WF
Uploaded byWQ Fan
PDF, PPTX373 views

Adversarial Attacks for Recommender Systems

This document discusses adversarial attacks on recommendation systems, detailing various attack methodologies including data poisoning and user profile manipulation. It categorizes attacks into white-box, grey-box, and black-box types, highlighting the challenges and strategies for each approach. The content emphasizes the importance of understanding these attacks to defend against potential risks in recommender systems.

Embed presentation

Download as PDF, PPTX
Adversarial Attacks for Recommendations 1 Data Science and Engineering Lab Tutorial website: https://advanced-recommender-systems.github.io/ijcai2021-tutorial/ Wenqi Fan The Hong Kong Polytechnic University https://wenqifan03.github.io, wenqifan@polyu.edu.hk
Adversarial Attacks on Deep Learning Classified as panda 𝑥 Small adversarial noise 𝜖 Classified as gibbon 𝑥′
3 Attacks can happen in Recommender Systems https://www.bbc.com/news/business-47941181 https://www.gov.uk/government/news/facebook-and-ebay-pledge-to-combat-trading-in-fake-reviews “More than three-quarters of people are influenced by reviews when they shop online.” Defend against potential adversarial attacks Understand how attacks can be performed
4 Attacks can happen in Recommender Systems • Security (Attacking) in Recommender Systems • Data poisoning/shilling attacks: promote/demote a set of items Adversary (fake user profiles)
... ... ... ... ... ... ... ... ... ... Normal Data Fake User Profiles Target/Victim Recommender System User-item Interactions Target items being recommended Generating  Fake  User  Profiles Attacker A General Attacking Framework 5
Attack settings 6 qWhite/grey-box attacks vs. Black-box attacks. • have full/partial knowledge of the victim model/have no knowledge. qTargeted Attacks vs. Non-Targeted Attacks. • attack specific target items / hurt the overall recommendation performance. Grey- box White- box Black- box Adversary’s Knowledge High Low
§ White-box Attacks • Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 7
§ White-box Attacks • Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 8
§ Collaborative Filtering: § Given data. , § Goal: matrix completion § Alternating minimization: Preliminaries 9 Data Poisoning Attacks on Factorization-Based Collaborative Filtering, NIPS, 2016
§ Inject malicious users § The CF formulations will be: § Goal: § Solution: Projected gradient ascent (PGA) Attacking Formulation 10 Data Poisoning Attacks on Factorization-Based Collaborative Filtering, NIPS, 2016
§ White-box Attacks • Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 11
Threat Model Attacker’s Goal: promote certain items availability of being recommended Attacker’s knowledge: fully (partial) observable dataset Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
§ Step 1: Train surrogate model How to attack a RecSys: A bi-level optimization problem Training Recommender System Normal Data Injected fake data where $ 𝑋 is the fake rating matrix, 𝜃∗ is the parameters of the surrogate model Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
§ Step 2: Evaluate the malicious goal after fake data are consumed How to attack a RecSys: A bi-level optimization problem Adversarial objective (defined on prediction on normal data) Well-trained surrogate model parameters Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
Solving the bi-level optimization: gradient-based Train surrogate model based on new fake data Obtain gradient and update fake data Repeat until converge Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
Limitations How to obtain the desired gradients Lacking exactness in gradient computation ignored Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
§ Exact Solution Computational graph Inner objective Outer objective Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020. Forward computation flow: solid black arrow Gradient backpropagation flow: dashed red arrow
§ White-box Attacks • Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 18
§ Challenges in existing attacking methods: § Less "realistic" user profiles (easily detected) Challenges 19 ... ... ... ... ... ... ... ... ... ... Normal Data Fake User Profiles Target/Victim Recommender System User-item Interactions Target items being recommended Generating  Fake  User  Profiles Attacker Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
§ Cross-domain Information § Share a lot of items § Users from these platforms with similar functionalities also share similar behavior patterns/preferences. Solution 20 Taobao JD.com Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
§ Challenges in existing attacking methods: § Less "realistic" user profiles (easily detected) • Copy cross-domain users with real profiles from other domains Solution 21 Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
§ Challenges in existing attacking methods: § Less "realistic" user profiles (easily detected) • Cross-domain Information § White/Grey-box setting (i.e., model architecture and parameters, and datasets) à impossible and unrealistic (privacy and security) § Black-box setting Ø Reinforcement Learning (RL) -- Query Feedback (Reward) Challenges 22 Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
25 CopyAttack 1 3 6 2 7 4 Target RecSys in Target Domain A User Profile Selection in Source Domain B User Profile Crafting  in Source Domain B Copying User Profile  (Injection Attack) Reward (+/-) Users:  Items:  Reward (+/-) (+) (-) Top-k List Feedback (Queries) 5 PN-1 PN-2 PN-3 Start Point PN-Length End Point Target Item to be Attacked Path for User Profile Selection  Mask (Stop Sign) Raw User Profile  Crafting  User Profile Spy Users Real Users No. Non-leaf Node Users with Target Item Users without Target Item Sharing Items in Two Domains PN-* Policy Network Target Item Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
26 User Profile Selection • User Profile Selection • Construct hierarchical clustering tree • Masking Mechanism - specific target items • Hierarchical-structure Policy Gradient Time Complexity: Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
• User Profile Crafting • Clipping operation to craft the raw user profiles • Sequential patterns (forward/backward) 27 User Profile Crafting w = 50% Example: Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
28 CopyAttack 1 3 6 2 7 4 Target RecSys in Target Domain A User Profile Selection in Source Domain B User Profile Crafting  in Source Domain B Copying User Profile  (Injection Attack) Reward (+/-) Users:  Items:  Reward (+/-) (+) (-) Top-k List Feedback (Queries) 5 PN-1 PN-2 PN-3 Start Point PN-Length End Point Target Item to be Attacked Path for User Profile Selection  Mask (Stop Sign) Raw User Profile  Crafting  User Profile Spy Users Real Users No. Non-leaf Node Users with Target Item Users without Target Item Sharing Items in Two Domains PN-* Policy Network Target Item Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.

More Related Content

PPTX
Generative models
byBirger Moell
 
PPTX
Collaborative Filtering Recommendation System
byMilind Gokhale
 
PPTX
Explainable AI in Industry (KDD 2019 Tutorial)
byKrishnaram Kenthapadi
 
PDF
Exploring Generative AI with GAN Models
byKonfHubTechConferenc
 
PDF
Autoencoders
byCloudxLab
 
PDF
Bayesian networks in AI
byByoung-Hee Kim
 
PPTX
AI - Introduction to Bellman Equations
byAndrew Ferlitsch
 
PPTX
AI: AI & Problem Solving
byDataminingTools Inc
 
Generative models
byBirger Moell
 
Collaborative Filtering Recommendation System
byMilind Gokhale
 
Explainable AI in Industry (KDD 2019 Tutorial)
byKrishnaram Kenthapadi
 
Exploring Generative AI with GAN Models
byKonfHubTechConferenc
 
Autoencoders
byCloudxLab
 
Bayesian networks in AI
byByoung-Hee Kim
 
AI - Introduction to Bellman Equations
byAndrew Ferlitsch
 
AI: AI & Problem Solving
byDataminingTools Inc
 

What's hot

PPTX
Recommendation system
byDing Li
 
PDF
Fairness in Machine Learning and AI
bySeth Grimes
 
PDF
Image Segmentation (D3L1 2017 UPC Deep Learning for Computer Vision)
byUniversitat Politècnica de Catalunya
 
PDF
Unified Approach to Interpret Machine Learning Model: SHAP + LIME
byDatabricks
 
PPS
Neural Networks
byIsmail El Gayar
 
PPTX
Recommender systems: Content-based and collaborative filtering
byViet-Trung TRAN
 
PDF
Faster R-CNN: Towards real-time object detection with region proposal network...
byUniversitat Politècnica de Catalunya
 
PDF
Computer Vision: Feature matching with RANSAC Algorithm
byallyn joy calcaben
 
PPTX
Learning a Personalized Homepage
byJustin Basilico
 
PDF
Introduction to Recurrent Neural Network
byYan Xu
 
PPTX
CS 402 DATAMINING AND WAREHOUSING -MODULE 5
byNIMMYRAJU
 
PPTX
Fraud and Risk in Big Data
byUmma Khatuna Jannat
 
PDF
ResNet basics (Deep Residual Network for Image Recognition)
bySanjay Saha
 
PDF
CNNs: from the Basics to Recent Advances
byDmytro Mishkin
 
PDF
Recurrent Neural Networks
byRakuten Group, Inc.
 
PDF
generative-ai-fundamentals and Large language models
byAdventureWorld5
 
PDF
Recommender Systems
byCarlos Castillo (ChaTo)
 
PDF
And then there were ... Large Language Models
byLeon Dohmen
 
PPTX
Convolutional Neural Network - CNN | How CNN Works | Deep Learning Course | S...
bySimplilearn
 
PPTX
Apriori Algorithm
byInternational School of Engineering
 
Recommendation system
byDing Li
 
Fairness in Machine Learning and AI
bySeth Grimes
 
Image Segmentation (D3L1 2017 UPC Deep Learning for Computer Vision)
byUniversitat Politècnica de Catalunya
 
Unified Approach to Interpret Machine Learning Model: SHAP + LIME
byDatabricks
 
Neural Networks
byIsmail El Gayar
 
Recommender systems: Content-based and collaborative filtering
byViet-Trung TRAN
 
Faster R-CNN: Towards real-time object detection with region proposal network...
byUniversitat Politècnica de Catalunya
 
Computer Vision: Feature matching with RANSAC Algorithm
byallyn joy calcaben
 
Learning a Personalized Homepage
byJustin Basilico
 
Introduction to Recurrent Neural Network
byYan Xu
 
CS 402 DATAMINING AND WAREHOUSING -MODULE 5
byNIMMYRAJU
 
Fraud and Risk in Big Data
byUmma Khatuna Jannat
 
ResNet basics (Deep Residual Network for Image Recognition)
bySanjay Saha
 
CNNs: from the Basics to Recent Advances
byDmytro Mishkin
 
Recurrent Neural Networks
byRakuten Group, Inc.
 
generative-ai-fundamentals and Large language models
byAdventureWorld5
 
Recommender Systems
byCarlos Castillo (ChaTo)
 
And then there were ... Large Language Models
byLeon Dohmen
 
Convolutional Neural Network - CNN | How CNN Works | Deep Learning Course | S...
bySimplilearn
 
Apriori Algorithm
byInternational School of Engineering
 

Similar to Adversarial Attacks for Recommender Systems

PPT
Robust recommendation
byAravindharamanan S
 
PPTX
An Overview of Advesarial-attack-in-Recommender-system.pptx
byvudinhphuong96
 
PDF
Assessing the impact of a user item collaborative attack on class of users
byFeliceAntonioMerra
 
PPTX
Profile injection attack detection in recommender system
byASHISH PANNU
 
PPTX
Major
byKARAN GOYAL
 
PDF
IRJET- Review on “Using Big Data to Defend Machines against Network Attacks”
byIRJET Journal
 
PPTX
Profile Injection Attack Detection in Recommender System
byASHISH PANNU
 
PDF
Adversarial ml
byJunfeiWang1
 
PDF
DEF CON 27 - workshop - YACIN NADJI - hands on adverserial machine learning
byFelipe Prado
 
PPT
Developing a Secured Recommender System in Social Semantic Network
byTamer Rezk
 
DOCX
Minor Project Report about Cyber security Effects on AI: Challenges and Mitig...
byTechno India University
 
DOCX
Minor Project ReportCyber security Effects on AI: Challenges and Mitigation S...
bysrinjoy221001102046
 
PDF
Tutorial on Countering Bias in Personalized Rankings: From Data Engineering t...
byMirko Marras
 
PDF
Threats_Report_2013
byMary Claire Thompson
 
Robust recommendation
byAravindharamanan S
 
An Overview of Advesarial-attack-in-Recommender-system.pptx
byvudinhphuong96
 
Assessing the impact of a user item collaborative attack on class of users
byFeliceAntonioMerra
 
Profile injection attack detection in recommender system
byASHISH PANNU
 
Major
byKARAN GOYAL
 
IRJET- Review on “Using Big Data to Defend Machines against Network Attacks”
byIRJET Journal
 
Profile Injection Attack Detection in Recommender System
byASHISH PANNU
 
Adversarial ml
byJunfeiWang1
 
DEF CON 27 - workshop - YACIN NADJI - hands on adverserial machine learning
byFelipe Prado
 
Developing a Secured Recommender System in Social Semantic Network
byTamer Rezk
 
Minor Project Report about Cyber security Effects on AI: Challenges and Mitig...
byTechno India University
 
Minor Project ReportCyber security Effects on AI: Challenges and Mitigation S...
bysrinjoy221001102046
 
Tutorial on Countering Bias in Personalized Rankings: From Data Engineering t...
byMirko Marras
 
Threats_Report_2013
byMary Claire Thompson
 

Recently uploaded

PPTX
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Cloud-and-AI-Platform-FY26-Partner-Playbook.pptx
byiuiuiuiu1
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
December Patch Tuesday
byIvanti
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 

Adversarial Attacks for Recommender Systems

  • 1.
    Adversarial Attacks for Recommendations 1 DataScience and Engineering Lab Tutorial website: https://advanced-recommender-systems.github.io/ijcai2021-tutorial/ Wenqi Fan The Hong Kong Polytechnic University https://wenqifan03.github.io, wenqifan@polyu.edu.hk
  • 2.
    Adversarial Attacks onDeep Learning Classified as panda 𝑥 Small adversarial noise 𝜖 Classified as gibbon 𝑥′
  • 3.
    3 Attacks can happenin Recommender Systems https://www.bbc.com/news/business-47941181 https://www.gov.uk/government/news/facebook-and-ebay-pledge-to-combat-trading-in-fake-reviews “More than three-quarters of people are influenced by reviews when they shop online.” Defend against potential adversarial attacks Understand how attacks can be performed
  • 4.
    4 Attacks can happenin Recommender Systems • Security (Attacking) in Recommender Systems • Data poisoning/shilling attacks: promote/demote a set of items Adversary (fake user profiles)
  • 5.
    ... ... ... ... ...... ... ... ... ... Normal Data Fake User Profiles Target/Victim Recommender System User-item Interactions Target items being recommended Generating  Fake  User  Profiles Attacker A General Attacking Framework 5
  • 6.
    Attack settings 6 qWhite/grey-box attacksvs. Black-box attacks. • have full/partial knowledge of the victim model/have no knowledge. qTargeted Attacks vs. Non-Targeted Attacks. • attack specific target items / hurt the overall recommendation performance. Grey- box White- box Black- box Adversary’s Knowledge High Low
  • 7.
    § White-box Attacks •Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 7
  • 8.
    § White-box Attacks •Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 8
  • 9.
    § Collaborative Filtering: §Given data. , § Goal: matrix completion § Alternating minimization: Preliminaries 9 Data Poisoning Attacks on Factorization-Based Collaborative Filtering, NIPS, 2016
  • 10.
    § Inject malicioususers § The CF formulations will be: § Goal: § Solution: Projected gradient ascent (PGA) Attacking Formulation 10 Data Poisoning Attacks on Factorization-Based Collaborative Filtering, NIPS, 2016
  • 11.
    § White-box Attacks •Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 11
  • 12.
    Threat Model Attacker’s Goal:promote certain items availability of being recommended Attacker’s knowledge: fully (partial) observable dataset Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
  • 13.
    § Step 1:Train surrogate model How to attack a RecSys: A bi-level optimization problem Training Recommender System Normal Data Injected fake data where $ 𝑋 is the fake rating matrix, 𝜃∗ is the parameters of the surrogate model Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
  • 14.
    § Step 2:Evaluate the malicious goal after fake data are consumed How to attack a RecSys: A bi-level optimization problem Adversarial objective (defined on prediction on normal data) Well-trained surrogate model parameters Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
  • 15.
    Solving the bi-leveloptimization: gradient-based Train surrogate model based on new fake data Obtain gradient and update fake data Repeat until converge Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
  • 16.
    Limitations How to obtainthe desired gradients Lacking exactness in gradient computation ignored Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020.
  • 17.
    § Exact Solution Computationalgraph Inner objective Outer objective Revisiting Adversarially Learned Injection Attacks Against Recommender Systems. RecSys 2020. Forward computation flow: solid black arrow Gradient backpropagation flow: dashed red arrow
  • 18.
    § White-box Attacks •Data Poisoning Attacks on Factorization-Based Collaborative Filtering (NIPS’16) § Grey-box Attacks • Revisiting Adversarially Learned Injection Attacks Against Recommender Systems (RecSys’20) • Adversarial Attacks on an Oblivious Recommender (RecSys’19) § Black-box Attacks • CopyAttack: Attacking Black-box Recommendations via Copying Cross-domain User Profiles (ICDE’21) • PoisonRec: An Adaptive Data Poisoning Framework for Attacking Black-box Recommender Systems (ICDE’20) Adversarial Attacks 18
  • 19.
    § Challenges inexisting attacking methods: § Less "realistic" user profiles (easily detected) Challenges 19 ... ... ... ... ... ... ... ... ... ... Normal Data Fake User Profiles Target/Victim Recommender System User-item Interactions Target items being recommended Generating  Fake  User  Profiles Attacker Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 20.
    § Cross-domain Information §Share a lot of items § Users from these platforms with similar functionalities also share similar behavior patterns/preferences. Solution 20 Taobao JD.com Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 21.
    § Challenges inexisting attacking methods: § Less "realistic" user profiles (easily detected) • Copy cross-domain users with real profiles from other domains Solution 21 Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 22.
    § Challenges inexisting attacking methods: § Less "realistic" user profiles (easily detected) • Cross-domain Information § White/Grey-box setting (i.e., model architecture and parameters, and datasets) à impossible and unrealistic (privacy and security) § Black-box setting Ø Reinforcement Learning (RL) -- Query Feedback (Reward) Challenges 22 Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 23.
  • 24.
    26 User Profile Selection •User Profile Selection • Construct hierarchical clustering tree • Masking Mechanism - specific target items • Hierarchical-structure Policy Gradient Time Complexity: Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 25.
    • User ProfileCrafting • Clipping operation to craft the raw user profiles • Sequential patterns (forward/backward) 27 User Profile Crafting w = 50% Example: Attacking Black-box Recommendations via Copying Cross-domain User Profiles, ICDE, 2021.
  • 26.