about mutation testing and demonstration of muJava. muJava is automated tool for mutation testing of java programs. It tests the test cases. hence good to enhance and checking effectiveness of your test suites.
Stands for Graphical User Interface and is pronounced "gooey." It is a user interface that includes graphical elements, such as windows, icons and buttons.
In this project by using GUI we designed a basic calculator in which general operations can be perform like addition ,subtraction, multiplication etc.
Predicting Answering Behaviour in Online Question Answering CommunitiesGregoire Burel
The value of Question Answering (Q&A) communities is dependent on members of the community finding the questions they are most willing and able to answer. This can be difficult in communities with a high volume of questions. Much previous has work attempted to address this problem by recommending questions similar to those already answered. However, this approach disregards the question selection behaviour of the answers and how it is affected by factors such as question recency and reputation. In this paper, we identify the parameters that correlate with such a behaviour by analysing the users’ answering patterns in a Q&A com- munity. We then generate a model to predict which question a user is most likely to answer next. We train Learning to Rank (LTR) models to predict question selections using various user, question and thread feature sets. We show that answering behaviour can be predicted with a high level of success, and highlight the particular features that influence users’ question selections.
CQA services are collaborative platforms where users ask and answer questions. We investigate the influence of national culture on people’s online questioning and answering behavior. For this, we analyzed a sample of 200 thousand users in Yahoo Answers from 67 countries. We use a number of cultural factors extracted from Geert Hofstede’s cultural dimensions and Robert Levine’s Pace of Life and show that behavioral cultural differences exist in community question answering platforms. We find that national cultures differ in Yahoo Answers along a number of dimensions such as temporal predictability of activities, contribution related behavioral patterns, privacy concerns, and power inequality.
Cultures in Community Question Answering. Imrul Kayes, Nicolas Kourtellis, Daniele Quercia, Adriana Iamnitchi, and Francesco Bonchi. ACM 26th Conference on Hypertext and Social Media (HT'15), 2015
FIDO UAF (Universal Second Factor Framework) Specifications: Overview & Tutorial
by Todd Thiemann, Nok Nok Labs
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
about mutation testing and demonstration of muJava. muJava is automated tool for mutation testing of java programs. It tests the test cases. hence good to enhance and checking effectiveness of your test suites.
Stands for Graphical User Interface and is pronounced "gooey." It is a user interface that includes graphical elements, such as windows, icons and buttons.
In this project by using GUI we designed a basic calculator in which general operations can be perform like addition ,subtraction, multiplication etc.
Predicting Answering Behaviour in Online Question Answering CommunitiesGregoire Burel
The value of Question Answering (Q&A) communities is dependent on members of the community finding the questions they are most willing and able to answer. This can be difficult in communities with a high volume of questions. Much previous has work attempted to address this problem by recommending questions similar to those already answered. However, this approach disregards the question selection behaviour of the answers and how it is affected by factors such as question recency and reputation. In this paper, we identify the parameters that correlate with such a behaviour by analysing the users’ answering patterns in a Q&A com- munity. We then generate a model to predict which question a user is most likely to answer next. We train Learning to Rank (LTR) models to predict question selections using various user, question and thread feature sets. We show that answering behaviour can be predicted with a high level of success, and highlight the particular features that influence users’ question selections.
CQA services are collaborative platforms where users ask and answer questions. We investigate the influence of national culture on people’s online questioning and answering behavior. For this, we analyzed a sample of 200 thousand users in Yahoo Answers from 67 countries. We use a number of cultural factors extracted from Geert Hofstede’s cultural dimensions and Robert Levine’s Pace of Life and show that behavioral cultural differences exist in community question answering platforms. We find that national cultures differ in Yahoo Answers along a number of dimensions such as temporal predictability of activities, contribution related behavioral patterns, privacy concerns, and power inequality.
Cultures in Community Question Answering. Imrul Kayes, Nicolas Kourtellis, Daniele Quercia, Adriana Iamnitchi, and Francesco Bonchi. ACM 26th Conference on Hypertext and Social Media (HT'15), 2015
FIDO UAF (Universal Second Factor Framework) Specifications: Overview & Tutorial
by Todd Thiemann, Nok Nok Labs
The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...Marco Brambilla
Web users are increasingly relying on social interaction to complete and validate the results of their search activities. While search systems are superior machines to get world-wide information, the opinions collected within friends and expert/local communities can ultimately determine our decisions: human curiosity and creativity is often capable of going much beyond the capabilities of search systems in scouting “interesting” results, or suggesting new, unexpected search directions. Such personalized interaction occurs in most times aside of the search systems and processes, possibly instrumented and mediated by a social network; when such interaction is completed and users resort to the use of search systems, they do it through new queries, loosely related to the previous search or to the social interaction.
In this paper we propose CrowdSearcher, a novel search paradigm that embodies crowds as first-class sources for the information seeking process. CrowdSearcher aims at filling the gap between generalized search systems, which operate upon world-wide information - including facts and recommendations as crawled and indexed by computerized systems – with social systems, capable of interacting with real people, in real time, to capture their opinions, suggestions, emotions. The technical contribution of this paper is the discussion of a model and architecture for integrating computerized search with human interaction, by showing how search systems can drive and encapsulate social systems. In particular we show how social platforms, such as Facebook, LinkedIn and Twitter, can be used for crowdsourcing search-related tasks; we demonstrate our approach with several prototypes and we report on our experiment upon real user communities.
Toward Better Interactions in Recommender Systems: Cycling and Serpentining A...Qian Zhao
An experience design perspective on recommenders: There is a tradeoff between serving come-and-go users vs. encouraging deeper interaction/engagement!
Better understanding of the trade-off between efficiency vs. engagement can help design a better recommender user experience!
Cycling and serpentining top-N recommendation lists have benefits (higher engagement) but also costs (negative perception)!
More work combining algorithms and user experience is needed!
Introduction to association mapping and tutorial using tasselAwais Khan
This presentation introduces association mapping/linkage disequilibrium mapping and also includes a tutorial showing association mapping analysis using TASSEL software.
Recommenders Systems tutorial slides from the European Summer School of Information Retrieval (ESSIR).
Covers basic ideas on Collaborative Filtering, Content-based methods, Matrix Factorization, Restricted Boltzmann Machines, Ranking, Diversity.
The slides include material from Xavier Amatriain, Saul Vargas and Linas Baltrunas.
genetic algorithm based music recommender systemneha pevekar
The goal of a recommender
system is to generate meaningful recommendations to
a collection of users for items or products that might
interest them.
Many of the largest e-commerce websites are already
using recommender systems to help their customers
find products to purchase or download.
An overview of some deep learning methods for recommender systems along with an intro to the relevant deep learning methods such as convolutional neural networks (CNN's), recurrent neural networks (RNN's), autoencoders, restricted boltzmann machines (RBM's) and more.
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...Marco Brambilla
Web users are increasingly relying on social interaction to complete and validate the results of their search activities. While search systems are superior machines to get world-wide information, the opinions collected within friends and expert/local communities can ultimately determine our decisions: human curiosity and creativity is often capable of going much beyond the capabilities of search systems in scouting “interesting” results, or suggesting new, unexpected search directions. Such personalized interaction occurs in most times aside of the search systems and processes, possibly instrumented and mediated by a social network; when such interaction is completed and users resort to the use of search systems, they do it through new queries, loosely related to the previous search or to the social interaction.
In this paper we propose CrowdSearcher, a novel search paradigm that embodies crowds as first-class sources for the information seeking process. CrowdSearcher aims at filling the gap between generalized search systems, which operate upon world-wide information - including facts and recommendations as crawled and indexed by computerized systems – with social systems, capable of interacting with real people, in real time, to capture their opinions, suggestions, emotions. The technical contribution of this paper is the discussion of a model and architecture for integrating computerized search with human interaction, by showing how search systems can drive and encapsulate social systems. In particular we show how social platforms, such as Facebook, LinkedIn and Twitter, can be used for crowdsourcing search-related tasks; we demonstrate our approach with several prototypes and we report on our experiment upon real user communities.
Toward Better Interactions in Recommender Systems: Cycling and Serpentining A...Qian Zhao
An experience design perspective on recommenders: There is a tradeoff between serving come-and-go users vs. encouraging deeper interaction/engagement!
Better understanding of the trade-off between efficiency vs. engagement can help design a better recommender user experience!
Cycling and serpentining top-N recommendation lists have benefits (higher engagement) but also costs (negative perception)!
More work combining algorithms and user experience is needed!
Introduction to association mapping and tutorial using tasselAwais Khan
This presentation introduces association mapping/linkage disequilibrium mapping and also includes a tutorial showing association mapping analysis using TASSEL software.
Recommenders Systems tutorial slides from the European Summer School of Information Retrieval (ESSIR).
Covers basic ideas on Collaborative Filtering, Content-based methods, Matrix Factorization, Restricted Boltzmann Machines, Ranking, Diversity.
The slides include material from Xavier Amatriain, Saul Vargas and Linas Baltrunas.
genetic algorithm based music recommender systemneha pevekar
The goal of a recommender
system is to generate meaningful recommendations to
a collection of users for items or products that might
interest them.
Many of the largest e-commerce websites are already
using recommender systems to help their customers
find products to purchase or download.
An overview of some deep learning methods for recommender systems along with an intro to the relevant deep learning methods such as convolutional neural networks (CNN's), recurrent neural networks (RNN's), autoencoders, restricted boltzmann machines (RBM's) and more.
Secure Data Aggregation Technique for Wireless Sensor Networks in the Presenc...1crore projects
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
Vulnerability Assessment and Penetration Testing: Safeguarding Digital AssetsAhad
Vulnerability assessment and penetration testing are indispensable tools in the fight against cyber threats. By partnering with trusted cybersecurity providers like Ahad Cybersecurity, organizations can leverage the latest technologies and methodologies to identify, assess, and mitigate potential vulnerabilities, ensuring the security and integrity of their digital assets.
Vulnerability Assessment and Penetration Testing (VAPT) are two distinct but complementary cybersecurity practices used to identify and address security weaknesses in an organization's IT infrastructure, applications, and networks. Both are crucial components of a robust cybersecurity strategy.
Vulnerability Assessment:
Vulnerability Assessment (VA) involves the systematic scanning and analysis of systems, networks, and applications to identify potential security vulnerabilities.
Automated tools are commonly used for vulnerability scanning to efficiently discover known security weaknesses and misconfigurations.
The assessment results in a detailed report outlining the identified vulnerabilities, their severity levels, and potential impacts.
VA is a proactive process, helping organizations prioritize and address vulnerabilities before malicious actors can exploit them.
It is an essential element for maintaining compliance with industry standards and regulations.
Penetration Testing:
Penetration Testing (PT), also known as ethical hacking, involves simulating real-world cyber-attacks on an organization's systems and applications.
Skilled cybersecurity professionals, known as penetration testers or ethical hackers, conduct these tests.
The main objective of penetration testing is to identify and exploit vulnerabilities and weaknesses that may not be detectable by automated scanning tools.
PT goes beyond vulnerability assessment, as it attempts to determine the actual impact and risks associated with successful exploitation.
It provides valuable insights into an organization's security posture and the effectiveness of existing security controls.
https://lumiversesolutions.com/vapt-services/
Operational Security for Transportation: Connectivity to Rails Ashley Finden
The rail industry has a complex and novel threat model and Frank Marcus will provide an industry overview of the unique process. With a rise in connectivity between devices, it is necessary to understand what you can learn from other industries to protect your whole system.
The increasing accuracy of the machine learning systems is quite impressive. It has naturally led to a veritable flood of applications using them including self-driving vehicles, face recognition, cancer diagnosis and even in next-gen shops. A few years ago, getting wrong predictions from a machine learning model used to be the norm. Nowadays, this has become the exception, and we’ve come to expect them to perform flawlessly, especially when they are deployed in real-world applications.
Metasploit framework can also be called as ‘Swiss Army knife ’ of penetration testers as it provides multiple exploit, customization, easy to redevelop according to the requirements of the system . To secure our system and prevent it from any type of threats , we should perform the penetration testing.
Dear Students
Ingenious techno Solution offers an expertise guidance on you Final Year IEEE & Non- IEEE Projects on the following domain
JAVA
.NET
EMBEDDED SYSTEMS
ROBOTICS
MECHANICAL
MATLAB etc
For further details contact us:
enquiry@ingenioustech.in
044-42046028 or 8428302179.
Ingenious Techno Solution
#241/85, 4th floor
Rangarajapuram main road,
Kodambakkam (Power House)
http://www.ingenioustech.in/
In an era dominated by digital interactions and technological advancements, ensuring the security of digital assets has become paramount for organizations across industries.
हम आग्रह करते हैं कि जो भी सत्ता में आए, वह संविधान का पालन करे, उसकी रक्षा करे और उसे बनाए रखे।" प्रस्ताव में कुल तीन प्रमुख हस्तक्षेप और उनके तंत्र भी प्रस्तुत किए गए। पहला हस्तक्षेप स्वतंत्र मीडिया को प्रोत्साहित करके, वास्तविकता पर आधारित काउंटर नैरेटिव का निर्माण करके और सत्तारूढ़ सरकार द्वारा नियोजित मनोवैज्ञानिक हेरफेर की रणनीति का मुकाबला करके लोगों द्वारा निर्धारित कथा को बनाए रखना और उस पर कार्यकरना था।
In a May 9, 2024 paper, Juri Opitz from the University of Zurich, along with Shira Wein and Nathan Schneider form Georgetown University, discussed the importance of linguistic expertise in natural language processing (NLP) in an era dominated by large language models (LLMs).
The authors explained that while machine translation (MT) previously relied heavily on linguists, the landscape has shifted. “Linguistics is no longer front and center in the way we build NLP systems,” they said. With the emergence of LLMs, which can generate fluent text without the need for specialized modules to handle grammar or semantic coherence, the need for linguistic expertise in NLP is being questioned.
31052024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
03062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
role of women and girls in various terror groupssadiakorobi2
Women have three distinct types of involvement: direct involvement in terrorist acts; enabling of others to commit such acts; and facilitating the disengagement of others from violent or extremist groups.
‘वोटर्स विल मस्ट प्रीवेल’ (मतदाताओं को जीतना होगा) अभियान द्वारा जारी हेल्पलाइन नंबर, 4 जून को सुबह 7 बजे से दोपहर 12 बजे तक मतगणना प्रक्रिया में कहीं भी किसी भी तरह के उल्लंघन की रिपोर्ट करने के लिए खुला रहेगा।
01062024_First India Newspaper Jaipur.pdfFIRST INDIA
Find Latest India News and Breaking News these days from India on Politics, Business, Entertainment, Technology, Sports, Lifestyle and Coronavirus News in India and the world over that you can't miss. For real time update Visit our social media handle. Read First India NewsPaper in your morning replace. Visit First India.
CLICK:- https://firstindia.co.in/
#First_India_NewsPaper
1. Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender
Systems
Neil Hurley
Complex Adaptive System Laboratory
Computer Science and Informatics
University College Dublin
Clique Strategic Research Cluster
clique.ucd.ie
October 2011
RecSys 2011: Tutorial on Recommender Robustness
2. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
RecSys 2011: Tutorial on Recommender Robustness
3. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
RecSys 2011: Tutorial on Recommender Robustness
4. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
RecSys 2011: Tutorial on Recommender Robustness
5. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
6. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
RecSys 2011: Tutorial on Recommender Robustness
7. Tutorial on Robustness of Recommender Systems
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
8. Tutorial on Robustness of Recommender Systems
What is Robustness?
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
9. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
10. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Defining the Problem
Recommender Systems use personal information about
end-users to make useful personalised recommendations.
When ratings are provided explicitly, recommender algorithms
have been designed on the assumption that the provided
information is correct.
However . . .
“One can have, some claim, as many electronic per-
sonas as one has time and energy to create”
–Judith Donath (1998) as quoted in Douceur (2002)
How does the system perform if multiple identities are used to
try to deliberately bias the recommender output?
RecSys 2011: Tutorial on Recommender Robustness
11. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Defining the Problem
In 2002, John Douceur of Microsoft Research coined the term
Sybil Attack to refer to an attack against identity on
peer-to-peer systems in which an individual entity
masquerades as multiple separate entities
“If the local entity has no direct physical knowledge of remote entities, it perceives them only
as informational abstractions that we call identities. The system must ensure that distinct
identities refer to distinct entities; otherwise, when the local entity selects a subset of identities
to redundantly perform a remote operation, it can be duped into selecting a single remote
entity multiple times, thereby defeating the redundancy”
In the same year, the first paper (O’Mahony et al. 2002)
appeared on the vulnerability of Recommender Systems to
malicious strategies for “recommendation promotion” – later
dubbed profile injection attacks.
RecSys 2011: Tutorial on Recommender Robustness
12. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Defining the Problem
Robustness refers to the ability of a system to operate under
stressful conditions.
While there are many possible stresses that can be applied to
Recommender Systems, research on RS robustness has
focused on performance when the dataset is stressed
specifically when
the dataset is full of noisy, erroneous data;
typically, imagined to have been corrupted through a concerted
sybil attack, with an aim of biasing the recommender output.
RecSys 2011: Tutorial on Recommender Robustness
13. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
RecSys 2011: Tutorial on Recommender Robustness
14. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
RecSys 2011: Tutorial on Recommender Robustness
15. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
Each identity is referred to as an attack profile.
RecSys 2011: Tutorial on Recommender Robustness
16. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
Each identity is referred to as an attack profile.
Research has concentrated on attacks designed to achieve a
particular recommendation outcome
RecSys 2011: Tutorial on Recommender Robustness
17. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
Each identity is referred to as an attack profile.
Research has concentrated on attacks designed to achieve a
particular recommendation outcome
A Product Push attack: attempt to secure positive
recommendations for an item or items;
RecSys 2011: Tutorial on Recommender Robustness
18. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
Each identity is referred to as an attack profile.
Research has concentrated on attacks designed to achieve a
particular recommendation outcome
A Product Push attack: attempt to secure positive
recommendations for an item or items;
A Product Nuke attack: attempt to secure negative
recommendations for an item or items.
RecSys 2011: Tutorial on Recommender Robustness
19. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
The goal of robust recommendation is to prevent attackers
from manipulating an RS through large-scale insertion of false
user profiles: a profile injection attack
An attack is a concerted effort to bias the results of a
recommender system by the insertion of a large number of
profiles using false identities or sybils.
Each identity is referred to as an attack profile.
Research has concentrated on attacks designed to achieve a
particular recommendation outcome
A Product Push attack: attempt to secure positive
recommendations for an item or items;
A Product Nuke attack: attempt to secure negative
recommendations for an item or items.
We can also think of attacks that aim to simply destroy the
accuracy of the system.
RecSys 2011: Tutorial on Recommender Robustness
20. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
We assume that the attacker has no direct access to the
ratings database – manipulation achieved via the creation of
false profiles only.
RecSys 2011: Tutorial on Recommender Robustness
21. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
We assume that the attacker has no direct access to the
ratings database – manipulation achieved via the creation of
false profiles only.
We ignore system-level methods (e.g. Captchas) for
preventing the generation of false identities or ratings
RecSys 2011: Tutorial on Recommender Robustness
22. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
We assume that the attacker has no direct access to the
ratings database – manipulation achieved via the creation of
false profiles only.
We ignore system-level methods (e.g. Captchas) for
preventing the generation of false identities or ratings
Focus is on the recommendation algorithm’s ability to resist
manipulation either by
RecSys 2011: Tutorial on Recommender Robustness
23. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
We assume that the attacker has no direct access to the
ratings database – manipulation achieved via the creation of
false profiles only.
We ignore system-level methods (e.g. Captchas) for
preventing the generation of false identities or ratings
Focus is on the recommendation algorithm’s ability to resist
manipulation either by
Identifying false profiles from their statistical properties and
ignoring or lessening their impact on the generation of
recommendations;
RecSys 2011: Tutorial on Recommender Robustness
24. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Robust RS Research
We assume that the attacker has no direct access to the
ratings database – manipulation achieved via the creation of
false profiles only.
We ignore system-level methods (e.g. Captchas) for
preventing the generation of false identities or ratings
Focus is on the recommendation algorithm’s ability to resist
manipulation either by
Identifying false profiles from their statistical properties and
ignoring or lessening their impact on the generation of
recommendations; or
Generating recommendations in a manner that is inherently
insensitive to manipulation.
RecSys 2011: Tutorial on Recommender Robustness
25. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Example
RecSys 2011: Tutorial on Recommender Robustness
26. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Example
RecSys 2011: Tutorial on Recommender Robustness
27. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Example
RecSys 2011: Tutorial on Recommender Robustness
28. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Threats to Reputation Systems I
It is interesting to compare the scenario studied in RS research
with the threats identified for reputation systems in the 2007
ENISA report (Carrara and Hogben 2007):
1 Whitewashing attack: reseting a poor reputation by
rejoining the system with a new identity.
2 Sybil attack or pseudospoofing: the attacker uses multiple
identities (sybils) in order to manipulate a reputation score.
3 Impersonation and reputation theft: acquiring the identity
of another and stealing her reputation.
4 Bootstrap issues and related threats: the initial reputation
of a newcomer may be particularly vulnerable to attack.
RecSys 2011: Tutorial on Recommender Robustness
29. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Threats to Reputation Systems II
5 Extortion: co-ordinated campaigns aimed at blackmail by
damaging an individual’s reputation for malicious motives.
6 Denial-of-reputation: attack designed to damage reputation
and create an opportunity for blackmail in order to have the
reputation cleaned.
7 Ballot stuffing and bad mouthing: reporting of a false
reputation score; the attackers collude to give
positive/negative feedback, to increase or lower a reputation.
8 Collusion: multiple users conspire to influence a given
reputation.
9 Repudiation of data and transaction: denial that a
transaction occurred, or denial of the existence of data for
which individual is responsible.
RecSys 2011: Tutorial on Recommender Robustness
30. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Threats to Reputation Systems III
10 Recommender dishonesty: dishonest reputation scoring.
11 Privacy threats for voters and reputation owners: for
example, anonymity improves the accuracy of votes.
12 Social threats: Discriminatory behaviour, herd behaviour,
penalisation of innovative, controversial opinions, vocal
minority effect etc.
13 Threats to the underlying networks: e.g. denial of service
attack.
14 Trust topology threats: e.g.targeting most highly influential
nodes.
15 Threats to ratings: exploiting features of metrics used by
the system to calculate the aggregate reputation rating
RecSys 2011: Tutorial on Recommender Robustness
31. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
RecSys 2011: Tutorial on Recommender Robustness
32. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
RecSys 2011: Tutorial on Recommender Robustness
33. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
time/effort cost;
RecSys 2011: Tutorial on Recommender Robustness
34. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
time/effort cost;
risk cost, associated with the likelihood of being detected;
RecSys 2011: Tutorial on Recommender Robustness
35. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
time/effort cost;
risk cost, associated with the likelihood of being detected;
In any case, we may model the cost as proportional to
RecSys 2011: Tutorial on Recommender Robustness
36. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
time/effort cost;
risk cost, associated with the likelihood of being detected;
In any case, we may model the cost as proportional to
The number of sybil profiles created ;
RecSys 2011: Tutorial on Recommender Robustness
37. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommendation Attack Game
An attack has an associated context-dependent cost
real dollar cost if the insertion of a sybil rating requires the
purchase of the corresponding item;
time/effort cost;
risk cost, associated with the likelihood of being detected;
In any case, we may model the cost as proportional to
The number of sybil profiles created ;
the total number of constituent ratings within the sybil profiles.
RecSys 2011: Tutorial on Recommender Robustness
38. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Impact Curve
Figure: Impact curve from Burke et al. (2011)
RecSys 2011: Tutorial on Recommender Robustness
39. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Consider R to be an n × m database of ratings provided by a
set of n genuine users for m items in a system catalogue.
RecSys 2011: Tutorial on Recommender Robustness
40. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let G be the set of n genuine users, and let
ra = (ra,1 , . . . , ra,m )T represent the set of ratings provided by
user a for each item.
ra,i ∈ L, some quality label, typically a numerical value over
some discrete range. Write ra,i = ∅ if user a has not rated
item i.
RecSys 2011: Tutorial on Recommender Robustness
41. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let A be the set of attack profiles of size nA = number of
profiles and mA = number of ratings. Let ai denote a single
attack profile 1 ≤ i ≤ nA .
RecSys 2011: Tutorial on Recommender Robustness
42. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let R be the (n + nA ) × m database of genuine and attack
profiles available to the recommendation algorithm
post-attack.
RecSys 2011: Tutorial on Recommender Robustness
43. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
RecSys 2011: Tutorial on Recommender Robustness
44. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
The recommendation algorithm may be represented as a
function φ, that uses the rating database R and a user’s
history of previous ratings, ru , to make a set of predictions
p(u, i) = φ(i, R, ru ) ∈ L on the set of items.
RecSys 2011: Tutorial on Recommender Robustness
45. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
The recommendation algorithm may be represented as a
function φ, that uses the rating database R and a user’s
history of previous ratings, ru , to make a set of predictions
p(u, i) = φ(i, R, ru ) ∈ L on the set of items.
More generally, φ(.) results in a probability mass function over
the label space L for each predicted item.
RecSys 2011: Tutorial on Recommender Robustness
46. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
The recommendation algorithm may be represented as a
function φ, that uses the rating database R and a user’s
history of previous ratings, ru , to make a set of predictions
p(u, i) = φ(i, R, ru ) ∈ L on the set of items.
More generally, φ(.) results in a probability mass function over
the label space L for each predicted item.
Let l(φ(., R , .), φ(., R, .)) be a loss function representing the
quality loss of the recommendation process due to an attack.
RecSys 2011: Tutorial on Recommender Robustness
47. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
The recommendation algorithm may be represented as a
function φ, that uses the rating database R and a user’s
history of previous ratings, ru , to make a set of predictions
p(u, i) = φ(i, R, ru ) ∈ L on the set of items.
More generally, φ(.) results in a probability mass function over
the label space L for each predicted item.
Let l(φ(., R , .), φ(., R, .)) be a loss function representing the
quality loss of the recommendation process due to an attack.
This function may depend on the goal of the attack e.g. the
overall loss in accuracy, if the attack seeks to distort general
recommendation performance,
RecSys 2011: Tutorial on Recommender Robustness
48. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
Notation
Let cA = cA (nA , mA ) denote the cost of mounting an attack.
The recommendation algorithm may be represented as a
function φ, that uses the rating database R and a user’s
history of previous ratings, ru , to make a set of predictions
p(u, i) = φ(i, R, ru ) ∈ L on the set of items.
More generally, φ(.) results in a probability mass function over
the label space L for each predicted item.
Let l(φ(., R , .), φ(., R, .)) be a loss function representing the
quality loss of the recommendation process due to an attack.
This function may depend on the goal of the attack e.g. the
overall loss in accuracy, if the attack seeks to distort general
recommendation performance,
or the shift in ratings for some targeted set of items over some
targeted set of users, in a focused attack.
RecSys 2011: Tutorial on Recommender Robustness
49. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommender Attack Game
Then the manipulation game, from the attacker’s point of
view is to choose the attack A∗ that maximises the loss for a
given cost bound cmax .
Attack Goal
A∗ = arg max{A|cA ≤cmax } minφ l(φ(R ), φ(R))
RecSys 2011: Tutorial on Recommender Robustness
50. Tutorial on Robustness of Recommender Systems
What is Robustness?
Profile Injection Attacks
The Recommender Attack Game
Then the manipulation game, from the attacker’s point of
view is to choose the attack A∗ that maximises the loss for a
given cost bound cmax .
Attack Goal
A∗ = arg max{A|cA ≤cmax } minφ l(φ(R ), φ(R))
While the system designer strives to find a recommendation
algorithm that militates against attack
Defense Goal
φ∗ = arg minφ max{A|cA ≤cmax } l(φ(R ), φ(R))
RecSys 2011: Tutorial on Recommender Robustness
51. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
52. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
Our Original Motivation
Inspired by Work in Digital Watermarking . . .
RecSys 2011: Tutorial on Recommender Robustness
53. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
Our Original Motivation
Inspired by Work in Digital Watermarking . . .
RecSys 2011: Tutorial on Recommender Robustness
54. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
news.bbc.co.uk/2/hi/4741259.stm (2001) “ ... ads for films including Hollow Man and A Knight’s Tale quoted
praise from a reviewer called David Manning, who was exposed as being invented ...”
RecSys 2011: Tutorial on Recommender Robustness
55. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
http://tinyurl.com/3d6d969 (Sept. 2003) “AuctionBytes conducted a reader survey to find out how serious
these problems were. According to the survey, 39% of respondents felt that feedback retaliation was a very big
problem on eBay. Nineteen percent of respondents had received retaliatory feedback within the previous 6
months, and 16% had been a victim of feedback extortion within the previous 6 months.”
RecSys 2011: Tutorial on Recommender Robustness
56. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
http://tinyurl.com/n3d5lp (June 2009) “Elsevier officials said Monday that it was a mistake for the publishing
giant’s marketing division to offer $25 Amazon gift cards to anyone who would give a new textbook five stars in a
review posted on Amazon or Barnes & Noble. While those popular Web sites’ customer reviews have long been
known to be something less than scientific, and prone to manipulation if an author has friends write on behalf of
a new work, the idea that a major academic publisher would attempt to pay for good reviews angered some
professors who received the e-mail pitch..”
RecSys 2011: Tutorial on Recommender Robustness
57. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
http://tinyurl.com/cfmqce (2009) Paul Lamere cites an example of “precision hacking” of a Time Poll.
RecSys 2011: Tutorial on Recommender Robustness
58. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
http://tinyurl.com/mupy7d (2009) Hotel review manipulation
RecSys 2011: Tutorial on Recommender Robustness
59. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
Lang et al. (2010) Social Manipulation in Buzznet “...Hey, I know you don’t know me, but could you do me a
huge fav and vote for me in this contest? All you have to do is buzz me...”
RecSys 2011: Tutorial on Recommender Robustness
60. Tutorial on Robustness of Recommender Systems
What is Robustness?
Relevance of Robustness
How Realistic Is this Scenario?
All examples of types of manipulation attacks on
recommender systems.
No hard evidence of automated shilling attacks by sybil
insertion bots.
RecSys 2011: Tutorial on Recommender Robustness
61. Tutorial on Robustness of Recommender Systems
What is Robustness?
Measuring Robustness
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
62. Tutorial on Robustness of Recommender Systems
What is Robustness?
Measuring Robustness
Simple Measures of Attack Impact
Average Prediction Shift
The change in an item’s predicted rating before and after attack,
averaged over all predictions or over predictions that are targetted
by the attack.
pshift (u, i) = φ(i, R , ru ) − φ(i, R, ru )
RecSys 2011: Tutorial on Recommender Robustness
63. Tutorial on Robustness of Recommender Systems
What is Robustness?
Measuring Robustness
Simple Measures of Attack Impact
Average Prediction Shift
The change in an item’s predicted rating before and after attack,
averaged over all predictions or over predictions that are targetted
by the attack.
pshift (u, i) = φ(i, R , ru ) − φ(i, R, ru )
Average Hit Ratio
The average likelihood over tested users that a top-N
recommendation will recommend an item that is the target of an
attack. For each such item i and each tested user, u, in a test set
of t users, let h(u, i) = 1 if i ∈ Ru , the recommended set. Then,
H(i) = 1 u∈U h(u, i)
t
RecSys 2011: Tutorial on Recommender Robustness
64. Tutorial on Robustness of Recommender Systems
What is Robustness?
Measuring Robustness
Other Measures of Attack Impact
Considering φ(i, R, ru ) as a pmf over L, attack impact can be
measured in terms of the change in this distribution as a
result of the attack.
For instance (Yan and Roy 2009), measure impact in terms of
the average Kullback-Liebler distance between φ(i, R, ru ) and
φ(i, R , ru ) over the set of inspected items.
Resnick and Sami (2007) propose loss functions L(l, q) where
l ∈ L, q = φ(i, R, ru ) where the true label of item i is l
RecSys 2011: Tutorial on Recommender Robustness
65. Tutorial on Robustness of Recommender Systems
What is Robustness?
Measuring Robustness
Other Measures of Attack Impact
Considering φ(i, R, ru ) as a pmf over L, attack impact can be
measured in terms of the change in this distribution as a
result of the attack.
For instance (Yan and Roy 2009), measure impact in terms of
the average Kullback-Liebler distance between φ(i, R, ru ) and
φ(i, R , ru ) over the set of inspected items.
Resnick and Sami (2007) propose loss functions L(l, q) where
l ∈ L, q = φ(i, R, ru ) where the true label of item i is l
e.g. the quadratic loss over a two rating scale [HI, LO], with
q the probability of HI is given by
L(HI, q) = (1 − q)2 ; L(LO, q) = q 2
RecSys 2011: Tutorial on Recommender Robustness
66. Tutorial on Robustness of Recommender Systems
Attack Strategies
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
67. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
(Mobasher et al. 2007) introduce the following notation for
the components of an attack profile:
RecSys 2011: Tutorial on Recommender Robustness
68. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
(Mobasher et al. 2007) introduce the following notation for
the components of an attack profile:
IT , the target item(s) receive typically the maximum (resp.
minimum) rating for a push (resp. nuke) attack.
RecSys 2011: Tutorial on Recommender Robustness
69. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
(Mobasher et al. 2007) introduce the following notation for
the components of an attack profile:
IS , the selected item(s) are chosen and rated in a manner to
support the attack.
RecSys 2011: Tutorial on Recommender Robustness
70. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
(Mobasher et al. 2007) introduce the following notation for
the components of an attack profile:
IF , the filler items(s) fill out the remainder of the ratings in
the attack profile.
RecSys 2011: Tutorial on Recommender Robustness
71. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
RecSys 2011: Tutorial on Recommender Robustness
72. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
But, remain unobtrusive so as to avoid detection and filtering
– selection of the filler items IF .
RecSys 2011: Tutorial on Recommender Robustness
73. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
But, remain unobtrusive so as to avoid detection and filtering
– selection of the filler items IF .
Must also consider what information is available to the
attacker
RecSys 2011: Tutorial on Recommender Robustness
74. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
But, remain unobtrusive so as to avoid detection and filtering
– selection of the filler items IF .
Must also consider what information is available to the
attacker
Typically assume some knowledge of the statistics of the rating
database is available;
RecSys 2011: Tutorial on Recommender Robustness
75. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
But, remain unobtrusive so as to avoid detection and filtering
– selection of the filler items IF .
Must also consider what information is available to the
attacker
Typically assume some knowledge of the statistics of the rating
database is available;
May also have knowledge of the recommendation algorithm –
an informed attack.
RecSys 2011: Tutorial on Recommender Robustness
76. Tutorial on Robustness of Recommender Systems
Attack Strategies
Forming Attack Profiles
The goal of attack profile creation must be to
Effectively support the purpose of the attack – selection of
target rating and IS ;
But, remain unobtrusive so as to avoid detection and filtering
– selection of the filler items IF .
Must also consider what information is available to the
attacker
Typically assume some knowledge of the statistics of the rating
database is available;
May also have knowledge of the recommendation algorithm –
an informed attack.
Note Kerkchoff’s principal – avoid “security through
obscurity”.
RecSys 2011: Tutorial on Recommender Robustness
77. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
78. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
The first CF profile insertion attack (O’Mahony et al. 2002),
was an informed attack that exploited a particular weakness in
the basic version of Resnick’s user-based kNN algorithm.
RecSys 2011: Tutorial on Recommender Robustness
79. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
The first CF profile insertion attack (O’Mahony et al. 2002),
was an informed attack that exploited a particular weakness in
the basic version of Resnick’s user-based kNN algorithm.
User-based CF predicts a rating pa,j for item j, user a as
follows:
RecSys 2011: Tutorial on Recommender Robustness
80. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
The first CF profile insertion attack (O’Mahony et al. 2002),
was an informed attack that exploited a particular weakness in
the basic version of Resnick’s user-based kNN algorithm.
User-based CF predicts a rating pa,j for item j, user a as
follows:
– Form a neighbourhood by picking the top-k most similar users
to a
– Pearson Correlation
P
j (ra,j −¯a )(ri,j −¯i )
r r
wa,i = √P 2
P 2
j∈Na ∩Ni (ra,j −¯a )
r j (ri,j −¯i )
r
– Make a prediction by taking a weighted average of
n
neighbours ratings using: pa,j = ra + κ i=1 wa,i (ri,j − ri )
¯ ¯
where κ is a normalising factor
RecSys 2011: Tutorial on Recommender Robustness
81. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
Correlation calculated over the items which the target user
and attack profile have in common. A small intersection set
can lead to high correlations.
RecSys 2011: Tutorial on Recommender Robustness
82. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
Correlation calculated over the items which the target user
and attack profile have in common. A small intersection set
can lead to high correlations.
Therefore a small profile of popular items will have a large
correlation with users who have rated these items
RecSys 2011: Tutorial on Recommender Robustness
83. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
Correlation calculated over the items which the target user
and attack profile have in common. A small intersection set
can lead to high correlations.
Therefore a small profile of popular items will have a large
correlation with users who have rated these items
Implies a low-cost, effective attack on a large proportion of
the userbase.
RecSys 2011: Tutorial on Recommender Robustness
84. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
User-based kNN Attack
Correlation calculated over the items which the target user
and attack profile have in common. A small intersection set
can lead to high correlations.
Therefore a small profile of popular items will have a large
correlation with users who have rated these items
Implies a low-cost, effective attack on a large proportion of
the userbase.
However, not at all unobtrusive.
RecSys 2011: Tutorial on Recommender Robustness
85. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Other Attacks Strategies
Many other attack variants proposed by (Lam and Riedl 2004) and
(Mobasher et al. 2007). Assuming a push attack – a target item is
given the maximum rating and the attack profile is filled out as
follows:
Random Attack Randomly chosen filler items get randomly
drawn rating values.
RecSys 2011: Tutorial on Recommender Robustness
86. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Other Attacks Strategies
Many other attack variants proposed by (Lam and Riedl 2004) and
(Mobasher et al. 2007). Assuming a push attack – a target item is
given the maximum rating and the attack profile is filled out as
follows:
Average Attack Randomly chosen filler items. Ratings drawn
from normal distribution with item means set to
those of rating database.
RecSys 2011: Tutorial on Recommender Robustness
87. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Other Attacks Strategies
Many other attack variants proposed by (Lam and Riedl 2004) and
(Mobasher et al. 2007). Assuming a push attack – a target item is
given the maximum rating and the attack profile is filled out as
follows:
Probe Attack Filler items filled by starting with a set of seed
ratings, querying the recommender system to fill
the ratings of the remaining items.
RecSys 2011: Tutorial on Recommender Robustness
88. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Other Attacks Strategies
Many other attack variants proposed by (Lam and Riedl 2004) and
(Mobasher et al. 2007). Assuming a push attack – a target item is
given the maximum rating and the attack profile is filled out as
follows:
Segment Attack Identifying popular items in a particular user
segment, these are given maximum rating
and remaining filler items are given minimum
rating.
RecSys 2011: Tutorial on Recommender Robustness
89. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Other Attacks Strategies
Many other attack variants proposed by (Lam and Riedl 2004) and
(Mobasher et al. 2007). Assuming a push attack – a target item is
given the maximum rating and the attack profile is filled out as
follows:
Bandwagon Attack A set of popular items is given the maximum
rating, while remaining filler items are given
random ratings.
RecSys 2011: Tutorial on Recommender Robustness
90. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Evaluation User-based kNN
Toward Trustworthy Recommender Systems • 23:21
Fig. 8. Comparison of attacks against user-based algorithm, prediction shift (left) and hit ratio
(right). The baseline in the right panel indicatesMovielens 100K dataset. User-based kNN algorithm with
Results from (Mobasher et al. 2007) on the the hit ratio results prior to attack.
k = 20. All users who have rated at least 20 items.
target item. The fillerasize, in as a percentagenumber total numberof the remaining items shown
Attack Size given as percentage of the total
for different filler sizes, written
this case, is the proportionthe dataset on the x-axis. Results
of the
of users in
of items.
that are assigned random ratings based on the overall data distribution across
Bandwagon attack uses a single popular item and 3% filler size.
the whole database (see Figure 4). In the case of the MovieLens data, these
frequently-ratedto hit-ratio pre-attack
Baseline refers
items are predictable box office successes including such titles
as Star Wars, Return of Jedi, Titanic, etc. The attack profiles consist of high
ratings given to these popular titles in conjunction with high ratings for the
pushed movie. Figure 7 shows the effect of filler size on the effectiveness of
RecSys 2011: Tutorial on Recommender Robustness
91. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Evaluation Item-based kNN
Results from (Mobasher et al. 2007) on the Movielens 100K dataset. Item-based kNN algorithm with
k = 20.
RecSys 2011: Tutorial on Recommender Robustness
92. Tutorial on Robustness of Recommender Systems
Attack Strategies
Attacking kNN Algorithms
Evaluation Item-based kNN
Toward Trustworthy Recommender Systems • 23:23
Fig. 10. Prediction shift and hit 2007) resultsMovielenshorror dataset.segment in kNN item-based
Results from (Mobasher et al. ratio on the for the 100K movie Item-based the algorithm with
algorithm. 20.
k=
Prediction shift and hit ratio results for the Horror Movie Segment.
the target item for use as the segment portion of the attack profile IS . In the
realm of movies, we might imagine selecting movies of a similar genre or movies
containing the same actors.
If we evaluate the segmented attack based on its average impact on all users,
there is nothing remarkable. The attack has an effect but does not approach the
numbers reached by the average attack. However, we must recall our market
segment assumption: namely, that recommendations made to in-segment users
are much more useful to the attacker than recommendations to other users. Our
focus must therefore be with the “in-segment” users, those users who have rated
RecSys 2011: Tutorial on Recommender Robustness
93. Tutorial on Robustness of Recommender Systems
Attack Detection
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
94. Tutorial on Robustness of Recommender Systems
Attack Detection
Profile Injection Attacks
Two well-studied attacks :
Construct spam profile with max (or min) rating for targeted
item.
Choose a set of filler items at random
Random Attack – insert ratings in filler items according to
N (µ, σ)
Average Attack – insert ratings in filler item i according to
N (µi , σi )
For evaluations, genuine profiles are drawn from 1,000,000
rating Movielens dataset.
RecSys 2011: Tutorial on Recommender Robustness
95. Tutorial on Robustness of Recommender Systems
Attack Detection
Detection Flow
RecSys 2011: Tutorial on Recommender Robustness
96. Tutorial on Robustness of Recommender Systems
Attack Detection
PCA-based Attack Detection
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
97. Tutorial on Robustness of Recommender Systems
Attack Detection
PCA-based Attack Detection
PCA Detector (Mehta et al. 2007)
A method of identifying and removing a cluster of
highly-correlated attack profiles.
A cluster C defined by an indicator vector x such that xi = 1
if user ui ∈ C and xi = 0 otherwise.
S a profile similarity matrix, with eigenvectors/values ei , λi
Quadratic form
m
T
x Sx = S(i, j) = (x.ei )2 λi .
i∈C,j∈C i=1
Find x that correlates most with first few eigenvectors of S.
RecSys 2011: Tutorial on Recommender Robustness
98. Tutorial on Robustness of Recommender Systems
Attack Detection
PCA-based Attack Detection
PCA Detector (Mehta et al. 2007)
Success of PCA depends on how S is calculated.
S = Z0 , covariance of profiles ignoring missing values.
RecSys 2011: Tutorial on Recommender Robustness
99. Tutorial on Robustness of Recommender Systems
Attack Detection
PCA-based Attack Detection
PCA Detector (Mehta et al. 2007)
Success of PCA depends on how S is calculated.
S = Z1 , covariance of profiles treating missing values as 0.
RecSys 2011: Tutorial on Recommender Robustness
100. Tutorial on Robustness of Recommender Systems
Attack Detection
PCA-based Attack Detection
PCA Detector (Mehta et al. 2007)
Success of PCA depends on how S is calculated.
Small Overlap → low genuine/attack covariance.
RecSys 2011: Tutorial on Recommender Robustness
101. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
102. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Neyman-Pearson Statistical Detection
y ∈ Y be an observation i.e. a user profile over all possible
profiles Y
Two hypotheses
H0 – that y is a genuine profile, associated pdf fY|H1 (y)
H1 – that y is an attack profile, associated pdf fY|H0 (y)
N-P criterion sets a bound α on false alarm probability pf and
maximises the good detection probability pD
H1 if l(y) > η fY|H1 (y)
ψ ∗ (y) = where l(y) = fY|H0 (y)
H0 if l(y) < η
(likelihood ratio)
RecSys 2011: Tutorial on Recommender Robustness
103. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Modelling Attack Profiles
As attacks follow well-defined construction, easy to construct
model:
m
Pr[Yi = yi ]
i=1
m
= Pr[Yi = φ]θi (Pr[Yi = yi |Yi = φ]Pr[Yi = φ])1−θi
i=1
Which items are rated?
RecSys 2011: Tutorial on Recommender Robustness
104. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Modelling Attack Profiles
As attacks follow well-defined construction, easy to construct
model:
m
Pr[Yi = yi ]
i=1
m
= Pr[Yi = φ]θi (Pr[Yi = yi |Yi = φ]Pr[Yi = φ])1−θi
i=1
What ratings used?
RecSys 2011: Tutorial on Recommender Robustness
105. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Modelling Attack Profiles
As attacks follow well-defined construction, easy to construct
model:
m
Pr[Yi = yi ]
i=1
m 1 1 1−θi
θi yi − 2 − µi yi + 2 − µi
= Pr[Yi = φ] Q −Q
σi σi
i=1
Q(.) = Gaussian Q-function
RecSys 2011: Tutorial on Recommender Robustness
106. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Modelling Genuine Profiles
Simple model – identical to attack model except that
probability of selecting a filler item is estimated as
pi Pr[Yi = φ] from a dataset of genuine profiles.
ˆ
m
Pr[Yi = yi ]
i=1
m
= pi θi (Pr[Yi = yi |Yi = φ](1 − pi ))1−θi
ˆ ˆ
i=1
Not a realistic model of genuine ratings – assumes user’s
ratings are all independent
But sufficient (almost) to distinguish from attack profiles.
RecSys 2011: Tutorial on Recommender Robustness
107. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Random Attack (Filler Size=5%)
RecSys 2011: Tutorial on Recommender Robustness
108. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Average Attack (Filler Size=5%)
RecSys 2011: Tutorial on Recommender Robustness
109. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Lesson Learned
Filler item selection is key to the success of the standard
attacks on k-NN user-based algorithm.
Low (attack profile / genuine profile) overlap (few common
ratings) makes extreme correlations possible – hence attack
profiles are unusually influential. (Basis of original attack
proposed in O’Mahony et al. (2002).)
But also allows for successful detection – also highly
perceptible.
RecSys 2011: Tutorial on Recommender Robustness
110. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Attack Obfuscation
Several obfuscation strategies evaluated previously (Williams
et al. 2006).
Effective obfuscation must try to reduce the statistical
differences between genuine and attack profiles.
RecSys 2011: Tutorial on Recommender Robustness
111. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Average over Popular (AoP) attack
It is clear that a major weakness of the average and random
attacks is their unrealistic selection of filler items.
To be imperceptible an attacker must choose items to rate in
a similar fashion to genuine users.
Average Over Popular Attack – identical to average
attack, but filler items are chosen from x-% most popular
items.
AoP is a less perceptible but also less effective attack on
kNN user-based algorithm.
Nevertheless it does work . . .
RecSys 2011: Tutorial on Recommender Robustness
112. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP Prediction Shift (Attack Size=3%)
RecSys 2011: Tutorial on Recommender Robustness
113. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP Hits (rating of ≥ 4) (Attack Size=3%)
RecSys 2011: Tutorial on Recommender Robustness
114. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP PCA Detection
RecSys 2011: Tutorial on Recommender Robustness
115. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Improved Genuine Profile Model
Adopt model that takes account of correlations between
ratings.
Assume ratings follow multivariate normal distribution –
parameters:
µ0 , m-dimensional vector of mean-ratings for each item; and
Σ0 , m × m matrix of item correlations.
Assume attack profiles also multivariate gaussian with
parameters µ1 , Σ1
Hence, attacked database can be modelled as a Gaussian
Mixture Model.
RecSys 2011: Tutorial on Recommender Robustness
116. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Improved Genuine Profile Model
Difficulty
Very high dimensional vectors
Missing values
Factor Model : Assume that the rating matrix can be
represented by the linear model
YT = AXT + N ,
X : n × k matrix, xu,j = extent user u likes category j
A : m × k matrix ai,j = extent item i belongs in category j
N : independent noise
X(i, :) assumed independent normal.
Expectation maximisation to learn A from dataset ([Canny,
2002]).
RecSys 2011: Tutorial on Recommender Robustness
117. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Improved Genuine Profile Model
N-P test on multivariate normal k-dimensional vector
obtained by projection with A
w = AT YT = AT (AXT + N)
X : n × k matrix, xu,j = extent user u likes category j
A : m × k matrix ai,j = extent item i belongs in category j
N : independent noise
X(i, :) assumed independent normal.
RecSys 2011: Tutorial on Recommender Robustness
118. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Projection by Clustering
N-P test on multivariate normal k-dimensional vector
obtained by projection with P
w = PT YT
Obtain a clustering of item-set into k clusters of similar items.
P : n × k projection matrix sums all ratings belonging to a
cluster.
RecSys 2011: Tutorial on Recommender Robustness
119. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Supervised AoP Detection
N-P test reduces to
(w−µw 0 )T Σw0 −1 (w−µw 0 )−(w−µw 1 )T Σw1 −1 (w−µw 1 ) η
Need
Database of genuine profiles and
Database of attack profiles
to train the detector.
RecSys 2011: Tutorial on Recommender Robustness
120. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP Detection (Factor Analysis)
Actual attack=20% AoP Attack. Plot shows training on
different attack types.
RecSys 2011: Tutorial on Recommender Robustness
121. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP Detection (Clustering)
Actual attack=20% AoP Attack. Plot shows training on
different attack types.
RecSys 2011: Tutorial on Recommender Robustness
122. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
Unsupervised AoP Detection
Unsupervised Gaussian mixture model to learn model
parameters
µw 0 , Σw0 , µw 1 , Σw1 , a0 and a1 , where ai is the probability
that a profile belongs in cluster i.
Implementation from William Wong, Purdue University,
http://web.ics.purdue.edu/~wong17/.
RecSys 2011: Tutorial on Recommender Robustness
123. Tutorial on Robustness of Recommender Systems
Attack Detection
Statistical Attack Detection
AoP Detection
RecSys 2011: Tutorial on Recommender Robustness
124. Tutorial on Robustness of Recommender Systems
Attack Detection
Cost-Benefit Analysis
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
125. Tutorial on Robustness of Recommender Systems
Attack Detection
Cost-Benefit Analysis
Cost-Benefit Analysis
In O’Mahony et al. (2006), we examined a simple cost-benefit
model
The ROI for an attack on item j given by:
P
cj N (nj −nj ) − k∈Ij ck
ROIj = P
ck
k∈Ij
Simplify by assuming cp = cq , ∀ p, q ∈ I
N (nj −nj ) − sj
ROIj = sj
sj – total number of ratings inserted in an attack on item j
Approximated the fractions nj & nj using count of good
predictions and browser-to-buyer conversion probability
RecSys 2011: Tutorial on Recommender Robustness
126. Tutorial on Robustness of Recommender Systems
Attack Detection
Cost-Benefit Analysis
Results
Profitj = c αj (GPj − GPj ) − sj ; c = $10, α = 10%
600
400
Profit ($)
200 2
r = 0.9894
0
−200
0 2000 4000 6000 8000 10000
N
RecSys 2011: Tutorial on Recommender Robustness
127. Tutorial on Robustness of Recommender Systems
Attack Detection
Cost-Benefit Analysis
Cost-benefit Analysis
Vu et al. (2010) examines the adversarial cost to attacking a
ranking system in terms of nA = number of profiles and
mA =number of ratings.
They assume a rating function r(u, i) ∈ {−1, 0, 1} and a
quality-popularity score for each item
f (i) = r(u, i)
u∈G
RecSys 2011: Tutorial on Recommender Robustness
128. Tutorial on Robustness of Recommender Systems
Attack Detection
Cost-Benefit Analysis
Cost-benefit Analysis
Using a trust mechanism that can detect a malicious rating
with probability γ, they show that a ranking function of the
form
f (i) = r(u, i)t(u, i)
u∈G∪A
can be used to design a ranking system in which the minimum
adversarial cost in expectation to boost the rank of an item
from k to 1 includes the cost of posting mA =nA ratings, with
1−2 + γ
nA = (x1 + xk )
1−γ
where xi denotes the number of honest ratings for item i and
is the probability of an erroneous rating.
RecSys 2011: Tutorial on Recommender Robustness
129. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
130. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
131. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
132. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
133. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
134. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
135. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
RecSys 2011: Tutorial on Recommender Robustness
136. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Model-based Algorithms
Attack takes effect when model is re-trained, using corrupted
ratings database.
RecSys 2011: Tutorial on Recommender Robustness
137. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
Initial work such as Mobasher et al. (2006) showed that
model-based algorithms are more resistant to manipulation
than memory-based algorithms.
RecSys 2011: Tutorial on Recommender Robustness
138. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
Initial work such as Mobasher et al. (2006) showed that
model-based algorithms are more resistant to manipulation
than memory-based algorithms.
RecSys 2011: Tutorial on Recommender Robustness
139. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
Initial work such as Mobasher et al. (2006) showed that
model-based algorithms are more resistant to manipulation
than memory-based algorithms.
The user-base is clustered into segments using k-means or
PLSA clustering and users matched to closest segment
profiles.
RecSys 2011: Tutorial on Recommender Robustness
140. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
Initial work such as Mobasher et al. (2006) showed that
model-based algorithms are more resistant to manipulation
than memory-based algorithms.
Sybil profiles tend to be clustered into same segment, thereby
reducing power of attack.
RecSys 2011: Tutorial on Recommender Robustness
141. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
Initial work such as Mobasher et al. (2006) showed that
model-based algorithms are more resistant to manipulation
than memory-based algorithms.
However, as shown in Cheng and Hurley (2009a), a diversified
attack can create less similar but yet still effective attack
profiles.
RecSys 2011: Tutorial on Recommender Robustness
142. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
From Mobasher et al. (2006): Evaluation on MovieLens 100K
dataset
RecSys 2011: Tutorial on Recommender Robustness
143. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Model-based Algorithms
From Cheng and Hurley (2009a): Evaluation on MovieLens 1M
dataset
RecSys 2011: Tutorial on Recommender Robustness
144. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Matrix Factorisation
Modern matrix factorization algorithms use a least squares
step to find the factors. This is known to be sensitive to
outliers.
RecSys 2011: Tutorial on Recommender Robustness
145. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Manipulation-resistance of Matrix Factorisation
Cheng and Hurley (2010) Prediction shift of basic Bellkor
algorithm kNN for a single randomly chosen unpopular item.
RecSys 2011: Tutorial on Recommender Robustness
146. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Summary of Robustness Results on Standard Algorithms
A number of general attack strategies have been proposed
that work effectively in particular on memory-based
algorithms.
RecSys 2011: Tutorial on Recommender Robustness
147. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Summary of Robustness Results on Standard Algorithms
A number of general attack strategies have been proposed
that work effectively in particular on memory-based
algorithms.
Standard attacks are generally detectable:
RecSys 2011: Tutorial on Recommender Robustness
148. Tutorial on Robustness of Recommender Systems
Robustness of Model-based Algorithms
Summary of Robustness Results on Standard Algorithms
A number of general attack strategies have been proposed
that work effectively in particular on memory-based
algorithms.
Standard attacks are generally detectable:
Cost effectiveness implies that a sybil profile should be
unusually influential.
Special purpose (informed) attacks can be tailored towards
particular CF algorithms
e.g. a high diversity attack proved effective against the
k-means clustering algorithm.
Sybil profiles can be obfuscated to make them less detectable
Selection of filler items is Achille’s heal of standard average
attack, but also explains its power.
Obfuscation reduces the effectiveness of attacks but
memory-based algorithms are still vulnerable.
RecSys 2011: Tutorial on Recommender Robustness
149. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
150. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
Some early work (O’Mahony et al. 2004) applied
neighbourhood filtering to the standard user-based algorithm,
to cluster and filter suspicious neighbours.
RecSys 2011: Tutorial on Recommender Robustness
151. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
Some early work (O’Mahony et al. 2004) applied
neighbourhood filtering to the standard user-based algorithm,
to cluster and filter suspicious neighbours.
Mehta and Nejdl (2008) introduces the the VarSelectSVD
method – a matrix factorisation strategy taking robustness
into account.
RecSys 2011: Tutorial on Recommender Robustness
152. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
Some early work (O’Mahony et al. 2004) applied
neighbourhood filtering to the standard user-based algorithm,
to cluster and filter suspicious neighbours.
Mehta and Nejdl (2008) introduces the the VarSelectSVD
method – a matrix factorisation strategy taking robustness
into account.
An SVD factorization of the rating matrix R requires the
following to be solved:
arg min R − GH
G,H
RecSys 2011: Tutorial on Recommender Robustness
153. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
Some early work (O’Mahony et al. 2004) applied
neighbourhood filtering to the standard user-based algorithm,
to cluster and filter suspicious neighbours.
Mehta and Nejdl (2008) introduces the the VarSelectSVD
method – a matrix factorisation strategy taking robustness
into account.
An SVD factorization of the rating matrix R requires the
following to be solved:
arg min R − GH
G,H
Users are flagged as suspicious using PCA clustering.
RecSys 2011: Tutorial on Recommender Robustness
154. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
Some early work (O’Mahony et al. 2004) applied
neighbourhood filtering to the standard user-based algorithm,
to cluster and filter suspicious neighbours.
Mehta and Nejdl (2008) introduces the the VarSelectSVD
method – a matrix factorisation strategy taking robustness
into account.
An SVD factorization of the rating matrix R requires the
following to be solved:
arg min R − GH
G,H
Users are flagged as suspicious using PCA clustering.
Flagged users do not contribute to the update of right
eigenvector – they do not contribute to the model.
RecSys 2011: Tutorial on Recommender Robustness
155. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD
RecSys 2011: Tutorial on Recommender Robustness
156. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
VarSelectSVD Results
MAE, Prediction Shift and Hit Ratio for 5% Average Attack,
7% Filler on Movielens 1M
RecSys 2011: Tutorial on Recommender Robustness
157. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Manipulation Resistance Through Robust Statistics
Robust statistics describes an alternative approach to classical
statistics where the motivation is to produce estimators that
are not unduly affected by small departures from the model.
Robust regression uses a bounded cost function which limits
the effect of outliers.
Two Approaches
RecSys 2011: Tutorial on Recommender Robustness
158. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Manipulation Resistance Through Robust Statistics
Robust statistics describes an alternative approach to classical
statistics where the motivation is to produce estimators that
are not unduly affected by small departures from the model.
Robust regression uses a bounded cost function which limits
the effect of outliers.
Two Approaches
1 M-estimators –
1 2
2γ r |r| ≤ γ
arg min ρ(rij −gi hj ) where ρ(r) =
G,H |r| − γ2 |r| > γ
rij =0
RecSys 2011: Tutorial on Recommender Robustness
159. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Manipulation Resistance Through Robust Statistics
Robust statistics describes an alternative approach to classical
statistics where the motivation is to produce estimators that
are not unduly affected by small departures from the model.
Robust regression uses a bounded cost function which limits
the effect of outliers.
Two Approaches
2 Least Trimmed Squares –
h
arg min e2
(i) where e2 ≤ e2 ≤ · · · ≤ e2
(1) (2) (n)
G,H
i=1
RecSys 2011: Tutorial on Recommender Robustness
160. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Robust Statistics Results on Bellkor Method
RecSys 2011: Tutorial on Recommender Robustness
161. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
Outline
1 What is Robustness?
Profile Injection Attacks
Relevance of Robustness
Measuring Robustness
2 Attack Strategies
Attacking kNN Algorithms
3 Attack Detection
PCA-based Attack Detection
Statistical Attack Detection
Cost-Benefit Analysis
4 Robustness of Model-based Algorithms
5 Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
6 Stability, Trust and Privacy
RecSys 2011: Tutorial on Recommender Robustness
162. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
The Influence Limiter (Resnick and Sami 2007)
Output of recommendation system
qj passes through an
influence-limiting process to
produce a modified output qj .
˜
qj is a weighted average of qj−1
˜ ˜
and qj
The weighting depends on the
reputation that user j has
accumulated with respect to the
target.
RecSys 2011: Tutorial on Recommender Robustness
163. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
The Influence Limiter (Resnick and Sami 2007)
A scoring function assigns
reputation to j based on whether
or not the target actually likes the
item.
Tuned so that honest users can
reach full credibility after O(log n)
steps.
The main result states that the
total impact of n sybils in terms of
performance reduction is bounded
by −neλ .
RecSys 2011: Tutorial on Recommender Robustness
164. Tutorial on Robustness of Recommender Systems
Attack Resistant Recommendation Algorithms
Provably Manipulation Resistant Algorithms
Yan and Roy (2009)’s Manipulation Robust Algorithm
A class of CF algorithms – which the authors’ call linear CF
algorithms – is presented in which the manipulation
distortion is bounded above by
1 1
n 1−r .
where r is the fraction of the data that is generated by
manipulators and n is the number of products that have
already been rated by a user whose future ratings are to be
predicted.
“Suppose a CF system that accepts binary ratings predicts
future ratings correctly 80% of the time in the absence of
manipulation. If 10% of all ratings are provided by
manipulators, according to our bound, the system can maintain
a 75% rate of correct predictions by requiring each new user to
rate at least 21 products before receiving recommendations.”
RecSys 2011: Tutorial on Recommender Robustness