xk ) 1−γ where xi denotes the number of honest ratings for item i and is the probability of an erroneous rating. RecSys 2011: Tutorial on Recommender Robustness
  129. 129. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  130. 130. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  131. 131. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  132. 132. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  133. 133. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  134. 134. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  135. 135. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms RecSys 2011: Tutorial on Recommender Robustness
  136. 136. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsModel-based Algorithms Attack takes effect when model is re-trained, using corrupted ratings database. RecSys 2011: Tutorial on Recommender Robustness
  137. 137. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms Initial work such as Mobasher et al. (2006) showed that model-based algorithms are more resistant to manipulation than memory-based algorithms. RecSys 2011: Tutorial on Recommender Robustness
  138. 138. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms Initial work such as Mobasher et al. (2006) showed that model-based algorithms are more resistant to manipulation than memory-based algorithms. RecSys 2011: Tutorial on Recommender Robustness
  139. 139. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms Initial work such as Mobasher et al. (2006) showed that model-based algorithms are more resistant to manipulation than memory-based algorithms. The user-base is clustered into segments using k-means or PLSA clustering and users matched to closest segment profiles. RecSys 2011: Tutorial on Recommender Robustness
  140. 140. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms Initial work such as Mobasher et al. (2006) showed that model-based algorithms are more resistant to manipulation than memory-based algorithms. Sybil profiles tend to be clustered into same segment, thereby reducing power of attack. RecSys 2011: Tutorial on Recommender Robustness
  141. 141. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms Initial work such as Mobasher et al. (2006) showed that model-based algorithms are more resistant to manipulation than memory-based algorithms. However, as shown in Cheng and Hurley (2009a), a diversified attack can create less similar but yet still effective attack profiles. RecSys 2011: Tutorial on Recommender Robustness
  142. 142. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms From Mobasher et al. (2006): Evaluation on MovieLens 100K dataset RecSys 2011: Tutorial on Recommender Robustness
  143. 143. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Model-based Algorithms From Cheng and Hurley (2009a): Evaluation on MovieLens 1M dataset RecSys 2011: Tutorial on Recommender Robustness
  144. 144. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Matrix Factorisation Modern matrix factorization algorithms use a least squares step to find the factors. This is known to be sensitive to outliers. RecSys 2011: Tutorial on Recommender Robustness
  145. 145. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsManipulation-resistance of Matrix Factorisation Cheng and Hurley (2010) Prediction shift of basic Bellkor algorithm kNN for a single randomly chosen unpopular item. RecSys 2011: Tutorial on Recommender Robustness
  146. 146. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsSummary of Robustness Results on Standard Algorithms A number of general attack strategies have been proposed that work effectively in particular on memory-based algorithms. RecSys 2011: Tutorial on Recommender Robustness
  147. 147. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsSummary of Robustness Results on Standard Algorithms A number of general attack strategies have been proposed that work effectively in particular on memory-based algorithms. Standard attacks are generally detectable: RecSys 2011: Tutorial on Recommender Robustness
  148. 148. Tutorial on Robustness of Recommender Systems Robustness of Model-based AlgorithmsSummary of Robustness Results on Standard Algorithms A number of general attack strategies have been proposed that work effectively in particular on memory-based algorithms. Standard attacks are generally detectable: Cost effectiveness implies that a sybil profile should be unusually influential. Special purpose (informed) attacks can be tailored towards particular CF algorithms e.g. a high diversity attack proved effective against the k-means clustering algorithm. Sybil profiles can be obfuscated to make them less detectable Selection of filler items is Achille’s heal of standard average attack, but also explains its power. Obfuscation reduces the effectiveness of attacks but memory-based algorithms are still vulnerable. RecSys 2011: Tutorial on Recommender Robustness
  149. 149. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  150. 150. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Some early work (O’Mahony et al. 2004) applied neighbourhood filtering to the standard user-based algorithm, to cluster and filter suspicious neighbours. RecSys 2011: Tutorial on Recommender Robustness
  151. 151. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Some early work (O’Mahony et al. 2004) applied neighbourhood filtering to the standard user-based algorithm, to cluster and filter suspicious neighbours. Mehta and Nejdl (2008) introduces the the VarSelectSVD method – a matrix factorisation strategy taking robustness into account. RecSys 2011: Tutorial on Recommender Robustness
  152. 152. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Some early work (O’Mahony et al. 2004) applied neighbourhood filtering to the standard user-based algorithm, to cluster and filter suspicious neighbours. Mehta and Nejdl (2008) introduces the the VarSelectSVD method – a matrix factorisation strategy taking robustness into account. An SVD factorization of the rating matrix R requires the following to be solved: arg min R − GH G,H RecSys 2011: Tutorial on Recommender Robustness
  153. 153. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Some early work (O’Mahony et al. 2004) applied neighbourhood filtering to the standard user-based algorithm, to cluster and filter suspicious neighbours. Mehta and Nejdl (2008) introduces the the VarSelectSVD method – a matrix factorisation strategy taking robustness into account. An SVD factorization of the rating matrix R requires the following to be solved: arg min R − GH G,H Users are flagged as suspicious using PCA clustering. RecSys 2011: Tutorial on Recommender Robustness
  154. 154. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Some early work (O’Mahony et al. 2004) applied neighbourhood filtering to the standard user-based algorithm, to cluster and filter suspicious neighbours. Mehta and Nejdl (2008) introduces the the VarSelectSVD method – a matrix factorisation strategy taking robustness into account. An SVD factorization of the rating matrix R requires the following to be solved: arg min R − GH G,H Users are flagged as suspicious using PCA clustering. Flagged users do not contribute to the update of right eigenvector – they do not contribute to the model. RecSys 2011: Tutorial on Recommender Robustness
  155. 155. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD RecSys 2011: Tutorial on Recommender Robustness
  156. 156. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsVarSelectSVD Results MAE, Prediction Shift and Hit Ratio for 5% Average Attack, 7% Filler on Movielens 1M RecSys 2011: Tutorial on Recommender Robustness
  157. 157. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsManipulation Resistance Through Robust Statistics Robust statistics describes an alternative approach to classical statistics where the motivation is to produce estimators that are not unduly affected by small departures from the model. Robust regression uses a bounded cost function which limits the effect of outliers. Two Approaches RecSys 2011: Tutorial on Recommender Robustness
  158. 158. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsManipulation Resistance Through Robust Statistics Robust statistics describes an alternative approach to classical statistics where the motivation is to produce estimators that are not unduly affected by small departures from the model. Robust regression uses a bounded cost function which limits the effect of outliers. Two Approaches 1 M-estimators – 1 2 2γ r |r| ≤ γ arg min ρ(rij −gi hj ) where ρ(r) = G,H |r| − γ2 |r| > γ rij =0 RecSys 2011: Tutorial on Recommender Robustness
  159. 159. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsManipulation Resistance Through Robust Statistics Robust statistics describes an alternative approach to classical statistics where the motivation is to produce estimators that are not unduly affected by small departures from the model. Robust regression uses a bounded cost function which limits the effect of outliers. Two Approaches 2 Least Trimmed Squares – h arg min e2 (i) where e2 ≤ e2 ≤ · · · ≤ e2 (1) (2) (n) G,H i=1 RecSys 2011: Tutorial on Recommender Robustness
  160. 160. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation AlgorithmsRobust Statistics Results on Bellkor Method RecSys 2011: Tutorial on Recommender Robustness
  161. 161. Tutorial on Robustness of Recommender Systems Attack Resistant Recommendation Algorithms Provably Manipulation Resistant AlgorithmsOutline 1 What is Robustness? Profile Injection Attacks Relevance of Robustness Measuring Robustness 2 Attack Strategies Attacking kNN Algorithms 3 Attack Detection PCA-based Attack Detection Statistical Attack Detection Cost-Benefit Analysis 4 Robustness of Model-based Algorithms 5 Attack Resistant Recommendation Algorithms Provably Manipulation Resistant Algorithms 6 Stability, Trust and Privacy RecSys 2011: Tutorial on Recommender Robustness
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×